rodauth-oauth 1.3.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
rodauth-oauth
is certified <https://openid.net/certification/> for the following profiles
of the OpenID Connect™ protocol:
Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd
Party Init OP
# as simple as
rodauth do
enable :oauth_authorization_code_grant
# or
enable :oidc
end
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Relying Party Initiated Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
## 1.3.0 (02/04/2023)
## Features
### Self-Signed Issued Tokens
`rodauth-oauth` supports self-signed issued tokens, via the
`oidc_self_issued` feature.
More info about the feature [in the
docs](Self Issued OpenID · Wiki · OS / rodauth-oauth · GitLab).
#### JARM
`rodauth-oauth` supports JWT-secured Authorization Response Mode, also
known as JARM, via the
`oauth_jwt_secured_authorization_response_mode`.
More info about the feature [in the
docs](JWT Secured Authorization Response Mode · Wiki · OS / rodauth-oauth · GitLab).
## Improvements
### `fill_with_account_claims` auth method
`fill_with_account_claims` is now exposed as an auth method. This
allows one to override to be able to cover certain requirements, such
as aggregated and distributed claims. Here's a [link to the
docs](Id Token Authentication · Wiki · OS / rodauth-oauth · GitLab)
explaining how to do it.
### oidc: only generate refresh token when `offline_access` scope is used.
When the `oidc` feature is used, refresh tokens won't be generated
anymore by default; in order to do so, the `offline_access` needs to
be requested for in the respective authorization request, [as the spec
mandates](Final: OpenID Connect Core 1.0 incorporating errata set 1).
### oidc: implicit grant loaded by default
The `oidc` feature now loads the `oauth_implicit_grant` feature by
default. This hadn't been done before due to the wish to ship a secure
integration by default, but since then, spec compliance became more
prioritary, and this is a requirement.
## Bugfixes
* rails integration: activerecord migrations fixes:
* use `bigint` for foreign keys;
* index creation instruction with the wrong syntax;
* set precision 6 for default timestamps, to comply with AR defaults;
* add missing `code` column to the `oauth_pushed_requests` table;
* oidc: when using the `id_token` , or any composite response type
including `id_token`, using any response mode other than `fragment`
will result in an invalid request.