[ruby-talk:444374] [ANN] rodauth-oauth 1.4.0 released

rodauth-oauth 1.4.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
is certified <https://openid.net/certification/&gt; for the following profiles
of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd
Party Init OP
Session Management OP, RP-Initiated Logout OP, Front-Channel OP,
Back-Channel OP

# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Session Management
* OpenID RP Initiated Logout
* OpenID Frontchannel Logout
* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

## 1.4.0 (08/11/2023)

## Highlights

rodauth-oauth is now [OpenID
certified](https://openid.net/certification/) for the following logout

* Session Management OP
* RP-Initiated Logout OP
* Front-Channel Logout OP
* Back-Channel Logout OP

The OIDC server used to run the test can be found
[here](examples/oidc/authentication_server.rb · master · OS / rodauth-oauth · GitLab)
and deployed [here](https://rodauth-oauth-oidc.onrender.com).

## Features

### OIDC logout features

`rodauth-oauth` ships with the following new features:

* `oidc_sesssion_management` - enables [OIDC session
management](Final: OpenID Connect Session Management 1.0)
* `oidc_frontchannel_logout` - enables [OIDC frontchannel
logout](Final: OpenID Connect Front-Channel Logout 1.0)
* `oidc_backchannel_logout` - enables [OIDC backchannel
logout](Final: OpenID Connect Back-Channel Logout 1.0)

which, along with the existing `oidc_rp_initiated_logout`, implemment
all OIDC logout profiles.

## Breaking changes

If you're using `oidc`, the dependency on `account_expiration` has
been replaced by the `active_sessions` rodauth feature. This change is
required because it fixes bugs associated with accounts expiring in
order for id token invalidation to work.

If you're migrating, it's recommended that you keep depending on
`account_expiration` during the transition, add `active_sessions`
tables as per [rodauth
and run them alongside one another for the max period ID tokens should
be valid, after which you can remove `account_expiration` and its

## Improvements

### OAuth SAML Bearer Grant per oauth application settings

The `oauth_saml_bearer_grant` feature requires a new table/resource,
SAML settings, which enable "per client applicatioon" SAML settings,
and therefore, make this feature usable in enterprise/multi-tenancy

## Bugfixes

* remove `html_safe` usage in rails views to prevent XSS in the authorize form.
* fixed for OIDC RFC 5.4 when requesting claims using scope values
* `oauth_rp_initiated_logout` does not crash anymore on logout
requests with `id_token_hint`
* `oauth_rp_initiated_logout` now works with response types other than `code`
* `oauth_rp_initiated_logout` emits an ID token hint invalid message
when not able to decode the `id_token_hint`

## Chore

* Using `auth_methods` everywhere where `auth_value_methods` was used
and didn't make sense.
* `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature,
and can therefore be used with non-JWT access tokens, at least with
the features which do not require it.

### 1.3.2 (27/07/2023)

#### Improvements

* `require_signed_request_object` option for JAR
(`oauth_jwt_secured_authorization_request` plugin) is now supported:
  * in the oauth server metadata endpoint
  * as a plugin config option (`oauth_require_signed_request_object`,
defaults to `false`)
  * as a oauth dynamic registration endpoint param
(`require_signed_request_object`, requires corresponding columnn)
  * enforces JAR-based authorization, andd does not allow unsigned JAR
JWTs, when turned on.

#### Bugfixes

* JWT decoding failed in circumstances where a declared encryption
algo didn't have key/method declared.
* fix for when PAR (`oauth_pushed_authorization_request` feature) is
used with JAR (`oauth_jwt_secured_authorization_request` plugin), and
PAR `request_uri` param wasn't being removed when validating authorize
request parameters, thereby making JAR logic evaluate it as a JAR
`requuest_uri` (it is now correctly not taken into account in such a

### 1.3.1 (27/06/2023)

#### Bugfixes

* Set 401 error response when `client_id` parameter is invalid, or
from an unexisting client application, instead of failing with a 500
* update rails authorize form to use roda request params instead, as
plain params was breaking JAR and PAR-based authorize forms in rails

#### Chore

* set `:padding` to `false` in `Base64.urlsafe_encode64` calls (@felipe.zavan)