rodauth-oauth 1.4.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
rodauth-oauth is certified <https://openid.net/certification/> for the following profiles of the OpenID Connect™ protocol:

* Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP
* Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP
```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```
Among its features, it supports:
* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests (PAR)
* Demonstrating Proof-of-Possession at the Application Layer (DPoP)
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Session Management
* OpenID RP Initiated Logout
* OpenID Frontchannel Logout
* OpenID Backchannel Logout
It can also be used with Rails (via the "rodauth-rails" gem).
Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
# 1.5.0
## Highlights
### OAuth DPoP Support
`rodauth-oauth` supports Demonstrating Proof-of-Possession at the
Application Layer (also known as DPoP), via the `oauth_dpop` feature.
This provides a mechanism to bind access tokens to a particular client
based on public key cryptography.
More info about the feature [in the
docs](DPoP · Wiki · OS / rodauth-oauth · GitLab).
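To make the binding concrete, here is an added example (not code from rodauth-oauth) of what a DPoP exchange looks like on both sides: the client signs a per-request proof JWT with its own key, and the resource server checks that proof against the key thumbprint the authorization server bound into the access token (RFC 9449). It assumes RS256, an opaque constructed access token, and an in-memory `Set` as the replay cache; all names are hypothetical.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "set"
# Base64url without padding, as JOSE requires (RFC 7515).
def b64url(bytes) = Base64.urlsafe_encode64(bytes, padding: false)
def b64url_decode(str) = Base64.urlsafe_decode64(str)
def sha256_b64url(data) = b64url(OpenSSL::Digest::SHA256.digest(data))

# Public RSA key as a JWK, and its RFC 7638 thumbprint: the value the
# authorization server stores in the access token's cnf.jkt claim.
def rsa_jwk(key) = { "kty" => "RSA", "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }
def jwk_thumbprint(jwk) = sha256_b64url(JSON.generate(jwk.slice("e", "kty", "n").sort.to_h))

# Rebuild a public key from the JWK in the proof header, via SubjectPublicKeyInfo DER.
def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |k| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk.fetch(k)), 2)) }
  alg = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId("rsaEncryption"), OpenSSL::ASN1::Null(nil)])
  spki = OpenSSL::ASN1::Sequence([alg, OpenSSL::ASN1::BitString(OpenSSL::ASN1::Sequence([n, e]).to_der)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Client side: one DPoP proof JWT (RS256) per request; `ath` ties it to the access token.
def build_dpop_proof(key, htm, htu, access_token, now: Time.now.to_i)
  header = { "typ" => "dpop+jwt", "alg" => "RS256", "jwk" => rsa_jwk(key) }
  claims = { "jti" => SecureRandom.uuid, "htm" => htm, "htu" => htu, "iat" => now,
             "ath" => sha256_b64url(access_token) }
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# Resource-server side: returns the first failing check, or nil when the proof is acceptable.
# `expected_jkt` is the token's cnf.jkt; `seen_jtis` is the replay cache (shared and time-bounded in practice).
def dpop_proof_error(proof, htm, htu, access_token, expected_jkt, seen_jtis, now: Time.now.to_i, skew: 60)
  h, c, s = proof.split(".", 3)
  return :malformed unless s
  header, claims = [h, c].map { |part| JSON.parse(b64url_decode(part)) }
  return :typ unless header["typ"] == "dpop+jwt" && header["alg"] == "RS256"
  return :jkt unless jwk_thumbprint(header["jwk"]) == expected_jkt # proof key must be the bound key
  return :sig unless rsa_from_jwk(header["jwk"]).verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{c}")
  return :htm unless claims["htm"] == htm
  return :htu unless claims["htu"] == htu # htu carries no query or fragment (RFC 9449)
  return :iat unless claims["iat"].is_a?(Integer) && (claims["iat"] - now).abs <= skew
  return :ath unless claims["ath"] == sha256_b64url(access_token)
  return :replay unless seen_jtis.add?(claims["jti"]) # Set#add? is nil when the jti was already seen
  nil
rescue StandardError
  :malformed
end
```

A token leaked from a log or a proxy is useless to anyone who cannot also produce a fresh proof with the bound private key, which is the property the `oauth_dpop` feature adds to the authorization server.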
## Improvements
All features that manage cookies can now configure them as "session cookies" (i.e. removed on browser shutdown) by setting the corresponding expiration interval auth method to `nil`. This includes:
* `oauth_prompt_login_interval` (from the `oidc` feature)
* `oauth_oidc_user_agent_state_cookie_expires_in` (from the
`oidc_session_management` feature)
## Bugfixes
* When using the `oauth_token_introspection` feature, the `token_type` has been fixed to show "Bearer" (instead of "access_token").