[ruby-talk:444406] [ANN] rodauth-oauth 1.5.0 released

rodauth-oauth 1.5.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Connect providers (OPs).
rodauth-oauth is certified <https://openid.net/certification/> for the
following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP,
3rd Party Init OP, Session Management OP, RP-Initiated Logout OP,
Front-Channel OP, Back-Channel OP

# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured Authorization Requests (JAR)
* JWT Secured Authorization Response Mode (JARM)
* Pushed Authorization Requests (PAR)
* Demonstrating Proof-of-Possession at the Application Layer (DPoP)
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Session Management
* OpenID RP Initiated Logout
* OpenID Frontchannel Logout
* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

# 1.5.0

## Highlights

### OAuth DPoP Support

`rodauth-oauth` now supports Demonstrating Proof-of-Possession at the
Application Layer (also known as DPoP, RFC 9449), via the `oauth_dpop`
feature. With DPoP, the client sends a signed proof JWT (a `DPoP` header
carrying its public key as a JWK) alongside each request; the server
binds the issued access token to that key's thumbprint, so that the
token is only accepted together with a fresh proof signed by the
matching private key. A leaked access token is therefore useless to
anyone who does not also hold the client's private key.

More info about the feature in the docs (the DPoP page of the project
wiki on GitLab).
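To make the binding concrete, here is an added, self-contained example of the DPoP exchange end to end. It is not rodauth-oauth's implementation and uses only the Ruby standard library: the client builds proof JWTs (RS256 chosen here to keep the signature format simple; the keys, URLs and token shape are constructed for this example), the token endpoint records the proof key's RFC 7638 thumbprint as `cnf.jkt`, and the resource server verifies a fresh proof, checks the `ath` hash, the method/URL binding, the `iat` window and `jti` single use, and rejects a stolen token presented with a proof from a different key.

```ruby
require "openssl"
require "json"
require "securerandom"
require "set"

# Added example, not rodauth-oauth's implementation: a minimal DPoP (RFC 9449)
# exchange with RS256 proofs, using only the Ruby standard library.

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")          # base64url, no padding
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0")
end

def sha256_b64url(data)
  b64url(OpenSSL::Digest::SHA256.digest(data))
end

def public_jwk(key)
  { "kty" => "RSA", "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }
end

# RFC 7638 thumbprint: SHA-256 of the required members in lexicographic order, no whitespace.
def jwk_thumbprint(jwk)
  sha256_b64url(JSON.generate({ "e" => jwk["e"], "kty" => jwk["kty"], "n" => jwk["n"] }))
end

# --- client -----------------------------------------------------------------

# One proof per HTTP request; `ath` is added when the proof accompanies an access token.
def build_dpop_proof(key, htm:, htu:, access_token: nil, now: Time.now.to_i)
  header  = { "typ" => "dpop+jwt", "alg" => "RS256", "jwk" => public_jwk(key) }
  payload = { "jti" => SecureRandom.uuid, "htm" => htm, "htu" => htu.sub(/[?#].*/, ""), "iat" => now }
  payload["ath"] = sha256_b64url(access_token) if access_token
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# --- server -----------------------------------------------------------------

class DpopError < StandardError; end

# Checks a proof against the request it must cover and returns the thumbprint of
# the key that signed it. `seen_jti` is the server's replay cache (a Set here).
def verify_dpop_proof(proof, htm:, htu:, seen_jti:, access_token: nil, now: Time.now.to_i, max_age: 300)
  parts = proof.to_s.split(".")
  raise DpopError, "malformed proof" unless parts.length == 3
  begin
    header, payload = parts[0, 2].map { |p| JSON.parse(b64url_decode(p)) }
    signature = b64url_decode(parts[2])
  rescue ArgumentError, JSON::ParserError
    raise DpopError, "malformed proof"
  end
  raise DpopError, "typ must be dpop+jwt" unless header["typ"] == "dpop+jwt"
  raise DpopError, "alg must be RS256 in this example" unless header["alg"] == "RS256"
  jwk = header["jwk"]
  unless jwk.is_a?(Hash) && jwk["kty"] == "RSA" && jwk["n"].is_a?(String) && jwk["e"].is_a?(String) && !jwk.key?("d")
    raise DpopError, "jwk missing or not a public RSA key"
  end

  # Rebuild the public key from the embedded JWK (PKCS#1 RSAPublicKey DER) and check
  # the signature under it: a valid signature proves possession of the private key.
  der = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)),
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk["e"]), 2))
  ]).to_der
  pub = OpenSSL::PKey::RSA.new(der)
  raise DpopError, "bad signature" unless pub.verify(OpenSSL::Digest.new("SHA256"), signature, "#{parts[0]}.#{parts[1]}")

  # Tie the proof to this exact request: method, URL without query/fragment, freshness, single use.
  raise DpopError, "htm mismatch" unless payload["htm"] == htm
  raise DpopError, "htu mismatch" unless payload["htu"] == htu.sub(/[?#].*/, "")
  raise DpopError, "iat outside window" unless payload["iat"].is_a?(Integer) && (now - payload["iat"]).abs <= max_age
  raise DpopError, "jti replayed" if seen_jti.include?(payload["jti"])
  seen_jti << payload["jti"]
  raise DpopError, "ath mismatch" if access_token && payload["ath"] != sha256_b64url(access_token)

  jwk_thumbprint(jwk)
end

# Token endpoint: record the proof key's thumbprint in the token's confirmation claim.
def issue_dpop_bound_token(proof, token_endpoint:, seen_jti:)
  jkt = verify_dpop_proof(proof, htm: "POST", htu: token_endpoint, seen_jti: seen_jti)
  { "access_token" => SecureRandom.hex(16), "token_type" => "DPoP", "cnf" => { "jkt" => jkt } }
end

# Resource server: the token is only accepted together with a fresh proof from the bound key.
def authorize_resource_request(token, proof, htm:, htu:, seen_jti:)
  jkt = verify_dpop_proof(proof, htm: htm, htu: htu, seen_jti: seen_jti, access_token: token["access_token"])
  raise DpopError, "token bound to a different key" unless jkt == token["cnf"]["jkt"]
  true
end

# Walkthrough on constructed keys and URLs (assumptions for this example).
def demo
  client_key, thief_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  seen = Set.new
  token_url, api_url = "https://as.example/token", "https://rs.example/orders?page=2"
  token = issue_dpop_bound_token(build_dpop_proof(client_key, htm: "POST", htu: token_url),
                                 token_endpoint: token_url, seen_jti: seen)
  good = build_dpop_proof(client_key, htm: "GET", htu: api_url, access_token: token["access_token"])
  ok = authorize_resource_request(token, good, htm: "GET", htu: api_url, seen_jti: seen)
  # Exfiltrated token, proof from a key the token was not issued to: rejected.
  theft = build_dpop_proof(thief_key, htm: "GET", htu: api_url, access_token: token["access_token"])
  stolen = begin
    authorize_resource_request(token, theft, htm: "GET", htu: api_url, seen_jti: seen)
  rescue DpopError => e
    e.message
  end
  # Replaying the legitimate proof is rejected too.
  replay = begin
    authorize_resource_request(token, good, htm: "GET", htu: api_url, seen_jti: seen)
  rescue DpopError => e
    e.message
  end
  { bound_ok: ok, stolen: stolen, replay: replay }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints `{:bound_ok=>true, :stolen=>"token bound to a different key", :replay=>"jti replayed"}`. Note that the signature check alone only proves possession of *some* key; the security comes from comparing the proof key's thumbprint with the `jkt` the token was issued with, and from rejecting proofs whose `jti` was already seen, so a captured request cannot be replayed. A production server would also accept a nonce-based freshness check and the EC algorithms DPoP clients commonly use, which this example omits.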

## Improvements

All features managing cookies are now able to configure them as
"session cookies" (i.e. removed on browser shutdown) by setting the
corresponding expiration interval auth method to `nil`. This includes:

* `oauth_prompt_login_interval` (from the `oidc` feature)
* `oauth_oidc_user_agent_state_cookie_expires_in` (from the
`oidc_session_management` feature)

## Bugfixes

* when using the `oauth_token_introspection` feature, the `token_type`
returned in the introspection response has been fixed to be "Bearer"
(instead of "access_token").