[ruby-talk:444448] [ANN] rodauth-oauth 1.6.0 released

rodauth-oauth 1.6.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0
authorization servers, as well as OpenID Authentication Providers.
rodauth-oauth is certified <https://openid.net/certification/> for the
following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP,
3rd Party Init OP, Session Management OP, RP-Initiated Logout OP,
Front-Channel OP, Back-Channel OP

```ruby
# as simple as
rodauth do
  enable :oauth_authorization_code_grant
  # or
  enable :oidc
end
```

Among its features, it supports:

* Authorization Code Grant
* Refresh Token Grant
* Implicit Grant
* Client Credentials Grant
* Device Code Grant
* Token Revocation
* Token Introspection
* Auth Server Metadata
* PKCE
* Resource Indicators
* JWT Access Tokens
* mTLS Client Authentication
* Assertion Framework
* SAML 2.0 Bearer Assertion Grant
* JWT Bearer Assertion Grant
* JWT Secured authorization requests (JAR)
* JWT Secured authorization response mode (JARM)
* Pushed Authorization requests (PAR)
* Demonstrating Proof-of-Possession at the Application Layer (DPoP)
* Dynamic Client Registration
* OpenID
* OpenID Discovery
* OpenID Multiple Response types
* OpenID Self Issued Tokens
* OpenID Connect Dynamic Client Registration
* OpenID Session Management
* OpenID RP Initiated Logout
* OpenID Frontchannel Logout
* OpenID Backchannel Logout

It can also be used with Rails (via the "rodauth-rails" gem).

Website: rodauth-oauth · honeyryder
Documentation: Rodauth OAuth: OAuth 2.0 and OpenID for rodauth
Wiki: Home · Wiki · OS / rodauth-oauth · GitLab
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

# 1.6.0

## Improvements

### "at+jwt" and "id_token+jwt" typ header in JWT tokens

In order to distinguish and identify tokens, JWT access tokens generated
by the `oauth_jwt` feature will contain the "at+jwt" value in the
"typ" header (which follows the [recommendation in RFC
9068](https://www.rfc-editor.org/rfc/rfc9068), the JWT Profile for
OAuth 2.0 Access Tokens), whereas ID tokens generated by the `oidc`
feature will contain the "id_token+jwt" value in the "typ" header (there
is no official recommendation, but some providers are using this).

**Note**: This header will also be used to validate access tokens.
This means that, once you upgrade, **access tokens generated prior to
the upgrade won't be usable anymore**. In order to mitigate this and
smoothen the upgrade process, disable header verification for a period
greater than the access token expiration time in your application
(controlled by the `oauth_access_token_expires_in` auth value method,
60 minutes by default); this will allow older access tokens to expire.
You can do so by overriding the `verify_access_token_headers` auth
method:

```ruby
rodauth do
  enable :oauth_jwt # or :oidc
  oauth_access_token_expires_in 60 * 60

  verify_access_token_headers { } # do nothing
end
```
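
The following is an added, stand-alone Ruby example (not code from the rodauth-oauth project) of the header check the note above describes: it enforces the new "typ" values per token kind while still accepting pre-upgrade tokens for a grace window at least as long as the access-token lifetime. It assumes pre-1.6 tokens carry no "typ" header (or the generic "JWT"); `upgraded_at`, `sample_jwt` and the sample tokens are constructed for the example.

```ruby
require "json"

# Expected "typ" header per token kind, as introduced in rodauth-oauth 1.6.0.
EXPECTED_TYP = { access_token: "at+jwt", id_token: "id_token+jwt" }.freeze

# base64url without padding, as used by compact JWT serialisation.
def b64url_encode(str)
  [str].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(seg)
  padded = seg.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decoding: raises ArgumentError on bad input
end

# Parse only the JOSE header of "header.payload.signature". This runs
# alongside signature verification; it is not a substitute for it.
def jwt_header(token)
  segments = token.split(".", -1) # keep an empty trailing signature segment
  raise ArgumentError, "not a compact JWT" unless segments.length == 3
  JSON.parse(b64url_decode(segments[0]))
rescue JSON::ParserError
  raise ArgumentError, "malformed JWT header"
end

# Accept a token's "typ" header according to its kind (:access_token or
# :id_token). Pre-upgrade tokens (assumed: no "typ", or the generic "JWT")
# are accepted only while the grace window after `upgraded_at` is open; keep
# that window at least as long as oauth_access_token_expires_in (3600 s by
# default) so every legacy access token has expired before it closes.
def typ_header_acceptable?(token, kind:, upgraded_at:, grace_period: 60 * 60, now: Time.now)
  typ = jwt_header(token)["typ"]
  return true if typ == EXPECTED_TYP.fetch(kind)
  legacy = typ.nil? || typ == "JWT"
  legacy && now < upgraded_at + grace_period
end

# Constructed sample token: header, minimal payload, empty signature segment.
# Only the header matters for the check above.
def sample_jwt(header)
  [b64url_encode(JSON.generate(header)),
   b64url_encode(JSON.generate({ "sub" => "user-1" })),
   ""].join(".")
end
```

Once the grace window has closed, drop the legacy branch (or stop overriding `verify_access_token_headers`) so that only tokens with the expected "typ" are accepted.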