RubyFlow The Ruby and Rails community linklog


[ANN] rodauth-oauth 1.3.0 released - self-signed issued tokens, JARM

rodauth-oauth 1.3.0 has been released.

rodauth-oauth is a Rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Connect providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP

Getting started is as simple as:

    rodauth do
      enable :oauth_authorization_code_grant # or enable :oidc
    end

Among its features, it supports:

  • Authorization Code Grant
  • Refresh Token Grant
  • Implicit Grant
  • Client Credentials Grant
  • Device Code Grant
  • Token Revocation
  • Token Introspection
  • Auth Server Metadata
  • PKCE
  • Resource Indicators
  • JWT Access Tokens
  • mTLS Client Authentication
  • Assertion Framework
  • SAML 2.0 Bearer Assertion Grant
  • JWT Bearer Assertion Grant
  • JWT Secured authorization requests (JAR)
  • JWT Secured authorization response mode (JARM)
  • Pushed Authorization requests
  • Dynamic Client Registration
  • OpenID
  • OpenID Discovery
  • OpenID Multiple Response types
  • OpenID Self Issued Tokens
  • OpenID Connect Dynamic Client Registration
  • OpenID Relying Party Initiated Logout

It can also be used with Rails (via the “rodauth-rails” gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

1.3.0 (02/04/2023)

Features

Self-Signed Issued Tokens

rodauth-oauth supports self-signed issued tokens, via the oidc_self_issued feature.

More info about the feature in the docs.

JARM

rodauth-oauth supports JWT-Secured Authorization Response Mode, also known as JARM, via the oauth_jwt_secured_authorization_response_mode feature.

More info about the feature in the docs.
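As an added illustration (not code from rodauth-oauth), this is the relying-party side of JARM: instead of plain query parameters, the authorization server returns a single "response" parameter holding a signed JWT, and the client must verify the signature, issuer, audience, expiry and state before trusting the authorization code inside it. The key pair, issuer and client id below are constructed for the example; a real client fetches the server's public key from its JWKS.

```ruby
require "openssl"
require "json"

# Constructed authorization-server key pair (example only; a real RP uses the AS JWKS).
AS_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + "=" * ((4 - str.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0")
end

# Builds the JARM "response" JWT as the authorization server would (used to construct a sample).
def build_jarm_response(claims, key)
  header = b64url(JSON.generate({ alg: "RS256", typ: "JWT" }))
  payload = b64url(JSON.generate(claims))
  sig = key.sign(OpenSSL::Digest.new("SHA256"), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Relying-party check: returns the authorization response params only if every
# JARM requirement holds; raises with the first failed check otherwise.
def verify_jarm_response(jwt, pub_key, issuer:, client_id:, expected_state:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = jwt.split(".")
  raise "malformed JWT" unless header_b64 && payload_b64 && sig_b64
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm: never let the token choose "none" or an HMAC alg.
  raise "unexpected alg" unless header["alg"] == "RS256"
  signed_part = "#{header_b64}.#{payload_b64}"
  valid = pub_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig_b64), signed_part)
  raise "bad signature" unless valid
  claims = JSON.parse(b64url_decode(payload_b64))
  raise "wrong issuer" unless claims["iss"] == issuer
  raise "wrong audience" unless claims["aud"] == client_id
  raise "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  # Binding the response to the state the client generated defeats response injection.
  raise "state mismatch" unless claims["state"] == expected_state
  claims.slice("code", "state", "error", "error_description")
end
```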

Improvements

fill_with_account_claims auth method

fill_with_account_claims is now exposed as an auth method. This allows it to be overridden to cover requirements such as aggregated and distributed claims. Here’s a link to the docs explaining how to do it.

oidc: only generate refresh token when offline_access scope is used.

When the oidc feature is used, refresh tokens are no longer generated by default; to obtain one, the offline_access scope needs to be requested in the respective authorization request, as the spec mandates.

oidc: implicit grant loaded by default

The oidc feature now loads the oauth_implicit_grant feature by default. This hadn’t been done before out of a wish to ship a secure integration by default, but spec compliance has since taken higher priority, and the implicit grant is a requirement of the spec.

Bugfixes
  • rails integration: ActiveRecord migration fixes:
    • use bigint for foreign keys;
    • fix index creation instruction that had the wrong syntax;
    • set precision 6 for default timestamps, to comply with AR defaults;
    • add missing code column to the oauth_pushed_requests table;
  • oidc: when using the id_token response type, or any composite response type including id_token, any response mode other than fragment now results in an invalid request.
