RubyFlow The Ruby and Rails community linklog

×

The Ruby and Rails community linklog

Made a library? Written a blog post? Found a useful tutorial? Share it with the Ruby community here or just enjoy what everyone else has found!

rodauth-oauth 0.9.0 released (Client Credentials Grant, Dynamic Client Registration)

by Tiago

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers.

as simple as

rodauth do enable :oauth #, :oidc end

Among its features, it supports:

  • Authorization Code Grant
  • Refresh Token Grant
  • Implicit Grant
  • Client Credentials Grant
  • Device Code Grant
  • Token Revocation
  • Token Introspection
  • Auth Server Metadata
  • PKCE
  • JWT Access Tokens
  • Assertion Framework
  • SAML 2.0 Bearer Assertion Grant
  • JWT Bearer Assertion Grant
  • JWT secured authorization requests
  • Dynamic Client Registration
  • OpenID
  • OpenID Discovery
  • OpenID Multiple Response types
  • OpenID Connect Dynamic Client Registration
  • OpenID Relying Party Initiated Logout

It can also be used with Rails (via the “rodauth-rails” gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/ Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/ Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

0.9.0 (18/04/2022) Features Dynamic client registration

rodauth-oauth now supports the Oauth Dynamic client registration RFC, via the oauth_dynamic_client_registration feature; it also supports the OpenID variant, via the oidc_dynamic_client_registration feature.

With it, you now have the option to enable API-driven client application registration.

Client Credentials grant

rodauth-oauth now supports the Client Credentials grant, via the oauth_client_credentials_grant feature.

Improvements OAuth Applications & Tokens paginated list pages

The management dashboards for OAuth Applications & Tokens were loading the full dataset into the HTML view. They’ll now only show 20 records by default, and present pagination links to navigate across pages (for the default templates).

More Oauth Application properties

As a result of implementing “OAuth Dynamic client registration”, new functionality is unlocked when the following database columns are set on the oauth applications table:

  • token_endpoint_auth_method - enables oauth application-scoped verification of used client authentication method.
  • grant_types - scopes the supported grant types for the given application.
  • response_type - scopes the supported response types for the given application.
  • logo_uri - stores an image link which can be used to load and display a logo in the authorization form.
  • tos_uri - stores a link to the oauth application “Terms of Service” page.
  • policy_uri - stores a link to the oauth application “Policy” page.
  • jwks_uri - stores a link where to load the oauth application JWKs from.
  • jwks - stores the JWKS from the oauth application.
  • contacts stores the contacts.
  • software_id - stores the software unique identifier.
  • software_version - stores the software version for the unique identifier.
  • subject_type - stores the subject type used for calculating the JWT sub claim for the applicatiion.
  • request_object_signing_alg - stores the signing algorithm which request objects coming from the application will be signed with.
  • request_object_encryption_alg - stores the encryption algorithm which request objects coming from the application will be encrypted with.
  • request_object_encryption_enc - stores the encryption method which request objects coming from the application will be encrypted with.
  • id_token_signed_response_alg - stores the signing algorithm which id tokens from the application will be signed with.
  • id_token_encrypted_response_alg - stores the encryption algorithm which id tokens from the application will be encrypted with.
  • id_token_encrypted_response_enc - stores the encryption method which id tokens from the application will be encrypted with.
  • userinfo_signed_response_alg - stores the signing algorithm which JWT-encoded userinfo payloads from the application will be signed with.
  • userinfo_encrypted_response_alg - stores the encryption algorithm which JWT-encoded userinfo payloads from the application will be encrypted with.
  • userinfo_encrypted_response_enc - stores the encryption method which JWT-encoded userinfo payloads from the application will be encrypted with.
TTL Store has finer grained lock

The TTL Store, used for the JWKs cache rotation p.ex., had a lock around the section which would involve the HTTP request for the JWKs, which would block the process for the duration of it. The lock has been removed around that area, and if two requests happen for the same URL, first one wins.

Deprecations and breaking changes
  • (oauth_jwt plugin) :oauth_jwt_algorithm option default is now "RS256" (previous one was "HS256", and yes, this an assymetric cryptography move).
  • (oauth_jwt plugin) jws_jwk option (and all the labels and params) is deprecated.

Post a comment

You can use basic HTML markup (e.g. <a>) or Markdown.

As you are not logged in, you will be
directed via GitHub to signup or sign in