[ANN] rodauth-oauth 1.5.0 released
rodauth-oauth 1.5.0 has been released.
rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Connect Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:
Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP, Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP
Getting started is as simple as:

    rodauth do
      enable :oauth_authorization_code_grant # or enable :oidc
    end
Among its features, it supports:
- Authorization Code Grant
- Refresh Token Grant
- Implicit Grant
- Client Credentials Grant
- Device Code Grant
- Token Revocation
- Token Introspection
- Auth Server Metadata
- PKCE
- Resource Indicators
- JWT Access Tokens
- mTLS Client Authentication
- Assertion Framework
- SAML 2.0 Bearer Assertion Grant
- JWT Bearer Assertion Grant
- JWT Secured authorization requests (JAR)
- JWT Secured authorization response mode (JARM)
- Pushed Authorization requests (PAR)
- Demonstrating Proof-of-Possession at the Application Layer (DPoP)
- Dynamic Client Registration
- OpenID
- OpenID Discovery
- OpenID Multiple Response types
- OpenID Self Issued Tokens
- OpenID Connect Dynamic Client Registration
- OpenID Session Management
- OpenID RP Initiated Logout
- OpenID Frontchannel Logout
- OpenID Backchannel Logout
It can also be used with Rails (via the “rodauth-rails” gem).
Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline
These are the release notes since the last update:
1.5.0 Highlights

OAuth DPoP Support

rodauth-oauth supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the oauth_dpop feature. This binds an access token to a key pair held by the client: every request presents a proof JWT signed with the client's private key, and the server only honours the token when that key matches the one the token was issued to. A bearer token stolen from a log or from the wire is therefore not usable by a party that does not also hold the private key. More info about the feature in the docs.
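The binding described above, as an added example that is not rodauth-oauth's own code and does not use the oauth_dpop feature: a minimal DPoP (RFC 9449) proof builder and verifier written against Ruby's standard library only. It assumes RS256 proofs, a constructed opaque access token, an in-memory set of seen jti values, and a resource server that receives the token's cnf.jkt claim out of band (in practice from a JWT access token or from introspection). The module name DpopDemo and all function names are this example's, not the library's.

```ruby
# Added example (not rodauth-oauth's code): minimal DPoP proof build/verify with
# Ruby's stdlib only. Assumes RS256 proofs and a constructed opaque access token.
require "openssl"
require "json"
require "digest"
require "securerandom"
require "set"

module DpopDemo
  module_function

  def b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def b64url_decode(str)
    (str + "=" * ((4 - str.length % 4) % 4)).tr("-_", "+/").unpack1("m0")
  end

  # Public JWK of an RSA key; only public members ever go into a proof header.
  def public_jwk(key)
    { "e" => b64url(key.e.to_s(2)), "kty" => "RSA", "n" => b64url(key.n.to_s(2)) }
  end

  # RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order,
  # no whitespace. This is what an authorization server stores in the token's cnf.jkt.
  def thumbprint(jwk)
    b64url(Digest::SHA256.digest(JSON.generate({ "e" => jwk["e"], "kty" => jwk["kty"], "n" => jwk["n"] })))
  end

  # Rebuild the RSA public key from a JWK by wrapping n/e in a SubjectPublicKeyInfo.
  def rsa_from_jwk(jwk)
    rsa_public = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)),
      OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk["e"]), 2))
    ])
    spki = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId("rsaEncryption"), OpenSSL::ASN1::Null(nil)]),
      OpenSSL::ASN1::BitString(rsa_public.to_der)
    ])
    OpenSSL::PKey::RSA.new(spki.to_der)
  end

  # Client side: one fresh proof per HTTP request. Resource requests also commit
  # to the access token through "ath" (SHA-256 of the token).
  def build_proof(key, method:, uri:, access_token: nil)
    header  = { "typ" => "dpop+jwt", "alg" => "RS256", "jwk" => public_jwk(key) }
    payload = { "jti" => SecureRandom.uuid, "htm" => method, "htu" => uri, "iat" => Time.now.to_i }
    payload["ath"] = b64url(Digest::SHA256.digest(access_token)) if access_token
    input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{input}.#{b64url(key.sign('SHA256', input))}"
  end

  # Server side: check the proof against the request actually received.
  # Returns the proving key's thumbprint; raises on the first failed check.
  def verify_proof(proof, method:, uri:, access_token: nil, seen_jtis: Set.new, max_skew: 300)
    h, p, s, extra = proof.split(".")
    raise "malformed proof" if !s || extra
    header  = JSON.parse(b64url_decode(h))
    payload = JSON.parse(b64url_decode(p))
    raise "wrong typ" unless header["typ"] == "dpop+jwt"
    raise "unsupported alg" unless header["alg"] == "RS256" # never "none" or an HMAC alg
    jwk = header["jwk"]
    raise "missing or non-RSA jwk" unless jwk.is_a?(Hash) && jwk["kty"] == "RSA"
    raise "private member in jwk" if jwk.key?("d")
    raise "bad signature" unless rsa_from_jwk(jwk).verify("SHA256", b64url_decode(s), "#{h}.#{p}")
    raise "htm mismatch" unless payload["htm"] == method
    raise "htu mismatch" unless payload["htu"] == uri
    raise "stale proof" unless (Time.now.to_i - payload["iat"].to_i).abs <= max_skew
    raise "missing jti" unless (jti = payload["jti"]).is_a?(String)
    raise "replayed proof" if seen_jtis.include?(jti)
    seen_jtis << jti
    raise "ath mismatch" if access_token && payload["ath"] != b64url(Digest::SHA256.digest(access_token))
    thumbprint(jwk)
  end

  # Resource server: a DPoP-bound token carries cnf.jkt; accept the request only
  # when the key that signed the proof has that thumbprint.
  def authorize_request(token_claims, proof, method:, uri:, access_token:, seen_jtis:)
    jkt = verify_proof(proof, method: method, uri: uri, access_token: access_token, seen_jtis: seen_jtis)
    token_claims.dig("cnf", "jkt") == jkt
  end

  # Constructed scenario: legitimate client, attacker holding the stolen token but
  # not the key, and a replay of a proof the server has already consumed.
  def demo
    client_key, attacker_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
    token, uri = "constructed-opaque-access-token", "https://rs.example/resource"
    claims = { "cnf" => { "jkt" => thumbprint(public_jwk(client_key)) } } # set by the AS at token issuance
    seen   = Set.new
    good   = build_proof(client_key, method: "GET", uri: uri, access_token: token)
    stolen = build_proof(attacker_key, method: "GET", uri: uri, access_token: token)
    args   = { method: "GET", uri: uri, access_token: token, seen_jtis: seen }
    {
      legitimate:   authorize_request(claims, good, **args),
      stolen_token: authorize_request(claims, stolen, **args),
      replay:       (authorize_request(claims, good, **args) rescue false)
    }
  end
end
```

Two things a real server adds that this example leaves out: the htu comparison should be done on a normalised URI without query and fragment (RFC 9449 section 4.3), and the server can require a DPoP-Nonce it issued itself so that a proof cannot be pre-computed, which also lets it drop the jti store after the nonce rotates. The order of checks matters: the signature is verified with the key embedded in the proof, so the thumbprint of that key must be compared with cnf.jkt before anything else is trusted, which is exactly what authorize_request does.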
Improvements

All features managing cookies are now able to configure them as "session cookies" (i.e. removed on browser shutdown) by setting the expiration interval auth method to nil. This includes:

- oauth_prompt_login_interval (from the oidc feature)
- oauth_oidc_user_agent_state_cookie_expires_in (from the oidc_session_management feature)
- when using the oauth_token_introspection feature, the token_type has been fixed to show "Bearer" (instead of "access_token").