RubyFlow The Ruby and Rails community linklog

[ANN] rodauth-oauth 1.5.0 released

rodauth-oauth 1.5.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP, Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP

Setting one up is as simple as:

    rodauth do
      enable :oauth_authorization_code_grant # or enable :oidc
    end

Among its features, it supports:

  • Authorization Code Grant
  • Refresh Token Grant
  • Implicit Grant
  • Client Credentials Grant
  • Device Code Grant
  • Token Revocation
  • Token Introspection
  • Auth Server Metadata
  • PKCE
  • Resource Indicators
  • JWT Access Tokens
  • mTLS Client Authentication
  • Assertion Framework
  • SAML 2.0 Bearer Assertion Grant
  • JWT Bearer Assertion Grant
  • JWT Secured authorization requests (JAR)
  • JWT Secured authorization response mode (JARM)
  • Pushed Authorization requests (PAR)
  • Demonstrating Proof-of-Possession at the Application Layer (DPoP)
  • Dynamic Client Registration
  • OpenID
  • OpenID Discovery
  • OpenID Multiple Response types
  • OpenID Self Issued Tokens
  • OpenID Connect Dynamic Client Registration
  • OpenID Session Management
  • OpenID RP Initiated Logout
  • OpenID Frontchannel Logout
  • OpenID Backchannel Logout

It can also be used with Rails (via the “rodauth-rails” gem).

Website: Documentation: Wiki: CI:

These are the release notes since the last update:

1.5.0

Highlights

OAuth DPoP Support

rodauth-oauth supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the oauth_dpop feature. This provides a mechanism to bind access tokens to a particular client based on public key cryptography.

More info about the feature in the docs.
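To make the binding concrete, here is an added example (written for this page, not rodauth-oauth's own code; all function names, the access token string and the URL are hypothetical) that builds a DPoP proof JWT on the client side with Ruby's stdlib and then runs the checks a resource server performs before honouring a DPoP-bound token, per RFC 9449: proof type and algorithm, signature under the public key embedded in the proof, HTTP method and URL binding, freshness, single use of the jti, the ath hash of the access token, and finally that the proof key's thumbprint equals the token's cnf.jkt. The walk-through shows a genuine request accepted, the same proof rejected at a different URL and on replay, and a stolen token rejected when presented with a proof signed by a different key.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "set"

# Added example: the shape of a DPoP proof (RFC 9449) and the checks a server
# runs before trusting it. Not rodauth-oauth's implementation; all names here
# are hypothetical and the access token / URL are constructed sample values.

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Public JWK (RFC 7517) for an RSA key: only the public members n and e.
def public_jwk(rsa)
  { "kty" => "RSA", "n" => b64url(rsa.n.to_s(2)), "e" => b64url(rsa.e.to_s(2)) }
end

# JWK thumbprint (RFC 7638): SHA-256 of the required members, serialised with
# keys in lexicographic order and no whitespace. This is the value the access
# token's cnf.jkt claim carries.
def jwk_thumbprint(jwk)
  canonical = JSON.generate("e" => jwk["e"], "kty" => jwk["kty"], "n" => jwk["n"])
  b64url(OpenSSL::Digest::SHA256.digest(canonical))
end

# Rebuild an OpenSSL public key from the JWK embedded in the proof header
# (wrapped as SubjectPublicKeyInfo DER so OpenSSL::PKey.read accepts it).
def jwk_to_pkey(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  rsa_pub = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n), OpenSSL::ASN1::Integer.new(e)])
  alg = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new("rsaEncryption"), OpenSSL::ASN1::Null.new(nil)])
  OpenSSL::PKey.read(OpenSSL::ASN1::Sequence.new([alg, OpenSSL::ASN1::BitString.new(rsa_pub.to_der)]).to_der)
end

# Minimal RS256 JWS compact serialisation (RFC 7515) for the demonstration.
def jws_sign(header, payload, key)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
end

def jws_parts(jws)
  h, p, s = jws.split(".", 3)
  [JSON.parse(b64url_decode(h)), JSON.parse(b64url_decode(p)), b64url_decode(s), "#{h}.#{p}"]
end

# Client side: one proof per request, bound to method + URL and (for resource
# requests) to the access token through the ath claim.
def dpop_proof(client_key, method:, url:, access_token: nil, now: Time.now.to_i)
  header = { "typ" => "dpop+jwt", "alg" => "RS256", "jwk" => public_jwk(client_key) }
  payload = { "jti" => SecureRandom.uuid, "htm" => method, "htu" => url, "iat" => now }
  payload["ath"] = b64url(OpenSSL::Digest::SHA256.digest(access_token)) if access_token
  jws_sign(header, payload, client_key)
end

# Resource server side: returns [true, nil] or [false, reason].
def verify_dpop_proof(proof, method:, url:, access_token:, cnf_jkt:, seen_jtis:, now: Time.now.to_i, max_age: 300)
  header, payload, sig, signing_input = jws_parts(proof)
  jwk = header["jwk"]
  return [false, :bad_typ] unless header["typ"] == "dpop+jwt"
  return [false, :bad_alg] unless header["alg"] == "RS256"          # never "none" or an HMAC alg
  return [false, :no_jwk] unless jwk.is_a?(Hash) && jwk["kty"] == "RSA"
  return [false, :private_key_in_jwk] if jwk.key?("d")               # a proof carries only the public key
  return [false, :bad_signature] unless jwk_to_pkey(jwk).verify(OpenSSL::Digest.new("SHA256"), sig, signing_input)
  return [false, :htm_mismatch] unless payload["htm"] == method
  return [false, :htu_mismatch] unless payload["htu"] == url
  return [false, :stale] unless payload["iat"].is_a?(Integer) && (now - payload["iat"]).abs <= max_age
  return [false, :replayed] unless payload["jti"].is_a?(String) && seen_jtis.add?(payload["jti"])
  return [false, :ath_mismatch] unless payload["ath"] == b64url(OpenSSL::Digest::SHA256.digest(access_token))
  return [false, :key_not_bound] unless jwk_thumbprint(jwk) == cnf_jkt
  [true, nil]
end

# Walk through the happy path and the failure modes DPoP exists to catch.
def demo
  client_key = OpenSSL::PKey::RSA.new(2048)
  jkt = jwk_thumbprint(public_jwk(client_key))
  access_token = "constructed-sample-access-token"       # a real one is a JWT carrying cnf: { jkt: jkt }
  url = "https://api.example.test/resource"              # constructed sample URL
  seen = Set.new
  args = { method: "GET", url: url, access_token: access_token, cnf_jkt: jkt, seen_jtis: seen }

  proof = dpop_proof(client_key, method: "GET", url: url, access_token: access_token)
  genuine = verify_dpop_proof(proof, **args)
  wrong_url = verify_dpop_proof(proof, **args.merge(url: "https://api.example.test/other"))
  replay = verify_dpop_proof(proof, **args)

  other_key = OpenSSL::PKey::RSA.new(2048)               # token presented with a key it was not issued to
  other_proof = dpop_proof(other_key, method: "GET", url: url, access_token: access_token)
  rebound = verify_dpop_proof(other_proof, **args)

  { genuine: genuine, wrong_url: wrong_url, replay: replay, other_key: rebound }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The order of checks matters for the defender: the signature is verified with the key inside the proof before anything else is trusted, and only after the proof is otherwise valid is its thumbprint compared with the token's cnf.jkt, so a leaked token is useless without the private key it was bound to. The jti set must be shared across server instances (a database or cache with a TTL equal to max_age) for the replay check to hold in production.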

All features managing cookies are now able to configure them as “session cookies” (i.e. removed on browser shutdown) by setting the expiration interval auth method to nil. This includes:

  • oauth_prompt_login_interval (from the oidc feature)
  • oauth_oidc_user_agent_state_cookie_expires_in (from the oidc_session_management feature)

Also in this release: when using the oauth_token_introspection feature, the token_type has been fixed to show “Bearer” (instead of “access_token”).
