RubyFlow The Ruby and Rails community linklog

×

The Ruby and Rails community linklog

Made a library? Written a blog post? Found a useful tutorial? Share it with the Ruby community here or just enjoy what everyone else has found!

[ANN] rodauth-oauth 1.2.0 released

by Tiago

rodauth-oauth 1.2.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP.

as simple as

rodauth do enable :oauth_authorization_code_grant # or enable :oidc end

Among its features, it supports:

  • Authorization Code Grant
  • Refresh Token Grant
  • Implicit Grant
  • Client Credentials Grant
  • Device Code Grant
  • Token Revocation
  • Token Introspection
  • Auth Server Metadata
  • PKCE
  • Resource Indicators
  • JWT Access Tokens
  • mTLS Client Authentication
  • Assertion Framework
  • SAML 2.0 Bearer Assertion Grant
  • JWT Bearer Assertion Grant
  • JWT Secured authorization requests
  • Pushed Authorization requests
  • Dynamic Client Registration
  • OpenID
  • OpenID Discovery
  • OpenID Multiple Response types
  • OpenID Connect Dynamic Client Registration
  • OpenID Relying Party Initiated Logout

It can also be used with Rails (via the “rodauth-rails” gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/ Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/ Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

1.2.0 (13/02/2023) Features Pushed Authorization Requests (PAR)

RFC: https://datatracker.ietf.org/doc/html/rfc9126

rodauth-oauth supports Pushed Authorization Requests, via the :oauth_pushed_authorization_request feature.

More info about the feature in the wiki.

mTLS Client Auth (+ certificate-bound access tokens)

RFC: https://www.rfc-editor.org/rfc/rfc8705

The :oauth_tls_client_auth feature adds support for the variants of mTLS Client Authentication “PKI Mutual-TLS Method” and 2Self-Signed Certificate Mutual-TLS Method”. It also supports client certificate bound access tokens.

More about it in the wiki.

Dynamic Client Registration management

RFC: https://www.rfc-editor.org/rfc/rfc7592

Support for dynamci client registration management was added to the :oauth_dynamic_client_registration feature.

More info about it in the wiki.

Improvements
  • Support for 3rd-party initiated login was added, by including support for the initiate_login_uri attribute in the register route from the :oauth_dynamic_client_registration feature.
  • Support for multitenant resource ownership was added, here’s a description from the wiki.
Bugfixes
  • oidc: userinfo claims were not including claims with value false, such as "email_verified". This behaviour has been fixed, and only claims of value null are omitted.
1.1.0 (10/01/2023) Features Loopback Interface Redirection URI support

https://www.rfc-editor.org/rfc/rfc8252#section-7.3

Redirect URIs based on loopback addresses (“127.0.0.1”, “::1”) are now supported when used in an authorization request with an ephemeral port (@avdigrimm).

Post a comment

You can use basic HTML markup (e.g. <a>) or Markdown.

As you are not logged in, you will be
directed via GitHub to signup or sign in