RubyFlow The Ruby and Rails community linklog

[ANN] rodauth-oauth 1.4.0 released

rodauth-oauth 1.4.0 has been released.

rodauth-oauth is a rack-compatible toolkit for building OAuth 2.0 authorization servers, as well as OpenID Authentication Providers. rodauth-oauth is certified for the following profiles of the OpenID Connect™ protocol:

Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP, 3rd Party Init OP, Session Management OP, RP-Initiated Logout OP, Front-Channel OP, Back-Channel OP

Enabling it is as simple as:

  rodauth do
    enable :oauth_authorization_code_grant # or enable :oidc
  end

Among its features, it supports:

  • Authorization Code Grant
  • Refresh Token Grant
  • Implicit Grant
  • Client Credentials Grant
  • Device Code Grant
  • Token Revocation
  • Token Introspection
  • Auth Server Metadata
  • PKCE
  • Resource Indicators
  • JWT Access Tokens
  • mTLS Client Authentication
  • Assertion Framework
  • SAML 2.0 Bearer Assertion Grant
  • JWT Bearer Assertion Grant
  • JWT Secured authorization requests (JAR)
  • JWT Secured authorization response mode (JARM)
  • Pushed Authorization requests
  • Dynamic Client Registration
  • OpenID
  • OpenID Discovery
  • OpenID Multiple Response types
  • OpenID Self Issued Tokens
  • OpenID Connect Dynamic Client Registration
  • OpenID Session Management
  • OpenID RP Initiated Logout
  • OpenID Frontchannel Logout
  • OpenID Backchannel Logout

It can also be used with Rails (via the “rodauth-rails” gem).

Website: https://honeyryderchuck.gitlab.io/rodauth-oauth/
Documentation: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
Wiki: https://gitlab.com/honeyryderchuck/rodauth-oauth/wikis/home
CI: https://gitlab.com/honeyryderchuck/rodauth-oauth/pipeline

These are the release notes since the last update:

1.4.0 (08/11/2023)

Highlights

rodauth-oauth is now OpenID certified for the following logout profiles:

  • Session Management OP
  • RP-Initiated Logout OP
  • Front-Channel Logout OP
  • Back-Channel Logout OP

The OIDC server used to run the test can be found here and deployed here.

Features

OIDC logout features

rodauth-oauth ships with the following new features:

which, along with the existing oidc_rp_initiated_logout, implement all OIDC logout profiles.

Breaking changes

If you’re using oidc, the dependency on account_expiration has been replaced by the active_sessions rodauth feature. This change is required because it fixes bugs associated with relying on account expiration for ID token invalidation.

If you’re migrating, it’s recommended that you keep depending on account_expiration during the transition: add the active_sessions tables as per the rodauth specs, run both features alongside one another for the maximum period ID tokens are allowed to remain valid, and only then remove account_expiration and its tables.

Improvements

OAuth SAML Bearer Grant per oauth application settings

The oauth_saml_bearer_grant feature requires a new table/resource, SAML settings, which enables “per client application” SAML settings and therefore makes this feature usable in enterprise/multi-tenancy scenarios.

Bugfixes

  • remove html_safe usage in rails views to prevent XSS in the authorize form.
  • fix for OIDC Core section 5.4 (requesting claims using scope values)
  • oauth_rp_initiated_logout does not crash anymore on logout requests with id_token_hint
  • oauth_rp_initiated_logout now works with response types other than code
  • oauth_rp_initiated_logout emits an "ID token hint invalid" message when it is not able to decode the id_token_hint

Chore

  • Using auth_methods everywhere auth_value_methods was used and didn’t make sense.
  • oauth_tls_client_auth no longer depends on the oauth_jwt feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.

1.3.2 (27/07/2023)

Improvements

  • require_signed_request_object option for JAR (oauth_jwt_secured_authorization_request plugin) is now supported:
    • in the oauth server metadata endpoint
    • as a plugin config option (oauth_require_signed_request_object, defaults to false)
    • as an oauth dynamic registration endpoint param (require_signed_request_object, requires the corresponding column)
    • enforces JAR-based authorization, and does not allow unsigned JAR JWTs, when turned on.

Bugfixes

  • JWT decoding failed in circumstances where a declared encryption algo didn’t have a key/method declared.
  • fix for when PAR (oauth_pushed_authorization_request feature) is used with JAR (oauth_jwt_secured_authorization_request plugin): the PAR request_uri param wasn’t being removed when validating authorize request parameters, so the JAR logic evaluated it as a JAR request_uri (it is now correctly not taken into account in that case);
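The two 1.3.2 points above (require_signed_request_object enforcement, and a PAR request_uri not being mistaken for a JAR request_uri), as an added example that is not rodauth-oauth's own code: a standard-library-only Ruby model of the authorize-request checks. The in-memory PAR store, the fetch_request_uri callback used for by-reference request objects, and the sample tokens are assumptions of the example; error codes follow RFC 9101/9126.

```ruby
require "json"
PAR_URI_PREFIX = "urn:ietf:params:oauth:request_uri:" # request_uri form minted by a PAR endpoint (RFC 9126)

# base64url helpers built on String#pack/unpack so the example needs no gems
def b64url_encode(str)
  [str].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str = str.tr("-_", "+/")
  (str + "=" * ((4 - str.length % 4) % 4)).unpack1("m0")
end

# Decoded JOSE header of a compact JWS, or nil when the token is not a 3-segment JWS
# (encrypted, 5-segment request objects are outside what this example covers).
def jws_header(token)
  parts = token.to_s.split(".", -1) # -1 keeps the empty signature segment of an unsecured JWT
  return nil unless parts.length == 3
  JSON.parse(b64url_decode(parts[0]))
rescue ArgumentError, JSON::ParserError, EncodingError
  nil
end

# True only for a request object whose header names a real signature algorithm.
def signed_request_object?(token)
  header = jws_header(token)
  header.is_a?(Hash) && header["alg"].to_s.downcase != "none"
end
# 1. A PAR request_uri is resolved from the PAR store (single use) and dropped from the params,
#    so the JAR step never treats it as a by-reference request object.
# 2. With require_signed_request_object on (server option, overridable per client), a request
#    object must be present and must not be unsigned. Returns [:ok, params] or [:error, code].
def validate_authorize_request(params, par_store:, client: {}, server_require_signed: false,
                               fetch_request_uri: ->(_uri) { nil })
  params = params.dup
  if (uri = params["request_uri"]) && uri.start_with?(PAR_URI_PREFIX)
    stored = par_store.delete(uri)
    return [:error, "invalid_request_uri"] unless stored
    params = params.merge(stored).tap { |p| p.delete("request_uri") } # pushed values win
  end
  return [:ok, params] unless client.fetch("require_signed_request_object", server_require_signed)
  request_object = params["request"] || (params["request_uri"] && fetch_request_uri.call(params["request_uri"]))
  return [:error, "invalid_request"] if request_object.nil? # JAR is mandatory once enforced
  return [:error, "invalid_request_object"] unless signed_request_object?(request_object)
  [:ok, params]
end
# Constructed sample request objects (not real credentials): same claims, different alg.
SIGNED_JAR   = [b64url_encode('{"alg":"RS256","kid":"k1"}'), b64url_encode('{"client_id":"app1"}'), b64url_encode("sig")].join(".")
UNSIGNED_JAR = [b64url_encode('{"alg":"none"}'), b64url_encode('{"client_id":"app1"}'), ""].join(".")
```

The signed token is only checked for a non-"none" algorithm here; the actual signature verification against the client's registered keys happens in the JWT layer afterwards.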
1.3.1 (27/06/2023)

Bugfixes

  • Set a 401 error response when the client_id parameter is invalid or belongs to a nonexistent client application, instead of failing with a 500 (@igor-alexandrov).
  • update the rails authorize form to use roda request params instead, as plain params were breaking JAR and PAR-based authorize forms in rails applications.

Chore

  • set :padding to false in Base64.urlsafe_encode64 calls (@felipe.zavan)
