## 1.4.0 (08/11/2023)

## Highlights

rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following logout profiles:

* Session Management OP
* RP-Initiated Logout OP
* Front-Channel Logout OP
* Back-Channel Logout OP

The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com).

## Features

### OIDC logout features

`rodauth-oauth` ships with the following new features:

* `oidc_sesssion_management` - enables [OIDC session management](https://openid.net/specs/openid-connect-session-1_0.html)
* `oidc_frontchannel_logout` - enables [OIDC frontchannel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
* `oidc_backchannel_logout` - enables [OIDC backchannel logout](https://openid.net/specs/openid-connect-backchannel-1_0.html)

which, along with the existing `oidc_rp_initiated_logout`, implemment all OIDC logout profiles.

## Breaking changes

If you're using `oidc`, the dependency on `account_expiration` has been replaced by the `active_sessions` rodauth feature. This change is required because it fixes bugs associated with accounts expiring in order for id token invalidation to work.

If you're migrating, it's recommended that you keep depending on `account_expiration` during the transition, add `active_sessions` tables as per [rodauth specs](https://github.com/jeremyevans/rodauth/blob/master/spec/migrate/001_tables.rb#L150), and run them alongside one another for the max period ID tokens should be valid, after which you can remove `account_expiration` and its tables.

Some `auth_value_methods` were changed to `auth_methods` everywhere where it made sense. If you were overriding them, you'll have to wrap them in a block:

```ruby
# in 1.3.2
oauth_jwt_issuer "http://myissuer.com"
# in 1.4.0
oauth_jwt_issuer { "http://myissuer.com" }
```

## Improvements

### OAuth SAML Bearer Grant per oauth application settings

The `oauth_saml_bearer_grant` feature requires a new table/resource, SAML settings, which enable "per client applicatioon" SAML settings, and therefore, make this feature usable in enterprise/multi-tenancy scenarios.

## Bugfixes

* remove `html_safe` usage in rails views to prevent XSS in the authorize form.
* fixed for OIDC RFC 5.4 when requesting claims using scope values
* `oauth_rp_initiated_logout` does not crash anymore on logout requests with `id_token_hint`
* `oauth_rp_initiated_logout` now works with response types other than `code`
* `oauth_rp_initiated_logout` emits an ID token hint invalid message when not able to decode the `id_token_hint`

## Chore

* `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.