Sha256: 4412b0b151c18d42984620404ab4c80a4dae453d8cd24f854dea1f67f0d6a3cc
Contents?: true
Size: 1.56 KB
Versions: 1
Compression:
Stored size: 1.56 KB
Contents
This version passes the conformance tests for the following OpenID Connect certification profiles:

* Basic certification
* Form-post basic certification
* Config certification
* Dynamic Config certification (`response_type=code`)

## Breaking Changes

* homepage url is no longer a client application required property.
* OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature.

## Features

* `oauth_jwt_secured_authorization_request` now supports a `request_uri` query param as well.
* `oidc` supports essential claims, via the `claims` authorization request query parameter.

## Improvements

* exposing `acr_values_supported` in the openid configuration.
* `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default).
* OIDC `offline_access` supported.

## Bugfixes

* JWT: "sub" is now always a string.
* `response_type` is now an authorization request required parameter (as per the RFC).
* `state` is now passed along when redirecting from authorization requests with `error`.
* access token can now be read from POST body or GET query params (as per the RFC).
* id token no longer shipping with claims with `null` value.
* id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC).
* support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).
* Set `iss` and `aud` claims in the Userinfo JWT response.
* Make sure errors are also delivered via form POST, when `response_mode=form_post`.
Version data entries
1 entries across 1 versions & 1 rubygems
Version | Path |
---|---|
rodauth-oauth-1.0.0.pre.beta2 | doc/release_notes/1_0_0_beta2.md |