## 1.0.0 (15/12/2022) ## Highlights rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following certification profiles: * Basic OP * Implicit OP * Hybrid OP * Config OP * Dynamic OP * Form Post OP and passes the conformance tests for RP-Initiated Logout OP. The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com). ### Breaking changes The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/os85/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md). A short list of the main highlights: * Ruby 2.5 or higher is required. * `oauth_http_mac` feature removed. * `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter). * access and refresh tokens hashed by default when stored in the database. * default oauth response mode is `"form_post"`. * oauth specific features require explicit enablement of respective features (no more `enable :oauth`) * refresh token policy is "rotation" by default * homepage url is no longer a client application required property. * OIDC RP-initiated logout extracted into `oidc_rp_initiated_logout` feature. ### Features The following helpers are exposed in the `rodauth` object: * `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header. * `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header. When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers. #### `oauth_resource_server` plugin This plugin can be used as a convenience when configuring resource servers. #### JAR support for request_uri query param The `oauth_jwt_secured_authorization_request` plugin now supports a `request_uri` query param as well. #### OIDC features * The `oidc` plugin supports [essential claims](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter), via the `claims` authorization request query parameter. * id token built with `"c_hash"` and `"at_hash"` claims when they should. ### Improvements * `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim. * endpoint client authentication supports "client credentials grant" access tokens. * `acr_values_supported` exposed in the openid configuration. * `oauth_request_object_signing_alg_allow_none` enables `"none"` as an accepted request object signing alg when `true` (`false` by default). * OIDC `offline_access` supported. ### Bugfixes * fixed `oidc` calculation of `"auth_time"` claim. * JWT: "sub" is now always a string. * `response_type` is now an authorization request required parameter (as per the RFC). * `state` is now passed along when redirecting from authorization requests with `error`; * access token can now be read from POST body or GET query params (as per the RFC). * id token no longer shipping with claims with `null` value; * id token no longer encoding claims by default (only when `response_type=id_token`, as per the RFC). * support "JWT without kid" when doing jwt decoding for JWT tokens not generated in the provider (such as request objects). * Set `iss` and `aud` claims in the Userinfo JWT response. * Make sure errors are also delivered via form POST, when `response_mode=form_post`. * Authorization request now shows an error page when `response_type` or `client_id` are missing, or `redirect_uri` is missing or invalid; a new `"authorize_error"` template is invoked in such cases. * oidc: nonce present in id token when using the "id_token token" response type. * error parameter delivered in URL fragment when failing an implicit grant autorization request.