## 0.10.0 (10/06/2022) ### Features #### Resource Indicators RFC: https://datatracker.ietf.org/doc/html/rfc8707 `rodauth-oauth` now supports Resource Indicators, via the optional `:oauth_resource_indicators` feature. #### JWT: extra options The following extra option values were added: * `oauth_jwt_jwe_keys` * `oauth_jwt_public_keys` * `oauth_jwt_jwe_public_keys` `:oauth_jwt_jwe_keys` should be used to store all provider combos of encryption keys, indexed by an algo/method tuple: ```ruby oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } } ``` The first element of the hash should indicate the preferred encryption mode, when no combination is specifically requested. It should be considered the most future-proof way of declaring JWE keys, and support for `oauth_jwt_jwe_key` and friends should be soon deprecated. Both `oauth_jwt_public_keys` and `oauth_jwt_jwe_public_keys` provide a way to declare multiple keys to be exposed as the provider JWKs in the `/jwks` endpoint. ### Improvements * Added translations for portuguese. #### OpenID Connect improvements * The `:oidc` feature now depends on `rodauth`'s [account_expiration](http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html) feature. Although a more-involved-somewhat-breaking change, it was required in order to keep track of account login event timestamps, necessary for correct `"auth_time"` calculation (see the first bugfix mention for more details, and Breaking Changes for migration path). * Support for the `ui_locales` parameter was added. This feature depends on the `:i18n` feature provided by [rodauth-i18n](https://github.com/janko/rodauth-i18n). * Support for the `claims_locales` parameter was added, in that the `get_oidc_param` and `get_additional_param`, when accepting a 3rd parameter, will be passed a locale code: ```ruby # given "claims_locales=en pt" get_oidc_param { |account, param, locale| } # will be called twice for the same param, one with locale as "en", another as "pt" get_oidc_param { |account, param| } # will be called once without locale ``` * Support for `max_age` parameter was added. * Support for `acr_values` parameter was added. When "phr", and a `rodauth` 2-factor feature (like [otp](http://rodauth.jeremyevans.net/rdoc/files/doc/otp_rdoc.html)) is enabled, the user will be requested for 2-factor authentication before performing the OpenID Authorization Request. When "phrh", and `rodauth`'s [webauthn_login](http://rodauth.jeremyevans.net/rdoc/files/doc/webauthn_login_rdoc.html) feature is enabled, the user will be requested for WebAuthn authentication before performing the OpenID Authorization Request. Any other acr values are considered provider-specific, and the `require_acr_value(acr_value)` option should be provided to deal with it (it'll be called after authentication is ensured and before the authorization request is processed). ### Bugfixes * reverted the `"auth_time"` calculation "fix" introduced in 0.9.3, which broke compliance with the RFC (the implementation prior to that was also broken, hence why `"account_expiration"` plugin was introduced as a dependency). ### Breaking Changes As you read already, the `"account_expiration"` feature is now required by default by `"oidc"`. In order to migrate to it, here's a suggested strategy: 1. Add the relevant database tables Add a migration looking roughly like this: ```ruby create_table(:account_activity_times) do foreign_key :id, :accounts, primary_key: true, type: Integer DateTime :last_activity_at, null: false DateTime :last_login_at, null: false DateTime :expired_at end ``` 2. Update and deploy `rodauth-oauth` 0.10.0 (Nothing required beyond `enable :oidc`.) 3. Set `:last_login_at` to a value. Like now. You can , for example, run this SQL: ```sql UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP; ``` --- That's it, nothing fancy or accurate. Yes, the `last_login_at` is wrong, but as sessions expire, it should go back to normal.