Sha256: cf328965b273c6d903975737c5878c56628ad116abdcc91db1daf82b90577bed

Contents?: true

Size: 977 Bytes

Versions: 6

Compression:

Stored size: 977 Bytes

Contents

### 1.3.2 (27/07/2023)

#### Improvements

* `require_signed_request_object` option for JAR (`oauth_jwt_secured_authorization_request` plugin) is now supported:
  * in the oauth server metadata endpoint
  * as a plugin config option (`oauth_require_signed_request_object`, defaults to `false`)
  * as an OAuth dynamic registration endpoint param (`require_signed_request_object`, requires corresponding column)
  * enforces JAR-based authorization, and does not allow unsigned JAR JWTs, when turned on.
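
The enforcement described above, sketched as an added example that is not rodauth-oauth's own code: a stand-alone gate that decides whether an authorization request may proceed. The names `jar_policy` and `sample_request_object`, the returned symbols and the sample JWTs are assumptions made for illustration.

```ruby
require "json"

# base64url helpers built on core pack/unpack (no padding, as in JWTs).
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.size % 4) % 4)
  padded.unpack1("m0") # strict: raises ArgumentError on invalid input
end

# Constructed sample request object; the signature segment is a placeholder.
def sample_request_object(alg)
  header = b64url_encode(JSON.generate({ "alg" => alg }))
  claims = b64url_encode(JSON.generate({ "client_id" => "example-client" }))
  "#{header}.#{claims}.#{alg == 'none' ? '' : 'placeholder-signature'}"
end

# Hypothetical policy gate (assumed names, not rodauth-oauth API).
# request_object: the JAR JWT from `request` (or a dereferenced JAR
# `request_uri`), or nil when the client sent plain query parameters.
def jar_policy(request_object, require_signed:)
  if request_object.nil?
    return require_signed ? :request_object_required : :plain_params_allowed
  end

  segments = request_object.split(".", -1) # -1 keeps an empty signature
  return :malformed unless segments.size == 3

  header = JSON.parse(b64url_decode(segments[0]))
  return :malformed unless header.is_a?(Hash)

  # Treat any casing of "none" and a stripped signature as unsigned.
  unsigned = header["alg"].to_s.casecmp?("none") || segments[2].empty?
  return :unsigned_rejected if require_signed && unsigned

  # Assumption: with the option off, unsigned objects pass this gate.
  unsigned ? :unsigned_accepted : :verify_signature
rescue JSON::ParserError, ArgumentError
  :malformed
end
```

A `:verify_signature` result only means the object claims to be signed; the signature still has to be verified against the client's registered keys before any claim is trusted.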

#### Bugfixes

* JWT decoding failed in circumstances where a declared encryption algo didn't have key/method declared.
* fix for when PAR (`oauth_pushed_authorization_request` feature) is used with JAR (`oauth_jwt_secured_authorization_request` plugin): the PAR `request_uri` param wasn't being removed when validating authorize request parameters, so the JAR logic evaluated it as a JAR `request_uri` (it is now correctly not taken into account in such a case).

Version data entries

6 entries across 6 versions & 1 rubygems

Version Path
rodauth-oauth-1.6.3 doc/release_notes/1_3_2.md
rodauth-oauth-1.6.2 doc/release_notes/1_3_2.md
rodauth-oauth-1.6.0 doc/release_notes/1_3_2.md
rodauth-oauth-1.5.0 doc/release_notes/1_3_2.md
rodauth-oauth-1.4.0 doc/release_notes/1_3_2.md
rodauth-oauth-1.3.2 doc/release_notes/1_3_2.md