CHANGELOG.md in rodauth-oauth-0.0.6 vs CHANGELOG.md in rodauth-oauth-0.1.0

- old
+ new

@@ -1,11 +1,61 @@
 # CHANGELOG
 
 ## master
 
+### 0.1.0
+
+(31/7/2020)
+
+#### Features
+
+##### OpenID
+
+`rodauth-oauth` now ships with support for [OpenID Connect](https://openid.net/connect/). In order to enable, you have to:
+
+```ruby
+plugin :rodauth do
+  enable :oidc
+end
+```
+
+For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
+
+It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
+
+#### Improvements
+
+* JWT: `sub` claim now also handles "pairwise" subjects. For that, you have to set the `oauth_jwt_subject_type` option (`"public"` or `"pairwise"`) and `oauth_jwt_subject_secret` (will be used for salting the `sub` when the type is `"pairwise"`).
+* JWT: `auth_time` claim is now supported; if your application uses the `rodauth` feature `:account_expiration`, it'll use the `last_account_login_at` method, otherwise you can set the `last_account_login_at` option:
+
+```ruby
+last_account_login_at do
+  convert_timestamp(db[accounts_table].where(account_id_column => account_id).get(:that_column_where_you_keep_the_data))
+end
+```
+* JWT: `iss` claim now defaults to `authorization_server_url` when not defined;
+* JWT: `aud` claim now defaults to the token application's client ID (`client_id` claim was removed as a result);
+
+
+
+#### Breaking Changes
+
+`rodauth-oauth` URLs no longer have the `oauth-` prefix, so make sure you update your integrations accordingly, i.e. where you used to rely on `/oauth-authorize`, you'll have to use `/authorize`.
+
+URI schemes for client applications redirect URIs have to be `https`. In order to override this, set the `oauth_valid_uri_schemes` to an array of your expected URI schemes.
+
+
+#### Bugfixes
+
+* Authorization request submission can receive the `scope` as an array of values now, instead of only dealing with receiving a white-space separated list.
+* fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
+
+
 ### 0.0.6
 
+(6/7/2020)
+
 #### Features
 
 The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed).
 
 ###### Options:
@@ -23,12 +73,14 @@
 #### Chore
 
 Removed React Javascript from example applications.
 
 
-### 0.0.5 (26/6/2020)
+### 0.0.5
 
+(26/6/2020)
+
 #### Features
 
 * new option: `oauth_scope_separator` (default: `" "`), to define how scopes are stored;
 
 ##### Resource Server mode
@@ -60,12 +112,14 @@
 #### Chore
 
 * option `scopes_param` renamed to `scope_param`;
 *
 
-## 0.0.4 (13/6/2020)
+## 0.0.4
 
+(13/6/2020)
+
 ### Features
 
 #### Token introspection
 
 `rodauth-oauth` now ships with an introspection endpoint (`/oauth-introspect`).
@@ -97,12 +151,14 @@
 
 ### Bugfixes
 
 * Fixed scope claim of JWT ("scopes" -> "scope");
 
-## 0.0.3 (5/6/2020)
+## 0.0.3
 
+(5/6/2020)
+
 ### Features
 
 #### `:oauth_http_mac`
 
 A new feature builds on top of `:oauth` to allow MAC authorization.
@@ -129,12 +185,14 @@
 
 * added options for disabling pkce and access type (respectively, `use_oauth_pkce?` and `use_oauth_access_type?`);
 * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
 * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
 
-## 0.0.2 (29/5/2020)
+## 0.0.2
 
+(29/5/2020)
+
 ### Features
 
 * Implementation of PKCE by OAuth Public Clients (https://tools.ietf.org/html/rfc7636);
 * Implementation of grants using "access_type" and "approval_prompt" ([similar to what Google OAuth 2.0 API does](https://wiki.scn.sap.com/wiki/display/Security/Access+Google+APIs+using+the+OAuth+2.0+Client+API));
 
@@ -145,8 +203,10 @@
 
 ### Fix
 
 * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
 
-## 0.0.1 (14/5/2020)
+## 0.0.1
+
+(14/5/2020)
 
 Initial implementation of the Oauth 2.0 framework, with an example app done using roda.
\ No newline at end of file