CHANGELOG.md in rodauth-oauth-0.4.2 vs CHANGELOG.md in rodauth-oauth-0.4.3

- old
+ new

@@ -1,26 +1,30 @@ # CHANGELOG ## master -### 0.4.2 +### 0.4.3 (09/12/2020) +* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format. + +### 0.4.2 (24/11/2020) + ### Bugfixes -* database entensions were being run in resource server mode, when it's not expected that the oauth db tables are around. +* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around. -### 0.4.1 +### 0.4.1 (24/11/2020) ### Improvements When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources. ### Bugfixes -* An error ocurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code. +* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code. -### 0.4.0 +### 0.4.0 (13/11/2020) ### Features * A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token. 
@@ -35,11 +39,11 @@ * The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box; * rails tests were silently not running in CI; * The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted; -### 0.3.0 +### 0.3.0 (8/10/2020) #### Features * `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also, refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked. @@ -64,11 +68,11 @@ Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed. Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet). -### 0.2.0 +### 0.2.0 (9/9/2020) #### Features ##### SAML Assertion Grant Type @@ -108,14 +112,12 @@ #### Chore * 97.7% test coverage; * `rodauth-oauth` CI tests run against sqlite, postgresql and mysql. -### 0.1.0 +### 0.1.0 (31/7/2020) -(31/7/2020) - #### Features ##### OpenID `rodauth-oauth` now ships with support for [OpenID Connect](https://openid.net/connect/). In order to enable, you have to: 
@@ -156,14 +158,12 @@ * Authorization request submission can receive the `scope` as an array of values now, instead of only dealing with receiving a white-space separated list. * fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`). -### 0.0.6 +### 0.0.6 (6/7/2020) -(6/7/2020) - #### Features The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed). ###### Options: @@ -181,14 +181,12 @@ #### Chore Removed React Javascript from example applications. -### 0.0.5 +### 0.0.5 (26/6/2020) -(26/6/2020) - #### Features * new option: `oauth_scope_separator` (default: `" "`), to define how scopes are stored; ##### Resource Server mode @@ -220,14 +218,12 @@ #### Chore * option `scopes_param` renamed to `scope_param`; * -## 0.0.4 +## 0.0.4 (13/6/2020) -(13/6/2020) - ### Features #### Token introspection `rodauth-oauth` now ships with an introspection endpoint (`/oauth-introspect`). @@ -259,14 +255,12 @@ ### Bugfixes * Fixed scope claim of JWT ("scopes" -> "scope"); -## 0.0.3 +## 0.0.3 (5/6/2020) -(5/6/2020) - ### Features #### `:oauth_http_mac` A new feature builds on top of `:oauth` to allow MAC authorization. 
@@ -293,14 +287,12 @@ * added options for disabling pkce and access type (respectively, `use_oauth_pkce?` and `use_oauth_access_type?`); * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`; * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...); -## 0.0.2 +## 0.0.2 (29/5/2020) -(29/5/2020) - ### Features * Implementation of PKCE by OAuth Public Clients (https://tools.ietf.org/html/rfc7636); * Implementation of grants using "access_type" and "approval_prompt" ([similar to what Google OAuth 2.0 API does](https://wiki.scn.sap.com/wiki/display/Security/Access+Google+APIs+using+the+OAuth+2.0+Client+API)); @@ -311,10 +303,8 @@ ### Fix * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE). -## 0.0.1 - -(14/5/2020) +## 0.0.1 (14/5/2020) Initial implementation of the Oauth 2.0 framework, with an example app done using roda. \ No newline at end of file
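Review bot: The new 0.4.3 entry in the first hunk (@@ -1,26 +1,30 @@) is written in the present tense, "are not correctly encoding the body", so it reads as an open defect rather than a fix. Unlike the 0.4.2 and 0.4.1 entries below it, it also sits directly under the version heading with no `### Bugfixes` subsection. Suggest adding that subsection and stating the corrected behaviour, for example that introspection requests sent in "resource server" mode now encode the body as "application/x-www-form-urlencoded", so anyone running a resource server can tell what changed in this release.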
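Review bot: The date added at `### 0.3.0 (8/10/2020)` in the second hunk (@@ -35,11 +39,11 @@) is ambiguous between day/month and month/day. The dates added across the patch are also not in one format: `09/12/2020` is zero-padded while `8/10/2020`, `6/7/2020` and `5/6/2020` are not. Entries such as `24/11/2020` and `31/7/2020` show the intent is day first, so an unambiguous form such as `2020-10-08` in every heading would remove the guesswork when matching a release to a fix.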
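Review bot: In the hunk at @@ -220,14 +218,12 @@ the rewritten heading stays at level two, `## 0.0.4 (13/6/2020)`, while every release from 0.0.5 up to 0.4.3 is a `###` heading under `## master`. The later hunks leave 0.0.3, 0.0.2 and 0.0.1 at `##` as well. Since these heading lines are being touched anyway, bring them to the same level as the newer releases. The context line just above `## 0.0.4` also carries an empty `*` bullet after the `scope_param` rename entry, which can be dropped in the same pass.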
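Review bot: The last hunk (@@ -311,10 +303,8 @@) still ends with `\ No newline at end of file` after the "Initial implementation" line. Add a trailing newline to CHANGELOG.md so later appends do not show that line as modified.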