CHANGELOG.md in rodauth-oauth-0.4.3 vs CHANGELOG.md in rodauth-oauth-0.5.0
- old
+ new
@@ -1,42 +1,54 @@
# CHANGELOG
## master
+### 0.5.0 (08/02/2021)
+
+#### RP-Initiated Logout
+
+The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
+
+#### Security
+
+The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
+
+A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
+
### 0.4.3 (09/12/2020)
* Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.
### 0.4.2 (24/11/2020)
-### Bugfixes
+#### Bugfixes
* database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.
### 0.4.1 (24/11/2020)
-### Improvements
+#### Improvements
When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
-### Bugfixes
+#### Bugfixes
* An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
### 0.4.0 (13/11/2020)
-### Features
+#### Features
* A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
* The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
-### Improvements
+#### Improvements
* For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
-### Bugfixes
+#### Bugfixes
* The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
* rails tests were silently not running in CI;
* The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
\ No newline at end of file
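Review bot: The default `generate_jti(claims)` described in the 0.5.0 Security entry hashes only the `aud` and `iat` claims together, which yields the same `jti` for every token issued to the same audience within the same `iat` second, so the identifier is not unique and the replay protection this entry claims is weaker than stated. Suggest the default also mix in a random per-token component (or the subject and a nonce), and that the entry name which claims are now verified (e.g. `exp`, `iss`, `aud`, `jti`) so operators upgrading can tell what is enforced; the phrase "verifies the claims of used JWT tokens" is too vague for a security fix note. Minor: the 0.4.3 context line reads "are not correctly encoding" where "were not" is meant, and the new 0.5.0 section has no blank line before `### 0.4.3`, unlike the other version headings.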