rodauth-oauth 0.7.4 → 0.9.1

Files changed (82)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +1 -424
  3. data/README.md +30 -390
  4. data/doc/release_notes/0_0_1.md +3 -0
  5. data/doc/release_notes/0_0_2.md +15 -0
  6. data/doc/release_notes/0_0_3.md +31 -0
  7. data/doc/release_notes/0_0_4.md +36 -0
  8. data/doc/release_notes/0_0_5.md +36 -0
  9. data/doc/release_notes/0_0_6.md +21 -0
  10. data/doc/release_notes/0_1_0.md +44 -0
  11. data/doc/release_notes/0_2_0.md +43 -0
  12. data/doc/release_notes/0_3_0.md +28 -0
  13. data/doc/release_notes/0_4_0.md +18 -0
  14. data/doc/release_notes/0_4_1.md +9 -0
  15. data/doc/release_notes/0_4_2.md +5 -0
  16. data/doc/release_notes/0_4_3.md +3 -0
  17. data/doc/release_notes/0_5_0.md +11 -0
  18. data/doc/release_notes/0_5_1.md +13 -0
  19. data/doc/release_notes/0_6_0.md +9 -0
  20. data/doc/release_notes/0_6_1.md +6 -0
  21. data/doc/release_notes/0_7_0.md +20 -0
  22. data/doc/release_notes/0_7_1.md +10 -0
  23. data/doc/release_notes/0_7_2.md +21 -0
  24. data/doc/release_notes/0_7_3.md +10 -0
  25. data/doc/release_notes/0_7_4.md +5 -0
  26. data/doc/release_notes/0_8_0.md +37 -0
  27. data/doc/release_notes/0_9_0.md +56 -0
  28. data/doc/release_notes/0_9_1.md +9 -0
  29. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb +25 -4
  30. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb +11 -0
  31. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb +20 -0
  32. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb +27 -10
  33. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application.html.erb +17 -5
  34. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_application_oauth_tokens.html.erb +39 -0
  35. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb +6 -5
  36. data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_tokens.html.erb +12 -15
  37. data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb +21 -1
  38. data/lib/rodauth/features/oauth.rb +3 -1418
  39. data/lib/rodauth/features/oauth_application_management.rb +225 -0
  40. data/lib/rodauth/features/oauth_assertion_base.rb +96 -0
  41. data/lib/rodauth/features/oauth_authorization_code_grant.rb +252 -0
  42. data/lib/rodauth/features/oauth_authorization_server.rb +0 -0
  43. data/lib/rodauth/features/oauth_base.rb +778 -0
  44. data/lib/rodauth/features/oauth_client_credentials_grant.rb +33 -0
  45. data/lib/rodauth/features/oauth_device_grant.rb +220 -0
  46. data/lib/rodauth/features/oauth_dynamic_client_registration.rb +252 -0
  47. data/lib/rodauth/features/oauth_http_mac.rb +3 -21
  48. data/lib/rodauth/features/oauth_implicit_grant.rb +59 -0
  49. data/lib/rodauth/features/oauth_jwt.rb +275 -100
  50. data/lib/rodauth/features/oauth_jwt_bearer_grant.rb +59 -0
  51. data/lib/rodauth/features/oauth_management_base.rb +68 -0
  52. data/lib/rodauth/features/oauth_pkce.rb +98 -0
  53. data/lib/rodauth/features/oauth_resource_server.rb +21 -0
  54. data/lib/rodauth/features/oauth_saml_bearer_grant.rb +102 -0
  55. data/lib/rodauth/features/oauth_token_introspection.rb +108 -0
  56. data/lib/rodauth/features/oauth_token_management.rb +79 -0
  57. data/lib/rodauth/features/oauth_token_revocation.rb +109 -0
  58. data/lib/rodauth/features/oidc.rb +38 -9
  59. data/lib/rodauth/features/oidc_dynamic_client_registration.rb +147 -0
  60. data/lib/rodauth/oauth/database_extensions.rb +15 -2
  61. data/lib/rodauth/oauth/jwe_extensions.rb +64 -0
  62. data/lib/rodauth/oauth/refinements.rb +48 -0
  63. data/lib/rodauth/oauth/ttl_store.rb +9 -3
  64. data/lib/rodauth/oauth/version.rb +1 -1
  65. data/locales/en.yml +33 -12
  66. data/templates/authorize.str +57 -8
  67. data/templates/client_secret_field.str +2 -2
  68. data/templates/description_field.str +1 -1
  69. data/templates/device_search.str +11 -0
  70. data/templates/device_verification.str +24 -0
  71. data/templates/homepage_url_field.str +2 -2
  72. data/templates/jwks_field.str +4 -0
  73. data/templates/jwt_public_key_field.str +4 -0
  74. data/templates/name_field.str +1 -1
  75. data/templates/new_oauth_application.str +9 -0
  76. data/templates/oauth_application.str +7 -3
  77. data/templates/oauth_application_oauth_tokens.str +52 -0
  78. data/templates/oauth_applications.str +3 -2
  79. data/templates/oauth_tokens.str +10 -11
  80. data/templates/redirect_uri_field.str +2 -2
  81. metadata +80 -3
  82. data/lib/rodauth/features/oauth_saml.rb +0 -104
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cbc2a014ad242752b436e810b24df8839c00c7a066b860e4cf418c16f19cfbad
4
- data.tar.gz: e8c27858547f1df38662608cf74f6f75f48b438ec29137bfffd820320077b185
3
+ metadata.gz: 8d0412f0fc70f27a32d2517afbc688eae79304a52fd074298ecac3176edf2ee8
4
+ data.tar.gz: 2bed00e6896786192f3a4b93b145e8b75b0813741b323213586d736745323617
5
5
  SHA512:
6
- metadata.gz: d8cabdea042eb26aaf1941ff9881f4cce9ffa4eb35557d7105d3c2195ced323f860654be7d161e56c85d91f7312fd041a39379516b97d6df47cf1637f273fb1f
7
- data.tar.gz: d45c638c97f34705ddfe0ab124da3ed143188513454192aae65c4227d5e255ed0e5223fd3b3273418e2cc12896a7c175ce4786ecc20d6e611a1e4a3b28e412ca
6
+ metadata.gz: d04277337c21a48a9b0504eaadac11342bd69a0892e1ee7bd7114880b35fe1cdf4e086044d8fa6198c82da3b8f49b6e12be58b98316f592ed980733d2c2cdaa7
7
+ data.tar.gz: f3b8ebe3574ff7559c827a42b76ad698b3a33ba93593fe09695a833af92709ca39b33a9e3be0d1c57c6300666de97850810f37e629a29e59bddd0b8746f63f10
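Review bot: the new SHA256 and SHA512 digests for metadata.gz and data.tar.gz are expected to change on a version bump, but they are self-published inside the gem, so this hunk cannot by itself establish that 0.9.1 is the artifact the maintainer built; before upgrading, unpack the downloaded .gem and confirm that its metadata.gz and data.tar.gz digests match these lines, and that the .gem file's own SHA256 matches what rubygems.org shows for rodauth-oauth 0.9.1, since a tampered package would simply ship a checksums.yaml that agrees with itself.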
data/CHANGELOG.md CHANGED
@@ -1,424 +1 @@
1
- # CHANGELOG
2
-
3
- ## master
4
-
5
- ### 0.7.4 (15/01/2022)
6
-
7
- #### Bugfixes
8
-
9
- * including missing erb templates in the package.
10
-
11
- ## 0.7.3 (14/01/2022)
12
-
13
- #### Bugfixes
14
-
15
- * fixed generator declarations and views generator, in orderto copy templates and rewrite paths accordingly.
16
- * update view templates to not use "%%".
17
-
18
- #### Chore
19
-
20
- * `rodauth` is now declared as a dependency, with minimum version set `2.0`.
21
-
22
- ### 0.7.2 (14/12/2021)
23
-
24
- #### Features
25
-
26
- * Revoking tokens from the OAuth Application management interface (@muellerj)
27
-
28
- Token revocation was only possible when using the client ID and Secret, to aid "logout" functionality from client applications. Although the admin interface (available via `r.oauth_applications`) displayed a "Revoke" button alongside tokens in the list page, this was not working. The RFC does allow for the use case of application administrators being able to manually revoke tokens (as a result of client support, for example), so this functionality was enabled (only for the oauth application owner, for now).
29
-
30
- #### Bugfixes
31
-
32
- Default scope usage related bugfixes:
33
-
34
- * Improved default scope conversion to avoid nested arrays (@muellerj);
35
- * Authorize form shows a disabled checkbox and POST's no scope when default scope is to be used (@muellerj);
36
- * example default scope fixed for example authorization server (should be string) (@muellerj);
37
- * several param fixes in view templates (@muellerj);
38
-
39
- OAuth Applications Management fixes:
40
-
41
- * Access to OAuth Application page is now restricted to app owner;
42
- * OAuth Applications page now lists the **only** the applications owned by the logged in user;
43
-
44
- ### 0.7.1 (05/12/2021)
45
-
46
- #### Improvements
47
-
48
- * Adapted the `rodauth-i18n` configuration to comply with the guidelines for `v0.2.0` (which is the defacto minimmal supported version).
49
-
50
- #### Bugfixes
51
-
52
- * `convert_timestamp` was removed from the templates, as it's private API.
53
- * Several missing or wrong URLs in templates fixed (authorize form was wrongly processing scopes when none was selected).
54
-
55
- ### 0.7.0 (02/12/2021)
56
-
57
- #### Features
58
-
59
- * Internationalization (i18n) support by hooking on [rodauth-i18n](https://github.com/janko/rodauth-i18n).
60
- * Sets all text using `translatable_method`.
61
- * Provides english translations for all `rodauth-oauth` related user facing text.
62
-
63
- #### Improvements
64
-
65
- * Enable CORS requests for OpenID configuration endpoint (@ianks)
66
- * Introspect endpoint now exposes the `exp` token property (@gmanley)
67
-
68
- #### Bugfixes
69
-
70
- * on rotation policy, although the first refresh token was invalidated, a new one wasn't being provided. This change allows a new refresh token to be generated and exposed in the response (@gmanley)
71
-
72
- #### Chore
73
-
74
- Setting `rodauth` minimal supported version to `2.0.0`.
75
-
76
- ### 0.6.1 (08/09/2021)
77
-
78
- #### Bugfixes
79
-
80
- * Fixed rails view templates escaping.
81
- * Fixed declaration of authorize template in the generator.
82
-
83
- ### 0.6.0 (21/05/2021)
84
-
85
- ### Improvements
86
-
87
- * RBS signatures
88
-
89
- ### Chore
90
-
91
- * Ruby 3 and Truffleruby are now officially supported and tested in CI.
92
-
93
- ### 0.5.1 (19/03/2021)
94
-
95
- #### Improvements
96
-
97
- * Changing "Callback URL" to "Redirect URL" in default templates;
98
-
99
- #### Bugfixes
100
-
101
- * (rails integration) Fixed templates location;
102
- * (rails integration) Fixed migration name from generator;
103
- * (rails integration) fixed links, html tags, styling and unassigned variables from a few view templates;
104
- * `oauth_application_path` is now compliant with prefixes and other url helpers, while now having a `oauth_application_url` counterpart;
105
- * (rails integration) skipping csrf checks for "/userinfo" request (OIDC)
106
-
107
- ### 0.5.0 (08/02/2021)
108
-
109
- #### RP-Initiated Logout
110
-
111
- The `:oidc` plugin can now do [RP-Initiated Logout](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/RP-Initiated-Logout). It's disabled by default, so read the docs to learn how to enable it.
112
-
113
- #### Security
114
-
115
- The `:oauth_jwt` (and by association, `:oidc`) plugin(s) verifies the claims of used JWT tokens. This is a **very important security fix**, as without it, there is no protection against replay attacks and other types of misuse of the JWT token.
116
-
117
- A new auth method, `generate_jti(claims)`, was [added to the list of oauth_jwt plugin options](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/JWT-Access-Tokens#rodauth-options). By default, it'll hash the `aud` and `iat` claims together, but you can overwrite how this is done.
118
-
119
- ### 0.4.3 (09/12/2020)
120
-
121
- * Introspection requests made to an Authorization Server in "resource server" mode are not correctly encoding the body using the "application/x-www-form-urlencoded" format.
122
-
123
- ### 0.4.2 (24/11/2020)
124
-
125
- #### Bugfixes
126
-
127
- * database extensions were being run in resource server mode, when it's not expected that the oauth db tables are around.
128
-
129
- ### 0.4.1 (24/11/2020)
130
-
131
- #### Improvements
132
-
133
- When in "Resource Server" mode, calling `rodauth.authorization_token` will now return an hash of the JSON payload that the Authorization Server responds, and which was already previously used to authorize access to protected resources.
134
-
135
- #### Bugfixes
136
-
137
- * An error occurred if the client passed an empty authorization header (`Authorization: ` or `Authorization: Bearer `), causing an unexpected error; It now responds with the proper `401 Unauthorized` status code.
138
-
139
- ### 0.4.0 (13/11/2020)
140
-
141
- #### Features
142
-
143
- * A new method, `get_additional_param(account, claim)`, is now exposed; this method will be called whenever non-OIDC scopes are requested in the emission of the ID token.
144
-
145
- * The `form_post` response is now supported, either by passing the `response_mode=form_post` request param in the authorization URL, or by setting `oauth_response_mode "form_post"` option. This improves the overall security of an Authorization server even more, as authorization codes are sent to client applications via a POST request to the redirect URI.
146
-
147
-
148
- #### Improvements
149
-
150
- * For the OIDC `address` scope, proper claims are now emitted as per the standard, i.e. the "formatted", "street_address", "locality", "region", "postal_code", "country". These will be the ones referenced in the `get_oidc_param` method.
151
-
152
- #### Bugfixes
153
-
154
- * The rails templates were missing declarations from a few params, which made some of the flows (the PKCE for example) not work out-of-the box;
155
- * rails tests were silently not running in CI;
156
- * The CI suite was revamped, so that all Oauth tests would be run under rails as well. All versions from rails equal or above 5.0 are now targeted;
157
-
158
- ### 0.3.0 (8/10/2020)
159
-
160
- #### Features
161
-
162
- * `oauth_refresh_token_protection_policy` is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it's `none`, for backwards-compatibility. However, when set to `rotation`, refresh tokens will be "use-once", i.e. a token refresh request will generate a new refresh token. Also, refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.
163
-
164
- #### Improvements
165
-
166
-
167
- * Support for the OIDC authorize [`prompt` parameter](https://openid.net/specs/openid-connect-core-1_0.html) (sectionn 3.1.2.1). It supports the `none`, `login` and `consent` out-of-the-box, while providing support for `select-account` when paired with [rodauth-select-account, a rodauth feature to handle multiple accounts in the same session](https://gitlab.com/honeyryderchuck/rodauth-select-account).
168
-
169
- * Refresh Tokens are now expirable. The refresh token expiration period is governed by the `oauth_refresh_token_expires_in` option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.
170
-
171
- #### Bugfixes
172
-
173
- * Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.
174
-
175
- * fixing metadata urls when plugin loaded with a prefix path (@ianks)
176
-
177
- * All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's `date_arithmetic` plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.
178
-
179
- * OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)
180
-
181
- #### Chore
182
-
183
- Use `rodauth.convert_timestamp` in the templates, whenever dates are displayed.
184
-
185
- Set HTTP Cache headers for metadata responses, such as `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration`, so they can be stored at the edge. The cache will be valid for 1 day (this value isn't set by an option yet).
186
-
187
- ### 0.2.0 (9/9/2020)
188
-
189
- #### Features
190
-
191
- ##### SAML Assertion Grant Type
192
-
193
- `rodauth-auth` now supports using a SAML Assertion to request for an Access token.In order to enable, you have to:
194
-
195
- ```ruby
196
- plugin :rodauth do
197
- enable :oauth_saml
198
- end
199
- ```
200
-
201
- For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/SAML-Assertion-Access-Tokens).
202
-
203
- ##### Supporting rotating keys
204
-
205
- At some point, you'll want to replace the pkeys and algorithm used to generate and verify the JWT access tokens, but you want to keep validating previously-distributed JWT tokens, at least until they expire. Now you can, via two new options, `oauth_jwt_legacy_public_key` and `oauth_jwt_legacy_algorithm`, which will be declared in the JWKs URI and used to verify access tokens.
206
-
207
-
208
- ##### Reuse access tokens
209
-
210
- If the `oauth_reuse_access_token` is set, if there's already an existing valid access token, any new grant for the same application / account / scope will keep the same access token. This can be helpful in scenarios where one wants the same access token distributed across devices.
211
-
212
- ##### require_authorizable_account
213
-
214
- The method used to verify access to the authorize flow is called `require_authorizable_account`. By default, it checks if a user is logged in by using rodauth's own `require_account`. This is the method you'd want to redefine in order to augment these requirements, i.e. request 2fa authentication.
215
-
216
- #### Improvements
217
-
218
- Expired and revoked access tokens end up generating a lot of garbage, which will have to be periodically cleaned up. You can mitigate this now by setting a uniqueness index for a group of columns, i.e. if you set a uniqueness index for the `oauth_application_id/account_id/scopes` column, `rodauth-oauth` will transparently reuse the same db entry to store the new access token. If setting some other type of uniqueness index, make sure to update the option `oauth_tokens_unique_columns` (the array of columns from the uniqueness index).
219
-
220
- #### Bugfixes
221
-
222
- Calling `before_*_route` callbacks appropriately.
223
-
224
- Fixed some mishandling of HTTP headers when in in resource-server mode.
225
-
226
- #### Chore
227
-
228
- * 97.7% test coverage;
229
- * `rodauth-oauth` CI tests run against sqlite, postgresql and mysql.
230
-
231
- ### 0.1.0 (31/7/2020)
232
-
233
- #### Features
234
-
235
- ##### OpenID
236
-
237
- `rodauth-oauth` now ships with support for [OpenID Connect](https://openid.net/connect/). In order to enable, you have to:
238
-
239
- ```ruby
240
- plugin :rodauth do
241
- enable :oidc
242
- end
243
- ```
244
-
245
- For more info about integrating it, [check the wiki](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/wikis/home#openid-connect-since-v01).
246
-
247
- It supports omniauth openID integrations out-of-the-box, [check the OpenID example, which integrates with omniauth_openid_connect](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/examples).
248
-
249
- #### Improvements
250
-
251
- * JWT: `sub` claim now also handles "pairwise" subjects. For that, you have to set the `oauth_jwt_subject_type` option (`"public"` or `"pairwise"`) and `oauth_jwt_subject_secret` (will be used for salting the `sub` when the type is `"pairwise"`).
252
- * JWT: `auth_time` claim is now supported; if your application uses the `rodauth` feature `:account_expiration`, it'll use the `last_account_login_at` method, otherwise you can set the `last_account_login_at` option:
253
-
254
- ```ruby
255
- last_account_login_at do
256
- convert_timestamp(db[accounts_table].where(account_id_column => account_id).get(:that_column_where_you_keep_the_data))
257
- end
258
- ```
259
- * JWT: `iss` claim now defaults to `authorization_server_url` when not defined;
260
- * JWT: `aud` claim now defaults to the token application's client ID (`client_id` claim was removed as a result);
261
-
262
-
263
-
264
- #### Breaking Changes
265
-
266
- `rodauth-oauth` URLs no longer have the `oauth-` prefix, so make sure you update your integrations accordingly, i.e. where you used to rely on `/oauth-authorize`, you'll have to use `/authorize`.
267
-
268
- URI schemes for client applications redirect URIs have to be `https`. In order to override this, set the `oauth_valid_uri_schemes` to an array of your expected URI schemes.
269
-
270
-
271
- #### Bugfixes
272
-
273
- * Authorization request submission can receive the `scope` as an array of values now, instead of only dealing with receiving a white-space separated list.
274
- * fixed trailing "/" in the "issuer" value in server metadata (`https://server.com/` -> `https://server.com`).
275
-
276
-
277
- ### 0.0.6 (6/7/2020)
278
-
279
- #### Features
280
-
281
- The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed).
282
-
283
- ###### Options:
284
-
285
- * `:oauth_application_jws_jwk_column`: db column where the public key is stored; since it's stored in the JWS format, it can be stored either as a String (JSON-encoded), or as an hstore (if you're using postgresql);
286
- * `:oauth_jwt_jwe_key`: key used to decrypt the request JWT;
287
- * `:oauth_jwt_jwe_public_key`: key used to encrypt the request JWT, and which will be exposed in the JWKs URI in the JWK format;
288
-
289
-
290
- #### Improvements
291
-
292
- * Removing all `_param` options; these defined the URL params, however we're using protocol-defined params, so it's unlikely (and undesired) that these'll change.
293
- * Hitting the revoke endpoint with a JWT access token returns a 400 error;
294
-
295
- #### Chore
296
-
297
- Removed React Javascript from example applications.
298
-
299
-
300
- ### 0.0.5 (26/6/2020)
301
-
302
- #### Features
303
-
304
- * new option: `oauth_scope_separator` (default: `" "`), to define how scopes are stored;
305
-
306
- ##### Resource Server mode
307
-
308
- `rodauth-oauth` can now be used in a resource server, i.e. only for authorizing access to resources:
309
-
310
-
311
- ```ruby
312
- plugin :rodauth do
313
- enable :oauth
314
-
315
- is_authorization_server? false
316
- authorization_server_url "https://auth-server"
317
- end
318
- ```
319
-
320
- It **requires** the authorization to implement the server metadata endpoint (`/.well-known/oauth-authorization-server`), and if using JWS, the JWKs URI endpoint (unless `oauth_jwt_public_key` is defined).
321
-
322
- #### Improvements
323
-
324
- * Multiple Redirect URIs are now allowed for client applications out-of-the-box. In order to use it in API mode, you can pass the `redirect_uri` with an array of strings (the URLs) as values; in the new client application form, you can add several input fields with name field as `redirect_uri[]`. **ATTENTION!!** When using multiple redirect URIs, passing the desired redirect URI to the authorize form becomes mandatory.
325
- * store scopes with whitespace instead of comma; set separator as `oauth_scope_separator` option, to keep backwards-compatibility;
326
- * client application can now store multiple redirect uris; the POST API parameters can accept the redirect_uri param value both as a string or an array of string; internally, they'll be stored in a whitespace-separated string;
327
-
328
- #### Bugfixes
329
-
330
- * Fixed `RETURNING` support in the databases supporting it (such as postgres).
331
-
332
- #### Chore
333
-
334
- * option `scopes_param` renamed to `scope_param`;
335
- *
336
-
337
- ## 0.0.4 (13/6/2020)
338
-
339
- ### Features
340
-
341
- #### Token introspection
342
-
343
- `rodauth-oauth` now ships with an introspection endpoint (`/oauth-introspect`).
344
-
345
- #### Authorization Server Metadata
346
-
347
- `rodauth-oauth` now allows to define an authorization metadata endpoint, which has to be defined at the route of the router:
348
-
349
- ```ruby
350
- route do |r|
351
- r.rodauth
352
- rodauth.oauth_server_metadata
353
- ...
354
- ```
355
-
356
- #### JWKs URI
357
-
358
- the `oauth_jwt` feature now ships with an endpoint, `/oauth-jwks`, where client applications can retrieve the JWK set to verify generated tokens.
359
-
360
- #### JWT access tokens as authorization grants
361
-
362
- The `oauth_jwt` feature now allows the usage of access tokens to authorize the generation of new tokens, [as per the RFC](https://tools.ietf.org/html/rfc7523#section-4);
363
-
364
- ### Improvements
365
-
366
- * using `client_secret_basic` authorization where client id/secret params were allowed (i.e. in the token and revoke endpoints, for example);
367
- * improved JWK usage for both supported jwt libraries;
368
- * marked `fetch_access_token` as auth_value_method, thereby allowing users to fetch the access token from other sources than the "Authorization" header (i.e. form body, query params, etc...)
369
-
370
- ### Bugfixes
371
-
372
- * Fixed scope claim of JWT ("scopes" -> "scope");
373
-
374
- ## 0.0.3 (5/6/2020)
375
-
376
- ### Features
377
-
378
- #### `:oauth_http_mac`
379
-
380
- A new feature builds on top of `:oauth` to allow MAC authorization.
381
-
382
- ```ruby
383
- plugin :rodauth do
384
- enable :oauth_http_mac
385
- # options here...
386
- end
387
- ```
388
-
389
- #### `:oauth_jwt`
390
-
391
- Another new feature, this time supporting the generation of JWT access tokens.
392
-
393
- ```ruby
394
- plugin :rodauth do
395
- enable :oauth_jwt
396
- # options here...
397
- end
398
- ```
399
-
400
- ### Improvements
401
-
402
- * added options for disabling pkce and access type (respectively, `use_oauth_pkce?` and `use_oauth_access_type?`);
403
- * renamed the existing `use_oauth_implicit_grant_type` to `use_oauth_implicit_grant_type?`;
404
- * It's now usable as JSON API (small caveat: POST authorize will still redirect on success...);
405
-
406
- ## 0.0.2 (29/5/2020)
407
-
408
- ### Features
409
-
410
- * Implementation of PKCE by OAuth Public Clients (https://tools.ietf.org/html/rfc7636);
411
- * Implementation of grants using "access_type" and "approval_prompt" ([similar to what Google OAuth 2.0 API does](https://wiki.scn.sap.com/wiki/display/Security/Access+Google+APIs+using+the+OAuth+2.0+Client+API));
412
-
413
- ### Improvements
414
-
415
- * Store token/refresh token hashes in the database, instead of the "plain" tokens;
416
- * Client secret hashed by default, and provided by the application owner;
417
-
418
- ### Fix
419
-
420
- * usage of client secret for authorizing the generation of tokens, as the spec mandates (and refraining from them when doing PKCE).
421
-
422
- ## 0.0.1 (14/5/2020)
423
-
424
- Initial implementation of the Oauth 2.0 framework, with an example app done using roda.
1
+ See the Release Notes under https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/doc/release_notes
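Review bot: the single replacement line at the end of the hunk points at the master branch on GitLab, which drifts as new versions are cut and is unreachable when reading the installed gem offline; since the files-changed list above shows the per-version release notes are now packaged in the gem (listed as data/doc/release_notes/0_0_1.md through 0_9_1.md), the pointer should name that in-gem path, and ideally state the last version the old CHANGELOG covered (0.7.4), so that removed entries flagged as security-relevant, such as the 0.5.0 JWT claim verification fix and the 0.3.0 refresh-token rotation policy, remain discoverable from the package itself.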