rodauth-oauth 1.0.0.pre.beta1 → 1.0.0

data/lib/rodauth/features/oidc_dynamic_client_registration.rb

@@ -51,9 +51,25 @@ module Rodauth
         end
       end
 
+      if features.include?(:oauth_jwt_secured_authorization_request)
+        if (value = @oauth_application_params[oauth_applications_request_uris_column])
+          if value.is_a?(Array)
+            @oauth_application_params[oauth_applications_request_uris_column] = value.each do |req_uri|
+              unless check_valid_uri?(req_uri)
+                register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(req_uri))
+              end
+            end.join(" ")
+          else
+            register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
+          end
+        elsif oauth_require_request_uri_registration
+          register_throw_json_response_error("invalid_client_metadata", register_required_param_message("request_uris"))
+        end
+      end
+
       if (value = @oauth_application_params[oauth_applications_subject_type_column])
         unless %w[pairwise public].include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("subject_type"))
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_client_metadata_message("subject_type", value))
         end
 
         if value == "pairwise"
@@ -84,51 +100,75 @@ module Rodauth
             register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
           end
         elsif !oauth_jwt_jws_algorithms_supported.include?(value)
-          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_signed_response_alg"))
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("id_token_signed_response_alg", value))
         end
       end
 
-      if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
-         !oauth_jwt_jwe_algorithms_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_alg"))
-      end
+      if features.include?(:oauth_jwt_secured_authorization_request)
+        if defined?(oauth_applications_request_object_signing_alg_column) &&
+           (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column]) &&
+           !oauth_jwt_jws_algorithms_supported.include?(value) && !(value == "none" && oauth_request_object_signing_alg_allow_none)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("request_object_signing_alg", value))
+        end
 
-      if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column]) &&
-         !oauth_jwt_jwe_encryption_methods_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("id_token_encrypted_response_enc"))
+        if defined?(oauth_applications_request_object_encryption_alg_column) &&
+           (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column]) &&
+           !oauth_jwt_jwe_algorithms_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("request_object_encryption_alg", value))
+        end
+
+        if defined?(oauth_applications_request_object_encryption_enc_column) &&
+           (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column]) &&
+           !oauth_jwt_jwe_encryption_methods_supported.include?(value)
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_client_metadata_message("request_object_encryption_enc", value))
+        end
       end
 
-      if (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column]) &&
-         !oauth_jwt_jws_algorithms_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_signed_response_alg"))
+      if features.include?(:oidc_rp_initiated_logout) && (defined?(oauth_applications_post_logout_redirect_uris_column) &&
+           (value = @oauth_application_params[oauth_applications_post_logout_redirect_uris_column]))
+        if value.is_a?(Array)
+          @oauth_application_params[oauth_applications_post_logout_redirect_uris_column] = value.each do |redirect_uri|
+            unless check_valid_uri?(redirect_uri)
+              register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(redirect_uri))
+            end
+          end.join(" ")
+        else
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value))
+        end
       end
 
-      if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column]) &&
+      if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_alg_column]) &&
          !oauth_jwt_jwe_algorithms_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_alg"))
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("id_token_encrypted_response_alg", value))
       end
 
-      if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column]) &&
+      if (value = @oauth_application_params[oauth_applications_id_token_encrypted_response_enc_column]) &&
          !oauth_jwt_jwe_encryption_methods_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("userinfo_encrypted_response_enc"))
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("id_token_encrypted_response_enc", value))
       end
 
-      if defined?(oauth_applications_request_object_signing_alg_column) &&
-         (value = @oauth_application_params[oauth_applications_request_object_signing_alg_column]) &&
+      if (value = @oauth_application_params[oauth_applications_userinfo_signed_response_alg_column]) &&
          !oauth_jwt_jws_algorithms_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_signing_alg"))
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("userinfo_signed_response_alg", value))
       end
 
-      if defined?(oauth_applications_request_object_encryption_alg_column) &&
-         (value = @oauth_application_params[oauth_applications_request_object_encryption_alg_column]) &&
+      if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_alg_column]) &&
          !oauth_jwt_jwe_algorithms_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_alg"))
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("userinfo_encrypted_response_alg", value))
       end
 
-      if defined?(oauth_applications_request_object_encryption_enc_column) &&
-         (value = @oauth_application_params[oauth_applications_request_object_encryption_enc_column]) &&
+      if (value = @oauth_application_params[oauth_applications_userinfo_encrypted_response_enc_column]) &&
          !oauth_jwt_jwe_encryption_methods_supported.include?(value)
-        register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message("request_object_encryption_enc"))
+        register_throw_json_response_error("invalid_client_metadata",
+                                           register_invalid_client_metadata_message("userinfo_encrypted_response_enc", value))
       end
     end
 

data/lib/rodauth/features/oidc_rp_initiated_logout.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+
+module Rodauth
+  Feature.define(:oidc_rp_initiated_logout, :OidcRpInitiatedLogout) do
+    depends :oidc
+
+    auth_value_method :oauth_applications_post_logout_redirect_uris_column, :post_logout_redirect_uris
+    translatable_method :oauth_invalid_post_logout_redirect_uri_message, "Invalid post logout redirect URI"
+
+    # /oidc-logout
+    auth_server_route(:oidc_logout) do |r|
+      require_authorizable_account
+      before_oidc_logout_route
+
+      # OpenID Providers MUST support the use of the HTTP GET and POST methods
+      r.on method: %i[get post] do
+        catch_error do
+          validate_oidc_logout_params
+
+          oauth_application = nil
+
+          if (id_token_hint = param_or_nil("id_token_hint"))
+            #
+            # why this is done:
+            #
+            # we need to decode the id token in order to get the application, because, if the
+            # signing key is application-specific, we don't know how to verify the signature
+            # beforehand. Hence, we have to do it twice: decode-and-do-not-verify, initialize
+            # the @oauth_application, and then decode-and-verify.
+            #
+            claims = jwt_decode(id_token_hint, verify_claims: false)
+
+            redirect_logout_with_error(oauth_invalid_client_message) unless claims
+
+            oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["aud"]).first
+            oauth_grant = db[oauth_grants_table]
+                          .where(
+                            oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+                            oauth_grants_account_id_column => account_id
+                          ).first
+
+            # check whether ID token belongs to currently logged-in user
+            redirect_logout_with_error(oauth_invalid_client_message) unless oauth_grant && claims["sub"] == jwt_subject(oauth_grant,
+                                                                                                                        oauth_application)
+
+            # When an id_token_hint parameter is present, the OP MUST validate that it was the issuer of the ID Token.
+            redirect_logout_with_error(oauth_invalid_client_message) unless claims && claims["iss"] == oauth_jwt_issuer
+          end
+
+          # now let's logout from IdP
+          transaction do
+            before_logout
+            logout
+            after_logout
+          end
+
+          error_message = logout_notice_flash
+
+          if (post_logout_redirect_uri = param_or_nil("post_logout_redirect_uri"))
+            error_message = catch(:default_logout_redirect) do
+              oauth_application = db[oauth_applications_table].where(oauth_applications_client_id_column => claims["client_id"]).first
+
+              throw(:default_logout_redirect, oauth_invalid_client_message) unless oauth_application
+
+              post_logout_redirect_uris = oauth_application[oauth_applications_post_logout_redirect_uris_column].split(" ")
+
+              unless post_logout_redirect_uris.include?(post_logout_redirect_uri)
+                throw(:default_logout_redirect,
+                      oauth_invalid_post_logout_redirect_uri_message)
+              end
+
+              if (state = param_or_nil("state"))
+                post_logout_redirect_uri = URI(post_logout_redirect_uri)
+                params = ["state=#{CGI.escape(state)}"]
+                params << post_logout_redirect_uri.query if post_logout_redirect_uri.query
+                post_logout_redirect_uri.query = params.join("&")
+                post_logout_redirect_uri = post_logout_redirect_uri.to_s
+              end
+
+              redirect(post_logout_redirect_uri)
+            end
+
+          end
+
+          redirect_logout_with_error(error_message)
+        end
+
+        redirect_response_error("invalid_request")
+      end
+    end
+
+    private
+
+    # Logout
+
+    def validate_oidc_logout_params
+      # check if valid token hint type
+      return unless (redirect_uri = param_or_nil("post_logout_redirect_uri"))
+
+      return if check_valid_no_fragment_uri?(redirect_uri)
+
+      redirect_logout_with_error(oauth_invalid_client_message)
+    end
+
+    def redirect_logout_with_error(error_message = oauth_invalid_client_message)
+      set_notice_flash(error_message)
+      redirect(logout_redirect)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:end_session_endpoint] = oidc_logout_url
+      end
+    end
+  end
+end

data/lib/rodauth/oauth/http_extensions.rb

@@ -16,6 +16,9 @@ module Rodauth
 
         http = Net::HTTP.new(uri.host, uri.port)
         http.use_ssl = uri.scheme == "https"
+        http.open_timeout = 15
+        http.read_timeout = 15
+        http.write_timeout = 15 if http.respond_to?(:write_timeout)
 
         if form_data
           request = Net::HTTP::Post.new(uri.request_uri)
@@ -44,9 +47,19 @@ module Rodauth
           response = http_request(uri, *args)
           ttl = if response.key?("cache-control")
                   cache_control = response["cache-control"]
-                  cache_control[/max-age=(\d+)/, 1].to_i
+                  if cache_control.include?("no-cache")
+                    nil
+                  else
+                    max_age = cache_control[/max-age=(\d+)/, 1].to_i
+                    max_age.zero? ? nil : max_age
+                  end
                 elsif response.key?("expires")
-                  Time.parse(response["expires"]).to_i - Time.now.to_i
+                  expires = response["expires"]
+                  begin
+                    Time.parse(expires).to_i - Time.now.to_i
+                  rescue ArgumentError
+                    nil
+                  end
                 end
 
           [JSON.parse(response.body, symbolize_names: true), ttl]

data/lib/rodauth/oauth/ttl_store.rb

@@ -28,6 +28,8 @@ class Rodauth::OAuth::TtlStore
 
     payload, ttl = block.call
 
+    return payload unless ttl
+
     @store_mutex.synchronize do
       # given that the block call triggers network, and two requests for the same key be processed
       # at the same time, this ensures the first one wins.

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "1.0.0-beta1"
+    VERSION = "1.0.0"
   end
 end

data/locales/en.yml

@@ -9,6 +9,7 @@ en:
     user_code_not_found_error_flash: "No device to authorize with the given user code"
     authorize_page_title: "Authorize"
     authorize_page_lead: "The application %{name} would like to access your data."
+    authorize_error_page_title: "Authorize Error"
     oauth_cancel_button: "Cancel"
     oauth_applications_page_title: "Oauth Applications"
     oauth_application_page_title: "Oauth Application"
@@ -55,6 +56,7 @@ en:
     invalid_url_message: "Invalid URL"
     oauth_unsupported_token_type_message: "Invalid token type hint"
     null_error_message: "is not filled"
+    oauth_unsupported_response_type_message: "Unsupported response type"
     oauth_already_in_use_message: "error generating unique token"
     oauth_expired_token_message: "the device code has expired"
     oauth_access_denied_message: "the authorization request has been denied"
@@ -62,6 +64,7 @@ en:
     oauth_slow_down_message: "authorization request is still pending but poll interval should be increased"
     oauth_code_challenge_required_message: "code challenge required"
     oauth_unsupported_transform_algorithm_message: "transform algorithm not supported"
-    oauth_request_uri_not_supported_message: "request uri is unsupported"
     oauth_invalid_request_object_message: "request object is invalid"
     oauth_invalid_scope_message: "The Access Token expired"
+    oauth_authorize_parameter_required: "Invalid or missing '%{parameter}'"
+    oauth_invalid_post_logout_redirect_uri_message: "Invalid post logout redirect URI"

data/locales/pt.yml

@@ -9,6 +9,7 @@ pt:
     user_code_not_found_error_flash: "Não existe nenhum dispositivo a ser autorizado com o código de usuário inserido"
     authorize_page_title: "Autorizar"
     authorize_page_lead: "O aplicativo %{name} gostaria de aceder aos seus dados."
+    authorize_error_page_title: Erro de autorização
     oauth_cancel_button: "Cancelar"
     oauth_applications_page_title: "Aplicativos OAuth"
     oauth_application_page_title: "Aplicativo Oauth"
@@ -55,6 +56,7 @@ pt:
     invalid_url_message: "URL inválido"
     oauth_unsupported_token_type_message: "Sugestão de tipo de token inválida"
     null_error_message: "não está preenchido"
+    oauth_unsupported_response_type_message: "Tipo de resposta inválido"
     oauth_already_in_use_message: "erro ao gerar token único"
     oauth_expired_token_message: "o código de dispositivo expirou"
     oauth_access_denied_message: "o pedido de autorização foi negado"
@@ -62,6 +64,7 @@ pt:
     oauth_slow_down_message: "o pedido de autorização ainda está pendente mas o intervalo de actualização deve ser aumentado"
     oauth_code_challenge_required_message: "código de negociação necessário"
     oauth_unsupported_transform_algorithm_message: "algoritmo de transformação não suportado"
-    oauth_request_uri_not_supported_message: "request_uri não é suportado"
     oauth_invalid_request_object_message: "request_object é inválido"
     oauth_invalid_scope_message: "O Token de acesso expirou"
+    oauth_authorize_parameter_required: "'%{parameter}' inválido ou em falta"
+    oauth_invalid_post_logout_redirect_uri_message: "URI de redireccionamento pós-logout inválido"

data/templates/authorize.str

@@ -9,12 +9,13 @@
   }
   <p class="lead">
   #{
-    rodauth.authorize_page_lead(name: <<-LINK
-      <a target="_blank" href="#{h(rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column])}">
+    application_uri = rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column]
+    application_name = application_uri ? (<<-LINK) : rodauth.oauth_application[rodauth.oauth_applications_name_column]
+      <a target="_blank" href="#{h(application_uri)}">
         #{h(rodauth.oauth_application[rodauth.oauth_applications_name_column])}
       </a>
     LINK
-    )
+    rodauth.authorize_page_lead(name: application_name)
   }
   </p>
   <div class="list-group">
@@ -60,12 +61,16 @@
 
     #{
       rodauth.authorize_scopes.map do |scope|
-        <<-HTML
-          <div class="form-check">
-            <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
-            <label class="form-check-label" for="#{scope}">#{h(scope)}</label>
-          </div>
-        HTML
+        if rodauth.features.include?(:oidc) && scope == "offline_access"
+          "<input type=\"hidden\" name=\"scope[]\" value=\"#{scope}\" />"
+        else
+          <<-HTML
+            <div class="form-check">
+              <input id="#{scope}" class="form-check-input" type="checkbox" name="scope[]" value="#{h(scope)}">
+              <label class="form-check-label" for="#{scope}">#{h(scope)}</label>
+            </div>
+          HTML
+        end
       end.join
     }
 
@@ -77,10 +82,12 @@
     #{"<input type=\"hidden\" name=\"redirect_uri\" value=\"#{rodauth.redirect_uri}\"/>" if rodauth.param_or_nil("redirect_uri")}
     #{"<input type=\"hidden\" name=\"code_challenge\" value=\"#{rodauth.param("code_challenge")}\"/>" if rodauth.features.include?(:oauth_pkce) && rodauth.param_or_nil("code_challenge")}
     #{"<input type=\"hidden\" name=\"code_challenge_method\" value=\"#{rodauth.param("code_challenge_method")}\"/>" if rodauth.features.include?(:oauth_pkce) && rodauth.param_or_nil("code_challenge_method")}
+    #{"<input type=\"hidden\" name=\"prompt\" value=\"#{rodauth.param("prompt")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("prompt")}
     #{"<input type=\"hidden\" name=\"nonce\" value=\"#{rodauth.param("nonce")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("nonce")}
     #{"<input type=\"hidden\" name=\"ui_locales\" value=\"#{rodauth.param("ui_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("ui_locales")}
     #{"<input type=\"hidden\" name=\"claims_locales\" value=\"#{rodauth.param("claims_locales")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims_locales")}
-    #{"<input type=\"hidden\" name=\"acr\" value=\"#{rodauth.param("acr_values")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("acr_values")}
+    #{"<input type=\"hidden\" name=\"claims\" value=\"#{h(rodauth.param("claims"))}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("claims")}
+    #{"<input type=\"hidden\" name=\"acr_values\" value=\"#{rodauth.param("acr_values")}\"/>" if rodauth.features.include?(:oidc) && rodauth.param_or_nil("acr_values")}
     #{
       if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators
         rodauth.resource_indicators.map do |resource|

data/templates/authorize_error.str

@@ -0,0 +1,12 @@
+<div class="container">
+  <div class="alert alert-danger">
+    <p>
+      #{@error}
+    </p>
+  </div>
+ <p class="text-center">
+  <a href="#{@back_url}" class="btn btn-outline-danger">
+    #{rodauth.oauth_cancel_button}
+  </a>
+ </p>
+</div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.beta1
+  version: 1.0.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-21 00:00:00.000000000 Z
+date: 2022-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rodauth
@@ -66,7 +66,7 @@ extra_rdoc_files:
 - doc/release_notes/0_9_1.md
 - doc/release_notes/0_9_2.md
 - doc/release_notes/0_9_3.md
-- doc/release_notes/1_0_0_beta1.md
+- doc/release_notes/1_0_0.md
 files:
 - CHANGELOG.md
 - LICENSE.txt
@@ -104,11 +104,12 @@ files:
 - doc/release_notes/0_9_1.md
 - doc/release_notes/0_9_2.md
 - doc/release_notes/0_9_3.md
-- doc/release_notes/1_0_0_beta1.md
+- doc/release_notes/1_0_0.md
 - lib/generators/rodauth/oauth/install_generator.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
 - lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb
+- lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize_error.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/device_search.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/device_verification.html.erb
 - lib/generators/rodauth/oauth/templates/app/views/rodauth/new_oauth_application.html.erb
@@ -142,6 +143,7 @@ files:
 - lib/rodauth/features/oauth_token_revocation.rb
 - lib/rodauth/features/oidc.rb
 - lib/rodauth/features/oidc_dynamic_client_registration.rb
+- lib/rodauth/features/oidc_rp_initiated_logout.rb
 - lib/rodauth/oauth.rb
 - lib/rodauth/oauth/database_extensions.rb
 - lib/rodauth/oauth/http_extensions.rb
@@ -152,6 +154,7 @@ files:
 - locales/en.yml
 - locales/pt.yml
 - templates/authorize.str
+- templates/authorize_error.str
 - templates/client_secret_field.str
 - templates/description_field.str
 - templates/device_search.str
@@ -166,15 +169,15 @@ files:
 - templates/oauth_grants.str
 - templates/redirect_uri_field.str
 - templates/scope_field.str
-homepage: https://gitlab.com/honeyryderchuck/rodauth-oauth
+homepage: https://gitlab.com/os85/rodauth-oauth
 licenses:
 - Apache-2.0
 metadata:
-  homepage_uri: https://honeyryderchuck.gitlab.io/rodauth-oauth/
-  documentation_uri: https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/
-  bug_tracker_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth/issues
-  source_code_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth
-  changelog_uri: https://gitlab.com/honeyryderchuck/rodauth-oauth/-/blob/master/CHANGELOG.md
+  homepage_uri: https://os85.gitlab.io/rodauth-oauth/
+  documentation_uri: https://os85.gitlab.io/rodauth-oauth/rdoc/
+  bug_tracker_uri: https://gitlab.com/os85/rodauth-oauth/issues
+  source_code_uri: https://gitlab.com/os85/rodauth-oauth
+  changelog_uri: https://gitlab.com/os85/rodauth-oauth/-/blob/master/CHANGELOG.md
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -187,9 +190,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.2.32
 signing_key:

data/doc/release_notes/1_0_0_beta1.md

@@ -1,38 +0,0 @@
-## 1.0.0-beta1 (21/10/2022)
-
-### Breaking changes
-
-The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the [migration guide](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/blob/6465b8522a78cf0037a55d3d4b81f68f7811be68/MIGRATION-GUIDE-v1.md).
-
-A short list of the main highlights:
-
-
-* Ruby 2.5 or higher is required.
-* `oauth_http_mac` feature removed.
-* `oauth_tokens` table (and resource) were removed (only `oauth_applications` and `oauth_grants`, access and refresh tokens are now properties of the latter).
-* access and refresh tokens hashed by default when stored in the database.
-* default oauth response mode is `"form_post"`.
-* oauth specific features require explicit enablement of respective features (no more `enable :oauth`)
-* refresh token policy is "rotation" by default
-
-### Features
-
-The following helpers are exposed in the `rodauth` object:
-
-* `current_oauth_account` - returns the dataset row for the `rodauth` account associated to an oauth access token in the "authorization" header.
-* `current_oauth_application` - returns the dataset row for the oauth application associated to an oauth access token in the "authorization" header.
-
-When used in `rails` via `rodauth-rails`, both are exposed directly as controller helpers.
-
-#### `oauth_resource_server` plugin
-
-This plugin can be used as a convenience when configuring resource servers.
-
-### Improvements
-
-* `:oauth_introspect` plugin: OAuth introspection endpoint exposes the token's `"username"` claim.
-* endpoint client authentication supports "client credentials grant" access tokens.
-
-### Bugfixes
-
-* fixed `oidc` calculation of `"auth_time"` claim.