1.5.0

Highlights

OAuth DPoP Support

rodauth-oauth supports Demonstrating Proof-of-Possession at the Application Layer (also known as DPoP), via the oauth_dpop feature. This provides a mechanism to bind access tokens to a particular client based on public key cryptography.

More info about the feature in the docs.

Improvements

All features managing cookies are now able to set configure them as “session cookies” (i.e. removed on browser shutdown) by setting the expiration interval auth method to nil. This ncludes:

• oauth_prompt_login_interval (from the oidc feature)

• oauth_oidc_user_agent_state_cookie_expires_in (from the oidc_session_management feature)

Bugfixes

• when using the oauth_token_instrospection feature, the token_type has been fixed to show “Bearer” (instead of “access_token”).