0_0_4.md

doc/release_notes/0_0_4.md
Last Update: 2023-01-10 23:21:31 +0000

0.0.4 (13/6/2020)

Features

Token introspection

rodauth-oauth now ships with an introspection endpoint (/oauth-introspect).

Authorization Server Metadata

rodauth-oauth now allows defining an authorization server metadata endpoint, which has to be defined in the route block of the router:

route do |r|
  r.rodauth
  rodauth.oauth_server_metadata
  ...

JWKs URI

The oauth_jwt feature now ships with an endpoint, /oauth-jwks, where client applications can retrieve the JWK set to verify generated tokens.

JWT access tokens as authorization grants

The oauth_jwt feature now allows the usage of access tokens to authorize the generation of new tokens, as per the RFC.

Improvements

  • using client_secret_basic authorization where client id/secret params were allowed (e.g. in the token and revoke endpoints);

  • improved JWK usage for both supported jwt libraries;

  • marked fetch_access_token as auth_value_method, thereby allowing users to fetch the access token from sources other than the “Authorization” header (e.g. form body, query params);

Bugfixes

  • Fixed scope claim of JWT (“scopes” -> “scope”);
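
The "JWKs URI" feature and the scope claim fix above, seen from the consuming side: an added example (not rodauth-oauth's own code) of a resource server verifying a token against a JWK set and reading the "scope" claim, using only the Ruby standard library. It assumes RS256-signed tokens; the key, the kid "demo-key" and the scope values are constructed sample data standing in for what /oauth-jwks would return.

```ruby
require "openssl"
require "json"

def b64url(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  str.tr("-_", "+/").unpack1("m")
end

# Rebuild an RSA public key from the n/e members of a JWK.
def rsa_key_from_jwk(jwk)
  n, e = %w[n e].map { |m| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk.fetch(m)), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence.new([n, e]).to_der)
end

# Verify a token against a JWK set and return its scopes as an array.
def verified_scopes(token, jwks)
  parts = token.split(".")
  raise ArgumentError, "malformed token" unless parts.size == 3
  head, body, sig = parts
  header = JSON.parse(b64url_decode(head))
  # Pin the algorithm; the token header must not get to pick "none" or HMAC.
  raise ArgumentError, "unexpected alg" unless header["alg"] == "RS256"
  jwk = jwks.fetch("keys").find { |k| k["kty"] == "RSA" && k["kid"] == header["kid"] }
  raise ArgumentError, "unknown kid" unless jwk
  valid = rsa_key_from_jwk(jwk).verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig), "#{head}.#{body}")
  raise ArgumentError, "bad signature" unless valid
  claims = JSON.parse(b64url_decode(body))
  raise ArgumentError, "expired" unless claims["exp"].to_i > Time.now.to_i
  # 0.0.4 emits "scope" (space-delimited string); "scopes" is not accepted.
  raise ArgumentError, "missing scope claim" unless claims["scope"].is_a?(String)
  claims["scope"].split(" ")
end

# Constructed sample: throwaway key, kid and scope values, built offline.
def sample_token_and_jwks(header: { "alg" => "RS256", "kid" => "demo-key" }, claim: "scope")
  key = OpenSSL::PKey::RSA.new(2048)
  jwks = { "keys" => [{ "kty" => "RSA", "kid" => "demo-key",
                        "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }] }
  payload = { claim => "profile.read books.read", "exp" => Time.now.to_i + 60 }
  input = [header, payload].map { |part| b64url(JSON.generate(part)) }.join(".")
  ["#{input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), input))}", jwks]
end

token, jwks = sample_token_and_jwks
puts verified_scopes(token, jwks).inspect
```

A client still reading the pre-0.0.4 "scopes" claim would find it missing from tokens issued by this release, which is the failure the last check makes explicit.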