" "), to define how scopes are stored;
rodauth-oauth can now be used in a resource server, i.e. only for authorizing access to resources:
plugin :rodauth do enable :oauth is_authorization_server? false authorization_server_url "https://auth-server" end
It requires the authorization to implement the server metadata endpoint (
/.well-known/oauth-authorization-server), and if using JWS, the JWKs URI endpoint (unless
oauth_jwt_public_key is defined).
Multiple Redirect URIs are now allowed for client applications out-of-the-box. In order to use it in API mode, you can pass the
redirect_uriwith an array of strings (the URLs) as values; in the new client application form, you can add several input fields with name field as
redirect_uri. ATTENTION!! When using multiple redirect URIs, passing the desired redirect URI to the authorize form becomes mandatory.
store scopes with whitespace instead of comma; set separator as
oauth_scope_separatoroption, to keep backwards-compatibility;
client application can now store multiple redirect uris; the POST API parameters can accept the redirect_uri param value both as a string or an array of string; internally, they’ll be stored in a whitespace-separated string;
RETURNINGsupport in the databases supporting it (such as postgres).