Last Update: 2023-04-29 00:05:41 +0000

0.0.5 (26/6/2020)


  • new option: oauth_scope_separator (default: " "), to define how scopes are stored;

Resource Server mode

rodauth-oauth can now be used in a resource server, i.e. only for authorizing access to resources:

plugin :rodauth do
  enable :oauth

  is_authorization_server? false
  authorization_server_url "https://auth-server"

It requires the authorization to implement the server metadata endpoint (/.well-known/oauth-authorization-server), and if using JWS, the JWKs URI endpoint (unless oauth_jwt_public_key is defined).


  • Multiple Redirect URIs are now allowed for client applications out-of-the-box. In order to use it in API mode, you can pass the redirect_uri with an array of strings (the URLs) as values; in the new client application form, you can add several input fields with name field as redirect_uri[]. ATTENTION!! When using multiple redirect URIs, passing the desired redirect URI to the authorize form becomes mandatory.

  • store scopes with whitespace instead of comma; set separator as oauth_scope_separator option, to keep backwards-compatibility;

  • client application can now store multiple redirect uris; the POST API parameters can accept the redirect_uri param value both as a string or an array of string; internally, they’ll be stored in a whitespace-separated string;


  • Fixed RETURNING support in the databases supporting it (such as postgres).


  • option scopes_param renamed to scope_param; *