0.10.0 (10/06/2022)

Features

Resource Indicators

RFC: datatracker.ietf.org/doc/html/rfc8707

rodauth-oauth now supports Resource Indicators, via the optional :oauth_resource_indicators feature.
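As an added illustration of what RFC 8707 asks an authorization server to enforce (this is example code, not rodauth-oauth's implementation of the feature), the following stand-alone Ruby script validates requested resource values and derives the token audience from them. InvalidTarget, valid_resource_indicator?, audience_for and REGISTERED_RESOURCES are names invented for this example; the sample registrations are constructed.

```ruby
require "uri"

# Raised when a requested resource cannot be honoured; an authorization
# server answers such a request with the "invalid_target" error defined
# in RFC 8707. (Class name is this example's own.)
class InvalidTarget < StandardError; end

# RFC 8707 section 2: a resource value must be an absolute URI and must not
# carry a fragment component. A query component is permitted, and URNs
# qualify as absolute URIs too.
def valid_resource_indicator?(value)
  uri = URI.parse(value.to_s)
  uri.absolute? && uri.fragment.nil?
rescue URI::InvalidURIError
  false
end

# Compute the audience ("aud") a token should carry for the resources the
# client asked for. Every requested value must be well-formed and registered
# for the client; otherwise the whole request is rejected rather than silently
# narrowed to the subset that would have been acceptable. Exact string
# comparison is a simplification made by this example.
def audience_for(requested, registered)
  Array(requested).map do |value|
    raise InvalidTarget, "malformed resource: #{value}" unless valid_resource_indicator?(value)
    raise InvalidTarget, "resource not registered for client: #{value}" unless registered.include?(value)
    value
  end
end

# Constructed sample data: the resources one client registration allows.
REGISTERED_RESOURCES = %w[https://api.example.com/ https://calendar.example.com/].freeze

if $PROGRAM_NAME == __FILE__
  puts audience_for(%w[https://api.example.com/], REGISTERED_RESOURCES).inspect
  begin
    audience_for(%w[https://api.example.com/#admin], REGISTERED_RESOURCES)
  rescue InvalidTarget => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting the whole request on a single bad value matters: narrowing the audience quietly would hand the client a token whose scope differs from what it believes it negotiated.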
JWT: extra options

The following extra option values were added:

- oauth_jwt_jwe_keys
- oauth_jwt_public_keys
- oauth_jwt_jwe_public_keys

:oauth_jwt_jwe_keys should be used to store all provider combinations of encryption keys, indexed by an algorithm/encryption-method tuple:

    oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }

The first element of the hash indicates the preferred encryption mode, used when no combination is specifically requested.

This should be considered the most future-proof way of declaring JWE keys, and support for oauth_jwt_jwe_key and friends should soon be deprecated.

Both oauth_jwt_public_keys and oauth_jwt_jwe_public_keys provide a way to declare multiple keys to be exposed as the provider JWKs in the /jwks endpoint.
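To make the two ideas above concrete, here is an added stand-alone Ruby example (not rodauth-oauth's own code): a key table in the same `%w[alg enc] => key` shape the option expects, a lookup that falls back to the first entry when no combination is requested, an RSA-OAEP wrap/unwrap of a content-encryption key showing that the chosen tuple determines which private key can open the JWE, and a JWK set of the kind a /jwks endpoint would publish. JWE_KEYS, pick_jwe_key, wrap_cek, unwrap_cek, b64url, rsa_jwk and jwks are names invented for this example, and the RSA pairs are generated on the fly.

```ruby
require "openssl"

# Constructed key table (not a real deployment): one RSA pair per alg/enc
# tuple. The first entry is the preferred mode, per the changelog rule.
JWE_KEYS = {
  %w[RSA-OAEP A128CBC-HS256] => OpenSSL::PKey::RSA.new(2048),
  %w[RSA-OAEP A256GCM]       => OpenSSL::PKey::RSA.new(2048),
}.freeze

# Resolve the key for a requested (alg, enc) pair. With no request the first
# entry wins; an unknown combination is an error rather than a silent fallback.
# Hypothetical helper; rodauth-oauth's own lookup is not shown here.
def pick_jwe_key(keys, alg: nil, enc: nil)
  return keys.first if alg.nil? && enc.nil?          # => [[alg, enc], key]
  tuple = [alg, enc]
  key = keys[tuple]
  raise ArgumentError, "unsupported JWE combination #{tuple.inspect}" unless key
  [tuple, key]
end

# JWE "RSA-OAEP" is RSA with OAEP padding (SHA-1 MGF1) applied to the
# content-encryption key; OpenSSL's PKCS1_OAEP_PADDING is exactly that.
def wrap_cek(rsa_key, cek)
  rsa_key.public_encrypt(cek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

def unwrap_cek(rsa_key, wrapped)
  rsa_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# base64url without padding, as JWK/JWS/JWE require (stdlib only, no Base64 gem).
def b64url(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

# Public half of an RSA key as a JWK; "use" separates signing keys from
# encryption keys so clients pick the right one.
def rsa_jwk(rsa_key, use:, kid:)
  {
    "kty" => "RSA", "use" => use, "kid" => kid,
    "n" => b64url(rsa_key.n.to_s(2)),
    "e" => b64url(rsa_key.e.to_s(2)),
  }
end

# The document a /jwks endpoint would serve: signing keys first, then the
# encryption keys clients should use to encrypt requests for this provider.
def jwks(signing_keys, encryption_keys)
  sig = signing_keys.each_with_index.map { |k, i| rsa_jwk(k, use: "sig", kid: "sig-#{i}") }
  enc = encryption_keys.each_with_index.map { |k, i| rsa_jwk(k, use: "enc", kid: "enc-#{i}") }
  { "keys" => sig + enc }
end

if $PROGRAM_NAME == __FILE__
  tuple, key = pick_jwe_key(JWE_KEYS)
  cek = OpenSSL::Random.random_bytes(32)   # A128CBC-HS256 uses a 256-bit CEK
  puts "preferred mode: #{tuple.join('/')}"
  puts "round trip ok:  #{unwrap_cek(key, wrap_cek(key, cek)) == cek}"
  puts "jwks kids:      #{jwks([], JWE_KEYS.values)['keys'].map { |k| k['kid'] }.inspect}"
end
```

Only the public parameters (n, e) go into the JWK set; the private exponent never leaves the provider, which is why the table above holds full key pairs while jwks reads just n and e from them.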
Improvements

- Added translations for Portuguese.
OpenID Connect improvements

- The :oidc feature now depends on rodauth's account_expiration feature. Although a more involved, somewhat breaking change, it was required in order to keep track of account login event timestamps, necessary for correct "auth_time" calculation (see the first bugfix mention for more details, and Breaking Changes for the migration path).
- Support for the ui_locales parameter was added. This feature depends on the :i18n feature provided by rodauth-i18n.
- Support for the claims_locales parameter was added: get_oidc_param and get_additional_param, when accepting a 3rd parameter, will be passed a locale code:

      # given "claims_locales=en pt"
      get_oidc_param { |account, param, locale| }  # will be called twice for the same param, once with locale "en", once with "pt"
      get_oidc_param { |account, param| }          # will be called once, without a locale

- Support for the max_age parameter was added.
- Support for the acr_values parameter was added.
  When "phr", and a rodauth 2-factor feature (like otp) is enabled, the user will be requested for 2-factor authentication before performing the OpenID Authorization Request.
  When "phrh", and rodauth's webauthn_login feature is enabled, the user will be requested for WebAuthn authentication before performing the OpenID Authorization Request.
  Any other acr values are considered provider-specific, and the require_acr_value(acr_value) option should be provided to deal with them (it'll be called after authentication is ensured and before the authorization request is processed).
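The claims_locales dispatch, the max_age check and the acr_values decision described in the items above, as one added stand-alone Ruby example (not rodauth-oauth's code): resolve_claim calls a resolver block once per locale when the block accepts a third argument and once otherwise, keying localized values in the OIDC "claim#locale" form; reauthentication_required? compares the recorded last login against max_age; step_up_for maps acr values to the step-up the page describes. ACCOUNT is constructed sample data; the three helper names, the :two_factor/:webauthn/:provider_specific symbols and the :unavailable result for a disabled feature are this example's assumptions.

```ruby
# Constructed sample account: per-locale claim values plus the last login
# time that the account_expiration feature would record in last_login_at.
ACCOUNT = {
  "name" => { "en" => "John", "pt" => "Joao" },
  "last_login_at" => Time.utc(2022, 10, 6, 12, 0, 0),
}.freeze

# claims_locales: a resolver block taking a third (locale) argument is
# invoked once per requested locale and each value is keyed with the OIDC
# language-tag form ("name#en"); a two-argument block is invoked once.
# Hypothetical helper, not rodauth-oauth's get_oidc_param implementation.
def resolve_claim(account, param, claims_locales, &resolver)
  locales = claims_locales.to_s.split
  if resolver.arity.abs >= 3 && !locales.empty?
    locales.each_with_object({}) do |locale, claims|
      claims["#{param}##{locale}"] = resolver.call(account, param, locale)
    end
  else
    { param => resolver.call(account, param) }
  end
end

# max_age: the user must have authenticated within the last max_age seconds,
# otherwise the provider has to force a fresh login before issuing tokens.
# auth_time is the recorded last login, which is why the changelog ties this
# to account_expiration. max_age=0 effectively always forces re-authentication.
def reauthentication_required?(last_login_at, max_age, now: Time.now)
  return false if max_age.nil?
  (now - last_login_at) > Integer(max_age)
end

# acr_values: "phr" needs a second factor, "phrh" needs WebAuthn, anything
# else goes to the provider-specific hook. Returning :unavailable when the
# required feature is off is this example's choice, not the page's.
def step_up_for(acr_values, two_factor_enabled:, webauthn_enabled:)
  acr_values.to_s.split.map do |acr|
    case acr
    when "phr"  then two_factor_enabled ? :two_factor : :unavailable
    when "phrh" then webauthn_enabled ? :webauthn : :unavailable
    else :provider_specific
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p resolve_claim(ACCOUNT, "name", "en pt") { |acct, param, locale| acct[param][locale] }
  p resolve_claim(ACCOUNT, "name", "en pt") { |acct, param| acct[param]["en"] }
  p reauthentication_required?(ACCOUNT["last_login_at"], "300", now: ACCOUNT["last_login_at"] + 600)
  p step_up_for("phr phrh urn:example:loa2", two_factor_enabled: true, webauthn_enabled: false)
end
```

The arity check is the whole trick behind "when accepting a 3rd parameter": Ruby procs report how many parameters they declare, so the same configuration method can serve both block shapes without a separate option.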
Bugfixes

- Reverted the "auth_time" calculation "fix" introduced in 0.9.3, which broke compliance with the RFC (the implementation prior to that was also broken, hence why the "account_expiration" plugin was introduced as a dependency).
Breaking Changes

As you have read already, the "account_expiration" feature is now required by default by "oidc". In order to migrate to it, here's a suggested strategy:

- Add the relevant database tables. Add a migration looking roughly like this:

      create_table(:account_activity_times) do
        foreign_key :id, :accounts, primary_key: true, type: Integer
        DateTime :last_activity_at, null: false
        DateTime :last_login_at, null: false
        DateTime :expired_at
      end

- Update and deploy rodauth-oauth 0.10.0 (nothing required beyond enable :oidc).
- Set :last_login_at to a value. Like now. You can, for example, run this SQL:

      UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;

  That's it, nothing fancy or accurate. Yes, the last_login_at is wrong, but as sessions expire, it should go back to normal.