Last Update: 2023-04-29 00:05:41 +0000

0.10.0 (10/06/2022)


Resource Indicators

RFC: datatracker.ietf.org/doc/html/rfc8707

rodauth-oauth now supports Resource Indicators, via the optional :oauth_resource_indicators feature.

JWT: extra options

The following extra option values were added:

  • oauth_jwt_jwe_keys

  • oauth_jwt_public_keys

  • oauth_jwt_jwe_public_keys

:oauth_jwt_jwe_keys should be used to store all provider combos of encryption keys, indexed by an algo/method tuple:

oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }

The first element of the hash should indicate the preferred encryption mode, when no combination is specifically requested.

It should be considered the most future-proof way of declaring JWE keys, and support for oauth_jwt_jwe_key and friends should be soon deprecated.

Both oauth_jwt_public_keys and oauth_jwt_jwe_public_keys provide a way to declare multiple keys to be exposed as the provider JWKs in the /jwks endpoint.


  • Added translations for portuguese.

OpenID Connect improvements

Although a more-involved-somewhat-breaking change, it was required in order to keep track of account login event timestamps, necessary for correct "auth_time" calculation (see the first bugfix mention for more details, and Breaking Changes for migration path).

  • Support for the ui_locales parameter was added. This feature depends on the :i18n feature provided by rodauth-i18n.

  • Support for the claims_locales parameter was added, in that the get_oidc_param and get_additional_param, when accepting a 3rd parameter, will be passed a locale code:

# given "claims_locales=en pt"

get_oidc_param { |account, param, locale| }
# will be called twice for the same param, one with locale as "en", another as "pt"

get_oidc_param { |account, param| }
# will be called once without locale
  • Support for max_age parameter was added.

  • Support for acr_values parameter was added.

When “phr”, and a rodauth 2-factor feature (like otp) is enabled, the user will be requested for 2-factor authentication before performing the OpenID Authorization Request.

When “phrh”, and rodauth‘s webauthn_login feature is enabled, the user will be requested for WebAuthn authentication before performing the OpenID Authorization Request.

Any other acr values are considered provider-specific, and the require_acr_value(acr_value) option should be provided to deal with it (it’ll be called after authentication is ensured and before the authorization request is processed).


  • reverted the "auth_time" calculation “fix” introduced in 0.9.3, which broke compliance with the RFC (the implementation prior to that was also broken, hence why "account_expiration" plugin was introduced as a dependency).

Breaking Changes

As you read already, the "account_expiration" feature is now required by default by "oidc". In order to migrate to it, here’s a suggested strategy:

  1. Add the relevant database tables

Add a migration looking roughly like this:

create_table(:account_activity_times) do
  foreign_key :id, :accounts, primary_key: true, type: Integer
  DateTime :last_activity_at, null: false
  DateTime :last_login_at, null: false
  DateTime :expired_at
  1. Update and deploy rodauth-oauth 0.10.0

(Nothing required beyond enable :oidc.)

  1. Set :last_login_at to a value.

Like now. You can , for example, run this SQL:

UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;

That’s it, nothing fancy or accurate. Yes, the last_login_at is wrong, but as sessions expire, it should go back to normal.