0.10.0 (10/06/2022)

Features

Resource Indicators
RFC: datatracker.ietf.org/doc/html/rfc8707
rodauth-oauth now supports Resource Indicators, via the optional :oauth_resource_indicators feature.
JWT: extra options

The following extra option values were added:

- oauth_jwt_jwe_keys
- oauth_jwt_public_keys
- oauth_jwt_jwe_public_keys

:oauth_jwt_jwe_keys should be used to store all of the provider's combinations of encryption keys, indexed by an algorithm/method tuple:

```ruby
oauth_jwt_jwe_keys { { %w[RSA-OAEP A128CBC-HS256] => key } }
```

The first element of the hash indicates the preferred encryption mode, used when no combination is specifically requested.

It should be considered the most future-proof way of declaring JWE keys; support for oauth_jwt_jwe_key and friends will soon be deprecated.

Both oauth_jwt_public_keys and oauth_jwt_jwe_public_keys provide a way to declare multiple keys to be exposed as the provider's JWKs in the /jwks endpoint.
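As an added illustration (not rodauth-oauth's own code) of the two points above, the block below keeps JWE keys in an ordered hash keyed by an [alg, enc] pair, selects the first entry when the client requests no specific combination, rejects unsupported combinations instead of silently falling back, and builds the public-only JWK set that a /jwks endpoint would expose. The keys are generated on the spot, and the function names select_jwe_key, public_jwks and jwk_thumbprint are assumptions for this example.

```ruby
require "openssl"
require "json"
require "digest"
require "base64"

# Constructed example: an ordered Hash in the shape oauth_jwt_jwe_keys expects,
# keyed by an [alg, enc] pair. Ruby Hashes preserve insertion order, so the
# first entry is the preferred combination.
JWE_KEYS = {
  %w[RSA-OAEP A128CBC-HS256] => OpenSSL::PKey::RSA.new(2048),
  %w[RSA-OAEP-256 A256GCM]   => OpenSSL::PKey::RSA.new(2048)
}.freeze

# Return [combo, key] for the requested alg/enc pair, or the preferred (first)
# entry when the client did not ask for a specific combination. An unknown
# combination is rejected rather than mapped to some other key, so a token is
# never encrypted under parameters the client did not request.
def select_jwe_key(keys, alg: nil, enc: nil)
  return keys.first if alg.nil? && enc.nil?

  combo = [alg, enc]
  key = keys[combo]
  raise ArgumentError, "unsupported JWE combination #{combo.join('/')}" unless key

  [combo, key]
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# RFC 7638 thumbprint of an RSA public key: SHA-256 over the canonical JSON of
# the required members ("e", "kty", "n") in lexicographic order. Used as "kid".
def jwk_thumbprint(n, e)
  b64url(Digest::SHA256.digest(JSON.generate({ "e" => e, "kty" => "RSA", "n" => n })))
end

# Public JWK representation of every configured key. Only the modulus and
# public exponent are serialized; the private material never leaves the hash.
def public_jwks(keys)
  keys.map do |(alg, _enc), key|
    n = b64url(key.n.to_s(2))
    e = b64url(key.e.to_s(2))
    { "kty" => "RSA", "use" => "enc", "alg" => alg,
      "kid" => jwk_thumbprint(n, e), "n" => n, "e" => e }
  end
end

if __FILE__ == $PROGRAM_NAME
  combo, = select_jwe_key(JWE_KEYS)
  puts "preferred combination: #{combo.join('/')}"
  puts JSON.pretty_generate("keys" => public_jwks(JWE_KEYS))
end
```

Because Ruby hashes are ordered, the "first element is preferred" rule from the changelog falls out of `keys.first`; reordering the entries in the configuration block is all that is needed to change the default.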
Improvements

- Added translations for Portuguese.
OpenID Connect improvements

- The :oidc feature now depends on rodauth's account_expiration feature. Although a more involved, somewhat breaking change, it was required in order to keep track of account login event timestamps, which are necessary for correct "auth_time" calculation (see the first bugfix entry for more details, and Breaking Changes for the migration path).
- Support for the ui_locales parameter was added. This feature depends on the :i18n feature provided by rodauth-i18n.
- Support for the claims_locales parameter was added: get_oidc_param and get_additional_param, when accepting a 3rd parameter, will be passed a locale code:

  ```ruby
  # given "claims_locales=en pt"
  get_oidc_param { |account, param, locale| } # called twice for the same param, once with locale "en", once with "pt"
  get_oidc_param { |account, param| }         # called once, without a locale
  ```

- Support for the max_age parameter was added.
- Support for the acr_values parameter was added.
  When "phr" is requested and a rodauth 2-factor feature (like otp) is enabled, the user will be asked for 2-factor authentication before the OpenID Authorization Request is performed.
  When "phrh" is requested and rodauth's webauthn_login feature is enabled, the user will be asked for WebAuthn authentication before the OpenID Authorization Request is performed.
  Any other acr values are considered provider-specific, and the require_acr_value(acr_value) option should be provided to deal with them (it will be called after authentication is ensured and before the authorization request is processed).
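The following is an added example, not code from rodauth-oauth, showing in plain Ruby how the claims_locales and acr_values behaviour described above can be modelled: a claim block that takes a locale argument is invoked once per requested locale, a block without one is invoked once, and each acr value maps to the step-up the provider must enforce before the authorization request proceeds. The names claims_locales_for, resolve_claim and required_step_up, and the :unsupported result for "phr"/"phrh" when the matching rodauth feature is not enabled, are assumptions of this illustration.

```ruby
# claims_locales is a space-separated, preference-ordered list of locale tags.
def claims_locales_for(params)
  value = params["claims_locales"].to_s.strip
  return [] if value.empty?

  value.split(/\s+/)
end

# Dispatch a claim block the way the changelog describes: a block accepting a
# third (locale) argument is called once per requested locale; a two-argument
# block is called once without a locale. Returns the collected claim values.
def resolve_claim(account, param, locales, &block)
  if block.arity == 3 && !locales.empty?
    locales.map { |locale| block.call(account, param, locale) }
  else
    [block.call(account, param)]
  end
end

# Map each requested acr value to the step-up the provider must enforce:
#   "phr"  -> a second factor, when a rodauth 2-factor feature is enabled
#   "phrh" -> WebAuthn, when rodauth's webauthn_login feature is enabled
#   anything else -> :provider_specific, to be handled by require_acr_value
# :unsupported (an assumption of this example) marks a "phr"/"phrh" request
# the deployment cannot honour because the relevant feature is not enabled.
def required_step_up(acr_values, otp_enabled:, webauthn_enabled:)
  acr_values.to_s.split(/\s+/).map do |acr|
    case acr
    when "phr"  then otp_enabled      ? :two_factor : :unsupported
    when "phrh" then webauthn_enabled ? :webauthn   : :unsupported
    else :provider_specific
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters for demonstration.
  params = { "claims_locales" => "en pt", "acr_values" => "phrh urn:example:acr" }
  locales = claims_locales_for(params)
  names = resolve_claim(:account, "name", locales) { |_a, p, l| "#{p}[#{l}]" }
  puts "localized claim values: #{names.inspect}"
  puts "step-ups: #{required_step_up(params['acr_values'], otp_enabled: true, webauthn_enabled: true).inspect}"
end
```

Returning a value per acr entry rather than a single boolean keeps the provider-specific values visible, so the caller can hand exactly those to require_acr_value and enforce the built-in ones itself.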
Bugfixes

- Reverted the "auth_time" calculation "fix" introduced in 0.9.3, which broke compliance with the RFC (the implementation prior to that was also broken, which is why the "account_expiration" plugin was introduced as a dependency).
Breaking Changes

As mentioned above, the "account_expiration" feature is now required by default by "oidc". In order to migrate to it, here is a suggested strategy:

- Add the relevant database tables. Add a migration looking roughly like this:

  ```ruby
  create_table(:account_activity_times) do
    foreign_key :id, :accounts, primary_key: true, type: Integer
    DateTime :last_activity_at, null: false
    DateTime :last_login_at, null: false
    DateTime :expired_at
  end
  ```

- Update and deploy rodauth-oauth 0.10.0 (nothing required beyond `enable :oidc`).
- Set :last_login_at to a value, such as now. You can, for example, run this SQL:

  ```sql
  UPDATE account_activity_times SET last_login_at = CURRENT_TIMESTAMP;
  ```

  That's it, nothing fancy or accurate. Yes, last_login_at is wrong, but as sessions expire, it should go back to normal.