rodauth-auth now supports using a SAML Assertion to request for an Access token.In order to enable, you have to:
plugin :rodauth do enable :oauth_saml end
For more info about integrating it, check the wiki.
At some point, you’ll want to replace the pkeys and algorithm used to generate and verify the JWT access tokens, but you want to keep validating previously-distributed JWT tokens, at least until they expire. Now you can, via two new options,
oauth_jwt_legacy_algorithm, which will be declared in the JWKs URI and used to verify access tokens.
oauth_reuse_access_token is set, if there’s already an existing valid access token, any new grant for the same application / account / scope will keep the same access token. This can be helpful in scenarios where one wants the same access token distributed across devices.
The method used to verify access to the authorize flow is called
require_authorizable_account. By default, it checks if a user is logged in by using rodauth’s own
require_account. This is the method you’d want to redefine in order to augment these requirements, i.e. request 2fa authentication.
Expired and revoked access tokens end up generating a lot of garbage, which will have to be periodically cleaned up. You can mitigate this now by setting a uniqueness index for a group of columns, i.e. if you set a uniqueness index for the
rodauth-oauth will transparently reuse the same db entry to store the new access token. If setting some other type of uniqueness index, make sure to update the option
oauth_tokens_unique_columns (the array of columns from the uniqueness index).
before_*_route callbacks appropriately.
Fixed some mishandling of HTTP headers when in in resource-server mode.
97.7% test coverage;
rodauth-oauthCI tests run against sqlite, postgresql and mysql.