0_3_0.md

doc/release_notes/0_3_0.md
Last Update: 2023-01-10 23:21:31 +0000

0.3.0 (8/10/2020)

Features

  • oauth_refresh_token_protection_policy is a new option, which can be used to set a protection policy around usage of refresh tokens. By default it’s none, for backwards-compatibility. However, when set to rotation, refresh tokens will be “use-once”, i.e. a token refresh request will generate a new refresh token. Also, refresh token requests performed with already-used refresh tokens will be interpreted as a security breach, i.e. all tokens linked to the compromised refresh token will be revoked.

Improvements

  • Support for the OIDC authorize {prompt parameter}[https://openid.net/specs/openid-connect-core-1_0.html] (sectionn 3.1.2.1). It supports the none, login and consent out-of-the-box, while providing support for select-account when paired with rodauth-select-account, a rodauth feature to handle multiple accounts in the same session.

  • Refresh Tokens are now expirable. The refresh token expiration period is governed by the oauth_refresh_token_expires_in option (default: 1 year), and is the period for which a refresh token can be used after its respective access token expired.

Bugfixes

  • Default Templates now being packaged, as a way to provide a default experience to the OAuth journeys.

  • fixing metadata urls when plugin loaded with a prefix path (@ianks)

  • All date/time-based calculations, such as determining an expiration date, or checking if a token has expired, are now performed using database arithmetic operations, using sequel's date_arithmetic plugin. This will eliminate subtle bugs, such as when the database timezone is different than the application OS timezone.

  • OIDC configuration endpoint is now stricter, eliminating JSON metadata inherited from the Oauth metadata endpoint. (@ianks)

Chore

Use rodauth.convert_timestamp in the templates, whenever dates are displayed.

Set HTTP Cache headers for metadata responses, such as /.well-known/oauth-authorization-server and /.well-known/openid-configuration, so they can be stored at the edge. The cache will be valid for 1 day (this value isn’t set by an option yet).