Last Update: 2024-06-17 10:14:17 +0000

1.0.0 (15/12/2022)


rodauth-oauth is now OpenID certified for the following certification profiles:

  • Basic OP

  • Implicit OP

  • Hybrid OP

  • Config OP

  • Dynamic OP

  • Form Post OP

and passes the conformance tests for RP-Initiated Logout OP.

The OIDC server used to run the test can be found here and deployed here.

Breaking changes

The full description of breaking changes, and suggestions on how to make the migration smoother, can be found in the migration guide.

A short list of the main highlights:

  • Ruby 2.5 or higher is required.

  • oauth_http_mac feature removed.

  • oauth_tokens table (and resource) were removed (only oauth_applications and oauth_grants, access and refresh tokens are now properties of the latter).

  • access and refresh tokens hashed by default when stored in the database.

  • default oauth response mode is "form_post".

  • oauth specific features require explicit enablement of respective features (no more enable :oauth)

  • refresh token policy is “rotation” by default

  • homepage url is no longer a client application required property.

  • OIDC RP-initiated logout extracted into oidc_rp_initiated_logout feature.


The following helpers are exposed in the rodauth object:

  • current_oauth_account - returns the dataset row for the rodauth account associated to an oauth access token in the “authorization” header.

  • current_oauth_application - returns the dataset row for the oauth application associated to an oauth access token in the “authorization” header.

When used in rails via rodauth-rails, both are exposed directly as controller helpers.

oauth_resource_server plugin

This plugin can be used as a convenience when configuring resource servers.

JAR support for request_uri query param

The oauth_jwt_secured_authorization_request plugin now supports a request_uri query param as well.

OIDC features

  • The oidc plugin supports essential claims, via the claims authorization request query parameter.

  • id token built with "c_hash" and "at_hash" claims when they should.


  • :oauth_introspect plugin: OAuth introspection endpoint exposes the token’s "username" claim.

  • endpoint client authentication supports “client credentials grant” access tokens.

  • acr_values_supported exposed in the openid configuration.

  • oauth_request_object_signing_alg_allow_none enables "none" as an accepted request object signing alg when true (false by default).

  • OIDC offline_access supported.


  • fixed oidc calculation of "auth_time" claim.

  • JWT: “sub” is now always a string.

  • response_type is now an authorization request required parameter (as per the RFC).

  • state is now passed along when redirecting from authorization requests with error;

  • access token can now be read from POST body or GET query params (as per the RFC).

  • id token no longer shipping with claims with null value;

  • id token no longer encoding claims by default (only when response_type=id_token, as per the RFC).

  • support “JWT without kid” when doing jwt decoding for JWT tokens not generated in the provider (such as request objects).

  • Set iss and aud claims in the Userinfo JWT response.

  • Make sure errors are also delivered via form POST, when response_mode=form_post.

  • Authorization request now shows an error page when response_type or client_id are missing, or redirect_uri is missing or invalid; a new "authorize_error" template is invoked in such cases.

  • oidc: nonce present in id token when using the “id_token token” response type.

  • error parameter delivered in URL fragment when failing an implicit grant autorization request.