Last Update: 2023-11-27 06:15:32 +0000

1.2.0 (13/02/2023)


Pushed Authorization Requests (PAR)

RFC: datatracker.ietf.org/doc/html/rfc9126

rodauth-oauth supports Pushed Authorization Requests, via the :oauth_pushed_authorization_request feature.

More info about the feature in the wiki.

mTLS Client Auth (+ certificate-bound access tokens)

RFC: www.rfc-editor.org/rfc/rfc8705

The :oauth_tls_client_auth feature adds support for the variants of mTLS Client Authentication “PKI Mutual-TLS Method” and 2Self-Signed Certificate Mutual-TLS Method“. It also supports client certificate bound access tokens.

More about it in the wiki.

Dynamic Client Registration management

RFC: www.rfc-editor.org/rfc/rfc7592

Support for dynamci client registration management was added to the :oauth_dynamic_client_registration feature.

More info about it in the wiki.


  • Support for 3rd-party initiated login was added, by including support for the initiate_login_uri attribute in the register route from the :oauth_dynamic_client_registration feature.

  • Support for multitenant resource ownership was added, here’s a description from the wiki.


  • oidc: userinfo claims were not including claims with value false, such as "email_verified". This behaviour has been fixed, and only claims of value null are omitted.