Last Update: 2023-11-27 06:15:32 +0000

1.3.0 (02/04/2023)


Self-Signed Issued Tokens

rodauth-oauth supports self-signed issued tokens, via the oidc_self_issued feature.

More info about the feature in the docs.


rodauth-oauth supports JWT-secured Authorization Response Mode, also known as JARM, via the oauth_jwt_secured_authorization_response_mode.

More info about the feature in the docs.


fill_with_account_claims auth method

fill_with_account_claims is now exposed as an auth method. This allows one to override to be able to cover certain requirements, such as aggregated and distributed claims. Here’s a link to the docs explaining how to do it.

oidc: only generate refresh token when offline_access scope is used.

When the oidc feature is used, refresh tokens won’t be generated anymore by default; in order to do so, the offline_access needs to be requested for in the respective authorization request, as the spec mandates.

oidc: implicit grant loaded by default

The oidc feature now loads the oauth_implicit_grant feature by default. This hadn’t been done before due to the wish to ship a secure integration by default, but since then, spec compliance became more prioritary, and this is a requirement.


  • rails integration: activerecord migrations fixes:

  • use bigint for foreign keys;

  • index creation instruction with the wrong syntax;

  • set precision 6 for default timestamps, to comply with AR defaults;

  • add missing code column to the oauth_pushed_requests table;

  • oidc: when using the id_token , or any composite response type including id_token, using any response mode other than fragment will result in an invalid request.