## 1.3.0 (02/04/2023)

### Features

#### Self-Signed Issued Tokens
rodauth-oauth supports self-signed issued tokens, via the `oidc_self_issued` feature. More info about the feature in the docs.
#### JARM

rodauth-oauth supports JWT-secured Authorization Response Mode, also known as JARM, via the `oauth_jwt_secured_authorization_response_mode` feature. More info about the feature in the docs.
### Improvements

#### `fill_with_account_claims` auth method

`fill_with_account_claims` is now exposed as an auth method. This allows overriding it to cover certain requirements, such as aggregated and distributed claims. Here's a link to the docs explaining how to do it.
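As an added example (not rodauth-oauth's own code, and not the docs linked above), the stand-alone Ruby below sketches what an overridden claims-filling method can do when some claims are held by other parties: local claims are copied from the account record according to the requested scopes, while aggregated and distributed claims are referenced through `_claim_names` / `_claim_sources` as OpenID Connect Core 5.6.2 defines them. The method name mirrors the auth method named above, but its argument list (claims hash, account hash, requested scopes, a keyword for external sources) is an assumption, and the account, sources, JWT and token values are constructed sample data.

```ruby
# Added example, not rodauth-oauth's code. The signature of
# fill_with_account_claims below is an assumption for illustration only.
require "json"

# Which account columns each scope is allowed to expose (constructed mapping).
LOCAL_CLAIMS_BY_SCOPE = {
  "profile" => %w[name],
  "email"   => %w[email email_verified]
}.freeze

# Constructed sample of claims supplied by other parties:
#  - an aggregated claim arrives as a signed JWT that is embedded as-is;
#  - a distributed claim is fetched later by the client from an endpoint,
#    using the access token the provider hands out for that endpoint.
EXTERNAL_SOURCES = {
  "src1" => { type: :aggregated, claims: %w[address],
              jwt: "eyJ.sample.aggregated.jwt" },
  "src2" => { type: :distributed, claims: %w[payment_info],
              endpoint: "https://bank.example/claims",
              access_token: "sample-endpoint-token" }
}.freeze

def fill_with_account_claims(claims, account, scopes, external_sources: EXTERNAL_SOURCES)
  # Local claims: copy only the columns the requested scopes permit, so a
  # request without "profile" never leaks "name".
  scopes.each do |scope|
    Array(LOCAL_CLAIMS_BY_SCOPE[scope]).each do |name|
      claims[name] = account[name] if account.key?(name)
    end
  end

  # Aggregated / distributed claims: reference them instead of copying values.
  claim_names = {}
  claim_sources = {}
  external_sources.each do |source_name, source|
    source[:claims].each { |name| claim_names[name] = source_name }
    claim_sources[source_name] =
      case source[:type]
      when :aggregated
        { "JWT" => source[:jwt] }
      when :distributed
        { "endpoint" => source[:endpoint], "access_token" => source[:access_token] }
      else
        raise ArgumentError, "unknown claim source type #{source[:type].inspect}"
      end
  end
  unless claim_names.empty?
    claims["_claim_names"] = claim_names
    claims["_claim_sources"] = claim_sources
  end
  claims
end

# Constructed sample account row and a sample request for "openid email".
SAMPLE_ACCOUNT = {
  "name" => "Jane Doe",
  "email" => "jane@example.com",
  "email_verified" => true
}.freeze

def sample_userinfo
  fill_with_account_claims({ "sub" => "248289761001" }, SAMPLE_ACCOUNT, %w[openid email])
end

puts JSON.pretty_generate(sample_userinfo) if $PROGRAM_NAME == __FILE__
```

The point of the reference structure is that the issuer never has to hold the third-party claim values itself; the relying party resolves `_claim_sources` on its side. Whatever the real override looks like, the local part should keep filtering by scope, as shown, rather than dumping the whole account row.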
#### oidc: only generate refresh token when `offline_access` scope is used

When the `oidc` feature is used, refresh tokens are no longer generated by default; to obtain one, the `offline_access` scope needs to be requested in the respective authorization request, as the spec mandates.
#### oidc: implicit grant loaded by default

The `oidc` feature now loads the `oauth_implicit_grant` feature by default. This hadn't been done before, out of a wish to ship a secure integration by default, but since then spec compliance has become a higher priority, and this is a requirement.
### Bugfixes

- rails integration: activerecord migrations fixes:
  - use `bigint` for foreign keys;
  - index creation instruction with the wrong syntax;
  - set precision 6 for default timestamps, to comply with AR defaults;
  - add missing `code` column to the `oauth_pushed_requests` table;
- oidc: when using the `id_token`, or any composite response type including `id_token`, using any response mode other than `fragment` will result in an invalid request.