1_3_2.md

doc/release_notes/1_3_2.md
Last Update: 2024-04-05 12:58:59 +0000

1.3.2 (27/07/2023)

Improvements

  • require_signed_request_object option for JAR (oauth_jwt_secured_authorization_request plugin) is now supported:

  • in the oauth server metadata endpoint

  • as a plugin config option (oauth_require_signed_request_object, defaults to false)

  • as a oauth dynamic registration endpoint param (require_signed_request_object, requires corresponding columnn)

  • enforces JAR-based authorization, andd does not allow unsigned JAR JWTs, when turned on.

Bugfixes

  • JWT decoding failed in circumstances where a declared encryption algo didn’t have key/method declared.

  • fix for when PAR (oauth_pushed_authorization_request feature) is used with JAR (oauth_jwt_secured_authorization_request plugin), and PAR request_uri param wasn’t being removed when validating authorize request parameters, thereby making JAR logic evaluate it as a JAR requuest_uri (it is now correctly not taken into account in such a case);