Last Update: 2023-11-27 06:15:32 +0000

1.4.0 (08/11/2023)


rodauth-oauth is now OpenID certified for the following logout profiles:

  • Session Management OP

  • RP-Initiated Logout OP

  • Front-Channel Logout OP

  • Back-Channel Logout OP

The OIDC server used to run the test can be found here and deployed here.


OIDC logout features

rodauth-oauth ships with the following new features:

which, along with the existing oidc_rp_initiated_logout, implemment all OIDC logout profiles.

Breaking changes

If you’re using oidc, the dependency on account_expiration has been replaced by the active_sessions rodauth feature. This change is required because it fixes bugs associated with accounts expiring in order for id token invalidation to work.

If you’re migrating, it’s recommended that you keep depending on account_expiration during the transition, add active_sessions tables as per rodauth specs, and run them alongside one another for the max period ID tokens should be valid, after which you can remove account_expiration and its tables.

Some auth_value_methods were changed to auth_methods everywhere where it made sense. If you were overriding them, you’ll have to wrap them in a block:

# in 1.3.2
oauth_jwt_issuer "http://myissuer.com"
# in 1.4.0
oauth_jwt_issuer { "http://myissuer.com" }


OAuth SAML Bearer Grant per oauth application settings

The oauth_saml_bearer_grant feature requires a new table/resource, SAML settings, which enable “per client applicatioon” SAML settings, and therefore, make this feature usable in enterprise/multi-tenancy scenarios.


  • remove html_safe usage in rails views to prevent XSS in the authorize form.

  • fixed for OIDC RFC 5.4 when requesting claims using scope values

  • oauth_rp_initiated_logout does not crash anymore on logout requests with id_token_hint

  • oauth_rp_initiated_logout now works with response types other than code

  • oauth_rp_initiated_logout emits an ID token hint invalid message when not able to decode the id_token_hint


  • oauth_tls_client_auth is not dependent on the oauth_jwt feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.