Rodauth OAuth: The OAuth 2.0 provider toolkit

Rodauth OAuth is a Ruby DSL for building OAuth 2.0 authorization servers and OpenID Connect identity providers in a seamless way. It integrates with any Rack framework, including Ruby on Rails. It’s simple but also highly customizable, and can be used to build a new identity provider from the ground up, or to integrate with any existing user/account management solution you might have.

How to install

# standalone gem
gem install rodauth-oauth

or in a Gemfile:

gem "rodauth-oauth"

How to use

This is the simplest Provider example:

# cat config.ru
require "roda"

class OAuthServer < Roda
  # rodauth needs a Sequel database connection (with the rodauth tables
  # migrated) to exist before this plugin is loaded.
  plugin :rodauth do
    enable :login, :oauth_authorization_code_grant
    oauth_application_scopes %w[profile.read profile.write books.read books.research]

    # or, if you want to set up OIDC instead, use these two lines in place of the two above:
    # enable :login, :oidc
    # oauth_application_scopes %w[openid email profile profile.read profile.write books.read books.research]
  end

  route do |r|
    r.rodauth

    r.is "users" do
      r.get do
        # the bearer token must have been granted the profile.read scope
        rodauth.require_oauth_authorization("profile.read")
        # ...
      end

      r.post do
        rodauth.require_oauth_authorization("profile.write")
        # ...
      end
      # ...
    end

    r.is "books" do
      # the token must have at least one of the listed scopes
      rodauth.require_oauth_authorization("books.read", "books.research")

      r.get do
        # ...
      end
    end
  end
end

run OAuthServer.app
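To make the scope semantics of the example above concrete (one required scope for /users, any one of two scopes for /books), here is an added, self-contained Ruby illustration of what a bearer-token scope check does at the resource endpoint. It is not rodauth-oauth's own code: the token store, route table, realm name and the `authorize`/`simulate_request` helpers are all constructed for this example. It follows RFC 6750 for the Authorization header and the `WWW-Authenticate` challenges (401 when no usable token is presented, 403 with `error="insufficient_scope"` when the token lacks every required scope).

```ruby
require "json"

# Constructed token store: opaque bearer token => scopes granted to it.
# A real resource server would look the token up (and check expiry and
# revocation) against the authorization server; this is an in-memory stand-in.
TOKENS = {
  "tok-reader"   => %w[profile.read books.read],
  "tok-writer"   => %w[profile.read profile.write],
  "tok-research" => %w[books.research],
}.freeze

# Route table mirroring the example app: [method, path] => required scopes.
# Any ONE of the listed scopes is enough, as in require_oauth_authorization.
ROUTES = {
  ["GET",  "/users"] => %w[profile.read],
  ["POST", "/users"] => %w[profile.write],
  ["GET",  "/books"] => %w[books.read books.research],
}.freeze

REALM = "example" # hypothetical realm name for the challenge header

# Extract the bearer token from a Rack-style env (RFC 6750 section 2.1).
# Returns nil for a missing or malformed header.
def bearer_token(env)
  header = env["HTTP_AUTHORIZATION"].to_s
  m = /\ABearer\s+([A-Za-z0-9\-._~+\/]+=*)\z/.match(header)
  m && m[1]
end

# Returns a Rack-style [status, headers, body] triple.
def authorize(env)
  required = ROUTES[[env["REQUEST_METHOD"], env["PATH_INFO"]]]
  return [404, { "content-type" => "text/plain" }, ["not found"]] unless required

  token = bearer_token(env)
  granted = token && TOKENS[token]
  unless granted
    # No token, malformed token, or unknown token: challenge without leaking why.
    return [401, { "www-authenticate" => %(Bearer realm="#{REALM}") }, [""]]
  end

  if (granted & required).empty?
    # Valid token, but none of the required scopes: insufficient_scope (RFC 6750 3.1).
    challenge = %(Bearer realm="#{REALM}", error="insufficient_scope", scope="#{required.join(' ')}")
    return [403, { "www-authenticate" => challenge, "content-type" => "application/json" },
            [JSON.generate(error: "insufficient_scope")]]
  end

  [200, { "content-type" => "application/json" }, [JSON.generate(granted_scopes: granted)]]
end

# Build a minimal env and run it through authorize; token may be nil.
def simulate_request(method, path, token = nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  env["HTTP_AUTHORIZATION"] = "Bearer #{token}" if token
  authorize(env)
end

if $PROGRAM_NAME == __FILE__
  p simulate_request("GET", "/users", "tok-reader")[0]    # 200: has profile.read
  p simulate_request("POST", "/users", "tok-reader")[0]   # 403: lacks profile.write
  p simulate_request("GET", "/books", "tok-research")[0]  # 200: any-of books.read/books.research
  p simulate_request("GET", "/books")[0]                  # 401: no token
end
```

Note the two distinct failure modes: a missing or unknown token gets a bare 401 challenge, while a valid token without the needed scope gets a 403 that names the scopes the client would have to request, which is what lets a well-behaved client re-authorize rather than retry blindly.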

Components

Features

OAuth 2.0 protocol framework

rodauth-oauth implements the various OAuth 2.0 specs as separate rodauth features, so you can enable only the ones you need.

When any of the features is enabled, rodauth-oauth provides the following functionality by default:

(This functionality is not available if the oauth_resource_server feature is enabled.)

The following OAuth 2.0 grant features are implemented:

OpenID Connect

Support for OpenID Connect is built on top of the existing OAuth and OAuth JWT functionality. It’s available via the oidc feature, and implements the following features:

Extras

Integration

Comparisons

Here’s how rodauth-oauth compares to the alternatives:

  rodauth-oauth doorkeeper
Access Tokens
Refresh Token Grant
Authorization Code Grant
Implicit Grant
Client Credentials Grant
Resource Owner Password Credentials Grant
PKCE
Token Revocation
Token Introspection
Dynamic Client Registration
Device Code Grant ✅ (* via the doorkeeper-device_authorization_grant extension)
JWT Access Tokens ✅ (* via the doorkeeper-jwt extension)
JWE support
JWT Secured Authorization Requests (JAR)
JWT Secured Authorization Response Mode (JARM)
Pushed Authorization Requests (PAR)
OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
Mutual-TLS Client Authentication
Assertion Grants Framework
SAML 2.0 Bearer Grant
JWT Bearer Grant
OpenID Connect ✅ (* via the doorkeeper-openid_connect extension)
OpenID Dynamic Client Registration
OpenID Connect Session Management
OpenID RP Initiated Logout
Frontchannel Logout
Backchannel Logout

Appraisals

Roda/Sequel/Rodauth

A word of acknowledgement to Jeremy Evans, the maintainer of rodauth, roda, and sequel, on whose shoulders rodauth-oauth stands, and on whose philosophy and design principles it is based.

Rodauth-Rails

A word of acknowledgement to Janko Marohnic, the maintainer of rodauth-rails and sequel-activerecord_connection, without which rodauth-oauth couldn’t work on Rails.