- [#PR ID] Add your changelog entry here.
- Support Doorkeeper 5.7
- [#201] Add back typ=JWT to header
- [#198] Fully qualify
JWT::JWK::Thumbprintconstant with :: (thanks to @stanhu)
- [#194] Default to RFC 7638 kid fingerprint generation (thanks to @stanhu).
- [#186] Simplify gem configuration reusing Doorkeeper configuration option DSL (thanks to @nbulaj).
- [#182] Drop support for Ruby 2.6 and Rails 5 (thanks to @sato11).
- [#188] Fix dookeeper-jwt compatibility (thanks to @zavan).
Note that v1.8.4 changed the default kid fingerprint generation from RFC 7638 to a format based on the SHA256 digest of the key element. To restore the previous behavior, upgrade to v1.8.6.
- [#177] Replace
json-jwtwithruby-jwtto align with doorkeeper-jwt (thanks to @kristof-mattei). - [#185] Don't call active_record_options for Doorkeeper >= 5.6.3 (thanks to @zavan).
- [#183] Stop render consent screen when user is not logged-in (thanks to @nov).
- [#180] Add PKCE support to OpenID discovery endpoint (thanks to @stanhu).
- [#168] Allow to use custom doorkeeper access grant model (thanks @nov).
- [#170] Controllers inherit
Doorkeeper::AppliactionMetalController(thanks @sato11). - [#171] Correctly override
AuthorizationsControllerparams (thanks to @nbulaj).
- [#153] Fix ArgumentError caused by client credential validation introduced in Doorkeeper 5.5.1 (thanks to @CircumnavigatingFlatEarther)
- [#161] Fix .well-known/openid-connect issuer (respond to block if provided) (thanks to @fkowal).
- [#152] Expose oauth-authorization-server in routes (thanks to @mitar)
No changes from v1.8.0-rc1.
This gem now requires Doorkeeper 5.5 and Ruby 2.5.
- [#138] Support form_post response mode (thanks to @linhdangduy)
- [#144] Support block syntax for
issuerconfiguration (thanks to @maxxsnake) - [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)
- [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)
- [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
- [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
- [#129] Avoid to use the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)
- [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)
- [#111] Add configuration callback
select_account_for_resource_ownerto support theprompt=select_accountparam - [#112] Add grant_types_supported to discovery response
- [#114] Fix user_info endpoint when used in api mode
- [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
- [#117] Fix migration template to use Rails migrations DSL for association.
- [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)
- [#108] Add support for Doorkeeper 5.4
- [#103] Add support for end_session_endpoint
- [#109] Test against Ruby 2.7 & Rails 6.x
This version adds on_delete: :cascade to the migration template for the oauth_openid_requests table, in order to fix #82.
For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with on_delete: :cascade included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:
class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
def up
remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
end
def down
remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
end
end- [#96] Bump
json-jwtbecause of CVE-2019-18848 (thanks to @leleabhinav) - [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
- [#98] Cascade deletes from
oauth_openid_requeststooauth_access_grants(thanks to @manojmj92) - [#99] Fix
audienceclaim when application is not set on access token (thanks to @ionut998)
- [#85] This gem now requires Doorkeeper 5.2, Rails 5, and Ruby 2.4
- [#81] Allow silent authentication without user consent (thanks to @jarosan)
- Don't support Doorkeeper >= 5.2 due to breaking changes
- [#80] Check for client presence in controller, fixes a 500 error when
client_idis missing (thanks to @cincospenguinos @urnf @isabellechalhoub)
- [#75] Fix return value for
after_successful_response(thanks to @daveed)
- [#72] Add
revocation_endpointandintrospection_endpointto discovery response (thanks to @scarfacedeb)
- [#70] This gem now requires Doorkeeper 5.0, and actually has done so since v1.5.4 (thanks to @michaelglass)
- [#69] Return
crvparameter for EC keys (thanks to @marco-nicola)
- [#66] Fix an open redirect vulnerability (CVE-2019-9837, thanks to @meagar)
- [#67] Don't delete existing tokens with
prompt=consent(thanks to @nov)
- [#62] Support customization of redirect params in
id_tokenandid_token tokenresponses (thanks to @meagar)
- [#60] Don't break native authorization in Doorkeeper 5.x
- [#58] Use versioned migrations for Rails 5.x (thanks to @tvongaza)
- [#56] The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x
- [#55] This gem is now compatible with Doorkeeper 5.x
- [#52] Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions
- Support for Ruby versions older than 2.3 was dropped
- Redirect errors per Section 3.1.2.6 of OpenID Connect 1.0 (by @ryands)
- Set
id_tokenwhen it's nil in token response (it's used inrefresh_tokenrequests) (by @Miouge1)
- Support for Implicit Flow (
response_type=id_tokenandresponse_type=id_token token), see the updated README for usage instructions (by @nashby, @nhance and @stevenvegt)
- The configuration setting
jws_private_keywas renamed tosigning_key, you can still use the old name until it's removed in the next major release
- Support for pairwise subject identifiers (by @travisofthenorth)
- Support for EC and HMAC signing algorithms (by @110y)
- Claims now receive an optional third
access_tokenargument which allow you to dynamically adjust claim values based on the client's token (by @gigr)
- Fixes the
undefined local variable or method 'pre_auth'error
- The configuration setting
jws_public_keywasn't actually used, it's deprecated now and will be removed in the next major release - The undocumented shorthand
to_procsyntax for defining claims (claim :user, &:name) is not supported anymore
- Claims now receive an optional second
scopesargument which allow you to dynamically adjust claim values based on the requesting applications' scopes (by @nbibler) - The
promptparameter valuesloginandconsentare now supported - The configuration setting
protocolwas added (by @gigr)
- Standard Claims are now mapped correctly to their default scopes (by @tylerhunt)
- Blank
nonceparameters are now ignored
nilvalues and empty strings are now removed from the UserInfo and IdToken responses- Allow
json-jwtdependency at ~> 1.6. (by @nbibler) - Configuration blocks no longer internally use
instance_evalwhich previously gave undocumented and unexpectedselfaccess to the caller (by @nbibler)
This release is a general clean-up and adds support for some advanced OpenID Connect features.
- This version adds a table to store temporary nonces, use the generator
doorkeeper:openid_connect:migrationto create a migration - Implement the new configuration callbacks
auth_time_from_resource_ownerandreauthenticate_resource_ownerto support advanced features
- Add discovery endpoint (a16caa8)
- Add webfinger and keys endpoints for discovery (f70898b)
- Add supported claims to discovery response (1d8f9ea)
- Support prompt=none parameter (c775d8b)
- Store and return nonces in IdToken responses (d28ca8c)
- Add generator for initializer (80399fd)
- Support max_age parameter (aabe3aa)
- Respect scope grants in UserInfo response (25f2170)