Unreleased

  • Please add here
  • [#303] execute account selection even without owner, and select_account_for_resource_owner can now receive nil as the first argument.
  • [#304] allow handle auth_time per grant
  • [#305] Document the auth_time_from_access_token config option in the README (per-grant auth_time), clarifying that it only affects the ID Token auth_time claim and not max_age enforcement
  • [#307] Fix bundle exec rake server for the test application
  • [#313] Move Configuration documentation from README to Wiki
  • [#312] Raise Errors::MissingRequiredClaim instead of silently dropping a blank REQUIRED ID Token claim (iss/sub/aud/exp/iat) in IdToken#as_json, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as nonce/auth_time are still omitted when blank
  • [#311] Include the REQUIRED client_secret_expires_at member (value 0, never expires) in the Dynamic Client Registration response whenever a client_secret is issued (RFC 7591 §3.2.1 / OpenID Connect Dynamic Client Registration 1.0 §3.2)
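As an added example (not the gem's own code), the following models the #312 behaviour above: a blank REQUIRED ID Token claim raises instead of being dropped, while blank OPTIONAL claims are still omitted. The claim names come from OIDC Core 1.0 section 2; the method names and the sample values are assumptions constructed for this illustration, and the registered claims are merged last in the same spirit as the v1.10.0 #273 hardening.

```ruby
# Added example, not the gem's own code: models the #312 behaviour above.
# Claim names come from OIDC Core 1.0 section 2; the method names and the
# sample claim values below are assumptions constructed for this illustration.
module Errors
  class MissingRequiredClaim < StandardError; end
end

REQUIRED_ID_TOKEN_CLAIMS = %i[iss sub aud exp iat].freeze

# Matches the "blank" notion used when dropping claims: nil, "" or whitespace.
def claim_blank?(value)
  return true if value.nil?
  return value.strip.empty? if value.is_a?(String)
  value.respond_to?(:empty?) && value.empty?
end

# Assembles the ID Token payload. `custom` holds values from a user-supplied
# claim block; `registered` holds the framework-controlled claims and is merged
# last so a custom claim cannot shadow iss/sub/aud/exp/iat.
def id_token_as_json(registered, custom: {})
  claims = custom.transform_keys(&:to_sym).merge(registered.transform_keys(&:to_sym))

  # A blank REQUIRED claim is an issuer misconfiguration, not something to
  # paper over: emitting the token without it would violate OIDC Core 1.0.
  REQUIRED_ID_TOKEN_CLAIMS.each do |name|
    raise Errors::MissingRequiredClaim, "#{name} claim is blank" if claim_blank?(claims[name])
  end

  # OPTIONAL claims such as nonce and auth_time are simply omitted when blank.
  claims.reject { |_name, value| claim_blank?(value) }
end

if $PROGRAM_NAME == __FILE__
  payload = id_token_as_json(
    { iss: "https://op.example", sub: "42", aud: "client-1",
      exp: 1_700_003_600, iat: 1_700_000_000, nonce: "", auth_time: nil },
    custom: { email: "user@example.com", iss: "https://attacker.example" }
  )
  puts payload.inspect
end
```

Running the file shows the custom `iss` value being ignored and `nonce`/`auth_time` dropped; changing `sub` to an empty string raises `Errors::MissingRequiredClaim` before any token is built.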

v1.10.1 (2026-06-03)

  • [#294] Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • [#293] Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • [#291] Document multi-namespace mount pattern for multiple resource owner models (#192)
  • [#292] Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • [#296] Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • [#299] Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0 (2026-06-01)

Important

  • Breaking (arity-2 issuer blocks): resolve_issuer now dispatches arity-2 blocks with (resource_owner, application) in all contexts, including discovery. In v1.9.0 DiscoveryController passed request as the first argument; existing arity-2 blocks that relied on this receive (nil, nil) in v1.10.0 and should migrate to arity-3 — see #298 for details and migration examples
  • [#241] Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • [#242] Fix NoMethodError for openid_request in testing environments.
  • [#246] Fix at_hash to use correct hash algorithm based on signing_algorithm
  • [#250] Return configured issuer instead of root_url in WebFinger response (thanks to @sato11 for the original work in #172)
  • [#248] Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • [#254] Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • [#252] Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • [#256] Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • [#258] Skip IdToken construction on password grants without the openid scope
  • [#259] Skip IdToken construction on authorization code grants without the openid scope
  • [#261] Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • [#263] Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • [#264] Apply safe RuboCop autocorrections and fix resulting artifacts
  • [#265] Add Dynamic Client Registration section to README
  • [#266] Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • [#267] Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • [#268] Update Dynamic Client Registration README for validated metadata parameters
  • [#269] Document authorize_dynamic_client_registration in README
  • [#270] Document the unified issuer block signature in README
  • [#278] Test against Ruby 4.0.
  • [#271] Security: Add auth_time_from_session config for per-session max_age enforcement. The legacy auth_time_from_resource_owner cannot distinguish between concurrent sessions and is now deprecated for max_age use (see #150)
  • [#272] Document auth_time_from_session in README (follow-up to #271)
  • [#273] Security/Hardening: Merge framework-controlled registered claims last — iss/sub/aud/exp/iat/nonce/auth_time for the ID Token and sub for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
  • [#276] Get RuboCop to zero offenses: fix Lint/MissingSuper in IdTokenResponse, replace puts with warn for deprecation notices, and modernise spec style
  • [#277] Fix README inaccuracies (signing_algorithm description and link, discovery_url_options endpoint list, oauth-authorization-server route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
  • [#279] Return account_selection_required when a prompt=select_account handler does not generate a response, per OIDC Core 1.0 §3.1.2.6 — previously the authorization silently continued without account selection. Adds the missing Errors::AccountSelectionRequired class, mirroring the existing login_required backstop for reauthenticate_resource_owner
  • [#275] Return login_required for max_age reauthentication when prompt=none, instead of triggering the interactive reauthenticate_resource_owner flow (OIDC Core §3.1.2.1)
  • [#284] Document acr / amr claims in README — show how to expose Authentication Context Class Reference and Authentication Methods References via the claim DSL, with callouts for the response: and scope: defaults that silently bite
  • [#288] Document offline_access scope recipe in README — show how to wire use_refresh_token with scope-based filtering for OIDC offline access
  • [#281] Fix NoMethodError / DoubleRenderError when resource_owner_authenticator redirects with a truthy non-model value (e.g. current_user || redirect_to(login_url)). Normalize the leaked value to nil when performed? and add missing if owner guard on select_account.
  • [#285] Document custom jwks_uri path pattern in README — show how to advertise a non-default path in the discovery document using Rails' direct URL helper
  • [#283] Support multiple signing keys in the JWKS response — signing_key now also accepts an array (and callables returning an array). The first entry is the active key used to sign new ID tokens; the remaining entries are published in the JWKS so clients can still validate tokens signed with a retired key during a rotation window. Single-value and callable forms continue to work unchanged
  • [#286] Allow claims to be assigned to multiple scopes via scope: [:profile, :all_data] — the claim is returned whenever the access token grants any of the listed scopes. Note: the previously implicit Claim#scope= writer (from attr_accessor :scope) is no longer provided; rebuild the claim instead of mutating it
  • [#287] Add apply_prompt_to_non_oidc_requests option to honor the prompt parameter on plain OAuth requests that do not include the openid scope
  • [#282] Allow prompt=none reauthorization with a narrower subset of previously-granted scopes (issue #63). Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; previously these requests returned consent_required.
  • [#290] Freeze Claim#scopes and Claim#response arrays at construction so callers can't accidentally mutate the claim's internal state from outside
  • [#297] Fix the generated initializer's issuer example referencing an undefined request local (the block parameter is _request), which raised NameError when copied verbatim
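As an added example (not the gem's own code), the following models two of the Dynamic Client Registration behaviours listed above: #263/#266 (deriving Doorkeeper's `confidential` flag from `token_endpoint_auth_method` and rejecting unsupported metadata with `invalid_client_metadata`) and #267/#277 (gating the endpoint on an Initial Access Token compared in constant time). The module name, `SUPPORTED_AUTH_METHODS`, the generated client identifiers and the sample token are assumptions for this illustration, not the gem's API.

```ruby
require "json"

# Added example, not the gem's own code: models the #263/#266 metadata
# validation and the #267/#277 Initial Access Token gate from v1.10.0 above.
# Module name, SUPPORTED_AUTH_METHODS, generated ids and the sample token are
# assumptions constructed for this illustration.
class InvalidClientMetadata < StandardError; end
class InvalidToken < StandardError; end

module DynamicRegistration
  # Stand-in for Doorkeeper.configuration.client_credentials_methods plus "none".
  SUPPORTED_AUTH_METHODS = %w[client_secret_basic client_secret_post none].freeze
  DEFAULT_AUTH_METHOD = "client_secret_basic"

  # Constant-time comparison: every byte is examined regardless of where the
  # first difference sits, so response time does not reveal a matching prefix.
  # Only the length check short-circuits, as in Rack::Utils.secure_compare.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What an authorize_dynamic_client_registration block would do with the
  # Authorization header: reject with 401 invalid_token unless the presented
  # bearer token matches the expected Initial Access Token.
  def self.authorize!(authorization_header, initial_access_token)
    scheme, presented = authorization_header.to_s.split(" ", 2)
    ok = scheme == "Bearer" && presented && secure_compare(presented, initial_access_token)
    raise InvalidToken, "invalid_token" unless ok
  end

  # RFC 7591: token_endpoint_auth_method defaults to client_secret_basic.
  # "none" yields a public client; anything outside the supported set is an
  # invalid_client_metadata error rather than a silently public client.
  def self.confidential_for(metadata)
    method = metadata.fetch("token_endpoint_auth_method", DEFAULT_AUTH_METHOD)
    unless SUPPORTED_AUTH_METHODS.include?(method)
      raise InvalidClientMetadata, "invalid_client_metadata: #{method}"
    end
    [method, method != "none"]
  end

  def self.register(authorization_header:, body:, initial_access_token:)
    authorize!(authorization_header, initial_access_token)
    metadata = JSON.parse(body)
    method, confidential = confidential_for(metadata)
    response = {
      "client_id" => "constructed-client-id",
      "token_endpoint_auth_method" => method,
      "confidential" => confidential,
      "redirect_uris" => Array(metadata["redirect_uris"]),
    }
    if confidential
      # A client_secret must be accompanied by client_secret_expires_at
      # (0 means the secret never expires).
      response["client_secret"] = "constructed-client-secret"
      response["client_secret_expires_at"] = 0
    end
    response
  end
end

if $PROGRAM_NAME == __FILE__
  token = "constructed-initial-access-token"
  puts DynamicRegistration.register(
    authorization_header: "Bearer #{token}",
    body: '{"redirect_uris":["https://rp.example/cb"]}',
    initial_access_token: token
  ).inspect
end
```

The point of the `confidential_for` mapping is the failure mode described in #263: before the fix every registered client was public, so a caller could later authenticate with `client_id` alone. Here an unrecognised method is an error, never a silent downgrade.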

v1.9.0 (2026-03-16)

  • [#229] Allow the application to manage the signing key and algorithm
  • [#230] Add dynamic client registration
  • [#233] fix: handle DoubleRenderError in library instead of requiring consumer workaround
  • [#232] Implements customizable OpenID request class
  • [#236] Derive token_endpoint_auth_methods_supported from Doorkeeper's client_credentials config
  • [#225] Allow configuration of id_token expiration using a block.
  • [#237] Fix dynamic client registration returning hashed secret when hash_application_secrets is enabled
  • [#226] Respect Doorkeeper's configured pkce_code_challenge_methods

v1.8.11 (2025-02-10)

  • [#219] Test against Ruby 3.4.
  • [#216] Test against Rails 7.1, 7.2, 8.0.
  • [#222] Support max_age=0
  • [#221] Avoid raising invalid_request error on prompt=create
  • [#220] Define priority on possible prompt values to statically & successfully process multiple prompt values
  • [#224] Define priority between max_age & prompt

v1.8.10 (2024-11-29)

  • [#215] Drop support for Ruby 2.7, 3.0 and Rails 6.
  • [#209] Configuration per IdToken expiration (thanks to @martinezcoder)

v1.8.9 (2024-05-07)

  • Support Doorkeeper 5.7

v1.8.8 (2024-02-26)

  • [#201] Add back typ=JWT to header

v1.8.7 (2023-05-18)

  • [#198] Fully qualify JWT::JWK::Thumbprint constant with :: (thanks to @stanhu)

v1.8.6 (2023-05-12)

  • [#194] Default to RFC 7638 kid fingerprint generation (thanks to @stanhu).
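As an added example (not the gem's own code), the following computes the RFC 7638 JWK thumbprint that #194 above restores as the default `kid`, and builds the JWKS document described under #283 in v1.10.0: the first configured key is the active signer and the remaining keys stay published so tokens signed before a rotation still verify. The method names are assumptions; the keys are generated locally rather than read from the `signing_key` config.

```ruby
require "openssl"
require "json"
require "digest"

# Added example, not the gem's own code: RFC 7638 thumbprint as kid (#194) and
# the multi-key JWKS publication from #283. Method names are assumptions; keys
# are generated here instead of coming from the signing_key config.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Public JWK members for an RSA key; n and e are unsigned big-endian byte strings.
def rsa_public_jwk(key)
  { "kty" => "RSA", "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }
end

# RFC 7638 section 3: SHA-256 over the JSON of the required members only, in
# lexicographic order with no whitespace, then base64url without padding.
def rfc7638_kid(jwk)
  required = %w[e kty n] # RSA required members, already lexically ordered
  canonical = JSON.generate(required.to_h { |m| [m, jwk.fetch(m)] })
  b64url(Digest::SHA256.digest(canonical))
end

# Accepts the same shapes as signing_key: one key, an array of keys, or a
# callable returning either. Index 0 is the active key.
def resolve_signing_keys(signing_key)
  keys = signing_key.respond_to?(:call) ? signing_key.call : signing_key
  keys = Array(keys)
  raise ArgumentError, "no signing key configured" if keys.empty?
  keys
end

def active_signing_key(signing_key)
  resolve_signing_keys(signing_key).first
end

# Every configured key is published; only the active one signs new tokens.
def jwks_for(signing_key)
  keys = resolve_signing_keys(signing_key).map do |key|
    jwk = rsa_public_jwk(key)
    jwk.merge("kid" => rfc7638_kid(jwk), "use" => "sig", "alg" => "RS256")
  end
  { "keys" => keys }
end

if $PROGRAM_NAME == __FILE__
  current = OpenSSL::PKey::RSA.new(2048)
  retired = OpenSSL::PKey::RSA.new(2048)
  puts JSON.pretty_generate(jwks_for(-> { [current, retired] }))
end
```

Because the thumbprint is derived only from the public key members, a relying party can match the `kid` in a token header to the JWKS entry without any shared naming convention, which is what makes a rotation window with several published keys workable.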

v1.8.5 (2023-02-02)

  • [#186] Simplify gem configuration reusing Doorkeeper configuration option DSL (thanks to @nbulaj).
  • [#182] Drop support for Ruby 2.6 and Rails 5 (thanks to @sato11).
  • [#188] Fix doorkeeper-jwt compatibility (thanks to @zavan).

v1.8.4 (2023-02-01)

Note that v1.8.4 changed the default kid fingerprint generation from RFC 7638 to a format based on the SHA256 digest of the key element. To restore the previous behavior, upgrade to v1.8.6.

  • [#177] Replace json-jwt with ruby-jwt to align with doorkeeper-jwt (thanks to @kristof-mattei).
  • [#185] Don't call active_record_options for Doorkeeper >= 5.6.3 (thanks to @zavan).
  • [#183] Stop rendering the consent screen when the user is not logged in (thanks to @nov).

v1.8.3 (2022-12-02)

  • [#180] Add PKCE support to OpenID discovery endpoint (thanks to @stanhu).

v1.8.2 (2022-07-13)

  • [#168] Allow using a custom Doorkeeper access grant model (thanks @nov).
  • [#170] Controllers inherit from Doorkeeper::ApplicationMetalController (thanks @sato11).
  • [#171] Correctly override AuthorizationsController params (thanks to @nbulaj).

v1.8.1 (2022-02-09)

  • [#153] Fix ArgumentError caused by client credential validation introduced in Doorkeeper 5.5.1 (thanks to @CircumnavigatingFlatEarther)
  • [#161] Fix .well-known/openid-connect issuer (respond to block if provided) (thanks to @fkowal).
  • [#152] Expose oauth-authorization-server in routes (thanks to @mitar)

v1.8.0 (2021-05-11)

No changes from v1.8.0-rc1.

v1.8.0-rc1 (2021-04-20)

Upgrading

This gem now requires Doorkeeper 5.5 and Ruby 2.5.

Changes

  • [#138] Support form_post response mode (thanks to @linhdangduy)
  • [#144] Support block syntax for issuer configuration (thanks to @maxxsnake)
  • [#145] Register token flows with the strategy instead of the token class (thanks to @paukul)

v1.7.5 (2020-12-15)

Changes

  • [#126] Add discovery_url_options option for discovery endpoints URL generation (thanks to @phlegx)

Bugfixes

  • [#123] Remove reference to ApplicationRecord (thanks to @wheeyls)
  • [#124] Clone doorkeeper.grant_flows array before appending 'refresh_token' (thanks to @davidbasalla)
  • [#129] Avoid using the config alias while supporting Doorkeeper 5.2 (thanks to @kymmt90)

v1.7.4 (2020-07-06)

  • [#119] Execute end_session_endpoint in the controllers context (thanks to @joeljunstrom)

v1.7.3 (2020-07-06)

  • [#111] Add configuration callback select_account_for_resource_owner to support the prompt=select_account param
  • [#112] Add grant_types_supported to discovery response
  • [#114] Fix user_info endpoint when used in api mode
  • [#116] Support Doorkeeper API (> 5.4) for registering custom grant flows.
  • [#117] Fix migration template to use Rails migrations DSL for association.
  • [#118] Use fragment urls for implicit flow error redirects (thanks to @joeljunstrom)

v1.7.2 (2020-05-20)

Changes

  • [#108] Add support for Doorkeeper 5.4
  • [#103] Add support for end_session_endpoint
  • [#109] Test against Ruby 2.7 & Rails 6.x

v1.7.1 (2020-02-07)

Upgrading

This version adds on_delete: :cascade to the migration template for the oauth_openid_requests table, in order to fix #82.

For existing installations, you should add a new migration in your application to drop the existing foreign key and replace it with a new one with on_delete: :cascade included. Depending on the database you're using and the size of your application this might bring up some concerns, but in most cases the following should be sufficient:

class UpdateOauthOpenIdRequestsForeignKeys < ActiveRecord::Migration[5.2]
  def up
    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id, on_delete: :cascade)
  end

  def down
    remove_foreign_key(:oauth_openid_requests, column: :access_grant_id)
    add_foreign_key(:oauth_openid_requests, :oauth_access_grants, column: :access_grant_id)
  end
end

Bugfixes

  • [#96] Bump json-jwt because of CVE-2019-18848 (thanks to @leleabhinav)
  • [#97] Fixes for compatibility with Doorkeeper 5.2 (thanks to @linhdangduy)
  • [#98] Cascade deletes from oauth_openid_requests to oauth_access_grants (thanks to @manojmj92)
  • [#99] Fix audience claim when application is not set on access token (thanks to @ionut998)

v1.7.0 (2019-11-04)

Changes

  • [#85] This gem now requires Doorkeeper 5.2, Rails 5, and Ruby 2.4

v1.6.3 (2019-09-24)

Changes

  • [#81] Allow silent authentication without user consent (thanks to @jarosan)
  • Don't support Doorkeeper >= 5.2 due to breaking changes

v1.6.2 (2019-08-09)

Bugfixes

  • [#80] Check for client presence in controller, fixes a 500 error when client_id is missing (thanks to @cincospenguinos @urnf @isabellechalhoub)

v1.6.1 (2019-06-07)

Bugfixes

  • [#75] Fix return value for after_successful_response (thanks to @daveed)

Changes

  • [#72] Add revocation_endpoint and introspection_endpoint to discovery response (thanks to @scarfacedeb)

v1.6.0 (2019-03-06)

Changes

  • [#70] This gem now requires Doorkeeper 5.0, and actually has done so since v1.5.4 (thanks to @michaelglass)

v1.5.5 (2019-03-03)

  • [#69] Return crv parameter for EC keys (thanks to @marco-nicola)

v1.5.4 (2019-02-15)

Bugfixes

  • [#66] Fix an open redirect vulnerability (CVE-2019-9837, thanks to @meagar)
  • [#67] Don't delete existing tokens with prompt=consent (thanks to @nov)

Changes

  • [#62] Support customization of redirect params in id_token and id_token token responses (thanks to @meagar)

v1.5.3 (2019-01-19)

Bugfixes

  • [#60] Don't break native authorization in Doorkeeper 5.x

Changes

  • [#58] Use versioned migrations for Rails 5.x (thanks to @tvongaza)

v1.5.2 (2018-09-04)

Changes

  • [#56] The previous release was a bit premature, this fixes some compatibility issues with Doorkeeper 5.x

v1.5.1 (2018-09-04)

Changes

  • [#55] This gem is now compatible with Doorkeeper 5.x

v1.5.0 (2018-06-27)

Features

  • [#52] Custom claims can now also be returned directly in the ID token, see the updated README for usage instructions

v1.4.0 (2018-05-31)

Upgrading

  • Support for Ruby versions older than 2.3 was dropped

Features

  • Redirect errors per Section 3.1.2.6 of OpenID Connect 1.0 (by @ryands)
  • Set id_token when it's nil in token response (it's used in refresh_token requests) (by @Miouge1)

v1.3.0 (2018-03-05)

Features

  • Support for Implicit Flow (response_type=id_token and response_type=id_token token), see the updated README for usage instructions (by @nashby, @nhance and @stevenvegt)

v1.2.0 (2017-08-31)

Upgrading

  • The configuration setting jws_private_key was renamed to signing_key, you can still use the old name until it's removed in the next major release

Features

  • Support for pairwise subject identifiers (by @travisofthenorth)
  • Support for EC and HMAC signing algorithms (by @110y)
  • Claims now receive an optional third access_token argument, which allows you to dynamically adjust claim values based on the client's token (by @gigr)

Bugfixes

v1.1.2 (2017-01-18)

Bugfixes

  • Fixes the undefined local variable or method 'pre_auth' error

v1.1.1 (2017-01-18)

Upgrading

  • The configuration setting jws_public_key wasn't actually used, it's deprecated now and will be removed in the next major release
  • The undocumented shorthand to_proc syntax for defining claims (claim :user, &:name) is not supported anymore

Features

  • Claims now receive an optional second scopes argument, which allows you to dynamically adjust claim values based on the requesting application's scopes (by @nbibler)
  • The prompt parameter values login and consent are now supported
  • The configuration setting protocol was added (by @gigr)

Bugfixes

  • Standard Claims are now mapped correctly to their default scopes (by @tylerhunt)
  • Blank nonce parameters are now ignored

Changes

  • nil values and empty strings are now removed from the UserInfo and IdToken responses
  • Allow json-jwt dependency at ~> 1.6. (by @nbibler)
  • Configuration blocks no longer internally use instance_eval which previously gave undocumented and unexpected self access to the caller (by @nbibler)

v1.1.0 (2016-11-30)

This release is a general clean-up and adds support for some advanced OpenID Connect features.

Upgrading

  • This version adds a table to store temporary nonces, use the generator doorkeeper:openid_connect:migration to create a migration
  • Implement the new configuration callbacks auth_time_from_resource_owner and reauthenticate_resource_owner to support advanced features

Features

  • Add discovery endpoint (a16caa8)
  • Add webfinger and keys endpoints for discovery (f70898b)
  • Add supported claims to discovery response (1d8f9ea)
  • Support prompt=none parameter (c775d8b)
  • Store and return nonces in IdToken responses (d28ca8c)
  • Add generator for initializer (80399fd)
  • Support max_age parameter (aabe3aa)
  • Respect scope grants in UserInfo response (25f2170)