All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Because it follows the OAuth / OpenID Connect specifications, changes may be breaking in order to comply with them.
- removed analytics gathering REPL on the `boruta.gen.migration` task
- revoke previously issued tokens in case of code replay
- Note that you must run the `boruta.gen.migration` task to keep your database schema up to date while upgrading to this version.
- clients have a `metadata` attribute where one can store JSON objects
- according to OpenID Connect Core 1.0, clients have a `logo_uri` attribute
- `boruta.gen.migration` triggers a form to get statistics about boruta usage
- Note that you must run the `boruta.gen.migration` task to keep your database schema up to date while upgrading to this version.
- public key is optional for OAuth clients
- Note that you must run the `boruta.gen.migration` task to keep your database schema up to date while upgrading to this version.
- configuration and support for client authentication methods (`client_secret_post`, `client_secret_basic`, `client_secret_jwt`, `private_key_jwt`) per RFC 7521 and RFC 7523
- dynamic client registration support per OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1
- handle userinfo signed responses
- client key pair regeneration admin function `Admin.regenerate_client_key_pair/1,3`
- Note that you must run the `boruta.gen.migration` task to keep your database schema up to date while upgrading to this version.
- allow lower case bearer authorization header
- prompt=none management for authorization code grant requests
- store the previous code associated with the delivered access token in authorization code grants
- prompt=none management for authorization code grant requests
- remove symmetric keys from OpenID JWKS
- Note that you must run the `boruta.gen.migration` task to keep your database schema up to date while upgrading to this version.
- Upgrading to this version requires you to invalidate the cache by running `Boruta.Config.cache_backend().delete_all()`
- confidential client management as stated in the OAuth 2.0 RFC, documented here. It defaults to false (already existing clients will not be confidential)
- token as the created `Boruta.Oauth.Token` attribute in `Boruta.Oauth.TokenResponse`
- client credentials grant does not check the client secret by default anymore; the client has to be set as confidential to do so
- enable refresh token rotation, revoking the previous refresh token on successful refresh token requests
- fix redirect_uri injection in implicit, hybrid and code grants
- id tokens include a `kid` header with the corresponding client id
- `Boruta.Oauth.ResourceOwner` `extra_claims` attribute that defines claims to be included in id tokens
- do not issue an access token in authorization code and hybrid grants if the code was issued to another client
- id token `at_hash` and `c_hash` binary sizes for SHA256 and SHA384 signature hash algorithms
- Note that you must run the `boruta.gen.migration` task to keep your database schema up to date while upgrading to this version.
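The authorization code handling that several entries above describe (codes revoked after first use, no access token when the code was issued to another client, revocation of previously delivered tokens on code replay, and the previous code kept on the delivered token), as an added self-contained model; this is not Boruta's code, and the class, field and token names are assumptions:

```python
import secrets
from dataclasses import dataclass


@dataclass
class Code:
    value: str
    client_id: str
    redirect_uri: str
    revoked: bool = False


@dataclass
class AccessToken:
    value: str
    client_id: str
    previous_code: str  # the authorization code this token was delivered for
    revoked: bool = False


class CodeGrant:
    """In-memory authorization code grant (hypothetical, for illustration)."""

    def __init__(self):
        self.codes = {}   # code value -> Code
        self.tokens = []  # every access token delivered so far

    def issue_code(self, value, client_id, redirect_uri):
        self.codes[value] = Code(value, client_id, redirect_uri)

    def exchange(self, code_value, client_id, redirect_uri):
        code = self.codes.get(code_value)
        if code is None:
            return ("error", "invalid_grant")
        if code.revoked:
            # Replay of an already used code: revoke every token that was
            # delivered for it, then reject the request (RFC 6749, 4.1.2).
            for token in self.tokens:
                if token.previous_code == code_value:
                    token.revoked = True
            return ("error", "invalid_grant")
        if code.client_id != client_id or code.redirect_uri != redirect_uri:
            # Code bound to another client or redirect_uri: no token issued.
            return ("error", "invalid_grant")
        code.revoked = True  # single use
        token = AccessToken(secrets.token_urlsafe(32), client_id, code_value)
        self.tokens.append(token)
        return ("ok", token)
```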
- handle `response_mode` in hybrid requests
- client id_token validation for the Ecto adapter
- per client id token signature algorithm configuration (introduces a database schema change)
- prefer `invalid_grant` to `invalid_code` and `invalid_refresh_token`
- error messages have been improved
- handle `response_mode` in hybrid request errors
- respond to authorize requests with `token_type` only when an access token is returned
- generated migrations can be rolled back
- clients pkey constraint does not crash on admin create
- hybrid requests shall return all errors as fragment
- dialyzer warning on `Boruta.Oauth.Error` struct type
- OpenID Connect jwks endpoint domain and application layer generation
- OpenID Connect userinfo endpoint domain and application layer generation
- OpenID Connect prompt=none login_required errors in domain
- expose `Boruta.Oauth.Client.grant_types/0`
- expose `Boruta.Oauth.IdToken.signature_alg/0` and `Boruta.Oauth.IdToken.hash_alg/0`
- `Admin.delete_inactive_tokens/0,1` does not return deleted tokens
- generated openid authorize controller prompt=none error params type
- `Boruta.Ecto.Admin.get_scopes_by_names/1`
- `Boruta.Ecto.Admin.regenerate_client_secret/1,2`
- `Boruta.Ecto.Admin.delete_inactive_tokens/0,1`
- `Boruta.Ecto.Client.grant_types/0`
- ability to insert/update clients with a given id/secret
- inserting/updating a client inserts non existing authorized_scopes
- `oauth_module` injection in `boruta.gen.controllers` generated controllers, defaulting to `Boruta.Oauth`
- store previous token while refreshing access tokens (need to run the `boruta.gen.migration` mix task to be up to date)
- `Boruta.Ecto.Admin.list_active_tokens/0,1` returns the query result instead of an `Ecto.Query`
- `Boruta.Oauth.ResourceOwners.claims/2` callback takes a `Boruta.Oauth.ResourceOwner` struct instead of `sub` as parameter
- better Ecto errors management
- remove padding from PKCE code challenge checks
- reduce resource_owners adapter calls
- domain wildcard for client redirect_uris
- Ecto `ClientsAdapter.get_by(id: id, secret: secret)` is removed in favour of `ClientsAdapter.get_client(id)` and `Oauth.Client.check_secret(client, secret)`.
- Ecto `ClientsAdapter.get_by(id: id, redirect_uri: redirect_uri)` is removed in favour of `ClientsAdapter.get_client(id)` and `Oauth.Client.check_redirect_uri(client, redirect_uri)`.
- OpenID Connect Core 1.0 integration
- hybrid flow
- authorization code and implicit grants with OpenID Connect compatibility
- `public_revoke` per client configuration allowing to revoke tokens without providing the client secret.
- `introspect` and `revoke` supported grant types per client configuration.
- `Boruta.Oauth.AuthorizeResponse` and `Boruta.Oauth.TokenResponse` do not provide the token value in a `value` field but give the value by token type: `code`, `access_token` or `id_token`.

  ```elixir
  %AuthorizeResponse{
    type: "code",
    value: value,
    expires_in: 60
  }
  ```

  becomes

  ```elixir
  %AuthorizeResponse{
    type: :code,
    code: value,
    expires_in: 60
  }
  ```

- add nonce column to tokens
- default column values migrations
- migration management
- `boruta.gen.migrations` does incremental changes
- codes are revoked after first usage
- `boruta.gen.controllers` generated paths in umbrella apps
- remove redirect_uris regex pattern check
- `public_refresh_token` per client configuration allowing to refresh tokens without providing the client secret.
- `refresh_token_ttl` per client configuration setting refresh token duration (along with the `refresh_token_max_ttl` `:boruta` mix configuration).
- `issuer` `:boruta` mix configuration.
- `boruta.gen.controllers` generated paths in umbrella apps.
- Refreshed tokens have the associated access_token scope as default.
- Requests with no client secret won't raise an error.
- `invalid_client` errors return neither format nor redirect_uri in `Boruta.Oauth.Error`.
- `AuthorizeApplication`, `IntrospectApplication`, `RevokeApplication`, and `TokenApplication` behaviours allowing to implement different OAuth use cases separately.
- `list_active_tokens` Ecto admin function
- `Boruta.AccessTokensAdapter`, `Boruta.CodesAdapter`, `Boruta.ClientsAdapter`, and `Boruta.ScopesAdapter` encapsulating the adapters that are set in configuration.
- `Boruta.Oauth.AuthorizeResponse.redirect_to_url/1` function
- `Boruta.Oauth.Error.redirect_to_url/1` function
- `boruta.gen.controllers` mix task
- `Boruta.Ecto` schemas documentation
- do not issue access_tokens from other clients' refresh tokens
- Internal server errors when no client_id is provided to token and refresh_token grants
- Refresh token revocation
- Different OAuth flows integration guides
- Migration fix generated by the `mix boruta.gen.migration` task
- Documentation