Solid OIDC Support
This is the main new feature for this release.
With the now accepted RSA signatures for DPoP tokens, the ephemeral, dynamic clients and the basic serving of WebID documents for each user, Rauthy should now fully support Solid OIDC. This feature still needs more real-world testing with existing applications, though.
These 3 new features are all opt-in, because a default deployment of Rauthy will most probably not use them at all. There is a whole new section in the config called EPHEMERAL CLIENTS where you can configure them. The 3 main variables you need to set are:
# Can be set to 'true' to allow the dynamic client lookup via URLs as
# 'client_id's during authorization_code flow initiation.
# default: false
ENABLE_EPHEMERAL_CLIENTS=true
# Can be set to 'true' to enable WebID functionality like needed
# for things like Solid OIDC.
# default: false
ENABLE_WEB_ID=true
# If set to 'true', 'solid' will be added to the 'aud' claim from the ID token
# for ephemeral clients.
# default: false
ENABLE_SOLID_AUD=true
After that, the only "manual" step is to add a custom scope called webid once via the Admin UI.
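With ENABLE_EPHEMERAL_CLIENTS the provider trusts a document it fetches from whatever URL a client presents as its client_id, so the checks made on that document are what keeps a hostile URL from registering itself as someone else's client or from receiving another client's authorization codes. The script below is an added illustration of those checks and of the aud/webid claims a Solid resource server then expects from an ID token issued with ENABLE_SOLID_AUD=true; it is not Rauthy's code. The function names, the https-only and exact-match policies, and the two client documents are assumptions or constructed samples, and the in-memory table stands in for the HTTPS fetch a real provider performs.

```python
"""Checks an OIDC provider has to make before it trusts an ephemeral
(URL-as-client_id) client, as used by Solid OIDC.

Added example for these release notes, not Rauthy's own code. Function
names and the policy (https-only client_id, exact redirect_uri match) are
assumptions; the client documents are constructed inline so the script
runs offline, standing in for the fetch of the document at the client_id URL.
"""
import json
from urllib.parse import urlsplit

APP_CLIENT_ID = "https://app.example.org/client-id.jsonld"

# Constructed sample documents keyed by the URL they are "served" from.
CLIENT_DOCUMENTS = {
    # A well-formed Solid client identifier document (JSON-LD).
    APP_CLIENT_ID: json.dumps({
        "@context": ["https://www.w3.org/ns/solid/oidc-context.jsonld"],
        "client_id": APP_CLIENT_ID,
        "client_name": "Example Solid App",
        "redirect_uris": ["https://app.example.org/callback"],
        "scope": "openid webid offline_access",
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
    }),
    # Constructed hostile document: served from a different URL but claiming
    # the legitimate client_id, with its own redirect_uri. Must be rejected.
    "https://evil.example.net/client.jsonld": json.dumps({
        "@context": ["https://www.w3.org/ns/solid/oidc-context.jsonld"],
        "client_id": APP_CLIENT_ID,
        "redirect_uris": ["https://evil.example.net/collect"],
        "token_endpoint_auth_method": "none",
    }),
}


class EphemeralClientError(ValueError):
    """Raised when an ephemeral client must not be accepted."""


def fetch_client_document(client_id):
    """Hypothetical stand-in for the network fetch: returns the parsed JSON
    "served" at client_id, or raises if nothing is there."""
    raw = CLIENT_DOCUMENTS.get(client_id)
    if raw is None:
        raise EphemeralClientError(f"no client document at {client_id}")
    return json.loads(raw)


def validate_ephemeral_client(client_id, redirect_uri):
    """Validate an authorization_code request that uses a URL as client_id
    and return the accepted client document."""
    parts = urlsplit(client_id)
    if parts.scheme != "https" or not parts.netloc:  # assumed policy: https only
        raise EphemeralClientError("client_id must be an absolute https URL")
    doc = fetch_client_document(client_id)
    # The document must name the URL it was fetched from as its client_id;
    # otherwise anyone could publish a document impersonating another client.
    if doc.get("client_id") != client_id:
        raise EphemeralClientError("document client_id does not match the URL it was fetched from")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not all(isinstance(u, str) for u in uris):
        raise EphemeralClientError("redirect_uris missing or malformed")
    # Exact string comparison: no prefix or wildcard matching of redirect URIs.
    if redirect_uri not in uris:
        raise EphemeralClientError("redirect_uri is not registered for this client")
    # An ephemeral client has no stored secret, so only a public client makes sense.
    if doc.get("token_endpoint_auth_method", "none") != "none":
        raise EphemeralClientError("ephemeral clients must use token_endpoint_auth_method 'none'")
    return doc


def is_valid_ephemeral_client(client_id, redirect_uri):
    """Boolean wrapper around validate_ephemeral_client."""
    try:
        validate_ephemeral_client(client_id, redirect_uri)
        return True
    except EphemeralClientError:
        return False


def id_token_audience_ok(claims, client_id):
    """What a Solid resource server expects from an ID token issued with
    ENABLE_SOLID_AUD=true: 'aud' carries both the client_id and 'solid', and
    a 'webid' claim is present. Signature verification happens before this."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return client_id in aud and "solid" in aud and bool(claims.get("webid"))


if __name__ == "__main__":
    doc = validate_ephemeral_client(APP_CLIENT_ID, "https://app.example.org/callback")
    print("accepted:", doc["client_name"])
    print("hostile accepted:", is_valid_ephemeral_client(
        "https://evil.example.net/client.jsonld", "https://evil.example.net/collect"))
    # Constructed claims; the webid value is a made-up profile URL.
    sample_claims = {"aud": [APP_CLIENT_ID, "solid"], "webid": "https://id.example.org/alice/profile#me"}
    print("aud ok:", id_token_audience_ok(sample_claims, APP_CLIENT_ID))
```

The hostile document fails on the very first content check, because the client_id it claims is not the URL it was fetched from; the same comparison is what stops a client that hosts a copy of a legitimate document under its own URL from reusing that client's identity.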
EVENT_MATRIX_ERROR_NO_PANIC
This new config variable solves a possible chicken-and-egg problem if you use a self-hosted Matrix server and Rauthy as its OIDC provider at the same time. If both services are offline, for instance because of a server reboot, you would not be able to start either of them:
- The Matrix server would panic because it cannot connect to and verify Rauthy
- Rauthy would panic because it cannot connect to Matrix
Setting this variable to true solves this issue: Rauthy will only log an error in that case instead of panicking. The panic is still the preferred behavior, because it makes 100% sure that Rauthy will actually be able to send out notifications to the configured endpoints.
Features
- ~20% smaller binary size by stripping unnecessary symbols (680d5e5)
- Accept DPoP tokens with RSA validation (daade41)
- Dynamically build up and serve custom scopes in the /.well-known/openid-configuration (904cf09)
- A much nicer way of generating both DEV and PROD TLS certificates by using Nioca has been integrated into the project itself, as well as the Rauthy Book (463bf8a, a14beda)
- Implement opt-in ephemeral clients (52c84c2, 617908b)
- Implement opt-in basic webid document serving (bca77f5, 1e32f6f, 79cb836, 55433f4, 3cdf81c)
- For developers, a new CONTRIBUTING.md guide has been added to get people started quickly (7c38142, 411393f)
- Add a new config variable EVENT_MATRIX_ERROR_NO_PANIC to only throw an error instead of panic on Matrix connection errors (4fc3382)
- Not really a bug nor a feature, but the "App Version Update" watcher now remembers a sent notification for an update and will only notify again after a restart (be19735)
Bugfixes
- In a HA deployment, the new integrated health watcher from v0.17.0 could return false positives (93d75d5, 9bbaeb2)
- In v0.18.0 a bug was introduced because of internal JWKS optimizations. This produced cache errors when trying to deserialize cached JWKS after multiple requests (3808423)
New Contributors
Images
- Postgres: ghcr.io/sebadob/rauthy:0.19.0
- SQLite: ghcr.io/sebadob/rauthy:0.19.0-lite