Revision history for Catalyst-Plugin-OAuth2-ResourceServer
0.003 2026-07-16
- Genericise the example OAuth scopes (now example:*) and remove
downstream-application references from the README and the
perl_critic author test comment, so the distribution reads as
standalone. Examples and tests only; no functional change.
0.002 Unreleased
- Version bump so consumers reliably install the current code over any
0.001 already present in an environment (cpanm treats same-version as
satisfied); no code change from the 0.001 line below.
- Initial MCP-profile OAuth 2.1 Resource Server.
- The iat claim is now verified. Crypt::JWT's verify_iat is asymmetric
with verify_exp/verify_nbf: omitting the key disables the check
entirely rather than validating when present, so a token with a
far-future iat was accepted. It is now passed as undef, which is the
only way to get validate-if-present. verify_nbf is passed explicitly
as undef too: same behaviour as before, but it documents itself.
- The RFC 9728 resource_metadata URL is derived only when the resource
is an http(s) URI with an authority, and omitted otherwise (it is
optional per RFC 9728). A non-hierarchical resource such as a URN
previously produced a malformed value, which the shipped example
emitted.
- Token-verification and subject-resolution failures no longer
interpolate the exception into the log. Both paths are
credential-adjacent: the resolver hook is handed the verified
claims, so its exception could carry them.
- WWW-Authenticate parameter values are escaped per the RFC 7230
quoted-string rules.
- t/00-load.t loads ::Server and ::Error as well as the plugin.