Changelog

All notable changes to this project will be documented in this file. See commit-and-tag-version for commit guidelines.

9.8.3 (2026-04-27)

Fixes

• await registration token policy (6269602)
• pass ciba user code to verifier (a340869)
• reject malformed dpop htu with a clearer message (1b6146c)
• select signing keys for jwt access tokens (1d6df9c)
• validate ciba notification tokens (2807a8f)

9.8.2 (2026-04-17)

Fixes

• html-escape debug data sent to development-only interactions (924d25c), closes #1414

9.8.1 (2026-04-15)

Refactor

• relax native app custom URI scheme validation (75be6ce), closes #1411

9.8.0 (2026-04-07)

Features

• promote rpMetadataChoices to stable (cc8cfcc)

Refactor

• do not depend on undici being part of the bundle (2ffec73)

9.7.1 (2026-03-18)

Refactor

• CIMD: filter unrecognized array members before validating (969edba), closes #1398
• fetch_body_check.js now returns early when limit is Infinite (a794f51)
• fixup grant_types and response_types mismatch instead of rejecting (81538bf)
• process client schema after custom metadata processing (35fb736)
• pull csrf into a shared module (6239f17)

9.7.0 (2026-03-06)

Features

• add configuration for limiting external resource body limits (0c424cd)
• experimental support for Client ID Metadata Document (CIMD) (d5323f4)
• prevent fetching special-use IP address resources (1548834)

Documentation

• align section titles and auto-generate toc (287bfa8)
• description fixes and various editorial edits (a8f4f15)
• fix attestClientAuth link (9c6f095)
• solve generated nested lists (d1ebcd2)
• update README.md prose for experimental features (b029f47)
• update the generated content to reflect the jsdoc structure (aa9f83b)

Refactor

• extract setWWWAuthenticateHeader to a shared module (bb66e62)

9.6.1 (2026-02-19)

Refactor

• extract NON_REJECTABLE_CLAIMS into shared constant (2b7c025)
• extract shared grant handler helpers to reduce duplication (f5eee9e)
• extract shared token finder for introspection and revocation (666c2b0)

Fixes

• required PAR should not affect CIBA and DAG (8167bd0)

9.6.0 (2025-12-07)

Features

• add RAR support to CIBA flows (0fc5893), closes #1358

Documentation

• update spec links (019fa43)

9.5.2 (2025-10-24)

Refactor

• change new Debug() to debug() (#1363) (b86b47c)

9.5.1 (2025-08-29)

Fixes

• safeguard global navigator access (1caae21)

9.5.0 (2025-08-29)

Features

• support ML-DSA JWS algorithm identifiers (f308b09)

Refactor

• add a warning for more unsupported runtimes (c55d58e)
• make warn/info warnings colorization a no-op in nonTTY (0c0a5b6)

9.4.2 (2025-08-23)

Fixes

• check for native logout redirect allowed same way as during auth (419f286), closes #1351

9.4.1 (2025-08-11)

Documentation

• add an getAttestationSignaturePublicKey example (3a7730c)

Refactor

• avoid code generation from strings by pre-compiling eta views (f997073)
• drop the default implementation of pairwiseIdentifier (6a2338a)
• remove oidc-token-hash dependency (b607491)

9.4.0 (2025-07-17)

Features

• Experimental support for Attestation-Based Client Authentication (d655ebd)

Refactor

• consistently lowercase header names and use req/res aliases (1748a54)
• cors: update default client-based cors helper (77e06eb)
• reconcile dpop and attestation challenge implementations (e31f639)

Documentation

• updated documentation for configuration options (5710d61)

9.3.0 (2025-07-16)

Features

• revocation: add an allowed token revocation policy helper (a7e47e4)

Documentation

• update README.md (857c34d)

Fixes

• introspection: use unsupported_token_type to indicate structured jwt tokens cannot be introspected (c9001be)
• revocation: use unsupported_token_type to indicate structured jwt tokens cannot be revoked (b45b00c)

Refactor

• pull structured token rejection to a shared middleware (30367af)

9.2.0 (2025-06-24)

Features

• expose RFC8414 Authorization Server Metadata route (c5bd90f)

9.1.3 (2025-06-02)

Fixes

• ensure an account’s accountId and claims().sub is the same (9b89153), closes #1336

9.1.2 (2025-05-28)

Fixes

• ignore allowOmittingSingleRegisteredRedirectUri when FAPI 2.0 is used (e2de529)

9.1.1 (2025-04-28)

Refactor

• oidc-provider now uses koa@3 (3a83d32)

9.1.0 (2025-04-26)

Features

• experimental support for OIDC RP Metadata Choices (f3550da)

Fixes

• only include DPoP-Nonce in Access-Control-Expose-Headers when DPoP is enabled (e769aa8)

Refactor

• avoid assignment operators in conditional expressions (b7ed877)
• improve static find performance (106f94a)
• update some default helpers for readability (0818c36)

Documentation

• more clarity for features.dPoP.allowReplay (779a141)

9.0.1 (2025-04-17)

Documentation

• mark experimental features more distinctly (986adc5)
• update references and styling of spec links (a4787b8)

Fixes

• DCR endpoints only include www-authenticate for non-registration related errors (9a864d6)

Refactor

• client schema defaults and static props (843943d)
• handle frame-ancestors in wmrm without a regexp (4f85585)
• push multiple elements to the recognized array in client_schema (d478a8b)
• simpler DCR validate registration access token (5f01eda)

9.0.0 (2025-04-15)

⚠ BREAKING CHANGES

• authorization and logout endpoints no longer support the HTTP POST method by default, this can be re-enabled using the enableHttpPostMethods boolean configuration, this also requires that cookies.long.sameSite is set to none
• cookie session sameSite attribute default is now “lax” instead of “none”
• userinfo requests with bearer tokens will now fail if they also include DPoP
• userinfo now includes both dpop and bearer challenges when dpop is enabled
• accessing protected resources without an access token will now yield a 401 HTTP Status Code instead of a 400
• default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
• removed the provider.Account getter
• all Provider routes will now end the HTTP request when finished, koa middlewares that are “downstream” will no longer be executed after a route is matched in oidc-provider, “upstream” control flows are unaffected
• the Provider no longer includes a catch-all 404 Not Found error handler
• FAPI profile behaviours no longer force PKCE, these should be forced by configuring the pkce.required configuration helper the default of which already does so.
• the server’s JWK Key IDs (JWK kid parameter) now must be unique, no two keys must use the same kid.
• the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation, its default return remains false for this case though
• CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id
• authorization code grant type issued ID Tokens no longer include at_hash
• device authorization grant type issued ID Tokens no longer include at_hash
• refresh token grant type issued ID Tokens no longer include at_hash
• implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
• global fetch() API is now used to make outgoing HTTP requests instead of the “got” module.
• the httpOptions configuration option was removed and a new option to accomodate the use of fetch() interface was added. This options is aptly called “fetch” and its call signature and expected returns mirror the fetch() API.
• Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
• removed support for Passing a Request Object by Reference (JAR request_uri)
• removed legacy sameSite cookie fallback
• removed support for Node.js 18.x
• removed support for Node.js 20.x
• removed the pkce.methods configuration
• removed the features.requestObjects.mode configuration
• removed support for Ed448
• removed support for X448
• removed support for secp256k1 / ES256K
• removed support for FAPI 1.0 ID2

Features

• Access Token revocation may now also optionally revoke the underlying grant (4f69668)
• add support for the fully-specified Ed25519 JWS Algorithm Identifier (645b900)
• DPoP support is now enabled by default (a5694af)
• Experimental support for external signing keys, e.g. in a KMS or HSM (8b3ceff)
• expose current requests’ ctx via Provider.ctx static getter (1fbd81b)
• update FAPI 2.0 implementation to FAPI 2.0 Final (eff3115)

Documentation

• auto-format code blocks (c2c520f)
• dpop cannot acked anymore, it is stable (a48c51f)
• improvements to linked resources (cf77770)
• mention external types (5f8a450)
• move adapters to the Community Guides Discussions section (ba806ca)
• move recipes to the Community Guides Discussions section (cd8da28)
• remove mentions of the connect server framework (7cb1aaa)
• update README to use named exports (8355886)
• update version support matrix (abbfe2f)

Fixes

• no access token provided error is now a 401 (8493e2d)
• userinfo now includes both dpop and bearer challenges when dpop is enabled (1093f6b)

Refactor

• change default PKCE usage requirement (fdf8ad8)
• change default session cookie from sameSite none to lax (b47eee8)
• cleanup unused azp claim code (6c57e63)
• deprecate the .app getter (9b61212)
• disable HTTP POST Method handling of authorization and logout endpoints (d56304c)
• encryption and key derivation is not blocking the main thread (73a422f)
• ensure all route handlers are final (8cc44e6)
• escape www-authenticate backslashes despite not directly using them (e789b98)
• increase all random identifiers from ~126 bits of randomness to ~256 (45721f8)
• minimal change to support koa@3 (925cee5)
• no more warnings if cookie keys are missing (7ab6157)
• omit generic “typ: JWT” in issued JSON Web Tokens (4eb4004)
• pass over internal configuration getters (0243964)
• Provider is now the Koa application instance (167216e)
• remove hardcoded require PKCE checks (be0b2fd)
• remove object-hash dependency (fda9385)
• remove optional ID Token _hash claims (58ca2c2)
• remove the provider.Account getter (dd2bde4)
• remove unused code (e5fc3cb)
• remove uses of randomFill and Buffer.allocUnsafe (00fe106)
• removed legacy sameSite cookie fallback (2defa70)
• removed support for FAPI 1.0 ID2 (311e3e2)
• removed support for Passing a Request Object by Reference (JAR request_uri) (bacf375)
• removed the features.requestObjects.mode configuration (4ec8327)
• removed the pkce.methods configuration (4a736b8)
• Request Object (JAR) is now enabled with features.requestObjects.enabled (20d60a4)
• simplify default assertJwtClaimsAndHeader configuration (1ea27a6)
• update Node.js support matrix (db57556)
• use fetch() api to make outgoing HTTP requests (cc70e5a)
• use hkdf in dpop’s rolling nonce calculation (7b77967)
• use more optional chaining (e5539ae)
• use oneshot hash methods instead of intermediate Hash objects (2dc4bd1)
• use structuredClone instead of JSON.stringify then parse (ad02170)
• use URL.parse (11e1b33)
• userinfo requests with bearer tokens will now fail if they also include DPoP (e5efa5c)

8.8.1 (2025-03-06)

Fixes

• add “exp” to Logout Tokens (c6c01f1), closes #1295

Documentation

• update spec links (076ee58)

8.8.0 (2025-02-17)

Features

• mark RFC9701 (features.jwtIntrospection) as stable (e2a2de2)

8.7.0 (2025-02-13)

Features

• allow own KeyGrip instances in cookies.keys configuration (d5d2900)

8.6.1 (2025-01-19)

Fixes

• allow specifying the user-agent header for outgoing requests (#1287) (c77513c)

8.6.0 (2024-11-21)

Features

• add a helper for asserting JWT Client Auth claims and header (82d4e50)

Documentation

• update verbiage “provider” > “authorization server” (3768192)

Refactor

• move assertJwtClaimsAndHeader after regular JWT claims set validation (05f6bf4)

8.5.3 (2024-11-05)

Fixes

• normalize single string set-cookie headers (6effeed)

8.5.2 (2024-10-19)

Refactor

• remove use of node:url in favour of WHATWG URL (0dc59a1)

Documentation

• update docs/README.md (07f6333)

---

Older entries →