- client schema invalidation code not set (edf22fb)
- allow native app callbacks in client post_logout_redirect_uris (3fca22b)
- bump backchannelLogout to draft-07 (95611d9)
- graduate issAuthResp feature as stable and enable by default (e774f60)
- ensure jwt replay detection takes clockTolerance into account (f167233)
- substr > slice change in mountPath should have been substring (adc0d63)
- resourceIndicators: await the result of useGrantedResource (#1173) (64a8028)
- add iss to error responses when issAuthResp is enabled (05ac3a8)
- expose invalid_dpop_proof error code and set it to 401 on userinfo (2628d7e)
- use paseto configuration from
getResourceServerInfo (#1150) (02c821d)
- clearly mark that multiple pop mechanisms are not allowed (49eed4c)
- duplicate iss and aud as JWE Header Parameters (b26ea44)
- add LTS Gallium as a supported runtime version (19b4d0d)
- use insufficient_scope instead of invalid_scope at userinfo_endpoint (ba8a8f0)
- OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (3c54d8d)
- CIBA Core 1.0 is now a stable feature (cc8bc0d)
- support v3.local, v3.public, and v4.public paseto access tokens format (aca5813)
- add missing x-ua-compatible to form_post and dag input (f773669), closes #1052
- memory adapter grant references for intended models (2fe4dc8)
- use correct keystore select method for paseto access tokens (ce394bc)
- issue id tokens with claims when resource is used (#1038) (4b16c71)
- use 303 See Other HTTP response status code for built in redirects (c243bf6)
- handle backchannel requests in grant revocation (8fe9aec)
- fapi: Draft feature
fapiRW was replaced by a stable fapi
feature.
- fapi: The default profile for the new
fapi feature is
Financial-grade API Security Profile 1.0 - Part 2: Advanced (Final) rather than
Financial-grade API - Part 2: Read and Write API Security Profile (ID2).
ID2 albeit being an Implementer’s Draft remains a possible
features.fapi.profile option
- deviceFlow: ensure pairwise device flow clients prove ownership of their jwks_uri (ec99201)
- remove default got user-agent (d65187c)
- skip validating client redirect_uris presence when not required (90965bb)
- account claims scope argument type during refresh token exchange (bd1bee1), closes #1000
- store original PAR signed request object after decryption (fa26e55)
- update DPoP implementation to ietf draft 03 (d08126f)
- enable customizing client auth jwt assertion expected audience (e6286a6)
- interaction uid is now an alias to its jti, it is not stored anymore either (2d85768)
- keyselection for ecdh when both OKP and EC are present (a0f8f7d)
- v1.paseto token alg keystore value to be PS384 instead of RS384 (ae1f879)
- save the grantId reference field with an interaction session (6cab64e)
- typo in consent detail missingOIDClaims -> missingOIDCClaims (1427383)
- allow control of which errors flow back to client’s redirect_uri (219cd45)
- server_error codes no longer redirect back to clients (b591d7f)
- PAR no longer remaps all errors as
invalid_request_object.
IdToken.prototype.issue now requires the use
option.- JWT Header Parameter
client_id in Request Objects is
now ignored.
- Request Objects now require
iss and aud claims.
OIDCContext.prototype.dPoP getter was removed.- BaseToken.prototype.setThumbprint
jkt mode now
expects the string thumbprint value instead of the jose.JWK instance.
- Client JWKS
kid values are no longer automatically
calculated per RFC7638 when missing. As a result when client’s public
keys are used to encrypt assertions the kid header will be missing
when such keys are used.
- Provider constructor will now reject JWKS that serve
no purpose (e.g. are only usable for encryption but encryption is
disabled).
- Client and Provider JWKS are validated to be
syntactically correct as before but only resolve to a
crypto.KeyObject
when they’re used.
sector_identifier_uri is now verified regardless of
client’s subject_type when provided.response_type=token is no longer supportedSession.prototype.accountId function was removed, it
is just a property access now.- Session adapter payload property
account was renamed
to accountId.
- Interactions result
login.account was renamed to
login.accountId
Session.prototype.loginAccount option account was
renamed to accountId- TypeScript type definitions are no longer bundled with
the package, instead these will be re-published to DefinitelyTyped.
configuration.features.resourceIndicators was
completely re-implemented.configuration.audiences helper function was removed,
use the resourceIndicators feature instead.- Access Tokens with an audience can no longer be used
to access the userinfo endpoint.
- Only a single audience (“aud”) is permitted in
Access Tokens and Client Credential tokens.
- Structured (JWT and PASETO) access tokens Access Tokens
no longer default to using the clientId as audience, if no audience is
specified an Error is throw indicating that issuing a structured token
is probably not needed for a token only usable at the userinfo_endpoint.
- Only opaque access tokens without an audience may be
used to access the userinfo_endpoint.
- Only opaque access tokens may be introspected using
the introspection_endpoint.
- Only opaque access tokens may be revoked using
the revocation_endpoint.
- Only opaque access tokens get stored using the adapter.
- Structured (JWT and PASETO) access tokens do not get
stored by the adapter anymore.
access_token.saved event is only emitted for opaque
access tokens, non-opaque tokens get emitted via access_token.issued.- PASETO tokens were re-implemented from scratch using
the new resourceIndicators implementation.
client_credentials.saved event is only emitted for
opaque access tokens, non-opaque tokens get emitted via
client_credentials.issued.- Structured (JWT and PASETO) access tokens MUST contain
an audience, an error will be thrown if they don’t.
formats.jwtAccessTokenSigningAlg configuration was
removed in favour of Resource Server configuration helpers.- The default consent prompt interaction details have
changed, these now include
missingOIDCScopes(string[]),
missingOIDClaims(string[]),
missingResourceScope({ [resourceIndicator]: string[]).
- The interaction result
consent structure changed. It
may now only contain a single property, grantId (string) which is
the identifier of a Grant (returned by calling Grant.prototype.save()).
- Session-bound artifacts no longer fail to load when
the session’s grant has less scopes than the artifact, instead the
action will work with the intersection of currently granted scopes with
the ones on the artifact.
- Sessions no longer hold the “granted” set of
scopes/claims. This is now tracked in the Grant artifact instead. The
following properties are no longer present on the
session.authorizations[client_id] object: rejectedScopes,
rejectedClaims, promptedClaims, promptedScopes.
- The following Session prototype methods have been
removed: acceptedClaimsFor, acceptedScopesFor, promptedClaimsFor,
promptedScopesFor, rejectedClaimsFor, rejectedScopesFor.
- OpenID Connect Session Management draft
implementation was removed. This is due to front-channel becoming more
and more unreliable due to browsers blocking third-party cookie access.
- OpenID Connect Front-Channel Logout draft
implementation was removed. This is due to front-channel becoming more
and more unreliable due to browsers blocking third-party cookie access.
- The
jwt-ietf token format is now just jwt. The
ietfJWTAccessTokenProfile feature is therefore obsolete and removed.
The prior jwt format may be emulated using the
formats.customizers.jwt helper function.
- Default PKCE use policy now enforces the use of PKCE
code_challenge for all requests where PKCE applies. Use the
pkce.required helper to revert to the old policy if you have a reason
to exempt some clients from this policy.
ctx.oidc.uid is now undefined, no random values are
now generated. In places where ctx.oidc.uid was used as a source
of a random value, an always fresh random value is now generated
instead.- Removed every
DEBUG=* code other than error ones.
Ways to debug the code will surface through logging in the future.
- The Device Flow feature resume path now longer contains
the user code in the URL. Instead,
deviceCode is now attached to
Interaction models when part of a device authorization grant flow.
- The DeviceCode model now gets
grantId property
assigned only after successful consent interaction.
- Every interaction now gets a totally unique identifier,
“same grant”, which never actually was about grants, or consequent
bounces through interaction will now each get a unique identifier.
- The
features.webMessageResponseMode.scriptNonce
helper was removed, all inline scripts will now have their sha256
automatically added to CSP script-src directives when one is present.
client_id and client_secret values are now checked
to conform to their ABNF syntax (%x20-7E).- Allowing to omit a redirect_uri parameter for
clients with a single one registered is now disabled by default. You can
re-enable this using the
allowOmittingSingleRegisteredRedirectUri
configuration option.
- Configuration option
cookies.short.maxAge was removed.
Use ttl.Interaction configuration to define the Interaction TTL which
in turn controls the cookie expiration.
- Configuration option
cookies.long.maxAge was removed.
Use ttl.Session configuration to define the Session TTL which
in turn controls the cookie expiration.
- Configuration option
cookies.short.expires was
removed.
- Configuration option
cookies.long.expires was
removed.
- Interaction.prototype.save
ttl argument is now
required.
- Session.prototype.save
ttl argument is now required.
- Provider.prototype.requestUriCache getter was removed.
features.jwtUserinfo is disabled by default now.- Removed “whitelist” Request Object merging strategy
requestObjects.mergingStrategy configuration is now a
string valued “strict” or “lax”requestObjects.mergingStrategy configuration is now
requestObjects.mode.- Configuration option
whitelistedJWA is now
enabledJWA.
- Removed HS256 as a default-enabled algorithm from the
following configuration values so that all AS-issued assertions are
firm to only come from the AS:
whitelistedJWA.idTokenSigningAlgValues,
whitelistedJWA.userinfoSigningAlgValues,
whitelistedJWA.introspectionSigningAlgValues,
whitelistedJWA.authorizationSigningAlgValues
- Default JWE Algorithms (“alg”) now includes “dir”.
- ECDH-ES KW variants are not enabled by default anymore.
- The default for JWT Access Tokens’ signing algorithm
is no longer the client’s
id_token_signed_response_alg falling back to
RS256 but rather only the provider’s default
id_token_signed_response_alg.
- Removed built in support for urn: request uris.
- Renamed RequestUriCache.prototype.resolveWebUri to
RequestUriCache.prototype.resolve
- The
claims configuration property can no longer be
a Map instance, only plain objects are allowed.
request_object_signing_alg no longer means a request
object must be provided, require_signed_request_object boolean value
serves that purpose now as per the clarifications made in OIDF and IETF
Working Groups.- The deprecated
postLogoutSuccessSource configuration
property was removed, use
features.rpInitiatedLogout.postLogoutSuccessSource instead.
- The deprecated
logoutSource configuration
property was removed, use
features.rpInitiatedLogout.logoutSource instead.
- RedirectUriMismatch error was removed.
redirect_uri_mismatch error codes are now
invalid_redirect_uri.- Only www-urlencoded bodies recognize RFC6750 payload
bearer token. On the authorization server this only affects the dynamic
registration features and removes an unintended side effect.
extraAccessTokenClaims helper function is renamed to
extraTokenClaims.- The jwks_uri response is now using the proper content
type
application/jwk-set+json.
- Default Interaction TTL increased from 10 minutes to
1 hour.
- The following Provider instance getters/setters are
removed: subdomainOffset, proxyIpHeader, maxIpsCount, keys. You can
access the underlying Koa app via
provider.app if you have the need
to use these.
- Default clientBasedCORS helper return value is now
false, you must ergo use this helper to open up cors based on your
policy.
- The deprecated
setS256Thumbprint token instance
method is removed.
- The deprecated
OIDCContext.prototype.bearer method
is removed.
- removed
dynamicScopes configuration option, scope
configuration using pre-configured values is gone in favour of
Resource Indicators refactor.
- httpOptions helper function argument is now just
a URL instance. It no longer receives the “to be executed” http request
options.
- httpOptions helper changed. It can now only return
three properties {
timeout: number,
agent: instanceof https.Agent || http.Agent,
lookup: dns.lookup like option
}
- The deprecated
pkceMethods configuration property was
removed, use pkce.methods instead.
provider.setInteractionSession function was removed.meta interaction result was removed.- Structured token constructors now require a client
property with a client instance rather than a clientId property.
extraClientMetadata.validator ctx argument is now
the first one.- Single member audience arrays are now transformed to a
single audience string value instead.
- Introspection response
jti is not returned for
opaque tokens.
OIDCContext and Interaction instance property
signed renamed to trusted.provider.interactionDetails now only works if both
req and res are provided.Provider.prototype.callback is now a function instead
of a getter.- Node.js runtime version policy changed. Version
12.19.0 is now the minimum required runtime and ONLY LTS releases are
supported. This means “Current” Node releases are not officially
supported and you may get mixed results when using them.
- added configurable policy for issuing registration access tokens (f18395f)
- allow dynamic session and interaction expiration TTL (afcb375)
- allow pre-existing Grants to be loaded during authorization (9dc7921)
- apply max expiration on PAR objects created from a JWT (03f9d8f)
- automatically add inline scripts to CSP script-src directives (85c3f4d), closes #850 #584
- check client_id and client_secret ABNF syntax (3d0d078)
- control whether underlying Grant gets destroyed during logout and revocation (ee74dcf)
- features.resourceIndicators (RFC 8707) is now a stable feature (84c3a5c)
- helper function to decide whether to validate client.sector_identifier_uri (72058a5)
- JWT Access Tokens are now just issued and not stored anymore (d1ee6b7)
- JWT Access Tokens can now be encrypted with a symmetric secret shared with the recipient (0f76c65)
- JWT Access Tokens can now be encrypted with an asymmetric public key of the recipient (d2a63b7)
- JWT Access Tokens can now be HMAC-signed with a symmetric secret shared with the recipient (5041158)
- omitting redirect_uri for clients with a single one is now optional (329c577)
- opaque token length can now be influenced (f35764f), closes #760
- PAR no longer requires otherwise enabled
features.requestObjects (33f3a83)
- PASETO Access Tokens are now just issued and not stored anymore (4efe741)
- PASETO Access Tokens can now be encrypted with a symmetric secret shared with the recipient using v1.local (2e78582)
- PASETO Access Tokens now support both v1.public and v2.public (dff2a72)
- require Node.js version ^12.19.0 || ^14.15.0 (2a54e33)
- require use of PKCE (aa2bd51)
- sector_identifier_uri can be used without pairwise subject_type (202e4c5)
- The key used to asymmetrically sign JWT Access Tokens can now be chosen based on its Key ID. (8b32707)
- The key used to asymmetrically sign PASETO Access Tokens can now be chosen based on its Key ID. (efd3dab)
- check DPoP htm as case-sensitive (33223ff)
- delay FAPI response type/mode check when request_uri is present (78916b7)
- ignore clockTolerance when verifying stored PAR objects (c3c2276)
- only www-urlencoded bodies recognize RFC6750 payload bearer token (4553bd5)
- remap
invalid_redirect_uri as invalid_request in PAR (ceb3cd1)
- remove legacy accept header value from request uri requests (4cc28ef)
- typescript: Interaction.prototype.session structure (#924) (76c36c7)
OIDCContext and Interaction property signed renamed (0ed56bd)- audience arrays with 1 member are changed to a single value (d156983)
- by default disabled JWT Userinfo Responses (5931a59)
- changed default signing algorithm selection method (995d2d4)
- clean up RequestUriCache (8c0b9c5)
- configuration
whitelistedJWA is now enabledJWA (d77fd4f)
- default clientBasedCORS helper is now false (4cf4cc6)
- default enabled JWAs (d8ebde0)
- default Interaction TTL increased from 10 minutes to 1 hour (f6c7b5e)
- extraClientMetadata.validator arguments reordered (ea6dc73)
- idToken.issue() now requires the
use option (d1d9421)
- introspection response
jti not returned for opaque tokens (a333aaa)
- only allow objects as
claims configuration parameter (2ac59b7)
- provider.callback is now a function instead of a getter (e78e573)
- provider.interactionDetails(req, res) now requires res (2c3a667)
- provider’s jwks_uri is now application/jwk-set+json content (285eb41)
- remove bundled TypeScript type defintions (3a6b671)
- remove deprecated
pkceMethods configuration property (65712d0)
- remove deprecated
setS256Thumbprint token instance method (6afaf31)
- remove few deprecated configuration properties (1767c8f)
- remove Provider.prototype.requestUriCache (e8b411c)
- remove the deprecated
OIDCContext.prototype.bearer method (52000d5)
- removed
dynamicScopes configuration option (285fc7a)
- removed a bunch of proxied methods from provider to app (3fb32e7)
- removed oidc.uid, removed a lot of debug (801d28f)
- Removed OpenID Connect Front-Channel Logout (feecb5e)
- Removed OpenID Connect Session Management (224dd38)
- removed provider.setInteractionSession and result meta object (ac1b0f6)
- rename session.account to session.accountId for consistency (3e81740)
- renamed
extraAccessTokenClaims helper function (ce57d6d)
- replaced the
jwt format with jwt-ietf as it is stable now (d61b515)
- request_object_signing_alg no longer forces request object use (e7309af)
- requestObjects.mergingStrategy “whitelist” was removed (7b10e9f)
- require client in structured tokens constructors (a4e02bd)
- response_type value
token is no longer supported (0c74a1a)
- updated
got http request library (b395a0d)
- use invalid_redirect_uri over redirect_uri_mismatch error (2565cce)
- use jose@3 instead of jose@2 (5572e0e)
← Newer entries | Older entries →
