Changelog (Page 4)

7.1.1 (2021-03-10)

Bug Fixes

save the grantId reference field with an interaction session (6cab64e)
typo in consent detail missingOIDClaims -> missingOIDCClaims (1427383)

7.1.0 (2021-03-05)

Features

allow control of which errors flow back to client’s redirect_uri (219cd45)
server_error codes no longer redirect back to clients (b591d7f)

7.0.0 (2021-03-03)

⚠ BREAKING CHANGES

PAR no longer remaps all errors as invalid_request_object.
IdToken.prototype.issue now requires the use option.
JWT Header Parameter client_id in Request Objects is now ignored.
Request Objects now require iss and aud claims.
OIDCContext.prototype.dPoP getter was removed.
BaseToken.prototype.setThumbprint jkt mode now expects the string thumbprint value instead of the jose.JWK instance.
Client JWKS kid values are no longer automatically calculated per RFC7638 when missing. As a result when client’s public keys are used to encrypt assertions the kid header will be missing when such keys are used.
Provider constructor will now reject JWKS that serve no purpose (e.g. are only usable for encryption but encryption is disabled).
Client and Provider JWKS are validated to be syntactically correct as before but only resolve to a crypto.KeyObject when they’re used.
sector_identifier_uri is now verified regardless of client’s subject_type when provided.
response_type=token is no longer supported
Session.prototype.accountId function was removed, it is just a property access now.
Session adapter payload property account was renamed to accountId.
Interactions result login.account was renamed to login.accountId
Session.prototype.loginAccount option account was renamed to accountId
TypeScript type definitions are no longer bundled with the package, instead these will be re-published to DefinitelyTyped.
configuration.features.resourceIndicators was completely re-implemented.
configuration.audiences helper function was removed, use the resourceIndicators feature instead.
Access Tokens with an audience can no longer be used to access the userinfo endpoint.
Only a single audience (“aud”) is permitted in Access Tokens and Client Credential tokens.
Structured (JWT and PASETO) access tokens Access Tokens no longer default to using the clientId as audience, if no audience is specified an Error is throw indicating that issuing a structured token is probably not needed for a token only usable at the userinfo_endpoint.
Only opaque access tokens without an audience may be used to access the userinfo_endpoint.
Only opaque access tokens may be introspected using the introspection_endpoint.
Only opaque access tokens may be revoked using the revocation_endpoint.
Only opaque access tokens get stored using the adapter.
Structured (JWT and PASETO) access tokens do not get stored by the adapter anymore.
access_token.saved event is only emitted for opaque access tokens, non-opaque tokens get emitted via access_token.issued.
PASETO tokens were re-implemented from scratch using the new resourceIndicators implementation.
client_credentials.saved event is only emitted for opaque access tokens, non-opaque tokens get emitted via client_credentials.issued.
Structured (JWT and PASETO) access tokens MUST contain an audience, an error will be thrown if they don’t.
formats.jwtAccessTokenSigningAlg configuration was removed in favour of Resource Server configuration helpers.
The default consent prompt interaction details have changed, these now include missingOIDCScopes(string[]), missingOIDClaims(string[]), missingResourceScope({ [resourceIndicator]: string[]).
The interaction result consent structure changed. It may now only contain a single property, grantId (string) which is the identifier of a Grant (returned by calling Grant.prototype.save()).
Session-bound artifacts no longer fail to load when the session’s grant has less scopes than the artifact, instead the action will work with the intersection of currently granted scopes with the ones on the artifact.
Sessions no longer hold the “granted” set of scopes/claims. This is now tracked in the Grant artifact instead. The following properties are no longer present on the session.authorizations[client_id] object: rejectedScopes, rejectedClaims, promptedClaims, promptedScopes.
The following Session prototype methods have been removed: acceptedClaimsFor, acceptedScopesFor, promptedClaimsFor, promptedScopesFor, rejectedClaimsFor, rejectedScopesFor.
OpenID Connect Session Management draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
OpenID Connect Front-Channel Logout draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
The jwt-ietf token format is now just jwt. The ietfJWTAccessTokenProfile feature is therefore obsolete and removed. The prior jwt format may be emulated using the formats.customizers.jwt helper function.
Default PKCE use policy now enforces the use of PKCE code_challenge for all requests where PKCE applies. Use the pkce.required helper to revert to the old policy if you have a reason to exempt some clients from this policy.
ctx.oidc.uid is now undefined, no random values are now generated. In places where ctx.oidc.uid was used as a source of a random value, an always fresh random value is now generated instead.
Removed every DEBUG=* code other than error ones. Ways to debug the code will surface through logging in the future.
The Device Flow feature resume path now longer contains the user code in the URL. Instead, deviceCode is now attached to Interaction models when part of a device authorization grant flow.
The DeviceCode model now gets grantId property assigned only after successful consent interaction.
Every interaction now gets a totally unique identifier, “same grant”, which never actually was about grants, or consequent bounces through interaction will now each get a unique identifier.
The features.webMessageResponseMode.scriptNonce helper was removed, all inline scripts will now have their sha256 automatically added to CSP script-src directives when one is present.
client_id and client_secret values are now checked to conform to their ABNF syntax (%x20-7E).
Allowing to omit a redirect_uri parameter for clients with a single one registered is now disabled by default. You can re-enable this using the allowOmittingSingleRegisteredRedirectUri configuration option.
Configuration option cookies.short.maxAge was removed. Use ttl.Interaction configuration to define the Interaction TTL which in turn controls the cookie expiration.
Configuration option cookies.long.maxAge was removed. Use ttl.Session configuration to define the Session TTL which in turn controls the cookie expiration.
Configuration option cookies.short.expires was removed.
Configuration option cookies.long.expires was removed.
Interaction.prototype.save ttl argument is now required.
Session.prototype.save ttl argument is now required.
Provider.prototype.requestUriCache getter was removed.
features.jwtUserinfo is disabled by default now.
Removed “whitelist” Request Object merging strategy
requestObjects.mergingStrategy configuration is now a string valued “strict” or “lax”
requestObjects.mergingStrategy configuration is now requestObjects.mode.
Configuration option whitelistedJWA is now enabledJWA.
Removed HS256 as a default-enabled algorithm from the following configuration values so that all AS-issued assertions are firm to only come from the AS: whitelistedJWA.idTokenSigningAlgValues, whitelistedJWA.userinfoSigningAlgValues, whitelistedJWA.introspectionSigningAlgValues, whitelistedJWA.authorizationSigningAlgValues
Default JWE Algorithms (“alg”) now includes “dir”.
ECDH-ES KW variants are not enabled by default anymore.
The default for JWT Access Tokens’ signing algorithm is no longer the client’s id_token_signed_response_alg falling back to RS256 but rather only the provider’s default id_token_signed_response_alg.
Removed built in support for urn: request uris.
Renamed RequestUriCache.prototype.resolveWebUri to RequestUriCache.prototype.resolve
The claims configuration property can no longer be a Map instance, only plain objects are allowed.
request_object_signing_alg no longer means a request object must be provided, require_signed_request_object boolean value serves that purpose now as per the clarifications made in OIDF and IETF Working Groups.
The deprecated postLogoutSuccessSource configuration property was removed, use features.rpInitiatedLogout.postLogoutSuccessSource instead.
The deprecated logoutSource configuration property was removed, use features.rpInitiatedLogout.logoutSource instead.
RedirectUriMismatch error was removed.
redirect_uri_mismatch error codes are now invalid_redirect_uri.
Only www-urlencoded bodies recognize RFC6750 payload bearer token. On the authorization server this only affects the dynamic registration features and removes an unintended side effect.
extraAccessTokenClaims helper function is renamed to extraTokenClaims.
The jwks_uri response is now using the proper content type application/jwk-set+json.
Default Interaction TTL increased from 10 minutes to 1 hour.
The following Provider instance getters/setters are removed: subdomainOffset, proxyIpHeader, maxIpsCount, keys. You can access the underlying Koa app via provider.app if you have the need to use these.
Default clientBasedCORS helper return value is now false, you must ergo use this helper to open up cors based on your policy.
The deprecated setS256Thumbprint token instance method is removed.
The deprecated OIDCContext.prototype.bearer method is removed.
removed dynamicScopes configuration option, scope configuration using pre-configured values is gone in favour of Resource Indicators refactor.
httpOptions helper function argument is now just a URL instance. It no longer receives the “to be executed” http request options.
httpOptions helper changed. It can now only return three properties { timeout: number, agent: instanceof https.Agent || http.Agent, lookup: dns.lookup like option }
The deprecated pkceMethods configuration property was removed, use pkce.methods instead.
provider.setInteractionSession function was removed.
meta interaction result was removed.
Structured token constructors now require a client property with a client instance rather than a clientId property.
extraClientMetadata.validator ctx argument is now the first one.
Single member audience arrays are now transformed to a single audience string value instead.
Introspection response jti is not returned for opaque tokens.
OIDCContext and Interaction instance property signed renamed to trusted.
provider.interactionDetails now only works if both req and res are provided.
Provider.prototype.callback is now a function instead of a getter.
Node.js runtime version policy changed. Version 12.19.0 is now the minimum required runtime and ONLY LTS releases are supported. This means “Current” Node releases are not officially supported and you may get mixed results when using them.

Features

added configurable policy for issuing registration access tokens (f18395f)
allow dynamic session and interaction expiration TTL (afcb375)
allow pre-existing Grants to be loaded during authorization (9dc7921)
apply max expiration on PAR objects created from a JWT (03f9d8f)
automatically add inline scripts to CSP script-src directives (85c3f4d), closes #850 #584
check client_id and client_secret ABNF syntax (3d0d078)
control whether underlying Grant gets destroyed during logout and revocation (ee74dcf)
features.resourceIndicators (RFC 8707) is now a stable feature (84c3a5c)
helper function to decide whether to validate client.sector_identifier_uri (72058a5)
JWT Access Tokens are now just issued and not stored anymore (d1ee6b7)
JWT Access Tokens can now be encrypted with a symmetric secret shared with the recipient (0f76c65)
JWT Access Tokens can now be encrypted with an asymmetric public key of the recipient (d2a63b7)
JWT Access Tokens can now be HMAC-signed with a symmetric secret shared with the recipient (5041158)
omitting redirect_uri for clients with a single one is now optional (329c577)
opaque token length can now be influenced (f35764f), closes #760
PAR no longer requires otherwise enabled features.requestObjects (33f3a83)
PASETO Access Tokens are now just issued and not stored anymore (4efe741)
PASETO Access Tokens can now be encrypted with a symmetric secret shared with the recipient using v1.local (2e78582)
PASETO Access Tokens now support both v1.public and v2.public (dff2a72)
require Node.js version ^12.19.0 || ^14.15.0 (2a54e33)
require use of PKCE (aa2bd51)
sector_identifier_uri can be used without pairwise subject_type (202e4c5)
The key used to asymmetrically sign JWT Access Tokens can now be chosen based on its Key ID. (8b32707)
The key used to asymmetrically sign PASETO Access Tokens can now be chosen based on its Key ID. (efd3dab)

Bug Fixes

check DPoP htm as case-sensitive (33223ff)
delay FAPI response type/mode check when request_uri is present (78916b7)
ignore clockTolerance when verifying stored PAR objects (c3c2276)
only www-urlencoded bodies recognize RFC6750 payload bearer token (4553bd5)
remap invalid_redirect_uri as invalid_request in PAR (ceb3cd1)
remove legacy accept header value from request uri requests (4cc28ef)
typescript: Interaction.prototype.session structure (#924) (76c36c7)

Refactor

OIDCContext and Interaction property signed renamed (0ed56bd)
audience arrays with 1 member are changed to a single value (d156983)
by default disabled JWT Userinfo Responses (5931a59)
changed default signing algorithm selection method (995d2d4)
clean up RequestUriCache (8c0b9c5)
configuration whitelistedJWA is now enabledJWA (d77fd4f)
default clientBasedCORS helper is now false (4cf4cc6)
default enabled JWAs (d8ebde0)
default Interaction TTL increased from 10 minutes to 1 hour (f6c7b5e)
extraClientMetadata.validator arguments reordered (ea6dc73)
idToken.issue() now requires the use option (d1d9421)
introspection response jti not returned for opaque tokens (a333aaa)
only allow objects as claims configuration parameter (2ac59b7)
provider.callback is now a function instead of a getter (e78e573)
provider.interactionDetails(req, res) now requires res (2c3a667)
provider’s jwks_uri is now application/jwk-set+json content (285eb41)
remove bundled TypeScript type defintions (3a6b671)
remove deprecated pkceMethods configuration property (65712d0)
remove deprecated setS256Thumbprint token instance method (6afaf31)
remove few deprecated configuration properties (1767c8f)
remove Provider.prototype.requestUriCache (e8b411c)
remove the deprecated OIDCContext.prototype.bearer method (52000d5)
removed dynamicScopes configuration option (285fc7a)
removed a bunch of proxied methods from provider to app (3fb32e7)
removed oidc.uid, removed a lot of debug (801d28f)
Removed OpenID Connect Front-Channel Logout (feecb5e)
Removed OpenID Connect Session Management (224dd38)
removed provider.setInteractionSession and result meta object (ac1b0f6)
rename session.account to session.accountId for consistency (3e81740)
renamed extraAccessTokenClaims helper function (ce57d6d)
replaced the jwt format with jwt-ietf as it is stable now (d61b515)
request_object_signing_alg no longer forces request object use (e7309af)
requestObjects.mergingStrategy “whitelist” was removed (7b10e9f)
require client in structured tokens constructors (a4e02bd)
response_type value token is no longer supported (0c74a1a)
updated got http request library (b395a0d)
use invalid_redirect_uri over redirect_uri_mismatch error (2565cce)
use jose@3 instead of jose@2 (5572e0e)

6.31.0 (2021-01-19)

Features

end_session_endpoint now recognizes client_id and logout_hint (9dd2b0e)

Bug Fixes

keep grants that persist if logged out by that grant’s client (26449f5), closes #857

Performance

use native node’s base64url encoding when available (6149bd3)

6.30.1 (2021-01-13)

Bug Fixes

botched 6.30.0 release with a syntax error (cd5f02a)

6.30.0 (2021-01-13)

Features

Authorization Server Issuer Identifier in Authorization Response (3f67ee9)
update JARM feature draft version to Implementer’s Draft 01 (0a021de)

6.29.11 (2021-01-12)

Bug Fixes

missing login prompt details (c7b0036), closes #853

6.29.10 (2021-01-04)

Bug Fixes

html safe guard the action attribute in form post responses (7cd6025)

6.29.9 (2020-12-10)

Bug Fixes

typescript: interaction result may be undefined (#833) (44aa53e)
unrecognized EC curves and OKP subtypes are ignored (660f46d)

6.29.8 (2020-11-30)

Bug Fixes

ignore client metadata valued undefined when applying defualts (d0ee50a), closes #824

6.29.7 (2020-11-10)

Bug Fixes

client keystore refresh keeps the derived octet keys in store (024841e), closes #816

6.29.6 (2020-11-08)

Bug Fixes

ensure decrypted request object is accessed in PAR responses (09751d7), closes #813

6.29.5 (2020-10-03)

Bug Fixes

loopback redirectUriAllowed protocol check (#794) (da99330)

6.29.4 (2020-09-19)

Bug Fixes

typescript: findAccount may return undefined (#786) (6689cdb)
updated request object mime-type as per draft-ietf-oauth-jwsreq-30 (f15524a)

6.29.3 (2020-08-25)

Bug Fixes

typescript: allows adapter factory in typings (#776) (3cfcd77)

6.29.2 (2020-08-20)

Bug Fixes

typescript: extend AdapterPayload from AnyClientMetadata (6631a2d), closes #774

6.29.1 (2020-08-13)

Bug Fixes

typescript: add missing rpInitiatedLogout types (59c389b)

6.29.0 (2020-08-12)

Features

allow RP-Initiated Logout 1.0 feature to be disabled (a2ef044)
update backchannelLogout feature draft version (9a9dd7e)
update frontchannelLogout feature draft version (d54cc8f)
update sessionManagement feature draft version (aa62927)

6.28.0 (2020-07-14)

Bug Fixes

ensure client is still valid after custom metadata processing (fded7c6)

Features

incorporate behaviours and metadata from jwsreq-25 (cb12761)
update PAR implementation to ietf draft 02 (fd2ccee)

6.27.5 (2020-07-06)

6.27.4 (2020-06-30)

6.27.3 (2020-06-19)

Bug Fixes

re-allow transfer-encoding chunked (f88447b), closes #739

6.27.2 (2020-06-16)

Bug Fixes

remove unintended client_id from post_logout_redirect_uri callbacks (57d07cd)

6.27.1 (2020-06-15)

Bug Fixes

correct jwtIntrospection draft ack version (#735) (62b97d4)
typescript: static IdToken.validate (#733) (a0d997e)

6.27.0 (2020-06-01)

Bug Fixes

allow any JSON numeric value for timestamp values for DPoP JWTs (0700fde)

Features

secp256k1 EC curve and ES256K JWS alg feature flag removed (f74f6bd)

BREAKING CHANGES

secp256k1 and ES256K have been registered in IANA a few days ago so the flag is not needed anymore.

Note: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, acknowledge the version and be notified of breaking changes as part of your CI.

6.26.1 (2020-05-18)

Bug Fixes

typescript: claims/scopes as Set in rejected/prompted functions (#719) (950c21d)
typescript: undefined return for DefaultPolicy.get and Checks.get (b61e9d8)

6.26.0 (2020-05-12)

Bug Fixes

A192CBC-HS384 and A256CBC-HS512 direct encryption key derivation (ead23a7)

Features

helper to define PKCE use requirement (0c2e208)

6.25.0 (2020-05-05)

Bug Fixes

typescript: fix metaFor “value” argument type (0b31b69), closes #711

Features

update DPoP implementation to ietf draft 01 (330d13c)

BREAKING CHANGES

DPoP implementation updated to draft-ietf-oauth-dpop-01

6.24.0 (2020-04-27)

Bug Fixes

typescript: added types of prompt.checks in interaction policy (3b97bde)

Features

typescript: export the DefaultPolicy interface (b36190b), closes #707
add server-wide policy configuration on accepting tokens in query (90b400a)
introspection response allowedPolicy helper function added (e59cc66), closes #642
update features.jwtIntrospection to draft 09 (219e8c3)

6.23.5 (2020-04-09)

Bug Fixes

revert “chore: update tree router” (13e4142), closes #696

← Newer entries | Older entries →