- handle DPoP htu validation when mounted in express (f34526c), closes #572
- use sha512 for Ed25519 and shake256 for Ed448 ID Token *_hash claims (fd3c9e9)
- autosubmit logout when there’s no accountId in the session (c6b1770), closes #566
- omit *_hash ID Token claims if signed with “none” (code flow only) (5c540c0)
- add interaction<>session consistency checks (018255e)
- update DPoP implementation to individual draft 03 (a7f5d7d)
- respect mountPath when rendering device flow html views (74b434c), closes #561
- typescript: add findByUserCode to DeviceCode types (df58cff)
- remove registration access token when client is deleted (e24ad4a), closes #555
- typescript: allow registration policies type to be async (0a46a65), closes #551
- cookies: use ctx.secure from the mount context when available (c8d8fe6)
- mounted devInteractions now honour the mount path (8fb8af5), closes #549 #548
- typescript: add missing OIDCContext cookies property (0c04af6)
- forbid redirect_uri with an empty fragment component (ca196a0)
- v6.12.6 native app uris regression fixed (fd56ef6)
- typescript: revert void/undefined changes from 6.12.3 (e0bbaae), closes #541
- use updated jose package (ee17022)
- typescript: fix void/undefined inconsistencies and ts lint (96c9415)
- do not send empty secret to adapter in a DCR edge case (af9ecd9)
- fixed session management state fallback cookie name (91b0dea)
- handle sameSite=none incompatible user-agents (4e68415)
- typescript: provider.callback getter type regression fixed (5cea116), closes #534
- token TTL being a helper function is now accepted (a930355)
- default refresh token TTL policy for SPAs follows the updated BCP (d6a2a34)
- update JWT Response for OAuth Token Introspection to draft 08 (5f917e2)
- update FAPI RW behaviours (a7ed27a)
- update pushed authorization requests draft (aaf5740)
- update fapiRW draft feature (8b927fc)
- update pushed request objects to b6cd952 (43fa8aa)
- correct ssl offloading proxy documentation url in console warning (b871e99)
- handle server_error on expired unsigned request objects (7172a85)
- ignore secret and expiration timestamp on dynamic create edge case (d532fb2)
- allow authorization requests with only a Request Object (e3fa143)
- allow structured access token customizations (4be3bb2), closes #520
- experimental support for pushed request objects (4ac3905)
- strategies for parameter merging Request Object <> OAuth 2.0 (3ad1744)
- support non-0 expiring client secrets (client_secret_expires_at) (02877f6)
- do not use mounted app’s ctx.cookies (ce0c06d), closes #517
- extend interactionDetails to allow (req, res) (e1d69cf), closes #517
- properly apply samesite=none for non-webkit browsers (ec2ffc6)
- added Node.js lts/dubnium support (52e914c)
- empty params are handled as if they were not provided at all (a9e0f8c)
- basic and post client auth methods are now interchangeable (a019fc9)
- enable RSA-OAEP-256 when node runtime supports it (cfada87)
- new experimental support for FAPI RW Security Profile added (0c69553)
- RFC8628 has been published, device flow is now a stable feature (98a3bd4)
- make structured token’s end-user “sub” pairwise if configured (24a08c2)
- use correct postLogoutRedirectUri for resume’s logout when mounted (a72b27d)
- bring paseto token claims inline with jwt-ietf (265e400)
- paseto formatted access token audience is a single string (1fd45f5)
- properly check if resourceIndicators is enabled (bbcdca2)
- added a helper for validating provided resource indicator values (a97ffdc), closes #487
- allow audiences helper to return a single string audience (4c7a3a8)
- draft implementation of IETF JWT Access Token profile (e690462)
- new option for resolving JWT Access Token signing algorithm (28e85ef)