All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
8.6.0 (2024-11-21)
- add a helper for asserting JWT Client Auth claims and header (82d4e50)
- update verbiage "provider" > "authorization server" (3768192)
- move assertJwtClaimsAndHeader after regular JWT claims set validation (05f6bf4)
8.5.3 (2024-11-05)
- normalize single string set-cookie headers (6effeed)
8.5.2 (2024-10-19)
- remove use of node:url in favour of WHATWG URL (0dc59a1)
- update docs/README.md (07f6333)
8.5.1 (2024-07-03)
- update README.md (41a7a0b)
- build: export Provider also as a named export (083c7c4)
8.5.0 (2024-06-28)
- add a Client static validate() method (d1f7d73)
- add a helper allowing custom claims parameter validations (ec2a1f5)
- add experimental support for RFC9396 - Rich Authorization Requests (e9fb573)
- add response_modes client metadata allow list (76f9af0)
- allow extraParams to define validations for extra parameters (b7d3322)
- DPoP: add a setting to disable DPoP Proof Replay Detection (2744fc8)
- DPoP: send a dpop-nonce when the proof's iat check fails and nonces are configured but not required (1b073c0)
- FAPI: add FAPI 2.0 profile behaviours (5212609)
- JAR: add a helper allowing custom JWT claim and header validations (be9242a)
- PAR: add a setting to allow use of unregistered redirect_uri values (a7e73fa)
- update Web Message Response Mode and remove its Relay Mode (a91add8)
- DPoP,mTLS: reject client configuration in which binding is required but response types include an implicit token response (cd7e0f4)
- deprecate FAPI 1.0 ID2, lax request objects, plain PKCE (3e8a784)
- don't use overwrite cookie option by default (dfbcb94)
- DPoP: move the accepted timespan into a constant (a8e8006)
- DPoP: omit sending the dpop-nonce header if the existing one used is fresh (4d635e2)
- ensure param-assigned max_age from client.defaultMaxAge is a string (0c52469)
- FAPI: deprecate FAPI profile hardcoded PKCE checks (56641ec)
- JAR: authorization requests with JAR now require a client_id parameter (9131cd5)
- JAR: Request Objects are no longer checked for one time use (18efa70)
- PAR: consume PAR after user interactions instead of before (53babe6)
- store claims value parsed in non-JAR PAR (9cd865b)
- use invalid_request instead of unauthorized_client (7947d87)
8.4.7 (2024-06-20)
- include ID Token auth_time when client's default_max_age is zero (bebda04)
8.4.6 (2024-04-23)
- adds events and debugging recipe (#1246) (0bf7696)
- fix client_secret_basic special characters encoding example (73baae1)
- re-run update docs (99cc84a)
- avoid iteration resource iteration in client_credentials (e306640)
- avoid use of prototype attributes in object-hash (270af1d)
- use logical or assignment (8f55588)
- ensure each individual resource indicator is a valid URI (d9e1ad2)
8.4.5 (2024-01-17)
- use doc argument in web_message js code (da3198b)
- add missing opening html tags (23997c5)
- DPoP: mark defaulted dpop_jkt parameter as trusted (ee633f3)
8.4.4 (2024-01-08)
- test decoded basic auth tokens for their VSCHAR pattern (3f86cc0)
- DPoP,PAR,JAR: validate DPoP before invalidating JAR during PAR (ca0f999)
8.4.3 (2023-12-14)
8.4.2 (2023-12-02)
8.4.1 (2023-10-25)
8.4.0 (2023-09-08)
- DPoP: remove experimental flag, DPoP is now RFC9449 (89d133e)
8.3.2 (2023-09-02)
- assign extraTokenClaims return to the model (e296dc7)
8.3.1 (2023-08-30)
- DPoP: compare htu scheme and hostname case independent (b72d668)
8.3.0 (2023-08-27)
- allow specifying the user-agent header for outgoing requests (95f24ef)
8.2.2 (2023-05-30)
8.2.1 (2023-05-06)
8.2.0 (2023-04-24)
8.1.2 (2023-04-21)
8.1.1 (2023-03-09)
8.1.0 (2023-01-23)
- mTLS.getCertificate helper can return a X509Certificate object (be3f47f)
8.0.0 (2022-12-03)
- Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the
clockTolerance
configuration option. - The userinfo endpoint will no longer echo back
x-fapi-interaction-id
headers. This can be reverted using a custom pre-middleware. request_uri
parameter is no longer supported at the Device Authorization Endpoint.- The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set
features.requestObjects.requireSignedRequestObject
totrue
as a global policy or setrequire_signed_request_object
orbackchannel_authentication_request_signing_alg
client metadata. - PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both
features.pushedAuthorizationRequests
andfeatures.requestObjects.request
. - CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both
features.ciba
andfeatures.requestObjects.request
. - Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the
features.pushedAuthorizationRequests.enabled
configuration option. - Completely removed v6.x way of setting access token formats.
expiresWithSession()
for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.- Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the
enabledJWA.dPoPSigningAlgValues
configuration option. - Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the
allowOmittingSingleRegisteredRedirectUri
configuration option. features.fapi.profile
is now a required configuration option whenfeatures.fapi.enabled
istrue
.id_token_signed_response_alg
now must be set whenid_token_encrypted_response_alg
is also set on a client.userinfo_signed_response_alg
now must be set whenuserinfo_encrypted_response_alg
is also set on a client.introspection_signed_response_alg
now must be set whenintrospection_encrypted_response_alg
is also set on a client.authorization_signed_response_alg
now must be set whenauthorization_encrypted_response_alg
is also set on a client.- The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
request_uri
parameter support is now disabled by default. This can be reverted using thefeatures.requestObjects.requestUri
configuration option.httpOptions
return propertylookup
was renamed todnsLookup
.httpOptions
return propertytimeout
was removed, return anAbortSignal
instance assignal
property instead.oidc-provider
is now an ESM-only module, it must now be imported using theimport
declaration or theimport()
syntax, theProvider
constructor is the module's default export, theerrors
andinteractionPolicy
exports are the package's named exports. There is noProvider
named export.httpOptions
no longer defaults to using the npm modulecacheable-lookup
as itsdnsLookup
option. It defaults tonode:dns
module'slookup
export instead.- PASETO Access Token format support was removed.
- Removed support for Node.js 12.
- Removed support for Node.js 14.
- Removed support for Node.js 16.
- Node.js LTS 18 (^18.12.0) is now required.
- Default Authorization Code duration is now 60 seconds instead of 10 minutes. This can be reverted using the
ttl.AuthorizationCode
configuration option. - Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the
features.requestObjects.mode
configuration option. - The "none" JWS algorithm, which was previously disabled by default, is now completely removed.
- The PBKDF2 based JWE Key Management Algorithms, which were previously disabled by default, are now completely removed.
- The client registration management update action now rotates registration access tokens by default. This can be reverted using the
features.registrationManagement.rotateRegistrationAccessToken
configuration option. - It is no longer possible to pass Bearer tokens using the
access_token
query string parameter. This can be reverted using theacceptQueryParamAccessTokens
configuration option. - The
tokenEndpointAuthMethods
configuration method was renamed toclientAuthMethods
. - The
enabledJWA.tokenEndpointAuthSigningAlgValues
configuration method was renamed toenabledJWA.clientAuthSigningAlgValues
. - The non-standard
introspection_endpoint_auth_method
, andintrospection_endpoint_auth_signing_alg
client metadata properties were removed. The client'stoken_endpoint_auth_method
, andtoken_endpoint_auth_signing_alg
properties are now used as the only indication of how a client must authenticate at the introspection endpoint. The accompanying JWA and authentication methods configuration properties were also removed. - The non-standard
revocation_endpoint_auth_method
, andrevocation_endpoint_auth_signing_alg
client metadata properties were removed. The client'stoken_endpoint_auth_method
, andtoken_endpoint_auth_signing_alg
properties are now used as the only indication of how a client must authenticate at the revocation endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
- add UnmetAuthenticationRequirements error (3f6684a)
- bump DPoP to draft-11 (917507f)
- support DPoP nonces (8d82988)
- change default on allowOmittingSingleRegisteredRedirectUri (d41bb0f)
- check request_uri_not_supported early (57b39a2)
- CIBA and PAR do not automatically turn on JAR (089fa43)
- Completely removed v6.x way of setting access token formats. (a2cf235)
- default code ttl down from 10 minutes down to 1 minute (f770e2d)
- default dPoPSigningAlgValues changed (9859969)
- default JAR mode is now strict instead of lax (cef63b6)
- disable query string bearer by default (059557b)
- disable request_uri support by default (3575584)
- enable PAR by default (4272027)
- expiresWithSession on authorization endpoint access tokens (cb67083)
- oidc-provider is now an ESM-only module (3c5ebe1)
- PBKDF2 JWE encryption algorithms are no longer supported (868ab2f)
- redo fapi profile checks, remove x-fapi-headers nonsense (7cf031a)
- remove default from FAPI profile configuration (0f93b8c)
- remove introspection and revocation client metadata (a6433d0)
- removed default outgoing cacheable-lookup use (7c10920)
- removed optional "none" JWS algorithm support (e654fe6)
- removed PASETO access token format support (079e2f2)
- removed support for issuing
"cty": "json"
JWEs (b4b837b) - renamed client auth related configuration (b8e8ce9)
- require Node.js LTS 18 (ff26cf6)
- rotated registration management access tokens by default (2eb5c63)
- RSA1_5 JWE encryption algorithm is no longer supported (a967a4e)
- set default clock skew tolerance to 15 seconds (42c00da)
- update http request options (2fd5eda)
7.14.3 (2022-12-01)
- memory adapter grant references for intended models (357ced3)
7.14.2 (2022-11-30)
- build client symmetric keys from all client signing alg properties (a26f87d)
7.14.1 (2022-11-22)
- url encode client_id returned in registration responses (500dfeb)
7.14.0 (2022-11-09)
- graduate jwtResponseModes (JARM) feature as stable (7b878cd)
7.13.0 (2022-10-26)
- enable v18 LTS in package.json (e423b4d)
7.12.0 (2022-09-13)
- graduate backchannelLogout feature as stable (617e260)
- ignore instead of throw on unverified post_logout_redirect_uri (04b1096)
7.11.5 (2022-07-16)
- PAR: set additional stored PAR object properties on plain requests (1be15fa)
- PAR: skip stored PAR object alg validation when it's being used (406caa4)
7.11.4 (2022-07-04)
7.11.3 (2022-06-13)
7.11.2 (2022-05-16)
7.11.1 (2022-04-25)
- client schema invalidation code not set (edf22fb)
7.11.0 (2022-04-20)
- allow native app callbacks in client post_logout_redirect_uris (3fca22b)
- bump backchannelLogout to draft-07 (95611d9)
- graduate issAuthResp feature as stable and enable by default (e774f60)
- ensure jwt replay detection takes clockTolerance into account (f167233)
7.10.6 (2022-01-07)
- substr > slice change in mountPath should have been substring (adc0d63)
7.10.5 (2022-01-04)
7.10.4 (2021-12-05)
- add iss to error responses when issAuthResp is enabled (05ac3a8)
7.10.3 (2021-12-04)
- expose invalid_dpop_proof error code and set it to 401 on userinfo (2628d7e)
7.10.2 (2021-11-28)
7.10.1 (2021-11-16)
- clearly mark that multiple pop mechanisms are not allowed (49eed4c)
7.10.0 (2021-11-04)
- duplicate iss and aud as JWE Header Parameters (b26ea44)
7.9.0 (2021-10-26)
- add LTS Gallium as a supported runtime version (19b4d0d)
7.8.1 (2021-10-12)
- use insufficient_scope instead of invalid_scope at userinfo_endpoint (ba8a8f0)
7.8.0 (2021-09-15)
- OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (3c54d8d)
7.7.0 (2021-09-02)
- CIBA Core 1.0 is now a stable feature (cc8bc0d)
7.6.0 (2021-08-03)
- support v3.local, v3.public, and v4.public paseto access tokens format (aca5813)
7.5.4 (2021-07-21)
7.5.3 (2021-07-19)
- memory adapter grant references for intended models (2fe4dc8)
7.5.2 (2021-07-19)
- use correct keystore select method for paseto access tokens (ce394bc)
7.5.1 (2021-06-24)
7.5.0 (2021-06-23)
- use 303 See Other HTTP response status code for built in redirects (c243bf6)
7.4.1 (2021-05-29)
- handle backchannel requests in grant revocation (8fe9aec)
7.4.0 (2021-05-28)
- fapi: Draft feature
fapiRW
was replaced by a stablefapi
feature. - fapi: The default profile for the new
fapi
feature is Financial-grade API Security Profile 1.0 - Part 2: Advanced (Final) rather than Financial-grade API - Part 2: Read and Write API Security Profile (ID2). ID2 albeit being an Implementer's Draft remains a possiblefeatures.fapi.profile
option
- fapi: FAPI (Final and ID2) is now a stable feature (4f52a4c)
- resourceIndicators: allow omitting resource parameter at the token endpoint (0309ec0), closes /github.com/panva/node-oidc-provider/discussions/989#discussioncomment-676812 #989
- Client Initiated Backchannel Authentication (CIBA) and FAPI-CIBA-ID1 (a217484)
- deviceFlow: ensure pairwise device flow clients prove ownership of their jwks_uri (ec99201)
- remove default got user-agent (d65187c)
- skip validating client redirect_uris presence when not required (90965bb)
7.3.2 (2021-05-13)
7.3.1 (2021-04-09)
- store original PAR signed request object after decryption (fa26e55)
7.3.0 (2021-04-08)
- DPoP implementation updated to draft-ietf-oauth-dpop-03
- update DPoP implementation to ietf draft 03 (d08126f)
7.2.0 (2021-04-01)
- enable customizing client auth jwt assertion expected audience (e6286a6)
7.1.3 (2021-03-24)
- interaction uid is now an alias to its jti, it is not stored anymore either (2d85768)
- keyselection for ecdh when both OKP and EC are present (a0f8f7d)
7.1.2 (2021-03-15)
- v1.paseto token alg keystore value to be PS384 instead of RS384 (ae1f879)
7.1.1 (2021-03-10)
- save the grantId reference field with an interaction session (6cab64e)
- typo in consent detail missingOIDClaims -> missingOIDCClaims (1427383)
7.1.0 (2021-03-05)
- allow control of which errors flow back to client's redirect_uri (219cd45)
- server_error codes no longer redirect back to clients (b591d7f)
7.0.0 (2021-03-03)
- PAR no longer remaps all errors as invalid_request_object.
IdToken.prototype.issue
now requires theuse
option.- JWT Header Parameter
client_id
in Request Objects is now ignored. - Request Objects now require
iss
andaud
claims. OIDCContext.prototype.dPoP
getter was removed.- BaseToken.prototype.setThumbprint
jkt
mode now expects the string thumbprint value instead of the jose.JWK instance. - Client JWKS
kid
values are no longer automatically calculated per RFC7638 when missing. As a result when client's public keys are used to encrypt assertions thekid
header will be missing when such keys are used. - Provider constructor will now reject JWKS that serve no purpose (e.g. are only usable for encryption but encryption is disabled).
- Client and Provider JWKS are validated to be
syntactically correct as before but only resolve to a
crypto.KeyObject
when they're used. sector_identifier_uri
is now verified regardless of client'ssubject_type
when provided.response_type=token
is no longer supportedSession.prototype.accountId
function was removed, it is just a property access now.- Session adapter payload property
account
was renamed toaccountId
. - Interactions result
login.account
was renamed tologin.accountId
Session.prototype.loginAccount
optionaccount
was renamed toaccountId
- TypeScript type definitions are no longer bundled with the package, instead these will be re-published to DefinitelyTyped.
configuration.features.resourceIndicators
was completely re-implemented.configuration.audiences
helper function was removed, use theresourceIndicators
feature instead.- Access Tokens with an audience can no longer be used to access the userinfo endpoint.
- Only a single audience ("aud") is permitted in Access Tokens and Client Credential tokens.
- Structured (JWT and PASETO) access tokens Access Tokens no longer default to using the clientId as audience, if no audience is specified an Error is throw indicating that issuing a structured token is probably not needed for a token only usable at the userinfo_endpoint.
- Only opaque access tokens without an audience may be used to access the userinfo_endpoint.
- Only opaque access tokens may be introspected using the introspection_endpoint.
- Only opaque access tokens may be revoked using the revocation_endpoint.
- Only opaque access tokens get stored using the adapter.
- Structured (JWT and PASETO) access tokens do not get stored by the adapter anymore.
access_token.saved
event is only emitted for opaque access tokens, non-opaque tokens get emitted viaaccess_token.issued
.- PASETO tokens were re-implemented from scratch using the new resourceIndicators implementation.
client_credentials.saved
event is only emitted for opaque access tokens, non-opaque tokens get emitted viaclient_credentials.issued
.- Structured (JWT and PASETO) access tokens MUST contain an audience, an error will be thrown if they don't.
formats.jwtAccessTokenSigningAlg
configuration was removed in favour of Resource Server configuration helpers.- The default consent prompt interaction details have
changed, these now include
missingOIDCScopes
(string[]
),missingOIDClaims
(string[]
),missingResourceScope
({ [resourceIndicator]: string[]
). - The interaction result
consent
structure changed. It may now only contain a single property,grantId
(string) which is the identifier of a Grant (returned by calling Grant.prototype.save()). - Session-bound artifacts no longer fail to load when the session's grant has less scopes than the artifact, instead the action will work with the intersection of currently granted scopes with the ones on the artifact.
- Sessions no longer hold the "granted" set of
scopes/claims. This is now tracked in the Grant artifact instead. The
following properties are no longer present on the
session.authorizations[client_id]
object: rejectedScopes, rejectedClaims, promptedClaims, promptedScopes. - The following Session prototype methods have been removed: acceptedClaimsFor, acceptedScopesFor, promptedClaimsFor, promptedScopesFor, rejectedClaimsFor, rejectedScopesFor.
- OpenID Connect Session Management draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
- OpenID Connect Front-Channel Logout draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
- The
jwt-ietf
token format is now justjwt
. TheietfJWTAccessTokenProfile
feature is therefore obsolete and removed. The priorjwt
format may be emulated using theformats.customizers.jwt
helper function. - Default PKCE use policy now enforces the use of PKCE
code_challenge
for all requests where PKCE applies. Use thepkce.required
helper to revert to the old policy if you have a reason to exempt some clients from this policy. ctx.oidc.uid
is now undefined, no random values are now generated. In places wherectx.oidc.uid
was used as a source of a random value, an always fresh random value is now generated instead.- Removed every
DEBUG=*
code other than error ones. Ways to debug the code will surface through logging in the future. - The Device Flow feature resume path now longer contains
the user code in the URL. Instead,
deviceCode
is now attached toInteraction
models when part of a device authorization grant flow. - The DeviceCode model now gets
grantId
property assigned only after successful consent interaction. - Every interaction now gets a totally unique identifier, "same grant", which never actually was about grants, or consequent bounces through interaction will now each get a unique identifier.
- The
features.webMessageResponseMode.scriptNonce
helper was removed, all inline scripts will now have their sha256 automatically added to CSP script-src directives when one is present. client_id
andclient_secret
values are now checked to conform to their ABNF syntax (%x20-7E).- Allowing to omit a redirect_uri parameter for
clients with a single one registered is now disabled by default. You can
re-enable this using the
allowOmittingSingleRegisteredRedirectUri
configuration option. - Configuration option
cookies.short.maxAge
was removed. Usettl.Interaction
configuration to define the Interaction TTL which in turn controls the cookie expiration. - Configuration option
cookies.long.maxAge
was removed. Usettl.Session
configuration to define the Session TTL which in turn controls the cookie expiration. - Configuration option
cookies.short.expires
was removed. - Configuration option
cookies.long.expires
was removed. - Interaction.prototype.save
ttl
argument is now required. - Session.prototype.save
ttl
argument is now required. - Provider.prototype.requestUriCache getter was removed.
features.jwtUserinfo
is disabled by default now.- Removed "whitelist" Request Object merging strategy
requestObjects.mergingStrategy
configuration is now a string valued "strict" or "lax"requestObjects.mergingStrategy
configuration is nowrequestObjects.mode
.- Configuration option
whitelistedJWA
is nowenabledJWA
. - Removed HS256 as a default-enabled algorithm from the
following configuration values so that all AS-issued assertions are
firm to only come from the AS:
whitelistedJWA.idTokenSigningAlgValues
,whitelistedJWA.userinfoSigningAlgValues
,whitelistedJWA.introspectionSigningAlgValues
,whitelistedJWA.authorizationSigningAlgValues
- Default JWE Algorithms ("alg") now includes "dir".
- ECDH-ES KW variants are not enabled by default anymore.
- The default for JWT Access Tokens' signing algorithm
is no longer the client's
id_token_signed_response_alg
falling back to RS256 but rather only the provider's defaultid_token_signed_response_alg
. - Removed built in support for urn: request uris.
- Renamed RequestUriCache.prototype.resolveWebUri to RequestUriCache.prototype.resolve
- The
claims
configuration property can no longer be aMap
instance, only plain objects are allowed. request_object_signing_alg
no longer means a request object must be provided,require_signed_request_object
boolean value serves that purpose now as per the clarifications made in OIDF and IETF Working Groups.- The deprecated
postLogoutSuccessSource
configuration property was removed, usefeatures.rpInitiatedLogout.postLogoutSuccessSource
instead. - The deprecated
logoutSource
configuration property was removed, usefeatures.rpInitiatedLogout.logoutSource
instead. - RedirectUriMismatch error was removed.
redirect_uri_mismatch
error codes are nowinvalid_redirect_uri
.- Only www-urlencoded bodies recognize RFC6750 payload bearer token. On the authorization server this only affects the dynamic registration features and removes an unintended side effect.
extraAccessTokenClaims
helper function is renamed toextraTokenClaims
.- The jwks_uri response is now using the proper content
type
application/jwk-set+json
. - Default Interaction TTL increased from 10 minutes to 1 hour.
- The following Provider instance getters/setters are
removed: subdomainOffset, proxyIpHeader, maxIpsCount, keys. You can
access the underlying Koa app via
provider.app
if you have the need to use these. - Default clientBasedCORS helper return value is now
false
, you must ergo use this helper to open up cors based on your policy. - The deprecated
setS256Thumbprint
token instance method is removed. - The deprecated
OIDCContext.prototype.bearer
method is removed. - removed
dynamicScopes
configuration option, scope configuration using pre-configured values is gone in favour of Resource Indicators refactor. - httpOptions helper function argument is now just a URL instance. It no longer receives the "to be executed" http request options.
- httpOptions helper changed. It can now only return
three properties {
timeout
: number,agent
: instanceof https.Agent || http.Agent,lookup
: dns.lookup like option } - The deprecated
pkceMethods
configuration property was removed, usepkce.methods
instead. provider.setInteractionSession
function was removed.meta
interaction result was removed.- Structured token constructors now require a client property with a client instance rather than a clientId property.
extraClientMetadata.validator
ctx
argument is now the first one.- Single member audience arrays are now transformed to a single audience string value instead.
- Introspection response
jti
is not returned for opaque tokens. OIDCContext
andInteraction
instance propertysigned
renamed totrusted
.provider.interactionDetails
now only works if bothreq
andres
are provided.Provider.prototype.callback
is now a function instead of a getter.- Node.js runtime version policy changed. Version 12.19.0 is now the minimum required runtime and ONLY LTS releases are supported. This means "Current" Node releases are not officially supported and you may get mixed results when using them.
- added configurable policy for issuing registration access tokens (f18395f)
- allow dynamic session and interaction expiration TTL (afcb375)
- allow pre-existing Grants to be loaded during authorization (9dc7921)
- apply max expiration on PAR objects created from a JWT (03f9d8f)
- automatically add inline scripts to CSP script-src directives (85c3f4d), closes #850 #584
- check client_id and client_secret ABNF syntax (3d0d078)
- control whether underlying Grant gets destroyed during logout and revocation (ee74dcf)
- features.resourceIndicators (RFC 8707) is now a stable feature (84c3a5c)
- helper function to decide whether to validate client.sector_identifier_uri (72058a5)
- JWT Access Tokens are now just issued and not stored anymore (d1ee6b7)
- JWT Access Tokens can now be encrypted with a symmetric secret shared with the recipient (0f76c65)
- JWT Access Tokens can now be encrypted with an asymmetric public key of the recipient (d2a63b7)
- JWT Access Tokens can now be HMAC-signed with a symmetric secret shared with the recipient (5041158)
- omitting redirect_uri for clients with a single one is now optional (329c577)
- opaque token length can now be influenced (f35764f), closes #760
- PAR no longer requires otherwise enabled
features.requestObjects
(33f3a83) - PASETO Access Tokens are now just issued and not stored anymore (4efe741)
- PASETO Access Tokens can now be encrypted with a symmetric secret shared with the recipient using v1.local (2e78582)
- PASETO Access Tokens now support both v1.public and v2.public (dff2a72)
- require Node.js version ^12.19.0 || ^14.15.0 (2a54e33)
- require use of PKCE (aa2bd51)
- sector_identifier_uri can be used without pairwise subject_type (202e4c5)
- The key used to asymmetrically sign JWT Access Tokens can now be chosen based on its Key ID. (8b32707)
- The key used to asymmetrically sign PASETO Access Tokens can now be chosen based on its Key ID. (efd3dab)
- check DPoP htm as case-sensitive (33223ff)
- delay FAPI response type/mode check when request_uri is present (78916b7)
- ignore clockTolerance when verifying stored PAR objects (c3c2276)
- only www-urlencoded bodies recognize RFC6750 payload bearer token (4553bd5)
- remap
invalid_redirect_uri
asinvalid_request
in PAR (ceb3cd1) - remove legacy accept header value from request uri requests (4cc28ef)
- typescript: Interaction.prototype.session structure (#924) (76c36c7)
OIDCContext
andInteraction
propertysigned
renamed (0ed56bd)- audience arrays with 1 member are changed to a single value (d156983)
- by default disabled JWT Userinfo Responses (5931a59)
- changed default signing algorithm selection method (995d2d4)
- clean up RequestUriCache (8c0b9c5)
- configuration
whitelistedJWA
is nowenabledJWA
(d77fd4f) - default clientBasedCORS helper is now false (4cf4cc6)
- default enabled JWAs (d8ebde0)
- default Interaction TTL increased from 10 minutes to 1 hour (f6c7b5e)
- extraClientMetadata.validator arguments reordered (ea6dc73)
- idToken.issue() now requires the
use
option (d1d9421) - introspection response
jti
not returned for opaque tokens (a333aaa) - only allow objects as
claims
configuration parameter (2ac59b7) - provider.callback is now a function instead of a getter (e78e573)
- provider.interactionDetails(req, res) now requires res (2c3a667)
- provider's jwks_uri is now application/jwk-set+json content (285eb41)
- remove bundled TypeScript type defintions (3a6b671)
- remove deprecated
pkceMethods
configuration property (65712d0) - remove deprecated
setS256Thumbprint
token instance method (6afaf31) - remove few deprecated configuration properties (1767c8f)
- remove Provider.prototype.requestUriCache (e8b411c)
- remove the deprecated
OIDCContext.prototype.bearer
method (52000d5) - removed
dynamicScopes
configuration option (285fc7a) - removed a bunch of proxied methods from provider to app (3fb32e7)
- removed oidc.uid, removed a lot of debug (801d28f)
- Removed OpenID Connect Front-Channel Logout (feecb5e)
- Removed OpenID Connect Session Management (224dd38)
- removed provider.setInteractionSession and result meta object (ac1b0f6)
- rename session.account to session.accountId for consistency (3e81740)
- renamed
extraAccessTokenClaims
helper function (ce57d6d) - replaced the
jwt
format withjwt-ietf
as it is stable now (d61b515) - request_object_signing_alg no longer forces request object use (e7309af)
- requestObjects.mergingStrategy "whitelist" was removed (7b10e9f)
- require client in structured tokens constructors (a4e02bd)
- response_type value
token
is no longer supported (0c74a1a) - updated
got
http request library (b395a0d) - use invalid_redirect_uri over redirect_uri_mismatch error (2565cce)
- use jose@3 instead of jose@2 (5572e0e)
6.31.0 (2021-01-19)
- end_session_endpoint now recognizes client_id and logout_hint (9dd2b0e)
- use native node's base64url encoding when available (6149bd3)
6.30.1 (2021-01-13)
- botched 6.30.0 release with a syntax error (cd5f02a)
6.30.0 (2021-01-13)
- Authorization Server Issuer Identifier in Authorization Response (3f67ee9)
- update JARM feature draft version to Implementer's Draft 01 (0a021de)
6.29.11 (2021-01-12)
6.29.10 (2021-01-04)
- html safe guard the action attribute in form post responses (7cd6025)
6.29.9 (2020-12-10)
- typescript: interaction result may be undefined (#833) (44aa53e)
- unrecognized EC curves and OKP subtypes are ignored (660f46d)
6.29.8 (2020-11-30)
6.29.7 (2020-11-10)
6.29.6 (2020-11-08)
6.29.5 (2020-10-03)
6.29.4 (2020-09-19)
- typescript: findAccount may return undefined (#786) (6689cdb)
- updated request object mime-type as per draft-ietf-oauth-jwsreq-30 (f15524a)
6.29.3 (2020-08-25)
6.29.2 (2020-08-20)
6.29.1 (2020-08-13)
- typescript: add missing rpInitiatedLogout types (59c389b)
6.29.0 (2020-08-12)
- allow RP-Initiated Logout 1.0 feature to be disabled (a2ef044)
- update backchannelLogout feature draft version (9a9dd7e)
- update frontchannelLogout feature draft version (d54cc8f)
- update sessionManagement feature draft version (aa62927)
6.28.0 (2020-07-14)
- ensure client is still valid after custom metadata processing (fded7c6)
- incorporate behaviours and metadata from jwsreq-25 (cb12761)
- update PAR implementation to ietf draft 02 (fd2ccee)
6.27.5 (2020-07-06)
6.27.4 (2020-06-30)
6.27.3 (2020-06-19)
6.27.2 (2020-06-16)
- remove unintended client_id from post_logout_redirect_uri callbacks (57d07cd)
6.27.1 (2020-06-15)
- correct jwtIntrospection draft ack version (#735) (62b97d4)
- typescript: static IdToken.validate (#733) (a0d997e)
6.27.0 (2020-06-01)
- allow any JSON numeric value for timestamp values for DPoP JWTs (0700fde)
- secp256k1 EC curve and ES256K JWS alg feature flag removed (f74f6bd)
- secp256k1 and ES256K have been registered in IANA a few days ago so the flag is not needed anymore.
Note: Updates to draft specification versions are released as MINOR
library versions, if you utilize these specification implementations
consider using the tilde ~
operator in your package.json since
breaking changes may be introduced as part of these version updates.
Alternatively, acknowledge the version and
be notified of breaking changes as part of your CI.
6.26.1 (2020-05-18)
- typescript: claims/scopes as Set in rejected/prompted functions (#719) (950c21d)
- typescript: undefined return for DefaultPolicy.get and Checks.get (b61e9d8)
6.26.0 (2020-05-12)
- A192CBC-HS384 and A256CBC-HS512 direct encryption key derivation (ead23a7)
- helper to define PKCE use requirement (0c2e208)
6.25.0 (2020-05-05)
- update DPoP implementation to ietf draft 01 (330d13c)
- DPoP implementation updated to draft-ietf-oauth-dpop-01
Note: Updates to draft specification versions are released as MINOR
library versions, if you utilize these specification implementations
consider using the tilde ~
operator in your package.json since
breaking changes may be introduced as part of these version updates.
Alternatively, acknowledge the version and
be notified of breaking changes as part of your CI.
6.24.0 (2020-04-27)
- typescript: added types of prompt.checks in interaction policy (3b97bde)
- typescript: export the DefaultPolicy interface (b36190b), closes #707
- add server-wide policy configuration on accepting tokens in query (90b400a)
- introspection response allowedPolicy helper function added (e59cc66), closes #642
- update features.jwtIntrospection to draft 09 (219e8c3)
6.23.5 (2020-04-09)
6.23.4 (2020-04-03)
- typescript: added revokeByGrantId types to appropriate models (883b038)
6.23.3 (2020-03-22)
- client jwks_uri are now fetched with a lock, cooldown improvements (b193010)
6.23.2 (2020-03-16)
6.23.1 (2020-03-04)
6.23.0 (2020-03-03)
- client credentials exchange checks the client's scope whitelist (5e4defc)
- stable features with ack now throw to indicate a possible breaking change (cf58d35)
- typescript: adapter methods typings and interface name typo (e086fc6)
- features.mTLS (RFC 8705) is now a stable feature (cfeaca8)
6.22.1 (2020-02-28)
6.22.0 (2020-02-28)
6.21.1 (2020-02-27)
6.21.0 (2020-02-18)
- add support for RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms (c669bd1)
6.20.3 (2020-02-14)
6.20.2 (2020-02-11)
6.20.1 (2020-02-04)
6.20.0 (2020-01-31)
6.19.2 (2020-01-25)
6.19.1 (2020-01-25)
- allow ECDH-ES with AES_CBC_HMAC_SHA2 key sizes larger than 256 bits (a65e9c4)
6.19.0 (2020-01-23)
6.18.2 (2020-01-16)
- number of default should-change notices using a wrong property (8e51724)
- principal-change triggered logout fixes (fa860cf), closes #628 #600
6.18.1 (2020-01-07)
- fix client secret based algorithm keys for clients with jwks (75d82a0)
6.18.0 (2019-12-31)
- update PAR implementation to an ietf WG draft version (d3a772b)
6.17.7 (2019-12-28)
- typescript: rotateRefreshToken boolean, ES256K, async customizers (22ab1e3)
6.17.6 (2019-12-17)
- skip JWT validating iat is in the past when exp is present (a7dd855)
6.17.5 (2019-12-16)
- properly handle routes ending with a trailing slash (again) (d8a3a67)
6.17.4 (2019-12-13)
- properly handle routes ending with a trailing slash (c4b06de)
6.17.3 (2019-12-09)
- allow empty body without content-type on userinfo (d5148ad)
6.17.2 (2019-12-07)
- forbid "none" id token algorithm when backchannel logout is used (797919e)
6.17.1 (2019-12-05)
- registered native loopback redirect_uris do not get normalized (96e035f)
6.17.0 (2019-12-02)
- add support for secp256k1 elliptic curve use (30aa706)
6.16.1 (2019-11-26)
- use shake256(m, 114) for Ed448 ID Token
*_hash
claims (7e6ba6f)
6.16.0 (2019-11-16)
- add script tag nonce resolution helper for session management and wmrm (#584) (b32b8e6), closes #583
6.15.2 (2019-11-15)
6.15.1 (2019-11-14)
6.15.0 (2019-11-14)
- regression introduced in 58f7348 (4738a8b)
- add jwsreq Accept value to request_uri resolver (cec4016)
- expose client schema invalidate(err, code) to enable customization (d672ee8)
6.14.2 (2019-11-10)
6.14.1 (2019-11-07)
- handle DPoP htu validation when mounted in express (f34526c), closes #572
- use sha512 for Ed25519 and shake256 for Ed448 ID Token
*_hash
claims (fd3c9e9)
6.14.0 (2019-11-07)
- autosubmit logout when there's no accountId in the session (c6b1770), closes #566
- omit
*_hash
ID Token claims if signed with "none" (code flow only) (5c540c0)
- add interaction<>session consistency checks (018255e)
6.13.0 (2019-10-31)
- update DPoP implementation to indivudal draft 03 (a7f5d7d)
6.12.13 (2019-10-24)
6.12.12 (2019-10-23)
- typescript: add findByUserCode to DeviceCode types (df58cff)
- remove registration access token when client is deleted (e24ad4a), closes #555
6.12.11 (2019-10-20)
6.12.10 (2019-10-15)
- cookies: use ctx.secure from the mount context when available (c8d8fe6)
6.12.9 (2019-10-14)
6.12.8 (2019-10-14)
- typescript: add missing OIDCContext cookies property (0c04af6)
6.12.7 (2019-10-09)
- forbid redirect_uri with an empty fragment component (ca196a0)
- v6.12.6 native app uris regression fixed (fd56ef6)
6.12.5 (2019-10-04)
6.12.4 (2019-10-03)
6.12.3 (2019-10-01)
- use updated jose package (ee17022)
- typescript: fix void/undefined inconsistencies and ts lint (96c9415)
6.12.2 (2019-09-28)
- do not send empty secret to adapter in a DCR edge case (af9ecd9)
6.12.1 (2019-09-27)
- fixed session management state fallback cookie name (91b0dea)
6.12.0 (2019-09-27)
- handle sameSite=none incompatible user-agents (4e68415)
6.11.1 (2019-09-24)
6.11.0 (2019-09-24)
- token TTL being a helper function is now accepted (a930355)
- default refresh token TTL policy for SPAs follows the updated BCP (d6a2a34)
- update JWT Response for OAuth Token Introspection to draft 08 (5f917e2)
6.10.0 (2019-09-21)
6.9.0 (2019-09-17)
6.8.0 (2019-09-06)
6.7.0 (2019-08-30)
- correct ssl offloading proxy documentation url in console warning (b871e99)
- handle server_error on expired unsigned request objects (7172a85)
- ignore secret and expiration timestamp on dynamic create edge case (d532fb2)
- allow authorization requests with only a Request Object (e3fa143)
- allow structured access token customizations (4be3bb2), closes #520
- experimental support for pushed request objects (4ac3905)
- strategies for parameter merging Request Object <> OAuth 2.0 (3ad1744)
- support non-0 expiring client secrets (client_secret_expires_at) (02877f6)
6.6.2 (2019-08-26)
6.6.1 (2019-08-25)
6.6.0 (2019-08-23)
- properly apply samesite=none for non-webkit browsers (ec2ffc6)
- added Node.js lts/dubnium support (52e914c)
6.5.0 (2019-08-20)
- empty params are handled as if they were not provided at all (a9e0f8c)
- basic and post client auth methods are now interchangeable (a019fc9)
- enable RSA-OAEP-256 when node runtime supports it (cfada87)
- new experimental support for FAPI RW Security Profile added (0c69553)
- RFC8628 has been published, device flow is now a stable feature (98a3bd4)
6.4.2 (2019-08-18)
- make structured token's end-user "sub" pairwise if configured (24a08c2)
- use correct postLogoutRedirectUri for resume's logout when mounted (a72b27d)
6.4.1 (2019-08-13)
- bring paseto token claims inline with jwt-ietf (265e400)
6.4.0 (2019-08-07)
- paseto formatted access token audience is a single string (1fd45f5)
- properly check if resourceIndicators is enabled (bbcdca2)
- added a helper for validating provided resource indicator values (a97ffdc), closes #487
- allow audiences helper to return a single string audience (4c7a3a8)
- draft implementation of IETF JWT Access Token profile (e690462)
6.3.0 (2019-08-04)
- new option for resolving JWT Access Token signing algorithm (28e85ef)
6.2.2 (2019-08-02)
- do not assign the defaulted to response_mode to params (18867ad)
- dynamic format gets a ctx as a first argument as documented (f62eb4b)
6.2.1 (2019-07-25)
- bump dependencies and compatible draft versions (97738e3)
- revert missing mTLS cert errors to invalid_grant (afac459)
6.2.0 (2019-07-21)
- mTLS stable release candidate (a999452)
6.1.2 (2019-07-12)
- acknowledging tls client auth draft fixed (02df82a)
6.1.1 (2019-07-12)
- bump acknowledgable draft versions that don't need code changes (55b4770)
6.1.0 (2019-07-10)
- authorization header scheme is checked case-insensitive (773ec52)
- block static client registration read action (edgiest of cases) (18db430)
- update dependencies, plug reported lodash vulnerability (a2cdfd0)
- add experimental support for DPoP (61edb8c)
6.0.3 (2019-07-04)
6.0.2 (2019-07-03)
- device flow refresh tokens for public clients are now be certificate bound as well (904ad2d)
6.0.1 (2019-06-29)
- correctly apply mergeWithLastSubmission for interactionFinished (eb67723)
6.0.0 (2019-06-28)
This release has been on and off in development since the major v5.x release in September 2018, it is the biggest and most breaking release to date and a massive accomplishment, most of the new features you saw added to the v5.x release line have been backports from a privately worked on v6.x branch of the project.
~ 334 changed files with 19,617 additions and 13,322 deletions.
With the API just slightly evolving with each version for over more than 3 years it was in need of a big overhaul, albeit in the configuration or adapter API department. Knowing the next release is a breaking one just welcomed innovation and refactoring, hence the endless stream of alpha and beta releases with breaking changes in them.
Browser-based public clients are now able to get Refresh Tokens that are not
offline_access
, are end-user session bound and rotate with each use.This is in line with the BCPs being worked on by the OAuth WG and it is also ready for new sender-constraining mechanisms such as DPoP being implemented as soon as they are adopted as WG drafts.
Issuing refresh tokens without
offline_access
is not enabled by default and is controlled by a newissueRefreshToken
configuration policy.By default all tokens that do not have
offline_access
scope are now handled as invalid or expired when the session they came from is gone, i.e. when the end-user logs out or a shorter-lived session simply expires due to inactivity. This behaviour is controled by a newexpiresWithSession
configuration policy.
Also related to browser based apps using the AS. It is now possible to have CORS control per request and implement request context based policies using new
clientBasedCORS
configuration policy. By default this policy's value enables * CORS on all CORS-intended endpoints.You can see a client-metadata based approach in /recipes.
The provider can now process authorization requests that do not contain the
openid
scope, pure OAuth 2.0 mode.
All crypto is now done using node's
crypto
module with the use KeyObject keys and secrets. Node.js >= 12.0.0 added a KeyObject class to represent a symmetric or asymmetric key and it is recommended that applications to use this new KeyObject API instead of passing keys as strings or Buffers due to improved security features as well as optimized operation.
The provider can now sign ID Tokens, JWT Access Tokens, Userinfo and everything JOSE using EdDSA.
With Ed25519 now being supported you can also have your Access Tokens in PASETO format.
5 -> 6 migration path is not clearly laid out, i'd much more recommend starting just with
new Provider('...')
and then backporting your configuration and code, please note some changed
configuration defaults which, if you relied upon them, you need to now configure to their v5.x
values explicitly. Should you require assistance with an upgrade please don't hesitate to get in
touch via the issue tracker (limited support capacity) or via email for a more direct and involved
conversation.
- fixed symmetric key derivation for JWT introspection endpoint response (1a50c82)
- fixed symmetric key derivation for JWT authorization endpoint response (1a50c82)
*_jwt
client auth method alg no longer mixes up (a)symmetrical (1771655)- acceptedClaimsFor filtering out claims not scopes (fd8f886)
- added scope to implicit responses when different from request (71b2e7e)
- allow all incoming headers for CORS requests (3d2c8e4)
- also reject client jwks/jwks_uri symmetric keys (df18f62), closes #481
- avoid sending "samesite=none" to webkit browsers due to their bug (9c6e05b)
- base accepted scope off the accepted scopes, not param scopes (ccec5d3)
- break endless login loop with too short max_age values (66c7968)
- check id_token_hint even if the interaction check is disabled (7528220)
- check PKCE verifier and challenge ABNF, remove it from device flow (849b964)
- check sameSite cookie option for none case-insensitive (523d1b2)
- client key agreement with ECDH-ES is not possible in two cases (5c39f6e)
- clientDefaults is now used in resolving defaults of some edge props (e7bcfd2)
- correctly use the secret value, not its SHA digest, for PBES2-* (43256ba)
- device flow - mark codes as already used at the right time (7b913fd)
- do not send empty error_descriptions with some responses (663fadc)
- enable debugging session bound tokens not being returned (cc66876)
- enable Secure cookies with the default settings if on secure req (a056bfd)
- expose correct discovery metadata jwt introspection signing algs (cf4e442), closes #475
- fail logout when post_logout_redirect_uri is not actionable (b3a50ac)
- handle client jwks x5c when kty is OKP, use client jwks key_ops (f052f6b)
- handle invalid interaction policies with access_denied (1b6104c)
- html-rendered response modes now honour 400 and 500 status codes (9771581)
- jwt client assertion audience now also accepts issuer and token url (38706e7)
- rendered OP views are no longer dead ends with javascript disabled (c2f17d7)
- request object processing order related and general fixes (9fd3fba)
- session required client properties control the iss & sid return (ab08cbe)
- short cookie options dont affect the resume cookie path scope (4c7e877)
- use fixed scope to claim mapping over dynamic ones (03a6130), closes #466
- subsequent authorization requests for the same combination of client, end-user and sessionUid will
all have the same
grantId
value now PKCE
is no longer forced forgrant_type=urn:ietf:params:oauth:grant-type:device_code
- response_type
code token
no longer requires nonce parameter to be present. See OIDC Core 1.0 Errata 2 changeset - provider no longer reject client registration when the
jwks.keys
is empty - provider now rejects client's
jwks
andjwks_uri
if they contain private key or symmetric key material. See OIDC Core 1.0 Errata 2 changeset - Client will no longer be looked up twice during failed authorization due to client not being found
max_age
parameter is now validated to be a non-negative safe integer- client secrets no longer need to have minimal length to support HS signing
- established session acr/amr is now available for any authorization request, not just the one it was established with
- change certificates to jwks (a75e478)
- consolidate interaction policy and url configuration (5c0ba04)
- disable "token" including response types defaults (78e4ebb)
- merge interactions and interactionUrl configuration (1193719)
- provider.registerGrantType accepts the handler directly (e822918)
- remove provider.initialize() (ec71ed0)
- remove request/request http client handling and methods (683e6c2)
- rename findById to findAccount to follow the helper convention (43f5ecc)
- rename idToken.sign to idToken.issue (1c6d556)
- added support for direct symmetric key encryption alg 'dir' (1a50c82)
- added extraAccessTokenClaims configuration option (25915ef)
- added options to disable userinfo and userinfo jwt responses (3620aed)
- added per-request http options helper function configuration (4aee414)
- added v2.public PASETOs as an available issued token format (7b149cf)
- added EdDSA support (2cdb0a2)
- added postLogoutSuccessSource helper for logouts without redirects (a979af8)
- allow for client default metadata to be changed (8f20a69)
- allow non-conform instances (f772f97)
- always return scope with token implicit response (ea7b394)
- default refresh token rotation policy changed (7310765)
- discovery must now always be enabled (5c3c0c7)
- enable client-based CORS origin whitelisting (8b4fd9e)
- passthrough cors middleware if pre-existing headers are present (6ec09ef), closes #447
- replay prevention for client assertions is now built in (a22d6ce)
- request objects are now one-time use if they have iss, jti and exp (1dc44dd)
- set default sameSite cookie values, short: lax, long: none (cfb1a70)
- it is now possible to issue Refresh Tokens without the offline_access scope, these refresh tokens
and all access tokens issued from it will be unusable when the session they're tied to gets
removed or its subject changes
- Session now has a
uid
property which persists throughout the cookie identifier rotations and its value is stored in the related tokens assessionUid
, it is based on this value that the provider will perform session lookups to ensure that session bound tokens are still considered valid - by default a session bound grant is one without offline_access, this can be changed, or
completely disabled to restore previous behaviour with a new
expiresWithSession
helper
- Session now has a
issueRefreshToken
configuration helper has been added, it allows to define specific client and context based policy about whether a refresh token should be issued or not to a client- interactions will now be requested multiple times if the authorization request context cannot be
resolved yet. This means you can now resolve one prompt at a time. When you load the interaction
details (using
provider.interactionDetails()
), in addition todetails.params
containing the complete parsed authorization parameters object, you now also have access todetails.prompt
containing an object with the prompt details.details.prompt.name
has the name prompt, e.g.login
details.prompt.reasons
has an array of reasons the prompt is being requested, e.g.["max_age"]
details.prompt.details
contains is an object of details you might need to resolve the promptdetails.session
is an object containing details about the OP session as-is at the moment of requesting interactiondetails.session.uid
is the internal session's uiddetails.session.cookie
is the session cookie valuedetails.session.acr
is the current session's acr if there's onedetails.session.amr
is the current session's amr if there's onedetails.session.accountId
- interactions results
consent.rejectedScopes
andconsent.rejectedClaims
will no longer replace the existing values, the rejected scopes and claims will accumulate instead, the same happens with what's assumed accepted (that is everything thats been requested and wasn't rejected) end_session_endpoint
now accepts a POST with the parameters being in the body of the request, this is so that clients avoid URL length limits and exposing PII in the URL. See OIDC Issues tracker- Updated OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens draft
implementation - draft 13
- client's
certificate_bound_access_tokens
, now also binds the Refresh Token if the client is using "none" endpoint auth method - SAN based client properties are now recognized, they are not however, supported and will throw when presented
- client's
- Updated Device Flow draft implementation - draft 15
- the same client authentication as for token_endpoint is now used at the device_authorization_endpoint
- once a user code passes the device confirmation prompt it cannot be used again
end_session_endpoint
is now always available, it is not bound to any of the session or logout specification features- clients may now have a
scope
property, when set authorization requests for this client must stay within those whitelisted scopes end_session_endpoint
will now drop session-bound tokens for the clients/grants encountered in the session- when the existing session's subject (end-user identifier) differs from one inside interaction results the provider will bounce the user agent through the end_session_endpoint to perform a "clean" logout - drop the session, perform front and back-channel logout notifications (if enabled) and revoke grants (if bound to session)
- end session endpoint will now revoke tokens bound to the user-agent session by grantId for the clients that have had their authorization removed
rotateRefreshToken
configuration added, it can be a function to allow for client and context based policy for deciding whether refresh token should rotated or not- the provider can now process non-openid authorization requests
- requests without an
openid
scope orscope
parameter altogether will be processed as plain OAuth2.0 authorization requests - this has a few exceptions:
- response types that include id_token still require the
openid
scope - use of openid feature related parameters such as
claims
,acr_values
,id_token_hint
andmax_age
still require theopenid
scope - use of openid feature related client attributes such as
default_acr_values
,default_max_age
,require_auth_time
still require theopenid
scope
- response types that include id_token still require the
- use of the
userinfo_endpoint
is only possible with access tokens that have theopenid
scope - note: the scope claim in JWT access tokens will be missing if the parameter was missing as well, dtto for the scope property in your persitent storage
- requests without an
- authorization parameter
max_age=0
now behaves likeprompt=login
(dtto client'sdefault_max_age=0
) - every model now has its own
saved
anddestroyed
event emitted by the provider, sessions and interactions too, the convention is{snake_cased_model_name}.{saved|destroyed}
urn:
request_uri support added, provided that one overloadsprovider.Client.prototype.requestUriAllowed
andprovider.requestUriCache.resolveUrn
http:
request_uris are now allowed under the assumption that the request object it yields is verifiable (signed and/or symmetrically encrypted)- added
invalid_software_statement
andunapproved_software_statement
exported errors
- node.js minimal version is now v12.0.0 due to its added EdDSA support (crypto.sign, crypto.verify and EdDSA key objects)
- the default enabled response types now omit all that
result in access tokens being issued by the authorization endpoint
and delivered via a fragment. If you're upgrading just configure
responseTypes
to include the ones you need for legacy purposes. interactionUrl
is nowinteractions.url
interactionCheck
has been removed and replaced with a new format optioninteractions.policy
interactionUrl
configuration option is nowinteractions.url
- the route name for jwks_uri is now
jwks
(wascertificates
). If you're upgrading and use a custom path forcertificates
make sure to use theroutes.jwks
now to configure the path - the default path for route
jwks
(certificates) is now/jwks
. If you're upgrading and want to (you probably do) keep using the old path, make sure to configureroutes.jwks
with the old value/certs
- PBES2-* Content Encryption Key encryption now correctly
uses the
client_secret
value rather than its SHA digest. - when neither interactions nor custom middlewares result in the authorization chain having an account identifier the server will now resolve the request with access_denied error.
- when neither interactions nor custom middlewares result in the authorization chain having resolved an accepted scope the server will now resolve the request with access_denied error.
- default
rotateRefreshToken
configuration value is now a function with a described policy that follows OAuth 2.0 Security Best Current Practice - removed features.discovery and it is now always-on, no point in disabling discovery, ever.
- logoutPendingSource no longer receives a
timeout
argument provider.defaultHttpOptions
setter was removed, use the newhttpOptions
configuration helper function instead- provider now asserts that client's
backchannel_logout_uri
returns a 200 OK response as per specification. - provider.IdToken.prototype.sign is renamed to provider.IdToken.prototype.issue
- PKCE code_challenge and code_verifier is now checked
to be 43-128 characters long and conforms to the allowed character set
of [A-Z] / [a-z] / [0-9] /
-
/.
/_
/~
. PKCE is now also ignored for the Device Code authorization request and token exchange. - findById helper was renamed to findAccount
postLogoutRedirectUri
configuration option is removed in favour ofpostLogoutSuccessSource
. This is used to render a success page out of the box rather then redirecting nowhere.- since provider is now available on
ctx.oidc.provider
the registerGrantType now expects the second argument to be the handler directly provider.initialize()
has been removed.- what was previously passed to
initialize()
askeystore
must now be passed as configuration property (asjwks
and it must be a JWKS formatted object, no longer a KeyStore instance. - what was previously passed to
initialize()
asclients
must now be passed as configuration property (asclients
). These "static" clients are no longer validated during the instantiation but just like with adapter-loaded clients - when they're first needed. - what was previously passed to
initialize()
asadapter
must now be passed as configuration property (asadapter
). - provider will no longer call
adapter
'sconnect
method. - Due to request's maintenance mode and inevitable deprecation (see request/request#3142) the option to switch the provider to use request has been removed.
- end_session_endpoint will now throw an error when clients provide post_logout_redirect_uri but fail to provide an id_token_hint. See https://bitbucket.org/openid/connect/issues/1032
- all exported JWK related methods have been removed
- JWT Access Token can now only be signed using the provider's asymmetric keys, client's HS will no longer be used
sid
ID Token claim is now only returned when the client requests it using theclaims
parameter or has the appropriate back/front channel logout uris enabled and front/backchannel_logout_session_required set to true- clients with
request_object_signing_alg
set must now always provide a request object, authorization requests will fail withinvalid_request
whenrequest
orrequest_uri
is missing for such clients - adapter changes to accomodate new functionality
- it is no longer desired to drop all related tokens when
#destroy
is called - Session adapter instance expects to have a
findByUid
method which resolves with the same data asfind
does only the reference is the session'suid
property. This is only needed when utilizing the new session-bound tokens - AccessToken, RefreshToken, AuthorizationCode & DeviceCode adapter instances expect to have
revokeByGrantId
method which accepts a string parametergrantId
and revokes all tokens with its matching value in thegrantId
property
- it is no longer desired to drop all related tokens when
- only
AccessToken
andClientCredentials
may have a format. All other tokens are now forced to be opaque clientCacheDuration
configuration option andprovider.Client.cacheClear
method have been removed, the provider now handles everything internally and Client objects are re-instantiated automatically if the client's configuration changes.token.*
events are no longer emitted, instead each token has its own event, sessions and interactions too, the convention issnake_cased_model_name.*
features.pkce
andfeatures.oauthNativeApps
have been removed and they are always in effect, PKCE is always forced on native clientsiss
is no longer pushed to token/model storage payloadsfeatures.sessionManagement.thirdPartyCheckUrl
has been removedfeatures.alwaysIssueRefresh
has been removedfeatures.refreshTokenRotation
has been renamed tofeatures.rotateRefreshToken
and its values are now true/false or a function that returns true/false when a refresh token should or should not be rotatedfeatures.conformIdTokenClaims
is not a feature anymore, it is justconformIdTokenClaims
in the configuration object's root- revoking an Access Token via the
revocation_endpoint
will not revoke the whole grant any more - default
interaction
cookie name value changed from_grant
to_interaction
- default
resume
cookie name value changed from_grant
to_interaction_resume
- all references to
ctx.oidc.uuid
are nowctx.oidc.uid
and the format is now a random string, not a uuid - nearly all emitted events have had their arguments shuffled and/or changed to allow for
ctx
to be first - nearly all helper functions have had their arguments shuffled and/or changed to allow for
ctx
to be the first amongst them (oh yeah,ctx
has been added almost everywhere) - all configuration
features
are no longer booleans, they're objects with all their relevant configuration in thedefaults.js
file anddocs/README.md
. Old configuration format is not accepted anymore - some configuration properties that only relate to a specific features were moved from the root
level to the feature's configuration level and have been renamed, these are
deviceFlowSuccess
->features.deviceFlow.successSource
frontchannelLogoutPendingSource
->features.frontchannelLogout.logoutPendingSource
userCodeConfirmSource
->features.deviceFlow.userCodeConfirmSource
userCodeInputSource
->features.deviceFlow.userCodeInputSource
- Session model has been split to Session and Interaction
- interaction login result now defaults to
remember: true
legacy
storage format has been removed- adding additional audiences through the
audiences
helper is now only possible for Access Tokens (AccessToken and ClientCredentials) - the
.well-known/webfinger
endpoint that always returned success is removed - default
deviceFlow.deviceInfo
userAgent
property is nowua
- example mongo and redis adapters revised
- example redis with ReJSON module adapter added
- example unmaintained adapters removed
5.5.5 (2019-02-20)
5.5.4 (2019-02-15)
5.5.3 (2019-01-22)
- handle server_error when refresh tokens are missing
gty
(75046ca)
5.5.2 (2018-12-20)
5.5.1 (2018-11-26)
- added aud and azp validations for ID Tokens passed by clients (4df8160)
- aud for jwt oauth tokens no longer gets the client id pushed in (14c556e)
5.5.0 (2018-11-22)
- gracefully handle mixed up response_type(s) order (b775591)
- http2 is also stable in ^8.13.0 (3d240d9)
5.4.2 (2018-11-19)
- ignore
*_endpoint_auth_signing_alg
client metadata when_jwt
auth is not allowed (d0346a8)
5.4.1 (2018-11-19)
- require consent result to save accepted scopes and claims (7720367)
5.4.0 (2018-11-18)
- handle potentially unvalidated response mode in authz error handler (ee501d1)
- issue new session identifiers when session changes (56d04e6)
- omit saving an empty session on initial authorize request (d0b7069)
- allow omitting redirect_uri in code exchange at the token endpoint when there is just one registered (8cdd407)
- update of draft-ietf-oauth-resource-indicators from 00 to 01 (1302a54), closes #385
5.3.0 (2018-11-05)
- upgrade min node-jose version to fix its performance in node (f1cb4c6)
- sessionManagement frame uses Storage Access API to detect errors (156e12d)
5.2.0 (2018-11-01)
- sessionManagement feature doesn't set a default thirdPartyCheckUrl anymore (0015c38)
With the sunset of https://rawgit.com i'm not going to look for a replacement CDN that hosts github content using the right content-type. This addition to sessionManagement is a gimmick helping only in a small % of cases anyway.
Note: Updates to draft and experimental specification versions are released as MINOR library versions,
if you utilize these specification implementations consider using the tilde ~
operator in your
package.json since breaking changes such as this one may be introduced as part of these version updates.
5.1.2 (2018-10-23)
5.1.0 (2018-10-03)
- ignore sector_identifier_uri when subject_type is not pairwise (416e379)
- added Resource Indicators for OAuth 2.0 - draft 00 implementation (1bc2994)
5.0.1 (2018-09-27)
5.0.0 (2018-09-26)
- change conformIdTokenClaims default value to true (ef40f6d)
- devInteractions also have no-cache headers, doesn't set acr (9d7a032)
- ensure non-whitelisted JWA algs cannot be used by
*_jwt
client auth (186de0d) - extraClientMetadata.properties keys do not get transformed (837beca)
- fixed 500 in client update checking client_secret equality (bad6348)
- remove deprecated passing of scope with consent results (35f13bc)
- remove deprecated Session.find upsert behaviour (73e07bd)
- remove deprecated unused exported errors (fc3f509)
- remove got 8 > 9(retries > retry) option re-assign behaviour (db31d32)
- secretFactory is now used in client update (0923f52)
- validate secret length for client_secret_jwt with no alg specified (ab64268)
- IdToken constructor and
#sign()
method changes (bb4269f) - moved thirdPartyCheckUrl under features.sessionManagement (c3f84b2)
- renamed deviceCode feature to deviceFlow (cd57d77)
- added self_signed_tls_client_auth client authentication method (9a1f0a3)
- added tls_client_auth client authentication method (ce2bf66)
- allow custom mechanisms for handling pairwise identifiers (57ce6d7)
- back and front-channel can be enabled without sessionManagement (8cb37ff)
- dynamic token expiration (6788b83)
- enable Certificate Bound Access Tokens (f43d820)
- enable explicit whitelist of JWA algorithms (0604e08)
- enable token storage and representation format to be dynamic (8487bd8)
- invalid_token errors now have a detail to aid in debugging or logs (b8324b7)
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (c759415)
- opaque is the default adapter format now (75e7a3f)
- unify audiences helper function signature (fd38600)
- the configuration option
pairwiseSalt
is replaced withpairwiseIdentifier
async helper function. This allows for different means of generating the pairwise identifier to be implemented, such as the ones mentioned in Core 1.0 - Passing
scope
to interaction result'sconsent
property is no longer supported cookies.thirdPartyCheckUrl
is now configured withfeatures.sessionManagement.thirdPartyCheckUrl
insteadfeatures.deviceCode
is nowfeatures.deviceFlow
anddeviceCodeSuccess
helper function is nowdeviceFlowSuccess
- In order for dynamic token expiration to be able to
pass a client instance to the helpers it is now better to pass a
client
property being the client instance to a new token instance rather then aclientId
. When passing a client theclientId
will be set automatically. - the default adapter format is now set to opaque, the legacy "legacy" value is still available for legacy deployments but cannot be combined with the new dynamic format feature option and is considered deprecated and will be removed in the next major release.
- the
default
enabled JWA algorithms have changed. See the newwhitelistedJWA
configuration option to re-enable the ones you need. - the configuration
unsupported
property is removed, use the configurationwhitelistedJWA
object instead. This isn't a 1:1 renaming of a configuration value, while theunsupported
option was essentually a blacklist thewhitelistedJWA
as the name suggests is a whitelist. - the
RSA-OAEP-256
key wrapping algorithm has been removed and is not configurable since it is not supported natively in nodejs. - IdToken constructor now requires the client instance
to be passed in as a second argument. IdToken instance
.sign()
now takes just one argument with the options. - when a symmetric endpoint authentication signing alg is not specified the secret will be validated such that it can be used with all available HS bit lengths
- audience helper
token
argument will no longer be a reference to other tokens than the one to which the audiences will be pushed. - audience helper
scope
argument is no longer available generateTokenId
format method is now a prototype method instead of a class one- the http request option
retries
will no longer be transformed intoretry
, seegot@^9.0.0
package for theretry
options - exported errors
RestrictedGrantType
andRestrictedResponseType
are no longer available - Session.find default upsert behaviour is changed to return a new empty session instead
- change conformIdTokenClaims default value to true
- custom client metadata properties will not get
transformed between snake_case and camelCase anymore to allow for
namespaced metadata properties such as
custom://metadata