Releases: panva/node-oidc-provider
Releases · panva/node-oidc-provider
v4.0.1
Breaking changes
- minimal version of node lts/carbon is required (>=8.9.0)
- Client Metadata - null property values are no longer ignored
- clients pushed through
#initialize()must not submit properties with null values - clients stored via an adapter must be updated in your storage not to have null or
null-deserialized values, alternatively you can update your adapter not to return these
properties back to the provider
const _ = require('lodash'); // your adapter implementation class MyAdapter { // ... async find(id) { // load entity properties and then drop the null properties if its a Client adapter instance // this is implementation specific const data = await DB.query(...); if (this.name === 'Client') { return _.omitBy(data, _.isNull); } return data; } // ... }
- clients pushed through
- Client Authentication
- Errors related to authentication details parsing and format are now
400 Bad Requestand
invalid_request. Errors related to actual authentication check are now401 Unauthorizedand
invalid_clientwith no details in the description.
This means that errors related to client authentication will no longer leak details back to the
client, instead the provider may be configured to get these errors from e.g.
provider.on('grant.error')and provide the errors to clients out of bands.function handleClientAuthErrors(err, { headers: { authorization }, oidc: { body, client } }) { if (err instanceof Provider.errors.InvalidClientAuth) { // save error details out-of-bands for the client developers, `authorization`, `body`, `client` // are just some details available, you can dig in ctx object for more. console.log(err); } } provider.on('grant.error', handleClientAuthErrors); provider.on('introspection.error', handleClientAuthErrors); provider.on('revocation.error', handleClientAuthErrors);
- added
WWW-Authenticateresponse header to token endpoints when 401 is returned and Authorization
scheme was used to authenticate and changed client authentication related errors to be401 Unauthorized - fixed several issues with token client authentication related to
client_idlookup, it is no longer
possible to:- submit multiple authentication mechanisms
- send Authorization header to identify a
noneauthentication method client - send both Authorization header and client_secret or client_assertion in the body
- Errors related to authentication details parsing and format are now
- all error classes the provider emits/throws are now exported in
Provider.errors[class]instead of
Provider[class]and the class names are no longer suffixed byError. Seeconsole.log(Provider.errors) - removed the non-spec
rt_hashID Token claim features.pkcenow only enablesS256by default, this is sufficient for most deployments. If
plainis needed enable pkce with{ features: { pkce: { supportedMethods: ['plain', 'S256'] } }.client.backchannelLogoutno longer suppresses any errors, instead rejects the promise- token introspection endpoint no longer returns the wrong
token_typeclaim - #189- to continue the support of this non-standardized claim from introspection you may register the following middleware
provider.use(async function introspectionTokenType(ctx, next) { await next(); if (ctx._matchedRouteName === 'introspection') { const token = ctx.oidc.entities.AccessToken || ctx.oidc.entities.ClientCredentials || ctx.oidc.entities.RefreshToken; switch (token && token.kind) { case 'AccessToken': ctx.body.token_type = 'access_token'; break; case 'ClientCredentials': ctx.body.token_type = 'client_credentials'; break; case 'RefreshToken': ctx.body.token_type = 'refresh_token'; break; } } });
- to continue the support of this non-standardized claim from introspection you may register the following middleware
- fetched
request_uricontents are no longer cached for 15 minutes default, cache headers are
honoured and responses without one will fall off the LRU-Cache when this one is full audiencesis now in addition to existingid_tokenand signeduserinfo
cases called forclient_credentialsandaccess_token, this is useful for pushing additional audiences
to an Access Token, these are now returned by token introspection and can be used when serializing
an Access Token as a JWT- the provider will no longer use the first value from
acrValuesto denote a "session" like acr.
In cases where acr is requested as a voluntary claim and no result is available this claim will
not be returned.- to continue the support of the removed behaviour you can change the OIDCContext acr getter
const _ = require('lodash'); const sessionAcr = '...'; Object.defineProperty(provider.OIDCContext.prototype, 'acr', { get() { return _.get(this, 'result.login.acr', sessionAcr); }, });
- removed deprecated
#provider.setSessionAccountId()helper method. Use#provider.setProviderSession()
instead
- to continue the support of the removed behaviour you can change the OIDCContext acr getter
Enhancements
- Session Changes
- stored sessions now have an
expproperty allowing the provider to ignore expired but
still returned sessions- existing sessions without this property will be accepted and the exp property will be added
with the next save
- existing sessions without this property will be accepted and the exp property will be added
- stored sessions now have an
- bumped the semantic version of every dependency to the latest as of release
- added
audto the introspection response if a token has one audienceshelper gets called with additional parametersuseandscoperenderErrorhelper is now called with a third argument that's the actual Error instance.node-josedependency bumped to major ^1.0.0 - fixesA\d{3}GCMKWsymmetrical encryption support- added
cookies.thirdPartyCheckUrloption and a warning to host it - moved middleware handling missing optionally
redirect_uriparameter case right after loading
the client
v3.0.3
- all options passed to defaultHttpOptions now also reach
requestwhen#useRequest()is used - fixed a case when RS256 key presence check was wrongly omitted during
#initialize() - fixed client
jwks_urirefresh error to be invalid_client_metadata and propagated to the client
v3.0.2
v3.0.1
v3.0.0
- fixed
client_secret_basicrequiring the username and password tokens to bex-www-form-urlencodedaccording to https://tools.ietf.org/html/rfc6749#section-2.3.1
NOTE: Although technically a fix, this is a breaking change for clients with client secrets that need to be encoded according to the standard and don't currently do so. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). This is only becoming apparent for client ids and secrets with special characters that need encoding. Update with care, if you have client identifiers or secrets with special characters that need encoding and they worked before, they will not anymore and you should reach out to your client maintainers to fix how client_secret_basic is submitted.
v2.18.2
v2.18.0
- added
ctx.oidc.entitieswith all loaded model/entity instances during a given request - added
cookies.keysconfiguration option for KeyGrip key app passthrough - added
#provider.setProviderSessionfor setting provider session from outside of a regular context - deprecated
#provider.setSessionAccountIdin favor of#provider.setProviderSession
v2.17.0
- fixed alternative verb routes to be named as well
- fixed default
interactionCheckpassing/resumewhen users click cancel or just navigate back to auth resume route - added
client_updateandclient_deleteas named routes - added
extraClientMetadataconfiguration option that allows for custom client properties as well as for additional validations for existing properties to be defined - when provider is configured with only
pairwisesubject type support then it is the client default and does not have to be explicitly provided anymore
v2.16.0
- supported PKCE code challenge methods are now configurable, use to i.e. disable
plainfor stricter OIDC profiles and new deployments where legacy clients withoutS256support aren't to be expected. - added configuration validations for subjectTypes and pkce supportedMethods