
Releases: panva/node-oidc-provider

v6.0.0

28 Jun 06:40

This release has been on and off in development since the major v5.x release in September 2018. It
is the biggest and most breaking release to date and a massive accomplishment; most of the new
features you saw added to the v5.x release line were backports from a privately worked-on v6.x
branch of the project.

~ 334 changed files with 19,617 additions and 13,322 deletions.

With the API evolving only slightly with each version for more than 3 years, it was in need of
a big overhaul, especially in the configuration and adapter API department. Knowing the next release
would be a breaking one welcomed innovation and refactoring, hence the endless stream of alpha and
beta releases with breaking changes in them.

Notable changes

Fully embraced browser based apps using Authorization Code flow + PKCE

Browser-based public clients are now able to get Refresh Tokens that are
not offline_access, are end-user session bound and rotate with each use.

This is in line with the BCPs being worked on by the OAuth WG and it is
also ready for new sender-constraining mechanisms such as DPoP being
implemented as soon as they are adopted as WG drafts.

Issuing refresh tokens without offline_access is not enabled by default
and is controlled by a new issueRefreshToken configuration policy.

By default, all tokens that do not have the offline_access scope are now
handled as invalid or expired when the session they came from is gone,
i.e. when the end-user logs out or a shorter-lived session simply expires
due to inactivity. This behaviour is controlled by a new expiresWithSession
configuration policy.

CORS is not an afterthought

Also related to browser-based apps using the AS: it is now possible to
control CORS per request and implement request-context-based policies
using the new clientBasedCORS configuration policy. By default this policy's
value enables * CORS on all CORS-intended endpoints.

You can see a client-metadata based approach in /recipes.
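As an added example, not code from the node-oidc-provider project or its recipes, the fragment below shows how the refresh-token policies (issueRefreshToken, expiresWithSession) and the per-request CORS policy (clientBasedCORS) described in the two sections above fit into a v6-style configuration. The call signatures, the camelCased client and token properties, and the custom `corsOrigins` client metadata property are assumptions; verify them against the version you install.

```javascript
// Added example (not project code). Policy names and signatures are assumed from
// the v6 configuration: issueRefreshToken(ctx, client, code),
// expiresWithSession(ctx, token), clientBasedCORS(ctx, origin, client).

// Decide whether a refresh token is issued alongside the access token.
function shouldIssueRefreshToken(client, code) {
  if (!client.grantTypes.includes('refresh_token')) return false;
  // Classic behaviour: the client asked for offline_access.
  if (code.scopes.has('offline_access')) return true;
  // v6 behaviour for a browser-based public client (no client secret): a
  // session-bound, rotating refresh token without offline_access.
  return client.tokenEndpointAuthMethod === 'none';
}

// Tokens issued without offline_access are invalid once the end-user session is gone.
function tokenExpiresWithSession(token) {
  return !token.scopes.has('offline_access');
}

// Per-request CORS decision: allow only origins registered on the client under a
// hypothetical custom metadata property `corsOrigins` (not a built-in property).
function corsAllowed(origin, client) {
  return Array.isArray(client.corsOrigins) && client.corsOrigins.includes(origin);
}

// The configuration object handed to `new Provider(issuer, configuration)`.
const configuration = {
  async issueRefreshToken(ctx, client, code) { return shouldIssueRefreshToken(client, code); },
  async expiresWithSession(ctx, token) { return tokenExpiresWithSession(token); },
  clientBasedCORS(ctx, origin, client) { return corsAllowed(origin, client); },
};

// Constructed sample objects standing in for the provider's Client and
// AuthorizationCode instances during a PKCE authorization code exchange.
const spaClient = {
  grantTypes: ['authorization_code', 'refresh_token'],
  tokenEndpointAuthMethod: 'none',
  corsOrigins: ['https://app.example.com'],
};
const codeWithoutOffline = { scopes: new Set(['openid', 'profile']) };

console.log('refresh token issued:', shouldIssueRefreshToken(spaClient, codeWithoutOffline));
console.log('expires with session:', tokenExpiresWithSession(codeWithoutOffline));
console.log('CORS for app origin:', corsAllowed('https://app.example.com', spaClient));
```

With this policy, the SPA gets a refresh token that dies with the end-user session, while a confidential client still needs offline_access to receive one.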

Authorization Requests without the openid scope

The provider can now process authorization requests that do not contain
the openid scope, pure OAuth 2.0 mode.

Optimized crypto

All crypto is now done using node's crypto module with the use of KeyObject
keys and secrets. Node.js >= 12.0.0 added a KeyObject class to represent a
symmetric or asymmetric key, and it is recommended that applications use this
new KeyObject API instead of passing keys as strings or Buffers due to improved
security features as well as optimized operation.

EdDSA & PASETO

The provider can now sign ID Tokens, JWT Access Tokens, Userinfo and
everything JOSE using EdDSA. With Ed25519 now being supported you can also
have your Access Tokens in PASETO format.

Upgrade / Migration path

5 -> 6 migration path is not clearly laid out; I'd much more recommend starting just with
new Provider('...') and then backporting your configuration and code. Please note some changed
configuration defaults which, if you relied upon them, you now need to configure to their v5.x
values explicitly. Should you require assistance with an upgrade please don't hesitate to get in
touch via the issue tracker (limited support capacity) or via email for a more direct and involved
conversation.

Bug Fixes

  • fixed symmetric key derivation for JWT introspection endpoint response (1a50c82)
  • fixed symmetric key derivation for JWT authorization endpoint response (1a50c82)
  • *_jwt client auth method alg no longer mixes up (a)symmetrical (1771655)
  • acceptedClaimsFor filtering out claims not scopes (fd8f886)
  • added scope to implicit responses when different from request (71b2e7e)
  • allow all incoming headers for CORS requests (3d2c8e4)
  • also reject client jwks/jwks_uri symmetric keys (df18f62), closes #481
  • avoid sending "samesite=none" to webkit browsers due to their bug (9c6e05b)
  • base accepted scope off the accepted scopes, not param scopes (ccec5d3)
  • break endless login loop with too short max_age values (66c7968)
  • check id_token_hint even if the interaction check is disabled (7528220)
  • check PKCE verifier and challenge ABNF, remove it from device flow (849b964)
  • check sameSite cookie option for none case-insensitive (523d1b2)
  • client key agreement with ECDH-ES is not possible in two cases (5c39f6e)
  • clientDefaults is now used in resolving defaults of some edge props (e7bcfd2)
  • correctly use the secret value, not its SHA digest, for PBES2-* (43256ba)
  • device flow - mark codes as already used at the right time (7b913fd)
  • do not send empty error_descriptions with some responses (663fadc)
  • enable debugging session bound tokens not being returned (cc66876)
  • enable Secure cookies with the default settings if on secure req (a056bfd)
  • expose correct discovery metadata jwt introspection signing algs (cf4e442), closes #475
  • fail logout when post_logout_redirect_uri is not actionable (b3a50ac)
  • handle client jwks x5c when kty is OKP, use client jwks key_ops (f052f6b)
  • handle invalid interaction policies with access_denied (1b6104c)
  • html-rendered response modes now honour 400 and 500 status codes (9771581)
  • jwt client assertion audience now also accepts issuer and token url (38706e7)
  • rendered OP views are no longer dead ends with javascript disabled (c2f17d7)
  • request object processing order related and general fixes (9fd3fba)
  • session required client properties control the iss & sid return (ab08cbe)
  • short cookie options don't affect the resume cookie path scope (4c7e877)
  • use fixed scope to claim mapping over dynamic ones (03a6130), closes #466
  • subsequent authorization requests for the same combination of client, end-user and sessionUid will
    all have the same grantId value now
  • PKCE is no longer forced for grant_type=urn:ietf:params:oauth:grant-type:device_code
  • response_type code token no longer requires nonce parameter to be present. See
    OIDC Core 1.0 Errata 2 changeset
  • provider no longer rejects client registration when jwks.keys is empty
  • provider now rejects client's jwks and jwks_uri if they contain private key or symmetric key material. See
    OIDC Core 1.0 Errata 2 changeset
  • Client will no longer be looked up twice during failed authorization due to client not being found
  • max_age parameter is now validated to be a non-negative safe integer
  • client secrets no longer need to have minimal length to support HS signing
  • established session acr/amr is now available for any authorization request, not just the one it
    was established with

Code Refactoring

  • change certificates to jwks (a75e478)
  • consolidate interaction policy and url configuration (5c0ba04)
  • disable "token" including response types defaults (78e4ebb)
  • merge interactions and interactionUrl configuration (1193719)
  • provider.registerGrantType accepts the handler directly (e822918)
  • remove provider.initialize() (ec71ed0)
  • remove request/request http client handling and methods (683e6c2)
  • rename findById to findAccount to follow the helper convention ...

v5.5.6

24 Jun 06:36

Bug Fixes

  • use fixed scope to claim mapping over dynamic ones (046f99a) (backport)

v5.5.5

20 Feb 16:08

Bug Fixes

  • expose only supported cors methods (4a81104)
  • replace router again to fix CORS preflights (d642f8b)

v5.5.4

15 Feb 18:53

Refactored

  • removed koa-router in favor of koa-trie-router (fe812e0), closes #436

v5.5.3

22 Jan 16:44

Bug Fixes

  • handle server_error when refresh tokens are missing gty (75046ca)

v5.5.2

20 Dec 14:55

Bug Fixes

  • JWKStore prototype jwksUri undefined client (#413) (ba69fb6)

v5.5.1

26 Nov 12:49

Bug Fixes

  • added aud and azp validations for ID Tokens passed by clients (4df8160)
  • aud for jwt oauth tokens no longer gets the client id pushed in (14c556e)

v5.5.0

22 Nov 19:24

Bug Fixes

  • gracefully handle mixed up response_type(s) order (b775591)
  • http2 is also stable in ^8.13.0 (3d240d9)

Features

  • initial and registration access token policies (452000c), closes #394

v5.4.2

19 Nov 18:43

Bug Fixes

  • ignore *_endpoint_auth_signing_alg client metadata when _jwt auth is not allowed (d0346a8)

v5.4.1

19 Nov 09:52

Bug Fixes

  • require consent result to save accepted scopes and claims (7720367)