Releases: panva/node-oidc-provider

v5.4.0

18 Nov 19:30

Bug Fixes

  • handle potentially unvalidated response mode in authz error handler (ee501d1)
  • issue new session identifiers when session changes (56d04e6)
  • omit saving an empty session on initial authorize request (d0b7069)

Features

  • allow omitting redirect_uri in code exchange at the token endpoint when there is just one registered (8cdd407)
  • update of draft-ietf-oauth-resource-indicators from 00 to 01 (1302a54), closes #385

v5.3.0

05 Nov 20:59

Bug Fixes

  • upgrade min node-jose version to fix its performance in node (f1cb4c6)

Features

  • sessionManagement frame uses Storage Access API to detect errors (156e12d)

v5.2.0

01 Nov 09:06

Draft Features

  • sessionManagement feature doesn't set a default thirdPartyCheckUrl anymore (0015c38)

With the sunset of https://rawgit.com I'm not going to look for a replacement CDN that hosts GitHub content using the right content-type. This addition to sessionManagement is a gimmick helping only in a small % of cases anyway.

Note: Updates to draft and experimental specification versions are released as MINOR library versions. If you rely on these specification implementations, consider using the tilde (~) range operator in your package.json, since breaking changes such as this one may be introduced as part of those version updates.

v5.1.2

23 Oct 08:48

Same as v5.1.1, but with the koa dependency bumped to ensure koajs/koa#1262 and koajs/koa#1263 are in place.

v5.1.1

19 Oct 18:25

Bug Fixes

  • allow http2 req/res in interaction detail helpers (fixes #383) (a86aba7)

v5.1.0

03 Oct 20:35

Bug Fixes

  • ignore sector_identifier_uri when subject_type is not pairwise (416e379)

Features

  • add Resource Indicators for OAuth 2.0 - draft 00 implementation (1bc2994)

v5.0.1

27 Sep 08:52

Readme and dependency updates only.

v5.0.0

26 Sep 18:48

Bug Fixes

  • change conformIdTokenClaims default value to true (ef40f6d)
  • devInteractions also have no-cache headers and don't set acr (9d7a032)
  • ensure non-whitelisted JWA algs cannot be used by _jwt client auth (186de0d)
  • extraClientMetadata.properties keys do not get transformed (837beca)
  • fixed 500 in client update checking client_secret equality (bad6348)
  • remove deprecated passing of scope with consent results (35f13bc)
  • remove deprecated Session.find upsert behaviour (73e07bd)
  • remove deprecated unused exported errors (fc3f509)
  • remove the got 8 → 9 (retries → retry) option re-assignment behaviour (db31d32)
  • secretFactory is now used in client update (0923f52)
  • validate secret length for client_secret_jwt with no alg specified (ab64268)

Code Refactoring

  • IdToken constructor and #sign() method changes (bb4269f)
  • moved thirdPartyCheckUrl under features.sessionManagement (c3f84b2)
  • renamed deviceCode feature to deviceFlow (cd57d77)

Features

  • add self_signed_tls_client_auth client authentication method (9a1f0a3)
  • add tls_client_auth client authentication method (ce2bf66)
  • allow custom mechanisms for handling pairwise identifiers (57ce6d7)
  • back and front-channel can be enabled without sessionManagement (8cb37ff)
  • dynamic token expiration (6788b83)
  • enable Certificate Bound Access Tokens (f43d820)
  • enable explicit whitelist of JWA algorithms (0604e08)
  • enable token storage and representation format to be dynamic (8487bd8)
  • invalid_token errors now have a detail to aid in debugging or logs (b8324b7)
  • JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (c759415)
  • opaque is the default adapter format now (75e7a3f)
  • unify audiences helper function signature (fd38600)

BREAKING CHANGES

  • the configuration option pairwiseSalt is replaced with pairwiseIdentifier async helper function. This allows for different means of generating the pairwise identifier to be implemented, such as the ones mentioned in Core 1.0
  • Passing scope to interaction result's consent property is no longer supported
  • cookies.thirdPartyCheckUrl is now configured with features.sessionManagement.thirdPartyCheckUrl instead
  • features.deviceCode is now features.deviceFlow and deviceCodeSuccess helper function is now deviceFlowSuccess
  • In order for dynamic token expiration to be able to pass a client instance to the helpers, it is now better to pass a client property (the client instance) to a new token instance rather than a clientId. When passing a client the clientId will be set automatically.
  • the default adapter format is now set to opaque. The "legacy" value is still available for existing deployments but cannot be combined with the new dynamic format feature option; it is considered deprecated and will be removed in the next major release.
  • the default enabled JWA algorithms have changed. See the new whitelistedJWA configuration option to re-enable the ones you need.
  • the configuration unsupported property is removed, use the configuration whitelistedJWA object instead. This isn't a 1:1 renaming of a configuration value: while the unsupported option was essentially a blacklist, whitelistedJWA, as the name suggests, is a whitelist.
  • the RSA-OAEP-256 key wrapping algorithm has been removed and is not configurable since it's not supported natively in nodejs.
  • IdToken constructor now requires the client instance to be passed in as a second argument. IdToken instance .sign() now takes just one argument with the options.
  • when no symmetric token endpoint authentication signing alg is specified for a client, its secret is validated so that it is long enough to be used with all available HS bit lengths
  • audience helper token argument will no longer be a reference to other tokens than the one to which the audiences will be pushed.
  • audience helper scope argument is no longer available
  • generateTokenId format method is now a prototype method instead of a class one
  • the http request option retries will no longer be transformed into retry, see got@^9.0.0 package for the retry options
  • exported errors RestrictedGrantType and RestrictedResponseType are no longer available
  • Session.find default upsert behaviour is changed to return a new empty session instead
  • change conformIdTokenClaims default value to true
  • custom client metadata properties will not get transformed between snake_case and camelCase anymore to allow for namespaced metadata properties such as custom://metadata

v4.8.3

20 Sep 11:14

Bug Fixes

  • reference correct param names in features.webMessageResponseMode (e495c6b)

v4.8.2

16 Sep 14:18

Bug Fixes

  • do not overwrite custom response mode implementations with defaults (7f7ea79), closes #365
  • remove unnecessary catchall in fallback session save (3bfb8f0), closes #363