Releases: panva/node-oidc-provider
Releases · panva/node-oidc-provider
v9.1.3
v9.1.2
v9.1.1
v9.1.0
Features
- experimental support for OIDC RP Metadata Choices (f3550da)
Fixes
- only include DPoP-Nonce in Access-Control-Expose-Headers when DPoP is enabled (e769aa8)
Refactor
- avoid assignment operators in conditional expressions (b7ed877)
- improve static find performance (106f94a)
- update some default helpers for readability (0818c36)
Documentation
- more clarity for features.dPoP.allowReplay (779a141)
v9.0.1
v9.0.0
⚠ BREAKING CHANGES
- authorization and logout endpoints no longer support the HTTP POST method by default, this can be re-enabled using the
enableHttpPostMethodsboolean configuration, this also requires that cookies.long.sameSite is set tonone - cookie session sameSite attribute default is now "lax" instead of "none"
- userinfo requests with bearer tokens will now fail if they also include DPoP
- userinfo now includes both dpop and bearer challenges when dpop is enabled
- accessing protected resources without an access token will now yield a 401 HTTP Status Code instead of a 400
- default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
- removed the provider.Account getter
- all Provider routes will now end the HTTP request when finished, koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, "upstream" control flows are unaffected
- the Provider no longer includes a catch-all 404 Not Found error handler
- FAPI profile behaviours no longer force PKCE, these should be forced by configuring the pkce.required configuration helper the default of which already does so.
- the server's JWK Key IDs (JWK kid parameter) now must be unique, no two keys must use the same kid.
- the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation, its default return remains false for this case though
- CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id
- authorization code grant type issued ID Tokens no longer include at_hash
- device authorization grant type issued ID Tokens no longer include at_hash
- refresh token grant type issued ID Tokens no longer include at_hash
- implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
- global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.
- the httpOptions configuration option was removed and a new option to accomodate the use of fetch() interface was added. This options is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
- Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
- removed support for Passing a Request Object by Reference (JAR request_uri)
- removed legacy sameSite cookie fallback
- removed support for Node.js 18.x
- removed support for Node.js 20.x
- removed the pkce.methods configuration
- removed the features.requestObjects.mode configuration
- removed support for Ed448
- removed support for X448
- removed support for secp256k1 / ES256K
- removed support for FAPI 1.0 ID2
Features
- Access Token revocation may now also optionally revoke the underlying grant (4f69668)
- add support for the fully-specified Ed25519 JWS Algorithm Identifier (645b900)
- DPoP support is now enabled by default (a5694af)
- Experimental support for external signing keys, e.g. in a KMS or HSM (8b3ceff)
- expose current requests' ctx via Provider.ctx static getter (1fbd81b)
- update FAPI 2.0 implementation to FAPI 2.0 Final (eff3115)
Documentation
- auto-format code blocks (c2c520f)
- dpop cannot acked anymore, it is stable (a48c51f)
- improvements to linked resources (cf77770)
- mention external types (5f8a450)
- move adapters to the Community Guides Discussions section (ba806ca)
- move recipes to the Community Guides Discussions section (cd8da28)
- remove mentions of the connect server framework (7cb1aaa)
- update README to use named exports (8355886)
- update version support matrix (abbfe2f)
Fixes
- no access token provided error is now a 401 (8493e2d)
- userinfo now includes both dpop and bearer challenges when dpop is enabled (1093f6b)
Refactor
- change default PKCE usage requirement (fdf8ad8)
- change default session cookie from sameSite none to lax (b47eee8)
- cleanup unused azp claim code (6c57e63)
- deprecate the
.appgetter (9b61212) - disable HTTP POST Method handling of authorization and logout endpoints (d56304c)
- encryption and key derivation is not blocking the main thread (73a422f)
- ensure all route handlers are final (8cc44e6)
- escape www-authenticate backslashes despite not directly using them (e789b98)
- increase all random identifiers from ~126 bits of randomness to ~256 (45721f8)
- minimal change to support koa@3 (925cee5)
- no more warnings if cookie keys are missing (7ab6157)
- omit generic "typ: JWT" in issued JSON Web Tokens (4eb4004)
- pass over internal configuration getters (0243964)
- Provider is now the Koa application instance (167216e)
- remove hardcoded require PKCE checks (be0b2fd)
- remove object-hash dependency (fda9385)
- remove optional ID Token _hash claims (58ca2c2)
- remove the provider.Account getter (dd2bde4)
- remove unused code (e5fc3cb)
- remove uses of randomFill and Buffer.allocUnsafe (00fe106)
- removed legacy sameSite cookie fallback (2defa70)
- removed support for FAPI 1.0 ID2 (311e3e2)
- removed support for Passing a Request Object by Reference (JAR request_uri) (bacf375)
- removed the features.requestObjects.mode configuration (4ec8327)
- removed the pkce.methods configuration (4a736b8)
- Request Object (JAR) is now enabled with features.requestObjects.enabled (20d60a4)
- simplify default assertJwtClaimsAndHeader configuration (1ea27a6)
- update Node.js support matrix (db57556)
- use fetch() api to make outgoing HTTP requests (cc70e5a)
- use hkdf in dpop's ro...