Node.js lts/carbon (>= 8.9.0) is now the minimum required version
Client Metadata - null property values are no longer ignored
clients pushed through #initialize() must not submit properties with null values;
clients stored via an adapter must be updated in your storage so that they hold no null or
null-deserialized values, or alternatively your adapter can be changed not to return these
properties back to the provider
```js
const _ = require('lodash');

// your adapter implementation
class MyAdapter {
  // ...
  async find(id) {
    // load entity properties and then drop the null properties if this is a Client adapter instance
    // this is implementation specific
    const data = await DB.query(...);
    if (this.name === 'Client') {
      return _.omitBy(data, _.isNull);
    }
    return data;
  }
  // ...
}
```
Client Authentication
Errors related to parsing and format of the client authentication details are now 400 Bad Request with invalid_request. Errors related to the actual authentication check are now 401 Unauthorized with invalid_client and no details in the error description.
This means that errors related to client authentication no longer leak details back to the
client; instead the provider may be configured to receive these errors from e.g. provider.on('grant.error') and relay them to client developers out of band.
```js
function handleClientAuthErrors(err, { headers: { authorization }, oidc: { body, client } }) {
  if (err instanceof Provider.errors.InvalidClientAuth) {
    // save error details out-of-band for the client developers; `authorization`, `body`, `client`
    // are just some of the details available, you can dig into the ctx object for more.
    console.log(err);
  }
}

provider.on('grant.error', handleClientAuthErrors);
provider.on('introspection.error', handleClientAuthErrors);
provider.on('revocation.error', handleClientAuthErrors);
```
added a WWW-Authenticate response header to token endpoints when 401 is returned and the Authorization
header scheme was used to authenticate; client authentication related errors are now 401 Unauthorized
fixed several issues with token endpoint client authentication related to client_id lookup, it is no longer
possible to:
- submit multiple authentication mechanisms
- send an Authorization header to identify a client whose authentication method is none
- send both an Authorization header and client_secret or client_assertion in the body
all error classes the provider emits/throws are now exported in Provider.errors[class] instead of Provider[class] and the class names are no longer suffixed by Error. See console.log(Provider.errors)
removed the non-spec rt_hash ID Token claim
features.pkce now only enables S256 by default, which is sufficient for most deployments. If plain is needed, enable pkce with { features: { pkce: { supportedMethods: ['plain', 'S256'] } }.
client.backchannelLogout no longer suppresses any errors; instead it rejects the promise
token introspection endpoint no longer returns the wrong token_type claim (#189);
to continue supporting this non-standardized claim from introspection you may register the following middleware
fetched request_uri contents are no longer cached for a 15 minute default; cache headers are
honoured and responses without one fall off the LRU-Cache when it is full
the audiences helper is now called for the client_credentials and access_token cases in addition
to the existing id_token and signed userinfo cases. This is useful for pushing additional audiences
to an Access Token; these are now returned by token introspection and can be used when serializing
an Access Token as a JWT
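As an added example (not code from the oidc-provider project), an audiences helper that pushes a resource-server audience onto access and client-credentials tokens only, paired with the check a resource server can then run on the introspection response. It assumes the 4.x helper signature audiences(ctx, sub, token, use) and a constructed client-to-audience allow-list.

```javascript
// Constructed allow-list (assumption, not part of oidc-provider): which client_id may
// receive tokens addressed to which resource server audience.
const RESOURCE_AUDIENCES = {
  'dashboard-spa': ['https://api.example.com/orders'],
  'batch-worker': ['https://api.example.com/orders', 'https://api.example.com/reports'],
};

// Pure decision logic: only the access_token and client_credentials cases get extra
// audiences; id_token and userinfo are left unchanged (undefined = push nothing).
function selectAudiences(clientId, use) {
  if (use !== 'access_token' && use !== 'client_credentials') return undefined;
  const extra = RESOURCE_AUDIENCES[clientId];
  return extra && extra.length ? extra.slice() : undefined;
}

// Assumed 4.x configuration helper signature: audiences(ctx, sub, token, use).
// `use` names the case being serialised; `token.clientId` is assumed to carry the
// client the token was issued to.
async function audiences(ctx, sub, token, use) {
  return selectAudiences(token.clientId, use);
}

// Resource-server side: the pushed audiences come back from token introspection, so a
// resource server can refuse tokens that were not issued for it. `aud` may be a string
// or an array in an introspection response; both forms are handled, and an inactive
// token is always rejected regardless of its audience.
function resourceServerAccepts(introspection, ownAudience) {
  if (!introspection || introspection.active !== true) return false;
  const aud = introspection.aud;
  const list = Array.isArray(aud) ? aud : (aud ? [aud] : []);
  return list.includes(ownAudience);
}

module.exports = { RESOURCE_AUDIENCES, selectAudiences, audiences, resourceServerAccepts };
```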
the provider no longer uses the first value from acrValues to denote a "session"-like acr.
Where acr is requested as a voluntary claim and no result is available, the claim is
not returned.
to continue supporting the removed behaviour you can change the OIDCContext acr getter