Skip to content

Releases: panva/node-oidc-provider

v4.0.2

05 Jun 08:06
Compare
Choose a tag to compare
  • fixed non-spec errors restricted_response_type and restricted_grant_type to be UnauthorizedClient (unauthorized_client) instead as specified in RFC6749
  • fixed missing WWW-Authenticate response header in Bearer auth scheme endpoints when 401 is returned (was missing from registration_endpoint, registration_client_uri)
  • fixed #session.save() when cookies.*.maxAge is set to 0 to not add the exp claim - #289
  • fixed the remember=false option to apply to client session state cookies too

v4.0.1

01 Jun 11:41
Compare
Choose a tag to compare

Breaking changes

  • minimal version of node lts/carbon is required (>=8.9.0)
  • Client Metadata - null property values are no longer ignored
    • clients pushed through #initialize() must not submit properties with null values
    • clients stored via an adapter must be updated in your storage not to have null or
      null-deserialized values, alternatively you can update your adapter not to return these
      properties back to the provider
    const _ = require('lodash');
    // your adapter implementation
    class MyAdapter {
      // ...
      async find(id) {
        // load entity properties and then drop the null properties if its a Client adapter instance
        // this is implementation specific
        const data = await DB.query(...);
        if (this.name === 'Client') {
          return _.omitBy(data, _.isNull);
        }
        return data;
      }
      // ...
    }
  • Client Authentication
    • Errors related to authentication details parsing and format are now 400 Bad Request and
      invalid_request. Errors related to actual authentication check are now 401 Unauthorized and
      invalid_client with no details in the description.
      This means that errors related to client authentication will no longer leak details back to the
      client, instead the provider may be configured to get these errors from e.g.
      provider.on('grant.error') and provide the errors to clients out of bands.
      function handleClientAuthErrors(err, { headers: { authorization }, oidc: { body, client } }) {
        if (err instanceof Provider.errors.InvalidClientAuth) {
          // save error details out-of-bands for the client developers, `authorization`, `body`, `client`
          // are just some details available, you can dig in ctx object for more.
          console.log(err);
        }
      }
      provider.on('grant.error', handleClientAuthErrors);
      provider.on('introspection.error', handleClientAuthErrors);
      provider.on('revocation.error', handleClientAuthErrors);
    • added WWW-Authenticate response header to token endpoints when 401 is returned and Authorization
      scheme was used to authenticate and changed client authentication related errors to be 401 Unauthorized
    • fixed several issues with token client authentication related to client_id lookup, it is no longer
      possible to:
      • submit multiple authentication mechanisms
      • send Authorization header to identify a none authentication method client
      • send both Authorization header and client_secret or client_assertion in the body
  • all error classes the provider emits/throws are now exported in Provider.errors[class] instead of
    Provider[class] and the class names are no longer suffixed by Error. See console.log(Provider.errors)
  • removed the non-spec rt_hash ID Token claim
  • features.pkce now only enables S256 by default, this is sufficient for most deployments. If
    plain is needed enable pkce with { features: { pkce: { supportedMethods: ['plain', 'S256'] } }.
  • client.backchannelLogout no longer suppresses any errors, instead rejects the promise
  • token introspection endpoint no longer returns the wrong token_type claim - #189
    • to continue the support of this non-standardized claim from introspection you may register the following middleware
      provider.use(async function introspectionTokenType(ctx, next) {
        await next();
        if (ctx._matchedRouteName === 'introspection') {
          const token = ctx.oidc.entities.AccessToken || ctx.oidc.entities.ClientCredentials || ctx.oidc.entities.RefreshToken;
      
          switch (token && token.kind) {
            case 'AccessToken':
              ctx.body.token_type = 'access_token';
              break;
            case 'ClientCredentials':
              ctx.body.token_type = 'client_credentials';
              break;
            case 'RefreshToken':
              ctx.body.token_type = 'refresh_token';
              break;
          }
        }
      });
  • fetched request_uri contents are no longer cached for 15 minutes default, cache headers are
    honoured and responses without one will fall off the LRU-Cache when this one is full
  • audiences is now in addition to existing id_token and signed userinfo
    cases called for client_credentials and access_token, this is useful for pushing additional audiences
    to an Access Token, these are now returned by token introspection and can be used when serializing
    an Access Token as a JWT
  • the provider will no longer use the first value from acrValues to denote a "session" like acr.
    In cases where acr is requested as a voluntary claim and no result is available this claim will
    not be returned.
    • to continue the support of the removed behaviour you can change the OIDCContext acr getter
      const _ = require('lodash');
      const sessionAcr = '...';
      Object.defineProperty(provider.OIDCContext.prototype, 'acr', {
        get() {
          return _.get(this, 'result.login.acr', sessionAcr);
        },
      });
    • removed deprecated #provider.setSessionAccountId() helper method. Use #provider.setProviderSession()
      instead

Enhancements

  • Session Changes
    • stored sessions now have an exp property allowing the provider to ignore expired but
      still returned sessions
      • existing sessions without this property will be accepted and the exp property will be added
        with the next save
  • bumped the semantic version of every dependency to the latest as of release
  • added aud to the introspection response if a token has one
  • audiences helper gets called with additional parameters use and scope
  • renderError helper is now called with a third argument that's the actual Error instance.
  • node-jose dependency bumped to major ^1.0.0 - fixes A\d{3}GCMKW symmetrical encryption support
  • added cookies.thirdPartyCheckUrl option and a warning to host it
  • moved middleware handling missing optionally redirect_uri parameter case right after loading
    the client

v3.0.3

23 May 14:27
Compare
Choose a tag to compare
  • all options passed to defaultHttpOptions now also reach request when #useRequest() is used
  • fixed a case when RS256 key presence check was wrongly omitted during #initialize()
  • fixed client jwks_uri refresh error to be invalid_client_metadata and propagated to the client

v3.0.2

15 May 20:52
Compare
Choose a tag to compare
  • base64url dependency replaced with base64-url

v3.0.1

10 May 12:17
Compare
Choose a tag to compare

only dependency tree updates

v3.0.0

02 May 08:45
Compare
Choose a tag to compare

NOTE: Although technically a fix, this is a breaking change for clients with client secrets that need to be encoded according to the standard and don't currently do so. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). This is only becoming apparent for client ids and secrets with special characters that need encoding. Update with care, if you have client identifiers or secrets with special characters that need encoding and they worked before, they will not anymore and you should reach out to your client maintainers to fix how client_secret_basic is submitted.

v2.18.2

02 May 08:23
Compare
Choose a tag to compare
  • republished 2.18.0 following deprecation of 2.18.1

v2.18.0

12 Apr 16:02
Compare
Choose a tag to compare
  • added ctx.oidc.entities with all loaded model/entity instances during a given request
  • added cookies.keys configuration option for KeyGrip key app passthrough
  • added #provider.setProviderSession for setting provider session from outside of a regular context
  • deprecated #provider.setSessionAccountId in favor of #provider.setProviderSession

v2.17.0

29 Mar 16:41
Compare
Choose a tag to compare
  • fixed alternative verb routes to be named as well
  • fixed default interactionCheck passing /resume when users click cancel or just navigate back to auth resume route
  • added client_update and client_delete as named routes
  • added extraClientMetadata configuration option that allows for custom client properties as well as for additional validations for existing properties to be defined
  • when provider is configured with only pairwise subject type support then it is the client default and does not have to be explicitly provided anymore

v2.16.0

26 Mar 17:30
Compare
Choose a tag to compare
  • supported PKCE code challenge methods are now configurable, use to i.e. disable plain for stricter OIDC profiles and new deployments where legacy clients without S256 support aren't to be expected.
  • added configuration validations for subjectTypes and pkce supportedMethods