Releases: panva/node-oidc-provider
Releases · panva/node-oidc-provider
v4.0.2
- fixed non-spec errors
restricted_response_type
andrestricted_grant_type
to be UnauthorizedClient (unauthorized_client
) instead as specified in RFC6749 - fixed missing
WWW-Authenticate
response header in Bearer auth scheme endpoints when 401 is returned (was missing fromregistration_endpoint
,registration_client_uri
) - fixed
#session.save()
whencookies.*.maxAge
is set to0
to not add theexp
claim - #289 - fixed the
remember=false
option to apply to client session state cookies too
v4.0.1
Breaking changes
- minimal version of node lts/carbon is required (>=8.9.0)
- Client Metadata - null property values are no longer ignored
- clients pushed through
#initialize()
must not submit properties with null values - clients stored via an adapter must be updated in your storage not to have null or
null-deserialized values, alternatively you can update your adapter not to return these
properties back to the provider
const _ = require('lodash'); // your adapter implementation class MyAdapter { // ... async find(id) { // load entity properties and then drop the null properties if its a Client adapter instance // this is implementation specific const data = await DB.query(...); if (this.name === 'Client') { return _.omitBy(data, _.isNull); } return data; } // ... }
- clients pushed through
- Client Authentication
- Errors related to authentication details parsing and format are now
400 Bad Request
and
invalid_request
. Errors related to actual authentication check are now401 Unauthorized
and
invalid_client
with no details in the description.
This means that errors related to client authentication will no longer leak details back to the
client, instead the provider may be configured to get these errors from e.g.
provider.on('grant.error')
and provide the errors to clients out of bands.function handleClientAuthErrors(err, { headers: { authorization }, oidc: { body, client } }) { if (err instanceof Provider.errors.InvalidClientAuth) { // save error details out-of-bands for the client developers, `authorization`, `body`, `client` // are just some details available, you can dig in ctx object for more. console.log(err); } } provider.on('grant.error', handleClientAuthErrors); provider.on('introspection.error', handleClientAuthErrors); provider.on('revocation.error', handleClientAuthErrors);
- added
WWW-Authenticate
response header to token endpoints when 401 is returned and Authorization
scheme was used to authenticate and changed client authentication related errors to be401 Unauthorized
- fixed several issues with token client authentication related to
client_id
lookup, it is no longer
possible to:- submit multiple authentication mechanisms
- send Authorization header to identify a
none
authentication method client - send both Authorization header and client_secret or client_assertion in the body
- Errors related to authentication details parsing and format are now
- all error classes the provider emits/throws are now exported in
Provider.errors[class]
instead of
Provider[class]
and the class names are no longer suffixed byError
. Seeconsole.log(Provider.errors)
- removed the non-spec
rt_hash
ID Token claim features.pkce
now only enablesS256
by default, this is sufficient for most deployments. If
plain
is needed enable pkce with{ features: { pkce: { supportedMethods: ['plain', 'S256'] } }
.client.backchannelLogout
no longer suppresses any errors, instead rejects the promise- token introspection endpoint no longer returns the wrong
token_type
claim - #189- to continue the support of this non-standardized claim from introspection you may register the following middleware
provider.use(async function introspectionTokenType(ctx, next) { await next(); if (ctx._matchedRouteName === 'introspection') { const token = ctx.oidc.entities.AccessToken || ctx.oidc.entities.ClientCredentials || ctx.oidc.entities.RefreshToken; switch (token && token.kind) { case 'AccessToken': ctx.body.token_type = 'access_token'; break; case 'ClientCredentials': ctx.body.token_type = 'client_credentials'; break; case 'RefreshToken': ctx.body.token_type = 'refresh_token'; break; } } });
- to continue the support of this non-standardized claim from introspection you may register the following middleware
- fetched
request_uri
contents are no longer cached for 15 minutes default, cache headers are
honoured and responses without one will fall off the LRU-Cache when this one is full audiences
is now in addition to existingid_token
and signeduserinfo
cases called forclient_credentials
andaccess_token
, this is useful for pushing additional audiences
to an Access Token, these are now returned by token introspection and can be used when serializing
an Access Token as a JWT- the provider will no longer use the first value from
acrValues
to denote a "session" like acr.
In cases where acr is requested as a voluntary claim and no result is available this claim will
not be returned.- to continue the support of the removed behaviour you can change the OIDCContext acr getter
const _ = require('lodash'); const sessionAcr = '...'; Object.defineProperty(provider.OIDCContext.prototype, 'acr', { get() { return _.get(this, 'result.login.acr', sessionAcr); }, });
- removed deprecated
#provider.setSessionAccountId()
helper method. Use#provider.setProviderSession()
instead
- to continue the support of the removed behaviour you can change the OIDCContext acr getter
Enhancements
- Session Changes
- stored sessions now have an
exp
property allowing the provider to ignore expired but
still returned sessions- existing sessions without this property will be accepted and the exp property will be added
with the next save
- existing sessions without this property will be accepted and the exp property will be added
- stored sessions now have an
- bumped the semantic version of every dependency to the latest as of release
- added
aud
to the introspection response if a token has one audiences
helper gets called with additional parametersuse
andscope
renderError
helper is now called with a third argument that's the actual Error instance.node-jose
dependency bumped to major ^1.0.0 - fixesA\d{3}GCMKW
symmetrical encryption support- added
cookies.thirdPartyCheckUrl
option and a warning to host it - moved middleware handling missing optionally
redirect_uri
parameter case right after loading
the client
v3.0.3
- all options passed to defaultHttpOptions now also reach
request
when#useRequest()
is used - fixed a case when RS256 key presence check was wrongly omitted during
#initialize()
- fixed client
jwks_uri
refresh error to be invalid_client_metadata and propagated to the client
v3.0.2
v3.0.1
v3.0.0
- fixed
client_secret_basic
requiring the username and password tokens to bex-www-form-urlencoded
according to https://tools.ietf.org/html/rfc6749#section-2.3.1
NOTE: Although technically a fix, this is a breaking change for clients with client secrets that need to be encoded according to the standard and don't currently do so. A proper way of submitting client_id and client_secret using client_secret_basic
is Authorization: base64(formEncode(client_id):formEncode(client_secret))
. This is only becoming apparent for client ids and secrets with special characters that need encoding. Update with care, if you have client identifiers or secrets with special characters that need encoding and they worked before, they will not anymore and you should reach out to your client maintainers to fix how client_secret_basic
is submitted.
v2.18.2
v2.18.0
- added
ctx.oidc.entities
with all loaded model/entity instances during a given request - added
cookies.keys
configuration option for KeyGrip key app passthrough - added
#provider.setProviderSession
for setting provider session from outside of a regular context - deprecated
#provider.setSessionAccountId
in favor of#provider.setProviderSession
v2.17.0
- fixed alternative verb routes to be named as well
- fixed default
interactionCheck
passing/resume
when users click cancel or just navigate back to auth resume route - added
client_update
andclient_delete
as named routes - added
extraClientMetadata
configuration option that allows for custom client properties as well as for additional validations for existing properties to be defined - when provider is configured with only
pairwise
subject type support then it is the client default and does not have to be explicitly provided anymore
v2.16.0
- supported PKCE code challenge methods are now configurable, use to i.e. disable
plain
for stricter OIDC profiles and new deployments where legacy clients withoutS256
support aren't to be expected. - added configuration validations for subjectTypes and pkce supportedMethods