v7.1.2

Bug Fixes

• v1.paseto token alg keystore value to be PS384 instead of RS384 (ae1f879)

v7.1.1

Bug Fixes

• save the grantId reference field with an interaction session (6cab64e)
• typo in consent detail missingOIDClaims -> missingOIDCClaims (1427383)

v7.1.0

Features

• allow control of which errors flow back to client's redirect_uri (219cd45)
• server_error codes no longer redirect back to clients (b591d7f)

v7.0.0

⚠ BREAKING CHANGES

• PAR no longer remaps all errors as invalid_request_object.
• IdToken.prototype.issue now requires the use option.
• JWT Header Parameter client_id in Request Objects is now ignored.
• Request Objects now require iss and aud claims.
• OIDCContext.prototype.dPoP getter was removed.
• BaseToken.prototype.setThumbprint jkt mode now expects the string thumbprint value instead of the jose.JWK instance.
• Client JWKS kid values are no longer automatically calculated per RFC7638 when missing. As a result when client's public keys are used to encrypt assertions the kid header will be missing when such keys are used.
• Provider constructor will now reject JWKS that serve no purpose (e.g. are only usable for encryption but encryption is disabled).
• Client and Provider JWKS are validated to be syntactically correct as before but only resolve to a crypto.KeyObject when they're used.
• sector_identifier_uri is now verified regardless of client's subject_type when provided.
• response_type=token is no longer supported
• Session.prototype.accountId function was removed, it is just a property access now.
• Session adapter payload property account was renamed to accountId.
• Interactions result login.account was renamed to login.accountId
• Session.prototype.loginAccount option account was renamed to accountId
• TypeScript type definitions are no longer bundled with the package, instead these will be re-published to DefinitelyTyped.
• configuration.features.resourceIndicators was completely re-implemented.
• configuration.audiences helper function was removed, use the resourceIndicators feature instead.
• Access Tokens with an audience can no longer be used to access the userinfo endpoint.
• Only a single audience ("aud") is permitted in Access Tokens and Client Credential tokens.
• Structured (JWT and PASETO) access tokens Access Tokens no longer default to using the clientId as audience, if no audience is specified an Error is throw indicating that issuing a structured token is probably not needed for a token only usable at the userinfo_endpoint.
• Only opaque access tokens without an audience may be used to access the userinfo_endpoint.
• Only opaque access tokens may be introspected using the introspection_endpoint.
• Only opaque access tokens may be revoked using the revocation_endpoint.
• Only opaque access tokens get stored using the adapter.
• Structured (JWT and PASETO) access tokens do not get stored by the adapter anymore.
• access_token.saved event is only emitted for opaque access tokens, non-opaque tokens get emitted via access_token.issued.
• PASETO tokens were re-implemented from scratch using the new resourceIndicators implementation.
• client_credentials.saved event is only emitted for opaque access tokens, non-opaque tokens get emitted via client_credentials.issued.
• Structured (JWT and PASETO) access tokens MUST contain an audience, an error will be thrown if they don't.
• formats.jwtAccessTokenSigningAlg configuration was removed in favour of Resource Server configuration helpers.
• The default consent prompt interaction details have changed, these now include missingOIDCScopes(string[]), missingOIDClaims(string[]), missingResourceScope({ [resourceIndicator]: string[]).
• The interaction result consent structure changed. It may now only contain a single property, grantId (string) which is the identifier of a Grant (returned by calling Grant.prototype.save()).
• Session-bound artifacts no longer fail to load when the session's grant has less scopes than the artifact, instead the action will work with the intersection of currently granted scopes with the ones on the artifact.
• Sessions no longer hold the "granted" set of scopes/claims. This is now tracked in the Grant artifact instead. The following properties are no longer present on the session.authorizations[client_id] object: rejectedScopes, rejectedClaims, promptedClaims, promptedScopes.
• The following Session prototype methods have been removed: acceptedClaimsFor, acceptedScopesFor, promptedClaimsFor, promptedScopesFor, rejectedClaimsFor, rejectedScopesFor.
• OpenID Connect Session Management draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
• OpenID Connect Front-Channel Logout draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
• The jwt-ietf token format is now just jwt. The ietfJWTAccessTokenProfile feature is therefore obsolete and removed. The prior jwt format may be emulated using the formats.customizers.jwt helper function.
• Default PKCE use policy now enforces the use of PKCE code_challenge for all requests where PKCE applies. Use the pkce.required helper to revert to the old policy if you have a reason to exempt some clients from this policy.
• ctx.oidc.uid is now undefined, no random values are now generated. In places where ctx.oidc.uid was used as a source of a random value, an always fresh random value is now generated instead.
• Removed every DEBUG=* code other than error ones. Ways to debug the code will surface through logging in the future.
• The Device Flow feature resume path now longer contains the user code in the URL. Instead, deviceCode is now attached to Interaction models when part of a device authorization grant flow.
• The DeviceCode model now gets grantId property assigned only after successful consent interaction.
• Every interaction now gets a totally unique identifier, "same grant", which never actually was about grants, or consequent bounces through interaction will now each get a unique identifier.
• The features.webMessageResponseMode.scriptNonce helper was removed, all inline scripts will now have their sha256 automatically added to CSP script-src directives when one is present.
• client_id and client_secret values are now checked to conform to their ABNF syntax (%x20-7E).
• Allowing to omit a redirect_uri parameter for clients with a single one registered is now disabled by default. You can re-enable this using the allowOmittingSingleRegisteredRedirectUri configuration option.
• Configuration option cookies.short.maxAge was removed. Use ttl.Interaction configuration to define the Interaction TTL which in turn controls the cookie expiration.
• Configuration option cookies.long.maxAge was removed. Use ttl.Session configuration to define the Session TTL which in turn controls the cookie expiration.
• Configuration option cookies.short.expires was removed.
• Configuration option cookies.long.expires was removed.
• Interaction.prototype.save ttl argument is now required.
• Session.prototype.save ttl argument is now required.
• Provider.prototype.requestUriCache getter was removed.
• features.jwtUserinfo is disabled by default now.
• Removed "whitelist" Request Object merging strategy
• requestObjects.mergingStrategy configuration is now a string valued "strict" or "lax"
• requestObjects.mergingStrategy configuration is now requestObjects.mode.
• Configuration option whitelistedJWA is now enabledJWA.
• Removed HS256 as a default-enabled algorithm from the following configuration values so that all AS-issued assertions are firm to only come from the AS: whitelistedJWA.idTokenSigningAlgValues, whitelistedJWA.userinfoSigningAlgValues, whitelistedJWA.introspectionSigningAlgValues, whitelistedJWA.authorizationSigningAlgValues
• Default JWE Algorithms ("alg") now includes "dir".
• ECDH-ES KW variants are not enabled by default anymore.
• The default for JWT Access Tokens' signing algorithm is no longer the client's id_token_signed_response_alg falling back to RS256 but rather only the provider's default id_token_signed_response_alg.
• Removed built in support for urn: request uris.
• Renamed RequestUriCache.prototype.resolveWebUri to RequestUriCache.prototype.resolve
• The claims configuration property can no longer be a Map instance, only plain objects are allowed.
• request_object_signing_alg no longer means a request object must be provided, require_signed_request_object boolean value serves that purpose now as per the clarifications made in OIDF and IETF Working Groups.
• The deprecated postLogoutSuccessSource configuration property was removed, use features.rpInitiatedLogout.postLogoutSuccessSource instead.
• The deprecated logoutSource configuration property was removed, use features.rpInitiatedLogout.logoutSource instead.
• RedirectUriMismatch error was removed.
• redirect_uri_mismatch error codes are now invalid_redirect_uri.
• Only www-urlencoded bodies recognize RFC6750 payload bearer token. On the authorization server this only affects the dynamic registration features and removes an unintended side effect.
• extraAccessTokenClaims helper function is renamed to extraTokenClaims.
• The jwks_uri response is now using the proper content type application/jwk-set+json.
• Default Interaction TTL increased from 10 minutes to 1 hour.
• The following Provider instance getters/setters are removed: subdomainOffset, proxyIpHeader, maxIpsCount, keys. You can access the underlying Koa app via provider.app if you have the need to use these.
• Default clientBasedCORS helper return value is now false, you must ergo use this helper to open up cors based on your policy.
• The deprecated setS256Thumbprint token instance method is removed.
• The deprecated OIDCContext.prototype.bearer method is removed.
• removed dynamicScopes configuration option, scope configuration using pre-configured values is gone in favour of Resource Indicators refactor.
• httpOptions helper function argument is now just a URL instance. It no longer receives the "to be exec...

v6.31.1

Bug Fixes

• typescript: Interaction.prototype.session structure (#924) (76c36c7)

v6.31.0

Features

• end_session_endpoint now recognizes client_id and logout_hint (9dd2b0e)

Bug Fixes

• keep grants that persist if logged out by that grant's client (26449f5), closes #857

Performance

• use native node's base64url encoding when available (6149bd3)

v6.30.1

Features

• Authorization Server Issuer Identifier in Authorization Response (3f67ee9)
• update JARM feature draft version to Implementer's Draft 01 (0a021de)

v6.29.11

Bug Fixes

• missing login prompt details (c7b0036), closes #853

v6.29.10

Bug Fixes

• html safe guard the action attribute in form post responses (7cd6025)

v6.29.9

Bug Fixes

• typescript: interaction result may be undefined (#833) (44aa53e)
• unrecognized EC curves and OKP subtypes are ignored (660f46d)