Releases
v8.5.0
Features
add a Client static validate() method (d1f7d73)
add a helper allowing custom claims parameter validations (ec2a1f5)
add experimental support for RFC9396 - Rich Authorization Requests (e9fb573)
add response_modes client metadata allow list (76f9af0)
allow extraParams to define validations for extra parameters (b7d3322)
DPoP: add a setting to disable DPoP Proof Replay Detection (2744fc8)
DPoP: send a dpop-nonce when the proof's iat check fails and nonces are configured but not required (1b073c0)
FAPI: add FAPI 2.0 profile behaviours (5212609)
JAR: add a helper allowing custom JWT claim and header validations (be9242a)
PAR: add a setting to allow use of unregistered redirect_uri values (a7e73fa)
update Web Message Response Mode and remove its Relay Mode (a91add8)
Fixes
DPoP,mTLS: reject client configuration in which binding is required but response types include an implicit token response (cd7e0f4)
Refactor
deprecate FAPI 1.0 ID2, lax request objects, plain PKCE (3e8a784)
don't use overwrite cookie option by default (dfbcb94)
DPoP: move the accepted timespan into a constant (a8e8006)
DPoP: omit sending the dpop-nonce header if the existing one used is fresh (4d635e2)
ensure param-assigned max_age from client.defaultMaxAge is a string (0c52469)
FAPI: deprecate FAPI profile hardcoded PKCE checks (56641ec)
JAR: authorization requests with JAR now require a client_id parameter (9131cd5)
JAR: Request Objects are no longer checked for one time use (18efa70)
PAR: consume PAR after user interactions instead of before (53babe6)
store claims value parsed in non-JAR PAR (9cd865b)
use invalid_request instead of unauthorized_client (7947d87)