
Releases: panva/node-oidc-provider

v2.4.0

03 Jan 10:32
  • added a public BaseToken API. Advanced users who want features such as JWT-formatted Bearer
    tokens, or who want it to be impossible to reconstruct usable client token values from a DB
    backup, can overload these methods to get them.
  • fixed the keystore initialize method so that servers supporting only the authorization flow
    no longer need an RS256 signing key
  • fixed token introspection disclosing details of tokens that were found in storage but had
    already expired
  • fixed an exception thrown during token introspection when a client authenticating with
    method none looked up a non-existent token
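The two introspection fixes above share one rule: an unknown token and an expired-but-still-stored token must produce the same minimal answer, and a lookup miss must not throw. The following is an added example, not oidc-provider's code; the store layout, token values and the "only the issuing client gets details" policy are constructed for the illustration.

```javascript
// Added example, not oidc-provider code. RFC 7662 introspection response logic
// that gives the same minimal answer for unknown and for expired tokens, so a
// caller cannot learn client_id/scope/lifetimes of a token the DB still holds.
const epoch = () => Math.floor(Date.now() / 1000);

// Constructed sample store: token value -> stored metadata.
const SAMPLE_TOKENS = new Map([
  ['tok-live', { clientId: 'app-1', scope: 'openid profile', iat: epoch() - 60, exp: epoch() + 3600 }],
  ['tok-stale', { clientId: 'app-1', scope: 'openid', iat: epoch() - 3700, exp: epoch() - 100 }],
]);

// callerClientId: the client calling the introspection endpoint, known from
// the request even when its token_endpoint_auth_method is none.
function introspect(store, tokenValue, callerClientId, clock = epoch) {
  const token = store.get(tokenValue);
  if (!token) return { active: false };               // never issued or destroyed: no exception
  if (token.exp <= clock()) return { active: false }; // found but expired: say nothing else
  // Assumption for this example (RFC 7662 2.1 permits it): a client only
  // receives details of tokens that were issued to itself.
  if (callerClientId !== token.clientId) return { active: false };
  return {
    active: true,
    client_id: token.clientId,
    scope: token.scope,
    iat: token.iat,
    exp: token.exp,
  };
}
```

The expired branch is the one this release fixed: returning the stored `scope`, `client_id` or timestamps for a dead token lets anyone with introspection access enumerate what was once issued.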

v2.3.2

03 Jan 10:33
  • fixed interactionFinished, interactionDetails and Session#find, which expect an id retrieved
    from a cookie; when no id is found they now throw

v2.3.1

03 Jan 10:34
  • fixed devInteractions being reported with the same grant uuid

v2.3.0

03 Jan 10:34
  • added s_hash support for ID Tokens returned by the authorization endpoint
  • added symmetric encryption support for Request Objects
  • fixed PBES2 encryption to use a symmetric key derived from the client_secret instead of the
    secret's full octet value
  • fixed handling of the claims parameter when it is part of a Request Object as an object
    (rather than the JSON string used on the query string)
  • removed the A128GCMKW, A192GCMKW and A256GCMKW symmetric key-wrapping algorithms, which were
    buggy and/or did not work previously

v2.2.1

03 Jan 10:34
  • fixed encrypted Request Object parameters being incorrectly assumed to be signed (asymmetric
    request object encryption)

v2.2.0

03 Jan 10:34
  • added a clientCacheDuration option (defaults to Infinity). It defines how long a client
    configuration loaded from an adapter is kept in cache before being loaded again on the next
    request
  • removed the valid-url dependency in favor of the standard library's WHATWG url.URL

v2.1.0

03 Jan 10:34
  • added a third parameter to the findById helper: when findById is called in relation to an
    access token or an authorization code, the token instance is passed
  • added ctx.oidc.signed, an array of the parameter names that were received via a signed or
    encrypted request/request_uri parameter
  • the signed array of strings is also available in the short-lived session used for interactions
  • added a basic sequelize adapter example
  • fixed a bug where extraParams weren't recognized when passed inside a request or request_uri
    parameter
  • fixed a bug where the client credentials and refresh token adapter instances were used even if
    those grants/tokens weren't enabled
  • fixed a bug which allowed non-enabled scopes to be granted in client_credentials grants

v2.0.1

03 Jan 10:34
  • fixed infinite interactionCheck loop for application_type=native clients

v2.0.0

03 Jan 10:34

Breaking Changes

  • oidc-provider now requires node v8.0.0 or higher, for ES2015, async function and util.promisify
    support
  • internal koa (and related) dependencies updated to their respective 'next' or koa2 middleware
    compatible versions
  • the adapter must now be passed into #initialize()
  • helper functions which returned or accepted generators will no longer work; use async functions
  • helper functions no longer have the koa ctx bound to this; instead their signatures have changed
  • interactionUrl helper signature changed to (ctx, interaction) and is now awaited
  • renderError helper signature changed to (ctx, error) and is now awaited
  • uniqueness helper signature changed to (ctx, jti, expiresAt)
  • interactionCheck helper signature changed to (ctx)
  • default interactionCheck helper requires all native application client authorizations to pass
    through interactions
  • findById helper signature changed to (ctx, accountId)
  • postLogoutRedirectUri configuration option is now a helper function and is awaited too
  • default acrValues configuration option is now empty, if you used the old values ['0', '1', '2'],
    you must configure the value explicitly
  • ctx.prompted renamed to more descriptive ctx.promptPending
  • default refreshTokenRotation changed from 'none' to 'rotateAndConsume'
  • pkce.skipClientAuth removed; native clients not willing to submit secrets should be registered
    with token_endpoint_auth_method none
  • features.requestUri enabled by default with requireRequestUriRegistration
  • features.oauthNativeApps enabled by default
  • features.oauthNativeApps automatically enables features.pkce with { forcedForNative: true }
  • interaction details no longer utilize cookies to store the details and request parameters,
    short lived sessions are created and maintained via the adapter instead
  • the Integrity keystore is no longer used; tokens are now lengthy random strings and their
    metadata is stored in an unsigned (alg none) JWT, keeping the datasets the same as in 1.x
  • interaction helper provider#interactionDetails now returns a Promise, it reads the short lived
    session id and loads the details using your adapter
  • interaction helper provider.interactionFinished now returns a Promise, it reads the short lived
    session id and stores the interaction results there
  • default token TTLs shortened
  • Request Object iss (issuer) and aud (audience) values are now being validated to be equal to
    Client's identifier (iss) and the OP Issuer identifier (aud) when present in a Request Object
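The Request Object checks listed above (iss must be the client, aud must be this OP) sit in front of the merge of request object parameters with the plain query parameters, and the 2.3.0 note about `claims` arriving as an object belongs to the same step. The following is an added example of those checks, not oidc-provider's code; it assumes the request JWT has already been signature-verified or decrypted, and the query string, issuer URL and parameter values are constructed.

```javascript
// Added example, not oidc-provider code. Checks an OP applies to the payload
// of an already verified Request Object before merging it with the plain
// query parameters of the authorization request. `issuer` is this OP's
// issuer identifier; `query` is the parsed query string.
function mergeRequestObject(query, requestObject, { issuer }) {
  const ro = { ...requestObject };

  // iss, when present, must be the requesting client's identifier; aud, when
  // present, must name this OP. Rejects a request object minted for another
  // client, or for another OP, being replayed here.
  if (ro.iss !== undefined && ro.iss !== query.client_id) {
    throw new Error('invalid_request_object: iss must equal client_id');
  }
  if (ro.aud !== undefined) {
    const aud = Array.isArray(ro.aud) ? ro.aud : [ro.aud];
    if (!aud.includes(issuer)) {
      throw new Error('invalid_request_object: aud must include the issuer');
    }
  }
  delete ro.iss; // JWT claims, not authorization request parameters
  delete ro.aud;

  // A request object may not carry another request object.
  if ('request' in ro || 'request_uri' in ro) {
    throw new Error('invalid_request_object: request and request_uri must not be nested');
  }

  // response_type and client_id are required on the query string and, when
  // repeated inside the request object, must agree with it (OIDC Core 6.1).
  for (const p of ['response_type', 'client_id']) {
    if (ro[p] !== undefined && ro[p] !== query[p]) {
      throw new Error(`invalid_request_object: ${p} mismatch`);
    }
  }

  // Request object values supersede query values; the carrier parameter is dropped.
  const { request, request_uri, ...plain } = query;
  const merged = { ...plain, ...ro };

  // claims is a JSON string on the query string but a plain object inside a
  // request object; normalise to an object either way.
  if (typeof merged.claims === 'string') merged.claims = JSON.parse(merged.claims);
  return merged;
}

// Constructed sample: what the OP sees after verifying the request JWT.
const SAMPLE_ISSUER = 'https://op.example.com';
const SAMPLE_QUERY = { client_id: 'app-1', response_type: 'code', scope: 'openid', request: '<jwt>' };
const SAMPLE_REQUEST_OBJECT = {
  iss: 'app-1',
  aud: SAMPLE_ISSUER,
  response_type: 'code',
  client_id: 'app-1',
  scope: 'openid email',
  state: 'af0ifjsldkj',
  claims: { id_token: { email: null } },
};
```

The iss/aud checks only fire when the claims are present, which is what the release note says; an OP that wants to require them for every request object would make the absent case an error as well.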

New features

  • a static function named connect can now be present on an Adapter class; it will be awaited
    during initialization, use it to establish the necessary adapter connections
  • introspection and revocation endpoint authentication now have dedicated settings and properties;
    unless specific settings for those are provided they default to the token_endpoint equivalents,
    which allows for fine-tuning without disrupting existing behavior
  • new client metadata supported:
    • introspection_endpoint_auth_method
    • introspection_endpoint_auth_signing_alg
    • revocation_endpoint_auth_method
    • revocation_endpoint_auth_signing_alg
  • new configuration properties:
    • introspectionEndpointAuthMethods
    • introspectionEndpointAuthSigningAlgValues
    • unsupported.introspectionEndpointAuthSigningAlgValues
    • revocationEndpointAuthMethods
    • revocationEndpointAuthSigningAlgValues
    • unsupported.revocationEndpointAuthSigningAlgValues
  • new discovery properties:
    • introspection_endpoint_auth_methods_supported
    • introspection_endpoint_auth_signing_alg_values_supported
    • revocation_endpoint_auth_methods_supported
    • revocation_endpoint_auth_signing_alg_values_supported
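The static connect hook from the "New features" list, together with the adapter-backed short-lived sessions from the breaking changes, means the adapter is now the only persistence layer the provider has. The following is an added example of a minimal in-memory adapter, not oidc-provider's code or its bundled example adapter: the instance method set (constructor(name), upsert, find, consume, destroy) is my reading of the 2.x adapter contract and the `provider` argument to connect is an assumption, so check the repository's example adapter before relying on either.

```javascript
// Added example, not oidc-provider code. A minimal in-memory adapter shaped
// like the 2.x adapter contract as I read it, plus the static connect hook.
// Method names and the connect(provider) argument are assumptions; verify them
// against the repository's example adapter.
const epochTime = () => Math.floor(Date.now() / 1000);
let connectCalls = 0;

class MemoryAdapter {
  constructor(name) {
    this.name = name;         // model name, e.g. 'AccessToken', 'Client', 'Session'
    this.storage = new Map(); // id -> { payload, expiresAt }
  }

  // Awaited once by the provider during initialization: open pools, verify
  // connectivity, and fail fast if the store is unreachable instead of
  // discovering it on the first authorization request.
  static async connect(provider) {
    connectCalls += 1;
    return true;
  }

  async upsert(id, payload, expiresIn) {
    const expiresAt = expiresIn ? epochTime() + expiresIn : undefined;
    this.storage.set(id, { payload, expiresAt });
  }

  async find(id) {
    const entry = this.storage.get(id);
    if (!entry) return undefined;
    // Expired records are treated as absent even if the store still holds them,
    // so a stale token can never be resurrected by a slow cleanup job.
    if (entry.expiresAt !== undefined && entry.expiresAt <= epochTime()) {
      this.storage.delete(id);
      return undefined;
    }
    return entry.payload;
  }

  // Marks an authorization code or a rotated refresh token as used; the
  // provider refuses a consumed token on a second presentation.
  async consume(id) {
    const entry = this.storage.get(id);
    if (entry) entry.payload.consumed = epochTime();
  }

  async destroy(id) {
    this.storage.delete(id);
  }
}

function connectCount() {
  return connectCalls;
}
```

With `rotateAndConsume` now the default refresh token rotation, `consume` is on the hot path: an adapter that implements it as a no-op silently turns rotation off and makes replay of a rotated refresh token possible.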