Releases: panva/node-oidc-provider
Releases · panva/node-oidc-provider
v2.4.0
- added BaseToken public API, this API enables advanced users in search of features such as JWT-formatted
Bearer tokens or not being able to reconstruct client token values from a DB backup to overload
these methods and get those features. - fixed keystore initialize method to allow for servers only supporting authorization flow not needing
RS256 signature key - fixed token introspection disclosing details for expired but found tokens
- fixed exception during token introspection auth
none
clients looking up non-existing tokens
v2.3.2
v2.3.1
v2.3.0
- added
s_hash
support for ID Tokens returned by authorization endpoint - added Request Object symmetrical encryption support
- fixed PBES2 encryption to use client_secret derived symmetrical key instead of its full octet value
- fixed
claims
parameter handling when part of a Request object as an object - removed bugged? and/or previously not working
A(128|192|256)GCMKW
symmetrical encryption algs
v2.2.1
v2.2.0
- added a
clientCacheDuration
option (defaults toInfinity
), this option defines the time a client
configuration loaded from an adapter will be kept in cache before being loaded again with the next
request - removed
valid-url
dependency in favor of STDLIB's WHATWGurl.URL
v2.1.0
- added a third parameter for
findById
helper, whenfindById
is used in relation to an access
token or an authorization code the token instance will be passed - added
ctx.oidc.signed
with an array of parameter names which were received using a signed or
encrypted request/Uri parameter. signed
array of strings is available in the short lived session for interactions- added basic sequelize adapter example
- fixed a bug where extraParams weren't recognized when part of a
request
orrequest_uri
parameters - fixed a bug where client credential and refresh token adapter instances were used even if these
grants/tokens weren't enabled - fixed a bug which allowed for non-enabled scopes to be added in client_credential grants
v2.0.1
v2.0.0
Breaking Changes
- oidc-provider now requires node v8.0.0 or higher for ES2015, async function and utils.promisify support
- internal koa (and related) dependencies updated to their respective 'next' or koa2 middleware
compatible versions - adapter must now be passed into
#initialize()
- helper functions which returned or accepted generators will no longer work, use async functions
- helper functions no longer have koa ctx bound to
this
, instead their signature is changed - interactionUrl helper signature changed to (ctx, interaction) and is now awaited
- renderError helper signature changed to (ctx, error) and is now awaited
- uniqueness helper signature changed to (ctx, jti, expiresAt)
- interactionCheck helper signature changed to (ctx)
- default interactionCheck helper requires all native application client authorizations to pass
through interactions - findById helper signature changed to (ctx, accountId)
postLogoutRedirectUri
configuration option is now a helper function and is awaited to- default acrValues configuration option is now empty, if you used the old values
['0', '1', '2']
,
you must configure the value explicitly ctx.prompted
renamed to more descriptivectx.promptPending
- default refreshTokenRotation changed from 'none' to 'rotateAndConsume'
- pkce.skipClientAuth removed, native clients not willing to submit secrets should be registered
with method none features.requestUri
enabled by default with requireRequestUriRegistrationfeatures.oauthNativeApps
enabled by defaultfeatures.oauthNativeApps
automatically enablesfeatures.pkce
with{ forcedForNative: true }
- interaction details no longer utilize cookies to store the details and request parameters,
short lived sessions are created and maintained via the adapter instead - Integrity keystore is no longer used, random strings are used to generate a lengthy token,
a none signed JWT is used to store the metadata, keeping the datasets the same as 1.x - interaction helper
provider#interactionDetails
now returns a Promise, it reads the short lived
session id and loads the details using your adapter - interaction helper
provider.interactionFinished
now returns a Promise, it reads the short lived
session id and stores the interaction results there - default token TTLs shortened
- Request Object
iss
(issuer) andaud
(audience) values are now being validated to be equal to
Client's identifier (iss
) and the OP Issuer identifier (aud
) when present in a Request Object
New features
static
function namedconnect
can now be present on an Adapter prototype, this will be awaited
during initialization, use to establish the necessary adapter connections- introspection and revocation endpoint authentication now has dedicated settings and properties,
unless specific settings for those are provided they default to what's provided for token_endpoint
equivalents, this allows for fine-tuning while not disrupting existing behavior - new client metadata supported:
- introspection_endpoint_auth_method
- introspection_endpoint_auth_signing_alg
- revocation_endpoint_auth_method
- revocation_endpoint_auth_signing_alg
- new configuration properties:
- introspectionEndpointAuthMethods
- introspectionEndpointAuthSigningAlgValues
- unsupported.introspectionEndpointAuthSigningAlgValues
- revocationEndpointAuthMethods
- revocationEndpointAuthSigningAlgValues
- unsupported.revocationEndpointAuthSigningAlgValues
- new discovery properties:
- introspection_endpoint_auth_methods_supported
- introspection_endpoint_auth_signing_alg_values_supported
- revocation_endpoint_auth_methods_supported
- revocation_endpoint_auth_signing_alg_values_supported