Releases: panva/node-oidc-provider
v8.1.1
v8.1.0
v8.0.0
⚠ BREAKING CHANGES
- Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the `clockTolerance` configuration option.
- The userinfo endpoint will no longer echo back `x-fapi-interaction-id` headers. This can be reverted using a custom pre-middleware.
- The `request_uri` parameter is no longer supported at the Device Authorization Endpoint.
- The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR, either set `features.requestObjects.requireSignedRequestObject` to `true` as a global policy or set the `require_signed_request_object` or `backchannel_authentication_request_signing_alg` client metadata.
- PAR no longer automatically enables support for JAR. To support PAR with JAR, configure both `features.pushedAuthorizationRequests` and `features.requestObjects.request`.
- CIBA no longer automatically enables support for JAR. To support CIBA with JAR, configure both `features.ciba` and `features.requestObjects.request`.
- Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the `features.pushedAuthorizationRequests.enabled` configuration option.
- Completely removed the v6.x way of setting access token formats.
- `expiresWithSession()` for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
- Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms are not allowed by default. This can be reverted using the `enabledJWA.dPoPSigningAlgValues` configuration option.
- Omitting a `redirect_uri` parameter when a single one is registered is now enabled by default (again). This can be reverted using the `allowOmittingSingleRegisteredRedirectUri` configuration option.
- `features.fapi.profile` is now a required configuration option when `features.fapi.enabled` is `true`.
- `id_token_signed_response_alg` must now be set when `id_token_encrypted_response_alg` is also set on a client.
- `userinfo_signed_response_alg` must now be set when `userinfo_encrypted_response_alg` is also set on a client.
- `introspection_signed_response_alg` must now be set when `introspection_encrypted_response_alg` is also set on a client.
- `authorization_signed_response_alg` must now be set when `authorization_encrypted_response_alg` is also set on a client.
- The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
- `request_uri` parameter support is now disabled by default. This can be reverted using the `features.requestObjects.requestUri` configuration option.
- The `httpOptions` return property `lookup` was renamed to `dnsLookup`.
- The `httpOptions` return property `timeout` was removed; return an `AbortSignal` instance as the `signal` property instead.
- `oidc-provider` is now an ESM-only module. It must now be imported using the `import` declaration or the `import()` syntax. The `Provider` constructor is the module's default export; the `errors` and `interactionPolicy` exports are the package's named exports. There is no `Provider` named export.
- `httpOptions` no longer defaults to using the npm module `cacheable-lookup` as its `dnsLookup` option. It defaults to the `node:dns` module's `lookup` export instead.
- PASETO Access Token format support was removed.
- Removed support for Node.js 12.
- Removed support for Node.js 14.
- Removed support for Node.js 16.
- Node.js LTS 18 (^18.12.0) is now required.
- Default Authorization Code duration is now 60 seconds instead of 10 minutes. This can be reverted using the `ttl.AuthorizationCode` configuration option.
- Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the `features.requestObjects.mode` configuration option.
- The "none" JWS algorithm, which was previously disabled by default, is now completely removed.
- The PBKDF2-based JWE Key Management Algorithms, which were previously disabled by default, are now completely removed.
- The client registration management update action now rotates registration access tokens by default. This can be reverted using the `features.registrationManagement.rotateRegistrationAccessToken` configuration option.
- It is no longer possible to pass Bearer tokens using the `access_token` query string parameter. This can be reverted using the `acceptQueryParamAccessTokens` configuration option.
- The `tokenEndpointAuthMethods` configuration option was renamed to `clientAuthMethods`.
- The `enabledJWA.tokenEndpointAuthSigningAlgValues` configuration option was renamed to `enabledJWA.clientAuthSigningAlgValues`.
- The non-standard `introspection_endpoint_auth_method` and `introspection_endpoint_auth_signing_alg` client metadata properties were removed. The client's `token_endpoint_auth_method` and `token_endpoint_auth_signing_alg` properties are now the only indication of how a client must authenticate at the introspection endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
- The non-standard `revocation_endpoint_auth_method` and `revocation_endpoint_auth_signing_alg` client metadata properties were removed. The client's `token_endpoint_auth_method` and `token_endpoint_auth_signing_alg` properties are now the only indication of how a client must authenticate at the revocation endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
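The following is an added example, not code from oidc-provider or its release notes. It turns the client-facing breaking changes above into a pre-upgrade check you can run over stored client metadata before moving a deployment to v8.0.0, and shows the new shape of an `httpOptions()` return value (`signal` instead of `timeout`, `dnsLookup` instead of `lookup`). The function names `lintClientForV8` and `v8HttpOptions`, the sample client, and the exact PBES2 identifiers taken to be the "PBKDF2-based" JWE algorithms are this example's own assumptions.

```javascript
// Added example for this page; not code from oidc-provider. Checks stored client
// metadata against the v8.0.0 breaking changes and shows the v8 httpOptions() shape.
// lintClientForV8, v8HttpOptions and SAMPLE_LEGACY_CLIENT are this example's own names.

// JWE key-management algorithms v8 removed outright. The PBES2 names are the IANA
// identifiers assumed to be what the notes call "PBKDF2-based".
const REMOVED_JWE_ALGS = new Set([
  'RSA1_5', 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
]);
// JWS algorithm v8 removed outright.
const REMOVED_JWS_ALGS = new Set(['none']);

// For each of these, *_encrypted_response_alg now requires *_signed_response_alg.
const RESPONSE_KINDS = ['id_token', 'userinfo', 'introspection', 'authorization'];

// Non-standard per-endpoint client auth metadata removed in v8; token_endpoint_auth_*
// now also governs introspection and revocation.
const REMOVED_CLIENT_PROPS = [
  'introspection_endpoint_auth_method', 'introspection_endpoint_auth_signing_alg',
  'revocation_endpoint_auth_method', 'revocation_endpoint_auth_signing_alg',
];

// Returns human-readable findings; an empty array means the metadata needs no change.
function lintClientForV8(client) {
  const issues = [];
  for (const kind of RESPONSE_KINDS) {
    const enc = client[`${kind}_encrypted_response_alg`];
    const sig = client[`${kind}_signed_response_alg`];
    if (enc && !sig) {
      issues.push(`${kind}_encrypted_response_alg is set but ${kind}_signed_response_alg is not (now required)`);
    }
    if (enc && REMOVED_JWE_ALGS.has(enc)) {
      issues.push(`${kind}_encrypted_response_alg uses removed algorithm ${enc}`);
    }
    if (sig && REMOVED_JWS_ALGS.has(sig)) {
      issues.push(`${kind}_signed_response_alg uses removed algorithm ${sig}`);
    }
  }
  for (const prop of REMOVED_CLIENT_PROPS) {
    if (prop in client) {
      issues.push(`${prop} was removed; that endpoint now uses token_endpoint_auth_method (${client.token_endpoint_auth_method ?? 'default'})`);
    }
  }
  if (Array.isArray(client.request_uris) && client.request_uris.length > 0) {
    issues.push('client registers request_uris but request_uri support is now disabled by default (features.requestObjects.requestUri)');
  }
  return issues;
}

// v7 returned { timeout, lookup }; v8 wants an AbortSignal as `signal` and the DNS
// resolver as `dnsLookup`. dnsLookup is omitted unless given so the v8 default
// (node:dns lookup) applies; pass a function to keep using e.g. cacheable-lookup.
function v8HttpOptions(url, { timeoutMs = 5000, dnsLookup } = {}) {
  const options = { signal: AbortSignal.timeout(timeoutMs) };
  if (dnsLookup) options.dnsLookup = dnsLookup;
  return options;
}

// v8 is ESM-only. v7's `const { Provider } = require('oidc-provider')` becomes
//   import Provider, { errors, interactionPolicy } from 'oidc-provider';
// (shown as a comment only; the package is not loaded by this example).

// Constructed sample: a v7-era client registration that trips several v8 rules.
const SAMPLE_LEGACY_CLIENT = {
  client_id: 'legacy-rp',
  redirect_uris: ['https://rp.example/cb'],
  token_endpoint_auth_method: 'private_key_jwt',
  id_token_encrypted_response_alg: 'RSA1_5',                 // removed alg, and no signed alg set
  userinfo_signed_response_alg: 'RS256',
  userinfo_encrypted_response_alg: 'RSA-OAEP',               // fine: signed alg is present
  introspection_endpoint_auth_method: 'client_secret_basic', // removed property
  request_uris: ['https://rp.example/request.jwt'],          // needs requestUri feature in v8
};
```

Run `lintClientForV8` over every stored client before upgrading; the sample above yields four findings. Note that most of the "this can be reverted" options in the list (query-string bearer tokens, lax request objects, RSA DPoP algorithms, 10-minute authorization codes) loosen security relative to the new defaults, so prefer fixing client registrations and relying parties over reverting the provider configuration.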
Features
- add UnmetAuthenticationRequirements error (3f6684a)
- bump DPoP to draft-11 (917507f)
- support DPoP nonces (8d82988)
Performance
Refactor
- change default on allowOmittingSingleRegisteredRedirectUri (d41bb0f)
- check request_uri_not_supported early (57b39a2)
- CIBA and PAR do not automatically turn on JAR (089fa43)
- Completely removed v6.x way of setting access token formats. (a2cf235)
- default code ttl down from 10 minutes down to 1 minute (f770e2d)
- default dPoPSigningAlgValues changed (9859969)
- default JAR mode is now strict instead of lax (cef63b6)
- disable query string bearer by default (059557b)
- disable request_uri support by default (3575584)
- enable PAR by default (4272027)
- expiresWithSession on authorization endpoint access tokens (cb67083)
- oidc-provider is now an ESM-only module (3c5ebe1)
- PBKDF2 JWE encryption algorithms are no longer supported (868ab2f)
- redo fapi profile checks, remove x-fapi-headers nonsense (7cf031a)
- remove default from FAPI profile configuration (0f93b8c)
- remove introspection and revocation client metadata (a6433d0)
- removed default outgoing cacheable-lookup use (7c10920)
- removed optional "none" JWS algorithm support (e654fe6)
- removed PASETO access token format support (079e2f2)
- removed support for issuing `"cty": "json"` JWEs (b4b837b)
- renamed client auth related configuration (b8e8ce9)
- require Node.js LTS 18 (ff26cf6)
- rotated registration management access tokens by default (2eb5c63)
- RSA1_5 JWE encryption algorithm is no longer supported ([a967a4e](https://github.com/p...