oidc-provider

This module provides an OAuth 2.0 (RFC 6749) Authorization Server with support for OpenID Connect (OIDC) and many other additional features and standards.

Table of Contents

• Implemented specs & features
• Certification
• Documentation & Configuration
• Community Guides
• Events

Implemented specs & features

The following specifications are implemented by oidc-provider (not exhaustive):

Note that not all features are enabled by default, check the configuration section on how to enable them.

• RFC6749 - OAuth 2.0 & OIDC Core 1.0
• OIDC Discovery 1.0
• Dynamic Client Registration
  • OIDC Dynamic Client Registration 1.0
  • RFC7591 - OAuth 2.0 Dynamic Client Registration Protocol
  • RFC7592 - OAuth 2.0 Dynamic Client Registration Management Protocol
• OIDC RP-Initiated Logout 1.0
• OIDC Back-Channel Logout 1.0
• RFC7009 - OAuth 2.0 Token Revocation
• RFC7636 - Proof Key for Code Exchange (PKCE)
• RFC7662 - OAuth 2.0 Token Introspection
• RFC8252 - OAuth 2.0 for Native Apps BCP (AppAuth)
• RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow)
• RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS)
• RFC8707 - OAuth 2.0 Resource Indicators
• RFC9101 - OAuth 2.0 JWT-Secured Authorization Request (JAR)
• RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)
• RFC9207 - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
• RFC9449 - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
• RFC9701 - JWT Response for OAuth Token Introspection
• FAPI 1.0 Security Profile - Part 2: Advanced (FAPI 1.0)
• FAPI 2.0 Security Profile (FAPI 2.0)
• JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• OIDC Client Initiated Backchannel Authentication Flow (CIBA)

Supported Access Token formats:

• Opaque
• JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

The following draft specifications are implemented by oidc-provider:

• Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01
• FAPI 2.0 Message Signing (FAPI 2.0) - Implementer's Draft 01

Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively acknowledge the version and be notified of breaking changes as part of your CI.

Certification

Filip Skokan has certified that oidc-provider conforms to the following profiles of the OpenID Connect™ protocol.

• Basic, Implicit, Hybrid, Config, Form Post, and 3rd Party-Init
• Back-Channel Logout and RP-Initiated Logout
• FAPI 1.0
• FAPI CIBA
• FAPI 2.0

Sponsor

If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan. Create an Auth0 account; it's free!

Support

If you or your company use this module, or you need help using/upgrading the module, please consider becoming a sponsor so I can continue maintaining it and adding new features carefree. The only way to guarantee you get feedback from the author & sole maintainer of this module is to support the package through GitHub Sponsors.

Documentation & Configuration

oidc-provider can be mounted to existing connect, express, fastify, hapi, or koa applications, see how. The authorization server allows to be extended and configured in various ways to fit a variety of uses. See the documentation and example folder.

import * as oidc from "oidc-provider";

const provider = new oidc.Provider("http://localhost:3000", {
  // refer to the documentation for other available configuration
  clients: [
    {
      client_id: "foo",
      client_secret: "bar",
      redirect_uris: ["http://lvh.me:8080/cb"],
      // ... other client properties
    },
  ],
});

const server = oidc.listen(3000, () => {
  console.log(
    "oidc-provider listening on port 3000, check http://localhost:3000/.well-known/openid-configuration",
  );
});

External type definitions are available via DefinitelyTyped.

Community Guides

Collection of Community-maintained configuration use cases are in the Community Guides Discussions section

Events

oidc-provider instances are event emitters, using event handlers you can hook into the various actions and i.e. emit metrics that react to specific triggers. See the list of available emitted event names and their description.

Supported Versions

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

9.0.1 (2025-04-17)

Documentation

• mark experimental features more distinctly (986adc5)
• update references and styling of spec links (a4787b8)

Fixes

• DCR endpoints only include www-authenticate for non-registration related errors (9a864d6)

Refactor

• client schema defaults and static props (843943d)
• handle frame-ancestors in wmrm without a regexp (4f85585)
• push multiple elements to the recognized array in client_schema (d478a8b)
• simpler DCR validate registration access token (5f01eda)

9.0.0 (2025-04-15)

⚠ BREAKING CHANGES

• authorization and logout endpoints no longer support the HTTP POST method by default, this can be re-enabled using the enableHttpPostMethods boolean configuration, this also requires that cookies.long.sameSite is set to none
• cookie session sameSite attribute default is now "lax" instead of "none"
• userinfo requests with bearer tokens will now fail if they also include DPoP
• userinfo now includes both dpop and bearer challenges when dpop is enabled
• accessing protected resources without an access token will now yield a 401 HTTP Status Code instead of a 400
• default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
• removed the provider.Account getter
• all Provider routes will now end the HTTP request when finished, koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, "upstream" control flows are unaffected
• the Provider no longer includes a catch-all 404 Not Found error handler
• FAPI profile behaviours no longer force PKCE, these should be forced by configuring the pkce.required configuration helper the default of which already does so.
• the server's JWK Key IDs (JWK kid parameter) now must be unique, no two keys must use the same kid.
• the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation, its default return remains false for this case though
• CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id
• authorization code grant type issued ID Tokens no longer include at_hash
• device authorization grant type issued ID Tokens no longer include at_hash
• refresh token grant type issued ID Tokens no longer include at_hash
• implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
• global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.
• the httpOptions configuration option was removed and a new option to accomodate the use of fetch() interface was added. This options is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
• Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
• removed support for Passing a Request Object by Reference (JAR request_uri)
• removed legacy sameSite cookie fallback
• removed support for Node.js 18.x
• removed support for Node.js 20.x
• removed the pkce.methods configuration
• removed the features.requestObjects.mode configuration
• removed support for Ed448
• removed support for X448
• removed support for secp256k1 / ES256K
• removed support for FAPI 1.0 ID2

Features

• Access Token revocation may now also optionally revoke the underlying grant (4f69668)
• add support for the fully-specified Ed25519 JWS Algorithm Identifier (645b900)
• DPoP support is now enabled by default (a5694af)
• Experimental support for external signing keys, e.g. in a KMS or HSM (8b3ceff)
• expose current requests' ctx via Provider.ctx static getter (1fbd81b)
• update FAPI 2.0 implementation to FAPI 2.0 Final (eff3115)

Documentation

• auto-format code blocks (c2c520f)
• dpop cannot acked anymore, it is stable (a48c51f)
• improvements to linked resources (cf77770)
• mention external types (5f8a450)
• move adapters to the Community Guides Discussions section (ba806ca)
• move recipes to the Community Guides Discussions section (cd8da28)
• remove mentions of the connect server framework (7cb1aaa)
• update README to use named exports (8355886)
• update version support matrix (abbfe2f)

Fixes

• no access token provided error is now a 401 (8493e2d)
• userinfo now includes both dpop and bearer challenges when dpop is enabled (1093f6b)

Refactor

• change default PKCE usage requirement (fdf8ad8)
• change default session cookie from sameSite none to lax (b47eee8)
• cleanup unused azp claim code (6c57e63)
• deprecate the .app getter (9b61212)
• disable HTTP POST Method handling of authorization and logout endpoints (d56304c)
• encryption and key derivation is not blocking the main thread (73a422f)
• ensure all route handlers are final (8cc44e6)
• escape www-authenticate backslashes despite not directly using them (e789b98)
• increase all random identifiers from ~126 bits of randomness to ~256 (45721f8)
• minimal change to support koa@3 (925cee5)
• no more warnings if cookie keys are missing (7ab6157)
• omit generic "typ: JWT" in issued JSON Web Tokens (4eb4004)
• pass over internal configuration getters (0243964)
• Provider is now the Koa application instance (167216e)
• remove hardcoded require PKCE checks (be0b2fd)
• remove object-hash dependency (fda9385)
• remove optional ID Token _hash claims (58ca2c2)
• remove the provider.Account getter (dd2bde4)
• remove unused code (e5fc3cb)
• remove uses of randomFill and Buffer.allocUnsafe (00fe106)
• removed legacy sameSite cookie fallback (2defa70)
• removed support for FAPI 1.0 ID2 (311e3e2)
• removed support for Passing a Request Object by Reference (JAR request_uri) (bacf375)
• removed the features.requestObjects.mode configuration (4ec8327)
• removed the pkce.methods configuration (4a736b8)
• Request Object (JAR) is now enabled with features.requestObjects.enabled (20d60a4)
• simplify default assertJwtClaimsAndHeader configuration (1ea27a6)
• update Node.js support matrix (db57556)
• use fetch() api to make outgoing HTTP requests (cc70e5a)
• use hkdf in dpop's rolling nonce calculation (7b77967)
• use more optional chaining (e5539ae)
• use oneshot hash methods instead of intermediate Hash objects (2dc4bd1)
• use structuredClone instead of JSON.stringify then parse (ad02170)
• use URL.parse (11e1b33)
• userinfo requests with bearer tokens will now fail if they also include DPoP (e5efa5c)

8.8.1 (2025-03-06)

Fixes

• add "exp" to Logout Tokens (c6c01f1), closes #1295

Documentation

• update spec links (076ee58)

8.8.0 (2025-02-17)

Features

• mark RFC9701 (features.jwtIntrospection) as stable (e2a2de2)

8.7.0 (2025-02-13)

Features

• allow own KeyGrip instances in cookies.keys configuration (d5d2900)

8.6.1 (2025-01-19)

Fixes

• allow specifying the user-agent header for outgoing requests (#1287) (c77513c)

8.6.0 (2024-11-21)

Features

• add a helper for asserting JWT Client Auth claims and header (82d4e50)

Documentation

• update verbiage "provider" > "authorization server" (3768192)

Refactor

• move assertJwtClaimsAndHeader after regular JWT claims set validation (05f6bf4)

8.5.3 (2024-11-05)

Fixes

• normalize single string set-cookie headers (6effeed)

8.5.2 (2024-10-19)

Refactor

• remove use of node:url in favour of WHATWG URL (0dc59a1)

Documentation

• update docs/README.md (07f6333)

8.5.1 (2024-07-03)

Documentation

• update README.md (41a7a0b)

Refactor

• build: export Provider also as a named export (083c7c4)

8.5.0 (2024-06-28)

Features

• add a Client static validate() method (d1f7d73)
• add a helper allowing custom claims parameter validations (ec2a1f5)
• add experimental support for RFC9396 - Rich Authorization Requests (e9fb573)
• add response_modes client metadata allow list (76f9af0)
• allow extraParams to define validations for extra parameters (b7d3322)
• DPoP: add a setting to disable DPoP Proof Replay Detection (2744fc8)
• DPoP: send a dpop-nonce when the proof's iat check fails and nonces are configured but not required (1b073c0)
• FAPI: add FAPI 2.0 profile behaviours (5212609)
• JAR: add a helper allowing custom JWT claim and header validations (be9242a)
• PAR: add a setting to allow use of unregistered redirect_uri values (a7e73fa)
• update Web Message Response Mode and remove its Relay Mode (a91add8)

Fixes

• DPoP,mTLS: reject client configuration in which binding is required but response types include an implicit token response (cd7e0f4)

Refactor

• deprecate FAPI 1.0 ID2, lax request objects, plain PKCE (3e8a784)
• don't use overwrite cookie option by default (dfbcb94)
• DPoP: move the accepted timespan into a constant (a8e8006)
• DPoP: omit sending the dpop-nonce header if the existing one used is fresh (4d635e2)
• ensure param-assigned max_age from client.defaultMaxAge is a string (0c52469)
• FAPI: deprecate FAPI profile hardcoded PKCE checks (56641ec)
• JAR: authorization requests with JAR now require a client_id parameter (9131cd5)
• JAR: Request Objects are no longer checked for one time use (18efa70)
• PAR: consume PAR after user interactions instead of before (53babe6)
• store claims value parsed in non-JAR PAR (9cd865b)
• use invalid_request instead of unauthorized_client (7947d87)

8.4.7 (2024-06-20)

Fixes

• include ID Token auth_time when client's default_max_age is zero (bebda04)

8.4.6 (2024-04-23)

Documentation

• adds events and debugging recipe (#1246) (0bf7696)
• fix client_secret_basic special characters encoding example (73baae1)
• re-run update docs (99cc84a)

Refactor

• avoid iteration resource iteration in client_credentials (e306640)
• avoid use of prototype attributes in object-hash (270af1d)
• use logical or assignment (8f55588)

Fixes

• ensure each individual resource indicator is a valid URI (d9e1ad2)

8.4.5 (2024-01-17)

Refactor

• use doc argument in web_message js code (da3198b)

Fixes

• add missing opening html tags (23997c5)
• DPoP: mark defaulted dpop_jkt parameter as trusted (ee633f3)

8.4.4 (2024-01-08)

Refactor

• test decoded basic auth tokens for their VSCHAR pattern (3f86cc0)

Fixes

• DPoP,PAR,JAR: validate DPoP before invalidating JAR during PAR (ca0f999)

8.4.3 (2023-12-14)

8.4.2 (2023-12-02)

Fixes

• reject client JSON Web Key Set null value (#1237) (cce6d43)

8.4.1 (2023-10-25)

8.4.0 (2023-09-08)

Features

• DPoP: remove experimental flag, DPoP is now RFC9449 (89d133e)

8.3.2 (2023-09-02)

Fixes

• assign extraTokenClaims return to the model (e296dc7)

8.3.1 (2023-08-30)

Fixes

• DPoP: compare htu scheme and hostname case independent (b72d668)

8.3.0 (2023-08-27)

Features

• allow specifying the user-agent header for outgoing requests (95f24ef)

8.2.2 (2023-05-30)

Fixes

• ignore non-existent resource scopes during refresh (#1222) (bdf23ba)

8.2.1 (2023-05-06)

Fixes

• ignore post_logout_redirect_uris when logout is disabled (#1221) (d7dd6cf)

8.2.0 (2023-04-24)

Features

• add correlation identifier to interactions (#1218) (c072352)

8.1.2 (2023-04-21)

8.1.1 (2023-03-09)

8.1.0 (2023-01-23)

Features

• mTLS.getCertificate helper can return a X509Certificate object (be3f47f)

8.0.0 (2022-12-03)

⚠ BREAKING CHANGES

• Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the clockTolerance configuration option.
• The userinfo endpoint will no longer echo back x-fapi-interaction-id headers. This can be reverted using a custom pre-middleware.
• request_uri parameter is no longer supported at the Device Authorization Endpoint.
• The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set features.requestObjects.requireSignedRequestObject to true as a global policy or set require_signed_request_object or backchannel_authentication_request_signing_alg client metadata.
• PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both features.pushedAuthorizationRequests and features.requestObjects.request.
• CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both features.ciba and features.requestObjects.request.
• Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the features.pushedAuthorizationRequests.enabled configuration option.
• Completely removed v6.x way of setting access token formats.
• expiresWithSession() for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
• Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the enabledJWA.dPoPSigningAlgValues configuration option.
• Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the allowOmittingSingleRegisteredRedirectUri configuration option.
• features.fapi.profile is now a required configuration option when features.fapi.enabled is true.
• id_token_signed_response_alg now must be set when id_token_encrypted_response_alg is also set on a client.
• userinfo_signed_response_alg now must be set when userinfo_encrypted_response_alg is also set on a client.
• introspection_signed_response_alg now must be set when introspection_encrypted_response_alg is also set on a client.
• authorization_signed_response_alg now must be set when authorization_encrypted_response_alg is also set on a client.
• The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
• request_uri parameter support is now disabled by default. This can be reverted using the features.requestObjects.requestUri configuration option.
• httpOptions return property lookup was renamed to dnsLookup.
• httpOptions return property timeout was removed, return an AbortSignal instance as signal property instead.
• oidc-provider is now an ESM-only module, it must now be imported using the import declaration or the import() syntax, the Provider constructor is the module's default export, the errors and interactionPolicy exports are the package's named exports. There is no Provider named export.
• httpOptions no longer defaults to using the npm module cacheable-lookup as its dnsLookup option. It defaults to node:dns module's lookup export instead.
• PASETO Access Token format support was removed.
• Removed support for Node.js 12.
• Removed support for Node.js 14.
• Removed support for Node.js 16.
• Node.js LTS 18 (^18.12.0) is now required.
• Default Authorization Code duration is now 60 seconds instead of 10 minutes. This can be reverted using the ttl.AuthorizationCode configuration option.
• Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the features.requestObjects.mode configuration option.
• The "none" JWS algorithm, which was previously disabled by default, is now completely removed.
• The PBKDF2 based JWE Key Management Algorithms, which were previously disabled by default, are now completely removed.
• The client registration management update action now rotates registration access tokens by default. This can be reverted using the features.registrationManagement.rotateRegistrationAccessToken configuration option.
• It is no longer possible to pass Bearer tokens using the access_token query string parameter. This can be reverted using the acceptQueryParamAccessTokens configuration option.
• The tokenEndpointAuthMethods configuration method was renamed to clientAuthMethods.
• The enabledJWA.tokenEndpointAuthSigningAlgValues configuration method was renamed to enabledJWA.clientAuthSigningAlgValues.
• The non-standard introspection_endpoint_auth_method, and introspection_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
• The non-standard revocation_endpoint_auth_method, and revocation_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the revocation endpoint. The accompanying JWA and authentication methods configuration properties were also removed.

Features

• add UnmetAuthenticationRequirements error (3f6684a)
• bump DPoP to draft-11 (917507f)
• support DPoP nonces (8d82988)

Performance

• replace native asserts (1f77781), closes #1204 #1205

Refactor

• change default on allowOmittingSingleRegisteredRedirectUri (d41bb0f)
• check request_uri_not_supported early (57b39a2)
• CIBA and PAR do not automatically turn on JAR (089fa43)
• Completely removed v6.x way of setting access token formats. (a2cf235)
• default code ttl down from 10 minutes down to 1 minute (f770e2d)
• default dPoPSigningAlgValues changed (9859969)
• default JAR mode is now strict instead of lax (cef63b6)
• disable query string bearer by default (059557b)
• disable request_uri support by default (3575584)
• enable PAR by default (4272027)
• expiresWithSession on authorization endpoint access tokens (cb67083)
• oidc-provider is now an ESM-only module (3c5ebe1)
• PBKDF2 JWE encryption algorithms are no longer supported (868ab2f)
• redo fapi profile checks, remove x-fapi-headers nonsense (7cf031a)
• remove default from FAPI profile configuration (0f93b8c)
• remove introspection and revocation client metadata (a6433d0)
• removed default outgoing cacheable-lookup use (7c10920)
• removed optional "none" JWS algorithm support (e654fe6)
• removed PASETO access token format support (079e2f2)
• removed support for issuing "cty": "json" JWEs (b4b837b)
• renamed client auth related configuration (b8e8ce9)
• require Node.js LTS 18 (ff26cf6)
• rotated registration management access tokens by default (2eb5c63)
• RSA1_5 JWE encryption algorithm is no longer supported (a967a4e)
• set default clock skew tolerance to 15 seconds (42c00da)
• update http request options (2fd5eda)

7.14.3 (2022-12-01)

Fixes

• memory adapter grant references for intended models (357ced3)

7.14.2 (2022-11-30)

Fixes

• build client symmetric keys from all client signing alg properties (a26f87d)

7.14.1 (2022-11-22)

Fixes

• url encode client_id returned in registration responses (500dfeb)

7.14.0 (2022-11-09)

Features

• graduate jwtResponseModes (JARM) feature as stable (7b878cd)

7.13.0 (2022-10-26)

Features

• enable v18 LTS in package.json (e423b4d)

7.12.0 (2022-09-13)

Features

• graduate backchannelLogout feature as stable (617e260)

Fixes

• ignore instead of throw on unverified post_logout_redirect_uri (04b1096)

7.11.5 (2022-07-16)

Fixes

• PAR: set additional stored PAR object properties on plain requests (1be15fa)
• PAR: skip stored PAR object alg validation when it's being used (406caa4)

7.11.4 (2022-07-04)

Fixes

• arrow & static class methods as adapter factories (#1197) (cee552f)

7.11.3 (2022-06-13)

Fixes

• httpOptions helper (#1194) (80fe961)

7.11.2 (2022-05-16)

Fixes

• updated signed to trusted in the Interaction model (#1192) (eb91aea)

7.11.1 (2022-04-25)

Fixes

• client schema invalidation code not set (edf22fb)

7.11.0 (2022-04-20)

Features

• allow native app callbacks in client post_logout_redirect_uris (3fca22b)
• bump backchannelLogout to draft-07 (95611d9)
• graduate issAuthResp feature as stable and enable by default (e774f60)

Fixes

• ensure jwt replay detection takes clockTolerance into account (f167233)

7.10.6 (2022-01-07)

Fixes

• substr > slice change in mountPath should have been substring (adc0d63)

7.10.5 (2022-01-04)

Fixes

• resourceIndicators: await the result of useGrantedResource (#1173) (64a8028)

7.10.4 (2021-12-05)

Fixes

• add iss to error responses when issAuthResp is enabled (05ac3a8)

7.10.3 (2021-12-04)

Fixes

• expose invalid_dpop_proof error code and set it to 401 on userinfo (2628d7e)

7.10.2 (2021-11-28)

Fixes

• use paseto configuration from getResourceServerInfo (#1150) (02c821d)

7.10.1 (2021-11-16)

Fixes

• clearly mark that multiple pop mechanisms are not allowed (49eed4c)

7.10.0 (2021-11-04)

Features

• duplicate iss and aud as JWE Header Parameters (b26ea44)

7.9.0 (2021-10-26)

Features

• add LTS Gallium as a supported runtime version (19b4d0d)

7.8.1 (2021-10-12)

Bug Fixes

• use insufficient_scope instead of invalid_scope at userinfo_endpoint (ba8a8f0)

7.8.0 (2021-09-15)

Features

• OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (3c54d8d)

7.7.0 (2021-09-02)

Features

• CIBA Core 1.0 is now a stable feature (cc8bc0d)

7.6.0 (2021-08-03)

Features

• support v3.local, v3.public, and v4.public paseto access tokens format (aca5813)

7.5.4 (2021-07-21)

Bug Fixes

• add missing x-ua-compatible to form_post and dag input (f773669), closes #1052

7.5.3 (2021-07-19)

Bug Fixes

• memory adapter grant references for intended models (2fe4dc8)

7.5.2 (2021-07-19)

Bug Fixes

• use correct keystore select method for paseto access tokens (ce394bc)

7.5.1 (2021-06-24)

Bug Fixes

• issue id tokens with claims when resource is used (#1038) (4b16c71)

7.5.0 (2021-06-23)

Features

• use 303 See Other HTTP response status code for built in redirects (c243bf6)

7.4.1 (2021-05-29)

Bug Fixes

• handle backchannel requests in grant revocation (8fe9aec)

7.4.0 (2021-05-28)

⚠ BREAKING CHANGES

• fapi: Draft feature fapiRW was replaced by a stable fapi feature.
• fapi: The default profile for the new fapi feature is Financial-grade API Security Profile 1.0 - Part 2: Advanced (Final) rather than Financial-grade API - Part 2: Read and Write API Security Profile (ID2). ID2 albeit being an Implementer's Draft remains a possible features.fapi.profile option

Features

• fapi: FAPI (Final and ID2) is now a stable feature (4f52a4c)
• resourceIndicators: allow omitting resource parameter at the token endpoint (0309ec0), closes /github.com/panva/node-oidc-provider/discussions/989#discussioncomment-676812 #989
• Client Initiated Backchannel Authentication (CIBA) and FAPI-CIBA-ID1 (a217484)

Bug Fixes

• deviceFlow: ensure pairwise device flow clients prove ownership of their jwks_uri (ec99201)
• remove default got user-agent (d65187c)
• skip validating client redirect_uris presence when not required (90965bb)

7.3.2 (2021-05-13)

Bug Fixes

• account claims scope argument type during refresh token exchange (bd1bee1), closes #1000

7.3.1 (2021-04-09)

Bug Fixes

• store original PAR signed request object after decryption (fa26e55)

7.3.0 (2021-04-08)

⚠ BREAKING CHANGES

• DPoP implementation updated to draft-ietf-oauth-dpop-03

Features

• update DPoP implementation to ietf draft 03 (d08126f)

7.2.0 (2021-04-01)

Features

• enable customizing client auth jwt assertion expected audience (e6286a6)

7.1.3 (2021-03-24)

Bug Fixes

• interaction uid is now an alias to its jti, it is not stored anymore either (2d85768)
• keyselection for ecdh when both OKP and EC are present (a0f8f7d)

7.1.2 (2021-03-15)

Bug Fixes

• v1.paseto token alg keystore value to be PS384 instead of RS384 (ae1f879)

7.1.1 (2021-03-10)

Bug Fixes

• save the grantId reference field with an interaction session (6cab64e)
• typo in consent detail missingOIDClaims -> missingOIDCClaims (1427383)

7.1.0 (2021-03-05)

Features

• allow control of which errors flow back to client's redirect_uri (219cd45)
• server_error codes no longer redirect back to clients (b591d7f)

7.0.0 (2021-03-03)

⚠ BREAKING CHANGES

• PAR no longer remaps all errors as invalid_request_object.
• IdToken.prototype.issue now requires the use option.
• JWT Header Parameter client_id in Request Objects is now ignored.
• Request Objects now require iss and aud claims.
• OIDCContext.prototype.dPoP getter was removed.
• BaseToken.prototype.setThumbprint jkt mode now expects the string thumbprint value instead of the jose.JWK instance.
• Client JWKS kid values are no longer automatically calculated per RFC7638 when missing. As a result when client's public keys are used to encrypt assertions the kid header will be missing when such keys are used.
• Provider constructor will now reject JWKS that serve no purpose (e.g. are only usable for encryption but encryption is disabled).
• Client and Provider JWKS are validated to be syntactically correct as before but only resolve to a crypto.KeyObject when they're used.
• sector_identifier_uri is now verified regardless of client's subject_type when provided.
• response_type=token is no longer supported
• Session.prototype.accountId function was removed, it is just a property access now.
• Session adapter payload property account was renamed to accountId.
• Interactions result login.account was renamed to login.accountId
• Session.prototype.loginAccount option account was renamed to accountId
• TypeScript type definitions are no longer bundled with the package, instead these will be re-published to DefinitelyTyped.
• configuration.features.resourceIndicators was completely re-implemented.
• configuration.audiences helper function was removed, use the resourceIndicators feature instead.
• Access Tokens with an audience can no longer be used to access the userinfo endpoint.
• Only a single audience ("aud") is permitted in Access Tokens and Client Credential tokens.
• Structured (JWT and PASETO) access tokens Access Tokens no longer default to using the clientId as audience, if no audience is specified an Error is throw indicating that issuing a structured token is probably not needed for a token only usable at the userinfo_endpoint.
• Only opaque access tokens without an audience may be used to access the userinfo_endpoint.
• Only opaque access tokens may be introspected using the introspection_endpoint.
• Only opaque access tokens may be revoked using the revocation_endpoint.
• Only opaque access tokens get stored using the adapter.
• Structured (JWT and PASETO) access tokens do not get stored by the adapter anymore.
• access_token.saved event is only emitted for opaque access tokens, non-opaque tokens get emitted via access_token.issued.
• PASETO tokens were re-implemented from scratch using the new resourceIndicators implementation.
• client_credentials.saved event is only emitted for opaque access tokens, non-opaque tokens get emitted via client_credentials.issued.
• Structured (JWT and PASETO) access tokens MUST contain an audience, an error will be thrown if they don't.
• formats.jwtAccessTokenSigningAlg configuration was removed in favour of Resource Server configuration helpers.
• The default consent prompt interaction details have changed, these now include missingOIDCScopes(string[]), missingOIDClaims(string[]), missingResourceScope({ [resourceIndicator]: string[]).
• The interaction result consent structure changed. It may now only contain a single property, grantId (string) which is the identifier of a Grant (returned by calling Grant.prototype.save()).
• Session-bound artifacts no longer fail to load when the session's grant has less scopes than the artifact, instead the action will work with the intersection of currently granted scopes with the ones on the artifact.
• Sessions no longer hold the "granted" set of scopes/claims. This is now tracked in the Grant artifact instead. The following properties are no longer present on the session.authorizations[client_id] object: rejectedScopes, rejectedClaims, promptedClaims, promptedScopes.
• The following Session prototype methods have been removed: acceptedClaimsFor, acceptedScopesFor, promptedClaimsFor, promptedScopesFor, rejectedClaimsFor, rejectedScopesFor.
• OpenID Connect Session Management draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
• OpenID Connect Front-Channel Logout draft implementation was removed. This is due to front-channel becoming more and more unreliable due to browsers blocking third-party cookie access.
• The jwt-ietf token format is now just jwt. The ietfJWTAccessTokenProfile feature is therefore obsolete and removed. The prior jwt format may be emulated using the formats.customizers.jwt helper function.
• Default PKCE use policy now enforces the use of PKCE code_challenge for all requests where PKCE applies. Use the pkce.required helper to revert to the old policy if you have a reason to exempt some clients from this policy.
• ctx.oidc.uid is now undefined, no random values are now generated. In places where ctx.oidc.uid was used as a source of a random value, an always fresh random value is now generated instead.
• Removed every DEBUG=* code other than error ones. Ways to debug the code will surface through logging in the future.
• The Device Flow feature resume path now longer contains the user code in the URL. Instead, deviceCode is now attached to Interaction models when part of a device authorization grant flow.
• The DeviceCode model now gets grantId property assigned only after successful consent interaction.
• Every interaction now gets a totally unique identifier, "same grant", which never actually was about grants, or consequent bounces through interaction will now each get a unique identifier.
• The features.webMessageResponseMode.scriptNonce helper was removed, all inline scripts will now have their sha256 automatically added to CSP script-src directives when one is present.
• client_id and client_secret values are now checked to conform to their ABNF syntax (%x20-7E).
• Allowing to omit a redirect_uri parameter for clients with a single one registered is now disabled by default. You can re-enable this using the allowOmittingSingleRegisteredRedirectUri configuration option.
• Configuration option cookies.short.maxAge was removed. Use ttl.Interaction configuration to define the Interaction TTL which in turn controls the cookie expiration.
• Configuration option cookies.long.maxAge was removed. Use ttl.Session configuration to define the Session TTL which in turn controls the cookie expiration.
• Configuration option cookies.short.expires was removed.
• Configuration option cookies.long.expires was removed.
• Interaction.prototype.save ttl argument is now required.
• Session.prototype.save ttl argument is now required.
• Provider.prototype.requestUriCache getter was removed.
• features.jwtUserinfo is disabled by default now.
• Removed "whitelist" Request Object merging strategy
• requestObjects.mergingStrategy configuration is now a string valued "strict" or "lax"
• requestObjects.mergingStrategy configuration is now requestObjects.mode.
• Configuration option whitelistedJWA is now enabledJWA.
• Removed HS256 as a default-enabled algorithm from the following configuration values so that all AS-issued assertions are firm to only come from the AS: whitelistedJWA.idTokenSigningAlgValues, whitelistedJWA.userinfoSigningAlgValues, whitelistedJWA.introspectionSigningAlgValues, whitelistedJWA.authorizationSigningAlgValues
• Default JWE Algorithms ("alg") now includes "dir".
• ECDH-ES KW variants are not enabled by default anymore.
• The default for JWT Access Tokens' signing algorithm is no longer the client's id_token_signed_response_alg falling back to RS256 but rather only the provider's default id_token_signed_response_alg.
• Removed built in support for urn: request uris.
• Renamed RequestUriCache.prototype.resolveWebUri to RequestUriCache.prototype.resolve
• The claims configuration property can no longer be a Map instance, only plain objects are allowed.
• request_object_signing_alg no longer means a request object must be provided, require_signed_request_object boolean value serves that purpose now as per the clarifications made in OIDF and IETF Working Groups.
• The deprecated postLogoutSuccessSource configuration property was removed, use features.rpInitiatedLogout.postLogoutSuccessSource instead.
• The deprecated logoutSource configuration property was removed, use features.rpInitiatedLogout.logoutSource instead.
• RedirectUriMismatch error was removed.
• redirect_uri_mismatch error codes are now invalid_redirect_uri.
• Only www-urlencoded bodies recognize RFC6750 payload bearer token. On the authorization server this only affects the dynamic registration features and removes an unintended side effect.
• extraAccessTokenClaims helper function is renamed to extraTokenClaims.
• The jwks_uri response is now using the proper content type application/jwk-set+json.
• Default Interaction TTL increased from 10 minutes to 1 hour.
• The following Provider instance getters/setters are removed: subdomainOffset, proxyIpHeader, maxIpsCount, keys. You can access the underlying Koa app via provider.app if you have the need to use these.
• Default clientBasedCORS helper return value is now false, you must ergo use this helper to open up cors based on your policy.
• The deprecated setS256Thumbprint token instance method is removed.
• The deprecated OIDCContext.prototype.bearer method is removed.
• removed dynamicScopes configuration option, scope configuration using pre-configured values is gone in favour of Resource Indicators refactor.
• httpOptions helper function argument is now just a URL instance. It no longer receives the "to be executed" http request options.
• httpOptions helper changed. It can now only return three properties { timeout: number, agent: instanceof https.Agent || http.Agent, lookup: dns.lookup like option }
• The deprecated pkceMethods configuration property was removed, use pkce.methods instead.
• provider.setInteractionSession function was removed.
• meta interaction result was removed.
• Structured token constructors now require a client property with a client instance rather than a clientId property.
• extraClientMetadata.validator ctx argument is now the first one.
• Single member audience arrays are now transformed to a single audience string value instead.
• Introspection response jti is not returned for opaque tokens.
• OIDCContext and Interaction instance property signed renamed to trusted.
• provider.interactionDetails now only works if both req and res are provided.
• Provider.prototype.callback is now a function instead of a getter.
• Node.js runtime version policy changed. Version 12.19.0 is now the minimum required runtime and ONLY LTS releases are supported. This means "Current" Node releases are not officially supported and you may get mixed results when using them.

Features

• added configurable policy for issuing registration access tokens (f18395f)
• allow dynamic session and interaction expiration TTL (afcb375)
• allow pre-existing Grants to be loaded during authorization (9dc7921)
• apply max expiration on PAR objects created from a JWT (03f9d8f)
• automatically add inline scripts to CSP script-src directives (85c3f4d), closes #850 #584
• check client_id and client_secret ABNF syntax (3d0d078)
• control whether underlying Grant gets destroyed during logout and revocation (ee74dcf)
• features.resourceIndicators (RFC 8707) is now a stable feature (84c3a5c)
• helper function to decide whether to validate client.sector_identifier_uri (72058a5)
• JWT Access Tokens are now just issued and not stored anymore (d1ee6b7)
• JWT Access Tokens can now be encrypted with a symmetric secret shared with the recipient (0f76c65)
• JWT Access Tokens can now be encrypted with an asymmetric public key of the recipient (d2a63b7)
• JWT Access Tokens can now be HMAC-signed with a symmetric secret shared with the recipient (5041158)
• omitting redirect_uri for clients with a single one is now optional (329c577)
• opaque token length can now be influenced (f35764f), closes #760
• PAR no longer requires otherwise enabled features.requestObjects (33f3a83)
• PASETO Access Tokens are now just issued and not stored anymore (4efe741)
• PASETO Access Tokens can now be encrypted with a symmetric secret shared with the recipient using v1.local (2e78582)
• PASETO Access Tokens now support both v1.public and v2.public (dff2a72)
• require Node.js version ^12.19.0 || ^14.15.0 (2a54e33)
• require use of PKCE (aa2bd51)
• sector_identifier_uri can be used without pairwise subject_type (202e4c5)
• The key used to asymmetrically sign JWT Access Tokens can now be chosen based on its Key ID. (8b32707)
• The key used to asymmetrically sign PASETO Access Tokens can now be chosen based on its Key ID. (efd3dab)

Bug Fixes

• check DPoP htm as case-sensitive (33223ff)
• delay FAPI response type/mode check when request_uri is present (78916b7)
• ignore clockTolerance when verifying stored PAR objects (c3c2276)
• only www-urlencoded bodies recognize RFC6750 payload bearer token (4553bd5)
• remap invalid_redirect_uri as invalid_request in PAR (ceb3cd1)
• remove legacy accept header value from request uri requests (4cc28ef)
• typescript: Interaction.prototype.session structure (#924) (76c36c7)

Refactor

• OIDCContext and Interaction property signed renamed (0ed56bd)
• audience arrays with 1 member are changed to a single value (d156983)
• by default disabled JWT Userinfo Responses (5931a59)
• changed default signing algorithm selection method (995d2d4)
• clean up RequestUriCache (8c0b9c5)
• configuration whitelistedJWA is now enabledJWA (d77fd4f)
• default clientBasedCORS helper is now false (4cf4cc6)
• default enabled JWAs (d8ebde0)
• default Interaction TTL increased from 10 minutes to 1 hour (f6c7b5e)
• extraClientMetadata.validator arguments reordered (ea6dc73)
• idToken.issue() now requires the use option (d1d9421)
• introspection response jti not returned for opaque tokens (a333aaa)
• only allow objects as claims configuration parameter (2ac59b7)
• provider.callback is now a function instead of a getter (e78e573)
• provider.interactionDetails(req, res) now requires res (2c3a667)
• provider's jwks_uri is now application/jwk-set+json content (285eb41)
• remove bundled TypeScript type defintions (3a6b671)
• remove deprecated pkceMethods configuration property (65712d0)
• remove deprecated setS256Thumbprint token instance method (6afaf31)
• remove few deprecated configuration properties (1767c8f)
• remove Provider.prototype.requestUriCache (e8b411c)
• remove the deprecated OIDCContext.prototype.bearer method (52000d5)
• removed dynamicScopes configuration option (285fc7a)
• removed a bunch of proxied methods from provider to app (3fb32e7)
• removed oidc.uid, removed a lot of debug (801d28f)
• Removed OpenID Connect Front-Channel Logout (feecb5e)
• Removed OpenID Connect Session Management (224dd38)
• removed provider.setInteractionSession and result meta object (ac1b0f6)
• rename session.account to session.accountId for consistency (3e81740)
• renamed extraAccessTokenClaims helper function (ce57d6d)
• replaced the jwt format with jwt-ietf as it is stable now (d61b515)
• request_object_signing_alg no longer forces request object use (e7309af)
• requestObjects.mergingStrategy "whitelist" was removed (7b10e9f)
• require client in structured tokens constructors (a4e02bd)
• response_type value token is no longer supported (0c74a1a)
• updated got http request library (b395a0d)
• use invalid_redirect_uri over redirect_uri_mismatch error (2565cce)
• use jose@3 instead of jose@2 (5572e0e)

6.31.0 (2021-01-19)

Features

• end_session_endpoint now recognizes client_id and logout_hint (9dd2b0e)

Bug Fixes

• keep grants that persist if logged out by that grant's client (26449f5), closes #857

Performance

• use native node's base64url encoding when available (6149bd3)

6.30.1 (2021-01-13)

Bug Fixes

• botched 6.30.0 release with a syntax error (cd5f02a)

6.30.0 (2021-01-13)

Features

• Authorization Server Issuer Identifier in Authorization Response (3f67ee9)
• update JARM feature draft version to Implementer's Draft 01 (0a021de)

6.29.11 (2021-01-12)

Bug Fixes

• missing login prompt details (c7b0036), closes #853

6.29.10 (2021-01-04)

Bug Fixes

• html safe guard the action attribute in form post responses (7cd6025)

6.29.9 (2020-12-10)

Bug Fixes

• typescript: interaction result may be undefined (#833) (44aa53e)
• unrecognized EC curves and OKP subtypes are ignored (660f46d)

6.29.8 (2020-11-30)

Bug Fixes

• ignore client metadata valued undefined when applying defualts (d0ee50a), closes #824

6.29.7 (2020-11-10)

Bug Fixes

• client keystore refresh keeps the derived octet keys in store (024841e), closes #816

6.29.6 (2020-11-08)

Bug Fixes

• ensure decrypted request object is accessed in PAR responses (09751d7), closes #813

6.29.5 (2020-10-03)

Bug Fixes

• loopback redirectUriAllowed protocol check (#794) (da99330)

6.29.4 (2020-09-19)

Bug Fixes

• typescript: findAccount may return undefined (#786) (6689cdb)
• updated request object mime-type as per draft-ietf-oauth-jwsreq-30 (f15524a)

6.29.3 (2020-08-25)

Bug Fixes

• typescript: allows adapter factory in typings (#776) (3cfcd77)

6.29.2 (2020-08-20)

Bug Fixes

• typescript: extend AdapterPayload from AnyClientMetadata (6631a2d), closes #774

6.29.1 (2020-08-13)

Bug Fixes

• typescript: add missing rpInitiatedLogout types (59c389b)

6.29.0 (2020-08-12)

Features

• allow RP-Initiated Logout 1.0 feature to be disabled (a2ef044)
• update backchannelLogout feature draft version (9a9dd7e)
• update frontchannelLogout feature draft version (d54cc8f)
• update sessionManagement feature draft version (aa62927)

6.28.0 (2020-07-14)

Bug Fixes

• ensure client is still valid after custom metadata processing (fded7c6)

Features

• incorporate behaviours and metadata from jwsreq-25 (cb12761)
• update PAR implementation to ietf draft 02 (fd2ccee)

6.27.5 (2020-07-06)

6.27.4 (2020-06-30)

6.27.3 (2020-06-19)

Bug Fixes

• re-allow transfer-encoding chunked (f88447b), closes #739

6.27.2 (2020-06-16)

Bug Fixes

• remove unintended client_id from post_logout_redirect_uri callbacks (57d07cd)

6.27.1 (2020-06-15)

Bug Fixes

• correct jwtIntrospection draft ack version (#735) (62b97d4)
• typescript: static IdToken.validate (#733) (a0d997e)

6.27.0 (2020-06-01)

Bug Fixes

• allow any JSON numeric value for timestamp values for DPoP JWTs (0700fde)

Features

• secp256k1 EC curve and ES256K JWS alg feature flag removed (f74f6bd)

BREAKING CHANGES

• secp256k1 and ES256K have been registered in IANA a few days ago so the flag is not needed anymore.

Note: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, acknowledge the version and be notified of breaking changes as part of your CI.

6.26.1 (2020-05-18)

Bug Fixes

• typescript: claims/scopes as Set in rejected/prompted functions (#719) (950c21d)
• typescript: undefined return for DefaultPolicy.get and Checks.get (b61e9d8)

6.26.0 (2020-05-12)

Bug Fixes

• A192CBC-HS384 and A256CBC-HS512 direct encryption key derivation (ead23a7)

Features

• helper to define PKCE use requirement (0c2e208)

6.25.0 (2020-05-05)

Bug Fixes

• typescript: fix metaFor "value" argument type (0b31b69), closes #711

Features

• update DPoP implementation to ietf draft 01 (330d13c)

BREAKING CHANGES

• DPoP implementation updated to draft-ietf-oauth-dpop-01

Note: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, acknowledge the version and be notified of breaking changes as part of your CI.

6.24.0 (2020-04-27)

Bug Fixes

• typescript: added types of prompt.checks in interaction policy (3b97bde)

Features

• typescript: export the DefaultPolicy interface (b36190b), closes #707
• add server-wide policy configuration on accepting tokens in query (90b400a)
• introspection response allowedPolicy helper function added (e59cc66), closes #642
• update features.jwtIntrospection to draft 09 (219e8c3)

6.23.5 (2020-04-09)

Bug Fixes

• revert "chore: update tree router" (13e4142), closes #696

6.23.4 (2020-04-03)

Bug Fixes

• typescript: added revokeByGrantId types to appropriate models (883b038)

6.23.3 (2020-03-22)

Bug Fixes

• client jwks_uri are now fetched with a lock, cooldown improvements (b193010)

6.23.2 (2020-03-16)

Bug Fixes

• return iss to introspection responses (f1b6fb4), closes #676

6.23.1 (2020-03-04)

Bug Fixes

• allow client registration update fields to be omitted by the client (9df9bd7), closes #664

6.23.0 (2020-03-03)

Bug Fixes

• client credentials exchange checks the client's scope whitelist (5e4defc)
• stable features with ack now throw to indicate a possible breaking change (cf58d35)
• typescript: adapter methods typings and interface name typo (e086fc6)

Features

• features.mTLS (RFC 8705) is now a stable feature (cfeaca8)

6.22.1 (2020-02-28)

Bug Fixes

• typescript: correct KoaContextWithOIDC definition, take 2 (84d32fc), closes #659

6.22.0 (2020-02-28)

Bug Fixes

• typescript: correct KoaContextWithOIDC definition (655ea29), closes #659

Features

• more ctx entities to accomodate #658 (51b128d)

6.21.1 (2020-02-27)

Bug Fixes

• check that session account is a string (e1eb211), closes #650 #655

6.21.0 (2020-02-18)

Features

• add support for RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms (c669bd1)

6.20.3 (2020-02-14)

Bug Fixes

• allow opt-in refresh_token grant without offline_access as in 5.x (b67a3a6), closes #647

6.20.2 (2020-02-11)

Bug Fixes

• typescript: remove @types/node from runtime dependencies (55a5074), closes #646

6.20.1 (2020-02-04)

Bug Fixes

• interaction.started listener second argument type fixed (2fe67a9), closes #643

6.20.0 (2020-01-31)

Features

• allow koa context argument in idFactory and secretFactory (76aa942), closes #455

6.19.2 (2020-01-25)

Bug Fixes

• set samesite compatibility cookie as transient when the session is (1257164), closes #636

6.19.1 (2020-01-25)

Bug Fixes

• allow ECDH-ES with AES_CBC_HMAC_SHA2 key sizes larger than 256 bits (a65e9c4)

6.19.0 (2020-01-23)

Features

• allow overloading prototype for comparing client secrets (eec36eb), closes #631

6.18.2 (2020-01-16)

Bug Fixes

• number of default should-change notices using a wrong property (8e51724)
• principal-change triggered logout fixes (fa860cf), closes #628 #600

6.18.1 (2020-01-07)

Bug Fixes

• fix client secret based algorithm keys for clients with jwks (75d82a0)

6.18.0 (2019-12-31)

Features

• update PAR implementation to an ietf WG draft version (d3a772b)

6.17.7 (2019-12-28)

Bug Fixes

• typescript: rotateRefreshToken boolean, ES256K, async customizers (22ab1e3)

6.17.6 (2019-12-17)

Bug Fixes

• skip JWT validating iat is in the past when exp is present (a7dd855)

6.17.5 (2019-12-16)

Bug Fixes

• properly handle routes ending with a trailing slash (again) (d8a3a67)

6.17.4 (2019-12-13)

Bug Fixes

• properly handle routes ending with a trailing slash (c4b06de)

6.17.3 (2019-12-09)

Bug Fixes

• allow empty body without content-type on userinfo (d5148ad)

6.17.2 (2019-12-07)

Bug Fixes

• forbid "none" id token algorithm when backchannel logout is used (797919e)

6.17.1 (2019-12-05)

Bug Fixes

• registered native loopback redirect_uris do not get normalized (96e035f)

6.17.0 (2019-12-02)

Features

• add support for secp256k1 elliptic curve use (30aa706)

6.16.1 (2019-11-26)

Bug Fixes

• use shake256(m, 114) for Ed448 ID Token *_hash claims (7e6ba6f)

6.16.0 (2019-11-16)

Features

• add script tag nonce resolution helper for session management and wmrm (#584) (b32b8e6), closes #583

6.15.2 (2019-11-15)

Bug Fixes

• ensure BaseModel descendants have an exp property (22cc547), closes #580

6.15.1 (2019-11-14)

6.15.0 (2019-11-14)

Bug Fixes

• regression introduced in 58f7348 (4738a8b)

Features

• add jwsreq Accept value to request_uri resolver (cec4016)
• expose client schema invalidate(err, code) to enable customization (d672ee8)

6.14.2 (2019-11-10)

Bug Fixes

• ignore httpOnly and domain configuration options for resume cookies (952d68e), closes #574

6.14.1 (2019-11-07)

Bug Fixes

• handle DPoP htu validation when mounted in express (f34526c), closes #572
• use sha512 for Ed25519 and shake256 for Ed448 ID Token *_hash claims (fd3c9e9)

6.14.0 (2019-11-07)

Bug Fixes

• autosubmit logout when there's no accountId in the session (c6b1770), closes #566
• omit *_hash ID Token claims if signed with "none" (code flow only) (5c540c0)

Features

• add interaction<>session consistency checks (018255e)

6.13.0 (2019-10-31)

Features

• update DPoP implementation to indivudal draft 03 (a7f5d7d)

6.12.13 (2019-10-24)

Bug Fixes

• respect mountPath when rendering device flow html views (74b434c), closes #561

6.12.12 (2019-10-23)

Bug Fixes

• typescript: add findByUserCode to DeviceCode types (df58cff)
• remove registration access token when client is deleted (e24ad4a), closes #555

6.12.11 (2019-10-20)

Bug Fixes

• typescript: allow registration policies type to be async (0a46a65), closes #551

6.12.10 (2019-10-15)

Bug Fixes

• cookies: use ctx.secure from the mount context when available (c8d8fe6)

6.12.9 (2019-10-14)

Bug Fixes

• mounted devInteractions now honour the mount path (8fb8af5), closes #549 #548

6.12.8 (2019-10-14)

Bug Fixes

• typescript: add missing OIDCContext cookies property (0c04af6)

6.12.7 (2019-10-09)

Bug Fixes

• forbid redirect_uri with an empty fragment component (ca196a0)
• v6.12.6 native app uris regression fixed (fd56ef6)

6.12.5 (2019-10-04)

Bug Fixes

• add missing constructor to index.d.ts (#542) (a5621a4)

6.12.4 (2019-10-03)

Bug Fixes

• typescript: revert void/undefined changes from 6.12.3 (e0bbaae), closes #541

6.12.3 (2019-10-01)

Bug Fixes

• use updated jose package (ee17022)
• typescript: fix void/undefined inconsistencies and ts lint (96c9415)

6.12.2 (2019-09-28)

Bug Fixes

• do not send empty secret to adapter in a DCR edge case (af9ecd9)

6.12.1 (2019-09-27)

Bug Fixes

• fixed session management state fallback cookie name (91b0dea)

6.12.0 (2019-09-27)

Features

• handle sameSite=none incompatible user-agents (4e68415)

6.11.1 (2019-09-24)

Bug Fixes

• typescript: provider.callback getter type regression fixed (5cea116), closes #534

6.11.0 (2019-09-24)

Bug Fixes

• token TTL being a helper function is now accepted (a930355)

Features

• default refresh token TTL policy for SPAs follows the updated BCP (d6a2a34)
• update JWT Response for OAuth Token Introspection to draft 08 (5f917e2)

6.10.0 (2019-09-21)

Bug Fixes

• typescript: add missing definitions (#533) (c663417)

Features

• update FAPI RW behaviours (a7ed27a)
• update pushed authorization requests draft (aaf5740)

6.9.0 (2019-09-17)

Features

• added TypeScript definitions (#530) (5adf5a8)

6.8.0 (2019-09-06)

Features

• update fapiRW draft feature (8b927fc)
• update pushed request objects to b6cd952 (43fa8aa)

6.7.0 (2019-08-30)

Bug Fixes

• correct ssl offloading proxy documentation url in console warning (b871e99)
• handle server_error on expired unsigned request objects (7172a85)
• ignore secret and expiration timestamp on dynamic create edge case (d532fb2)

Features

• allow authorization requests with only a Request Object (e3fa143)
• allow structured access token customizations (4be3bb2), closes #520
• experimental support for pushed request objects (4ac3905)
• strategies for parameter merging Request Object <> OAuth 2.0 (3ad1744)
• support non-0 expiring client secrets (client_secret_expires_at) (02877f6)

6.6.2 (2019-08-26)

Bug Fixes

• do not use mounted app's ctx.cookies (ce0c06d), closes #517

6.6.1 (2019-08-25)

Bug Fixes

• extend interactionDetails to allow (req, res) (e1d69cf), closes #517

6.6.0 (2019-08-23)

Bug Fixes

• properly apply samesite=none for non-webkit browsers (ec2ffc6)

Features

• added Node.js lts/dubnium support (52e914c)

6.5.0 (2019-08-20)

Bug Fixes

• empty params are handled as if they were not provided at all (a9e0f8c)

Features

• basic and post client auth methods are now interchangeable (a019fc9)
• enable RSA-OAEP-256 when node runtime supports it (cfada87)
• new experimental support for FAPI RW Security Profile added (0c69553)
• RFC8628 has been published, device flow is now a stable feature (98a3bd4)

6.4.2 (2019-08-18)

Bug Fixes

• make structured token's end-user "sub" pairwise if configured (24a08c2)
• use correct postLogoutRedirectUri for resume's logout when mounted (a72b27d)

6.4.1 (2019-08-13)

Bug Fixes

• bring paseto token claims inline with jwt-ietf (265e400)

6.4.0 (2019-08-07)

Bug Fixes

• paseto formatted access token audience is a single string (1fd45f5)
• properly check if resourceIndicators is enabled (bbcdca2)

Features

• added a helper for validating provided resource indicator values (a97ffdc), closes #487
• allow audiences helper to return a single string audience (4c7a3a8)
• draft implementation of IETF JWT Access Token profile (e690462)

6.3.0 (2019-08-04)

Features

• new option for resolving JWT Access Token signing algorithm (28e85ef)

6.2.2 (2019-08-02)

Bug Fixes

• do not assign the defaulted to response_mode to params (18867ad)
• dynamic format gets a ctx as a first argument as documented (f62eb4b)

6.2.1 (2019-07-25)

Bug Fixes

• bump dependencies and compatible draft versions (97738e3)
• revert missing mTLS cert errors to invalid_grant (afac459)

6.2.0 (2019-07-21)

Features

• mTLS stable release candidate (a999452)

6.1.2 (2019-07-12)

Bug Fixes

• acknowledging tls client auth draft fixed (02df82a)

6.1.1 (2019-07-12)

Bug Fixes

• bump acknowledgable draft versions that don't need code changes (55b4770)

6.1.0 (2019-07-10)

Bug Fixes

• authorization header scheme is checked case-insensitive (773ec52)
• block static client registration read action (edgiest of cases) (18db430)
• update dependencies, plug reported lodash vulnerability (a2cdfd0)

Features

• add experimental support for DPoP (61edb8c)

6.0.3 (2019-07-04)

Bug Fixes

• default renderError page escapes error props inherited from params (6aedbab), closes #489

6.0.2 (2019-07-03)

Bug Fixes

• device flow refresh tokens for public clients are now be certificate bound as well (904ad2d)

6.0.1 (2019-06-29)

Bug Fixes

• correctly apply mergeWithLastSubmission for interactionFinished (eb67723)

6.0.0 (2019-06-28)

This release has been on and off in development since the major v5.x release in September 2018, it is the biggest and most breaking release to date and a massive accomplishment, most of the new features you saw added to the v5.x release line have been backports from a privately worked on v6.x branch of the project.

~ 334 changed files with 19,617 additions and 13,322 deletions.

With the API just slightly evolving with each version for over more than 3 years it was in need of a big overhaul, albeit in the configuration or adapter API department. Knowing the next release is a breaking one just welcomed innovation and refactoring, hence the endless stream of alpha and beta releases with breaking changes in them.

Notable changes

Fully embraced browser based apps using Authorization Code flow + PKCE

Browser-based public clients are now able to get Refresh Tokens that are not offline_access, are end-user session bound and rotate with each use.

This is in line with the BCPs being worked on by the OAuth WG and it is also ready for new sender-constraining mechanisms such as DPoP being implemented as soon as they are adopted as WG drafts.

Issuing refresh tokens without offline_access is not enabled by default and is controlled by a new issueRefreshToken configuration policy.

By default all tokens that do not have offline_access scope are now handled as invalid or expired when the session they came from is gone, i.e. when the end-user logs out or a shorter-lived session simply expires due to inactivity. This behaviour is controled by a new expiresWithSession configuration policy.

CORS is not an afterthought

Also related to browser based apps using the AS. It is now possible to have CORS control per request and implement request context based policies using new clientBasedCORS configuration policy. By default this policy's value enables * CORS on all CORS-intended endpoints.

You can see a client-metadata based approach in /recipes.

Authorization Requests without the openid scope

The provider can now process authorization requests that do not contain the openid scope, pure OAuth 2.0 mode.

Optimized crypto

All crypto is now done using node's crypto module with the use KeyObject keys and secrets. Node.js >= 12.0.0 added a KeyObject class to represent a symmetric or asymmetric key and it is recommended that applications to use this new KeyObject API instead of passing keys as strings or Buffers due to improved security features as well as optimized operation.

EdDSA & PASETO

The provider can now sign ID Tokens, JWT Access Tokens, Userinfo and everything JOSE using EdDSA.
With Ed25519 now being supported you can also have your Access Tokens in PASETO format.

Upgrade / Migration path

5 -> 6 migration path is not clearly laid out, i'd much more recommend starting just with new Provider('...') and then backporting your configuration and code, please note some changed configuration defaults which, if you relied upon them, you need to now configure to their v5.x values explicitly. Should you require assistance with an upgrade please don't hesitate to get in touch via the issue tracker (limited support capacity) or via email for a more direct and involved conversation.

Bug Fixes

• fixed symmetric key derivation for JWT introspection endpoint response (1a50c82)
• fixed symmetric key derivation for JWT authorization endpoint response (1a50c82)
• *_jwt client auth method alg no longer mixes up (a)symmetrical (1771655)
• acceptedClaimsFor filtering out claims not scopes (fd8f886)
• added scope to implicit responses when different from request (71b2e7e)
• allow all incoming headers for CORS requests (3d2c8e4)
• also reject client jwks/jwks_uri symmetric keys (df18f62), closes #481
• avoid sending "samesite=none" to webkit browsers due to their bug (9c6e05b)
• base accepted scope off the accepted scopes, not param scopes (ccec5d3)
• break endless login loop with too short max_age values (66c7968)
• check id_token_hint even if the interaction check is disabled (7528220)
• check PKCE verifier and challenge ABNF, remove it from device flow (849b964)
• check sameSite cookie option for none case-insensitive (523d1b2)
• client key agreement with ECDH-ES is not possible in two cases (5c39f6e)
• clientDefaults is now used in resolving defaults of some edge props (e7bcfd2)
• correctly use the secret value, not its SHA digest, for PBES2-* (43256ba)
• device flow - mark codes as already used at the right time (7b913fd)
• do not send empty error_descriptions with some responses (663fadc)
• enable debugging session bound tokens not being returned (cc66876)
• enable Secure cookies with the default settings if on secure req (a056bfd)
• expose correct discovery metadata jwt introspection signing algs (cf4e442), closes #475
• fail logout when post_logout_redirect_uri is not actionable (b3a50ac)
• handle client jwks x5c when kty is OKP, use client jwks key_ops (f052f6b)
• handle invalid interaction policies with access_denied (1b6104c)
• html-rendered response modes now honour 400 and 500 status codes (9771581)
• jwt client assertion audience now also accepts issuer and token url (38706e7)
• rendered OP views are no longer dead ends with javascript disabled (c2f17d7)
• request object processing order related and general fixes (9fd3fba)
• session required client properties control the iss & sid return (ab08cbe)
• short cookie options dont affect the resume cookie path scope (4c7e877)
• use fixed scope to claim mapping over dynamic ones (03a6130), closes #466
• subsequent authorization requests for the same combination of client, end-user and sessionUid will all have the same grantId value now
• PKCE is no longer forced for grant_type=urn:ietf:params:oauth:grant-type:device_code
• response_type code token no longer requires nonce parameter to be present. See OIDC Core 1.0 Errata 2 changeset
• provider no longer reject client registration when the jwks.keys is empty
• provider now rejects client's jwks and jwks_uri if they contain private key or symmetric key material. See OIDC Core 1.0 Errata 2 changeset
• Client will no longer be looked up twice during failed authorization due to client not being found
• max_age parameter is now validated to be a non-negative safe integer
• client secrets no longer need to have minimal length to support HS signing
• established session acr/amr is now available for any authorization request, not just the one it was established with

Code Refactoring

• change certificates to jwks (a75e478)
• consolidate interaction policy and url configuration (5c0ba04)
• disable "token" including response types defaults (78e4ebb)
• merge interactions and interactionUrl configuration (1193719)
• provider.registerGrantType accepts the handler directly (e822918)
• remove provider.initialize() (ec71ed0)
• remove request/request http client handling and methods (683e6c2)
• rename findById to findAccount to follow the helper convention (43f5ecc)
• rename idToken.sign to idToken.issue (1c6d556)

Features

• added support for direct symmetric key encryption alg 'dir' (1a50c82)
• added extraAccessTokenClaims configuration option (25915ef)
• added options to disable userinfo and userinfo jwt responses (3620aed)
• added per-request http options helper function configuration (4aee414)
• added v2.public PASETOs as an available issued token format (7b149cf)
• added EdDSA support (2cdb0a2)
• added postLogoutSuccessSource helper for logouts without redirects (a979af8)
• allow for client default metadata to be changed (8f20a69)
• allow non-conform instances (f772f97)
• always return scope with token implicit response (ea7b394)
• default refresh token rotation policy changed (7310765)
• discovery must now always be enabled (5c3c0c7)
• enable client-based CORS origin whitelisting (8b4fd9e)
• passthrough cors middleware if pre-existing headers are present (6ec09ef), closes #447
• replay prevention for client assertions is now built in (a22d6ce)
• request objects are now one-time use if they have iss, jti and exp (1dc44dd)
• set default sameSite cookie values, short: lax, long: none (cfb1a70)
• it is now possible to issue Refresh Tokens without the offline_access scope, these refresh tokens and all access tokens issued from it will be unusable when the session they're tied to gets removed or its subject changes
  • Session now has a uid property which persists throughout the cookie identifier rotations and its value is stored in the related tokens as sessionUid, it is based on this value that the provider will perform session lookups to ensure that session bound tokens are still considered valid
  • by default a session bound grant is one without offline_access, this can be changed, or completely disabled to restore previous behaviour with a new expiresWithSession helper
• issueRefreshToken configuration helper has been added, it allows to define specific client and context based policy about whether a refresh token should be issued or not to a client
• interactions will now be requested multiple times if the authorization request context cannot be resolved yet. This means you can now resolve one prompt at a time. When you load the interaction details (using provider.interactionDetails()), in addition to details.params containing the complete parsed authorization parameters object, you now also have access to details.prompt containing an object with the prompt details.
  • details.prompt.name has the name prompt, e.g. login
  • details.prompt.reasons has an array of reasons the prompt is being requested, e.g. ["max_age"]
  • details.prompt.details contains is an object of details you might need to resolve the prompt
  • details.session is an object containing details about the OP session as-is at the moment of requesting interaction
    • details.session.uid is the internal session's uid
    • details.session.cookie is the session cookie value
    • details.session.acr is the current session's acr if there's one
    • details.session.amr is the current session's amr if there's one
    • details.session.accountId
• interactions results consent.rejectedScopes and consent.rejectedClaims will no longer replace the existing values, the rejected scopes and claims will accumulate instead, the same happens with what's assumed accepted (that is everything thats been requested and wasn't rejected)
• end_session_endpoint now accepts a POST with the parameters being in the body of the request, this is so that clients avoid URL length limits and exposing PII in the URL. See OIDC Issues tracker
• Updated OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens draft implementation - draft 13
  • client's certificate_bound_access_tokens, now also binds the Refresh Token if the client is using "none" endpoint auth method
  • SAN based client properties are now recognized, they are not however, supported and will throw when presented
• Updated Device Flow draft implementation - draft 15
  • the same client authentication as for token_endpoint is now used at the device_authorization_endpoint
  • once a user code passes the device confirmation prompt it cannot be used again
• end_session_endpoint is now always available, it is not bound to any of the session or logout specification features
• clients may now have a scope property, when set authorization requests for this client must stay within those whitelisted scopes
• end_session_endpoint will now drop session-bound tokens for the clients/grants encountered in the session
• when the existing session's subject (end-user identifier) differs from one inside interaction results the provider will bounce the user agent through the end_session_endpoint to perform a "clean" logout - drop the session, perform front and back-channel logout notifications (if enabled) and revoke grants (if bound to session)
• end session endpoint will now revoke tokens bound to the user-agent session by grantId for the clients that have had their authorization removed
• rotateRefreshToken configuration added, it can be a function to allow for client and context based policy for deciding whether refresh token should rotated or not
• the provider can now process non-openid authorization requests
  • requests without an openid scope or scope parameter altogether will be processed as plain OAuth2.0 authorization requests
  • this has a few exceptions:
    • response types that include id_token still require the openid scope
    • use of openid feature related parameters such as claims, acr_values, id_token_hint and max_age still require the openid scope
    • use of openid feature related client attributes such as default_acr_values, default_max_age, require_auth_time still require the openid scope
  • use of the userinfo_endpoint is only possible with access tokens that have the openid scope
  • note: the scope claim in JWT access tokens will be missing if the parameter was missing as well, dtto for the scope property in your persitent storage
• authorization parameter max_age=0 now behaves like prompt=login (dtto client's default_max_age=0)
• every model now has its own saved and destroyed event emitted by the provider, sessions and interactions too, the convention is {snake_cased_model_name}.{saved|destroyed}
• urn: request_uri support added, provided that one overloads provider.Client.prototype.requestUriAllowed and provider.requestUriCache.resolveUrn
• http: request_uris are now allowed under the assumption that the request object it yields is verifiable (signed and/or symmetrically encrypted)
• added invalid_software_statement and unapproved_software_statement exported errors

BREAKING CHANGES

• node.js minimal version is now v12.0.0 due to its added EdDSA support (crypto.sign, crypto.verify and EdDSA key objects)
• the default enabled response types now omit all that result in access tokens being issued by the authorization endpoint and delivered via a fragment. If you're upgrading just configure responseTypes to include the ones you need for legacy purposes.
• interactionUrl is now interactions.url
• interactionCheck has been removed and replaced with a new format optioninteractions.policy
• interactionUrl configuration option is now interactions.url
• the route name for jwks_uri is now jwks (was certificates). If you're upgrading and use a custom path for certificates make sure to use the routes.jwks now to configure the path
• the default path for route jwks (certificates) is now /jwks. If you're upgrading and want to (you probably do) keep using the old path, make sure to configure routes.jwks with the old value /certs
• PBES2-* Content Encryption Key encryption now correctly uses the client_secret value rather than its SHA digest.
• when neither interactions nor custom middlewares result in the authorization chain having an account identifier the server will now resolve the request with access_denied error.
• when neither interactions nor custom middlewares result in the authorization chain having resolved an accepted scope the server will now resolve the request with access_denied error.
• default rotateRefreshToken configuration value is now a function with a described policy that follows OAuth 2.0 Security Best Current Practice
• removed features.discovery and it is now always-on, no point in disabling discovery, ever.
• logoutPendingSource no longer receives a timeout argument
• provider.defaultHttpOptions setter was removed, use the new httpOptions configuration helper function instead
• provider now asserts that client's backchannel_logout_uri returns a 200 OK response as per specification.
• provider.IdToken.prototype.sign is renamed to provider.IdToken.prototype.issue
• PKCE code_challenge and codeverifier is now checked to be 43-128 characters long and conforms to the allowed character set of [A-Z] / [a-z] / [0-9] / - / . / `/~`. PKCE is now also ignored for the Device Code authorization request and token exchange.
• findById helper was renamed to findAccount
• postLogoutRedirectUri configuration option is removed in favour of postLogoutSuccessSource. This is used to render a success page out of the box rather then redirecting nowhere.
• since provider is now available on ctx.oidc.provider the registerGrantType now expects the second argument to be the handler directly
• provider.initialize() has been removed.
• what was previously passed to initialize() as keystore must now be passed as configuration property (as jwks and it must be a JWKS formatted object, no longer a KeyStore instance.
• what was previously passed to initialize() as clients must now be passed as configuration property (as clients). These "static" clients are no longer validated during the instantiation but just like with adapter-loaded clients - when they're first needed.
• what was previously passed to initialize() as adapter must now be passed as configuration property (as adapter).
• provider will no longer call adapter's connect method.
• Due to request's maintenance mode and inevitable deprecation (see https://github.com/request/request/issues/3142) the option to switch the provider to use request has been removed.
• end_session_endpoint will now throw an error when clients provide post_logout_redirect_uri but fail to provide an id_token_hint. See https://bitbucket.org/openid/connect/issues/1032
• all exported JWK related methods have been removed
• JWT Access Token can now only be signed using the provider's asymmetric keys, client's HS will no longer be used
• sid ID Token claim is now only returned when the client requests it using the claims parameter or has the appropriate back/front channel logout uris enabled and front/backchannel_logout_session_required set to true
• clients with request_object_signing_alg set must now always provide a request object, authorization requests will fail with invalid_request when request or request_uri is missing for such clients
• adapter changes to accomodate new functionality
  • it is no longer desired to drop all related tokens when #destroy is called
  • Session adapter instance expects to have a findByUid method which resolves with the same data as find does only the reference is the session's uid property. This is only needed when utilizing the new session-bound tokens
  • AccessToken, RefreshToken, AuthorizationCode & DeviceCode adapter instances expect to have revokeByGrantId method which accepts a string parameter grantId and revokes all tokens with its matching value in the grantId property
• only AccessToken and ClientCredentials may have a format. All other tokens are now forced to be opaque
• clientCacheDuration configuration option and provider.Client.cacheClear method have been removed, the provider now handles everything internally and Client objects are re-instantiated automatically if the client's configuration changes.
• token.* events are no longer emitted, instead each token has its own event, sessions and interactions too, the convention is snake_cased_model_name.*
• features.pkce and features.oauthNativeApps have been removed and they are always in effect, PKCE is always forced on native clients
• iss is no longer pushed to token/model storage payloads
• features.sessionManagement.thirdPartyCheckUrl has been removed
• features.alwaysIssueRefresh has been removed
• features.refreshTokenRotation has been renamed to features.rotateRefreshToken and its values are now true/false or a function that returns true/false when a refresh token should or should not be rotated
• features.conformIdTokenClaims is not a feature anymore, it is just conformIdTokenClaims in the configuration object's root
• revoking an Access Token via the revocation_endpoint will not revoke the whole grant any more
• default interaction cookie name value changed from _grant to _interaction
• default resume cookie name value changed from _grant to _interaction_resume
• all references to ctx.oidc.uuid are now ctx.oidc.uid and the format is now a random string, not a uuid
• nearly all emitted events have had their arguments shuffled and/or changed to allow for ctx to be first
• nearly all helper functions have had their arguments shuffled and/or changed to allow for ctx to be the first amongst them (oh yeah, ctx has been added almost everywhere)
• all configuration features are no longer booleans, they're objects with all their relevant configuration in the defaults.js file and docs/README.md. Old configuration format is not accepted anymore
• some configuration properties that only relate to a specific features were moved from the root level to the feature's configuration level and have been renamed, these are
  • deviceFlowSuccess -> features.deviceFlow.successSource
  • frontchannelLogoutPendingSource -> features.frontchannelLogout.logoutPendingSource
  • userCodeConfirmSource -> features.deviceFlow.userCodeConfirmSource
  • userCodeInputSource -> features.deviceFlow.userCodeInputSource
• Session model has been split to Session and Interaction
• interaction login result now defaults to remember: true
• legacy storage format has been removed
• adding additional audiences through the audiences helper is now only possible for Access Tokens (AccessToken and ClientCredentials)
• the .well-known/webfinger endpoint that always returned success is removed
• default deviceFlow.deviceInfo userAgent property is now ua

Other changes / deprecations

• example mongo and redis adapters revised
• example redis with ReJSON module adapter added
• example unmaintained adapters removed

5.5.5 (2019-02-20)

Bug Fixes

• expose only supported cors methods (4a81104)
• replace router again to fix CORS preflights (d642f8b)

5.5.4 (2019-02-15)

Refactored

• removed koa-router in favor of koa-trie-router (fe812e0), closes #436

5.5.3 (2019-01-22)

Bug Fixes

• handle server_error when refresh tokens are missing gty (75046ca)

5.5.2 (2018-12-20)

Bug Fixes

• JWKStore prototype jwksUri undefined client (#413) (ba69fb6)

5.5.1 (2018-11-26)

Bug Fixes

• added aud and azp validations for ID Tokens passed by clients (4df8160)
• aud for jwt oauth tokens no longer gets the client id pushed in (14c556e)

5.5.0 (2018-11-22)

Bug Fixes

• gracefully handle mixed up response_type(s) order (b775591)
• http2 is also stable in ^8.13.0 (3d240d9)

Features

• initial and registration access token policies (452000c), closes #394

5.4.2 (2018-11-19)

Bug Fixes

• ignore *_endpoint_auth_signing_alg client metadata when _jwt auth is not allowed (d0346a8)

5.4.1 (2018-11-19)

Bug Fixes

• require consent result to save accepted scopes and claims (7720367)

5.4.0 (2018-11-18)

Bug Fixes

• handle potentially unvalidated response mode in authz error handler (ee501d1)
• issue new session identifiers when session changes (56d04e6)
• omit saving an empty session on initial authorize request (d0b7069)

Features

• allow omitting redirect_uri in code exchange at the token endpoint when there is just one registered (8cdd407)
• update of draft-ietf-oauth-resource-indicators from 00 to 01 (1302a54), closes #385

5.3.0 (2018-11-05)

Bug Fixes

• upgrade min node-jose version to fix its performance in node (f1cb4c6)

Features

• sessionManagement frame uses Storage Access API to detect errors (156e12d)

5.2.0 (2018-11-01)

Draft Features

• sessionManagement feature doesn't set a default thirdPartyCheckUrl anymore (0015c38)

With the sunset of https://rawgit.com i'm not going to look for a replacement CDN that hosts github content using the right content-type. This addition to sessionManagement is a gimmick helping only in a small % of cases anyway.

Note: Updates to draft and experimental specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes such as this one may be introduced as part of these version updates.

5.1.2 (2018-10-23)

Bug Fixes

• allow http2 req/res in interaction detail helpers (fixes #383) (a86aba7)

5.1.0 (2018-10-03)

Bug Fixes

• ignore sector_identifier_uri when subject_type is not pairwise (416e379)

Features

• added Resource Indicators for OAuth 2.0 - draft 00 implementation (1bc2994)

5.0.1 (2018-09-27)

5.0.0 (2018-09-26)

Bug Fixes

• change conformIdTokenClaims default value to true (ef40f6d)
• devInteractions also have no-cache headers, doesn't set acr (9d7a032)
• ensure non-whitelisted JWA algs cannot be used by *_jwt client auth (186de0d)
• extraClientMetadata.properties keys do not get transformed (837beca)
• fixed 500 in client update checking client_secret equality (bad6348)
• remove deprecated passing of scope with consent results (35f13bc)
• remove deprecated Session.find upsert behaviour (73e07bd)
• remove deprecated unused exported errors (fc3f509)
• remove got 8 > 9(retries > retry) option re-assign behaviour (db31d32)
• secretFactory is now used in client update (0923f52)
• validate secret length for client_secret_jwt with no alg specified (ab64268)

Code Refactoring

• IdToken constructor and #sign() method changes (bb4269f)
• moved thirdPartyCheckUrl under features.sessionManagement (c3f84b2)
• renamed deviceCode feature to deviceFlow (cd57d77)

Features

• added self_signed_tls_client_auth client authentication method (9a1f0a3)
• added tls_client_auth client authentication method (ce2bf66)
• allow custom mechanisms for handling pairwise identifiers (57ce6d7)
• back and front-channel can be enabled without sessionManagement (8cb37ff)
• dynamic token expiration (6788b83)
• enable Certificate Bound Access Tokens (f43d820)
• enable explicit whitelist of JWA algorithms (0604e08)
• enable token storage and representation format to be dynamic (8487bd8)
• invalid_token errors now have a detail to aid in debugging or logs (b8324b7)
• JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (c759415)
• opaque is the default adapter format now (75e7a3f)
• unify audiences helper function signature (fd38600)

BREAKING CHANGES

• the configuration option pairwiseSalt is replaced with pairwiseIdentifier async helper function. This allows for different means of generating the pairwise identifier to be implemented, such as the ones mentioned in Core 1.0
• Passing scope to interaction result's consent property is no longer supported
• cookies.thirdPartyCheckUrl is now configured with features.sessionManagement.thirdPartyCheckUrl instead
• features.deviceCode is now features.deviceFlow and deviceCodeSuccess helper function is now deviceFlowSuccess
• In order for dynamic token expiration to be able to pass a client instance to the helpers it is now better to pass a client property being the client instance to a new token instance rather then a clientId. When passing a client the clientId will be set automatically.
• the default adapter format is now set to opaque, the legacy "legacy" value is still available for legacy deployments but cannot be combined with the new dynamic format feature option and is considered deprecated and will be removed in the next major release.
• the default enabled JWA algorithms have changed. See the new whitelistedJWA configuration option to re-enable the ones you need.
• the configuration unsupported property is removed, use the configuration whitelistedJWA object instead. This isn't a 1:1 renaming of a configuration value, while the unsupported option was essentually a blacklist the whitelistedJWA as the name suggests is a whitelist.
• the RSA-OAEP-256 key wrapping algorithm has been removed and is not configurable since it is not supported natively in nodejs.
• IdToken constructor now requires the client instance to be passed in as a second argument. IdToken instance .sign() now takes just one argument with the options.
• when a symmetric endpoint authentication signing alg is not specified the secret will be validated such that it can be used with all available HS bit lengths
• audience helper token argument will no longer be a reference to other tokens than the one to which the audiences will be pushed.
• audience helper scope argument is no longer available
• generateTokenId format method is now a prototype method instead of a class one
• the http request option retries will no longer be transformed into retry, see got@^9.0.0 package for the retry options
• exported errors RestrictedGrantType and RestrictedResponseType are no longer available
• Session.find default upsert behaviour is changed to return a new empty session instead
• change conformIdTokenClaims default value to true
• custom client metadata properties will not get transformed between snake_case and camelCase anymore to allow for namespaced metadata properties such as custom://metadata