Skip to content

Latest commit

 

History

History
208 lines (170 loc) · 9.45 KB

CHANGELOG.md

File metadata and controls

208 lines (170 loc) · 9.45 KB

openid-client CHANGELOG

Yay for SemVer.

Table of Contents

Version 1.12.0

  • DIFF
  • Allow session key to be specified in passport strategy options

Version 1.11.0

Version 1.11.1

  • DIFF
  • relaxed #callbackParams to allow IncomingMessage lookalikes
  • update internal dependencies

Version 1.11.0

  • DIFF
  • fixed default application_type from ['web'] to 'web'
  • added barebones Issuer.httpClient setter to help advanced developers in complex environments to change the used http request client

Version 1.10.0

  • DIFF
  • added pure OAuth 2.0 stripped down callback function #oauthCallback
  • added an extra option for #userinfo requests to have extra params in either query or body

Version 1.9.0

  • DIFF
  • added introspection/revocation specific client and issuer properties. To remain backwards compatible they default to their token endpoint counterparts
    • issuer.revocation_endpoint_auth_methods_supported
    • issuer.introspection_endpoint_auth_methods_supported
    • issuer.revocation_endpoint_auth_signing_alg_values_supported
    • issuer.introspection_endpoint_auth_signing_alg_values_supported
    • client.revocation_endpoint_auth_method
    • client.introspection_endpoint_auth_method
    • client.revocation_endpoint_auth_signing_alg
    • client.introspection_endpoint_auth_signing_alg

Version 1.8.0

Version 1.8.2

  • DIFF
  • bumped node-jose dependency to avoid github tar.gz dependencies
  • adjusted token_endpoint_auth_method=none to how it should be

Version 1.8.0

  • DIFF
  • Issuer and Client now recognize custom properties, this is so that new Registry Contents do not require a new release of openid-client to be picked up. Custom properties are exposed as getters so long as they do not interfere with the object's Prototype and they are always available in #metadata getter.

Version 1.7.0

Version 1.7.2

  • DIFF
  • added missing check for webfinger issuer location protocol

Version 1.7.1

  • DIFF
  • added authorizationCallback support for submitting code_verifier
  • example now includes session management OP and RP frames

1.7.0 failed to publish properly, use 1.7.1 instead

Version 1.6.0

Version 1.6.4

  • DIFF
  • fixed receiving (correct) empty responses from revocation endpoints (#21)

Version 1.6.3

Version 1.6.2

  • DIFF
  • fixed verify callback skipping userinfo when userinfo_endpoint is not configured (#19)
  • removed mandatory checks from passport strategy, allowing i.e. implicit only OPs (#19)

Version 1.6.1

  • DIFF
  • fixed verify callback skipping userinfo call when arity says it should but no access token is present (#18)

Version 1.6.0

  • DIFF
  • added at_hash presence assertion for applicable (implicit) ID Token validation
  • added c_hash presence assertion for applicable (hybrid) ID Token validation from the authorization_endpoint

Version 1.5.0

Version 1.5.3

  • DIFF
  • fixed an ID Token validation for ID Token returned by Token Endpoint that includes c_hash

Version 1.5.2

  • DIFF
  • fixed passport strategy, have it use prototype instead of ES6 class syntax

Version 1.5.1

  • DIFF
  • fixed client_assertion aud claim for _jwt auth methods when used in introspection and revocation

Version 1.5.0

  • DIFF
  • added a passport.js strategy
  • added missing max_age, default_max_age related functionality
    • authorizationCallback now supports max_age check
    • clients with default_max_age use this default value automatically
    • when max_age is checked auth_time claim is mandatory and must be a number
  • added missing require_auth_time related functionality
    • clients with require_auth_time = true have the presence and format of auth_time claim validated
  • authorizationUrl and authorizationPost now removes null and undefined values and ensures parameters are stringified before passed to url.format
  • added client.CLOCK_TOLERANCE property, to allow for clock skew (in seconds)

Version 1.4.0

  • DIFF
  • deprecated passing keystore directly to Client#register, pass an object with keystore property instead
  • added the option to provide InitialAccessToken value to Client#register

Version 1.3.0

Version 1.3.1

  • DIFF
  • added error messages when expected response is missing

Version 1.3.0

  • DIFF
  • added #requestObject method to Client to return signed and/or encrypted Request Object

Version 1.2.0

  • DIFF
  • added #claims getter to TokenSets returned from authorizationCallback and refresh;

Version 1.1.0

  • DIFF
  • fixed unpacking aggregated claims with alg=none and no iss claim
  • fetching distributed claims now expects a JWT response, previously expected invalid OP responses

Version 1.0.0

Version 1.0.2

  • DIFF
  • fixed signed userinfo response validation in case iss, aud and similar ID Token claims are missing

Version 1.0.1

  • DIFF
  • Updated uuid dependency

Version 1.0.0

RP test tools are passing, no changes required from the library, API is declared stable, hence 1.0.0 release.

Migrating from 0.x to 1.0

  1. update your package.json file to "^1.0.0"
  2. sit back and relax, no breaking changes

pre 1.x changelog

4. Major version zero (0.y.z) is for initial development. Anything may change at any time.
   The public API should not be considered stable.

5. Version 1.0.0 defines the public API.