This file is no longer being updated and kept for historical reasons. Please check the GitHub releases instead!
Table of Contents
- 0.0.0 (2022-09-22)
- 0.42.2 (2022-04-17)
- 0.42.1 (2022-02-03)
- 0.42.0 (2022-01-06)
- 0.41.0 (2021-11-13)
- 0.40.2 (2021-05-28)
- 0.40.1 (2021-05-23)
- 0.40.0 (2021-05-21)
- 0.39.0 (2021-03-08)
- 0.38.0 (2021-02-23)
- 0.37.0 (2021-02-05)
- 0.36.1 (2021-01-11)
- 0.36.0 (2020-11-16)
- 0.35.1 (2020-10-11)
- 0.35.0 (2020-10-06)
- 0.34.1 (2020-10-02)
- 0.34.0 (2020-09-24)
- 0.33.0 (2020-09-16)
- 0.32.4 (2020-09-15)
- 0.32.3 (2020-09-12)
- 0.32.2 (2020-06-22)
- 0.32.1 (2020-06-05)
- 0.32.0 (2020-05-28)
- 0.31.3 (2020-05-09)
- 0.31.2 (2020-04-16)
- 0.31.1 (2020-04-16)
- 0.31.0 (2020-03-29)
- 0.30.6 (2020-03-26)
- 0.30.5 (2020-03-25)
- 0.30.4 (2020-03-17)
- 0.30.3 (2020-03-04)
- 0.30.2 (2019-11-21)
- 0.30.1 (2019-09-23)
- 0.30.0 (2019-09-16)
- 0.29.8 (2019-08-29)
- 0.29.7 (2019-08-06)
- 0.29.6 (2019-04-26)
- 0.29.5 (2019-04-25)
- 0.29.3 (2019-04-17)
- 0.29.2 (2019-04-11)
- 0.29.1 (2019-03-27)
- 0.29.0 (2018-12-23)
- 0.28.1 (2018-12-04)
- 0.28.0 (2018-11-16)
- 0.27.4 (2018-11-12)
- 0.27.3 (2018-11-08)
- 0.27.2 (2018-11-07)
- 0.27.1 (2018-11-03)
- 0.27.0 (2018-10-31)
- 0.26.1 (2018-10-25)
- 0.26.0 (2018-10-24)
- 0.25.1 (2018-10-23)
- 0.25.0 (2018-10-08)
- 0.24.0 (2018-09-27)
- 0.23.0 (2018-09-22)
- 0.22.0 (2018-09-19)
- 0.21.5 (2018-08-31)
- 0.21.4 (2018-08-26)
- 0.21.3 (2018-08-22)
- 0.21.2 (2018-08-07)
- 0.21.1 (2018-07-22)
- 0.21.0 (2018-06-23)
- 0.20.3 (2018-06-07)
- 0.20.2 (2018-05-29)
- 0.20.1 (2018-05-29)
- 0.20.0 (2018-05-28)
- 0.19.8 (2018-05-24)
- 0.19.7 (2018-05-24)
- 0.19.6 (2018-05-24)
- 0.19.5 (2018-05-23)
- 0.19.4 (2018-05-20)
- 0.19.3 (2018-05-20)
- 0.19.2 (2018-05-19)
- 0.19.1 (2018-05-19)
- 0.19.0 (2018-05-17)
- 0.18.1 (2018-05-01)
- 0.18.0 (2018-04-30)
- 0.17.2 (2018-04-26)
- 0.17.1 (2018-04-22)
- 0.17.0 (2018-04-08)
- 0.16.5 (2018-03-17)
- 0.16.4 (2018-02-07)
- 0.16.3 (2018-02-07)
- 0.16.2 (2018-01-25)
- 0.16.1 (2017-12-23)
- 0.16.0 (2017-12-23)
- 0.15.6 (2017-12-21)
- 0.15.5 (2017-12-17)
- 0.15.4 (2017-12-17)
- 0.15.3 (2017-12-17)
- 0.15.2 (2017-12-10)
- 0.15.1 (2017-12-10)
- 0.15.0 (2017-12-09)
- 0.14.2 (2017-12-06)
- 0.14.1 (2017-12-06)
- 0.14.0 (2017-12-06)
- 0.13.1 (2017-12-04)
- 0.13.0 (2017-10-25)
- 0.12.0 (2017-10-25)
- 0.11.4 (2017-10-10)
- 0.11.3 (2017-08-21)
- 0.11.2 (2017-07-09)
- 0.11.1 (2017-07-09)
- 0.11.0 (2017-07-09)
- 0.10.0 (2017-07-06)
- 0.9.7 (2017-06-28)
- 0.9.6 (2017-06-21)
- 0.9.5 (2017-06-08)
- 0.9.4 (2017-06-05)
- 0.9.3 (2017-06-05)
- 0.9.2 (2017-06-05)
- 0.9.1 (2017-06-04)
- 0.9.0 (2017-06-03)
- 0.8.0 (2017-05-18)
- 0.7.0 (2017-05-03)
- 0.6.19 (2017-05-03)
- 0.6.18 (2017-04-14)
- 0.6.17 (2017-02-24)
- 0.6.15 (2017-02-11)
- 0.6.14 (2017-01-08)
- 0.6.13 (2017-01-08)
- 0.6.12 (2017-01-02)
- 0.6.11 (2017-01-02)
- 0.6.10 (2016-12-29)
- 0.6.9 (2016-12-29)
- 0.6.8 (2016-12-20)
- 0.6.7 (2016-12-06)
- 0.6.6 (2016-12-06)
- 0.6.5 (2016-12-04)
- 0.6.4 (2016-11-29)
- 0.6.2 (2016-11-25)
- 0.6.1 (2016-11-17)
- 0.6.0 (2016-11-17)
- 0.5.1 (2016-10-22)
- 0.5.0 (2016-10-17)
- 0.4.0 (2016-10-16)
- 0.3.6 (2016-10-07)
- 0.3.5 (2016-10-06)
- 0.3.4 (2016-10-04)
- 0.3.3 (2016-10-03)
- 0.3.2 (2016-09-22)
- 0.3.1 (2016-09-22)
- 0.3.0 (2016-08-22)
- 0.2.4 (2016-08-09)
- 0.2.3 (2016-08-08)
- 0.2.2 (2016-08-08)
- 0.2.1 (2016-08-08)
- 0.2.0 (2016-08-06)
- 0.1.0 (2016-08-01)
0.0.0 (2022-09-22)
Please be aware that several internal APIs have changed, as well as public methods. Most notably, we added the context to all Write*
metods.
type OAuth2Provider interface {
- WriteAuthorizeError(rw http.ResponseWriter, requester AuthorizeRequester, err error)
+ WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)
- WriteAuthorizeResponse(rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
+ WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
- WriteAccessError(rw http.ResponseWriter, requester AccessRequester, err error)
+ WriteAccessError(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, err error)
- WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
+ WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
- WriteRevocationResponse(rw http.ResponseWriter, err error)
+ WriteRevocationResponse(ctx context.Context, rw http.ResponseWriter, err error)
- WriteIntrospectionError(rw http.ResponseWriter, err error)
+ WriteIntrospectionError(ctx context.Context, rw http.ResponseWriter, err error)
- WriteIntrospectionResponse(rw http.ResponseWriter, r IntrospectionResponder)
+ WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder)
}
The default config struct has moved from package github.com/ory/fosite/compose.Config
to github.com/ory/fosite.Config
. Struct github.com/ory/fosite.Fosite
no longer has any configuration parameters
itself.
Please note that the HMAC / global secret has to be set no longer in the compose call, but in the config initialization:
-compose.ComposeAllEnabled(&compose.Config{}, store, secret, privateKey)
+compose.ComposeAllEnabled(&fosite.Config{GlobalSecret: secret}, store, privateKey)
Many internal interfaces have been changed, usually adding ctx context.Context
as the first parameter.
- Bump dependencies (5dab818)
- Cves in deps (f5782c3)
- Include
at_hash
claim in authcode flow's ID token (#679) (c3b7bab) - Linting (222ca97)
- rfc7523: Comment mentioned incorrect granttype (#668) (b41f187)
- State check for hybrid flow (#670) (37f8a0a)
-
config: Support hot reloading (1661401), closes #666:
This patch updates the config system to be replacable and uses functions instead of struct fields. This allows implementing hot reloading mechanisms easily.
-
Move to go 1.17 (d9d0fed)
-
Add
ory_at|pt|ac
prefixes to HMAC tokens (b652335):See ory/hydra#2845
-
Add json mappings to default session and its contents (#688) (d8ecac4)
-
Add json mappings to generic session to match openid session (#690) (2386b25)
-
Implement client token lifespan customization (#684) (cfffe8c):
This change introduces the ability to control the lifespan of tokens for each valid combination of Client, GrantType, and TokenType.
-
Introduce cache strategy for JWKS fetcher (452f377)
-
Make http source contextualized (9fc89e9)
-
PAR implementation (#660) (3de78db), closes #628:
Implements RFC9126 - Pushed Authorization Request.
-
Support variety of JWT formats when
jose.JSONWebKey
is used (2590eb8)
-
Revert "chore: delete .circleci folder (#699)" (#705) (ef753d5), closes #699 #705:
This reverts commit 2eea63bddcbdf50771adf670391e495e339f619f since CircleCI is still used here.
0.42.2 (2022-04-17)
autogen(docs): regenerate and update changelog
-
Empty client secret via basic auth header means "none" authn (#655) (7a2d972), closes /github.com/golang/oauth2/blob/ee480838109b20d468babcb00b7027c82f962065/internal/token.go#L174-L176:
The existing client authentication code treats an empty client_secret query parameter to be equivalent to "none" authentication instead of "client_secret_post."
This change updates the basic auth check to be consistent with this. That is, an empty secret via the basic auth header is considered to mean "none" instead of "client_secret_basic."
The "golang.org/x/oauth2" library probes for both methods of authentication, starting with the basic auth header approach first.
As required, both client ID and secret are encoded in one header:
-
Handle invalid_token error for refresh_token is expired (#664) (76bb274)
-
Handle token_inactive error for multiple concurrent refresh requests (#652) (7c8f4ae):
See ory/hydra#3004
-
Url-encode the fragment in the redirect URL of the authorize response (#649) (beec138), closes #648:
This patch reverts the encoding logic for the fragment of the redirect URL returned as part of the authorize response to what was the one before version
0.36.0
. In that version, the code was refactored and the keys and values of the fragment ceased to be url-encoded. This in turn reflected on all Ory Hydra versions starting from1.9.0
and provoked a breaking change that made the parsing of the fragment impossible if any of the params contain a character like&
or=
because they get treated as separators instead of as text -
Use the correct algorithm for at_hash and c_hash (#659) (8cb4b4b), closes #630
- docs: Regenerate and update changelog (5dbfa9a)
-
Add deprecation to communicate ropc discouragement (#665) (df491be):
This adds godoc deprecations to the compose.OAuth2ResourceOwnerPasswordCredentialsFactory and oauth2.ResourceOwnerPasswordCredentialsGrantHandler in order to clearly communicate the discouragement of the ROPC grant type to users implementing this library.
0.42.1 (2022-02-03)
autogen(docs): regenerate and update changelog
- docs: Regenerate and update changelog (dcc6550)
0.42.0 (2022-01-06)
autogen(docs): regenerate and update changelog
- docs: Regenerate and update changelog (cf2c545)
0.41.0 (2021-11-13)
autogen(docs): regenerate and update changelog
- Force HTTP GET for redirect responses (#636) (f6c6523)
- Include
typ
in jwt header (#607) (7644a74), closes #606 - Make
amr
claim an array to match the OIDC spec (#625) (8a6f66a) - Resolve nancy warning (b6cf0a6)
- docs: Regenerate and update changelog (1777ad5)
- Add missing word (#626) (c7a553b)
- Document that DeleteOpenIDConnectSession is deprecated (#634) (4e2c03d)
- Add client secret rotation support (#608) (a4ce354), closes #590
- Add prettier and format (d682bdf)
- Add ResponseModeHandler to support custom response modes (#592) (10ec003), closes #591
- I18n support added (#627) (cf02af9), closes #615
- Support jose.opaquesigner for JWTs (#611) (1121a0a)
- Use bitwise comparison for jwt validation errors (#633) (52ee93f)
0.40.2 (2021-05-28)
feat: use int64 type for claims with timestamps (#600)
Co-authored-by: Nestor [email protected]
0.40.1 (2021-05-23)
fix: revert float64 auth_time claim (#599)
Closes #598
0.40.0 (2021-05-21)
feat: transit from jwt-go to go-jose (#593)
Closes #514
Co-authored-by: hackerman [email protected]
- 582memory store authentication error code (#583) (51b4424)
- Do not include nonce in ID tokens when not used (#570) (795dee2)
- Sha alg name in error message and go doc (#571) (0f2e289)
- Upgrade gogo protubuf (#573) (9a9467a)
- Allow extra fields in introspect response (#579) (294a0bf), closes #441
- Allow omitting scope in authorization redirect uri (#588) (6ad9264)
- Pass requests through context (#596) (2f96bb8), closes #537
- Transit from jwt-go to go-jose (#593) (d022bbc), closes #514
0.39.0 (2021-03-08)
feat: token reuse detection (#567)
See ory/hydra#2022
-
Token reuse detection (#567) (db7f981):
See ory/hydra#2022
0.38.0 (2021-02-23)
feat: add ClientAuthenticationStrategy extension point (#565)
Closes #564
Replaces token_expired
error ID with invalid_token
which is the correct value according to https://tools.ietf.org/html/rfc6750#section-3.1
0.37.0 (2021-02-05)
feat: add support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523� (#560)
Closes #546 Closes #305
Co-authored-by: Vladimir Kalugin [email protected] Co-authored-by: i.seliverstov [email protected]
- Add support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523� (#560) (9720241), closes #546 #305
0.36.1 (2021-01-11)
chore: bump deps
- Bump deps (c2375de)
0.36.0 (2020-11-16)
fix: be more permissive in time checks
Time equality should not cause failures in OpenID Connect validation.
This patch removes fields error_hint
, error_debug
from error responses. To use the legacy error format where these fields are included, set UseLegacyErrorFormat
to true in your compose config or directly on the Fosite
struct. If UseLegacyErrorFormat
is set, the error_description
no longer merges error_hint
nor error_debug
messages which reverts a change introduced in v0.33.0
. Instead, error_hint
and error_debug
are included and the merged message can be constructed from those fields.
As part of this change, the error interface and its fields have changed:
RFC6749Error.Name
was renamed toRFC6749Error.ErrorField
.RFC6749Error.Description
was renamed toRFC6749Error.DescriptionField
.RFC6749Error.Hint
was renamed toRFC6749Error.HintField
.RFC6749Error.Code
was renamed toRFC6749Error.CodeField
.RFC6749Error.Hint
was renamed toRFC6749Error.HintField
.RFC6749Error.WithCause()
was renamed toRFC6749Error.WithWrap() *RFC6749Error
and alternatively toRFC6749Error.Wrap()
(without return value) to standardize naming conventions around the new Go 1.14+ error interfaces.
As part of this change, methods GetResponseMode
, SetDefaultResponseMode
, GetDefaultResponseMode
where added to interface AuthorizeRequester
. Also, methods GetQuery
, AddQuery
, and GetFragment
were merged into one function GetParameters
and AddParameter
on the AuthorizeResponder
interface. Methods on AuthorizeRequest
and AuthorizeResponse
changed accordingly and will need to be updated in your codebase. Additionally, the field Debug
was renamed to DebugField
and a new method Debug() string
was added to RFC6749Error
.
Co-authored-by: hackerman [email protected]
-
Allow all request object algs when client value is unset (1d14636):
Allows all request object signing algorithms when the client has not explicitly allowed a certain algorithm. This follows the spec:
*request_object_signing_alg - OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
-
Always return non-error response for inactive tokens (#517) (5f2cae3)
-
Be more permissive in time checks (839d000):
Time equality should not cause failures in OpenID Connect validation.
-
Do not accidentally leak jwks fetching errors (6d2092d), closes /github.com/ory/fosite/pull/526#discussion_r517491738
-
Do not require nonce for hybrid flows (de5c8f9):
This patch resolves an issue where nonce was required for hybrid flows, which does not comply with the OpenID Connect conformity test suite, specifically the
oidcc-ensure-request-without-nonce-succeeds-for-code-flow
test. -
Guess default response mode in
NewAuthorizeRequest
(a2952d7) -
Improve claims handling for jwts (a72ca9a)
-
Improve error stack wrapping (620d4c1)
-
Kid header is not required for key lookup (27cc5c0)
-
Only use allowed characters in error_description (431f9a5), closes #525:
Replace LF and quotes with
.
and'
to match allowed and recommended character set defined in various RFCs. -
Prevent debug details from leaking during key lookup (c0598fb), closes /github.com/ory/fosite/pull/526#discussion_r517490461
-
Reset jti and hash ID token claims on refresh (#523) (ce2de73)
-
Use state from request object (8cac1a0):
Resolves failing OIDC conformity test "oidcc-request-uri-unsigned".
- Use rfc compliant error formating (edbbda3)
-
Add support for response_mode=form_post (#509) (3e3290f):
This patch introduces support for
response_mode=form_post
as well asresponse_mode
ofnone
andquery
andfragment
.To support this new feature your OAuth2 Client must implement the
fosite.ResponseModeClient
interface. We suggest to always return all response modes there unless you want to explicitly disable one of the response modes:func (c *Client) GetResponseModes() []fosite.ResponseModeType { return []fosite.ResponseModeType{ fosite.ResponseModeDefault, fosite.ResponseModeFormPost, fosite.ResponseModeQuery, fosite.ResponseModeFragment, } }
-
Introduce WithExposeDebug to error interface (625a521)
-
Support passing repeated audience parameter in URL query (#518) (47f2a31), closes #504:
Added
GetAudiences
helper function which tries to have current behavior and also support multiple/repeated audience parameters. If there are parameter is repeated, then it is not split by space. If there is only one then it is split by space. I think this is the best balance between standard/backwards behavior and allowing repeated parameter and allowing also URIs/audiences with spaces in them (which we probably all agree is probably not something anyone should be doing).Also added
ExactAudienceMatchingStrategy
which is slightly more suitable to use for audiences which are not URIs. In OIDC spec audience is described as:Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
client_id
is generally not an URI, but some UUID or some other random string.
0.35.1 (2020-10-11)
autogen(docs): regenerate and update changelog
- docs: Regenerate and update changelog (c598cc7)
- Allow configuring redirect secure checker everywhere (#489) (e87d091)
- Scope can now be space delimited in access tokens (#482) (8225935), closes #362
0.35.0 (2020-10-06)
autogen(docs): regenerate and update changelog
Type fosite.TokenType
has been renamed to fosite.TokenUse
.
-
Redirct_url with query escape character outside of query is failing (#480) (6e49c57):
See ory/hydra#2055
Co-authored-by: ajanthan
-
Rename TokenType to TokenUse in introspection (#486) (4b81316), closes ory/hydra#1762
-
Return allowed redirect url with preference (f0badc4)
- docs: Regenerate and update changelog (3f0bc87)
0.34.1 (2020-10-02)
fix: make redirect URL checking more strict
The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal:
- Registering a client with allowed redirect URL
https://example.com/callback
- Performing OAuth2 flow and requesting redirect URL
https://example.com/callback?bar=foo
- Instead of an error, the browser is redirected to
https://example.com/callback?bar=foo
with a potentially successful OAuth2 response.
Additionally, matching Redirect URLs used strings.ToLower
normalization:
- Registering a client with allowed redirect URL
https://example.com/callback
- Performing OAuth2 flow and requesting redirect URL
https://example.com/CALLBACK
- Instead of an error, the browser is redirected to
https://example.com/CALLBACK
with a potentially successful OAuth2 response.
This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.
-
Make redirect URL checking more strict (cdee51e):
The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal:
- Registering a client with allowed redirect URL
https://example.com/callback
- Performing OAuth2 flow and requesting redirect URL
https://example.com/callback?bar=foo
- Instead of an error, the browser is redirected to
https://example.com/callback?bar=foo
with a potentially successful OAuth2 response.
Additionally, matching Redirect URLs used
strings.ToLower
normalization:- Registering a client with allowed redirect URL
https://example.com/callback
- Performing OAuth2 flow and requesting redirect URL
https://example.com/CALLBACK
- Instead of an error, the browser is redirected to
https://example.com/CALLBACK
with a potentially successful OAuth2 response.
This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.
- Registering a client with allowed redirect URL
0.34.0 (2020-09-24)
chore: fix unused const linter error (#484)
fosite.ErrRevocationClientMismatch
was removed because it is not part of RFC 6749. Instead, fosite.ErrUnauthorizedClient
will be returned when calling RevokeToken
with an OAuth2 Client which does not match the Access or Refresh Token to be revoked.
- Merge pull request from GHSA-7mqr-2v3q-v2wm (03dd558)
0.33.0 (2020-09-16)
feat: error_hint and error_debug are now exposed through error_description (#460)
BREAKING CHANGE: Merges the error description with error hint and error debug, making it easier to consume error messages in standardized OAuth2 clients.
Merges the error description with error hint and error debug, making it easier to consume error messages in standardized OAuth2 clients.
0.32.4 (2020-09-15)
autogen(docs): regenerate and update changelog
- docs: Regenerate and update changelog (1f16df0)
0.32.3 (2020-09-12)
fix: add missing OAuth2TokenRevocationFactory to ComposeAllEnabled (#472)
-
Add missing OAuth2TokenRevocationFactory to ComposeAllEnabled (#472) (88587fd)
-
Align error returned when a grant_type was requested that's not allowed for a client (#467) (3c30c0d), closes /tools.ietf.org/html/rfc6749#section-5:
Returned error was 'invalid_grant'.
-
All responses now contain headers to not cache them (#465) (2012cb7)
- Add empty session example explanation (#450) (36d65cb)
- Better section reference for GetRedirectURIFromRequestValues (#463) (48a3daf)
- Deprecate history.md (b0d5fea), closes /github.com/ory/fosite/issues/414#issuecomment-662538622
- Add locking to memory storage (#471) (4687147)
- Make MinParameterEntropy configurable (#461) (2c793e6), closes #267
- New compose strategies for ES256 (#446) (39053ee)
0.32.2 (2020-06-22)
feat: new factory with default issuer for JWT tokens (#444)
0.32.1 (2020-06-05)
feat: makeRemoveEmpty public (#443)
0.32.0 (2020-05-28)
feat: added support for ES256 token strategy and client authentication (#439)
I added to DefaultOpenIDConnectClient
a field TokenEndpointAuthSigningAlgorithm
to be able to configure what GetTokenEndpointAuthSigningAlgorithm
returns. I also cleaned some other places where there were assumptions about only RSA keys.
Closes #429
-
arguments: Fixes a logic bug in MatchesExact and adds documentation (#433) (10fd67b):
-
Double-decoding of client credentials in request body (#434) (48c9b41):
I noticed that client credentials are URL-decoded after being extracted from the POST body form, which was already URL-decoded by Go. The accompanying error message suggests this was copied and pasted from the HTTP basic authorization header handling, which is the only place where the extra URL-decoding was needed (as per the OAuth 2.0 spec). The result is that client credentials containing %-prefixed sequences, whether valid sequences or not, are going to fail validation.
Remove the extra URL decoding. Add tests that ensure client credentials work with special characters in both the HTTP basic auth header and in the request body.
-
Added support for ES256 token strategy and client authentication (#439) (36eb661), closes #429:
I added to
DefaultOpenIDConnectClient
a fieldTokenEndpointAuthSigningAlgorithm
to be able to configure whatGetTokenEndpointAuthSigningAlgorithm
returns. I also cleaned some other places where there were assumptions about only RSA keys.
0.31.3 (2020-05-09)
feat(pkce): add EnforcePKCEForPublicClients config flag (#431)
Alternative proposal for the issue discussed in #389 and #391, where enforcement of PKCE is wanted only for certain clients.
Add a new flag EnforcePKCEForPublicClients which enforces PKCE only for public clients. The error hint is slightly different, as it mentions PKCE is enforced for "this client" rather than "clients". (It intentionally does not mention why it's enforced, as I think basing it on public clients is an implementation detail that servers may want to change without adding to the error hints).
Closes #389 Closes #391
0.31.2 (2020-04-16)
fix: introduce better linting pipeline and resolve Go issues (#428)
0.31.1 (2020-04-16)
fix: return invalid_grant instead of invalid_request in refresh flow (#427)
Return invalid_grant instead of invalid_request when in authorization code flow when the user is not the owner of the authorization code or if the redirect uri doesn't match from the authorization request.
Co-authored-by: Damien Bravin [email protected]
-
List all response types in example memory store (#413) (427d40d), closes #304
-
Return invalid_grant instead of invalid_request in refresh flow (#427) (f5a0e96):
Return invalid_grant instead of invalid_request when in authorization code flow when the user is not the owner of the authorization code or if the redirect uri doesn't match from the authorization request.
- Fix various typos (#415) (719aaa0)
- Replace Discord with Slack (#412) (d8591bb)
- Update github templates (#424) (d37fc4b)
- Update github templates (#425) (0399871)
- Update SetSession comment (#423) (32951ab)
- Updates issue and pull request templates (#419) (d804da1)
0.31.0 (2020-03-29)
Merge pull request from GHSA-v3q9-2p3m-7g43
-
u
-
u
-
Merge pull request from GHSA-v3q9-2p3m-7g43 (0c9e0f6):
-
u
-
u
-
0.30.6 (2020-03-26)
fix: handle serialization errors that can be thrown by call to 'Commit' (#403)
- Update forum and chat links (b1ba04e)
0.30.5 (2020-03-25)
fix: handle concurrent transactional errors in the refresh token grant handler (#402)
This commit provides the functionality required to address ory/hydra#1719 & ory/hydra#1735 by adding error checking to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method so it can deal with errors due to concurrent access. This will allow the authorization server to render a better error to the user-agent.
No longer returns fosite.ErrServerError in the event the storage. Instead a wrapped fosite.ErrNotFound is returned when fetching the refresh token fails due to it no longer being present. This scenario is caused when the user sends two or more request to refresh using the same token and one request gets into the handler just after the prior request finished and successfully committed its transaction.
Adds unit test coverage for transaction error handling logic added to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method
-
Handle concurrent transactional errors in the refresh token grant handler (#402) (b17190b):
This commit provides the functionality required to address ory/hydra#1719 & ory/hydra#1735 by adding error checking to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method so it can deal with errors due to concurrent access. This will allow the authorization server to render a better error to the user-agent.
No longer returns fosite.ErrServerError in the event the storage. Instead a wrapped fosite.ErrNotFound is returned when fetching the refresh token fails due to it no longer being present. This scenario is caused when the user sends two or more request to refresh using the same token and one request gets into the handler just after the prior request finished and successfully committed its transaction.
Adds unit test coverage for transaction error handling logic added to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method
0.30.4 (2020-03-17)
fix: add ability to specify amr values natively in id_token payload (#401)
See ory/hydra#1756
- Add ability to specify amr values natively in id_token payload (#401) (f99bb80), closes ory/hydra#1756
0.30.3 (2020-03-04)
fix: Support RFC8252#section-7.3 Loopback Interface Redirection (#400)
Closes #284
- Merge request ID as well (#398) (67c081c), closes #386
- Support RFC8252#section-7.3 Loopback Interface Redirection (#400) (4104135), closes RFC8252#section-7 #284
- Add undocumented ExactScopeStrategy (#395) (387cade)
- Updates issue and pull request templates (#393) (cdefb3e)
- Updates issue and pull request templates (#394) (119e6ab)
-
Add ExactOne and MatchesExact to Arguments (#399) (cf23400):
Previously Arguments.Exact had vague semantic where it coudln't distinguish between value with a space and multiple values. Split it into 2 functions with clear semantic.
Old .Exact() remains for compatibility and marked as deprecated
0.30.2 (2019-11-21)
Return state parameter in authorization error conditions (#388)
Related to ory/hydra#1642
- Return state parameter in authorization error conditions (#388) (3ece795), closes #388 ory/hydra#1642
- Revert incorrect license changes (40a49f7)
0.30.1 (2019-09-23)
pkce: Enforce verifier formatting (#383)
0.30.0 (2019-09-16)
handler/pkce: Enable PKCE for private clients (#382)
-
handler/pkce: Enable PKCE for private clients (#382) (e21830e), closes #382
-
Add RefreshTokenScopes Config (#371) (bcc7859), closes #371:
When set to true, this will return refresh tokens even if the user did not ask for the offline or offline_access Oauth Scope.
0.29.8 (2019-08-29)
handler/revoke: respecting ErrInvalidRequest code (#380)
This commit modifies the case for ErrInvalidRequest in WriteRevocationResponse to respect the 400 error code and not fallthrough to ErrInvalidClient.
Author: DefinitelyNotAGoat [email protected]
- Updates issue and pull request templates (#376) (165e93e)
- Updates issue and pull request templates (#377) (40590cb)
- Updates issue and pull request templates (#378) (54426bb)
-
handler/revoke: respecting ErrInvalidRequest code (#380) (cc34bfb), closes #380:
This commit modifies the case for ErrInvalidRequest in WriteRevocationResponse to respect the 400 error code and not fallthrough to ErrInvalidClient.
Author: DefinitelyNotAGoat [email protected]
0.29.7 (2019-08-06)
pkce: Return error when PKCE is used with private clients (#375)
- Fix method/struct documents (#360) (ad06f22)
- Updates issue and pull request templates (#361) (35157e2)
- Updates issue and pull request templates (#365) (90a3c50)
- Updates issue and pull request templates (#366) (27c64ec)
- Updates issue and pull request templates (#367) (01cd955)
- Updates issue and pull request templates (#373) (5962474)
- Updates issue and pull request templates (#374) (9f7cf40)
0.29.6 (2019-04-26)
openid: Allow promp=none for https/localhost (#359)
Signed-off-by: aeneasr [email protected]
0.29.5 (2019-04-25)
core: Add debug log to invalid_client error(#358)
Signed-off-by: nerocrux [email protected]
0.29.3 (2019-04-17)
Export IsLocalhost
Signed-off-by: aeneasr [email protected]
0.29.2 (2019-04-11)
Allow providing a custom redirect URI checker (#355)
Signed-off-by: aeneasr [email protected]
0.29.1 (2019-03-27)
token: Improve rotated secret error reporting in HMAC strategy (#354)
Signed-off-by: aeneasr [email protected]
-
Improve rotated secret error reporting in HMAC strategy (#354) (f21d930)
-
Propagate session data properly (#353) (5ba0f04):
This example is slightly inaccurate; the session data will need to come from the returned AccessRequester, not the pre-created session. The session passed to IntrospectToken isn't mutated.
-
Update HISTORY.md, README.md, CONTRIBUTING.md (#347) (de5e61e):
- README: Breaks out
0.26.0
as was stuck inside a code block. - README: Ensures the later versions formats code blocks as Go code.
- Runs doctoc to ensure TOCs are up to date.
- README: Breaks out
0.29.0 (2018-12-23)
oauth2: add test coverage to exercise the transactional support in the AuthorizeExplicitGrantHandler's PopulateTokenEndpointResponse method.
Signed-off-by: Amir Aslaminejad [email protected]
- Add mock for storage.Transactional + update generate-mocks.sh (03f7bc8)
- Add test coverage to exercise the transactional support in the AuthorizeExplicitGrantHandler's PopulateTokenEndpointResponse method. (2f58f9e)
- Add test coverage to exercise the transactional support in the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method. (b38d7c8)
- Adds new interface
Transactional
which is to be implemented by storage providers that can support transactions. (c364b33) - Don't double encode URL fragments (#346) (1f41934), closes #345
- Use transactions in the auth code token flow (if the storage implementation implements the
Transactional
interface) to address #309 (e00c567) - Use transactions in the refresh token flow (if the storage implementation implements the
Transactional
interface) to address #309 (07d1a39)
0.28.1 (2018-12-04)
compose: Expose token entropy setting (#342)
Signed-off-by: nerocrux [email protected]
- Remove cryptopasta dependency (#339) (b156e6b), closes #339
- Expose token entropy setting (#342) (0761fca)
0.28.0 (2018-11-16)
oauth2: Add ability to specify refresh token lifespan (#337)
Set it to -1
to disable this feature. Defaults to 30 days.
Closes #319
Signed-off-by: arekkas [email protected]
-
Add ability to specify refresh token lifespan (#337) (fa65408), closes #319:
Set it to
-1
to disable this feature. Defaults to 30 days.
0.27.4 (2018-11-12)
docs: Fix quickstart (#335)
- replace NewMemoryStore with NewExampleStore
- fix length of signing key
- fix config type
Signed-off-by: Peter Schultz [email protected]
-
Fix quickstart (#335) (25cc6c4):
- replace NewMemoryStore with NewExampleStore
- fix length of signing key
- fix config type
0.27.3 (2018-11-08)
oauth2: Set exp for authorize code issued by hybrid flow (#333)
Signed-off-by: nerocrux [email protected]
0.27.2 (2018-11-07)
pkce: Allow hybrid flows (#328)
Signed-off-by: Adam Shannon [email protected] Signed-off-by: Wenhao Ni [email protected]
-
Allow hybrid flows (#328) (cdfddc8):
Signed-off-by: Wenhao Ni [email protected]
0.27.1 (2018-11-03)
oauth2: Improve refresh security and reliability (#332)
This patch resolves several issues regarding the refresh flow. First, an issue has been resolved which caused the audience to not be set in the refreshed access tokens.
Second, scope and audience are validated against the client's whitelisted values and if the values are no longer allowed, the grant is canceled.
Closes #331 Closes #325 Closes #324
-
Improve refresh security and reliability (#332) (4e4121b), closes #331 #325 #324:
This patch resolves several issues regarding the refresh flow. First, an issue has been resolved which caused the audience to not be set in the refreshed access tokens.
Second, scope and audience are validated against the client's whitelisted values and if the values are no longer allowed, the grant is canceled.
0.27.0 (2018-10-31)
oauth2: Update jwt access token interface (#330)
The interface needed to change in order to natively handle the audience claim.
Signed-off-by: arekkas [email protected]
-
Introduce audience capabilities (#327) (e2441d2), closes #326:
This patch allows clients to whitelist audiences and request that audiences are set for oauth2 access and refresh tokens
-
Update jwt access token interface (#330) (2da9764):
The interface needed to change in order to natively handle the audience claim.
0.26.1 (2018-10-25)
hash: Raise bcrypt cost factor lower bound (#321)
Users of this library can easily create the following:
hasher := fosite.BCrypt{} hasher.Hash(..)
This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt).
Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed.
Signed-off-by: Adam Shannon [email protected]
-
Raise bcrypt cost factor lower bound (#321) (799fc70):
Users of this library can easily create the following:
hasher := fosite.BCrypt{} hasher.Hash(..)
This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt).
Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed.
0.26.0 (2018-10-24)
all: Rearrange commits with goreturns
Signed-off-by: aeneasr [email protected]
0.25.1 (2018-10-23)
handler/openid: Populate at_hash in explicit/refresh flows (#315)
Signed-off-by: Wenhao Ni [email protected]
- Updates issue and pull request templates (#313) (53c7b55)
- Updates issue and pull request templates (#314) (73ae623)
- Updates issue and pull request templates (#316) (64299bb)
- handler/openid: Populate at_hash in explicit/refresh flows (#315) (189589c), closes #315
- Fix typo in README.md (#312) (dcb83ae), closes #312
0.25.0 (2018-10-08)
Fix broken go modules tests (#311)
Signed-off-by: arekkas [email protected]
- Fix broken go modules tests (#311) (02ea4b1), closes #311
- Switch from dep to go modules (#310) (ac46a67), closes #310
0.24.0 (2018-09-27)
Propagate context in jwt strategies (#308)
Closes #307
Signed-off-by: Prateek Malhotra [email protected]
- Propagate context in jwt strategies (#308) (e1e18d6), closes #308 #307
- Use test tables for Hasher unit tests (#306) (499af11), closes #306
0.23.0 (2018-09-22)
Add breaking change to the Hasher interface to the change log
Signed-off-by: Amir Aslaminejad [email protected]
- Add breaking change to the Hasher interface to the change log (805e0e9)
- Update BCrypt to adhere to new Hasher interface (938e50a)
- Update Hasher to take in context (02f19fa)
0.22.0 (2018-09-19)
jwt: update JWTStrategy to take in context (#302)
Signed-off-by: Amir Aslaminejad [email protected]
- Update PR template (3920be2)
- Add github issue and PR templates (b630f54)
- Update JWTStrategy to take in context (#302) (514fdbd)
0.21.5 (2018-08-31)
openid: Allow JWT from id_token_hint to be expired (#299)
Signed-off-by: arekkas [email protected]
0.21.4 (2018-08-26)
token/hmac: Add ability to rotate HMAC keys (#298)
Signed-off-by: arekkas [email protected]
0.21.3 (2018-08-22)
compose: Pass ID Token configuration to strategy (#297)
Resolves an issue where expiry and issuer where not properly configurable in the strategy.
See ory/hydra#985
Signed-off-by: arekkas [email protected]
-
Pass ID Token configuration to strategy (#297) (a07ce27):
Resolves an issue where expiry and issuer where not properly configurable in the strategy.
See ory/hydra#985
0.21.2 (2018-08-07)
openid: Validate id_token_hint only via ID claims (#296)
Signed-off-by: arekkas [email protected]
0.21.1 (2018-07-22)
Improve token_endpoint_auth_method error message (#294)
Signed-off-by: arekkas [email protected]
-
Improve token_endpoint_auth_method error message (#294) (7820fb2), closes #294
-
Run standard gofmt command on project root.
- go version go1.10.3 darwin/amd64
0.21.0 (2018-06-23)
Makes error messages easier to debug for end-users
- Fixes header image in README (4907d60)
-
Makes error messages easier to debug for end-users (5688a1c)
-
Adds errors for request and registration parameters (920ed71)
-
Adds OIDC request/request_uri support (c7abcca)
-
Adds private_key_jwt authentication method (baa4cf1)
-
Adds proper error responses to request object (f483262)
-
Disallow empty response_type in request (cf2eb85)
-
Do not require id_token response type for auth_code (#288) (edc4910):
Before this patch, the
id_token
response type was required whenever an ID Token was requested. This patch changes that. -
Implements oidc compliant response_type validation (f950b9e)
-
Return unsupported_response_type in validator (a24708e)
-
Uses JWTStrategy in oauth2.DefaultStrategy (e2d2e75)
-
Uses JWTStrategy interface in openid.DefaultStrategy (517fdc5), closes #252
0.20.3 (2018-06-07)
Allows multipart content type as alternative to x-www-form-urlencoded (#285)
0.20.2 (2018-05-29)
openid: Merge duplicate aud claim values (#283)
0.20.1 (2018-05-29)
Uses query instead of fragment when handling unsupported response type (#282)
- Uses query instead of fragment when handling unsupported response type (#282) (57b1471), closes #282
- Updates upgrade guide (a958ab8)
0.20.0 (2018-05-28)
oauth2: Resolves several issues related to revokation (#281)
This patch resolves several issues related to token revokation as well as duplicate authorize code usage:
- oauth2: Revoking access or refresh tokens should revoke past and future tokens too
- oauth2: Revoke access and refresh tokens when authorize code is used twice
Additionally, this patch resolves an issue where refreshing a token would not revoke previous tokens.
Closes #278 Closes #280
-
Resolves several issues related to revokation (#281) (72bff7f), closes #278 #280:
This patch resolves several issues related to token revokation as well as duplicate authorize code usage:
- oauth2: Revoking access or refresh tokens should revoke past and future tokens too
- oauth2: Revoke access and refresh tokens when authorize code is used twice
Additionally, this patch resolves an issue where refreshing a token would not revoke previous tokens.
-
Sets audience to a string array (#279) (2d58a58), closes #215
0.19.8 (2018-05-24)
authorize: Fixes implicit detection in error writer (#277)
0.19.7 (2018-05-24)
openid: Use claims.RequestedAt for a reference of "now" (#276)
Previously, time.Now() was used to get a reference of "now". However, this caused short max_age values to fail if, for example, the consent screen took a long time. This patch now uses the "requested_at" claim value to determine a sense of "now" which should resolve the mentioned issue.
-
Use claims.RequestedAt for a reference of "now" (#276) (91e7a4c):
Previously, time.Now() was used to get a reference of "now". However, this caused short max_age values to fail if, for example, the consent screen took a long time. This patch now uses the "requested_at" claim value to determine a sense of "now" which should resolve the mentioned issue.
0.19.6 (2018-05-24)
openid: Issue ID Token on implicit code flow as well
- Issue ID Token on implicit code flow as well (180c749)
0.19.5 (2018-05-23)
jwt: Add JTI to counter missing nonce
0.19.4 (2018-05-20)
core: Checks scopes before dispatching handlers (#272)
0.19.3 (2018-05-20)
openid: Resolves timing issues in JWT strategy (#271)
0.19.2 (2018-05-19)
openid: Resolves timing issues by setting now to the future (#270)
0.19.1 (2018-05-19)
openid: Improves validation errors and uses UTC everywhere (#269)
0.19.0 (2018-05-17)
openid: Improves prompt, max_age and id_token_hint validation (#268)
This patch improves the OIDC prompt, max_age, and id_token_hint validation.
-
Improves prompt, max_age and id_token_hint validation (#268) (7ccad77):
This patch improves the OIDC prompt, max_age, and id_token_hint validation.
0.18.1 (2018-05-01)
openid: Adds a validator used to validate OIDC parameters (#266)
The validator, for now, validates the prompt parameter of OIDC requests.
-
Adds a validator used to validate OIDC parameters (#266) (91c9d19):
The validator, for now, validates the prompt parameter of OIDC requests.
0.18.0 (2018-04-30)
oauth2: Introspection should return token type (#265)
Closes #264
This patch allows the introspection handler to return the token type (e.g. access_token
, refresh_token
) of the
introspected token. To achieve that, some breaking API changes have been introduced:
OAuth2.IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (AccessRequester, error)
is nowOAuth2.IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (TokenType, AccessRequester, error)
.TokenIntrospector.IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (error)
is nowTokenIntrospector.IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (TokenType, error)
.
This patch also resolves a misconfigured json key in the IntrospectionResponse
struct. AccessRequester AccessRequester json:",extra"
is now properly declared as AccessRequester AccessRequester json:"extra"
.
0.17.2 (2018-04-26)
core: Regression fix for request ID in refresh token flow (#262)
Signed-off-by: Beorn Facchini [email protected]
- handler/oauth2: Returns request unauthorized error on invalid password credentials (#261) (cca6af4), closes #261
- Regression fix for request ID in refresh token flow (#262) (99029e0)
0.17.1 (2018-04-22)
core: Adds ExactScopeStrategy (#260)
The ExactScopeStrategy performs a simple string match (case sensitive) of scopes.
-
Adds ExactScopeStrategy (#260) (0fcdf33):
The ExactScopeStrategy performs a simple string match (case sensitive) of scopes.
0.17.0 (2018-04-08)
core: Sanitizes request body before sending it to the storage adapter (#258)
This release resolves a security issue (reported by platform.sh) related to potential storage implementations. This library used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused, with the addition of enabling POST-body based client authentication, the client secret to be leaked.
The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This lead to two breaking changes in the API:
- The
fosite.Requester
interface has a new methodSanitize(allowedParameters []string) Requester
which returns a sanitized clone of the method receiver. If you do not use your ownfosite.Requester
implementation, this won't affect you. - If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods
to be added work exactly like, for example
CreateAuthorizeCodeSession
. The method signatures are as follows:
type PKCERequestStorage interface {
GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
DeletePKCERequestSession(ctx context.Context, signature string) error
}
We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.
We would like to thank platform.sh for sponsoring the development of a patch that resolves this issue.
-
Sanitizes request body before sending it to the storage adapter (#258) (018b5c1):
This release resolves a security issue (reported by platform.sh) related to potential storage implementations. This library used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused, with the addition of enabling POST-body based client authentication, the client secret to be leaked.
The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This lead to two breaking changes in the API:
- The
fosite.Requester
interface has a new methodSanitize(allowedParameters []string) Requester
which returns a sanitized clone of the method receiver. If you do not use your ownfosite.Requester
implementation, this won't affect you. - If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods
to be added work exactly like, for example
CreateAuthorizeCodeSession
. The method signatures are as follows:
type PKCERequestStorage interface { GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error DeletePKCERequestSession(ctx context.Context, signature string) error }
We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.
We would like to thank platform.sh for sponsoring the development of a patch that resolves this issue.
- The
0.16.5 (2018-03-17)
introspection: Improves debug messages (#254)
- Resolves minor code documentation misspellings (#248) (c580d79)
- Resolves minor spelling mistakes (#250) (7fbd246)
- Updates chat badge to discord (b6380be)
- docs : Fixes typo in README (#249) (d05fadf), closes #249
- Adds email to license notice (77fa262)
- Improves debug messages (#254) (338399b)
- Updates license header (85bdbcb)
- Updates license notice (917401c)
- Updates years in license headers (77df218)
- Updates years in license headers (d8458ab)
0.16.4 (2018-02-07)
handler: Adds PKCE implementation for none and S256 (#246)
This patch adds support for PKCE (https://tools.ietf.org/html/rfc7636) which is used by native apps (mobile) and prevents eavesdropping attacks against authorization codes.
PKCE is enabled by default but not enforced. Challenge method plain is disabled by default. Both settings can be changed using compose.Config.EnforcePKCE
and compose.config.EnablePKCEPlainChallengeMethod
.
Closes #213
-
Adds PKCE implementation for none and S256 (#246) (4512853), closes #213:
This patch adds support for PKCE (https://tools.ietf.org/html/rfc7636) which is used by native apps (mobile) and prevents eavesdropping attacks against authorization codes.
PKCE is enabled by default but not enforced. Challenge method plain is disabled by default. Both settings can be changed using
compose.Config.EnforcePKCE
andcompose.config.EnablePKCEPlainChallengeMethod
.
0.16.3 (2018-02-07)
introspection: Adds missing http header to response writer (#247)
The introspection response writer was missing application/json
in header Content-Type
. This patch fixes that.
Closes #209
-
Adds missing http header to response writer (#247) (f345ec1), closes #209:
The introspection response writer was missing
application/json
in headerContent-Type
. This patch fixes that.
0.16.2 (2018-01-25)
introspection: Decodes of Basic Authorization username/password (#245)
Signed-off-by: Dmitry Dolbik [email protected]
0.16.1 (2017-12-23)
compose: Makes SendDebugMessages first class citizen (#243)
0.16.0 (2017-12-23)
Adds ability to forward hints and debug messages to clients (#242)
0.15.6 (2017-12-21)
handler/oauth2: Adds offline_access alias for refresh flow
- handler/oauth2: Adds offline_access alias for refresh flow (2aa8e70)
0.15.5 (2017-12-17)
Returns the correct error on duplicate auth code use
- Returns the correct error on duplicate auth code use (95d5f58)
0.15.4 (2017-12-17)
Improves http error codes
- Improves http error codes (6831f75)
0.15.3 (2017-12-17)
Resolves overriding auth_time with wrong value
- Resolves overriding auth_time with wrong value (c85b32d)
0.15.2 (2017-12-10)
Adds ability to catch non-conform OIDC authorizations
Fosite is now capable of detecting authorization flows that are not conformant with the OpenID Connect spec.
-
Adds ability to catch non-conform OIDC authorizations (97fbeb3):
Fosite is now capable of detecting authorization flows that are not conformant with the OpenID Connect spec.
-
Forces use of UTC time zone everywhere (4c7e4e5)
0.15.1 (2017-12-10)
token/jwt: Adds ability to specify acr value natively in id token payload
- token/jwt: Adds ability to specify acr value natively in id token payload (b87ca49)
0.15.0 (2017-12-09)
Upgrades history.md
- Updates history.md (9fc25a8)
- Upgrades history.md (87c37c3)
- Improves test coverage report by removing internal package from it (831f56a)
- Resolves test issues and reverts auth code revokation patch (59fc47b)
- Improves error debug messages across the project (7ec8d19)
- handler/oauth2: Adds token revokation on authorize code reuse (2341dec)
- handler/oauth2: Improves authorization code error handling (d6e0fbd)
- Allows client credentials in POST body and solves public client auth (392c191), closes #231 #217
- Updates mocks and mock generation (1f9d07d)
0.14.2 (2017-12-06)
Makes use of rfcerr in access error endpoint writer explicit
- Makes use of rfcerr in access error endpoint writer explicit (701d850)
0.14.1 (2017-12-06)
Exports ErrorToRFC6749Error again (#228)
0.14.0 (2017-12-06)
Simplifies error contexts (#227)
Simplifies how errors are instantiated. Errors now contain all necessary information without relying on fosite.ErrorToRFC6749Error
any more. fosite.ErrorToRFC6749Error
is now an internal method and was renamed to fosite.errorToRFC6749Error
.
-
Simplifies error contexts (#227) (8961d86), closes #227:
Simplifies how errors are instantiated. Errors now contain all necessary information without relying on
fosite.ErrorToRFC6749Error
any more.fosite.ErrorToRFC6749Error
is now an internal method and was renamed tofosite.errorToRFC6749Error
.
0.13.1 (2017-12-04)
handler/oauth2: Client IDs in revokation requests must match now (#226)
Closes #225
- handler/oauth2: Client IDs in revokation requests must match now (#226) (83136a3), closes #226 #225
- Add license header to all source files (#222) (dd9398e), closes #222 #221
- Update go version (#220) (ff751ee)
0.13.0 (2017-10-25)
vendor: replace glide with dep
- Replace glide with dep (ec43e3a)
0.12.0 (2017-10-25)
scripts: fix goimports import path
- token/hmac: replace custom logic with copypasta (b4b9be5)
- Add 0.12.0 to TOC (a2e3a47)
- Add format helper scripts (92c73ae)
- Add goimports to install section (4f5df70)
- Fix goimports import path (65743b4)
- Format files with goimports (c87defe)
- Replace nil checks with Error/NoError (7fe1f94)
- Update to go 1.9 (c17222c)
- Use go-acc and test format (47fd477)
0.11.4 (2017-10-10)
handler/oauth2: set expiration time before the access token is generated (#216)
Signed-off-by: Nikita Vorobey [email protected]
- Update banner (d6cf027)
- handler/oauth2: set expiration time before the access token is generated (#216) (0911eb0), closes #216
0.11.3 (2017-08-21)
oauth2/ropc: Set expires at for password credentials flow (#210)
Signed-off-by: Beorn Facchini [email protected]
-
Fixes documentation oauth2 variable and updates old method (#205) (fa50c80):
It seems that the documentation was declaring as OAuth2Provider the variable
oauth2Provider
whereas it used a non-declared variableoauth2
. I renamedoauth2
into the variable declaredoauth2Provider
.Furthermore, on line 333, the IntrospectToken method was called without the TokenType argument. I added the fosite.AccessToken type.
-
Update docs on scope strategy (68119ca)
- oauth2/ropc: Set expires at for password credentials flow (#210) (461b38f), closes #210
- oauth2/introspection: configure core validator with access only option (#208) (80cae74), closes #208
- Add more test cases (c45a37d)
0.11.2 (2017-07-09)
scope: resolve haystack needle mixup - closes #201
0.11.1 (2017-07-09)
token/jwt: add claims tests
- token/jwt: add claims tests (c55d679)
- handler/openid: only refresh id token with id_token response type (dd2463a), closes #199
- Add tests for nil sessions (d67d52d)
0.11.0 (2017-07-09)
handler/oauth2: update docs
- handler/oauth2: update docs (63f329b)
- handler/oauth2: remove code validity check from test (664d1a6)
- handler/oauth2: first retrieve, then validate (ab72cba)
- handler/oauth2: set requested at date in auth code test (edd4084)
- handler/oauth2: resolve travis time mismatch (ec6534c)
- handler/oauth2: simplify storage interface (361b368), closes #194
- handler/oauth2: use hmac strategy for jwt refresh tokens (#190) (56c88c0), closes #190 #180
- handler/openid: refresh token handler for oidc (#193) (04888c5), closes #193 #181
- Gofmt (7a998fe)
- Implement new wildcard strategy - closes #188 (e03e99e)
- Revoke access tokens when refreshing (bb74955), closes #167
- Run goimports (35941c2)
- Use deepcopy not gob encoding - closes #191 (823db5b)
0.10.0 (2017-07-06)
oauth2/introspector: remove auth code, refresh scopes (#187)
Removes authorize code introspection in the HMAC-based strategy and now checks scopes of refresh tokens as well.
-
oauth2/introspector: remove auth code, refresh scopes (#187) (ef8f175), closes #187:
Removes authorize code introspection in the HMAC-based strategy and now checks scopes of refresh tokens as well.
-
Separate test dependencies (#186) (71451f0):
- vendor: Move testify to testImport
- test: Move Assert/Require helpers to _test pkg
0.9.7 (2017-06-28)
handler/openid: remove forced nonce (#185)
Signed-off-by: Wyatt Anderson [email protected]
0.9.6 (2017-06-21)
oauth2: basic auth should decode client id and secret
closes #182
0.9.5 (2017-06-08)
handler/oauth2: grant scopes before the access token is generated (#177)
Signed-off-by: Nikita Vorobey [email protected]
0.9.4 (2017-06-05)
introspection: return with active set false on token error (#176)
0.9.3 (2017-06-05)
vendor: remove unnecessary go-jose import (#175)
0.9.2 (2017-06-05)
Resolve issues with error handling (#174)
-
errors: do not convert errors compliant with rfcerrors
-
handler/oauth2: improve redirect message for insecure http
-
Resolve issues with error handling (#174) (9abdfd0), closes #174:
-
errors: do not convert errors compliant with rfcerrors
-
handler/oauth2: improve redirect message for insecure http
-
0.9.1 (2017-06-04)
vendor: clean up dependencies (#173)
- vendor: remove stray github.com/Sirupsen/logrus
- vendor: remove common lib
-
Clean up dependencies (#173) (524d3b6):
- vendor: remove stray github.com/Sirupsen/logrus
- vendor: remove common lib
0.9.0 (2017-06-03)
docs: add 0.9.0 release note
- Add 0.9.0 release note (852cf82)
- Enable fosite composing with custom hashers. (#170) (d70d882)
- Removed implicit storage as its never used - closes #165 (#171) (fe74027)
0.8.0 (2017-05-18)
docs: add notes for breaking changes that come with 0.8.0
- Add notes for breaking changes that come with 0.8.0 (d5fafb8)
-
Added context to GetClient storage interface (#162) (974585d), closes #161
-
Removed *http.Request from interfaces that access request objects (786b971):
-
removed the requirement to *http.Request for endpoints and response object, they are resolvable trough the request.GetRequestForm
-
updated readme to reflect changes to implementation
-
run goimports on internal dir added goimports command to generate-mocks.sh to force first run after generating the mock files
-
-
Set authorize code expire time before persist (#166) (305a74f)
0.7.0 (2017-05-03)
vendor: glide update
- Add breaking changes note (7d726e1)
- Glide update (575dd79)
- Goimports (1cb7e26)
- Move to new org (bd13085)
- Replace golang.org/x/net/context with context (6b1d931)
0.6.19 (2017-05-03)
access: revert regression issue introduced by #150
- Revert regression issue introduced by #150 (6f13d58)
- Revert regression issue introduced by #150 (6bb4135)
0.6.18 (2017-04-14)
oauth2: basic auth should www-url-decode client id and secret - closes #150
-
handler/oauth2: removes RevokeHandler from JWT introspector (#155) (344dbef), closes #155:
- Removes RevokeHandler from JWT Introspector
RevokeHandler has been removed because it conflicts with Stateless JWT accesstokens and revocable hmac refresh tokens. The readme has been updated to warn users about possible misconfiguration.
- Moves text back to correct section
-
Allow localhost subdomains such as blog.localhost:1234 (5e1c890)
-
Basic auth should www-url-decode client id and secret - closes #150 (ad395bf)
-
Get the token from the access_token query parameter (#156) (9edac04)
0.6.17 (2017-02-24)
readme: update badges to ory
- revert unintentional change (14a18a7)
- make stateless validator return an error on revocation (f8f7978)
- dont client id for aud (a39200b)
- handler/oauth2: allow stateless introspection of jwt access tokens (c2d2ac2)
- Redirect uris should ignore cases during matching - closes #144 (4b88774)
- Update badges to ory (9b33931)
0.6.15 (2017-02-11)
errors: fixed typo in acccess_error
- Fixed typo in acccess_error (08b2242)
0.6.14 (2017-01-08)
allow public clients to revoke tokens with just an ID
This functionality is described in the OAuth2 spec here: https://tools.ietf.org/html/rfc7009#section-5
-
allow public clients to revoke tokens with just an ID (7b94f47), closes /tools.ietf.org/html/rfc7009#section-5
-
Conform to RFC 6749 (c404554), closes /tools.ietf.org/html/rfc6749#section-5:
Section 5.2 specifies the parameters for access error responses; the "error" and "error_description" parameters are misnamed.
0.6.13 (2017-01-08)
request: fix SetRequestedScopes (#139)
Signed-off-by: Peter Schultz [email protected]
0.6.12 (2017-01-02)
authorize: allow custom redirect url schemas
0.6.11 (2017-01-02)
openid: c_hash / at_hash should use url-safe base64 encoding
- C_hash / at_hash should use url-safe base64 encoding (33d4414)
0.6.10 (2016-12-29)
openid: c_hash / at_hash should be string not byte slice
- C_hash / at_hash should be string not byte slice (b489cc9)
0.6.9 (2016-12-29)
oauth2/implicit: fix redirect url on error Signed-off-by: Nikita Vorobey [email protected]
- oauth2/implicit: fix redirect url on error (435288c)
0.6.8 (2016-12-20)
lint: gofmt -w -s .
0.6.7 (2016-12-06)
access: response expires in should be int, not string
- Response expires in should be int, not string (a2080a3)
0.6.6 (2016-12-06)
errors: add inactive token error
- Add content type to error response (75aad53)
- Add inactive token error (0151f1e)
- Resolve broken test (51ab7bb)
0.6.5 (2016-12-04)
introspection: always return the error
- Always return the error (366b4c1)
0.6.4 (2016-11-29)
token/jwt: Allow single element string arrays to be treated as strings
This commit allows aud
to be passed in as a single element array
during consent validation on Hydra. This fixes
ory/hydra#314.
Signed-off-by: Son Dinh [email protected]
-
token/jwt: Allow single element string arrays to be treated as strings (5388e10):
This commit allows
aud
to be passed in as a single element array during consent validation on Hydra. This fixes ory/hydra#314.
0.6.2 (2016-11-25)
oauth2/introspection: endpoint responds to invalid requests appropriately (#126)
- oauth2/introspection: endpoint responds to invalid requests appropriately (#126) (9360f64), closes #126
0.6.1 (2016-11-17)
core: resolve issues with token introspection and sessions
- Resolve issues with token introspection and sessions (895d169)
0.6.0 (2016-11-17)
core: resolve session referencing issue (#125)
- Comply with Go license terms - closes #123 (4c4507f)
- Resolve session referencing issue (#125) (81a3229)
0.5.1 (2016-10-22)
handler/oauth2: set JWT ExpiresAt claim per TokenType from the session (#121)
Signed-off-by: Cristian Graziano [email protected]
- handler/oauth2: set JWT ExpiresAt claim per TokenType from the session (#121) (66170ae), closes #121
- oauth2/introspection: do not include the session in the response (daad271)
0.5.0 (2016-10-17)
0.5.0 (#119)
- all: resolve regression issues introduced by 0.4.0 - closes #118
- oauth2: introspection handler excess calls - closes #117
- oauth2: inaccurate expires_in time - closes #72
0.4.0 (2016-10-16)
all: clean up, resolve broken tests
- Add danilobuerger and jrossiter to hall of fame (f864e26)
- Add offline note to readme (60a7672)
- Document reasoning for interface{} in compose package - closes #94 (f193012)
- Allow public clients to access token endpoint - closes #78 (cbe433e)
- Clean up, resolve broken tests (1041e67)
- Flatten package hierarchy and merge files - closes #93 (9b7ba80)
- Reduce third party dependencies - closes #116 (5ec5cff)
- Split library and example - closes #92 (6d76d35)
0.3.6 (2016-10-07)
oauth2: added refresh token generation for password grant type (#107)
- oauth2: added refresh token generation for password grant type when offline scope is requested
Signed-off-by: Jason Rossiter [email protected]
-
Added refresh token generation for password grant type (#107) (81c3cbd):
- oauth2: added refresh token generation for password grant type when offline scope is requested
0.3.5 (2016-10-06)
handler/oauth2: resolve issues with refresh token flow (#110)
- handler/oauth2/refresh: requestedAt time is not reset - closes #109
- handler/oauth2/refresh: session is not transported to new access token - closes #108
- handler/oauth2: resolve issues with refresh token flow (#110) (bef6197), closes #110 #109 #108
- Add tests to request state (8c7c77e)
0.3.4 (2016-10-04)
handler/oauth2: refresh token does not migrate original access data - closes #103 (#104)
- handler/oauth2: refresh token does not migrate original access data - closes #103 (#104) (8ffa0bc), closes #103 #104
0.3.3 (2016-10-03)
authorize: scopes should be separated by %20 and not +, to ensure javascript compatibility - closes #101 (#102)
- Scopes should be separated by %20 and not +, to ensure javascript compatibility - closes #101 (#102) (e61a25f)
0.3.2 (2016-09-22)
openid: resolves an issue with the explicit token flow
- Resolves an issue with the explicit token flow (aa1b854)
0.3.1 (2016-09-22)
0.3.1 (#98)
- all: better error handling - closes #100
- oauth2/implicit: bad HTML encoding of the scope parameter - closes #95
- oauth2: state parameter is missing when response_type=id_token - closes #96
- oauth2: id token hashes are not base64 url encoded - closes #97
- openid: hybrid flow using
token+code+id_token
returns multiple tokens of the same type - closes #99
- 0.3.1 (#98) (b16e3fc), closes #98 #100 #95 #96 #97 #99
- Add additional tests to HierarchicScopeStrategy (#81) (64e869c)
- Corrected grant type in comment (#82) (27ddd19)
- Removed unnecessary logging (#86) (cb328ca)
- Simplify scope comparison logic (7fb850e)
0.3.0 (2016-08-22)
vendor: jwt-go is now v3.0.0 (#77)
Signed-off-by: Alexander Widerberg [email protected]
- HierarchicScopeStrategy worngly accepts missing scopes (7faee6b)
- Jwt-go is now v3.0.0 (#77) (76ef7ea)
0.2.4 (2016-08-09)
all: resolve race condition and package fosite with glide
- Resolve race condition and package fosite with glide (66b53a9)
0.2.3 (2016-08-08)
vendor: commit missing lock file
- Commit missing lock file (be30574)
0.2.2 (2016-08-08)
vendor: updated go-jwt to use semver instead of gopkg
- Updated go-jwt to use semver instead of gopkg (3b66309)
0.2.1 (2016-08-08)
core: remove unused fields and methods from client
0.2.0 (2016-08-06)
all: composable factories, better token validation, better scope handling and simplify structure
- readme: add gitter chat badge closes #67
- handler: flatten packages closes #70
- openid: don't autogrant openid scope - closes #68
- all: clean up scopes / arguments - closes #66
- all: composable factories - closes #64
- all: refactor token validation - closes #63
- all: remove mandatory scope - closes #62
- Composable factories, better token validation, better scope handling and simplify structure (a92c755), closes #67 #70 #68 #66 #64 #63 #62
0.1.0 (2016-08-01)
oauth2: implicit handlers do not require tls over https (#61)
closes #60
- New api signatures (8a830d3)
-
Add -d option to go get (0e63038)
-
Define implicitHandler (745a4df):
Someone forgot to rename the variable name when copy-pasting in the example.
-
Document new token generation and validation (ddef55b)
-
Drafted workflows (4ad1d14)
-
Explain what handlers are (48ca03b)
-
Fix typos in readme (b9ed7ac)
-
Readme (a5aa697)
-
Readme (f77fd41)
-
Readme (e143d8c)
-
Readme (d483568)
-
Updated authorize section (9c21afb)
-
Updated readme docs (336a2cd)
-
updated gif (39c239f)
-
gofmt (f813288)
-
updated example gif (29b39ea)
-
added open id connect to example (6f0ce68)
-
added integration tests (8d47f80)
-
added doc to fix travis (a0db129)
-
Add go report card (204c5d6)
-
Clean-up fosite-example/main.go link in README.md (497ff80):
The README url to the suggested example was broken.
-
Added jti as parameter to claims helper to privide better interface to developers (bde3822)
-
Added missing jti claim (26f41a0)
-
Added NOTE (64516f8)
-
Removed unnecessary print. Added bugfix from Arekkas. (96458b6)
-
Example updated (5022339)
-
Added working example of jwt token (9410fca)
-
Added tests. Still need to verify implemtation with test (1ebdd88)
-
WIP (caaa43a)
-
readme (c97d844)
-
readme (fe24f26)
-
readme (be8cd23)
-
refactor done (unstaged) (625f168)
-
unstaged (6c616b1)
-
unstaged (17ad70b)
-
Include user session data in all calls to storage handlers. (2be3fc1)
-
unstaged (fde7c80)
-
unstaged (e775aad)
-
unstaged (ae2fc16)
-
handler/core: fixed tests (7f5938a)
-
core handlers: added tests (e9affb7)
-
authorize/explicit ✓ (d61635b)
-
authorize/explicit: minor name refactoring and tests for authorize endpoint (4736e28)
-
plugin/token: fix import path (fdba2f7)
-
unstaged (f939597)
-
Initial commit (7adad58)
-
Access code request workflow finalized (0232918)
-
Access request api draft (9f482ef)
-
Add api stability section (3ca6ec9)
-
Add go-rethink tags (49c82bc)
-
Add ValidateToken to CoreValidator (4c2b9d8)
-
Added authorize code grant example (269c5fa)
-
Added client grant and did some renaming (75c8179)
-
Added cristiangraz to the hall of fame (1b6e2b4)
-
Added danielchatfield to the hall of fame (2b988a8)
-
Added go 1.6 (ae41a0a)
-
Added go1.4 to allowed failures (49aa920)
-
Added grant and response type validation (f524fc2)
-
Added json and gorethink tags (99c836c)
-
Added missing file (8fc1615)
-
Added owner method (78012ed)
-
Added tests fragment capabilities to writeresponse (6df0eca)
-
Api cleanup, gofmt (3d6e8b6)
-
Api refactor (d936c91)
-
Basic draft (480af91)
-
Defined OAuth2.HandleResponseTypes (30b6e74):
Incorporated feedback from GitHub, did refactoring and renaming, added tests
-
Enforce https for all redirect endpoints except localhost (d65b45a)
-
Finalized auth endpoint, added tests, added integration tests (c6dcb90)
-
Finalized token endpoint api (8de3f10)
-
Finished up integration tests (a6d027e)
-
Fix broken test (653e324)
-
Fix config (82e9332)
-
Fix deps (bcc6a07)
-
Fix unique scope tests (3ac3a79)
-
Fixed granted scope match (13b7efa)
-
Fixed racy tests (f0b691d)
-
Fixed tests (8bf73e3)
-
Fixed tests refactor broke (5da857b)
-
Fixed urls (58908b8)
-
Fixed wrongfully set constant ErrTemporaryUnvailableName (71a9105), closes #9
-
Generic claims and headers (1f2e97f)
-
Godep save (c457104)
-
Goimports (8b9816c)
-
Goimports (96be194)
-
Implemented all core grant types (ce0a849)
-
Implemented and documented examples (8c625c9)
-
Implemented new token generator based on hmac-sha256 (01f9ede), closes #11
-
Implemented validator for access tokens (4140422)
-
Implicit handlers do not require tls over https (#61) (6c40c08), closes #60
-
Improve handling of expiry and include a protected api example (dfb047d)
-
Improve strategy API (21f5e8c)
-
Increased coverage (83194b6)
-
Issue refresh token only when 'offline' scope is set (34068b9), closes #47
-
Made hybrid flow optional (08ddbae)
-
Major refactor, use enigma, finalized authorize skeleton (38bacd3), closes #8 #11
-
More test cases (1188750)
-
More tests (164506a)
-
Moved to root package, updated docs (1871702)
-
Moved to root package, updated docs (5b9b20c)
-
No "session" secret required (d1f45ad)
-
Preview (ba84987)
-
Refactor (eb9153c)
-
Refactor, fixed tests, incorporated feedback (9e59df2)
-
Refactoring, more tests (df79a81)
-
Refactoring, renaming, docs (e5476d1)
-
Refactoring, renaming, more tests (9467ca8)
-
Remove duplicate field (e134351)
-
Remove store mock (80c14f7)
-
Rename fields name to client_name and secret to client_secret (99ce066)
-
Renaming and refactoring (d3697bd)
-
Replace pkg.ErrNotFound with fosite.ErrNotFound (4390c49)
-
Request should return unique scopes (af66918)
-
Resolve an issue where query params could be used instead of post body (7eb85c6)
-
Resolve danger of not reading enough bytes (c68a3e9)
-
Resolve id token issues with empty claims (89c60c9)
-
Resolve scope issues (#55) (9d54b98):
handler: resolve scope issues
-
Sanitized tests and apis (12c70bb)
-
Tests for client credentials flow (c13298c)
-
Tests for resource owner password credentials grant (f503615)
-
Update (88e84de)
-
Updated example and added implicit grant (d12fa5c)
-
Use jwt-go.v2 and fix bc break (f731d88)