All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
2.4.3 (2018-10-10)
- assign Discovery 1.0 defaults when discovering with .well-known (74b593e)
2.4.2 (2018-09-27)
2.4.1 (2018-09-16)
- lts/boron unsupported syntax fix (5289188)
2.4.0 (2018-09-16)
- OpenIdConnectError also returns session_state (95fae3d)
- stop sending state on the authorisation code token grant (c4c9e50)
2.3.1 (2018-08-23)
- apply safer, simpler www-authenticate parsing regex (ffce55a)
- only assign Discovery 1.0 defaults when Issuer is discovered (dca60b8)
2.3.0 (2018-08-11)
- authorization response parameter checking based on response_type (6e0ac57)
- passport strategy automatically checks response REQUIRED params (902eeed)
- 2018-07-10 DIFF
- improved discovery support of custom .well-known suffixes
- chores - refactoring, missing tests, cleanup
- 2018-07-04 DIFF
- added support for RFC8414 - OAuth 2.0 Authorization Server Metadata discovery
- 2018-06-28 DIFF
- fixed handling of bearer endpoint responses with www-authenticate headers only. fixes #102
- 2018-05-31 DIFF
- node-jose dependency bumped to major ^1.0.0 - fixes A\d{3}GCMKW symmetrical encryption support
- dependency updates
- 2018-05-25 DIFF
- fixed circular when serializing OpenIdConnectError
- base64url dependency update
- 2018-05-15 DIFF
- base64url dependency replaced
- 2018-05-10 DIFF
- dependency tree updates
- 2018-04-26 DIFF
- fixed client_secret_basic requiring the username and password tokens to be x-www-form-urlencoded according to https://tools.ietf.org/html/rfc6749#section-2.3.1
- NOTE: Although technically a fix, this is a breaking change when used with providers that also don't currently follow the standard. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). If your client_id and client_secret do not contain special characters that need encoding this does not affect you. If they do, try using client_secret_post instead.
- 2018-04-12 DIFF
- dropped support for Node.js v4.x due to its End-of-Life on 2018-04-30
- removed deprecated client#grantAuth
- removed deprecated way of passing keystore directly to Client#register
- removed support for passing client to OpenIDConnectStrategy as single argument, use new Strategy({ client }) instead of new Strategy(client)
- fixed a bug requiring nonce to be passed for response_type=none
- 2018-03-13 DIFF
- added documentation for OpenIdConnectError
- added error_uri from IdP responses to OpenIdConnectError instances
- fixed OpenIdConnectError messages to include error_description
- 2018-03-10 DIFF
- Issuer.discover now parses the provided URI instead of just inspecting the string. #80
- 2018-01-30 DIFF
- fixed edge cases of (and simplified) private id token decryption method
- 2018-01-22 DIFF
- fix return values of #authorizationCallback() for response_type=none to resolve a TokenSet
- 2018-01-16 DIFF
- fixed authorizationUrl to respect existing issuer authorization_endpoint query parameters
- 2018-01-15 DIFF
- adjusted the passport state mismatch related error message to hint developers at a local setup issue
- 2017-12-12 DIFF
- added maintained request wrapper and a simple api to use request instead of got
- 2017-12-05 DIFF
- bumped node-jose dependency
- 2017-11-25 DIFF
- fixed the order of several assert.equal calls to swap actual/expected descriptions
- added assertion error messages for passport strategy
- 2017-11-19 DIFF
- added option for the passport strategy to use PKCE
- updated http request library got dependency
- 2017-10-31 DIFF
- now uses client_secret_post as default for Issuer instances that do not support client_secret_basic but do signal support for client_secret_post in their discovery document
- 2017-10-13 DIFF
- added s_hash value validation support for ID Tokens returned by authorization endpoint
- fixed edge cases where a valid _hash from an invalid sha-length was accepted
- 2017-09-11 DIFF
- added support for Request Objects encrypted with symmetrical keys
- fixed PBES2 encryption to use client_secret derived symmetrical key instead of its full octet value
- 2017-09-09 DIFF
- added Passport Strategy passReqToCallback option, defaults to false
- 2017-08-24 DIFF
- added an optional keystore argument to Client#fromUri(uri, token, [keystore]) to pass a keystore with private asymmetrical keys
- fixed keystore check during constructor Client#new calls to check that only private asymmetrical keys are added
- 2017-08-11 DIFF
- explicitly specified accepted response type via accept: application/json header
- added state to token_endpoint calls for servers supporting mixup mitigation
- 2017-07-17 DIFF
- Allow session key to be specified in passport strategy options
- 2017-07-14 DIFF
- relaxed #callbackParams to allow IncomingMessage lookalikes
- update internal dependencies
- 2017-05-19 DIFF
- fixed default application_type from ['web'] to 'web'
- added barebones Issuer.httpClient setter to help advanced developers in complex environments to change the used http request client
- 2017-05-04 DIFF
- added pure OAuth 2.0 stripped down callback function #oauthCallback
- added an extra option for #userinfo requests to have extra params in either query or body
- 2017-04-30 DIFF
- added introspection/revocation specific client and issuer properties. To remain backwards compatible they default to their token endpoint counterparts
- issuer.revocation_endpoint_auth_methods_supported
- issuer.introspection_endpoint_auth_methods_supported
- issuer.revocation_endpoint_auth_signing_alg_values_supported
- issuer.introspection_endpoint_auth_signing_alg_values_supported
- client.revocation_endpoint_auth_method
- client.introspection_endpoint_auth_method
- client.revocation_endpoint_auth_signing_alg
- client.introspection_endpoint_auth_signing_alg
- 2017-04-29 DIFF
- bumped node-jose dependency to avoid github tar.gz dependencies
- adjusted token_endpoint_auth_method=none to how it should be
- 2017-04-07 DIFF
- Issuer and Client now recognize custom properties, this is so that new Registry Contents do not require a new release of openid-client to be picked up. Custom properties are exposed as getters so long as they do not interfere with the object's Prototype and they are always available in the #metadata getter.
- 2017-03-28 DIFF
- added missing check for webfinger issuer location protocol
- 2017-03-28 DIFF
- added authorizationCallback support for submitting code_verifier
- example now includes session management OP and RP frames
1.7.0 failed to publish properly, use 1.7.1 instead
- 2017-03-14 DIFF
- fixed receiving (correct) empty responses from revocation endpoints (#21)
- 2017-03-14 DIFF
- bumped minimum node-jose version to cover http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
- 2017-03-09 DIFF
- fixed verify callback skipping userinfo when userinfo_endpoint is not configured (#19)
- removed mandatory checks from passport strategy, allowing i.e. implicit only OPs (#19)
- 2017-03-07 DIFF
- fixed verify callback skipping userinfo call when arity says it should but no access token is present (#18)
- 2017-02-15 DIFF
- added at_hash presence assertion for applicable (implicit) ID Token validation
- added c_hash presence assertion for applicable (hybrid) ID Token validation from the authorization_endpoint
- 2017-02-15 DIFF
- fixed an ID Token validation for ID Token returned by Token Endpoint that includes c_hash
- 2017-02-01 DIFF
- fixed passport strategy, have it use prototype instead of ES6 class syntax
- 2017-01-29 DIFF
- fixed client_assertion aud claim for _jwt auth methods when used in introspection and revocation
- 2017-01-26 DIFF
- added a passport.js strategy
- added missing max_age, default_max_age related functionality
- authorizationCallback now supports max_age check
- clients with default_max_age use this default value automatically
- when max_age is checked auth_time claim is mandatory and must be a number
- added missing require_auth_time related functionality
- clients with require_auth_time = true have the presence and format of auth_time claim validated
- authorizationUrl and authorizationPost now removes null and undefined values and ensures parameters are stringified before passed to url.format
- added client.CLOCK_TOLERANCE property, to allow for clock skew (in seconds)
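The max_age, require_auth_time and CLOCK_TOLERANCE rules listed above, as an added example that is not openid-client's own code: a stand-alone validator over a decoded ID Token payload. The client object shape (default_max_age, require_auth_time, CLOCK_TOLERANCE) reuses the property names from the entries above; the function name, the result shape and the injected `now` are assumptions.

```javascript
// Checks auth_time against max_age the way the entries above describe:
// - auth_time is mandatory (and must be a number) whenever max_age is checked
//   or the client sets require_auth_time
// - maxAge falls back to the client's default_max_age when not given
// - CLOCK_TOLERANCE (seconds) is added to allow for clock skew
function checkAuthTime(claims, client, { maxAge = client.default_max_age, now = Math.floor(Date.now() / 1000) } = {}) {
  const tolerance = client.CLOCK_TOLERANCE || 0;
  const required = Boolean(client.require_auth_time) || maxAge !== undefined;
  if (!required) return { ok: true, reason: 'auth_time not required' };
  if (!('auth_time' in claims)) {
    return { ok: false, reason: 'missing required JWT property auth_time' };
  }
  if (typeof claims.auth_time !== 'number') {
    return { ok: false, reason: 'JWT auth_time claim must be a JSON number' };
  }
  if (maxAge === undefined) return { ok: true, reason: 'auth_time present and numeric' };
  // the authentication is too old once auth_time + max_age (plus skew) lies in the past
  if (claims.auth_time + maxAge + tolerance < now) {
    return { ok: false, reason: 'too much time has elapsed since the last End-User authentication' };
  }
  return { ok: true, reason: 'auth_time within max_age' };
}

// Constructed client configuration and sample ID Token claims
const CLIENT = { default_max_age: 300, require_auth_time: false, CLOCK_TOLERANCE: 60 };
const NOW = 1700000000;
const CLAIMS = { sub: 'user-1', auth_time: NOW - 320 };
```

With CLIENT the sample authentication (320 s old) passes only because the 60 s tolerance covers the 20 s overrun of default_max_age; with CLOCK_TOLERANCE set to 0 it is rejected.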
- 2017-01-10 DIFF
- deprecated passing keystore directly to Client#register, pass an object with keystore property instead
- added the option to provide InitialAccessToken value to Client#register
- 2016-12-18 DIFF
- added error messages when expected response is missing
- 2016-12-13 DIFF
- added #requestObject method to Client to return signed and/or encrypted Request Object
- 2016-12-09 DIFF
- added #claims getter to TokenSets returned from authorizationCallback and refresh
- 2016-11-23 DIFF
- fixed unpacking aggregated claims with alg=none and no iss claim
- fetching distributed claims now expects a JWT response, previously expected invalid OP responses
- 2016-11-22 DIFF
- fixed signed userinfo response validation in case iss, aud and similar ID Token claims are missing
- 2016-11-18 DIFF
- Updated uuid dependency
RP test tools are passing, no changes required from the library, API is declared stable, hence 1.0.0 release.
- 2016-11-16 DIFF
- See 1.x migration to update your 0.x deployment into 1.x.
- update your package.json file to
"^1.0.0"
- sit back and relax, no breaking changes
4. Major version zero (0.y.z) is for initial development. Anything may change at any time.
The public API should not be considered stable.
5. Version 1.0.0 defines the public API.
- https://github.com/panva/node-openid-client/compare/v0.6.0...v0.7.0
- added: webfinger discovery
- added: callback parameter helper for node's http.IncomingMessage
- tested for lts/argon (4), lts/boron (6) and current stable (7)
- https://github.com/panva/node-openid-client/compare/v0.5.4...v0.6.0
- added: handling of symmetrically encrypted responses (A...GCMKW, A...KW, PBES2-HS...+A...KW)
- fix: state check supersedes error check, still not sure about it though
- https://github.com/panva/node-openid-client/compare/v0.5.0...v0.5.4
- added: token_type_hint for introspection and revocation
- fix: handle refresh w/o id_token
- fix: ignore nonce values when refreshing w/ id_token
- fix: validateIdToken only checks at_hash and c_hash values when TokenSet is passed in
- fix: session_state now part of returned TokenSet
- https://github.com/panva/node-openid-client/compare/v0.4.1...v0.5.0
- aggregated and distributed claim handling
- https://github.com/panva/node-openid-client/compare/v0.3.0...v0.4.1
- fix: issuer with path component discovery
- built-in signed and/or encrypted userinfo handling
- authorizationCallback handling of implicit and hybrid responses
- https://github.com/panva/node-openid-client/compare/v0.2.0...v0.3.0
- encrypted userinfo and idtoken response handling
- https://github.com/panva/node-openid-client/compare/v0.1.0...v0.2.0
- httpOptions configurable on a library level
- signed userinfo response handling