All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
5.5.1 (2018-11-26)
- added aud and azp validations for ID Tokens passed by clients (4df8160)
- aud for jwt oauth tokens no longer gets the client id pushed in (14c556e)
5.5.0 (2018-11-22)
- gracefully handle mixed up response_type(s) order (b775591)
- http2 is also stable in ^8.13.0 (3d240d9)
5.4.2 (2018-11-19)
- ignore `*_endpoint_auth_signing_alg` client metadata when `_jwt` auth is not allowed (d0346a8)
5.4.1 (2018-11-19)
- require consent result to save accepted scopes and claims (7720367)
5.4.0 (2018-11-18)
- handle potentially unvalidated response mode in authz error handler (ee501d1)
- issue new session identifiers when session changes (56d04e6)
- omit saving an empty session on initial authorize request (d0b7069)
- allow omitting redirect_uri in code exchange at the token endpoint when there is just one registered (8cdd407)
- update of draft-ietf-oauth-resource-indicators from 00 to 01 (1302a54), closes #385
5.3.0 (2018-11-05)
- upgrade min node-jose version to fix its performance in node (f1cb4c6)
- sessionManagement frame uses Storage Access API to detect errors (156e12d)
5.2.0 (2018-11-01)
- sessionManagement feature doesn't set a default thirdPartyCheckUrl anymore (0015c38)
With the sunset of https://rawgit.com I'm not going to look for a replacement CDN that hosts github content using the right content-type. This addition to sessionManagement is a gimmick helping only in a small % of cases anyway.
Note: Updates to draft and experimental specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your package.json since breaking changes such as this one may be introduced as part of these version updates.
5.1.2 (2018-10-23)
5.1.0 (2018-10-03)
- ignore sector_identifier_uri when subject_type is not pairwise (416e379)
- add Resource Indicators for OAuth 2.0 - draft 00 implementation (1bc2994)
5.0.1 (2018-09-27)
5.0.0 (2018-09-26)
- change conformIdTokenClaims default value to true (ef40f6d)
- devInteractions also have no-cache headers, doesn't set acr (9d7a032)
- ensure non-whitelisted JWA algs cannot be used by `*_jwt` client auth (186de0d)
- extraClientMetadata.properties keys do not get transformed (837beca)
- fixed 500 in client update checking client_secret equality (bad6348)
- remove deprecated passing of scope with consent results (35f13bc)
- remove deprecated Session.find upsert behaviour (73e07bd)
- remove deprecated unused exported errors (fc3f509)
- remove got 8 > 9 (retries > retry) option re-assign behaviour (db31d32)
- secretFactory is now used in client update (0923f52)
- validate secret length for client_secret_jwt with no alg specified (ab64268)
- IdToken constructor and `#sign()` method changes (bb4269f)
- moved thirdPartyCheckUrl under features.sessionManagement (c3f84b2)
- renamed deviceCode feature to deviceFlow (cd57d77)
- add self_signed_tls_client_auth client authentication method (9a1f0a3)
- add tls_client_auth client authentication method (ce2bf66)
- allow custom mechanisms for handling pairwise identifiers (57ce6d7)
- back and front-channel can be enabled without sessionManagement (8cb37ff)
- dynamic token expiration (6788b83)
- enable Certificate Bound Access Tokens (f43d820)
- enable explicit whitelist of JWA algorithms (0604e08)
- enable token storage and representation format to be dynamic (8487bd8)
- invalid_token errors now have a detail to aid in debugging or logs (b8324b7)
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (c759415)
- opaque is the default adapter format now (75e7a3f)
- unify audiences helper function signature (fd38600)
- the configuration option `pairwiseSalt` is replaced with `pairwiseIdentifier` async helper function. This allows for different means of generating the pairwise identifier to be implemented, such as the ones mentioned in Core 1.0
- Passing `scope` to interaction result's `consent` property is no longer supported
- `cookies.thirdPartyCheckUrl` is now configured with `features.sessionManagement.thirdPartyCheckUrl` instead
- `features.deviceCode` is now `features.deviceFlow` and `deviceCodeSuccess` helper function is now `deviceFlowSuccess`
- In order for dynamic token expiration to be able to pass a client instance to the helpers it is now better to pass a `client` property being the client instance to a new token instance rather than a `clientId`. When passing a client the `clientId` will be set automatically.
- the default adapter format is now set to opaque, the legacy "legacy" value is still available for legacy deployments but cannot be combined with the new dynamic format feature option and is considered deprecated and will be removed in the next major release.
- the default enabled JWA algorithms have changed. See the new `whitelistedJWA` configuration option to re-enable the ones you need.
- the configuration `unsupported` property is removed, use the configuration `whitelistedJWA` object instead. This isn't a 1:1 renaming of a configuration value, while the `unsupported` option was essentially a blacklist the `whitelistedJWA` as the name suggests is a whitelist.
- the `RSA-OAEP-256` key wrapping algorithm has been removed and is not configurable since it's not supported natively in nodejs.
- IdToken constructor now requires the client instance to be passed in as a second argument. IdToken instance `.sign()` now takes just one argument with the options.
- when a symmetrical endpoint authentication signing alg is not specified the secret will be validated such that it can be used with all available HS bit lengths
- audience helper `token` argument will no longer be a reference to other tokens than the one to which the audiences will be pushed.
- audience helper `scope` argument is no longer available
- `generateTokenId` format method is now a prototype method instead of a class one
- the http request option `retries` will no longer be transformed into `retry`, see `got@^9.0.0` package for the `retry` options
- exported errors `RestrictedGrantType` and `RestrictedResponseType` are no longer available
- Session.find default upsert behaviour is changed to return a new empty session instead
- change conformIdTokenClaims default value to true
- custom client metadata properties will not get transformed between snake_case and camelCase anymore to allow for namespaced metadata properties such as `custom://metadata`
4.8.3 (2018-09-20)
- reference correct param names in `features.webMessageResponseMode` (e495c6b)
4.8.2 (2018-09-16)
- do not overwrite custom response mode implementations with defaults (7f7ea79), closes #365
- remove unnecessary catchall in fallback session save (3bfb8f0), closes #363
4.8.1 (2018-09-06)
- claim definition also detects dynamic scopes (d8c8170)
- custom registered grants do not get overridden by defaults (d4185f9), closes #349
4.8.0 (2018-08-29)
- add dynamic scope value support (caa8f0e)
4.7.1 (2018-08-27)
- check_session regression fix (32975d9)
4.7.0 (2018-08-26)
4.6.0 (2018-08-13)
- add client meta to setProviderSession (1174c76), closes #352
- check session client Origin check (6c27f10)
- option to set interactionResult without redirecting to resume right away (6aeedf2), closes #350
- session management client helper is now inline with other helpers (96802df)
- update JWT Response for OAuth Token Introspection draft (039ab90)
4.5.0 (2018-08-03)
- message displayed on blank /device (86541df)
- update device flow to draft-12 (e00fa52)
4.4.0 (2018-07-22)
- JWT Response for OAuth Token Introspection (72142fd)
4.3.2 (2018-07-21)
- add a clear error description when sector uri isn't a valid json (05c14d1)
- allow clients that do not use authorization to utilize pairwise (c24ea70)
4.3.1 (2018-07-17)
- device_authorization w/ offline_access scope (19a85ac)
4.3.0 (2018-07-16)
- allow for pkce to be disabled (3aca2c8)
- debug revocation after yield (bf4c012)
- pathFor returns a valid route for issuers with terminating "/" (9e4b1a0), closes #315
- add Device Flow experimental/draft feature (461a8e3)
- add gty storage claim for access and refresh token (a492a5e)
- change the requests's uuid to a previous value of grantId (28673e2)
- 2018-07-13 DIFF
- fixed `expiresIn` sent to adapter#upsert when interaction sessions are saved using interactionFinished()
- 2018-07-13 DIFF
- fixed form_post regression for response types including `token` from 4.2.0
- 2018-07-12 DIFF
New Feature - OAuth 2.0 Web Message Response Mode
Based on OAuth 2.0 Web Message Response Mode response_mode=web_message is a new response mode that uses HTML5 Web Messaging instead of a redirect for the Authorization Response from the Authorization Endpoint. It defines two modes: simple mode and relay mode. Relay mode can be used to protect the response by confining it within the origins of a resource server and preventing it from being read by the client.
This is released as an experimental/draft feature so as with the others it is disabled by default and breaking changes to this feature will be released as MINOR releases. When using Web Message Response Mode be sure to lock down oidc-provider in your package.json with the tilde `~` operator and pay close attention to this changelog when updates are released.
To enable configure:
```js
const configuration = { features: { webMessageResponseMode: true } };
```
Note: Although it is general advice to use helmet (express, koa), it is especially advised for your interaction views routes if Web Message Response Mode is available on your deployment.
Enhancements
- added no-cache headers to the authorization endpoint
- `#provider.setProviderSession()` now returns the created session object
- `#provider.registerGrantType()` also accepts additional parameter to indicate parameters for which duplicates are allowed (e.g. `audience` and `resource` in OAuth 2.0 Token Exchange)
Fixes
- fixed some edge cases where authorization error responses would still reach the redirect_uri even when it could not have been validated
- fixed parameters coming from Request Objects to be always used as strings
- fixed upstream body parser params to be always strings (unless json)
- fixed parameters coming multiple times still being used in error handlers (e.g. state)
- fixed form post values not being html escaped
- 2018-06-28 DIFF
- fixed `www-authenticate` header uses in bearer token endpoints according to Core 1.0 and RFC6750
- 2018-06-26 DIFF
- fixed missing `sid` claim in access tokens
- fixed non-consumable tokens having `consumed` stored and `#consume()` instance method
- 2018-06-25 DIFF
- fixed missing `sub` claim from tokens when using the `jwt` format
- chores (lint, tests, refactors, default error and logout screen styles)
- 2018-06-22 DIFF
New Feature - Storage Formats
Added `formats` configuration option. This option allows to configure the token storage and value formats. The different values change how a token value is generated as well as what properties get sent to the adapter for storage. Three formats are defined:
- `legacy` is the current and default format until next major release. no changes in the format sent to adapter
- `opaque` formatted tokens have a different value than `legacy` and in addition store what was in legacy format encoded under `payload` as root properties, this makes analysing the data in your storage way easier
- `jwt` formatted tokens are issued as JWTs and stored the same as `opaque` only with additional property `jwt`. The signing algorithm for these tokens uses the client's `id_token_signed_response_alg` value and falls back to `RS256` for tokens with no relation to a client or when the client's alg is `none`
This feature uses the previously defined public token API of `[klass].prototype.getValueAndPayload`, `[klass].prototype.constructor.getTokenId`, `[klass].prototype.constructor.verify` and adds a new one `[klass].prototype.constructor.generateTokenId`. See the inline comment docs for more detail on those.
Further format ideas and suggestions are welcome.
New Feature - `conformIdTokenClaims` feature toggle
Added `conformIdTokenClaims` feature toggle.
This toggle makes the OP only include End-User claims in the ID Token as defined by Core 1.0 section 5.4 - when the response_type is id_token or unless requested using the claims parameter.
Fixes
- fixed edge cases where client and provider signing keys would be used for encryption and vice versa
- fixed client `request_object_signing_alg` and `contact` validations
- fixed `defaultHttpOptions` to be as documented
- fixed an end_session server error in case where session.authorizations is missing - #295
- adjusted error_description to be more descriptive when PKCE plain value fallback is not possible due to the plain method not being supported
- fixed `audiences` helper results to assert that an array of strings is returned
- fixed issues with interaction sessions and the back button, assertions are now in place and both resume endpoint and interaction helpers will now reject with SessionNotFound named error, which is essentially just InvalidRequest with a more descriptive name.
- 2018-06-09 DIFF
- fixed token endpoint `grant_type=refresh_token` scope parameter related bugs
  - a rotated refresh token will retain the original scope, it's only the access and id token that has the requested scope as specified in section 6 of RFC6749
  - `openid` scope must be provided in the list of requested scopes
- 2018-06-05 DIFF
- fixed non-spec errors `restricted_response_type` and `restricted_grant_type` to be UnauthorizedClient (`unauthorized_client`) instead as specified in RFC6749
- fixed missing `WWW-Authenticate` response header in Bearer auth scheme endpoints when 401 is returned (was missing from `registration_endpoint`, `registration_client_uri`)
- fixed `#session.save()` when `cookies.*.maxAge` is set to `0` to not add the `exp` claim - #289
- fixed the `remember=false` option to apply to client session state cookies too
- 2018-06-01 DIFF
Breaking changes
- minimal version of node lts/carbon is required (>=8.9.0)
- Client Metadata - null property values are no longer ignored
  - clients pushed through `#initialize()` must not submit properties with null values
  - clients stored via an adapter must be updated in your storage not to have null or null-deserialized values, alternatively you can update your adapter not to return these properties back to the provider
```js
const _ = require('lodash');

// your adapter implementation
class MyAdapter {
  // ...
  async find(id) {
    // load entity properties and then drop the null properties if it's a Client adapter instance
    // this is implementation specific
    const data = await DB.query(...);
    if (this.name === 'Client') {
      return _.omitBy(data, _.isNull);
    }
    return data;
  }
  // ...
}
```
- Client Authentication
  - Errors related to authentication details parsing and format are now `400 Bad Request` and `invalid_request`. Errors related to actual authentication check are now `401 Unauthorized` and `invalid_client` with no details in the description. This means that errors related to client authentication will no longer leak details back to the client, instead the provider may be configured to get these errors from e.g. `provider.on('grant.error')` and provide the errors to clients out of bands.
```js
function handleClientAuthErrors(err, { headers: { authorization }, oidc: { body, client } }) {
  if (err instanceof Provider.errors.InvalidClientAuth) {
    // save error details out-of-bands for the client developers, `authorization`, `body`, `client`
    // are just some details available, you can dig in ctx object for more.
    console.log(err);
  }
}
provider.on('grant.error', handleClientAuthErrors);
provider.on('introspection.error', handleClientAuthErrors);
provider.on('revocation.error', handleClientAuthErrors);
```
  - added `WWW-Authenticate` response header to token endpoints when 401 is returned and Authorization scheme was used to authenticate and changed client authentication related errors to be `401 Unauthorized`
  - fixed several issues with token client authentication related to `client_id` lookup, it is no longer possible to:
    - submit multiple authentication mechanisms
    - send Authorization header to identify a `none` authentication method client
    - send both Authorization header and client_secret or client_assertion in the body
- all error classes the provider emits/throws are now exported in `Provider.errors[class]` instead of `Provider[class]` and the class names are no longer suffixed by `Error`. See `console.log(Provider.errors)`
- removed the non-spec `rt_hash` ID Token claim
- `features.pkce` now only enables `S256` by default, this is sufficient for most deployments. If `plain` is needed enable pkce with `{ features: { pkce: { supportedMethods: ['plain', 'S256'] } } }`.
- `client.backchannelLogout` no longer suppresses any errors, instead rejects the promise
- token introspection endpoint no longer returns the wrong `token_type` claim - #189
  - to continue the support of this non-standardized claim from introspection you may register the following middleware
```js
provider.use(async function introspectionTokenType(ctx, next) {
  await next();
  if (ctx.oidc.route === 'introspection') {
    const token = ctx.oidc.entities.AccessToken
      || ctx.oidc.entities.ClientCredentials
      || ctx.oidc.entities.RefreshToken;
    switch (token && token.kind) {
      case 'AccessToken':
        ctx.body.token_type = 'access_token';
        break;
      case 'ClientCredentials':
        ctx.body.token_type = 'client_credentials';
        break;
      case 'RefreshToken':
        ctx.body.token_type = 'refresh_token';
        break;
    }
  }
});
```
- fetched `request_uri` contents are no longer cached for 15 minutes default, cache headers are honoured and responses without one will fall off the LRU-Cache when this one is full
- default configuration values for `cookies.short.maxAge` and `cookies.long.maxAge` changed
- `audiences` is now in addition to existing `id_token` and signed `userinfo` cases called for `client_credentials` and `access_token`, this is useful for pushing additional audiences to an Access Token, these are now returned by token introspection and can be used when serializing an Access Token as a JWT
- the provider will no longer use the first value from `acrValues` to denote a "session" like acr. In cases where acr is requested as a voluntary claim and no result is available this claim will not be returned.
  - to continue the support of the removed behaviour you can change the OIDCContext acr getter
```js
const _ = require('lodash');
const sessionAcr = '...';

Object.defineProperty(provider.OIDCContext.prototype, 'acr', {
  get() {
    return _.get(this, 'result.login.acr', sessionAcr);
  },
});
```
- removed deprecated `#provider.setSessionAccountId()` helper method. Use `#provider.setProviderSession()` instead
Enhancements
- Session Changes
  - stored sessions now have an `exp` property allowing the provider to ignore expired but still returned sessions
  - existing sessions without this property will be accepted and the exp property will be added with the next save
- bumped the semantic version of every dependency to the latest as of release
- added `aud` to the introspection response if a token has one
- `audiences` helper gets called with additional parameters `use` and `scope`
- `renderError` helper is now called with a third argument that's the actual Error instance.
- `node-jose` dependency bumped to major ^1.0.0 - fixes `A\d{3}GCMKW` symmetrical encryption support
- added `cookies.thirdPartyCheckUrl` option and a warning to host it
- moved middleware handling missing optionally `redirect_uri` parameter case right after loading the client
- 2018-05-23 DIFF
- all options passed to defaultHttpOptions now also reach `request` when `#useRequest()` is used
- fixed a case when RS256 key presence check was wrongly omitted during `#initialize()`
- fixed client `jwks_uri` refresh error to be invalid_client_metadata and propagated to the client
- 2018-05-15 DIFF
- base64url dependency replaced
- 2018-05-10 DIFF
- dependency tree updates
- 2018-05-02 DIFF
- fixed `client_secret_basic` requiring the username and password tokens to be `x-www-form-urlencoded` according to https://tools.ietf.org/html/rfc6749#section-2.3.1
  - NOTE: Although technically a fix, this is a breaking change for clients with client secrets that need to be encoded according to the standard and don't currently do so. A proper way of submitting client_id and client_secret using `client_secret_basic` is `Authorization: base64(formEncode(client_id):formEncode(client_secret))`. This is only becoming apparent for client ids and secrets with special characters that need encoding.
- re-released 2.18.0 as 2.18.2 following deprecation of 2.18.1
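The encoding rule above, worked through as an added example that is not oidc-provider's own code: `buildBasicAuth` is what a conforming client does (form-encode each part, join with `:`, base64), and `parseBasicAuth` is the matching server-side parse that recovers the raw `client_id` and `client_secret`; both helper names and the sample credentials are assumptions.

```javascript
// Added example, not code from oidc-provider: client_secret_basic per RFC 6749 section 2.3.1.
// client_id and client_secret are each application/x-www-form-urlencoded before being joined
// with ':' and base64-encoded, which is what lets ids/secrets containing ':', '%' or spaces
// round-trip unambiguously. Helper names and sample values below are constructed for this example.

// application/x-www-form-urlencoded serialisation of a single value (space becomes '+',
// everything except alphanumerics and "*-._" is percent-encoded).
function formEncode(value) {
  return new URLSearchParams([['', value]]).toString().slice(1);
}

// Inverse of formEncode.
function formDecode(value) {
  return new URLSearchParams(`=${value}`).get('');
}

// Client side: the value of the Authorization request header.
function buildBasicAuth(clientId, clientSecret) {
  const credentials = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return `Basic ${Buffer.from(credentials, 'utf8').toString('base64')}`;
}

// Server side: parse the header back into the raw client_id / client_secret.
// Returns undefined for anything that is not a well-formed Basic credential so the caller
// can answer 401 invalid_client without echoing the supplied header back.
function parseBasicAuth(header) {
  const match = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header || '');
  if (!match) return undefined;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  // the first ':' is the separator; a conforming client has encoded any ':' inside the parts as %3A
  const separator = decoded.indexOf(':');
  if (separator === -1) return undefined;
  return {
    clientId: formDecode(decoded.slice(0, separator)),
    clientSecret: formDecode(decoded.slice(separator + 1)),
  };
}
```

A client that skips the form-encoding step and has a `:` in its id is split at the wrong place by the parser, which is exactly why the changelog calls this fix a breaking change for such clients.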
- 2018-04-12 DIFF
- added `ctx.oidc.entities` with all loaded model/entity instances during a given request
- added `cookies.keys` configuration option for KeyGrip key app passthrough
- added `#provider.setProviderSession` for setting provider session from outside of a regular context
- deprecated `#provider.setSessionAccountId` in favor of `#provider.setProviderSession`
- 2018-03-29 DIFF
- fixed alternative verb routes to be named as well
- fixed default `interactionCheck` passing `/resume` when users click cancel or just navigate back to auth resume route
- added `client_update` and `client_delete` as named routes
- added `extraClientMetadata` configuration option that allows for custom client properties as well as for additional validations for existing properties to be defined
- when provider is configured with only `pairwise` subject type support then it is the client default and does not have to be explicitly provided anymore
- 2018-03-26 DIFF
- supported PKCE code challenge methods are now configurable, use to i.e. disable `plain` for stricter OIDC profiles and new deployments where legacy clients without `S256` support aren't to be expected.
- added configuration validations for subjectTypes and pkce supportedMethods
- 2018-03-23 DIFF
- added `provider.use((ctx, next) => {})` middleware support
- added `provider.listen(port_or_socket)`
- added attribute delegates `proxy`, `keys`, `env`, `subdomainOffset` from provider to the underlying koa app
- updated docs
- 2018-03-13 DIFF
- bumped minimal `debug` dependency version due to its found vulnerability in lesser versions
- adjusted documentation on `refreshTokenRotation` configuration option
- adjusted documentation on TLS offloading
- 2018-03-05 DIFF
- added current account id from OP session to interaction sessions
- added `provider.setSessionAccountId(req, id, [ts])` helper for setting OP session from other contexts, such as interrupted interactions or password reset flows.
- 2018-02-14 DIFF
- `clientCacheDuration` no longer has any effect on static clients passed through the `#provider.initialize()` call
- 2018-01-29 DIFF
- `#provider.Client.cacheClear([id])` can now optionally drop just one specific client from provider cache when provided its client_id
- 2018-01-24 DIFF
- `findById` returned struct's `#claims()` method is now called with two parameters (use and scope) allowing to fine-tune the returned claims depending on the intended place for these claims.
- 2018-01-21 DIFF
- aligned `oidc-provider:token` DEBUG format
- exposed client validation schema prototype under `provider.Client.Schema`
- 2018-01-17 DIFF
- fixed a bug where non global logouts would not trigger back and front-channel logout features for the one client that gets logged out.
- added missing `backchannel.success` and `backchannel.error` events
- 2018-01-16 DIFF
- added no-cache headers to userinfo responses
- added optional support for draft02 of Front-Channel Logout 1.0
  - enable with configuration `features.frontchannelLogout = true`;
  - adds new client properties `frontchannel_logout_uri` and `frontchannel_logout_session_required`
  - adds new discovery properties `frontchannel_logout_supported` and `frontchannel_logout_session_supported`
  - added `frontchannelLogoutPendingSource` helper for customizing the pending frontchannel web page HTML source
- 2018-01-15 DIFF
- added `audiences` helper function to allow for pushing additional audiences to issued ID Tokens, this will additionally push an `azp` claim with the `client_id` value as per Core 1.0 spec defined ID Token validations.
- 2018-01-03 DIFF
- added used http verb to error debug messages
- added a descriptive "method not allowed" error message
- 2017-12-18 DIFF
- fixed `useRequest` to be a static method as documented
- 2017-12-14 DIFF
- added and documented the optional use of request instead of got for deployments requiring http(s) proxies to reach out to the internet wilderness
- 2017-12-12 DIFF
- fixed token expires_in to be based off an overloadable BaseToken expiration() instance method
- fixed token introspection response for consumed tokens
- 2017-12-11 DIFF
- changed grant_type requires to resolve oidc-provider loading through webpack
- 2017-12-05 DIFF
- added provider `clockTolerance` option
- fixed clients with jwks_uri failing to be fetched blocking the initialize call
- fixed successful client keystore refresh after failed verification to pass
- bumped node-jose dependency
- 2017-11-30 DIFF
- adjusted the client schema to ignore extra properties for disabled features
- fixed encrypted ID Tokens without a used alg (json payload) to have `cty` (content-type) `json`
- fixed unsigned ID Tokens missing `*_hash` properties
- `request_uri` response caching now also handles `expires` response headers
Note: 2.7.0 and 2.7.1 yanked for the bugs they introduced
- 2017-11-23 DIFF
- added `scope` to successful token (authorization_code, refresh_token) responses
- updated dependencies (`[email protected]`, removed deprecated `buffer-equals-constant`)
- 2017-11-14 DIFF
- fixed already authorized application_type=native prompt=none authorizations to be able to check if the authorization is still present
- bumped session management `jsSHA` cdn dependency version
- 2017-10-28 DIFF
- added an option to return metadata alongside with interaction results, this metadata is then retrievable i.e. during the interactionCheck call. #164, #165
- added an option to return error instead of the standard interaction results, the provider will take this error (and error_description when provided) and resolve the authorization request with it. #167, #168
- fixed `Token#find()` swallowing `adapter#find` errors
- fixed introspection swallowing rethrown `adapter#find` errors
- 2017-10-12 DIFF
- fixed token upsert expiration to respect token's instance expiration
- 2017-10-05 DIFF
- added BaseToken public API, this API enables advanced users in search of features such as JWT-formatted Bearer tokens or not being able to reconstruct client token values from a DB backup to overload these methods and get those features.
- fixed keystore initialize method to allow for servers only supporting authorization flow not needing RS256 signature key
- fixed token introspection disclosing details for expired but found tokens
- fixed exception during token introspection auth `none` clients looking up non-existing tokens
- 2017-09-25 DIFF
- fixed `interactionFinished`, `interactionDetails` and `Session#find` expecting an id retrieved from a cookie. When not found will throw.
- 2017-09-15 DIFF
- fixed `devInteractions` reported with the same grant `uuid`
- 2017-09-11 DIFF
- added `s_hash` support for ID Tokens returned by authorization endpoint
- added Request Object symmetrical encryption support
- fixed PBES2 encryption to use client_secret derived symmetrical key instead of its full octet value
- fixed `claims` parameter handling when part of a Request object as an object
- removed bugged? and/or previously not working `A(128|192|256)GCMKW` symmetrical encryption algs
- 2017-09-09 DIFF
- fixed encrypted parameters incorrectly assumed as signed (request object asymmetrical encryption)
- 2017-08-27 DIFF
- added a `clientCacheDuration` option (defaults to `Infinity`), this option defines the time a client configuration loaded from an adapter will be kept in cache before being loaded again with the next request
- removed `valid-url` dependency in favor of STDLIB's WHATWG `url.URL`
- 2017-08-04 DIFF
- added a third parameter for `findById` helper, when `findById` is used in relation to an access token or an authorization code the token instance will be passed
- added `ctx.oidc.signed` with an array of parameter names which were received using a signed or encrypted request/Uri parameter. `signed` array of strings is available in the short lived session for interactions
- added basic sequelize adapter example
- fixed a bug where extraParams weren't recognized when part of a `request` or `request_uri` parameters
- fixed a bug where client credential and refresh token adapter instances were used even if these grants/tokens weren't enabled
- fixed a bug which allowed for non-enabled scopes to be added in client_credential grants
- 2017-08-04 DIFF
- fixed infinite interactionCheck loop for `application_type=native` clients
Breaking Changes
- oidc-provider now requires node v8.0.0 or higher for ES2015, async function and utils.promisify support
- internal koa (and related) dependencies updated to their respective 'next' or koa2 middleware compatible versions
- adapter must now be passed into `#initialize()`
- helper functions which returned or accepted generators will no longer work, use async functions
- helper functions no longer have koa ctx bound to `this`, instead their signature is changed
  - interactionUrl helper signature changed to (ctx, interaction) and is now awaited
  - renderError helper signature changed to (ctx, error) and is now awaited
  - uniqueness helper signature changed to (ctx, jti, expiresAt)
  - interactionCheck helper signature changed to (ctx)
  - default interactionCheck helper requires all native application client authorizations to pass through interactions
  - findById helper signature changed to (ctx, accountId)
- `postLogoutRedirectUri` configuration option is now a helper function and is awaited too
- default acrValues configuration option is now empty, if you used the old values `['0', '1', '2']`, you must configure the value explicitly
- `ctx.prompted` renamed to more descriptive `ctx.promptPending`
- default refreshTokenRotation changed from 'none' to 'rotateAndConsume'
- pkce.skipClientAuth removed, native clients not willing to submit secrets should be registered with method none
- `features.requestUri` enabled by default with requireRequestUriRegistration
- `features.oauthNativeApps` enabled by default
- `features.oauthNativeApps` automatically enables `features.pkce` with `{ forcedForNative: true }`
- interaction details no longer utilize cookies to store the details and request parameters, short lived sessions are created and maintained via the adapter instead
- Integrity keystore is no longer used, random strings are used to generate a lengthy token, a none signed JWT is used to store the metadata, keeping the datasets the same as 1.x
- interaction helper `provider#interactionDetails` now returns a Promise, it reads the short lived session id and loads the details using your adapter
- interaction helper `provider.interactionFinished` now returns a Promise, it reads the short lived session id and stores the interaction results there
- default token TTLs shortened
- Request Object `iss` (issuer) and `aud` (audience) values are now being validated to be equal to Client's identifier (`iss`) and the OP Issuer identifier (`aud`) when present in a Request Object
New features
- `static` function named `connect` can now be present on an Adapter prototype, this will be awaited during initialization, use to establish the necessary adapter connections
- introspection and revocation endpoint authentication now has dedicated settings and properties, unless specific settings for those are provided they default to what's provided for token_endpoint equivalents, this allows for fine-tuning while not disrupting existing behavior
- new client metadata supported:
- introspection_endpoint_auth_method
- introspection_endpoint_auth_signing_alg
- revocation_endpoint_auth_method
- revocation_endpoint_auth_signing_alg
- new configuration properties:
- introspectionEndpointAuthMethods
- introspectionEndpointAuthSigningAlgValues
- unsupported.introspectionEndpointAuthSigningAlgValues
- revocationEndpointAuthMethods
- revocationEndpointAuthSigningAlgValues
- unsupported.revocationEndpointAuthSigningAlgValues
- new discovery properties:
- introspection_endpoint_auth_methods_supported
- introspection_endpoint_auth_signing_alg_values_supported
- revocation_endpoint_auth_methods_supported
- revocation_endpoint_auth_signing_alg_values_supported