Releases: panva/node-oidc-provider
v8.6.0
v8.5.3
v8.5.2
v8.5.1
v8.5.0
Features
- add a Client static validate() method (d1f7d73)
- add a helper allowing custom claims parameter validations (ec2a1f5)
- add experimental support for RFC9396 - Rich Authorization Requests (e9fb573)
- add response_modes client metadata allow list (76f9af0)
- allow extraParams to define validations for extra parameters (b7d3322)
- DPoP: add a setting to disable DPoP Proof Replay Detection (2744fc8)
- DPoP: send a dpop-nonce when the proof's iat check fails and nonces are configured but not required (1b073c0)
- FAPI: add FAPI 2.0 profile behaviours (5212609)
- JAR: add a helper allowing custom JWT claim and header validations (be9242a)
- PAR: add a setting to allow use of unregistered redirect_uri values (a7e73fa)
- update Web Message Response Mode and remove its Relay Mode (a91add8)
Fixes
- DPoP,mTLS: reject client configuration in which binding is required but response types include an implicit token response (cd7e0f4)
Refactor
- deprecate FAPI 1.0 ID2, lax request objects, plain PKCE (3e8a784)
- don't use overwrite cookie option by default (dfbcb94)
- DPoP: move the accepted timespan into a constant (a8e8006)
- DPoP: omit sending the dpop-nonce header if the existing one used is fresh (4d635e2)
- ensure param-assigned max_age from client.defaultMaxAge is a string (0c52469)
- FAPI: deprecate FAPI profile hardcoded PKCE checks (56641ec)
- JAR: authorization requests with JAR now require a client_id parameter (9131cd5)
- JAR: Request Objects are no longer checked for one time use (18efa70)
- PAR: consume PAR after user interactions instead of before (53babe6)
- store claims value parsed in non-JAR PAR (9cd865b)
- use invalid_request instead of unauthorized_client (7947d87)
v8.4.7
v8.4.6
Documentation
- adds events and debugging recipe (#1246) (0bf7696)
- fix client_secret_basic special characters encoding example (73baae1)
- re-run update docs (99cc84a)
Refactor
- avoid iteration resource iteration in client_credentials (e306640)
- avoid use of prototype attributes in object-hash (270af1d)
- use logical or assignment (8f55588)
Fixes
- ensure each individual resource indicator is a valid URI (d9e1ad2)
v8.4.5
v8.4.4
v8.4.3
This release contains only code refactoring, dependency, or documentation updates.