node-openid-client

⚠ BREAKING CHANGES

openid-client v6.x is a complete rewrite of the openid-client module, this is the first time since 0.1.0 (8 years ago) that the API has drastically changed. The new module structure and API focuses on three core principles:

• runtime compatibility (adding support for Deno, Cloudflare Workers, Bun, and other Web API interoperable runtimes)
• tree-shakeability (bundles should not contain features that don't end up being used)
• less options (removing support for processing deprecated response types, cutting down on the number of combinations that need to handled)

To that end openid-client@6 no longer supports the full cartesian matrix of response types and response modes, it no longer supports issuing encrypted assertions, decrypting assertions is limited to only a few algorithms, it no longer supports Dynamic Client Registration or Management, and Self-Issued OpenID Provider responses are also not supported.

The new API makes basic setups simple while allowing some degree of complexity where needed.

openid-client@6 is an ESM module using ES2022 syntax and it depends on WebCryptoAPI and Fetch API globals being available in the JS runtime.

openid-client@6 is written in TypeScript and its exported types come with comment annotations.

(Node.js) Versions 20.x and newer have all the necessary globals. v18.x is being tested in CI as well with the --experimental-global-webcrypto CLI flag.

(Node.js) CJS style let client = require('openid-client') is possible in versions where process.features.require_module is true. This is a new Node.js feature slated to be released without a CLI flag in 23.x and 22.x

Link to docs and examples

Features

• allow third party initiated login requests to trigger strategy (568709a), closes #510 #564

Refactor

• remove use of Node.js v8 builtin (f1881bc), closes #442 #475 #555

Fixes

• regression introduced in v5.3.3 (4f6e847)

Fixes

• passport: ignore static state and nonce passed to Strategy() (#556) (43daff3)

Fixes

• typescript: requestResource returns a Promise (#546) (8bc9519), closes #488

Features

• JARM is now a stable feature (10e3a37)

Fixes

• typescript: add client_id and logout_hint to EndSessionParameters (b7b5438)

Features

• add client_id to endSessionUrl query strings (6fd9350)

Fixes

• allow endSessionUrl defaults to be overriden (7cc2402)

Refactor

• engines: remove package.json engines restriction (9aefba3)

Fixes

• safeguard TokenSet prototype methods (7468674), closes #511

Fixes

• ignore non-conform "unrecognized" id_token in oauthCallback() (3425110), closes #503

Fixes

• improve support of electron BrowserWindow with nodeIntegration (9e5ea0f)

Fixes

• typescript: add types export for nodenext module resolution (92fd33d)

Fixes

• interoperable audience array value for JWT Client auth assertions (again) (96b367d)
• typescript: add error constructors (#483) (9505cba)

Fixes

• dpop: htu without querystring (f6fa149)

Fixes

• add application/jwk-set+json to accept header for JWKS calls (#467) (f94d42b), closes #466

Fixes

• passing null as checks.nonce should not disable it (5120a07)

Fixes

• allow setting timeout to 0 to disable it (32b28b5), closes #443

Features

• support OAuth 2.0 Authorization Server Issuer Identification (fb6a141)
• support server-provided DPoP nonces (update DPoP to draft-04) (a84950a)

Fixes

• reject oauthCallback when id_token is detected (92ffee5)
• typescript: ts-ignore missing AbortSignal global (d975c11), closes #433

Bug Fixes

• explicitly set content-length again (956c34b), closes #420