node-openid-client

Bug Fixes

• explicitly set accept: application/json again (89cdbe2)

⚠ BREAKING CHANGES

• The 'query' way of passing access token to userinfo was removed.
• Access Token is now asserted to be present for userinfo and requestResource calls.
• The registry export was removed.
• FAPIClient is renamed to FAPI1Client
• FAPI1Client has default algorithms set to PS256 rather than RS256
• FAPI1Client has default tls_client_certificate_bound_access_tokens set to true
• FAPI1Client has default response_types set to id_token code and grant_types accordingly
• FAPI1Client has no token_endpoint_auth_method set, one must be set explicitly
• Client methods unpackAggregatedClaims and fetchDistributedClaims were removed with no replacement.
• DPoP option inputs must be a private crypto.KeyObject or a valid crypto.createPrivateKey input.
• Issuer.prototype.keystore is now private API
• HTTP(S) request customization now only recognizes the following options 'agent', 'ca', 'cert', 'crl', 'headers', 'key', 'lookup', 'passphrase', 'pfx', and 'timeout'. These are standard node http/https module request options, got-library specific options such as 'followRedirect', 'retry', or 'throwHttpErrors' are no longer recognized.
• The arguments inside individual HTTP request customization changed, first argument is now an instance of URL, the http request options object is passed in as a second argument.
• The response property attached to some RPError or OPError instances is now an instance of http.IncomingMessage. Its body is available on its body property as either JSON if it could be parsed, or a Buffer if it failed to pass as JSON.
• Drop support for Node.js v10.x
• Only Node.js LTS releases Codename Erbium (^12.19.0) and newer are supported. Currently this means ^12.19.0 (Erbium), ^14.15.0 (Fermium), and ^16.13.0 (Gallium).
• Issuer.discover will no longer attempt to load /.well-known/oauth-authorization-server. To load such discovery documents pass full well-known URL to Issuer.discover.

Refactor

• DPoP input must be a private KeyObject or valid crypto.createPrivateKey input (d69af6f)
• FAPIClient is renamed to FAPI1Client (59a4e73)
• Issuer.prototype.keystore is now private API (0c23248)
• only use the native http(s) client (83376ac)
• remove automatic lookup of /.well-known/oauth-authorization-server (fc87d2b)
• remove client.unpackAggregatedClaims and client.fetchDistributedClaims (b7f261f)
• remove Registry public API export (6b91d58)
• remove the 'query' option for userinfo, assert access token (eb9d139)
• update Node.js semver support matrix (8b3044e)

Bug Fixes

• do not implicitly calculate key ids for Client instances (46e44e7), closes #379

Features

• update DPoP support to draft-03 (#407) (5565ee1), closes #406

Features

• OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (327f366)

Bug Fixes

• typescript: add remaining properties from RFC7662 (#398) (166e89b)

Bug Fixes

• typescript: add a missing PATCH method to requestResource (6b2c3ce), closes #368

Bug Fixes

• fapi: validate ID Token's iat regardless of which channel it came from (b68b9ab)

Bug Fixes

• typescript: add types for 4.6.0 additions (9064136)

Bug Fixes

• typescript: add types for 4.7.0 additions (2c1d2ab)

Features

• add abort control over Device Flow Handle polling (#357) (f6faa68), closes #355 #356

Features

• added OAuth 2.0 Pushed Authorization Requests client API (e7af9f5), closes #259

Bug Fixes

• interoperable audience array value for JWT Client auth assertions (da7d2f0)

Bug Fixes

• use mtls token endpoint alias as audience when using jwt auth with mtls constrained tokens (c463359)

Features

• include nbf in FAPIClient Request Objects (0be56ba)

Bug Fixes

• resolve discovery URIs one by one to yield consistent results (6b18218), closes #260 #267

Bug Fixes

• hide AggregateError message stack (3011cca), closes #336

Features

• allow options.https.pfx for mTSL (075cad7), closes #326

Features

• typescript: add userinfo response generics (b176b2f)

Performance

• use base64url encoding in node when available (24ab5b4)