node-openid-client
OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
Bot releases are visible (Hide)
Fixes
- typescript: add client_id and logout_hint to EndSessionParameters (b7b5438)
Refactor
- engines: remove package.json engines restriction (9aefba3)
Fixes
- improve support of electron BrowserWindow with nodeIntegration (9e5ea0f)
Fixes
- typescript: add types export for nodenext module resolution (92fd33d)
Fixes
- dpop: htu without querystring (f6fa149)
Fixes
- passing null as checks.nonce should not disable it (5120a07)
Bug Fixes
- explicitly set accept: application/json again (89cdbe2)
⚠ BREAKING CHANGES
- The 'query' way of passing access token to userinfo was removed.
- Access Token is now asserted to be present for userinfo and requestResource calls.
- The registry export was removed.
- FAPIClient is renamed to FAPI1Client
- FAPI1Client has default algorithms set to PS256 rather than RS256
- FAPI1Client has default tls_client_certificate_bound_access_tokens set to true
- FAPI1Client has default response_types set to
id_token codeand grant_types accordingly - FAPI1Client has no token_endpoint_auth_method set, one must be set explicitly
- Client methods
unpackAggregatedClaimsandfetchDistributedClaimswere removed with no replacement. - DPoP option inputs must be a private crypto.KeyObject or a valid crypto.createPrivateKey input.
- Issuer.prototype.keystore is now private API
- HTTP(S) request customization now only recognizes the following options 'agent', 'ca', 'cert', 'crl', 'headers', 'key', 'lookup', 'passphrase', 'pfx', and 'timeout'. These are standard node http/https module request options, got-library specific options such as 'followRedirect', 'retry', or 'throwHttpErrors' are no longer recognized.
- The arguments inside individual HTTP request customization changed, first argument is now an instance of URL, the http request options object is passed in as a second argument.
- The
responseproperty attached to some RPError or OPError instances is now an instance of http.IncomingMessage. Its body is available on itsbodyproperty as either JSON if it could be parsed, or a Buffer if it failed to pass as JSON. - Drop support for Node.js v10.x
- Only Node.js LTS releases Codename Erbium (^12.19.0) and newer are supported. Currently this means ^12.19.0 (Erbium), ^14.15.0 (Fermium), and ^16.13.0 (Gallium).
- Issuer.discover will no longer attempt to load
/.well-known/oauth-authorization-server. To load such discovery documents pass full well-known URL to Issuer.discover.
Refactor
- DPoP input must be a private KeyObject or valid crypto.createPrivateKey input (d69af6f)
- FAPIClient is renamed to FAPI1Client (59a4e73)
- Issuer.prototype.keystore is now private API (0c23248)
- only use the native http(s) client (83376ac)
- remove automatic lookup of /.well-known/oauth-authorization-server (fc87d2b)
- remove client.unpackAggregatedClaims and client.fetchDistributedClaims (b7f261f)
- remove Registry public API export (6b91d58)
- remove the 'query' option for userinfo, assert access token (eb9d139)
- update Node.js semver support matrix (8b3044e)
Features
- OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (327f366)
Package Rankings
Top 0.78% on Npmjs.org