node-openid-client
OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
Bot releases are hidden (Show)
Bug Fixes
- device authorization request always pushes the client_id to body (6fbf125)
Bug Fixes
- ignore runtime unsupported or malformed issuer jwks (f08b8be)
Features
- added Node.js lts/dubnium support for runtime supported features (54788c2)
Features
- electron v6.x runtime support (65ec619)
Features
- option to change http options globally (a1e0a3f)
Bug Fixes
- plug reported lodash vulnerability (b690dac)
Features
- added support for direct symmetric key encryption alg (dir) (f1b4282)
Bug Fixes
- ensure runtime @panva/jose dependency ^1.3.0 (d992deb)
Features
- add helpers for generating secure random values & PKCE challenges (44f1865)
Bug Fixes
- authorizationParams no longer requires nonce for
response_type=token - issuer's auth signing algs presence is now asserted if client is missing the relevant metadata property
- unintended (client|issuer).metadata[property] reassignment is no longer possible
- refreshed encrypted ID Tokens are now properly decrypted
- userinfo_endpoint presence on an issuer is now asserted during userinfo function call
- PBES2 symmetric encryption and decryption now correctly uses the
client_secretvalue rather then
its SHA digest - Accept header is now correctly set for all requests
- clients configured to receive signed and/or encrypted userinfo endpoints will now correctly reject
a response that isn't properapplication/jwt
Features
-
Typed Errors - openid-client now has unique errors for HTTP transport related errors, OP/AS
returned errors and RP(client-side) assertions. -
common configuration issues are now gracefully handled. I feel like many developers may be
setting properties likeredirect_uriorresponse_typeon a client instance. I sympathize and
openid-client will now take these common mistakes and accomodate. -
QoL
#client.authorizationParams()will now attempt to resolve theredirect_uriand
response_typefrom your client's metadata. If there's only one listed, it will be used
automatically. If there's more, you must continue providing it explicitly. -
per-request http request options helper function HTTP request options can now be modified on
a per request basis for the different classes or their instances. This now allows each request's
options to be altered on-demand with e.g. client mutual-TLS certificates or implementing work
arounds for specific AS quirks. -
mutual-TLS client authentication is now supported through the above mentioned helper for both
client-authentication and proof-of-possession purposes. -
custom request bodies Where the above per-request helper falls short is providing extra
token endpoint exchange parameters likeresourceto authorization code or refresh token exchange,
you can now pass those in the actual client methods. -
custom client assertion payloads You can now pass extra claims to the client authenticated
calls e.g. token, introspect, revoke. -
request objects are now set to be one-time use Generated Request Objects are secure by default
they include iat, exp and jti claims so that OPs have a way to make them one-time use depending on
their policy. - EdDSA support OKP JSON Web Keys and EdDSA signing and verification is now supported.
BREAKING CHANGES
- openid-client now uses
@panva/josefor all things JOSE. As a result of this the minimum required
node version is v12.0.0 and the client will now only function in node.js environments. -
Issuer.defaultHttpOptionsgetter and setter were removed. See documentation customization
section for its replacement. -
client.CLOCK_TOLERANCEclient property was removed. See documentation customization section for
its replacement. -
client.authorizationCallback()has been renamed toclient.callback() -
tokenset.claimsgetter is now a functiontokenset.claims() -
useRequestanduseGotmethods were removed, with the maintenance mode and inevitable
deprecation of therequestmodule i've decided to only support got as an http request library. - Instead of passing jose library keystore instances with private keys the API now
expects a JWKS formatted object.keystoreoptions argument properties are now called justjwks. -
response_type=codeis no longer defaulted to in#client.authorizationUrl()if your client
instance has multipleresponse_typesmembers. - Strict
===equality operator is now used for assertions, while unlikely the breaking change is
that should some ID Token claims be correct values but incorrect type, these will start failing now. -
#client.revoke()no longer returns or in any way processes the response body as per spec
requirements. - All http(s) responses are now strictly checked for the expected http response status code.
- All http(s) requests now assert that an absolute URL is being requested.
- Passport Strategy will now fail when userinfo is requested via the verify callback arity but no
access token is returned from the OP.
Bug Fixes
- upgrade min node-jose version to fix its performance in node (e682dfc)
Bug Fixes
- strategy code_verifier length, removed uuid dependency (60d0cb8...ea4a8fd), closes #131
Bug Fixes
- assign Discovery 1.0 defaults when discovering with .well-known (74b593e)
Package Rankings
Top 0.78% on Npmjs.org