node-openid-client

Bug Fixes

• lts/boron unsupported syntax fix (5289188)

Bug Fixes

• OpenIdConnectError also returns session_state (95fae3d)
• stop sending state on the authorisation code token grant (c4c9e50)

Features

• add RP-Initiated Logout URL helper (7c2e030), closes #116

Bug Fixes

• apply safer, simpler www-authenticate parsing regex (ffce55a)
• only assign Discovery 1.0 defaults when Issuer is discovered (dca60b8)

Features

• authorization response parameter checking based on response_type (6e0ac57)
• passport strategy automatically checks response REQUIRED params (902eeed)

• improved discovery support of custom .well-known suffixes
• chores - refactoring, missing tests, cleanup

• added support for RFC8414 - OAuth 2.0 Authorization Server Metadata discovery
• encrypted_id_token property added to TokenSet instances with the value of the encrypted ID Token value before its decryption

• fixed handling of bearer endpoint responses with www-authenticate headers only. (#102)

• node-jose dependency bumped to major ^1.0.0 - fixes A\d{3}GCMKW symmetrical encryption support
• dependency updates

• fixed circular when serializing OpenIdConnectError
• base64url dependency update

• base64url dependency replaced with base64-url

only dependency tree updates

• fixed client_secret_basic requiring the username and password tokens to be x-www-form-urlencoded
  according to https://tools.ietf.org/html/rfc6749#section-2.3.1
  • NOTE: Although technically a fix, this is a breaking change when used with providers that also
    don't currently follow the standard. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). If your client_id and client_secret does contain special characters that need encoding this does not affect you. If it does, try using client_secret_post instead.

• dropped support for Node.js v4.x due to its End-of-Life on 2018-04-30
• removed deprecated client#grantAuth
• removed deprecated way of passing keystore directly to Client#register
• removed support for passing client to OpenIDConnectStrategy as single argument, use new Strategy({ client }) instead of new Strategy(client).
• fixed a bug requiring nonce to be passed for response_type=none

• added documentation for OpenIdConnectError
• added error_uri from IdP responses to OpenIdConnectError instances
• fixed OpenIdConnectError messages to include error_description

• Issuer.discover now parses the provided URI instead of just inspecting the string. #80

• fixed edge cases of (and simplified) private id token decryption method

• fix return values of #authorizationCallback() for response_type=none to resolve a TokenSet

• fixed authorizationUrl to respect existing issuer authorization_endpoint query parameters

• adjusted the passport state mismatch related error message to hint developers at a local setup issue