oauth4webapi

OAuth 2 / OpenID Connect for JavaScript Runtimes

MIT License

Downloads
2.2M
Stars
509
Committers
4


oauth4webapi - v2.2.3

Published by panva over 1 year ago

This release was merely to test release automation. NPM releases now include provenance statements.

oauth4webapi -

Published by panva over 1 year ago

Fixes

  • return undefined from getValidatedIdTokenClaims as documented (678b12d)

oauth4webapi -

Published by panva over 1 year ago

Features

  • allow the client's assumed current time to be adjusted (5051a5d), closes #49 #50

```ts
// client's local clock is mistakenly 1 hour in the past
const client: oauth.Client = {
  client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
  // ... other metadata
  [oauth.clockSkew]: +(60 * 60),
}
```

```ts
// client's local clock is mistakenly 1 hour in the future
const client: oauth.Client = {
  client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
  // ... other metadata
  [oauth.clockSkew]: -(60 * 60),
}
```

  • allow the client's DateTime claims tolerance to be adjusted (3936a56), closes #49 #50

```ts
// Tolerate 30 seconds clock skew when validating JWT claims like `exp` or `nbf`.
const client: oauth.Client = {
  client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
  // ... other metadata
  [oauth.clockTolerance]: 30,
}
```
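
How the two settings above combine when `exp` and `nbf` are checked, as an added stand-alone model (not oauth4webapi's own code). The function `checkTimeClaims`, its option names and the sample timestamps are hypothetical and constructed for illustration.

```javascript
// Added illustration: a stand-alone model, not oauth4webapi source code.
// checkTimeClaims and its option names are hypothetical.
function checkTimeClaims(claims, { localNow, clockSkew = 0, clockTolerance = 0 }) {
  // clockSkew corrects the client's own clock: positive when the local
  // clock is behind real time, negative when it is ahead.
  const now = localNow + clockSkew
  // clockTolerance widens the acceptance window on both sides.
  if (claims.exp !== undefined && claims.exp <= now - clockTolerance) {
    return 'expired'
  }
  if (claims.nbf !== undefined && claims.nbf > now + clockTolerance) {
    return 'not yet valid'
  }
  return 'ok'
}

// Constructed sample: real time is T; the token is valid from T for 5 minutes.
const T = 1700000000
const token = { nbf: T, exp: T + 300 }

function demo() {
  return {
    // Local clock 1 hour in the past, uncorrected: the token looks premature.
    slowClock: checkTimeClaims(token, { localNow: T - 3600 }),
    // Same clock with clockSkew = +(60 * 60).
    slowClockCorrected: checkTimeClaims(token, { localNow: T - 3600, clockSkew: 3600 }),
    // Local clock 1 hour in the future, uncorrected: the token looks expired.
    fastClock: checkTimeClaims(token, { localNow: T + 3600 }),
    // Same clock with clockSkew = -(60 * 60).
    fastClockCorrected: checkTimeClaims(token, { localNow: T + 3600, clockSkew: -3600 }),
    // Accurate clock, 20 s past exp: rejected unless a 30 s tolerance is set.
    justExpired: checkTimeClaims(token, { localNow: T + 320 }),
    justExpiredTolerated: checkTimeClaims(token, { localNow: T + 320, clockTolerance: 30 }),
    // The tolerance is bounded: 40 s past exp still fails with 30 s.
    pastTolerance: checkTimeClaims(token, { localNow: T + 340, clockTolerance: 30 }),
  }
}

console.log(demo())
```

The skew value is a correction for a known clock error, while the tolerance extends how long an expired token is still accepted, so the tolerance is best kept to a few seconds.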
oauth4webapi -

Published by panva over 1 year ago

Features

  • add more asymmetric JWS algorithms (af43ec7)

oauth4webapi -

Published by panva almost 2 years ago

Fixes

  • build: fixup user agent version after version bump (e1c3ed8)

oauth4webapi -

Published by panva almost 2 years ago

This release contains only code refactoring and documentation updates.

oauth4webapi -

Published by panva almost 2 years ago

Refactor

  • weak maps instead of symbols (e551edc)

oauth4webapi -

Published by panva almost 2 years ago

Fixes

  • omit zealous response cloning() to reduce edge compute memory bills (a785223), closes #37

oauth4webapi -

Published by panva almost 2 years ago

Fixes

  • claims parameter encoding in issued request objects (3eb165a)

Performance

  • cache public DPoP CryptoKey's JWK representation for re-use (2858d06)

oauth4webapi -

Published by panva almost 2 years ago

⚠ BREAKING CHANGES

  • Use the TLS server validation in processAuthorizationCodeOpenIDResponse to validate the issuer instead of checking the ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processDeviceCodeResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processIntrospectionResponse to validate the issuer instead of checking the optional JWT Introspection Response signature. The function's options argument was removed.
  • Use the TLS server validation in processRefreshTokenResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processUserInfoResponse to validate the issuer instead of checking the optional JWT UserInfo Response signature. The function's options argument was removed.
  • PAR w/ DPoP no longer automatically adds dpop_jkt to the authorization request.
  • Removed calculateJwkThumbprint function export.
  • Removed jwksRequest function export.
  • Removed processJwksResponse function export.

Refactor

  • remove ignored and unused exports (4a545df)
  • use TLS server validation instead of jwt signature validations (f728110)

oauth4webapi -

Published by panva almost 2 years ago

Refactor

  • deno: add mod.ts to deno.land/x (0778278)
  • use RsaHashedKeyAlgorithm in checkRsaKeyAlgorithm (94aa31c)

oauth4webapi -

Published by panva almost 2 years ago

Features

  • add bun as a supported runtime (707efd1)

oauth4webapi -

Published by panva almost 2 years ago

Refactor

  • add a type check on AbortSignal (b013fef)
  • align argument and function names in assert functions (8ea65f6)
  • update "as" error messages (3e894f5)

oauth4webapi -

Published by panva almost 2 years ago

Features

  • allow to skip JWT signature validation on select responses (44d9114)

oauth4webapi -

Published by panva about 2 years ago

This release

  • moves the package on npm from @panva/oauth4webapi to just oauth4webapi
  • moves the package on deno.land/x from doauth to oauth4webapi

Otherwise this release contains only code refactoring and documentation updates.


NB: @panva/oauth4webapi has had its last npm version released; it now simply re-exports oauth4webapi to allow existing consumers to obtain updates within the ^1.2.1 semver range.

oauth4webapi -

Published by panva about 2 years ago

Features

  • add experimental EdDSA (Ed25519) JWS algorithm support (f70d4d5)

oauth4webapi -

Published by panva about 2 years ago

Fixes

  • typescript: resolve ts4.8 issue (572c6de)

oauth4webapi -

Published by panva about 2 years ago

This release contains only code refactoring and documentation updates.

oauth4webapi -

Published by panva over 2 years ago

This release contains only code refactoring and documentation updates.

oauth4webapi -

Published by panva over 2 years ago

Fixes

  • processing pure oauth2 code response ignores invalid id_token parameter values (282705a)