oauth4webapi

OAuth 2 / OpenID Connect for JavaScript Runtimes

MIT License

Downloads: 2.2M
Stars: 509
Committers: 4


oauth4webapi - v2.4.4

Published by github-actions[bot] 9 months ago

Fixes

  • handle Response objects with empty string url in processDpopNonce (f2c9415)

oauth4webapi - v2.4.3

Published by github-actions[bot] 10 months ago

Revert "fix: encode client_secret_basic - _ . ! ~ * ' ( ) characters"

This reverts commit f926175cdf6caa467029a57e76375054fff7c57b. Even though it is the correct implementation, some of the most widely used identity providers don't follow the specification.
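
As an added illustration (not code from oauth4webapi), the sketch below contrasts `encodeURIComponent` alone with an encoder that also escapes the nine characters named in the reverted fix, and shows how the resulting `client_secret_basic` header changes. The function names and sample credentials are constructed for this example, and the round trip assumes a server that form-decodes both halves as RFC 6749 section 2.3.1 describes.

```javascript
// Added example: helper names are hypothetical, not oauth4webapi exports.

// The nine characters named in the release note; encodeURIComponent leaves them as-is.
const UNESCAPED = /[-_.!~*'()]/g

// encodeURIComponent alone: those characters go into the header unescaped.
function encodeLenient(value) {
  return encodeURIComponent(value)
}

// Also percent-encode the nine characters and write space as "+".
function encodeStrict(value) {
  return encodeURIComponent(value)
    .replace(UNESCAPED, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+')
}

// Build the client_secret_basic Authorization header with the chosen encoder.
function basicAuth(clientId, clientSecret, encode) {
  return 'Basic ' + btoa(`${encode(clientId)}:${encode(clientSecret)}`)
}

// What a server sees before any decoding (base64 removed only).
function rawCredentials(header) {
  return atob(header.slice('Basic '.length))
}

// Assumed spec-following server: form-decode each half after splitting on ":".
function decodeBasic(header) {
  const [id, secret] = rawCredentials(header).split(':')
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, '%20'))
  return { id: decode(id), secret: decode(secret) }
}

// Constructed sample credentials (not real).
const id = 'my_client.app'
const secret = 's3cr3t-(v1)!'

for (const [name, enc] of [['lenient', encodeLenient], ['strict', encodeStrict]]) {
  const header = basicAuth(id, secret, enc)
  console.log(name, rawCredentials(header), '->', decodeBasic(header).secret)
}
```

Sending both header forms to an authorization server under test shows whether it decodes the credentials before comparing them.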

oauth4webapi - v2.4.2

Published by github-actions[bot] 10 months ago

Documentation

  • add distribution links to README.md (29bb947)

Fixes

  • encode client_secret_basic - _ . ! ~ * ' ( ) characters (f926175)

oauth4webapi - v2.4.1

Published by github-actions[bot] 10 months ago

Refactor

  • create Request instances before passing them to fetch (02ab110)
  • types: mark always lowercased values and keys as Lowercase (89e7a77)

Documentation

  • categorize APIs in docs/README.md (c28efda)
  • expose Indexed Access Types (54c4393)
  • update EdDSA description (9765e7a)

oauth4webapi - v2.4.0

Published by github-actions[bot] 11 months ago

Features

  • add the cause property to errors where possible (07c95f7)

Refactor

  • use AlgorithmIdentifier instead of Algorithm where possible (e2ae2f3)

Fixes

  • base64url decode errors are OperationProcessingError (7f4a878)

oauth4webapi - v2.3.0

Published by github-actions[bot] over 1 year ago

Features

  • allow Record<string, string> and string[][] as parameter arguments (021b85f)

oauth4webapi - v2.2.4

Published by github-actions[bot] over 1 year ago

Refactor

  • brand URLSearchParams instead of extending URLSearchParams (8e62c8a)

oauth4webapi - v2.2.3

Published by panva over 1 year ago

This release was merely to test release automation. NPM releases now include provenance statements.

oauth4webapi - v2.2.2

Published by github-actions[bot] over 1 year ago

Refactor

  • types: enforce flat interfaces (c958d61)

oauth4webapi -

Published by panva over 1 year ago

Fixes

  • return undefined from getValidatedIdTokenClaims as documented (678b12d)

oauth4webapi -

Published by panva over 1 year ago

Features

  • allow the client's assumed current time to be adjusted (5051a5d), closes #49 #50

```ts
import * as oauth from 'oauth4webapi'

// client's local clock is mistakenly 1 hour in the past
const client: oauth.Client = {
  client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
  // ... other metadata
  [oauth.clockSkew]: +(60 * 60),
}
```

```ts
import * as oauth from 'oauth4webapi'

// client's local clock is mistakenly 1 hour in the future
const client: oauth.Client = {
  client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
  // ... other metadata
  [oauth.clockSkew]: -(60 * 60),
}
```

  • allow the client's DateTime claims tolerance to be adjusted (3936a56), closes #49 #50

```ts
import * as oauth from 'oauth4webapi'

// Tolerate 30 seconds clock skew when validating JWT claims like `exp` or `nbf`.
const client: oauth.Client = {
  client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
  // ... other metadata
  [oauth.clockTolerance]: 30,
}
```

oauth4webapi -

Published by panva over 1 year ago

Features

  • add more asymmetric JWS algorithms (af43ec7)

oauth4webapi -

Published by panva almost 2 years ago

Fixes

  • build: fixup user agent version after version bump (e1c3ed8)

oauth4webapi -

Published by panva almost 2 years ago

This release contains only code refactoring and documentation updates.

oauth4webapi -

Published by panva almost 2 years ago

Refactor

  • weak maps instead of symbols (e551edc)

oauth4webapi -

Published by panva almost 2 years ago

Fixes

  • omit zealous response cloning() to reduce edge compute memory bills (a785223), closes #37

oauth4webapi -

Published by panva almost 2 years ago

Fixes

  • claims parameter encoding in issued request objects (3eb165a)

Performance

  • cache public DPoP CryptoKey's JWK representation for re-use (2858d06)

oauth4webapi -

Published by panva almost 2 years ago

⚠ BREAKING CHANGES

  • Use the TLS server validation in processAuthorizationCodeOpenIDResponse to validate the issuer instead of checking the ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processDeviceCodeResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processIntrospectionResponse to validate the issuer instead of checking the optional JWT Introspection Response signature. The function's options argument was removed.
  • Use the TLS server validation in processRefreshTokenResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processUserInfoResponse to validate the issuer instead of checking the optional JWT UserInfo Response signature. The function's options argument was removed.
  • PAR w/ DPoP no longer automatically adds dpop_jkt to the authorization request.
  • Removed calculateJwkThumbprint function export.
  • Removed jwksRequest function export.
  • Removed processJwksResponse function export.

Refactor

  • remove ignored and unused exports (4a545df)
  • use TLS server validation instead of jwt signature validations (f728110)

oauth4webapi -

Published by panva almost 2 years ago

Refactor

  • deno: add mod.ts to deno.land/x (0778278)
  • use RsaHashedKeyAlgorithm in checkRsaKeyAlgorithm (94aa31c)

oauth4webapi -

Published by panva almost 2 years ago

Features

  • add bun as a supported runtime (707efd1)