oauth4webapi

Refactor

• add a type check on AbortSignal (b013fef)
• align argument and function names in assert functions (8ea65f6)
• update "as" error messages (3e894f5)

Features

• allow to skip JWT signature validation on select responses (44d9114)

This release

• moves the package on npm from @panva/oauth4webapi to just oauth4webapi
• moves the package on deno.land/x from doauth to oauth4webapi

Otherwise this release contains only code refactoring and documentation updates.

NB: @panva/oauth4webapi had last npm version released and it now simply re-exports oauth4webapi to allow existing consumers to obtain updates within the ^1.2.1 semver range.

Features

• add experimental EdDSA (Ed25519) JWS algorithm support (f70d4d5)

Fixes

• typescript: resolve ts4.8 issue (572c6de)

This release contains only code refactoring and documentation updates.

This release contains only code refactoring and documentation updates.

Fixes

• processing pure oauth2 code response ignores invalid id_token parameter values (282705a)

Features

• allow AbortSignal-returning function as well as an instance (90d21b8)

Fixes

• allow zero-length scope in token endpoint responses (#15) (d54c821)

Fixes

• do not set a user-agent in CORS-enabled runtimes (8899a6b), closes #13

Fixes

• skip recalculating dpop_jkt in PAR if already set (9499ccd)

This release contains only code refactoring and documentation updates.

Fixes

• reject unsupported token_type values (3d2cc0c)

This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.

Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable Open ID Connect is also supported.

In Scope & Implemented

• Authorization Server Metadata discovery
• Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
• Refresh Token, Device Authorization, and Client Credentials Grants
• Demonstrating Proof-of-Possession at the Application Layer (DPoP)
• Token Introspection and Revocation
• Pushed Authorization Requests (PAR)
• UserInfo and Protected Resource Requests
• Authorization Server Issuer Identification
• JWT Secured Introspection, Response Mode, Authorization Request, and UserInfo

Out of scope

• CommonJS
• Implicit, Hybrid, and Resource Owner Password Credentials Flows
• Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
• JSON Web Encryption (JWE)
• JSON Web Signature (JWS) rarely used algorithms and HMAC
• Automatic polyfills of any kind