openidconnect-rs

OpenID Connect Library for Rust

MIT License

Downloads: 1.6M
Stars: 336
Committers: 31


openidconnect-rs - 4.0.0-alpha.2 Latest Release

Published by ramosbugs 5 months ago

Bug Fixes

  • Return impl Future instead of Pin<Box<dyn Future>> (#158)

Full Changelog: https://github.com/ramosbugs/openidconnect-rs/compare/4.0.0-alpha.1...4.0.0-alpha.2

openidconnect-rs - 4.0.0-alpha.1

Published by ramosbugs 6 months ago

This is an API-unstable release intended for gathering feedback about breaking API changes in 4.0. It should be safe to use in applications, but further breaking API changes MAY occur before stabilizing the API for the 4.0.0 release.

Refer to the Upgrade Guide for tips on how to upgrade from 3.x.

Breaking Changes

  • Bump oauth2 to 5.0.0-alpha.4 (19043b103b74f38137d2c0b563eadd4165d2f827)
  • Fix EdDSA signature verification (1d97e0e1fcbab6dbcea60abb5f33c895c8499848)
  • Replace JWT-related generic traits with associated types (5f039ee4c7233147199febe98e8dadd35491c523)
  • Bump oauth2 to 5.0.0-alpha.3 along with http, reqwest, and base64 (7efc8943a8f699aff2db742827fc3d0fc2b3f34d)
  • Remove unused nightly feature (c67ffe94af24b65dbb596a68b6623baecf080eb8)
  • Update oauth2 to 5.0.0-alpha.2 (fd404985ef6c8e546f951191f4e1bc791615f5ca)
  • Remove jwk-alg Cargo feature (73ee82f4243ef6e0e52896b97081c9b7b7226fa4)

New Features

  • Implement From<> for unwrapping newtypes
  • Derive Eq for types that already derive PartialEq (898ead2e849f9fd7b3afc506d0763d3c9000a6f7)

Bug Fixes

  • Propagate timing-resistant-secret-traits feature flag to oauth2 (1c9f77071dd29d8039e65cfeac4345584fdad56b)
  • Fix doc comment URL (1131afa2c5a9702c36ddfb400d24d2e241a02ef2)

Other Changes

  • Add upgrade guide (6852dcc8fbfc4cbf814b0eea48050d406069698c)
  • Address clippy lints from Rust 1.77 (29aad1cfccb32397f02cb889b115cb949c68db6a)
  • Update list of example OIDC providers (fcada1718118cfebfaa874e8b1920cd1dbc2b358)
  • Update README (fd077bde028e24f2a698fdc450138e85482981bb)
  • Remove private JsonCurveType trait (ffde16ad678a8a1e2fda7ccd1d87e12eb4ccfee3)
  • Refactor crate into smaller private modules (e87580c99233a77c4263cd3224c5b2840f6e5b15)
  • Remove empty leading and trailing lines from doc comments (38baa1a1473896020af0809062f337fa27de7f30)
  • Improve Display output of ClientRegistrationError (3a801c9666589450322b710ca2f38f2f99fb24f2)
  • Address clippy lints and clean up examples (9aadf673dcaa94172bb287191fd5ca37c4b93ab4)
  • Add keywords to Cargo.toml (06e9d6cd0218a9350252f8a6a6163b16cd142f60)

Full Changelog: https://github.com/ramosbugs/openidconnect-rs/compare/3.5.0...4.0.0-alpha.1

openidconnect-rs - 3.5.0

Published by ramosbugs 8 months ago

New Features

Bug Fixes

Full Changelog: https://github.com/ramosbugs/openidconnect-rs/compare/3.4.0...3.5.0

openidconnect-rs - 3.4.0

Published by ramosbugs about 1 year ago

New Features

  • Take JSON Web Key alg field into account during key selection (#131). This change is gated by a non-default jwk-alg feature flag, which was added to avoid introducing breaking changes. During a future major version, this feature flag will be removed and the functionality will be included unconditionally.
  • Support EdDSA signatures (#130)

Full Changelog: https://github.com/ramosbugs/openidconnect-rs/compare/3.3.1...3.4.0

openidconnect-rs - 3.3.1

Published by ramosbugs about 1 year ago

Bug Fixes

  • Enable chrono wasmbind feature to fix panic in WASM environments (#127)

openidconnect-rs - 3.3.0

Published by ramosbugs over 1 year ago

This release increases the Minimum Supported Rust Version (MSRV) of this crate to 1.65.

Bug Fixes

  • Support standard OIDC birthdate claim (#119). This crate supports a typo'ed birthday claim, which continues to work as before. In addition, it now supports the standardized birthdate claim.

Other Changes

  • Update rsa, p256, p384, serde_with, and url dependencies to their latest versions (#117)
  • Implement Eq trait on structs and enums already implementing PartialEq to address Clippy lint

Full Changelog: https://github.com/ramosbugs/openidconnect-rs/compare/3.2.0...3.3.0

openidconnect-rs - 3.2.0

Published by ramosbugs over 1 year ago

New Features

  • Add support for OAuth 2.0 Device Authorization Grant, along with an example of how to use this flow with Okta (#114). This feature updates the minimum required oauth2 crate version to 4.4.1.

Bug Fixes

  • Fix various cargo doc warnings and rustdoc links

openidconnect-rs - 3.1.1

Published by ramosbugs over 1 year ago

Bug Fixes

  • Export PostLogoutRedirectUrl and LogoutHint

openidconnect-rs - 3.1.0

Published by ramosbugs over 1 year ago

New Features

openidconnect-rs - 3.0.0

Published by ramosbugs over 1 year ago

🚀 WASM is now supported! 🚀

Changes since 3.0.0-alpha.1

Bug Fixes

  • Don't set empty JWK signing algorithms in Client::new() (#104). This fixes a bug introduced in 3.0.0-alpha.1/2.5.0 (#87) that caused clients constructed via Client::new() not to allow any signature algorithms for ID tokens and user info JWTs unless they manually set the allowed algorithms on the IdTokenVerifier. This patch restores the original behavior of defaulting to accepting only RS256 for clients constructed via Client::new(), as indicated in the spec.

    Clients constructed via Client::from_provider_metadata() will continue to receive the signing algorithms specified in the provider metadata during OpenID Connect Discovery (as introduced in 3.0.0-alpha.1/2.5.0 via #87).

New Features

  • Add AuthorizationRequest::add_scopes (#105)

Other Changes

  • Remove unnecessary 'static bound from ProviderMetadata::discover_async (#107)

Summary of changes since 2.5.1

Breaking Changes

  • Replace ring with RustCrypto crates (#96). This change increases the minimum supported Rust version (MSRV) to 1.57 and adds support for WASM targets.

    Special thanks to @sbihel for contributing this change!

  • Establish new MSRV policy: this crate will maintain a policy of supporting Rust releases going back at least 6 months. Changes that break compatibility with Rust releases older than 6 months will no longer be considered SemVer breaking changes and will not result in a new major version number for this crate (f3dedb3c3e74802cdf0c20d7d87ce35ffa846eb1).

Other Changes

  • Make CoreRsaPrivateSigningKey Send and Sync (bc09d22afc140e1d2d6caf8756dda4a17cc991fa).

openidconnect-rs - 2.5.1

Published by ramosbugs over 1 year ago

Bug Fixes

  • Don't set empty JWK signing algorithms in Client::new() (#104). This fixes a bug introduced in 2.5.0 (#87) that caused clients constructed via Client::new() not to allow any signature algorithms for ID tokens and user info JWTs unless they manually set the allowed algorithms on the IdTokenVerifier. This patch restores the original behavior of defaulting to accepting only RS256 for clients constructed via Client::new(), as indicated in the spec.

    Clients constructed via Client::from_provider_metadata() will continue to receive the signing algorithms specified in the provider metadata during OpenID Connect Discovery (as introduced in 2.5.0 via #87).

openidconnect-rs - 3.0.0-alpha.1

Published by ramosbugs almost 2 years ago

Breaking Changes

  • Replace ring with RustCrypto crates (#96). This change increases the minimum supported Rust version (MSRV) to 1.57 and adds support for WASM targets.

    Special thanks to @sbihel for contributing this change!

  • Establish new MSRV policy: this crate will maintain a policy of supporting Rust releases going back at least 6 months. Changes that break compatibility with Rust releases older than 6 months will no longer be considered SemVer breaking changes and will not result in a new major version number for this crate (f3dedb3c3e74802cdf0c20d7d87ce35ffa846eb1).

Other Changes

  • Make CoreRsaPrivateSigningKey Send and Sync (bc09d22afc140e1d2d6caf8756dda4a17cc991fa).

openidconnect-rs - 2.5.0

Published by ramosbugs almost 2 years ago

New Features

  • Ignore unrecognized signature algorithms, encryption algorithms, and public keys when parsing provider metadata and JWK sets (#99).

    Previously, this crate would return a deserialization error if it encountered any unrecognized signature/encryption algorithms or public keys in the ProviderMetadata and JsonWebKeySet. This release changes the behavior to instead ignore these unexpected values, with the aim of improving compatibility with OIDC providers that support other algorithms but don't necessarily use them to sign JWTs. The OIDC spec allows for new algorithms and key types to be used, so these OIDC providers are fully compliant with the spec.

  • Propagate signature algorithms from OIDC discovery to token verifier (#87). Previously, these had to be configured manually when instantiating the token verifier.

Bug Fixes

  • Use serde_plain instead of the oauth2 crate's variant_name helper to convert algorithm names and other values to strings. This should ensure compatibility with arbitrary Serialize implementations for these types.

Other Changes

  • Replace constant time from ring with subtle in preparation for removing ring entirely in 3.0 (#89).

openidconnect-rs - 2.4.0

Published by ramosbugs almost 2 years ago

New Features

  • Add CoreJsonWebKeyUse::Other variant to avoid JWK deserialization errors when unsupported keys are present in a provider's JWK set (c25eb06ba7e64e14cb94d34a564d77a4ff4e9d1b)
  • Optionally accept string boolean fields behind accept-string-booleans Cargo feature flag to interoperate with non-RFC-compliant Apple OAuth (#84)

Bug Fixes

  • Make CoreRsaPrivateSigningKey implement Send (#93)
  • Fix typos in documentation (#81)

openidconnect-rs - 2.3.2

Published by ramosbugs over 2 years ago

Bug Fixes

  • Fix PKCE documentation link (#76)
  • Only use HTTP Basic auth with a client secret (see ramosbugs/oauth2-rs#176)
  • Improve issuer URL mismatch error message (see #77)

openidconnect-rs - 2.3.1

Published by ramosbugs over 2 years ago

Patch Changes

  • Bump oauth2 dependency to 4.2
  • Bump itertools, serde-value, and various dev dependencies. Remove untrusted crate as a dependency. (#73)

openidconnect-rs - 2.3.0

Published by ramosbugs over 2 years ago

New Features

  • Add new_insecure_without_verification() to IdTokenVerifier (#61)

Bug Fixes

  • Fix clippy lints and other code cleanup (#69)
  • Fix deserialization of optional ClientRegistrationResponse fields (#66)

openidconnect-rs - 2.2.0

Published by ramosbugs almost 3 years ago

New Features

  • Implement FromStr for IdToken (#59)
  • Expose ureq feature of oauth2 (#56)
  • Add optional feature to accept RFC 3339 timestamps, for compatibility with Auth0 (#55)

openidconnect-rs - 2.1.2

Published by ramosbugs almost 3 years ago

Bug Fixes

  • Support JWKs with leading zeroes in their RSA modulus (n) and public exponent (e) values (#53)

openidconnect-rs - 2.1.1

Published by ramosbugs almost 3 years ago

  • Update rand and base64 dependencies to their latest versions (#49)
  • Address RUSTSEC-2020-0071 by disabling chrono's oldtime feature flag