Releases · panva/node-oidc-provider

28 Jun 21:28

v8.5.0 Latest

Latest

add a Client static validate() method (d1f7d73)
add a helper allowing custom claims parameter validations (ec2a1f5)
add experimental support for RFC9396 - Rich Authorization Requests (e9fb573)
add response_modes client metadata allow list (76f9af0)
allow extraParams to define validations for extra parameters (b7d3322)
DPoP: add a setting to disable DPoP Proof Replay Detection (2744fc8)
DPoP: send a dpop-nonce when the proof's iat check fails and nonces are configured but not required (1b073c0)
FAPI: add FAPI 2.0 profile behaviours (5212609)
JAR: add a helper allowing custom JWT claim and header validations (be9242a)
PAR: add a setting to allow use of unregistered redirect_uri values (a7e73fa)
update Web Message Response Mode and remove its Relay Mode (a91add8)

DPoP,mTLS: reject client configuration in which binding is required but response types include an implicit token response (cd7e0f4)

deprecate FAPI 1.0 ID2, lax request objects, plain PKCE (3e8a784)
don't use overwrite cookie option by default (dfbcb94)
DPoP: move the accepted timespan into a constant (a8e8006)
DPoP: omit sending the dpop-nonce header if the existing one used is fresh (4d635e2)
ensure param-assigned max_age from client.defaultMaxAge is a string (0c52469)
FAPI: deprecate FAPI profile hardcoded PKCE checks (56641ec)
JAR: authorization requests with JAR now require a client_id parameter (9131cd5)
JAR: Request Objects are no longer checked for one time use (18efa70)
PAR: consume PAR after user interactions instead of before (53babe6)
store claims value parsed in non-JAR PAR (9cd865b)
use invalid_request instead of unauthorized_client (7947d87)