@panva panva commented Apr 2, 2025

v9.0.0-rc.1

npm install panva/node-oidc-provider#v9.0.0-rc.1

⚠ BREAKING CHANGES

  • default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
  • removed the provider.Account getter
  • all Provider routes will now end the HTTP request when finished, koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, "upstream" control flows are unaffected
  • the Provider no longer includes a catch-all 404 Not Found error handler
  • FAPI profile behaviours no longer force PKCE, these should be forced by configuring the pkce.required configuration helper the default of which already does so.
  • the server's JWK Key IDs (JWK kid parameter) now must be unique, no two keys must use the same kid.
  • the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation, its default return remains false for this case though
  • CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id
  • authorization code grant type issued ID Tokens no longer include at_hash
  • device authorization grant type issued ID Tokens no longer include at_hash
  • refresh token grant type issued ID Tokens no longer include at_hash
  • implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
  • global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.
  • the httpOptions configuration option was removed and a new option to accommodate the use of the fetch() interface was added. This option is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
  • Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
  • removed support for Passing a Request Object by Reference (JAR request_uri)
  • removed legacy sameSite cookie fallback
  • removed support for Node.js 18.x
  • removed support for Node.js 20.x
  • removed the pkce.methods configuration
  • removed the features.requestObjects.mode configuration
  • removed support for Ed448
  • removed support for X448
  • removed support for secp256k1 / ES256K
  • removed support for FAPI 1.0 ID2

Features

  • Access Token revocation may now also optionally revoke the underlying grant (2d19552)
  • add support for the fully-specified Ed25519 JWS Algorithm Identifier (4a6fb87)
  • DPoP support is now enabled by default (a320882)
  • Experimental support for external signing keys, e.g. in a KMS or HSM (4240824)
  • expose current requests' ctx via Provider.ctx static getter (df633ff)
  • update FAPI 2.0 implementation to FAPI 2.0 Final (1d3507b)

Documentation

  • auto-format code blocks (4a7daf6)
  • dpop cannot acked anymore, it is stable (a48c51f)
  • improvements to linked resources (81583d7)
  • mention external types (f3cb117)
  • move adapters to the Community Guides Discussions section (394c5ff)
  • move recipes to the Community Guides Discussions section (655ee09)
  • remove mentions of the connect server framework (d240bf0)
  • update README to use named exports (8355886)
  • update version support matrix (6480a26)

Refactor

  • change default PKCE usage requirement (9871586)
  • cleanup unused azp claim code (f257c1f)
  • deprecate the .app getter (f2fc768)
  • encryption and key derivation is not blocking the main thread (f7da485)
  • ensure all route handlers are final (10111ed)
  • increase all random identifiers from ~126 bits of randomness to ~256 (a5622a9)
  • minimal change to support koa@3 (925cee5)
  • no more warnings if cookie keys are missing (6d9ce7e)
  • omit generic "typ: JWT" in issued JSON Web Tokens (c7f24c9)
  • pass over internal configuration getters (b06a0a2)
  • Provider is now the Koa application instance (f6eb262)
  • remove hardcoded require PKCE checks (1baec12)
  • remove object-hash dependency (ed0fcbb)
  • remove optional ID Token _hash claims (310206b)
  • remove the provider.Account getter (2c24df2)
  • remove unused code (7d147dd)
  • remove uses of randomFill and Buffer.allocUnsafe (2a5114f)
  • removed legacy sameSite cookie fallback (7c950de)
  • removed support for FAPI 1.0 ID2 (dab5859)
  • removed support for Passing a Request Object by Reference (JAR request_uri) (b1d387d)
  • removed the features.requestObjects.mode configuration (80bdf28)
  • removed the pkce.methods configuration (db5d411)
  • Request Object (JAR) is now enabled with features.requestObjects.enabled (95ee7f7)
  • simplify default assertJwtClaimsAndHeader configuration (1f9387a)
  • update Node.js support matrix (fae4f6d)
  • use fetch() api to make outgoing HTTP requests (c732c4f)
  • use hkdf in dpop's rolling nonce calculation (91e779a)
  • use more optional chaining (3d36df2)
  • use oneshot hash methods instead of intermediate Hash objects (8932343)
  • use structuredClone instead of JSON.stringify then parse (d9accd9)
  • use URL.parse (2d4c1a5)
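The following is an added example and not code from the node-oidc-provider project or this pull request. It shows what a deployment adapting to the changes listed above might do: a pre-flight check of the server's JWK Set (every kid must now be unique, and Ed448, X448 and secp256k1 keys are no longer accepted), followed by a configuration object using the renamed or re-scoped options (features.requestObjects.enabled, pkce.required, revokeGrantPolicy, fetch). The call signatures pkce.required(ctx, client), revokeGrantPolicy(ctx) and fetch(url, init), and the property names client.tokenEndpointAuthMethod and ctx.oidc.entities, are assumptions not stated in the release notes; the sample JWK Sets are constructed metadata with no real key material.

```javascript
// Added example, not code from node-oidc-provider itself: a v9-style
// configuration built after a pre-flight check of the server's JWK Set.
// Assumed (not stated in the release notes): pkce.required is called as
// (ctx, client), revokeGrantPolicy as (ctx), and the fetch option as
// (url, init); client.tokenEndpointAuthMethod and ctx.oidc.entities are
// assumed property names.

// Curves whose support was removed in v9 (from the release notes).
const REMOVED_CURVES = new Set(['Ed448', 'X448', 'secp256k1']);

// Inspect a JWK Set and return a list of problems (empty array = OK).
// v9 requires every kid to be unique: a duplicate kid makes key selection
// by JWS/JWE header ambiguous, so a set containing one is rejected up front.
function checkJwks(jwks) {
  const problems = [];
  const seenKids = new Map(); // kid -> index of first occurrence
  (jwks.keys ?? []).forEach((jwk, i) => {
    if (!jwk.kid) {
      problems.push(`keys[${i}]: missing kid`);
    } else if (seenKids.has(jwk.kid)) {
      problems.push(`keys[${i}]: duplicate kid "${jwk.kid}" (first seen at keys[${seenKids.get(jwk.kid)}])`);
    } else {
      seenKids.set(jwk.kid, i);
    }
    if (REMOVED_CURVES.has(jwk.crv)) {
      problems.push(`keys[${i}]: curve ${jwk.crv} is no longer supported`);
    }
  });
  return problems;
}

// Build the configuration object. `fapi` flags a deployment that must force
// PKCE for every client regardless of its token endpoint auth method.
function buildConfiguration(jwks, { fapi = false } = {}) {
  const problems = checkJwks(jwks);
  if (problems.length > 0) {
    throw new Error(`refusing to start, invalid jwks: ${problems.join('; ')}`);
  }
  return {
    jwks,
    features: {
      // v8 used features.requestObjects.request; request_uri (JAR by
      // reference) support is gone entirely.
      requestObjects: { enabled: true },
    },
    pkce: {
      // The v9 default no longer forces PKCE for every client; require it
      // at least for public clients (RFC 9700) and for everything under FAPI.
      required(ctx, client) {
        return fapi || client.tokenEndpointAuthMethod === 'none';
      },
    },
    // Now also consulted when an opaque Access Token is revoked; keep the
    // v9 default (false) there and revoke the grant only for other tokens.
    revokeGrantPolicy(ctx) {
      return !ctx.oidc.entities.AccessToken;
    },
    // Replaces httpOptions: same signature and return as global fetch(),
    // here adding a bounded timeout to every outgoing request.
    async fetch(url, init) {
      return globalThis.fetch(url, { ...init, signal: AbortSignal.timeout(5000) });
    },
  };
}

// Constructed sample JWK Sets (metadata only, no real key material).
const GOOD_JWKS = {
  keys: [
    { kty: 'OKP', crv: 'Ed25519', kid: 'sig-2025-04', use: 'sig' },
    { kty: 'EC', crv: 'P-256', kid: 'enc-2025-04', use: 'enc' },
  ],
};
const BAD_JWKS = {
  keys: [
    { kty: 'OKP', crv: 'Ed25519', kid: 'k1' },
    { kty: 'EC', crv: 'P-256', kid: 'k1' },      // duplicate kid
    { kty: 'EC', crv: 'secp256k1', kid: 'k2' },  // removed curve
    { kty: 'OKP', crv: 'X448' },                 // missing kid and removed curve
  ],
};

// checkJwks(GOOD_JWKS) returns []; checkJwks(BAD_JWKS) returns 4 problems,
// and buildConfiguration(BAD_JWKS) throws before any Provider is created.
```

Running the check before the Provider is constructed turns the new kid-uniqueness rule into a startup failure rather than a runtime surprise when a client presents a token signed under an ambiguous kid; the PKCE and revokeGrantPolicy helpers show the two places where the v9 defaults became more permissive and a deployment may want to opt back in.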

panva added 30 commits April 1, 2025 17:44
BREAKING CHANGE: removed support for Ed448
BREAKING CHANGE: removed support for X448
BREAKING CHANGE: removed support for secp256k1 / ES256K
BREAKING CHANGE: removed support for Node.js 18.x
BREAKING CHANGE: removed support for Node.js 20.x
…bjects.enabled

BREAKING CHANGE: Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
BREAKING CHANGE: global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.

BREAKING CHANGE: the httpOptions configuration option was removed and a new option to accommodate the use of the fetch() interface was added. This option is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
BREAKING CHANGE: CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id

BREAKING CHANGE: authorization code grant type issued ID Tokens no longer include at_hash

BREAKING CHANGE: device authorization grant type issued ID Tokens no longer include at_hash

BREAKING CHANGE: refresh token grant type issued ID Tokens no longer include at_hash

BREAKING CHANGE: implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
…erlying grant

BREAKING CHANGE: the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation, its default return remains false for this case though
…r HSM

BREAKING CHANGE: the server's JWK Key IDs (JWK kid parameter) now must be unique, no two keys must use the same kid.
panva added 26 commits April 1, 2025 17:44
BREAKING CHANGE: the Provider no longer includes a catch-all 404 Not Found error handler
BREAKING CHANGE: all Provider routes will now end the HTTP request when finished, koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, "upstream" control flows are unaffected
BREAKING CHANGE: removed the provider.Account getter
BREAKING CHANGE: default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
Repository owner locked and limited conversation to collaborators Apr 2, 2025
panva commented Apr 13, 2025

Superseded by v9.0.0-rc.2

@panva panva closed this Apr 13, 2025
@panva panva deleted the v9.0.0-rc.1 branch April 15, 2025 14:24