Conversation


@panva panva commented Apr 15, 2025

⚠ BREAKING CHANGES

  • authorization and logout endpoints no longer support the HTTP POST method by default; this can be re-enabled using the enableHttpPostMethods boolean configuration, which also requires that cookies.long.sameSite is set to none
  • cookie session sameSite attribute default is now "lax" instead of "none"
  • userinfo requests with bearer tokens will now fail if they also include DPoP
  • userinfo now includes both dpop and bearer challenges when dpop is enabled
  • accessing protected resources without an access token will now yield a 401 HTTP Status Code instead of a 400
  • default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
  • removed the provider.Account getter
  • all Provider routes will now end the HTTP request when finished; koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, while "upstream" control flows are unaffected
  • the Provider no longer includes a catch-all 404 Not Found error handler
  • FAPI profile behaviours no longer force PKCE; these should be forced by configuring the pkce.required configuration helper, the default of which already does so.
  • the server's JWK Key IDs (JWK kid parameter) must now be unique; no two keys may use the same kid.
  • the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation; its default return remains false for this case, though
  • CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id
  • authorization code grant type issued ID Tokens no longer include at_hash
  • device authorization grant type issued ID Tokens no longer include at_hash
  • refresh token grant type issued ID Tokens no longer include at_hash
  • implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
  • global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.
  • the httpOptions configuration option was removed and a new option to accommodate the use of the fetch() interface was added. This option is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
  • Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
  • removed support for Passing a Request Object by Reference (JAR request_uri)
  • removed legacy sameSite cookie fallback
  • removed support for Node.js 18.x
  • removed support for Node.js 20.x
  • removed the pkce.methods configuration
  • removed the features.requestObjects.mode configuration
  • removed support for Ed448
  • removed support for X448
  • removed support for secp256k1 / ES256K
  • removed support for FAPI 1.0 ID2

Features

  • Access Token revocation may now also optionally revoke the underlying grant (2d4795a)
  • add support for the fully-specified Ed25519 JWS Algorithm Identifier (19377d8)
  • DPoP support is now enabled by default (2562a4f)
  • Experimental support for external signing keys, e.g. in a KMS or HSM (6cec10e)
  • expose current requests' ctx via Provider.ctx static getter (56997a5)
  • update FAPI 2.0 implementation to FAPI 2.0 Final (137a891)

Documentation

  • auto-format code blocks (4f99708)
  • dpop cannot be acked anymore, it is stable (a48c51f)
  • improvements to linked resources (42570b9)
  • mention external types (6cc05d7)
  • move adapters to the Community Guides Discussions section (dcb0efe)
  • move recipes to the Community Guides Discussions section (4bb4118)
  • remove mentions of the connect server framework (1dd49e6)
  • update README to use named exports (8355886)
  • update version support matrix (95a729c)

Fixes

  • no access token provided error is now a 401 (c60e727)
  • userinfo now includes both dpop and bearer challenges when dpop is enabled (c711c91)

Refactor

  • change default PKCE usage requirement (4b1dc0c)
  • change default session cookie from sameSite none to lax (904753b)
  • cleanup unused azp claim code (7ddef51)
  • deprecate the .app getter (774c820)
  • disable HTTP POST Method handling of authorization and logout endpoints (693a1db)
  • encryption and key derivation are not blocking the main thread (9755669)
  • ensure all route handlers are final (c1165af)
  • escape www-authenticate backslashes despite not directly using them (e3596a6)
  • increase all random identifiers from ~126 bits of randomness to ~256 (ef8610e)
  • minimal change to support koa@3 (925cee5)
  • no more warnings if cookie keys are missing (5a763f8)
  • omit generic "typ: JWT" in issued JSON Web Tokens (cfb5825)
  • pass over internal configuration getters (832c6db)
  • Provider is now the Koa application instance (4dcefc8)
  • remove hardcoded require PKCE checks (2c3d64a)
  • remove object-hash dependency (e8ce31b)
  • remove optional ID Token _hash claims (df46d47)
  • remove the provider.Account getter (0652b12)
  • remove unused code (ae4d491)
  • remove uses of randomFill and Buffer.allocUnsafe (a4e891a)
  • removed legacy sameSite cookie fallback (d522580)
  • removed support for FAPI 1.0 ID2 (6881a51)
  • removed support for Passing a Request Object by Reference (JAR request_uri) (3d13e32)
  • removed the features.requestObjects.mode configuration (0ee2d00)
  • removed the pkce.methods configuration (60f6918)
  • Request Object (JAR) is now enabled with features.requestObjects.enabled (e6b4cf0)
  • simplify default assertJwtClaimsAndHeader configuration (2094fe9)
  • update Node.js support matrix (798a294)
  • use fetch() api to make outgoing HTTP requests (62dd4d3)
  • use hkdf in dpop's rolling nonce calculation (f04ac4a)
  • use more optional chaining (c7a9761)
  • use oneshot hash methods instead of intermediate Hash objects (a82d4c8)
  • use structuredClone instead of JSON.stringify then parse (712e9e3)
  • use URL.parse (6066d4a)
  • userinfo requests with bearer tokens will now fail if they also include DPoP (b9e9313)
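Several of the breaking changes above are configuration-level (removed options, a new sameSite default, a hard requirement that enableHttpPostMethods is paired with cookies.long.sameSite set to none, and unique JWK kids). The following is an added example, not code from oidc-provider or its author: a small pre-flight check that scans a configuration object for those settings before it is passed to `new Provider(issuer, configuration)`. The option names are the ones named in the release notes; the helper `checkV9Config`, the two sample configurations and the placeholder JWK values are constructed for this example, and the `pkce.required` and `fetch` shapes are assumed from the notes' description rather than taken from the project's documentation.

```javascript
// Added example (not part of oidc-provider): a pre-flight check that scans an
// oidc-provider configuration object for settings this release removed or
// re-defaulted, and for JWK `kid` collisions, before it reaches
// `new Provider(issuer, configuration)`. Option names follow the release
// notes; the helper, the sample configurations and the JWK values are
// constructed for this example.

// Options that v9 no longer understands, with the migration hint from the notes.
const REMOVED_OPTIONS = [
  ['httpOptions', 'removed; provide a `fetch` function mirroring the fetch() API instead'],
  ['pkce.methods', 'removed'],
  ['features.requestObjects.mode', 'removed'],
  ['features.requestObjects.request', 'use features.requestObjects.enabled instead'],
];

// Curves whose support was dropped in this release.
const REMOVED_CURVES = new Set(['Ed448', 'X448', 'secp256k1']);

// Read a dotted path such as "cookies.long.sameSite" from a nested object.
function getPath(obj, path) {
  return path.split('.').reduce(
    (o, k) => (o !== null && typeof o === 'object' ? o[k] : undefined),
    obj,
  );
}

// Returns { errors, notices }. errors are settings v9 rejects or that are
// inconsistent with each other; notices flag places where the configuration
// silently relies on a default that changed in this release.
function checkV9Config(config) {
  const errors = [];
  const notices = [];

  for (const [path, hint] of REMOVED_OPTIONS) {
    if (getPath(config, path) !== undefined) errors.push(`${path}: ${hint}`);
  }

  // A POST to the authorization/logout endpoints is a cross-site request, so the
  // session cookie must be sent cross-site: the notes require sameSite "none".
  if (config.enableHttpPostMethods === true && getPath(config, 'cookies.long.sameSite') !== 'none') {
    errors.push('enableHttpPostMethods: requires cookies.long.sameSite to be "none"');
  }

  // kid values must be unique; a collision makes key selection ambiguous.
  const keys = getPath(config, 'jwks.keys') ?? [];
  const seenKids = new Set();
  for (const key of keys) {
    if (REMOVED_CURVES.has(key.crv)) errors.push(`jwks: ${key.crv} keys are no longer supported (kid "${key.kid}")`);
    if (key.kid === undefined) continue;
    if (seenKids.has(key.kid)) errors.push(`jwks: duplicate kid "${key.kid}"`);
    seenKids.add(key.kid);
  }

  if (getPath(config, 'cookies.long.sameSite') === undefined) {
    notices.push('cookies.long.sameSite: default changed from "none" to "lax"');
  }
  if (getPath(config, 'features.dpop') === undefined) {
    notices.push('features.dpop: DPoP is now enabled by default');
  }
  if (getPath(config, 'pkce') === undefined) {
    notices.push('pkce: PKCE is no longer required by default unless RFC9700 or a profile requires it');
  }

  return { errors, notices };
}

// Constructed v8-era configuration carrying several of the removed settings.
const LEGACY_CONFIG = {
  httpOptions: () => ({ timeout: 5000 }),
  pkce: { methods: ['S256'] },
  features: { requestObjects: { request: true, mode: 'strict' } },
  enableHttpPostMethods: true,
  cookies: { long: { sameSite: 'lax' } },
  jwks: {
    keys: [
      { kty: 'OKP', crv: 'Ed25519', kid: 'sig-1', x: 'placeholder' },
      { kty: 'OKP', crv: 'Ed448', kid: 'sig-1', x: 'placeholder' }, // duplicate kid
      { kty: 'EC', crv: 'secp256k1', kid: 'sig-2', x: 'placeholder', y: 'placeholder' },
    ],
  },
};

// The same deployment migrated to the v9 option names (also constructed).
const MIGRATED_CONFIG = {
  // `fetch` mirrors the fetch() call signature per the notes (assumed shape);
  // wrapping the global is where a per-request timeout or logging would go.
  fetch: (url, init) => globalThis.fetch(url, init),
  enableHttpPostMethods: true,
  cookies: { long: { sameSite: 'none' } },
  features: { dpop: { enabled: true }, requestObjects: { enabled: true } },
  pkce: { required: () => true }, // explicit: keep requiring PKCE for every client
  jwks: {
    keys: [
      { kty: 'OKP', crv: 'Ed25519', kid: 'sig-1', x: 'placeholder' },
      { kty: 'EC', crv: 'P-256', kid: 'sig-2', x: 'placeholder', y: 'placeholder' },
    ],
  },
};
```

Running `checkV9Config(LEGACY_CONFIG)` reports the four removed options, the enableHttpPostMethods/sameSite mismatch, the duplicate `sig-1` kid and the two unsupported curves, plus a notice that DPoP will now be on; `checkV9Config(MIGRATED_CONFIG)` is clean. Calling it on an empty object yields only notices, which is the case to watch for: a deployment that never set `cookies.long.sameSite`, `features.dpop` or `pkce` will change behaviour on upgrade without any error being raised.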

Repository owner locked and limited conversation to collaborators Apr 15, 2025
panva added 28 commits April 15, 2025 15:43
BREAKING CHANGE: removed support for Ed448
BREAKING CHANGE: removed support for X448
BREAKING CHANGE: removed support for secp256k1 / ES256K
BREAKING CHANGE: removed support for Node.js 18.x
BREAKING CHANGE: removed support for Node.js 20.x
…bjects.enabled

BREAKING CHANGE: Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
BREAKING CHANGE: global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.

BREAKING CHANGE: the httpOptions configuration option was removed and a new option to accommodate the use of the fetch() interface was added. This option is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
BREAKING CHANGE: CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id

BREAKING CHANGE: authorization code grant type issued ID Tokens no longer include at_hash

BREAKING CHANGE: device authorization grant type issued ID Tokens no longer include at_hash

BREAKING CHANGE: refresh token grant type issued ID Tokens no longer include at_hash

BREAKING CHANGE: implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
…erlying grant

BREAKING CHANGE: the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation; its default return remains false for this case, though
…r HSM

BREAKING CHANGE: the server's JWK Key IDs (JWK kid parameter) must now be unique; no two keys may use the same kid.
panva added 27 commits April 15, 2025 15:45
BREAKING CHANGE: the Provider no longer includes a catch-all 404 Not Found error handler
BREAKING CHANGE: all Provider routes will now end the HTTP request when finished; koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, while "upstream" control flows are unaffected
BREAKING CHANGE: removed the provider.Account getter
BREAKING CHANGE: default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
BREAKING CHANGE: accessing protected resources without an access token will now yield a 401 HTTP Status Code instead of a 400
BREAKING CHANGE: cookie session sameSite attribute default is now "lax" instead of "none"
…ut endpoints

BREAKING CHANGE: authorization and logout endpoints no longer support the HTTP POST method by default; this can be re-enabled using the `enableHttpPostMethods` boolean configuration, which also requires that cookies.long.sameSite is set to `none`
@panva panva merged commit 6fc1b4d into main Apr 15, 2025
46 checks passed
@panva panva deleted the v9.x-wip branch April 15, 2025 13:57