fix(deps): update dependency openid-client to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
openid-client	5.7.1 → 6.8.1

---

Release Notes

panva/openid-client (openid-client)

v6.8.1

Compare Source

Refactor

• workaround dpop nonce caching caveats with customFetch (a9eb50f)

v6.8.0

Compare Source

Features

• respect retry-after in CIBA and Device Authorization Grant polling (6ce3411)

Documentation

• remove mention of Edge Runtime from the readme (2e41ad5)

v6.7.1

Compare Source

Fixes

• passport: include req.host from express@​5 for ease of use in express@​4 (81f6c12)

v6.7.0

Compare Source

Features

• support for the ML-DSA Algorithm Identifiers (9543da5)

v6.6.4

Compare Source

Fixes

• recognize N_A in the token exchange grant (770b177)

v6.6.3

Compare Source

Documentation

• fix TokenEndpointResponseHelpers.claims() note (b77c786)

Refactor

• passport: allow custom logic to drive initiating auth requests (0b57115), closes #​811

v6.6.2

Compare Source

Fixes

• RFC8414: strip any terminating "/" when pathname is present (e884302)

v6.6.1

Compare Source

Refactor

• revert use 303 See Other for the redirect (54f2170)

v6.6.0

Compare Source

Features

• passport: automatically use form_post response mode when using hybrid response types (c9f2993)
• passport: easier way to use id_token_hint without overloads (afe24ae)
• passport: easier way to use login_hint without overloads (264db00)
• passport: easier way to use OAuth 2.0 Resource Indicators without overloads (7eb3076)
• passport: easier way to use OAuth 2.0 Rich Authorization Requests without overloads (af0f9d6)

Refactor

• passport: align use of callbackURL with other strategies and user expectations (333ad31)
• passport: use 303 See Other for the redirect (4004070)

Documentation

• passport: add clarity to oauth-specific AuthenticateOptions (dba27f3)
• passport: expand descriptions and structure (0a173ce)

v6.5.3

Compare Source

Fixes

• passport: handle JARM responses with authorizationCodeGrant instead of authorizationRequest (e734bec)

v6.5.2

Compare Source

Fixes

• passport: allow custom query params in the initial authenticate() invocation (deb9925)

v6.5.1

Compare Source

Documentation

• update implicitAuthentication and useIdTokenResponseType (4036242)
• use GitHub Flavored Markdown for notes and warnings (a2482c7)

Refactor

• use native Uint8Array<->base64 when available in the runtime (daf9118)

v6.5.0

Compare Source

Features

• support response_type=id_token OIDC Authentication Responses (94bba9d)

Fixes

• handle POST method Request inputs for non-hybrid responses (92faadc)

Documentation

• add WWW-Authenticate parameter descriptions and RS Metadata related parameters (38f3448)
• update implicitAuthentication and authorizationCodeGrant inline examples (b1f0a28)

v6.4.2

Compare Source

Documentation

• add more resources for DCR (e9b978d)
• hardcode spec revision links (e.g. final or errata) (afef152)

Fixes

• properly handle a number of edge-cases in www-authenticate header parsing (56f0ed1)

v6.4.1

Compare Source

Fixes

• allow client secret based auth factories to be used with DCR (d125b30)

v6.4.0

Compare Source

Features

• add support for Dynamic Client Registration (15f6953)

Fixes

• handle max_age=0 in buildAuthorizationUrlWithJAR() (5a5a7c9)

v6.3.4

Compare Source

Documentation

• bump typedoc (36e8714)

Refactor

• use subpath export for JWE decryption dependency (f8c39fc)

v6.3.3

Compare Source

v6.3.2

Compare Source

Documentation

• improve docs for default client authentication (3c9f0d9), closes #​761

v6.3.1

Compare Source

Refactor

• passport: allow dpop handle to be retrieved with an async function (4491f70)
• passport: bind authorization code to a DPoP Key (b536d0a)
• passport: use the supportsPKCE() metadata helper (e13fb37)

v6.3.0

Compare Source

Features

• add a helper to DPoPHandle to calculate dpop_jkt (e99a9d9)

Documentation

• add DPoP example (2fb51e1)
• reword buildAuthorizationUrl methods for more clarity (7e987d9)
• update CIBA docs (35ff0f5)
• update example diffs (2e152d9)
• update JWT Introspection Response references to RFC 9701 (d742709)
• update README.md (8dbb921)
• update README.md (546b651)

v6.2.0

Compare Source

Features

• add Client-Initiated Backchannel Authentication (fe6d996)

Documentation

• explain more discovery() behaviours (271ac5b)
• re-run docs (17b531a)
• update buildAuthorizationUrl parameters description (23fb405)
• update buildAuthorizationUrl parameters description (db9fd94)

Fixes

• types: fix typo in DeviceAuthorizationGrantPollOptions (d3629c9)

v6.1.7

Compare Source

Refactor

• types: move customFetch options into its own interface (57d8355)

v6.1.6

Compare Source

Fixes

• handle scope, prompt, and passReqToCallback from generic passport types (cc92a36), closes #​735

v6.1.5

Compare Source

Fixes

• passport: fix currentUrl when using express.Router (3b2d570), closes #​733

v6.1.4

Compare Source

Documentation

• resolve discovery customFetch jsdoc mentioning timeout (5f4cd1b)

v6.1.3

Compare Source

Documentation

• remove note from issuer transformation algorithm (5fda2cb)

Fixes

• deal with discovery issues from b2clogin.com (b9a4f2f), closes #​718

v6.1.2

Compare Source

Refactor

• rename the parameters positional argument in authorizationCodeGrant() (c79ccc5), closes #​712

Documentation

• document behaviour of customFetch on discovery (072da62)
• update Strategy.prototype.currentUrl JSDoc (46ea086), closes #​714

v6.1.1

Compare Source

Documentation

• update link to passport example (110575b)

Fixes

• correct supportsPKCE bool return (f1aa9db), closes #​710

v6.1.0

Compare Source

Features

• add a server metadata helper for checking PKCE support (ca34a91)
• add JWKS Cache management for use in non-persistent runtimes (cda4b53)

v6.0.0

Compare Source

⚠ BREAKING CHANGES

• openid-client v6.x is a complete rewrite of the openid-client module, this is the first time since 0.1.0 (8 years ago) that the API has drastically changed. The new module structure and API focuses on three core principles:

• runtime compatibility (adding support for Deno, Cloudflare Workers, Bun, and other Web API interoperable runtimes)
• tree-shakeability (bundles should not contain features that don't end up being used)
• less options (removing support for processing deprecated response types, cutting down on the number of combinations that need to handled)

To that end openid-client@​6 no longer supports the full cartesian matrix of response types and response modes, it no longer supports issuing encrypted assertions, decrypting assertions is limited to only a few algorithms, it no longer supports Dynamic Client Registration or Management, and Self-Issued OpenID Provider responses are also not supported.

The new API makes basic setups simple while allowing some degree of complexity where needed.

openid-client@​6 is an ESM module using ES2022 syntax and it depends on WebCryptoAPI and Fetch API globals being available in the JS runtime.

openid-client@​6 is written in TypeScript and its exported types come with comment annotations.

(Node.js) Versions 20.x and newer have all the necessary globals.

(Node.js) CJS style let client = require('openid-client') is possible in versions where process.features.require_module is true. This is a new Node.js feature slated to be released without a CLI flag in 23.x and 22.x

Documentation

• update (3b7e09d)
• update README.md (d142984)
• update README.md (13698a3)

Refactor

• openid-client@​6 (15890ff)

---

Configuration

📅 Schedule: Branch creation - "after 9pm,before 6am" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.