Skip to content

Latest commit

 

History

History
649 lines (300 loc) · 26.1 KB

CHANGELOG.md

File metadata and controls

649 lines (300 loc) · 26.1 KB

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.11.1 (2024-06-20)

Fixes

  • allow ID Token auth_time to be present even if client.require_auth_time is false (caa9ab3)

2.11.0 (2024-06-19)

Features

  • add experimental support for edge compute runtimes JWKS caching (15b7aff)

Refactor

  • update maxAge option type check error message (7fe3454)

Documentation

  • clarify documentation is more an API Reference (c96c8e0)
  • update example import (651e8ea)
  • updates for readability and consistency (b1b8b7d)

2.10.4 (2024-03-29)

Refactor

  • types: add explicit type to all exported functions (76e8d19)
  • types: add explicit type to all exported symbols (c66c595)
  • types: protectedResourceRequest method argument is just a string (a15d76c)

Documentation

  • mention RFC 6750 in validateJwtAccessToken (f61b68e), closes #115

2.10.3 (2024-02-07)

Refactor

  • make protectedResourceRequest headers argument optional (bcbc872)

Documentation

2.10.2 (2024-02-05)

Fixes

  • normalize authorization_details and max_age in issueRequestObject (f8d267e)

2.10.0 (2024-02-04)

Features

  • types: add interfaces for RFC 9396 (Rich Authorization Requests) (1c606ea)

Refactor

  • some biome identified smells and less non-null assertions (bc508f6)

Documentation

  • update customFetch and useMtlsAlias a bit (627e716)

Fixes

  • types: add missing and optional scope to interfaces (5dc6d17)

2.9.0 (2024-02-02)

Features

  • graduate recently added experimental features to stable API (94da0c9)

2.8.1 (2024-01-24)

Fixes

  • check that DPoP Proof iat is recent enough (a6159e3)

2.8.0 (2024-01-23)

Features

  • add experimental support for validating JWT Access Tokens (f65deae)

2.7.0 (2024-01-18)

Features

  • allow fragment response as URL in validateDetachedSignatureResponse (bcbe2f5)

2.6.0 (2024-01-11)

Features

  • add experimental support for FAPI 1.0 (6b6b496)

Refactor

  • reorganize experimental features (c8479b4)

Documentation

2.5.0 (2024-01-10)

Features

  • add experimental customize fetch option (e98c1aa), closes #94
  • add experimental support for mtls_endpoint_aliases (f1cb365)
  • allow all of HeadersInit for HttpRequestOptions.headers (a5fe73c)

Refactor

  • fetch url resolution and validation (b2e62a6)

Documentation

  • fix ToC anchors to symbol properties (ed01dcf)
  • return hierarchy to markdown docs (7d3b414)

2.4.5 (2024-01-09)

Fixes

  • DPoP: clockSkew in ProtectedResourceRequestOptions is a unique Symbol (1708f21)

Documentation

  • expose clock skew and tolerance documentation (2d90c49)

2.4.4 (2024-01-09)

Fixes

  • handle Response objects with empty string url in processDpopNonce (f2c9415)

2.4.3 (2024-01-06)

2.4.2 (2024-01-05)

Documentation

  • add distribution links to README.md (29bb947)

Fixes

  • encode client_secret_basic - _ . ! ~ * ' ( ) characters (f926175)

2.4.1 (2024-01-03)

Refactor

  • create Request instances before passing them to fetch (02ab110)
  • types: mark always lowercased values and keys as Lowercase (89e7a77)

Documentation

  • categorize APIs in docs/README.md (c28efda)
  • expose Indexed Access Types (54c4393)
  • update EdDSA description (9765e7a)

2.4.0 (2023-11-15)

Features

  • add the cause property to errors where possible (07c95f7)

Refactor

  • use AlgorithmIdentifier instead of Algorithm where possible (e2ae2f3)

Fixes

  • base64url decode errors are OperationProcessingError (7f4a878)

2.3.0 (2023-04-26)

Features

  • allow Record<string, string> and string[][] as parameter arguments (021b85f)

2.2.4 (2023-04-24)

Refactor

  • brand URLSearchParams instead of extending URLSearchParams (8e62c8a)

2.2.3 (2023-04-21)

2.2.2 (2023-04-21)

Refactor

  • types: enforce flat interfaces (c958d61)

2.2.1 (2023-04-13)

Fixes

  • return undefined from getValidatedIdTokenClaims as documented (678b12d)

2.2.0 (2023-03-10)

Features

  • allow the client's assumed current time to be adjusted (5051a5d), closes #49 #50
  • allow the client's DateTime claims tolerance to be adjusted (3936a56), closes #49 #50

2.1.0 (2023-02-09)

Features

  • add more asymmetric JWS algorithms (af43ec7)

2.0.6 (2022-12-16)

Fixes

  • build: fixup user agent version after version bump (e1c3ed8)

2.0.5 (2022-12-11)

2.0.4 (2022-11-27)

Refactor

  • weak maps instead of symbols (e551edc)

2.0.3 (2022-11-25)

Fixes

  • omit zealous response cloning() to reduce edge compute memory bills (a785223), closes #37

2.0.1 (2022-11-21)

Fixes

  • claims parameter encoding in issued request objects (3eb165a)

Performance

  • cache public DPoP CryptoKey's JWK representation for re-use (2858d06)

2.0.0 (2022-11-20)

⚠ BREAKING CHANGES

  • Use the TLS server validation in processAuthorizationCodeOpenIDResponse to validate the issuer instead of checking the ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processDeviceCodeResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processIntrospectionResponse to validate the issuer instead of checking the optional JWT Introspection Response signature. The function's options argument was removed.
  • Use the TLS server validation in processRefreshTokenResponse to validate the issuer instead of checking the optional ID Token's signature. The function's options argument was removed.
  • Use the TLS server validation in processUserInfoResponse to validate the issuer instead of checking the optional JWT UserInfo Response signature. The function's options argument was removed.
  • PAR w/ DPoP no longer automatically adds dpop_jkt to the authorization request.
  • Removed calculateJwkThumbprint function export.
  • Removed jwksRequest function export.
  • Removed processJwksResponse function export.

Refactor

  • remove ignored and unused exports (4a545df)
  • use TLS server validation instead of jwt signature validations (f728110)

1.4.1 (2022-11-20)

Refactor

  • deno: add mod.ts to deno.land/x (0778278)
  • use RsaHashedKeyAlgorithm in checkRsaKeyAlgorithm (94aa31c)

1.4.0 (2022-11-08)

Features

  • add bun as a supported runtime (707efd1)

1.3.0 (2022-10-31)

Features

  • allow to skip JWT signature validation on select responses (44d9114)

1.2.2 (2022-10-20)

Refactor

  • add a type check on AbortSignal (b013fef)
  • align argument and function names in assert functions (8ea65f6)
  • update "as" error messages (3e894f5)

1.2.1 (2022-10-10)

1.2.0 (2022-09-14)

Features

  • add experimental EdDSA (Ed25519) JWS algorithm support (f70d4d5)

1.1.4 (2022-08-26)

Fixes

  • typescript: resolve ts4.8 issue (572c6de)

1.1.3 (2022-07-20)

1.1.2 (2022-07-12)

1.1.1 (2022-07-04)

Fixes

  • processing pure oauth2 code response ignores invalid ID tokens (282705a)

1.1.0 (2022-06-28)

Features

  • allow AbortSignal-returning function as well as an instance (90d21b8)

1.0.5 (2022-06-17)

Fixes

  • allow zero-length scope in token endpoint responses (#15) (d54c821)

1.0.4 (2022-06-09)

Fixes

  • do not set a user-agent in CORS-enabled runtimes (8899a6b), closes #13

1.0.3 (2022-05-23)

Fixes

  • skip recalculating dpop_jkt in PAR if already set (9499ccd)

1.0.2 (2022-05-19)

1.0.1 (2022-05-18)

Fixes

  • reject unsupported token_type values (3d2cc0c)

1.0.0 (2022-05-13)

0.9.0 (2022-05-13)

⚠ BREAKING CHANGES

  • types: rename TokenEndpointAuthMethod type to ClientAuthenticationMethod

Refactor

  • types: rename TokenEndpointAuthMethod type to ClientAuthenticationMethod (6028fd8)

0.8.0 (2022-05-06)

⚠ BREAKING CHANGES

  • getValidatedIdTokenClaims throws if ref isnt weak referenced
  • remove client_secret_jwt

Refactor

  • getValidatedIdTokenClaims throws if ref isnt weak referenced (1ee5485)
  • remove client_secret_jwt (7611169)

0.7.0 (2022-05-05)

⚠ BREAKING CHANGES

  • ensure supported key in calculateJwkThumbprint
  • clientCredentialsGrantRequest now requires parameters

Features

  • explicitly add dpop_jkt to par request when using dpop (e6acd99)

Refactor

  • clientCredentialsGrantRequest now requires parameters (76e4fea)
  • ensure supported key in calculateJwkThumbprint (540f6cf)

0.6.4 (2022-05-04)

Features

  • add utility for calculating dpop_jkt from a crypto key (045dd10)

0.6.3 (2022-05-04)

0.6.2 (2022-05-03)

Features

  • add utility for generating crypto key pairs (d8f3e90)

0.6.1 (2022-05-02)

Fixes

  • types: validateJwtAuthResponse expectedState is optional (e618089)

0.6.0 (2022-04-28)

⚠ BREAKING CHANGES

  • remove encrypted JAR support

Refactor

  • remove encrypted JAR support (4352049)

Fixes

  • remove sub from request object (41d49fa)
  • signed userinfo aud and iss expected values (38edd37)

0.5.2 (2022-04-27)

Features

  • force jwks refetch every 10 minutes (ae35bae)

Fixes

  • correct jwks refetch minimal interval (8af6f85)

0.5.1 (2022-04-27)

Fixes

  • assert no client private key is provided unless needed (ac6be64)
  • assert no client secret is provided unless needed (604d8f3)
  • ensure issueRequestObject does not mutate input parameters (7b62b82)

0.5.0 (2022-04-27)

⚠ BREAKING CHANGES

  • deno: support deno ^1.21.0 (removed 1.20.x from CI)
  • types: rename SignalledRequestOptions interface to HttpRequestOptions

Features

  • option to add headers to http requests (94a2ecb)

Refactor

  • deno: support deno ^1.21.0 (removed 1.20.x from CI) (764db58)
  • types: rename SignalledRequestOptions interface to HttpRequestOptions (e4058d8)

0.4.0 (2022-04-25)

⚠ BREAKING CHANGES

  • trim down the supported JOSE algorithms

Refactor

  • trim down the supported JOSE algorithms (3a9e9a5)

0.3.3 (2022-04-14)

0.3.2 (2022-04-11)

Features

  • allow all key inputs to be CryptoKey instances (f405719)

0.3.1 (2022-04-10)

0.3.0 (2022-04-10)

⚠ BREAKING CHANGES

  • types: force types without string defaults

Refactor

  • types: force types without string defaults (188b252)

0.2.2 (2022-04-07)

Features

0.2.1 (2022-04-05)

0.2.0 (2022-04-01)

⚠ BREAKING CHANGES

  • ensure 2048 RSA keys are used for RSA-OAEP too

Fixes

  • ensure 2048 RSA keys are used for RSA-OAEP too (f4eda79)

0.1.0 (2022-04-01)

⚠ BREAKING CHANGES

  • ensure 2048 RSA keys are used

Fixes

  • ensure 2048 RSA keys are used (ad707c0)

0.0.11 (2022-04-01)

0.0.10 (2022-03-29)

Fixes

  • remove off-spec "default optional JWT typ" checks (34e524a)

0.0.9 (2022-03-28)

Fixes

  • normalize jwt typ when one is expected (e161ee3)

0.0.8 (2022-03-28)

0.0.7 (2022-03-23)

0.0.6 (2022-03-18)

0.0.5 (2022-03-17)

Fixes

  • jarm: correct message when jarm response is passed to validateAuthResponse (9ef7ce8)

0.0.4 (2022-03-17)

0.0.3 (2022-03-16)

Features

  • client_secret_jwt authentication method (93fc723)

Fixes

  • typescript: allow any string into "alg" and "enc" client fields (e6a8649)

0.0.2 (2022-03-16)

Fixes

  • set a proper user-agent string (1fbb173)

0.0.1 (2022-03-16)