v3.0.3

• all options passed to defaultHttpOptions now also reach request when #useRequest() is used
• fixed a case when RS256 key presence check was wrongly omitted during #initialize()
• fixed client jwks_uri refresh error to be invalid_client_metadata and propagated to the client

v3.0.2

• base64url dependency replaced with base64-url

v3.0.1

only dependency tree updates

v3.0.0

• fixed client_secret_basic requiring the username and password tokens to be x-www-form-urlencoded according to https://tools.ietf.org/html/rfc6749#section-2.3.1

NOTE: Although technically a fix, this is a breaking change for clients with client secrets that need to be encoded according to the standard and don't currently do so. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). This is only becoming apparent for client ids and secrets with special characters that need encoding. Update with care, if you have client identifiers or secrets with special characters that need encoding and they worked before, they will not anymore and you should reach out to your client maintainers to fix how client_secret_basic is submitted.

v2.18.2

• republished 2.18.0 following deprecation of 2.18.1

v2.18.0

• added ctx.oidc.entities with all loaded model/entity instances during a given request
• added cookies.keys configuration option for KeyGrip key app passthrough
• added #provider.setProviderSession for setting provider session from outside of a regular context
• deprecated #provider.setSessionAccountId in favor of #provider.setProviderSession

v2.17.0

• fixed alternative verb routes to be named as well
• fixed default interactionCheck passing /resume when users click cancel or just navigate back to auth resume route
• added client_update and client_delete as named routes
• added extraClientMetadata configuration option that allows for custom client properties as well as for additional validations for existing properties to be defined
• when provider is configured with only pairwise subject type support then it is the client default and does not have to be explicitly provided anymore

v2.16.0

• supported PKCE code challenge methods are now configurable, use to i.e. disable plain for stricter OIDC profiles and new deployments where legacy clients without S256 support aren't to be expected.
• added configuration validations for subjectTypes and pkce supportedMethods

v2.15.0

• add provider.use((ctx, next) => {}) middleware support
• add provider.listen(port_or_socket)
• add attribute delegates proxy, keys, env, subdomainOffset from provider to the underlying koa app
• updated docs

v2.14.1

• bumped minimal debug dependency version due to its found vulnerability in lesser versions
• adjusted documentation on refreshTokenRotation configuration option
• adjusted documentation on TLS offloading