
fix(deps): update dependency oidc-provider to v8 #360

Conversation

renovate[bot]

@renovate renovate bot commented Dec 3, 2022

This PR contains the following updates:

Package                         Change
oidc-provider                   ^7.11.1 -> ^8.0.0
@types/oidc-provider (source)   7.14.0 -> 8.5.2

Release Notes

panva/node-oidc-provider (oidc-provider)

v8.5.2

Refactor
  • remove use of node:url in favour of WHATWG URL (0dc59a1)
Documentation

v8.5.1

Documentation
Refactor
  • build: export Provider also as a named export (083c7c4)

v8.5.0

Features
  • add a Client static validate() method (d1f7d73)
  • add a helper allowing custom claims parameter validations (ec2a1f5)
  • add experimental support for RFC9396 - Rich Authorization Requests (e9fb573)
  • add response_modes client metadata allow list (76f9af0)
  • allow extraParams to define validations for extra parameters (b7d3322)
  • DPoP: add a setting to disable DPoP Proof Replay Detection (2744fc8)
  • DPoP: send a dpop-nonce when the proof's iat check fails and nonces are configured but not required (1b073c0)
  • FAPI: add FAPI 2.0 profile behaviours (5212609)
  • JAR: add a helper allowing custom JWT claim and header validations (be9242a)
  • PAR: add a setting to allow use of unregistered redirect_uri values (a7e73fa)
  • update Web Message Response Mode and remove its Relay Mode (a91add8)
Fixes
  • DPoP,mTLS: reject client configuration in which binding is required but response types include an implicit token response (cd7e0f4)
Refactor
  • deprecate FAPI 1.0 ID2, lax request objects, plain PKCE (3e8a784)
  • don't use overwrite cookie option by default (dfbcb94)
  • DPoP: move the accepted timespan into a constant (a8e8006)
  • DPoP: omit sending the dpop-nonce header if the existing one used is fresh (4d635e2)
  • ensure param-assigned max_age from client.defaultMaxAge is a string (0c52469)
  • FAPI: deprecate FAPI profile hardcoded PKCE checks (56641ec)
  • JAR: authorization requests with JAR now require a client_id parameter (9131cd5)
  • JAR: Request Objects are no longer checked for one time use (18efa70)
  • PAR: consume PAR after user interactions instead of before (53babe6)
  • store claims value parsed in non-JAR PAR (9cd865b)
  • use invalid_request instead of unauthorized_client (7947d87)

v8.4.7

Fixes
  • include ID Token auth_time when client's default_max_age is zero (bebda04)

v8.4.6

Documentation
  • adds events and debugging recipe (#1246) (0bf7696)
  • fix client_secret_basic special characters encoding example (73baae1)
  • re-run update docs (99cc84a)
Refactor
  • avoid resource iteration in client_credentials (e306640)
  • avoid use of prototype attributes in object-hash (270af1d)
  • use logical or assignment (8f55588)
Fixes
  • ensure each individual resource indicator is a valid URI (d9e1ad2)

v8.4.5

Refactor
  • use doc argument in web_message js code (da3198b)
Fixes
  • add missing opening html tags (23997c5)
  • DPoP: mark defaulted dpop_jkt parameter as trusted (ee633f3)

v8.4.4

Refactor
  • test decoded basic auth tokens for their VSCHAR pattern (3f86cc0)
Fixes
  • DPoP,PAR,JAR: validate DPoP before invalidating JAR during PAR (ca0f999)

v8.4.3

v8.4.2

Fixes

v8.4.1

v8.4.0

Features
  • DPoP: remove experimental flag, DPoP is now RFC9449 (89d133e)

v8.3.2

Fixes
  • assign extraTokenClaims return to the model (e296dc7)

v8.3.1

Fixes
  • DPoP: compare htu scheme and hostname case independent (b72d668)

v8.3.0

Features
  • allow specifying the user-agent header for outgoing requests (95f24ef)

v8.2.2

Fixes

v8.2.1

Fixes
  • ignore post_logout_redirect_uris when logout is disabled (#1221) (d7dd6cf)

v8.2.0

Features

v8.1.2

v8.1.1

v8.1.0

Features
  • mTLS.getCertificate helper can return a X509Certificate object (be3f47f)

v8.0.0

⚠ BREAKING CHANGES
  • Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the clockTolerance configuration option.
  • The userinfo endpoint will no longer echo back x-fapi-interaction-id headers. This can be reverted using a custom pre-middleware.
  • request_uri parameter is no longer supported at the Device Authorization Endpoint.
  • The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set features.requestObjects.requireSignedRequestObject to true as a global policy or set require_signed_request_object or backchannel_authentication_request_signing_alg client metadata.
  • PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both features.pushedAuthorizationRequests and features.requestObjects.request.
  • CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both features.ciba and features.requestObjects.request.
  • Pushed Authorization Requests (PAR) are now enabled by default. This can be reverted using the features.pushedAuthorizationRequests.enabled configuration option.
  • Completely removed v6.x way of setting access token formats.
  • expiresWithSession() for access tokens issued by the authorization endpoint will now only be invoked for opaque format access tokens.
  • Default allowed DPoP signing algorithms are now just ES256 and EdDSA. RSA algorithms not allowed by default. This can be reverted using the enabledJWA.dPoPSigningAlgValues configuration option.
  • Omitting a redirect_uri parameter when a single one is registered is now enabled by default (again). This can be reverted using the allowOmittingSingleRegisteredRedirectUri configuration option.
  • features.fapi.profile is now a required configuration option when features.fapi.enabled is true.
  • id_token_signed_response_alg now must be set when id_token_encrypted_response_alg is also set on a client.
  • userinfo_signed_response_alg now must be set when userinfo_encrypted_response_alg is also set on a client.
  • introspection_signed_response_alg now must be set when introspection_encrypted_response_alg is also set on a client.
  • authorization_signed_response_alg now must be set when authorization_encrypted_response_alg is also set on a client.
  • The RSA1_5 JWE Key Management Algorithm, which was previously disabled by default, is now completely removed.
  • request_uri parameter support is now disabled by default. This can be reverted using the features.requestObjects.requestUri configuration option.
  • httpOptions return property lookup was renamed to dnsLookup.
  • httpOptions return property timeout was removed, return an AbortSignal instance as signal property instead.
  • oidc-provider is now an ESM-only module, it must now be imported using the import declaration or the import() syntax, the Provider constructor is the module's default export, the errors and interactionPolicy exports are the package's named exports. There is no Provider named export.
  • httpOptions no longer defaults to using the npm module cacheable-lookup as its dnsLookup option. It defaults to node:dns module's lookup export instead.
  • PASETO Access Token format support was removed.
  • Removed support for Node.js 12.
  • Removed support for Node.js 14.
  • Removed support for Node.js 16.
  • Node.js LTS 18 (^18.12.0) is now required.
  • Default Authorization Code duration is now 60 seconds instead of 10 minutes. This can be reverted using the ttl.AuthorizationCode configuration option.
  • Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the features.requestObjects.mode configuration option.
  • The "none" JWS algorithm, which was previously disabled by default, is now completely removed.
  • The PBKDF2 based JWE Key Management Algorithms, which were previously disabled by default, are now completely removed.
  • The client registration management update action now rotates registration access tokens by default. This can be reverted using the features.registrationManagement.rotateRegistrationAccessToken configuration option.
  • It is no longer possible to pass Bearer tokens using the access_token query string parameter. This can be reverted using the acceptQueryParamAccessTokens configuration option.
  • The tokenEndpointAuthMethods configuration method was renamed to clientAuthMethods.
  • The enabledJWA.tokenEndpointAuthSigningAlgValues configuration method was renamed to enabledJWA.clientAuthSigningAlgValues.
  • The non-standard introspection_endpoint_auth_method, and introspection_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
  • The non-standard revocation_endpoint_auth_method, and revocation_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the revocation endpoint. The accompanying JWA and authentication methods configuration properties were also removed.
Features
  • add UnmetAuthenticationRequirements error (3f6684a)
  • bump DPoP to draft-11 (917507f)
  • support DPoP nonces (8d82988)
Performance
Refactor
  • change default on allowOmittingSingleRegisteredRedirectUri (d41bb0f)
  • check request_uri_not_supported early (57b39a2)
  • CIBA and PAR do not automatically turn on JAR (089fa43)
  • Completely removed v6.x way of setting access token formats. (a2cf235)
  • default code ttl down from 10 minutes down to 1 minute (f770e2d)
  • default dPoPSigningAlgValues changed (9859969)
  • default JAR mode is now strict instead of lax (cef63b6)
  • disable query string bearer by default (059557b)
  • disable request_uri support by default (3575584)
  • enable PAR by default (4272027)
  • expiresWithSession on authorization endpoint access tokens (cb67083)
  • oidc-provider is now an ESM-only module (3c5ebe1)
  • PBKDF2 JWE encryption algorithms are no longer supported (868ab2f)
  • redo fapi profile checks, remove x-fapi-headers nonsense (7cf031a)
  • remove default from FAPI profile configuration (0f93b8c)
  • remove introspection and revocation client metadata (a6433d0)
  • removed default outgoing cacheable-lookup use (7c10920)
  • removed optional "none" JWS algorithm support (e654fe6)
  • removed PASETO access token format support (079e2f2)
  • removed support for issuing "cty": "json" JWEs (b4b837b)
  • renamed client auth related configuration (b8e8ce9)
  • require Node.js LTS 18 (ff26cf6)
  • rotated registration management access tokens by default (2eb5c63)
  • RSA1_5 JWE encryption algorithm is no longer supported (a967a4e)
  • set default clock skew tolerance to 15 seconds (42c00da)
  • update http request options (2fd5eda)

v7.14.3

Fixes
  • memory adapter grant references for intended models (357ced3)

v7.14.2

Fixes
  • build client symmetric keys from all client signing alg properties (a26f87d)

v7.14.1

Fixes
  • url encode client_id returned in registration responses (500dfeb)

v7.14.0

Features
  • graduate jwtResponseModes (JARM) feature as stable (7b878cd)

v7.13.0

Features
  • enable v18 LTS in package.json (e423b4d)

v7.12.0

Features
  • graduate backchannelLogout feature as stable (617e260)
Fixes
  • ignore instead of throw on unverified post_logout_redirect_uri (04b1096)

v7.11.5

Fixes
  • PAR: set additional stored PAR object properties on plain requests (1be15fa)
  • PAR: skip stored PAR object alg validation when it's being used (406caa4)

v7.11.4

Fixes

v7.11.3

Fixes

v7.11.2

Fixes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.
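The v8.0.0 breaking changes above rename several client-auth settings, remove weak JWAs and per-endpoint client metadata, and tighten a number of defaults. The helper below is an added example, not code from this PR or from oidc-provider itself: it rewrites a v7-style configuration object (the one passed to `new Provider(issuer, configuration)`) into v8 shape and lists the changed defaults the old config silently relied on. The `migrateToV8` name and the assumption that `httpOptions` returns a plain object are mine.

```javascript
// Added example (not code from this PR or from oidc-provider): rewrite a v7-style
// oidc-provider configuration object into v8 shape per the v8.0.0 breaking changes
// above, and record which security-relevant defaults now differ from v7.
// JWAs v8 removes outright: the "none" JWS alg, RSA1_5 and the PBKDF2-based JWE algs.
const REMOVED_JWA = new Set(['none', 'RSA1_5', 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW']);
// Non-standard per-endpoint client auth metadata that v8 no longer accepts.
const REMOVED_CLIENT_METADATA = ['introspection_endpoint_auth_method', 'introspection_endpoint_auth_signing_alg',
  'revocation_endpoint_auth_method', 'revocation_endpoint_auth_signing_alg'];

function migrateToV8(v7) {
  const cfg = { ...v7 }; // shallow copy: the input object is left untouched
  const notes = [];
  // 1. Renamed client authentication settings.
  if (cfg.tokenEndpointAuthMethods) {
    cfg.clientAuthMethods = cfg.tokenEndpointAuthMethods;
    delete cfg.tokenEndpointAuthMethods;
  }
  if (v7.enabledJWA) {
    const { tokenEndpointAuthSigningAlgValues: authAlgs, ...rest } = v7.enabledJWA;
    cfg.enabledJWA = authAlgs ? { ...rest, clientAuthSigningAlgValues: authAlgs } : rest;
    // 2. Strip the removed algorithms from every enabledJWA list.
    for (const [name, algs] of Object.entries(cfg.enabledJWA)) {
      if (Array.isArray(algs)) cfg.enabledJWA[name] = algs.filter((a) => !REMOVED_JWA.has(a));
    }
  }
  // 3. token_endpoint_auth_method now also governs introspection and revocation.
  cfg.clients = (v7.clients ?? []).map((c) => {
    const client = { ...c };
    for (const key of REMOVED_CLIENT_METADATA) {
      if (key in client) { delete client[key]; notes.push(`${client.client_id}: dropped ${key}`); }
    }
    return client;
  });
  // 4. httpOptions: `lookup` is now `dnsLookup`; `timeout` must become an AbortSignal.
  if (typeof v7.httpOptions === 'function') { // assumes the v7 function returns a plain object
    cfg.httpOptions = (...args) => {
      const { lookup, timeout, ...o } = v7.httpOptions(...args);
      if (lookup !== undefined) o.dnsLookup = lookup;
      if (timeout !== undefined) o.signal = AbortSignal.timeout(timeout); // Node 18+, as v8 requires
      return o;
    };
  }
  // 5. Changed defaults, noted only where the v7 config relied on the old default.
  if (cfg.clockTolerance === undefined) notes.push('clockTolerance: default 0 s -> 15 s');
  if (cfg.ttl?.AuthorizationCode === undefined) notes.push('ttl.AuthorizationCode: default 10 min -> 60 s');
  if (cfg.acceptQueryParamAccessTokens === undefined) notes.push('access_token query parameter: now rejected');
  if (cfg.enabledJWA?.dPoPSigningAlgValues === undefined) notes.push('DPoP signing algs: now ES256 and EdDSA only');
  if (cfg.features?.requestObjects?.mode === undefined) notes.push('request objects: default mode now strict (RFC 9101)');
  if (cfg.features?.pushedAuthorizationRequests?.enabled === undefined) notes.push('PAR: now enabled by default');
  return { config: cfg, notes };
}
```

Review the returned notes before deploying: each one is a default that got stricter, so a relying party that depended on the old behaviour (for example sending access tokens in the query string) will start failing after the upgrade.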

@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch 15 times, most recently from cec265b to 2b7f1ec Compare December 10, 2022 23:46
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch 12 times, most recently from 7f14437 to 537987b Compare December 17, 2022 05:46
@renovate renovate bot changed the title fix(deps): update dependency oidc-provider to v8 Update dependency oidc-provider to v8 Dec 17, 2022
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 537987b to f78391e Compare December 17, 2022 16:12
@renovate renovate bot changed the title Update dependency oidc-provider to v8 fix(deps): update dependency oidc-provider to v8 Dec 17, 2022
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch 12 times, most recently from 4c2eba2 to 1f58d49 Compare February 14, 2023 05:36
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch 6 times, most recently from e9cc6c8 to 3f92134 Compare February 17, 2023 12:49
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 3f92134 to 4f4270e Compare April 13, 2023 10:11
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 4f4270e to ccf5042 Compare May 28, 2023 11:10
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch 2 times, most recently from 58cb98e to 0e58d4f Compare September 8, 2023 09:17
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 0e58d4f to c243e9f Compare October 18, 2023 10:25
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from c243e9f to 7218899 Compare November 7, 2023 13:53
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 7218899 to 7785559 Compare November 22, 2023 03:44
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 7785559 to 6e118d4 Compare February 11, 2024 16:53
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch 2 times, most recently from db02c03 to 40a3c88 Compare July 3, 2024 12:39
@renovate renovate bot force-pushed the renovate/oidc-provider-8.x branch from 40a3c88 to ad555c4 Compare August 15, 2024 13:25