Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

ether-node-openid-client

ether292MIT6.0.2TypeScript support: included

OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs

auth, authentication, basic, certified, client, connect, dynamic, electron, hybrid, identity, implicit, oauth, oauth2, oidc, openid, passport, relying party, strategy

readme

openid-client

openid-client is a server side OpenID Relying Party (RP, Client) implementation for Node.js runtime, supports passport.

Implemented specs & features

The following client/RP features from OpenID Connect/OAuth2.0 specifications are implemented by openid-client.

Updates to draft specifications are released as MINOR library versions, if you utilize these specification implementations consider using the tilde ~ operator in your package.json since breaking changes may be introduced as part of these version updates.

Certification

OpenID Certification
Filip Skokan has certified that openid-client conforms to the following profiles of the OpenID Connect™ protocol

  • Basic, Implicit, Hybrid, Config, Dynamic, and Form Post RP
  • FAPI 1.0 Advanced RP

auth0-logo If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan. Create an Auth0 account; it's free!

Support

If you or your business use openid-client, please consider becoming a sponsor so I can continue maintaining it and adding new features carefree.

Documentation

The library exposes what are essentially steps necessary to be done by a relying party consuming OpenID Connect Authorization Server responses or wrappers around requests to its endpoints. Aside from a generic OpenID Connect passport strategy it does not expose any framework specific middlewares. Those can however be built using the exposed API, one such example is express-openid-connect

Install

Node.js LTS releases Codename Erbium and newer LTS releases are supported.

npm install openid-client

Note: Other javascript runtimes are not supported. I recommend panva/oauth4webapi, or a derivate thereof, if you're looking for a similarly compliant and certified client software that's not dependent on the Node.js runtime builtins.

Quick start

Discover an Issuer configuration using its published .well-known endpoints

import { Issuer } from 'openid-client';

const googleIssuer = await Issuer.discover('https://accounts.google.com');
console.log('Discovered issuer %s %O', googleIssuer.issuer, googleIssuer.metadata);

Authorization Code Flow

Authorization Code flow is for obtaining Access Tokens (and optionally Refresh Tokens) to use with third party APIs securely as well as Refresh Tokens. In this quick start your application also uses PKCE instead of state parameter for CSRF protection.

Create a Client instance for that issuer's authorization server intended for Authorization Code flow.

See the documentation for full API details.

const client = new googleIssuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  client_secret: 'TQV5U29k1gHibH5bx1layBo0OSAvAbRT3UYW3EWrSYBB5swxjVfWUa1BS8lqzxG/0v9wruMcrGadany3',
  redirect_uris: ['http://localhost:3000/cb'],
  response_types: ['code'],
  // id_token_signed_response_alg (default "RS256")
  // token_endpoint_auth_method (default "client_secret_basic")
}); // => Client

When you want to have your end-users authorize you need to send them to the issuer's authorization_endpoint. Consult the web framework of your choice on how to redirect but here's how to get the authorization endpoint's URL with parameters already encoded in the query to redirect to.

import { generators } from 'openid-client';
const code_verifier = generators.codeVerifier();
// store the code_verifier in your framework's session mechanism, if it is a cookie based solution
// it should be httpOnly (not readable by javascript) and encrypted.

const code_challenge = generators.codeChallenge(code_verifier);

client.authorizationUrl({
  scope: 'openid email profile',
  resource: 'https://my.api.example.com/resource/32178',
  code_challenge,
  code_challenge_method: 'S256',
});

When end-users are redirected back to your redirect_uri your application consumes the callback and passes in the code_verifier to include it in the authorization code grant token exchange.

const params = client.callbackParams(req);
const tokenSet = await client.callback('https://client.example.com/callback', params, { code_verifier });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims());

You can then call the userinfo_endpoint.

const userinfo = await client.userinfo(access_token);
console.log('userinfo %j', userinfo);

And later refresh the tokenSet if it had a refresh_token.

const tokenSet = await client.refresh(refresh_token);
console.log('refreshed and validated tokens %j', tokenSet);
console.log('refreshed ID Token claims %j', tokenSet.claims());

Implicit ID Token Flow

Implicit response_type=id_token flow is perfect for simply authenticating your end-users, assuming the only job you want done is authenticating the user and then relying on your own session mechanism with no need for accessing any third party APIs with an Access Token from the Authorization Server.

Create a Client instance for that issuer's authorization server intended for ID Token implicit flow.

See the documentation for full API details.

const client = new googleIssuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  redirect_uris: ['http://localhost:3000/cb'],
  response_types: ['id_token'],
  // id_token_signed_response_alg (default "RS256")
}); // => Client

When you want to have your end-users authorize you need to send them to the issuer's authorization_endpoint. Consult the web framework of your choice on how to redirect but here's how to get the authorization endpoint's URL with parameters already encoded in the query to redirect to.

import { generators } from 'openid-client';
const nonce = generators.nonce();
// store the nonce in your framework's session mechanism, if it is a cookie based solution
// it should be httpOnly (not readable by javascript) and encrypted.

client.authorizationUrl({
  scope: 'openid email profile',
  response_mode: 'form_post',
  nonce,
});

When end-users hit back your redirect_uri with a POST (authorization request included form_post response mode) your application consumes the callback and passes the nonce in to include it in the ID Token verification steps.

// assumes req.body is populated from your web framework's body parser
const params = client.callbackParams(req);
const tokenSet = await client.callback('https://client.example.com/callback', params, { nonce });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims());

Device Authorization Grant (Device Flow)

RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow) is started by starting a Device Authorization Request.

const handle = await client.deviceAuthorization();
console.log('User Code: ', handle.user_code);
console.log('Verification URI: ', handle.verification_uri);
console.log('Verification URI (complete): ', handle.verification_uri_complete);

The handle represents a Device Authorization Response with the verification_uri, user_code and other defined response properties.

You will display the instructions to the end-user and have him directed at verification_uri or verification_uri_complete, afterwards you can start polling for the Device Access Token Response.

const tokenSet = await handle.poll();
console.log('received tokens %j', tokenSet);

This will poll in the defined interval and only resolve with a TokenSet once one is received. This will handle the defined authorization_pending and slow_down "soft" errors and continue polling but upon any other error it will reject. With tokenSet received you can throw away the handle.

Client Credentials Grant Flow

Client Credentials flow is for obtaining Access Tokens to use with third party APIs on behalf of your application, rather than an end-user which was the case in previous examples.

See the documentation for full API details.

const client = new issuer.Client({
  client_id: 'zELcpfANLqY7Oqas',
  client_secret: 'TQV5U29k1gHibH5bx1layBo0OSAvAbRT3UYW3EWrSYBB5swxjVfWUa1BS8lqzxG/0v9wruMcrGadany3',
});

const tokenSet = await client.grant({
  resource: 'urn:example:third-party-api',
  grant_type: 'client_credentials'
});

FAQ

Semver?

Yes. Everything that's either exported in the TypeScript definitions file or documented is subject to Semantic Versioning 2.0.0. The rest is to be considered private API and is subject to change between any versions.

How do I use it outside of Node.js

It is only built for Node.js. Other javascript runtimes are not supported. I recommend panva/oauth4webapi, or a derivate thereof, if you're looking for a similarly compliant and certified client software that's not dependent on the Node.js runtime builtins.

How to make the client send client_id and client_secret in the body?

See Client Authentication Methods (docs).

Can I adjust the HTTP timeout?

See Customizing (docs).

changelog

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.6.5 (2024-03-07)

Refactor

  • avoid use of prototype attributes in keystore queries (#660) (47a549c)

5.6.4 (2024-01-06)

5.6.3 (2024-01-05)

Fixes

  • encode client_secret_basic - _ . ! ~ * ' ( ) characters (5a2ea80)

5.6.2 (2023-12-22)

Refactor

Fixes

  • add explicit Accept-Encoding header to http requests (abcb564), closes #648

5.6.1 (2023-10-11)

Fixes

  • consistent space encoding in authorizationUrl (#627) (ad68223), closes #626

5.6.0 (2023-10-03)

Features

5.5.0 (2023-09-08)

Features

  • DPoP: remove experimental warning, DPoP is now RFC9449 (133a022)

5.4.3 (2023-07-06)

Fixes

  • handle empty client_secret with basic and post client auth (#610) (402c711), closes #609

5.4.2 (2023-04-25)

Fixes

5.4.1 (2023-04-21)

5.4.0 (2023-02-05)

Features

  • allow third party initiated login requests to trigger strategy (568709a), closes #510 #564

5.3.4 (2023-02-02)

Fixes

  • regression introduced in v5.3.3 (4f6e847)

5.3.3 (2023-02-02)

Refactor

5.3.2 (2023-01-20)

Fixes

  • passport: ignore static state and nonce passed to Strategy() (#556) (43daff3)

5.3.1 (2022-11-28)

Fixes

  • typescript: requestResource returns a Promise (#546) (8bc9519), closes #488

5.3.0 (2022-11-09)

Features

  • JARM is now a stable feature (10e3a37)

5.2.1 (2022-10-20)

Fixes

  • typescript: add client_id and logout_hint to EndSessionParameters (b7b5438)

5.2.0 (2022-10-19)

Features

  • add client_id to endSessionUrl query strings (6fd9350)

Fixes

  • allow endSessionUrl defaults to be overriden (7cc2402)

5.1.10 (2022-09-28)

Refactor

  • engines: remove package.json engines restriction (9aefba3)

5.1.9 (2022-08-23)

Fixes

  • safeguard TokenSet prototype methods (7468674), closes #511

5.1.8 (2022-07-04)

Fixes

  • ignore non-conform "unrecognized" id_token in oauthCallback() (3425110), closes #503

5.1.7 (2022-06-25)

Fixes

  • improve support of electron BrowserWindow with nodeIntegration (9e5ea0f)

5.1.6 (2022-05-10)

Fixes

  • typescript: add types export for nodenext module resolution (92fd33d)

5.1.5 (2022-04-14)

Fixes

  • interoperable audience array value for JWT Client auth assertions (again) (96b367d)
  • typescript: add error constructors (#483) (9505cba)

5.1.4 (2022-03-04)

Fixes

  • dpop: htu without querystring (f6fa149)

5.1.3 (2022-02-03)

Fixes

  • add application/jwk-set+json to accept header for JWKS calls (#467) (f94d42b), closes #466

5.1.2 (2022-01-13)

Fixes

  • passing null as checks.nonce should not disable it (5120a07)

5.1.1 (2021-12-20)

Fixes

  • allow setting timeout to 0 to disable it (32b28b5), closes #443

5.1.0 (2021-12-03)

Features

  • support OAuth 2.0 Authorization Server Issuer Identification (fb6a141)
  • support server-provided DPoP nonces (update DPoP to draft-04) (a84950a)

Bug Fixes

  • reject oauthCallback when id_token is detected (92ffee5)
  • typescript: ts-ignore missing AbortSignal global (d975c11), closes #433

5.0.2 (2021-10-28)

Bug Fixes

  • explicitly set content-length again (956c34b), closes #420

5.0.1 (2021-10-27)

Bug Fixes

  • explicitly set accept: application/json again (89cdbe2)

5.0.0 (2021-10-27)

⚠ BREAKING CHANGES

  • The 'query' way of passing access token to userinfo was removed.
  • Access Token is now asserted to be present for the userinfo call.
  • The registry export was removed.
  • FAPIClient is renamed to FAPI1Client
  • FAPI1Client has default algorithms set to PS256 rather than RS256
  • FAPI1Client has default tls_client_certificate_bound_access_tokens set to true
  • FAPI1Client has default response_types set to id_token code and grant_types accordingly
  • FAPI1Client has no token_endpoint_auth_method set, one must be set explicitly
  • Client methods unpackAggregatedClaims and fetchDistributedClaims were removed with no replacement.
  • DPoP option inputs must be a private crypto.KeyObject or a valid crypto.createPrivateKey input.
  • Issuer.prototype.keystore is now private API
  • HTTP(S) request customization now only recognizes the following options 'agent', 'ca', 'cert', 'crl', 'headers', 'key', 'lookup', 'passphrase', 'pfx', and 'timeout'. These are standard node http/https module request options, got-library specific options such as 'followRedirect', 'retry', or 'throwHttpErrors' are no longer recognized.
  • The arguments inside individual HTTP request customization changed, first argument is now an instance of URL, the http request options object is passed in as a second argument.
  • The response property attached to some RPError or OPError instances is now an instance of http.IncomingMessage. Its body is available on its body property as either JSON if it could be parsed, or a Buffer if it failed to pass as JSON.
  • Drop support for Node.js v10.x
  • Only Node.js LTS releases Codename Erbium (^12.19.0) and newer are supported. Currently this means ^12.19.0 (Erbium), ^14.15.0 (Fermium), and ^16.13.0 (Gallium).
  • Issuer.discover will no longer attempt to load /.well-known/oauth-authorization-server. To load such discovery documents pass full well-known URL to Issuer.discover.

Refactor

  • DPoP input must be a private KeyObject or valid crypto.createPrivateKey input (d69af6f)
  • FAPIClient is renamed to FAPI1Client (59a4e73)
  • Issuer.prototype.keystore is now private API (0c23248)
  • only use the native http(s) client (83376ac)
  • remove automatic lookup of /.well-known/oauth-authorization-server (fc87d2b)
  • remove client.unpackAggregatedClaims and client.fetchDistributedClaims (b7f261f)
  • remove Registry public API export (6b91d58)
  • remove the 'query' option for userinfo, assert access token (eb9d139)
  • update Node.js semver support matrix (8b3044e)

4.9.1 (2021-10-13)

Bug Fixes

  • do not implicitly calculate key ids for Client instances (46e44e7), closes #379

4.9.0 (2021-09-20)

Features

4.8.0 (2021-09-15)

Features

  • OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (327f366)

4.7.5 (2021-08-30)

Bug Fixes

  • typescript: add remaining properties from RFC7662 (#398) (166e89b)

4.7.4 (2021-05-25)

Bug Fixes

  • typescript: add a missing PATCH method to requestResource (6b2c3ce), closes #368

4.7.3 (2021-04-30)

Bug Fixes

  • fapi: validate ID Token's iat regardless of which channel it came from (b68b9ab)

4.7.2 (2021-04-23)

Bug Fixes

  • typescript: add types for 4.6.0 additions (9064136)

4.7.1 (2021-04-22)

Bug Fixes

  • typescript: add types for 4.7.0 additions (2c1d2ab)

4.7.0 (2021-04-22)

Features

4.6.0 (2021-03-25)

Features

  • added OAuth 2.0 Pushed Authorization Requests client API (e7af9f5), closes #259

4.5.2 (2021-03-24)

Bug Fixes

  • interoperable audience array value for JWT Client auth assertions (da7d2f0)

4.5.1 (2021-03-15)

Bug Fixes

  • use mtls token endpoint alias as audience when using jwt auth with mtls constrained tokens (c463359)

4.5.0 (2021-03-10)

Features

  • include nbf in FAPIClient Request Objects (0be56ba)

4.4.2 (2021-03-07)

Bug Fixes

  • resolve discovery URIs one by one to yield consistent results (6b18218), closes #260 #267

4.4.1 (2021-02-26)

Bug Fixes

  • hide AggregateError message stack (3011cca), closes #336

4.4.0 (2021-01-29)

Features

  • allow options.https.pfx for mTSL (075cad7), closes #326

4.3.0 (2021-01-22)

Features

  • typescript: add userinfo response generics (b176b2f)

4.2.3 (2021-01-18)

Performance

  • use base64url encoding in node when available (24ab5b4)

4.2.2 (2020-11-30)

Bug Fixes

  • push pkce <> response type resolution to the authenticate function (1970af4), closes #312

4.2.1 (2020-10-27)

Bug Fixes

  • typescript: add state property to AuthorizationParameters (#305) (b9dfa60), closes #304

4.2.0 (2020-10-03)

Features

  • add callback extras to strategy options (#295) (b77466d)

4.1.1 (2020-09-14)

Bug Fixes

  • typescript: ts module interop issues with default export (6ca57d0), closes #291

4.1.0 (2020-09-11)

Features

  • OAuth 2.0 DPoP in various relevant API interfaces (44a0de7)

4.0.2 (2020-09-11)

Bug Fixes

  • updated request object mime-type as per draft-ietf-oauth-jwsreq-30 (d5cc619)

4.0.1 (2020-09-10)

Bug Fixes

  • ensure minimal got version handles upcoming node version changes (fd737a3)

4.0.0 (2020-09-09)

⚠ BREAKING CHANGES

  • the deprecated issuer.key() method was removed
  • due to added ESM module support Node.js version with ESM implementation bugs are no longer supported, this only affects early v13.x versions. The resulting Node.js semver range is ^10.19.0 || >=12.0.0 < 13 || >=13.7.0 (also taking into account the got dependency update)
  • upgraded got http request library dependency from v9.x to v11.x. If you override some of the http request options you will most certainly have to accomodate them.
  • Signed Request Object "typ" changed from JWT to oauth.authz.req+jwt
  • Encrypted Request Object "cty" changed from JWT to oauth.authz.req+jwt
  • PKCE is now used by default in the passport strategy
  • client.userinfo() verb parameter was renamed to method
  • the deprecated client.resource() method was removed

Features

  • added support for ESM (ECMAScript modules) (3ac37e8)
  • passport strategy will now use PKCE by default where applicable (56f9fe7)

Bug Fixes

  • request object type changed from 'JWT' to 'oauth.authz.req+jwt' (641a42f)

Refactor

  • remove deprecated client.resource() (c0ec865)
  • remove deprecated issuer.key() (5cd1ecf)
  • rename client.userinfo() verb parameter to method (4cb21a4)
  • upgrade got from v9.x to v11.x (c72b5e8)

3.15.10 (2020-09-02)

Bug Fixes

3.15.9 (2020-07-26)

Bug Fixes

  • typescript: max_age in AuthorizationParameters is a number (5ce2a73), closes #279

3.15.8 (2020-07-17)

Bug Fixes

  • allow AAD appid including discovery URLs to be multi-tenant (c27caab)

3.15.7 (2020-07-16)

3.15.6 (2020-07-06)

Bug Fixes

  • merge helper returns modified object, leftovers removed (2e3339b)

3.15.5 (2020-06-26)

Bug Fixes

3.15.4 (2020-06-26)

3.15.3 (2020-06-15)

Bug Fixes

  • give AAD v1 common same treatment as v2 common (2344e00), closes #269

3.15.2 (2020-06-01)

Bug Fixes

  • allow any JSON numeric value for timestamp values (a24a759), closes #263

3.15.1 (2020-05-12)

Bug Fixes

  • A192CBC-HS384 and A256CBC-HS512 direct encryption key derivation (c356bbe)

3.15.0 (2020-04-28)

Features

  • add RPError indicators for unix timestamp comparison failures (fe3db5c), closes #250

3.14.2 (2020-04-07)

Bug Fixes

  • typescript: add options arg to TypeOfGenericClient (b97b028)

3.14.1 (2020-03-21)

Bug Fixes

  • assert refresh_token grant ID Token sub to equal previous (23f3f9f)

3.14.0 (2020-02-28)

Features

  • support additional authorized parties (c9268ce), closes #231

3.13.0 (2020-02-18)

Features

  • add support for RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms (6c696e9)

3.12.2 (2020-01-30)

Bug Fixes

  • ensure jose version that handles ECDH-ES for larger key sizes right (e91001a)

3.12.1 (2020-01-25)

Bug Fixes

  • allow multiple keys to match when selecting encryption key for request object (fa3fa67)

3.12.0 (2020-01-23)

Bug Fixes

  • allow omitting the *_enc attributes (default 'A128CBC-HS256') (6567c73)

Features

  • new API for fetching arbitrary resources with the access token (c981ed6), closes #222

3.11.0 (2020-01-10)

Bug Fixes

  • typescript: allow 'id_token token' as a response type (61c486c)

Features

  • detect self-issued OP and validate ID Token accordingly (c5d3158), closes #220 #221

3.10.1 (2020-01-07)

Bug Fixes

  • allow duplicate "kid" values in issuer's jwks_uri (sigh) (8840fb6)

3.10.0 (2019-12-27)

Bug Fixes

  • enabled full JWT validation on distributed and aggregated claims (d95e31b)

Features

  • allow consuming JARM responses (jwt response mode) (dd4aae9)

3.9.2 (2019-12-17)

Bug Fixes

  • skip validating iat is in the past (0791001)

3.9.1 (2019-12-15)

Bug Fixes

  • remove check for nonce presence in params (cac46fb)

3.9.0 (2019-12-06)

Bug Fixes

  • check for mTLS request options during token_endpoint calls (269569f)
  • typescript: complete http options (3997687)

Features

  • added API for fetching any resource (ae242a5)
  • added issuer.FAPIClient for FAPI RW integrations (ab88aa5)

3.8.4 (2019-11-26)

Bug Fixes

  • use shake256(m, 114) for Ed448 ID Token _hash claims (80311c8)

3.8.3 (2019-11-14)

3.8.2 (2019-11-10)

Bug Fixes

  • assert jwks is present for private_key_jwk first (c1f875c)

3.8.1 (2019-11-07)

Bug Fixes

  • use sha512 for Ed25519 and shake256 for Ed448 ID Token _hash claims (31f7a04)

3.8.0 (2019-11-07)

Features

  • allow tokenType for userinfo to use as authorization header scheme (4eaa75f)

3.7.4 (2019-10-24)

Bug Fixes

  • allow distributed claims to be missing from the response (48d6633), closes #197

3.7.3 (2019-10-01)

Bug Fixes

  • use updated jose package (1f3a251)

3.7.2 (2019-09-13)

Bug Fixes

  • typescript: add missing Strategy interface properties (c0d59c4), closes #189

3.7.1 (2019-09-09)

Bug Fixes

  • typescript: remove the need for @types/got dependency (e5a50d7)

3.7.0 (2019-09-09)

Bug Fixes

  • assert client_secret is present when required, require client_id, etc (82855a5)

Features

  • Add Typescript definitions (#184) (c37130b)
  • allow clientAssertionPayload to overwrite default payload (28c8964)

3.6.2 (2019-09-03)

Bug Fixes

  • device authorization request always pushes the client_id to body (6fbf125)

3.6.1 (2019-08-24)

Bug Fixes

  • ignore runtime unsupported or malformed issuer jwks (f08b8be)

3.6.0 (2019-08-24)

Features

  • add RFC8628 - OAuth 2.0 Device Authorization Grant (Device Flow) support (adb4b76)
  • allow multiple resource parameters in authorization requests (dfdd8cb)

3.5.0 (2019-08-22)

Features

  • added Node.js lts/dubnium support for runtime supported features (54788c2)

3.4.0 (2019-08-13)

Features

  • electron v6.x runtime support (65ec619)

3.3.0 (2019-08-02)

Features

  • option to change http options globally (a1e0a3f)

3.2.3 (2019-07-18)

Bug Fixes

  • strategy: do not modify the params argument, clone it instead (4731d29), closes #177

3.2.2 (2019-07-12)

Bug Fixes

  • give AAD v2 organizations and consumers same treatment as common (4891b5b), closes #175

3.2.1 (2019-07-10)

Bug Fixes

  • plug reported lodash vulnerability (b690dac)

3.2.0 (2019-06-27)

Features

  • feat: added support for direct symmetric key encryption alg (dir) (f1b4282)

3.1.2 (2019-06-21)

Bug Fixes

  • ensure runtime @panva/jose dependency ^1.3.0 (d992deb)

3.1.1 (2019-05-15)

Bug Fixes

  • passport strategy runtime authenticate parameters regression (36e741e), closes #167

3.1.0 (2019-05-13)

Features

  • add helpers for generating secure random values & PKCE challenges (44f1865)

3.0.0 (2019-05-11)

Bug Fixes

  • authorizationParams no longer requires nonce for response_type=token
  • issuer's auth signing algs presence is now asserted if client is missing the relevant metadata property
  • unintended (client|issuer).metadata[property] reassignment is no longer possible
  • refreshed encrypted ID Tokens are now properly decrypted
  • userinfo_endpoint presence on an issuer is now asserted during userinfo function call
  • PBES2 symmetric encryption and decryption now correctly uses the client_secret value rather then its SHA digest
  • Accept header is now correctly set for all requests
  • clients configured to receive signed and/or encrypted userinfo endpoints will now correctly reject a response that isn't proper application/jwt

Features

  • Typed Errors - openid-client now has unique errors for HTTP transport related errors, OP/AS returned errors and RP(client-side) assertions.
  • common configuration issues are now gracefully handled. I feel like many developers may be setting properties like redirect_uri or response_type on a client instance. I sympathize and openid-client will now take these common mistakes and accomodate.
  • QoL #client.authorizationParams() will now attempt to resolve the redirect_uri and response_type from your client's metadata. If there's only one listed, it will be used automatically. If there's more, you must continue providing it explicitly.
  • per-request http request options helper function HTTP request options can now be modified on a per request basis for the different classes or their instances. This now allows each request's options to be altered on-demand with e.g. client mutual-TLS certificates or implementing work arounds for specific AS quirks.
  • mutual-TLS client authentication is now supported through the above mentioned helper for both client-authentication and proof-of-possession purposes.
  • custom request bodies Where the above per-request helper falls short is providing extra token endpoint exchange parameters like resource to authorization code or refresh token exchange, you can now pass those in the actual client methods.
  • custom client assertion payloads You can now pass extra claims to the client authenticated calls e.g. token, introspect, revoke.
  • request objects are now set to be one-time use Generated Request Objects are secure by default they include iat, exp and jti claims so that OPs have a way to make them one-time use depending on their policy.
  • EdDSA support OKP JSON Web Keys and EdDSA signing and verification is now supported.

BREAKING CHANGES

  • openid-client now uses @panva/jose for all things JOSE. As a result of this the minimum required node version is v12.0.0 and the client will now only function in node.js environments.
  • Issuer.defaultHttpOptions getter and setter were removed. See documentation customization section for its replacement.
  • client.CLOCK_TOLERANCE client property was removed. See documentation customization section for its replacement.
  • client.authorizationCallback() has been renamed to client.callback()
  • tokenset.claims getter is now a function tokenset.claims()
  • useRequest and useGot methods were removed, with the maintenance mode and inevitable deprecation of the request module i've decided to only support got as an http request library.
  • Instead of passing jose library keystore instances with private keys the API now expects a JWKS formatted object. keystore options argument properties are now called just jwks.
  • response_type=code is no longer defaulted to in #client.authorizationUrl() if your client instance has multiple response_types members.
  • Strict === equality operator is now used for assertions, while unlikely the breaking change is that should some ID Token claims be correct values but incorrect type, these will start failing now.
  • #client.revoke() no longer returns or in any way processes the response body as per spec requirements.
  • All http(s) responses are now strictly checked for the expected http response status code.
  • All http(s) requests now assert that an absolute URL is being requested.
  • Passport Strategy will now fail when userinfo is requested via the verify callback arity but no access token is returned from the OP.

2.5.0 (2019-04-29)

Bug Fixes

  • key lookup cache is now working as intended (90d2f2a), closes #162

Features

  • add support for azure ad v2 multitenant apps (24486dd), closes #148

2.4.5 (2018-11-05)

Bug Fixes

  • upgrade min node-jose version to fix its performance in node (e682dfc)

2.4.4 (2018-10-18)

Bug Fixes

2.4.3 (2018-10-10)

Bug Fixes

  • assign Discovery 1.0 defaults when discovering with .well-known (74b593e)

2.4.2 (2018-09-27)

Bug Fixes

  • non-string error responses are not treated as OpenIdConnectError (782d464), closes #125

2.4.1 (2018-09-16)

Bug Fixes

  • lts/boron unsupported syntax fix (5289188)

2.4.0 (2018-09-16)

Bug Fixes

  • OpenIdConnectError also returns session_state (95fae3d)
  • stop sending state on the authorisation code token grant (c4c9e50)

Features

  • add RP-Initiated Logout URL helper (7c2e030), closes #116

2.3.1 (2018-08-23)

Bug Fixes

  • apply safer, simpler www-authenticate parsing regex (ffce55a)
  • only assign Discovery 1.0 defaults when Issuer is discovered (dca60b8)

2.3.0 (2018-08-11)

Features

  • authorization response parameter checking based on response_type (6e0ac57)
  • passport strategy automatically checks response REQUIRED params (902eeed)

Pre standard-version Change Log

Version 2.2.x

Version 2.2.1

  • 2018-07-10 DIFF
  • improved discovery support of custom .well-known suffixes
  • chores - refactoring, missing tests, cleanup

Version 2.2.0

Version 2.1.x

Version 2.1.1

  • 2018-06-28 DIFF
  • fixed handling of bearer endpoint responses with www-authenticate headers only. fixes #102

Version 2.1.0

  • 2018-05-31 DIFF
  • node-jose dependency bumped to major ^1.0.0 - fixes A\d{3}GCMKW symmetrical encryption support
  • dependency updates

Version 2.0.x

Version 2.0.4

  • 2018-05-25 DIFF
  • fixed circular when serializing OpenIdConnectError
  • base64url dependency update

Version 2.0.3

  • 2018-05-15 DIFF
  • base64url dependency replaced

Version 2.0.2

  • 2018-05-10 DIFF
  • dependency tree updates

Version 2.0.1

  • 2018-04-26 DIFF
  • fixed client_secret_basic requiring the username and password tokens to be x-www-form-urlencoded according to https://tools.ietf.org/html/rfc6749#section-2.3.1
    • NOTE: Although technically a fix, this is a breaking change when used with providers that also don't currently follow the standard. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). If your client_id and client_secret does contain special characters that need encoding this does not affect you. If it does, try using client_secret_post instead.

Version 2.0.0

  • 2018-04-12 DIFF
  • dropped support for Node.js v4.x due to its End-of-Life on 2018-04-30
  • removed deprecated client#grantAuth
  • removed deprecated way of passing keystore directly to Client#register
  • removed support for passing client to OpenIDConnectStrategy as single argument, use new Strategy({ client }) instead of new Strategy(client).
  • fixed a bug requiring nonce to be passed for response_type=none

Version 1.20.0

  • 2018-03-13 DIFF
  • added documentation for OpenIdConnectError
  • added error_uri from IdP responses to OpenIdConnectError instances
  • fixed OpenIdConnectError messages to include error_description

Version 1.19.x

Version 1.19.5

  • 2018-03-10 DIFF
  • Issuer.discover now parses the provided URI instead of just inspecting the string. #80

Version 1.19.4

  • 2018-01-30 DIFF
  • fixed edge cases of (and simplified) private id token decryption method

Version 1.19.3

  • 2018-01-22 DIFF
  • fix return values of #authorizationCallback() for response_type=none to resolve a TokenSet

Version 1.19.2

  • 2018-01-16 DIFF
  • fixed authorizationUrl to respect existing issuer authorization_endpoint query parameters

Version 1.19.1

  • 2018-01-15 DIFF
  • adjusted the passport state mismatch related error message to hint developers at a local setup issue

Version 1.19.0

  • 2017-12-12 DIFF
  • added maintained request wrapper and a simple api to use request instead of got

Version 1.18.x

Version 1.18.2

  • 2017-12-05 DIFF
  • bumped node-jose dependency

Version 1.18.1

  • 2017-11-25 DIFF
  • fixed the order of several assert.equal calls to swap actual/expected descriptions
  • added assertion error messages for passport strategy

Version 1.18.0

  • 2017-11-19 DIFF
  • added option for the passport strategy to use PKCE
  • updated http request library got dependency

Version 1.17.0

  • 2017-10-31 DIFF
  • now uses client_secret_post as default for Issuer instances that do not support client_secret_basic but do signal support for client_secret_post in their discovery document

Version 1.16.0

  • 2017-10-13 DIFF
  • added s_hash value validation support for ID Tokens returned by authorization endpoint
  • fixed edge cases where valid _hash but from invalid sha-length was accepted

Version 1.15.0

  • 2017-09-11 DIFF
  • added support for Request Objects encrypted with symmetrical keys
  • fixed PBES2 encryption to use client_secret derived symmetrical key instead of its full octet value

Version 1.14.0

  • 2017-09-09 DIFF
  • added Passport Strategy passReqToCallback option, defaults to false

Version 1.13.0

  • 2017-08-24 DIFF
  • added an optional keystore argument to Client#fromUri(uri, token, [keystore]) to pass a keystore with private asymmetrical keys
  • fixed keystore check during constructor Client#new calls to check that only private asymmetrical keys are added

Version 1.12.0

Version 1.12.1

  • 2017-08-11 DIFF
  • explicitly specified accepted response type via accept: application/json header
  • added state to token_endpoint calls for servers supporting mixup mitigation

Version 1.12.0

  • 2017-07-17 DIFF
  • Allow session key to be specified in passport strategy options

Version 1.11.0

Version 1.11.1

  • 2017-07-14 DIFF
  • relaxed #callbackParams to allow IncomingMessage lookalikes
  • update internal dependencies

Version 1.11.0

  • 2017-05-19 DIFF
  • fixed default application_type from ['web'] to 'web'
  • added barebones Issuer.httpClient setter to help advanced developers in complex environments to change the used http request client

Version 1.10.0

  • 2017-05-04 DIFF
  • added pure OAuth 2.0 stripped down callback function #oauthCallback
  • added an extra option for #userinfo requests to have extra params in either query or body

Version 1.9.0

  • 2017-04-30 DIFF
  • added introspection/revocation specific client and issuer properties. To remain backwards compatible they default to their token endpoint counterparts
    • issuer.revocation_endpoint_auth_methods_supported
    • issuer.introspection_endpoint_auth_methods_supported
    • issuer.revocation_endpoint_auth_signing_alg_values_supported
    • issuer.introspection_endpoint_auth_signing_alg_values_supported
    • client.revocation_endpoint_auth_method
    • client.introspection_endpoint_auth_method
    • client.revocation_endpoint_auth_signing_alg
    • client.introspection_endpoint_auth_signing_alg

Version 1.8.0

Version 1.8.2

  • 2017-04-29 DIFF
  • bumped node-jose dependency to avoid github tar.gz dependencies
  • adjusted token_endpoint_auth_method=none to how it should be

Version 1.8.0

  • 2017-04-07 DIFF
  • Issuer and Client now recognize custom properties, this is so that new Registry Contents do not require a new release of openid-client to be picked up. Custom properties are exposed as getters so long as they do not interfere with the object's Prototype and they are always available in #metadata getter.

Version 1.7.0

Version 1.7.2

  • 2017-03-28 DIFF
  • added missing check for webfinger issuer location protocol

Version 1.7.1

  • 2017-03-28 DIFF
  • added authorizationCallback support for submitting code_verifier
  • example now includes session management OP and RP frames

1.7.0 failed to publish properly, use 1.7.1 instead

Version 1.6.0

Version 1.6.4

  • 2017-03-14 DIFF
  • fixed receiving (correct) empty responses from revocation endpoints (#21)

Version 1.6.3

Version 1.6.2

  • 2017-03-09 DIFF
  • fixed verify callback skipping userinfo when userinfo_endpoint is not configured (#19)
  • removed mandatory checks from passport strategy, allowing i.e. implicit only OPs (#19)

Version 1.6.1

  • 2017-03-07 DIFF
  • fixed verify callback skipping userinfo call when arity says it should but no access token is present (#18)

Version 1.6.0

  • 2017-02-15 DIFF
  • added at_hash presence assertion for applicable (implicit) ID Token validation
  • added c_hash presence assertion for applicable (hybrid) ID Token validation from the authorization_endpoint

Version 1.5.0

Version 1.5.3

  • 2017-02-15 DIFF
  • fixed an ID Token validation for ID Token returned by Token Endpoint that includes c_hash

Version 1.5.2

  • 2017-02-01 DIFF
  • fixed passport strategy, have it use prototype instead of ES6 class syntax

Version 1.5.1

  • 2017-01-29 DIFF
  • fixed client_assertion aud claim for _jwt auth methods when used in introspection and revocation

Version 1.5.0

  • 2017-01-26 DIFF
  • added a passport.js strategy
  • added missing max_age, default_max_age related functionality
    • authorizationCallback now supports max_age check
    • clients with default_max_age use this default value automatically
    • when max_age is checked auth_time claim is mandatory and must be a number
  • added missing require_auth_time related functionality
    • clients with require_auth_time = true have the presence and format of auth_time claim validated
  • authorizationUrl and authorizationPost now removes null and undefined values and ensures parameters are stringified before passed to url.format
  • added client.CLOCK_TOLERANCE property, to allow for clock skew (in seconds)

Version 1.4.0

  • 2017-01-10 DIFF
  • deprecated passing keystore directly to Client#register, pass an object with keystore property instead
  • added the option to provide InitialAccessToken value to Client#register

Version 1.3.0

Version 1.3.1

  • 2016-12-18 DIFF
  • added error messages when expected response is missing

Version 1.3.0

  • 2016-12-13 DIFF
  • added #requestObject method to Client to return signed and/or encrypted Request Object

Version 1.2.0

  • 2016-12-09 DIFF
  • added #claims getter to TokenSets returned from authorizationCallback and refresh;

Version 1.1.0

  • 2016-11-23 DIFF
  • fixed unpacking aggregated claims with alg=none and no iss claim
  • fetching distributed claims now expects a JWT response, previously expected invalid OP responses

Version 1.0.0

Version 1.0.2

  • 2016-11-22 DIFF
  • fixed signed userinfo response validation in case iss, aud and similar ID Token claims are missing

Version 1.0.1

  • 2016-11-18 DIFF
  • Updated uuid dependency

Version 1.0.0

RP test tools are passing, no changes required from the library, API is declared stable, hence 1.0.0 release.

Migrating from 0.x to 1.0

  1. update your package.json file to "^1.0.0"
  2. sit back and relax, no breaking changes

pre 1.x changelog

4. Major version zero (0.y.z) is for initial development. Anything may change at any time.
   The public API should not be considered stable.

5. Version 1.0.0 defines the public API.