v2.5.0

Notes

• feat(#68): support RFC 7009 for token revocation (thank you @oliverlockwood)
• fix(#67): allow userRepository.extraAccessTokenFields() to set the 'iss' and 'aud' claims (thank you @oliverlockwood)

Full Changelog

v2.4.0...v2.5.0

v2.4.0

Notes

• feat(#61): add client param to issueRefreshToken
• fix(#66): match URLSearchParams constructor signature

Full Changelog

v2.3.0...v2.4.0

v2.3.0

Notes

• feat(#56): add more informative error messaging
• feat(#57): add configuration option to disallow plain code verifiers
• feat(#59): throw 400 on malformed jwt
• chore: fix error messages
• chore: removed deprecated querystring
• chore: renamed the default branch to main

Full Changelog

v2.2.5...v2.3.0

v2.2.5

Notes

docs: resolve #54 add example readme content for OAUTH_CODES_SECRET
fix: resolve #55 removes duplicate client secret verification
refactor: replace jest with vitest
chore: bumps node version CI to v14/16

Full Changelog

v2.2.4...v2.2.5

v2.2.4

fix: #53 add missing export of OAuthException to main index

v2.2.3

fix: #50 #51 implicit grant properly responds to authorization requests and rejects token requests

v2.2.2

feat: adds AuthorizationServerOption tokenCID: "name"|"id";. This field allows you to switch the value of the JWT accessToken.cid to either the client.name or client.id.

In version 2.x this field is defaulted to "name", in v3.x this will switch to "id".

Example usage:

const authorizationServer = new AuthorizationServer(
  authCodeRepository,
  clientRepository,
  accessTokenRepository,
  scopeRepository,
  userRepository,
  new JwtService("secret-key"),
  {
    tokenCID: "id" // default is "name", in v3.0.0 this will default to "id"
  }
);

The decoded JWT example:

{
  // this value defaults to the client.name in 2.x but will change to client.id in 3.x
  cid: 'test auth code client', 
  
  email: '[email protected]',
  scope: '',
  sub: 'abc123',
  exp: 1637178101,
  nbf: 1637174501,
  iat: 1637174501,
  jti: 'new token'
}

v2.2.1

deprecation warning

refactor: unused response parameter has been marked optional will be removed in 3.x. In 2.x, there is a deprecation warning in development builds.

- authorizationServer.respondToAccessTokenRequest(request, response)
+ authorizationServer.respondToAccessTokenRequest(request)

v2.2.0

feat: #39 support optional promise - thanks @xhebox
fix: #38 use floor instead of ceil when rounding

v2.1.0

• feat: adds optional AuthorizationServer support for notBeforeLeeway with JWT RFC7519#4.1.5

Note: This release is equivalent to v2.0.5. I first published this release under the patch version, then decided that this was technically a new feature, and I should release it under v2.1.0.