Releases: panva/oauth4webapi
Releases · panva/oauth4webapi
v2.2.1
v2.2.0
Features
// client's local clock is mistakenly 1 hour in the past
const client: oauth.Client = {
client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
// ... other metadata
[oauth.clockSkew]: +(60 * 60),
}
// client's local clock is mistakenly 1 hour in the future
const client: oauth.Client = {
client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
// ... other metadata
[oauth.clockSkew]: -(60 * 60),
}
// Tolerate 30 seconds clock skew when validating JWT claims like `exp` or `nbf`.
const client: oauth.Client = {
client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
// ... other metadata
[oauth.clockTolerance]: 30,
}
v2.1.0
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.1
v2.0.0
⚠ BREAKING CHANGES
- Use the TLS server validation in
processAuthorizationCodeOpenIDResponse
to validate the issuer instead of checking the ID Token's signature. The function'soptions
argument was removed. - Use the TLS server validation in
processDeviceCodeResponse
to validate the issuer instead of checking the optional ID Token's signature. The function'soptions
argument was removed. - Use the TLS server validation in
processIntrospectionResponse
to validate the issuer instead of checking the optional JWT Introspection Response signature. The function'soptions
argument was removed. - Use the TLS server validation in
processRefreshTokenResponse
to validate the issuer instead of checking the optional ID Token's signature. The function'soptions
argument was removed. - Use the TLS server validation in
processUserInfoResponse
to validate the issuer instead of checking the optional JWT UserInfo Response signature. The function'soptions
argument was removed. - PAR w/ DPoP no longer automatically adds
dpop_jkt
to the authorization request. - Removed
calculateJwkThumbprint
function export. - Removed
jwksRequest
function export. - Removed
processJwksResponse
function export.