This repository was archived by the owner on Aug 28, 2023. It is now read-only.

Version 3.0.0


@lovemaths lovemaths released this 13 Oct 20:51
· 155 commits to master since this release

OIDCStrategy

Breaking changes

SAML and WSFED

  • We no longer support SAML and WSFED starting from version 3.0.0, please use release 2.0.3 instead.

Options

  • skipUserProfile option: this option is no longer provided. The strategy loads 'userinfo' whenever it can obtain an access_token for 'userinfo', which is the case only when you use AAD v1 with the 'code', 'code id_token' or 'id_token code' flow and do not specify the resource. In all other scenarios the profile is built from the id_token instead.
  • returnURL/callbackURL option: this option is renamed to redirectUrl. redirectUrl must now be an https URL unless you set the allowHttpForRedirectUrl option to true; do that only for local development, since an http redirect exposes the authorization code or id_token on the wire.

Claims in the returned profile

  • removed the email claim.
  • added the oid, upn and emails claims. emails is always an array. You might get the upn claim from non-B2C tenants, and you might get the emails claim from B2C tenants.

B2C only

  • identityMetadata option: common endpoint is no longer allowed for B2C. Tenant-specific endpoint should be used, for instance:
    https://login.microsoftonline.com/your_B2C_tenant_name.onmicrosoft.com/v2.0/.well-known/openid-configuration or
    https://login.microsoftonline.com/your_B2C_tenant_guid/v2.0/.well-known/openid-configuration.
  • isB2C option: this is a new option. If you are using a B2C tenant, set this option to true.
  • tenantName: this option is no longer used.

New features

  • multiple nonce and state support in OIDCStrategy. Provided nonceLifetime option to configure the lifetime of nonce saved in session.
  • enabled issuer validation against common endpoint. To validate issuer on common endpoint, user must
    specify the allowed issuer(s) in issuer option, and set validateIssuer option to true.
  • user-provided state support. The usage is as follows:
    passport.authenticate('azuread-openidconnect', { customState : 'the_state_you_want_to_use' });

BearerStrategy

Breaking changes

General

  • We no longer accept an access_token sent in the request query string; send it in the request header or request body instead. Query-string tokens tend to end up in server logs, proxy logs and browser history.
  • We no longer support the certificate option. The keys are now always fetched from the metadata URL and the PEM key is generated from them.

B2C only

  • identityMetadata: common endpoint is no longer allowed for B2C. Tenant-specific endpoint should be used, for instance:
    https://login.microsoftonline.com/your_B2C_tenant_name.onmicrosoft.com/v2.0/.well-known/openid-configuration or
    https://login.microsoftonline.com/your_B2C_tenant_guid/v2.0/.well-known/openid-configuration.
  • isB2C option: this is a new option. If you are using a B2C tenant, set this option to true.
  • tenantName: this option is no longer used.

New features

  • enabled issuer validation against the common endpoint. To validate the issuer on the common endpoint, you must
    specify the allowed issuer or an array of issuers in the issuer option, and set the validateIssuer option to true.

Bug fixes

  • #218 Missing email claim for B2C
  • #195 Remove default query support for access_token in bearerStrategy
  • #194 Error message for 'sub' mismatch is incorrect after redeeming 'code'
  • #189 Extensibility to allow issuer validation when going against common endpoint
  • #188 Mocha tests for B2C to prevent regressions
  • #187 p parameter is not being passed in each flow through the passport.js library
  • #171 multiple nonce and state handling
  • #165 validationConfiguration.callbackUrl should be named redirectUrl
  • #164 By default redirect URL should be https