v0.1.1
v0.1.1 — adapter identity-error-mapping hotfix
Patch release. No new features, no port or contract changes — this ships the
identity-error-mapping fix from #1
to npm users on 0.1.0.
What's in this release
When an identity port rejects a subject during /authorize (Entra / Cloudflare
Access allowlist miss, or any throw from identity resolution), the response is
now a spec-correct OAuth error across fastify, express, and hono:
- Identity rejection ⇒
401 access_deniedwith the §9.5 body (was a 500
internal_errorenvelope on Express/Hono, and a 401 with a framework-shaped
body on Fastify). - Non-OAuth throws ⇒
500with a non-leaking top-levelerrorbody. The
thrown message is no longer echoed — a thrownError("…")during identity
resolution previously surfaced in the response body on Express/Fastify. - Identity-error redirects are ignored pre-validation — the response is
delivered directly, with noLocationheader.
The shared adapter test matrix now covers all three cases (HF.1 rejected
identity, HF.2 OAuthError throw, HF.3 non-OAuth Error throw → non-leaking
500) across every framework. Full matrix documented in
docs/verification.md.
Should you upgrade?
Yes if any of your /authorize requests can be rejected by your identity port
(allowlists, Conditional Access, IdP-side gating). If identity resolution can
never throw in your deployment, behavior is unchanged. Contracts touched:
§9.3, §9.5, §9.6 in
docs/contracts.md.
npm i mcp-sso@0.1.1
Not in this release
Phase 5 (/store/mysql, Redis-backed RateLimitPort, Captatum dogfood) and the
v0.2 feature set (Entra groups, client_credentials, device flow, generic OIDC,
CIMD, audit sinks, console pairing) remain on the roadmap — see the
README.
Full changelog: v0.1.0...v0.1.1