Skip to content

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 04 Jul 20:30
Immutable release. Only release title and notes can be modified.

v0.1.1 — adapter identity-error-mapping hotfix

Patch release. No new features, no port or contract changes — this ships the
identity-error-mapping fix from #1
to npm users on 0.1.0.

What's in this release

When an identity port rejects a subject during /authorize (Entra / Cloudflare
Access allowlist miss, or any throw from identity resolution), the response is
now a spec-correct OAuth error across fastify, express, and hono:

  • Identity rejection ⇒ 401 access_denied with the §9.5 body (was a 500
    internal_error envelope on Express/Hono, and a 401 with a framework-shaped
    body on Fastify).
  • Non-OAuth throws ⇒ 500 with a non-leaking top-level error body. The
    thrown message is no longer echoed — a thrown Error("…") during identity
    resolution previously surfaced in the response body on Express/Fastify.
  • Identity-error redirects are ignored pre-validation — the response is
    delivered directly, with no Location header.

The shared adapter test matrix now covers all three cases (HF.1 rejected
identity, HF.2 OAuthError throw, HF.3 non-OAuth Error throw → non-leaking
500) across every framework. Full matrix documented in
docs/verification.md.

Should you upgrade?

Yes if any of your /authorize requests can be rejected by your identity port
(allowlists, Conditional Access, IdP-side gating). If identity resolution can
never throw in your deployment, behavior is unchanged. Contracts touched:
§9.3, §9.5, §9.6 in
docs/contracts.md.

npm i mcp-sso@0.1.1

Not in this release

Phase 5 (/store/mysql, Redis-backed RateLimitPort, Captatum dogfood) and the
v0.2 feature set (Entra groups, client_credentials, device flow, generic OIDC,
CIMD, audit sinks, console pairing) remain on the roadmap — see the
README.

Full changelog: v0.1.0...v0.1.1