CHANGELOG.md

File metadata and controls

2441 lines (1382 loc) · 125 KB

Changelog

Unreleased (2021-04-04)

Bug Fixes

Tests

  • Change sha algorithm name acc to standard naming (#572) (a3594a3)

0.39.0 (2021-03-08)

Features

0.38.0 (2021-02-23)

Bug Fixes

  • Use correct error code for expired token (#562) (56a71e5)

Features

  • Add ClientAuthenticationStrategy extension point (#565) (ec0bec2), closes #564

BREAKING CHANGES

0.37.0 (2021-02-05)

Bug Fixes

Features

  • Add support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type (RFC 7523) (#560) (9720241), closes #546 #305

0.36.1 (2021-01-11)

Bug Fixes

  • Broken dependency to reflection package (#555) (a103222)

Code Refactoring

0.36.0 (2020-11-16)

Bug Fixes

  • Allow all request object algs when client value is unset (1d14636):

    Allows all request object signing algorithms when the client has not explicitly allowed a certain algorithm. This follows the spec:

    *request_object_signing_alg - OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.

  • Always return non-error response for inactive tokens (#517) (5f2cae3)

  • Be more permissive in time checks (839d000):

    Time equality should not cause failures in OpenID Connect validation.

  • Do not accidentally leak jwks fetching errors (6d2092d), closes /github.com/ory/fosite/pull/526#discussion_r517491738

  • Do not require nonce for hybrid flows (de5c8f9):

    This patch resolves an issue where nonce was required for hybrid flows, which does not comply with the OpenID Connect conformity test suite, specifically the oidcc-ensure-request-without-nonce-succeeds-for-code-flow test.

  • Guess default response mode in NewAuthorizeRequest (a2952d7)

  • Improve claims handling for jwts (a72ca9a)

  • Improve error stack wrapping (620d4c1)

  • Kid header is not required for key lookup (27cc5c0)

  • Modernized JWT stateless introspection (#519) (a6bfb92)

  • Only use allowed characters in error_description (431f9a5), closes #525:

    Replace LF and quotes with . and ' to match allowed and recommended character set defined in various RFCs.

  • Prevent debug details from leaking during key lookup (c0598fb), closes /github.com/ory/fosite/pull/526#discussion_r517490461

  • Reset jti and hash ID token claims on refresh (#523) (ce2de73)

  • Use state from request object (8cac1a0):

    Resolves failing OIDC conformity test "oidcc-request-uri-unsigned".

Code Refactoring

  • Use rfc compliant error formatting (edbbda3)

Documentation

Features

  • Add support for response_mode=form_post (#509) (3e3290f):

    This patch introduces support for response_mode=form_post as well as response_mode of none and query and fragment.

    To support this new feature your OAuth2 Client must implement the fosite.ResponseModeClient interface. We suggest to always return all response modes there unless you want to explicitly disable one of the response modes:

    func (c *Client) GetResponseModes() []fosite.ResponseModeType {
    	return []fosite.ResponseModeType{
    		fosite.ResponseModeDefault,
    		fosite.ResponseModeFormPost,
    		fosite.ResponseModeQuery,
    		fosite.ResponseModeFragment,
    	}
    }

  • Improve error messages (#513) (fcac5a6)

  • Introduce WithExposeDebug to error interface (625a521)

  • Support passing repeated audience parameter in URL query (#518) (47f2a31), closes #504:

    Added GetAudiences helper function which tries to keep the current behavior and also support multiple/repeated audience parameters. If the parameter is repeated, then it is not split by space. If there is only one then it is split by space. I think this is the best balance between standard/backwards behavior and allowing repeated parameter and allowing also URIs/audiences with spaces in them (which we probably all agree is probably not something anyone should be doing).

    Also added ExactAudienceMatchingStrategy which is slightly more suitable to use for audiences which are not URIs. In OIDC spec audience is described as:

    Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

    client_id is generally not an URI, but some UUID or some other random string.

BREAKING CHANGES

  • This patch removes fields error_hint, error_debug from error responses. To use the legacy error format where these fields are included, set UseLegacyErrorFormat to true in your compose config or directly on the Fosite struct. If UseLegacyErrorFormat is set, the error_description no longer merges error_hint nor error_debug messages which reverts a change introduced in v0.33.0. Instead, error_hint and error_debug are included and the merged message can be constructed from those fields.
  • As part of this change, the error interface and its fields have changed:
  • RFC6749Error.Name was renamed to RFC6749Error.ErrorField.
  • RFC6749Error.Description was renamed to RFC6749Error.DescriptionField.
  • RFC6749Error.Hint was renamed to RFC6749Error.HintField.
  • RFC6749Error.Code was renamed to RFC6749Error.CodeField.
  • RFC6749Error.WithCause() was renamed to RFC6749Error.WithWrap() *RFC6749Error and alternatively to RFC6749Error.Wrap() (without return value) to standardize naming conventions around the new Go 1.14+ error interfaces.
  • As part of this change, methods GetResponseMode, SetDefaultResponseMode, GetDefaultResponseMode were added to interface AuthorizeRequester. Also, methods GetQuery, AddQuery, and GetFragment were merged into one function GetParameters and AddParameter on the AuthorizeResponder interface. Methods on AuthorizeRequest and AuthorizeResponse changed accordingly and will need to be updated in your codebase. Additionally, the field Debug was renamed to DebugField and a new method Debug() string was added to RFC6749Error.

Co-authored-by: hackerman 3372410+aeneasr@users.noreply.github.com

0.35.1 (2020-10-11)

Bug Fixes

Documentation

Features

  • Allow configuring redirect secure checker everywhere (#489) (e87d091)
  • Scope can now be space delimited in access tokens (#482) (8225935), closes #362

0.35.0 (2020-10-06)

Bug Fixes

BREAKING CHANGES

  • Type fosite.TokenType has been renamed to fosite.TokenUse.

0.34.1 (2020-10-02)

Bug Fixes

  • Make redirect URL checking more strict (cdee51e):

    The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal:

    1. Registering a client with allowed redirect URL https://example.com/callback
    2. Performing OAuth2 flow and requesting redirect URL https://example.com/callback?bar=foo
    3. Instead of an error, the browser is redirected to https://example.com/callback?bar=foo with a potentially successful OAuth2 response.

    Additionally, matching Redirect URLs used strings.ToLower normalization:

    1. Registering a client with allowed redirect URL https://example.com/callback
    2. Performing OAuth2 flow and requesting redirect URL https://example.com/CALLBACK
    3. Instead of an error, the browser is redirected to https://example.com/CALLBACK with a potentially successful OAuth2 response.

    This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.
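As an added example (not fosite's own code), the two weaknesses this entry describes, a check that ignores the query string and lower-cases both sides, shown next to a strict, case-sensitive, query-inclusive check; the registered URL is a constructed sample:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Sample registered redirect URL, constructed for this example.
var registered = []string{"https://example.com/callback"}

// LaxMatch reproduces the two weaknesses the 0.34.1 entry describes:
// the query string is ignored and both sides are lower-cased before
// comparison. It is shown only to contrast with StrictMatch below.
func LaxMatch(requested string, allowed []string) bool {
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	for _, a := range allowed {
		reg, err := url.Parse(a)
		if err != nil {
			continue
		}
		if strings.ToLower(reg.Scheme) == strings.ToLower(req.Scheme) &&
			strings.ToLower(reg.Host) == strings.ToLower(req.Host) &&
			strings.ToLower(reg.Path) == strings.ToLower(req.Path) {
			return true
		}
	}
	return false
}

// StrictMatch is the hardened check: the requested URL must equal one of
// the registered URLs component by component, case-sensitively, with the
// query string included. A fragment is rejected outright because RFC 6749
// section 3.1.2 forbids fragments in redirection endpoint URIs.
func StrictMatch(requested string, allowed []string) bool {
	req, err := url.Parse(requested)
	if err != nil || req.Fragment != "" {
		return false
	}
	for _, a := range allowed {
		reg, err := url.Parse(a)
		if err != nil {
			continue
		}
		if reg.Scheme == req.Scheme &&
			reg.Host == req.Host &&
			reg.Path == req.Path &&
			reg.RawQuery == req.RawQuery {
			return true
		}
	}
	return false
}

func main() {
	for _, requested := range []string{
		"https://example.com/callback",         // registered value: accepted by both
		"https://example.com/callback?bar=foo", // extra query: lax accepts, strict rejects
		"https://example.com/CALLBACK",         // case differs: lax accepts, strict rejects
		"https://example.com/callback#frag",    // fragment: strict rejects
	} {
		fmt.Printf("%-40s lax=%-5v strict=%v\n",
			requested, LaxMatch(requested, registered), StrictMatch(requested, registered))
	}
}
```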

Documentation

0.34.0 (2020-09-24)

Bug Fixes

Features

Unclassified

  • Merge pull request from GHSA-7mqr-2v3q-v2wm (03dd558)

BREAKING CHANGES

  • fosite.ErrRevocationClientMismatch was removed because it is not part of RFC 6749. Instead, fosite.ErrUnauthorizedClient will be returned when calling RevokeToken with an OAuth2 Client which does not match the Access or Refresh Token to be revoked.

0.33.0 (2020-09-16)

Features

  • Error_hint and error_debug are now exposed through error_description (#460) (8daab21)

BREAKING CHANGES

  • Merges the error description with error hint and error debug, making it easier to consume error messages in standardized OAuth2 clients.

0.32.4 (2020-09-15)

Code Refactoring

  • Fix inconsistent spelling of revocation (#477) (7a55edb)

Documentation

0.32.3 (2020-09-12)

Bug Fixes

Code Refactoring

Documentation

Features

0.32.2 (2020-06-22)

Features

  • New factory with default issuer for JWT tokens (#444) (901e206)

0.32.1 (2020-06-05)

Bug Fixes

  • Improved error messages in client authentication (#440) (c06e560), closes #436

Features

0.32.0 (2020-05-28)

Bug Fixes

  • Double-decoding of client credentials in request body (#434) (48c9b41):

    I noticed that client credentials are URL-decoded after being extracted from the POST body form, which was already URL-decoded by Go. The accompanying error message suggests this was copied and pasted from the HTTP basic authorization header handling, which is the only place where the extra URL-decoding was needed (as per the OAuth 2.0 spec). The result is that client credentials containing %-prefixed sequences, whether valid sequences or not, are going to fail validation.

    Remove the extra URL decoding. Add tests that ensure client credentials work with special characters in both the HTTP basic auth header and in the request body.

  • arguments: Fixes a logic bug in MatchesExact and adds documentation (#433) (10fd67b)

Documentation

Features

  • Added support for ES256 token strategy and client authentication (#439) (36eb661), closes #429:

    I added to DefaultOpenIDConnectClient a field TokenEndpointAuthSigningAlgorithm to be able to configure what GetTokenEndpointAuthSigningAlgorithm returns. I also cleaned some other places where there were assumptions about only RSA keys.

0.31.3 (2020-05-09)

Bug Fixes

  • Do not issue refresh tokens to clients who cannot use it (#430) (792670d), closes #370

Features

0.31.2 (2020-04-16)

Bug Fixes

  • Introduce better linting pipeline and resolve Go issues (#428) (e02f731)

0.31.1 (2020-04-16)

Bug Fixes

  • Return invalid_grant instead of invalid_request in refresh flow (#427) (f5a0e96):

    Return invalid_grant instead of invalid_request in the authorization code flow when the user is not the owner of the authorization code or if the redirect uri doesn't match the one from the authorization request.

  • storage: Remove unused field (#422) (d2eb3b9), closes #417

  • List all response types in example memory store (#413) (427d40d), closes #304

  • storage: Remove unused methods (#417) (023bdcf)

Documentation

0.31.0 (2020-03-29)

Unclassified

  • Merge pull request from GHSA-v3q9-2p3m-7g43 (0c9e0f6)

0.30.6 (2020-03-26)

Bug Fixes

  • Handle serialization errors that can be thrown by call to 'Commit' (#403) (35a1558)

Documentation

  • Update forum and chat links (b1ba04e)

0.30.5 (2020-03-25)

Bug Fixes

  • Handle concurrent transactional errors in the refresh token grant handler (#402) (b17190b):

    This commit provides the functionality required to address ory/hydra#1719 & ory/hydra#1735 by adding error checking to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method so it can deal with errors due to concurrent access. This will allow the authorization server to render a better error to the user-agent.

    No longer returns fosite.ErrServerError in the event the storage. Instead a wrapped fosite.ErrNotFound is returned when fetching the refresh token fails due to it no longer being present. This scenario is caused when the user sends two or more requests to refresh using the same token and one request gets into the handler just after the prior request finished and successfully committed its transaction.

    Adds unit test coverage for transaction error handling logic added to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method

0.30.4 (2020-03-17)

Bug Fixes

0.30.3 (2020-03-04)

Bug Fixes

Documentation

  • Add undocumented ExactScopeStrategy (#395) (387cade)
  • Updates issue and pull request templates (#393) (cdefb3e)
  • Updates issue and pull request templates (#394) (119e6ab)

Features

  • Add ExactOne and MatchesExact to Arguments (#399) (cf23400):

    Previously Arguments.Exact had vague semantics where it couldn't distinguish between a value with a space and multiple values. Split it into 2 functions with clear semantics.

    Old .Exact() remains for compatibility and is marked as deprecated.

0.30.2 (2019-11-21)

Unclassified

0.30.1 (2019-09-23)

Unclassified

0.30.0 (2019-09-16)

Unclassified

  • handler/pkce: Enable PKCE for private clients (#382) (e21830e), closes #382

  • Add RefreshTokenScopes Config (#371) (bcc7859), closes #371:

    When set to true, this will return refresh tokens even if the user did not ask for the offline or offline_access Oauth Scope.

0.29.8 (2019-08-29)

Documentation

  • Updates issue and pull request templates (#376) (165e93e)
  • Updates issue and pull request templates (#377) (40590cb)
  • Updates issue and pull request templates (#378) (54426bb)

Unclassified

  • handler/revoke: respecting ErrInvalidRequest code (#380) (cc34bfb), closes #380:

    This commit modifies the case for ErrInvalidRequest in WriteRevocationResponse to respect the 400 error code and not fallthrough to ErrInvalidClient.

    Author: DefinitelyNotAGoat baldrich@protonmail.com

0.29.7 (2019-08-06)

Documentation

  • Fix method/struct documents (#360) (ad06f22)
  • Updates issue and pull request templates (#361) (35157e2)
  • Updates issue and pull request templates (#365) (90a3c50)
  • Updates issue and pull request templates (#366) (27c64ec)
  • Updates issue and pull request templates (#367) (01cd955)
  • Updates issue and pull request templates (#373) (5962474)
  • Updates issue and pull request templates (#374) (9f7cf40)

Unclassified

  • Return error when PKCE is used with private clients (#375) (7219387)
  • Create FUNDING.yml (1b7b479)

0.29.6 (2019-04-26)

Unclassified

  • Allow prompt=none for https/localhost (#359) (27bbe00)

0.29.5 (2019-04-25)

Unclassified

  • Add debug log to invalid_client error (#358) (dce3111)

0.29.3 (2019-04-17)

Unclassified

  • Export IsLocalhost (a95ea09)
  • Improve IsRedirectURISecure check (d6f8962)

0.29.2 (2019-04-11)

Unclassified

  • Allow providing a custom redirect URI checker (#355) (3d16e39), closes #355

0.29.1 (2019-03-27)

Unclassified

  • Improve rotated secret error reporting in HMAC strategy (#354) (f21d930)

  • Propagate session data properly (#353) (5ba0f04):

    This example is slightly inaccurate; the session data will need to come from the returned AccessRequester, not the pre-created session. The session passed to IntrospectToken isn't mutated.

  • Remove useless details fn receiver (#349) (af403c6)

  • Update HISTORY.md, README.md, CONTRIBUTING.md (#347) (de5e61e):

    • README: Breaks out 0.26.0 as was stuck inside a code block.
    • README: Ensures the later versions format code blocks as Go code.
    • Runs doctoc to ensure TOCs are up to date.

0.29.0 (2018-12-23)

Unclassified

  • Add mock for storage.Transactional + update generate-mocks.sh (03f7bc8)
  • Add test coverage to exercise the transactional support in the AuthorizeExplicitGrantHandler's PopulateTokenEndpointResponse method. (2f58f9e)
  • Add test coverage to exercise the transactional support in the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method. (b38d7c8)
  • Adds new interface Transactional which is to be implemented by storage providers that can support transactions. (c364b33)
  • Don't double encode URL fragments (#346) (1f41934), closes #345
  • Use transactions in the auth code token flow (if the storage implementation implements the Transactional interface) to address #309 (e00c567)
  • Use transactions in the refresh token flow (if the storage implementation implements the Transactional interface) to address #309 (07d1a39)

0.28.1 (2018-12-04)

Unclassified

0.28.0 (2018-11-16)

Unclassified

  • Add ability to specify refresh token lifespan (#337) (fa65408), closes #319:

    Set it to -1 to disable this feature. Defaults to 30 days.

0.27.4 (2018-11-12)

Documentation

  • Fix quickstart (#335) (25cc6c4):

    • replace NewMemoryStore with NewExampleStore
    • fix length of signing key
    • fix config type

Unclassified

0.27.3 (2018-11-08)

Unclassified

  • Set exp for authorize code issued by hybrid flow (#333) (d275e84)

0.27.2 (2018-11-07)

Unclassified

0.27.1 (2018-11-03)

Unclassified

  • Improve refresh security and reliability (#332) (4e4121b), closes #331 #325 #324:

    This patch resolves several issues regarding the refresh flow. First, an issue has been resolved which caused the audience to not be set in the refreshed access tokens.

    Second, scope and audience are validated against the client's whitelisted values and if the values are no longer allowed, the grant is canceled.

0.27.0 (2018-10-31)

Unclassified

  • Introduce audience capabilities (#327) (e2441d2), closes #326:

    This patch allows clients to whitelist audiences and request that audiences are set for oauth2 access and refresh tokens

  • Update jwt access token interface (#330) (2da9764):

    The interface needed to change in order to natively handle the audience claim.

0.26.1 (2018-10-25)

Unclassified

  • Fix Config.GetHashCost godoc comment (#320) (4d2b119)

  • Fix doc typo (#322) (239b1ed)

  • Raise bcrypt cost factor lower bound (#321) (799fc70):

    Users of this library can easily create the following:

    hasher := fosite.BCrypt{}
    hasher.Hash(..)

    This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt).

    Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed.

0.26.0 (2018-10-24)

Unclassified

  • Allow customization of JWT claims (f97e451)
  • Rearrange commits with goreturns (211b43b)

0.25.1 (2018-10-23)

Documentation

  • Updates issue and pull request templates (#313) (53c7b55)
  • Updates issue and pull request templates (#314) (73ae623)
  • Updates issue and pull request templates (#316) (64299bb)

Unclassified

  • handler/openid: Populate at_hash in explicit/refresh flows (#315) (189589c), closes #315
  • Fix typo in README.md (#312) (dcb83ae), closes #312

0.25.0 (2018-10-08)

Unclassified

  • Fix broken go modules tests (#311) (02ea4b1), closes #311
  • Switch from dep to go modules (#310) (ac46a67), closes #310

0.24.0 (2018-09-27)

Unclassified

  • Propagate context in jwt strategies (#308) (e1e18d6), closes #308 #307
  • Use test tables for Hasher unit tests (#306) (499af11), closes #306

0.23.0 (2018-09-22)

Unclassified

  • Add breaking change to the Hasher interface to the change log (805e0e9)
  • Update BCrypt to adhere to new Hasher interface (938e50a)
  • Update Hasher to take in context (02f19fa)

0.22.0 (2018-09-19)

Unclassified

  • Update JWTStrategy to take in context (#302) (514fdbd)
  • Update PR template (3920be2)
  • Add github issue and PR templates (b630f54)

0.21.5 (2018-08-31)

Unclassified

  • Allow JWT from id_token_hint to be expired (#299) (1ad9cd3)

0.21.4 (2018-08-26)

Unclassified

  • token/hmac: Add ability to rotate HMAC keys (#298) (2134650), closes #298

0.21.3 (2018-08-22)

Unclassified

  • Pass ID Token configuration to strategy (#297) (a07ce27):

    Resolves an issue where expiry and issuer were not properly configurable in the strategy.

    See ory/hydra#985

0.21.2 (2018-08-07)

Unclassified

  • Validate id_token_hint only via ID claims (#296) (0fcbfea)

0.21.1 (2018-07-22)

Unclassified

  • Improve token_endpoint_auth_method error message (#294) (7820fb2), closes #294

  • Gofmt (#290) (f02884b):

    Run standard gofmt command on project root.

    • go version go1.10.3 darwin/amd64

0.21.0 (2018-06-23)

Documentation

  • Fixes header image in README (4907d60)

Unclassified

  • Makes error messages easier to debug for end-users (5688a1c)

  • Adds errors for request and registration parameters (920ed71)

  • Adds OIDC request/request_uri support (c7abcca)

  • Adds private_key_jwt authentication method (baa4cf1)

  • Adds proper error responses to request object (f483262)

  • Disallow empty response_type in request (cf2eb85)

  • Do not require id_token response type for auth_code (#288) (edc4910):

    Before this patch, the id_token response type was required whenever an ID Token was requested. This patch changes that.

  • Implements oidc compliant response_type validation (f950b9e)

  • Return unsupported_response_type in validator (a24708e)

  • Uses JWTStrategy in oauth2.DefaultStrategy (e2d2e75)

  • Uses JWTStrategy interface in openid.DefaultStrategy (517fdc5), closes #252

0.20.3 (2018-06-07)

Unclassified

  • Allows multipart content type as alternative to x-www-form-urlencoded (#285) (2edf8f8), closes #285

0.20.2 (2018-05-29)

Unclassified

0.20.1 (2018-05-29)

Unclassified

  • Uses query instead of fragment when handling unsupported response type (#282) (57b1471), closes #282
  • Updates upgrade guide (a958ab8)

0.20.0 (2018-05-28)

Unclassified

  • Resolves several issues related to revocation (#281) (72bff7f), closes #278 #280:

    This patch resolves several issues related to token revocation as well as duplicate authorize code usage:

    • oauth2: Revoking access or refresh tokens should revoke past and future tokens too
    • oauth2: Revoke access and refresh tokens when authorize code is used twice

    Additionally, this patch resolves an issue where refreshing a token would not revoke previous tokens.

  • Sets audience to a string array (#279) (2d58a58), closes #215

0.19.8 (2018-05-24)

Unclassified

  • Fixes implicit detection in error writer (#277) (608bf5f)

0.19.7 (2018-05-24)

Unclassified

  • Use claims.RequestedAt for a reference of "now" (#276) (91e7a4c):

    Previously, time.Now() was used to get a reference of "now". However, this caused short max_age values to fail if, for example, the consent screen took a long time. This patch now uses the "requested_at" claim value to determine a sense of "now" which should resolve the mentioned issue.

0.19.6 (2018-05-24)

Unclassified

  • Issue ID Token on implicit code flow as well (180c749)

0.19.5 (2018-05-23)

Unclassified

  • Add JTI to counter missing nonce (28822d7)
  • Enforce nonce on implicit/hybrid flows (3b44eb3)

0.19.4 (2018-05-20)

Unclassified

  • Checks scopes before dispatching handlers (#272) (0f18305)

0.19.3 (2018-05-20)

Unclassified

  • Resolves timing issues in JWT strategy (#271) (aaec994)

0.19.2 (2018-05-19)

Unclassified

  • Resolves timing issues by setting now to the future (#270) (e9339d7)

0.19.1 (2018-05-19)

Unclassified

  • Improves validation errors and uses UTC everywhere (#269) (eee3dad)

0.19.0 (2018-05-17)

Unclassified

  • Improves prompt, max_age and id_token_hint validation (#268) (7ccad77):

    This patch improves the OIDC prompt, max_age, and id_token_hint validation.

0.18.1 (2018-05-01)

Unclassified

  • Adds a validator used to validate OIDC parameters (#266) (91c9d19):

    The validator, for now, validates the prompt parameter of OIDC requests.

0.18.0 (2018-04-30)

Unclassified

0.17.2 (2018-04-26)

Unclassified

  • Regression fix for request ID in refresh token flow (#262) (99029e0)
  • handler/oauth2: Returns request unauthorized error on invalid password credentials (#261) (cca6af4), closes #261

0.17.1 (2018-04-22)

Unclassified

  • Adds ExactScopeStrategy (#260) (0fcdf33):

    The ExactScopeStrategy performs a simple string match (case sensitive) of scopes.

0.17.0 (2018-04-08)

Documentation

Unclassified

  • Sanitizes request body before sending it to the storage adapter (#258) (018b5c1):

    This release resolves a security issue (reported by platform.sh) related to potential storage implementations. This library used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused, with the addition of enabling POST-body based client authentication, the client secret to be leaked.

    The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This led to two breaking changes in the API:

    1. The fosite.Requester interface has a new method Sanitize(allowedParameters []string) Requester which returns a sanitized clone of the method receiver. If you do not use your own fosite.Requester implementation, this won't affect you.
    2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods to be added work exactly like, for example, CreateAuthorizeCodeSession. The method signatures are as follows:

    type PKCERequestStorage interface {
    	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
    	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
    	DeletePKCERequestSession(ctx context.Context, signature string) error
    }

    We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.

    We would like to thank platform.sh for sponsoring the development of a patch that resolves this issue.

0.16.5 (2018-03-17)

Documentation

  • Resolves minor code documentation misspellings (#248) (c580d79)
  • Resolves minor spelling mistakes (#250) (7fbd246)
  • Updates chat badge to discord (b6380be)

Unclassified

  • Adds email to license notice (77fa262)
  • Improves debug messages (#254) (338399b)
  • Updates license header (85bdbcb)
  • Updates license notice (917401c)
  • Updates years in license headers (77df218)
  • Updates years in license headers (d8458ab)
  • docs : Fixes typo in README (#249) (d05fadf), closes #249

0.16.4 (2018-02-07)

Unclassified

  • Adds PKCE implementation for none and S256 (#246) (4512853), closes #213:

    This patch adds support for PKCE (https://tools.ietf.org/html/rfc7636) which is used by native apps (mobile) and prevents eavesdropping attacks against authorization codes.

    PKCE is enabled by default but not enforced. Challenge method plain is disabled by default. Both settings can be changed using compose.Config.EnforcePKCE and compose.Config.EnablePKCEPlainChallengeMethod.

0.16.3 (2018-02-07)

Unclassified

  • Adds missing http header to response writer (#247) (f345ec1), closes #209:

    The introspection response writer was missing application/json in header Content-Type. This patch fixes that.

0.16.2 (2018-01-25)

Unclassified

  • Decodes of Basic Authorization username/password (#245) (b94312e)

0.16.1 (2017-12-23)

Unclassified

  • Makes SendDebugMessages first class citizen (#243) (1ef3041)

0.16.0 (2017-12-23)

Unclassified

  • Adds ability to forward hints and debug messages to clients (#242) (7216c4f), closes #242

0.15.6 (2017-12-21)

Unclassified

  • handler/oauth2: Adds offline_access alias for refresh flow (2aa8e70)

0.15.5 (2017-12-17)

Unclassified

  • Returns the correct error on duplicate auth code use (95d5f58)

0.15.4 (2017-12-17)

Unclassified

  • Improves http error codes (6831f75)

0.15.3 (2017-12-17)

Unclassified

  • Resolves overriding auth_time with wrong value (c85b32d)

0.15.2 (2017-12-10)

Unclassified

  • Adds ability to catch non-conformant OIDC authorizations (97fbeb3):

    Fosite is now capable of detecting authorization flows that are not conformant with the OpenID Connect spec.

  • Forces use of UTC time zone everywhere (4c7e4e5)

0.15.1 (2017-12-10)

Unclassified

  • token/jwt: Adds ability to specify acr value natively in id token payload (b87ca49)

0.15.0 (2017-12-09)

Documentation

Unclassified

  • Upgrades history.md (87c37c3)
  • Improves test coverage report by removing internal package from it (831f56a)
  • Resolves test issues and reverts auth code revocation patch (59fc47b)
  • Improves error debug messages across the project (7ec8d19)
  • Allows client credentials in POST body and solves public client auth (392c191), closes #231 #217
  • Updates mocks and mock generation (1f9d07d)
  • handler/oauth2: Adds token revocation on authorize code reuse (2341dec)
  • handler/oauth2: Improves authorization code error handling (d6e0fbd)

0.14.2 (2017-12-06)

Unclassified

  • Makes use of rfcerr in access error endpoint writer explicit (701d850)

0.14.1 (2017-12-06)

Unclassified

  • Exports ErrorToRFC6749Error again (#228) (8d35b66), closes #228

0.14.0 (2017-12-06)

Unclassified

  • Simplifies error contexts (#227) (8961d86), closes #227:

    Simplifies how errors are instantiated. Errors now contain all necessary information without relying on fosite.ErrorToRFC6749Error any more. fosite.ErrorToRFC6749Error is now an internal method and was renamed to fosite.errorToRFC6749Error.

0.13.1 (2017-12-04)

Unclassified

  • handler/oauth2: Client IDs in revocation requests must match now (#226) (83136a3), closes #226 #225
  • Update go version (#220) (ff751ee)
  • Add license header to all source files (#222) (dd9398e), closes #222 #221

0.13.0 (2017-10-25)

Unclassified

0.12.0 (2017-10-25)

Unclassified

  • Add 0.12.0 to TOC (a2e3a47)
  • Add format helper scripts (92c73ae)
  • Add goimports to install section (4f5df70)
  • Fix goimports import path (65743b4)
  • Format files with goimports (c87defe)
  • Replace nil checks with Error/NoError (7fe1f94)
  • Update to go 1.9 (c17222c)
  • Use go-acc and test format (47fd477)
  • token/hmac: replace custom logic with copypasta (b4b9be5)

0.11.4 (2017-10-10)

Documentation

Unclassified

  • handler/oauth2: set expiration time before the access token is generated (#216) (0911eb0), closes #216

0.11.3 (2017-08-21)

Documentation

  • Fixes documentation oauth2 variable and updates old method (#205) (fa50c80):

    It seems that the documentation was declaring as OAuth2Provider the variable oauth2Provider whereas it used a non-declared variable oauth2. I renamed oauth2 into the variable declared oauth2Provider.

    Furthermore, on line 333, the IntrospectToken method was called without the TokenType argument. I added the fosite.AccessToken type.

  • Update docs on scope strategy (68119ca)

Unclassified

  • oauth2/ropc: Set expires at for password credentials flow (#210) (461b38f), closes #210
  • oauth2/introspection: configure core validator with access only option (#208) (80cae74), closes #208
  • Add more test cases (c45a37d)

0.11.2 (2017-07-09)

Unclassified

  • Resolve haystack needle mixup - closes #201 (2c7cdff)

0.11.1 (2017-07-09)

Unclassified

  • token/jwt: add claims tests (c55d679)
  • Add tests for nil sessions (d67d52d)
  • handler/openid: only refresh id token with id_token response type (dd2463a), closes #199

0.11.0 (2017-07-09)

Unclassified

  • handler/oauth2: update docs (63f329b)
  • handler/oauth2: remove code validity check from test (664d1a6)
  • handler/oauth2: first retrieve, then validate (ab72cba)
  • handler/oauth2: set requested at date in auth code test (edd4084)
  • handler/oauth2: resolve travis time mismatch (ec6534c)
  • Gofmt (7a998fe)
  • Implement new wildcard strategy - closes #188 (e03e99e)
  • Run goimports (35941c2)
  • handler/oauth2: simplify storage interface (361b368), closes #194
  • handler/oauth2: use hmac strategy for jwt refresh tokens (#190) (56c88c0), closes #190 #180
  • handler/openid: refresh token handler for oidc (#193) (04888c5), closes #193 #181
  • Revoke access tokens when refreshing (bb74955), closes #167
  • Use deepcopy not gob encoding - closes #191 (823db5b)

0.10.0 (2017-07-06)

Unclassified

  • oauth2/introspector: remove auth code, refresh scopes (#187) (ef8f175), closes #187:

    Removes authorize code introspection in the HMAC-based strategy and now checks scopes of refresh tokens as well.

  • Separate test dependencies (#186) (71451f0):

    • vendor: Move testify to testImport
    • test: Move Assert/Require helpers to _test pkg

0.9.7 (2017-06-28)

Unclassified

  • handler/openid: remove forced nonce (#185) (6c91a21), closes #185

0.9.6 (2017-06-21)

Documentation

  • Update test command in README and CONTRIBUTING (#183) (c1ab029)

Unclassified

  • Basic auth should decode client id and secret (92b75d9), closes #182

0.9.5 (2017-06-08)

Unclassified

  • handler/oauth2: grant scopes before the access token is generated (#177) (3497260), closes #177

0.9.4 (2017-06-05)

Unclassified

  • Return with active set false on token error (#176) (82944aa)

0.9.3 (2017-06-05)

Unclassified

0.9.2 (2017-06-05)

Unclassified

  • Resolve issues with error handling (#174) (9abdfd0), closes #174:

    • errors: do not convert errors compliant with rfcerrors

    • handler/oauth2: improve redirect message for insecure http

0.9.1 (2017-06-04)

Unclassified

  • Clean up dependencies (#173) (524d3b6):

    • vendor: remove stray github.com/Sirupsen/logrus
    • vendor: remove common lib

0.9.0 (2017-06-03)

Documentation

Unclassified

  • Enable fosite composing with custom hashers. (#170) (d70d882)
  • Removed implicit storage as it's never used - closes #165 (#171) (fe74027)

0.8.0 (2017-05-18)

Documentation

  • Add notes for breaking changes that come with 0.8.0 (d5fafb8)

Unclassified

  • Added context to GetClient storage interface (#162) (974585d), closes #161

  • Removed *http.Request from interfaces that access request objects (786b971):

    • removed the requirement to *http.Request for endpoints and response object, they are resolvable through the request.GetRequestForm

    • updated readme to reflect changes to implementation

    • run goimports on internal dir added goimports command to generate-mocks.sh to force first run after generating the mock files

  • Set authorize code expire time before persist (#166) (305a74f)

  • Set expiry date on implicit access tokens (#164) (0785b07)

0.7.0 (2017-05-03)

Documentation

  • Add breaking changes note (7d726e1)

Unclassified

0.6.19 (2017-05-03)

Unclassified

0.6.18 (2017-04-14)

Unclassified

  • Basic auth should www-url-decode client id and secret - closes #150 (ad395bf)

  • Get the token from the access_token query parameter (#156) (9edac04)

  • handler/oauth2: removes RevokeHandler from JWT introspector (#155) (344dbef), closes #155:

    • Removes RevokeHandler from JWT Introspector

    RevokeHandler has been removed because it conflicts with Stateless JWT access tokens and revocable hmac refresh tokens. The readme has been updated to warn users about possible misconfiguration.

    • Moves text back to correct section

  • Allow localhost subdomains such as blog.localhost:1234 (5e1c890)

0.6.17 (2017-02-24)

Unclassified

  • Redirect uris should ignore cases during matching - closes #144 (4b88774)
  • Update badges to ory (9b33931)
  • revert unintentional change (14a18a7)
  • make stateless validator return an error on revocation (f8f7978)
  • dont client id for aud (a39200b)
  • handler/oauth2: allow stateless introspection of jwt access tokens (c2d2ac2)

0.6.15 (2017-02-11)

Unclassified

  • Fixed typo in acccess_error (08b2242)

0.6.14 (2017-01-08)

Unclassified

0.6.13 (2017-01-08)

Unclassified

0.6.12 (2017-01-02)

Unclassified

  • Allow custom redirect url schemas (c740b70)
  • Properly wrap errors (e054b6e)

0.6.11 (2017-01-02)

Unclassified

  • C_hash / at_hash should use url-safe base64 encoding (33d4414)

0.6.10 (2016-12-29)

Unclassified

  • C_hash / at_hash should be string not byte slice (b489cc9)

0.6.9 (2016-12-29)

Documentation

  • Fix missing protocol in link in readme (#132) (37ef374)

Unclassified

  • oauth2/implicit: fix redirect url on error (435288c)

0.6.8 (2016-12-20)

Unclassified

0.6.7 (2016-12-06)

Unclassified

  • Response expires in should be int, not string (a2080a3)

0.6.6 (2016-12-06)

Unclassified

  • Add content type to error response (75aad53)
  • Add inactive token error (0151f1e)
  • Resolve broken test (51ab7bb)

0.6.5 (2016-12-04)

Unclassified

  • Always return the error (366b4c1)

0.6.4 (2016-11-29)

Unclassified

  • token/jwt: Allow single element string arrays to be treated as strings (5388e10):

    This commit allows aud to be passed in as a single element array during consent validation on Hydra. This fixes ory/hydra#314.

0.6.2 (2016-11-25)

Unclassified

  • oauth2/introspection: endpoint responds to invalid requests appropriately (#126) (9360f64), closes #126

0.6.1 (2016-11-17)

Unclassified

  • Resolve issues with token introspection and sessions (895d169)

0.6.0 (2016-11-17)

Unclassified

0.5.1 (2016-10-22)

Unclassified

  • handler/oauth2: set JWT ExpiresAt claim per TokenType from the session (#121) (66170ae), closes #121
  • oauth2/introspection: do not include the session in the response (daad271)

0.5.0 (2016-10-17)

Unclassified

0.4.0 (2016-10-16)

Documentation

  • Add danilobuerger and jrossiter to hall of fame (f864e26)
  • Add offline note to readme (60a7672)
  • Document reasoning for interface{} in compose package - closes #94 (f193012)

Unclassified

  • Allow public clients to access token endpoint - closes #78 (cbe433e)
  • Clean up, resolve broken tests (1041e67)
  • Flatten package hierarchy and merge files - closes #93 (9b7ba80)
  • Reduce third party dependencies - closes #116 (5ec5cff)
  • Split library and example - closes #92 (6d76d35)

0.3.6 (2016-10-07)

Unclassified

  • Added refresh token generation for password grant type (#107) (81c3cbd):

    • oauth2: added refresh token generation for password grant type when offline scope is requested

0.3.5 (2016-10-06)

Unclassified

  • handler/oauth2: resolve issues with refresh token flow (#110) (bef6197), closes #110 #109 #108
  • Add tests to request state (8c7c77e)

0.3.4 (2016-10-04)

Unclassified

  • handler/oauth2: refresh token does not migrate original access data - closes #103 (#104) (8ffa0bc), closes #103 #104

0.3.3 (2016-10-03)

Documentation

  • Fix reference to store example in readme (#87) (b1e2cda)

Unclassified

  • Scopes should be separated by %20 and not +, to ensure javascript compatibility - closes #101 (#102) (e61a25f)

0.3.2 (2016-09-22)

Unclassified

  • Resolves an issue with the explicit token flow (aa1b854)

0.3.1 (2016-09-22)

Unclassified

0.3.0 (2016-08-22)

Unclassified

  • HierarchicScopeStrategy wrongly accepts missing scopes (7faee6b)
  • Jwt-go is now v3.0.0 (#77) (76ef7ea)

0.2.4 (2016-08-09)

Unclassified

  • Resolve race condition and package fosite with glide (66b53a9)

0.2.3 (2016-08-08)

Unclassified

  • Commit missing lock file (be30574)

0.2.2 (2016-08-08)

Unclassified

  • Updated go-jwt to use semver instead of gopkg (3b66309)

0.2.1 (2016-08-08)

Unclassified

  • Remove unused fields and methods from client (5f1851b)
  • Resolved package naming issue (4d1caeb)

0.2.0 (2016-08-06)

Unclassified

0.1.0 (2016-08-01)

Code Refactoring

Documentation

  • Add -d option to go get (0e63038)

  • Define implicitHandler (745a4df):

    Someone forgot to rename the variable name when copy-pasting in the example.

  • Document new token generation and validation (ddef55b)

  • Drafted workflows (4ad1d14)

  • Explain what handlers are (48ca03b)

  • Fix typos in readme (b9ed7ac)

  • Readme (a5aa697)

  • Readme (f77fd41)

  • Readme (e143d8c)

  • Readme (d483568)

  • Updated authorize section (9c21afb)

  • Updated readme docs (336a2cd)

Unclassified

  • Add api stability section (3ca6ec9)

  • Add go-rethink tags (49c82bc)

  • Add ValidateToken to CoreValidator (4c2b9d8)

  • Added go 1.6 (ae41a0a)

  • Added grant and response type validation (f524fc2)

  • Added json and gorethink tags (99c836c)

  • Added missing file (8fc1615)

  • Added owner method (78012ed)

  • Api cleanup, gofmt (3d6e8b6)

  • Finished up integration tests (a6d027e)

  • Fix broken test (653e324)

  • Fix config (82e9332)

  • Fix deps (bcc6a07)

  • Fix jwt strategy interface mismatch (#58) (4d0a545)

  • Fix unique scope tests (3ac3a79)

  • Fixed granted scope match (13b7efa)

  • Fixed racy tests (f0b691d)

  • Generic claims and headers (1f2e97f)

  • Glide (#43) (de85e2a)

  • Godep save (c457104)

  • Goimports (8b9816c)

  • Goimports (96be194)

  • Implemented validator for access tokens (4140422)

  • Implicit handlers do not require tls over https (#61) (6c40c08), closes #60

  • Improve handling of expiry and include a protected api example (dfb047d)

  • Improve strategy API (21f5e8c)

  • Issue refresh token only when 'offline' scope is set (34068b9), closes #47

  • Jwt signing and client changes (#44) (fae3c96)

  • More tests (164506a)

  • No "session" secret required (d1f45ad)

  • Preview (ba84987)

  • Refactor (eb9153c)

  • Remove duplicate field (e134351)

  • Rename fields name to client_name and secret to client_secret (99ce066)

  • Replace internal import (#52) (1290282)

  • Replace pkg.ErrNotFound with fosite.ErrNotFound (4390c49)

  • Request should return unique scopes (af66918)

  • Resolve an issue where query params could be used instead of post body (7eb85c6)

  • Resolve danger of not reading enough bytes (c68a3e9)

  • Resolve id token issues with empty claims (89c60c9)

  • Resolve scope issues (#55) (9d54b98):

    handler: resolve scope issues

  • Update (88e84de)

  • Use jwt-go.v2 and fix bc break (f731d88)

  • updated gif (39c239f)

  • gofmt (f813288)

  • updated example gif (29b39ea)

  • added open id connect to example (6f0ce68)

  • added integration tests (8d47f80)

  • added doc to fix travis (a0db129)

  • Sanitized tests and apis (12c70bb)

  • Tests for client credentials flow (c13298c)

  • Tests for resource owner password credentials grant (f503615)

  • Add go report card (204c5d6)

  • Update installation instructions (201c6aa), closes #33

  • Clean-up fosite-example/main.go link in README.md (497ff80):

    The README url to the suggested example was broken.

  • Added jti as parameter to claims helper to provide better interface to developers (bde3822)

  • Added missing jti claim (26f41a0)

  • Added NOTE (64516f8)

  • Removed unnecessary print. Added bugfix from Arekkas. (96458b6)

  • Example updated (5022339)

  • Api refactor (d936c91)

  • Added working example of jwt token (9410fca)

  • Added tests. Still need to verify implementation with test (1ebdd88)

  • WIP (caaa43a)

  • readme (c97d844)

  • readme (fe24f26)

  • readme (be8cd23)

  • refactor done (unstaged) (625f168)

  • unstaged (6c616b1)

  • unstaged (17ad70b)

  • Access code request workflow finalized (0232918)

  • Added cristiangraz to the hall of fame (1b6e2b4)

  • Include user session data in all calls to storage handlers. (2be3fc1)

  • unstaged (fde7c80)

  • unstaged (e775aad)

  • unstaged (ae2fc16)

  • Access request api draft (9f482ef)

  • Added JWT generator and validator. (58acd68), closes #16

  • Added tests fragment capabilities to writeresponse (6df0eca)

  • Defined OAuth2.HandleResponseTypes (30b6e74):

    Incorporated feedback from GitHub, did refactoring and renaming, added tests

  • Finalized auth endpoint, added tests, added integration tests (c6dcb90)

  • Fixed typos (a5391de), closes #10

  • Fixed urls (58908b8)

  • handler/core: fixed tests (7f5938a)

  • Made hybrid flow optional (08ddbae)

  • core handlers: added tests (e9affb7)

  • Added authorize code grant example (269c5fa)

  • Added client grant and did some renaming (75c8179)

  • Added danielchatfield to the hall of fame (2b988a8)

  • Added go1.4 to allowed failures (49aa920)

  • Basic draft (480af91)

  • Enforce https for all redirect endpoints except localhost (d65b45a)

  • Enforce use of scopes (12d76dd), closes #14

  • Finalized token endpoint api (8de3f10)

  • Fixed tests (8bf73e3)

  • Fixed tests refactor broke (5da857b)

  • Fixed wrongfully set constant ErrTemporaryUnvailableName (71a9105), closes #9

  • Implemented all core grant types (ce0a849)

  • Implemented and documented examples (8c625c9)

  • Implemented new token generator based on hmac-sha256 (01f9ede), closes #11

  • Increased coverage (83194b6)

  • Major refactor, use enigma, finalized authorize skeleton (38bacd3), closes #8 #11

  • Refactoring, more tests (df79a81)

  • Refactoring, renaming, docs (e5476d1)

  • Refactoring, renaming, more tests (9467ca8)

  • Remove store mock (80c14f7)

  • Updated example and added implicit grant (d12fa5c)

  • authorize/explicit ✓ (d61635b)

  • authorize/explicit: minor name refactoring and tests for authorize endpoint (4736e28)

  • Renaming and refactoring (d3697bd)

  • plugin/token: fix import path (fdba2f7)

  • unstaged (f939597)

  • More test cases (1188750)

  • Moved to root package, updated docs (1871702)

  • Moved to root package, updated docs (5b9b20c)

  • Refactor, fixed tests, incorporated feedback (9e59df2)

  • Initial commit (7adad58)