
v5.0.0-rc.0

Pre-release


@jasonraimondi jasonraimondi released this 01 Jun 01:55
· 48 commits to main since this release
f09c432

This release adds OpenID Connect support and includes two breaking changes.

Breaking

  • Require Node.js 22.
  • The implicit grant now returns tokens in the URL fragment instead of the query string, as recommended by RFC 6749. Set implicitRedirectMode back to "query" to keep the old behavior:
    new AuthorizationServer(clientRepository, tokenRepository, scopeRepository, jwtService, {
      implicitRedirectMode: "query",
    });

Improvements

  • Add OpenID Connect support for the authorization code flow. Opt in with a top-level issuer and an oidc block backed by an RS256 JwtService. You get a signed id_token alongside the access token, the userInfo(), openidConfiguration(), and jwks() endpoints, and getUserClaims / getIdTokenClaims hooks to shape claims.
  • Add an RS256 JwtService with JWKS export and RFC 7638 thumbprint kid defaults.
  • JwtService.verify() now pins the expected algorithm and rejects non-object payloads. This only affects code that calls verify() directly.

This is a pre-release: npm install @jmondi/oauth2-server@next. OIDC is RS256-only, issues id_token on the authorization code flow only, and returns plain-JSON UserInfo.

v4.3.5...v5.0.0-rc.0