
v5.0.0-rc.2

Pre-release


@jasonraimondi jasonraimondi released this 08 Jun 02:12
· 31 commits to main since this release
63bc157

Added

  • Add the introspectionRequiresConfidentialClient option (default true) to control whether the Token Introspection endpoint (RFC 7662 §4) rejects public clients. Set it to false to allow public clients to introspect their own tokens.

Changed

  • BREAKING: The Token Introspection endpoint now requires a confidential client by default (RFC 7662 §4), rejecting public clients with invalid_client. Opt out with introspectionRequiresConfidentialClient: false.
  • The revoke (RFC 7009) and introspect (RFC 7662) endpoints now authenticate the client itself: its client_id, plus its client_secret when the client is confidential. Previously they only checked that the client was enabled for the client_credentials grant, which is a question about the token endpoint, not about who is calling. (#233)

Fixed

  • Token revocation no longer rejects legitimate clients that are not authorized for the client_credentials grant. A public PKCE SPA or an auth-code-only confidential client can now revoke its own tokens; previously the grant-membership check refused them. (#233)
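The following is an added example, not code from this project: a small stand-alone model of the two behaviours the notes contrast (the old "is this client enabled for client_credentials?" gate versus authenticating the caller's identity and secret), with the introspectionRequiresConfidentialClient switch applied to a public client. The client and token records, the error class, and the rule that a public client may only introspect or revoke its own tokens are assumptions made for this illustration; the library's real repositories and request/response types are not used here.

```typescript
import { timingSafeEqual } from "node:crypto";

// Assumed shapes for this example only (not the library's types).
interface Client {
  id: string;
  secret?: string;          // undefined => public client (e.g. a PKCE SPA)
  allowedGrants: string[];  // grants the client may use at the token endpoint
}
interface StoredToken { token: string; clientId: string; revoked: boolean }
interface ServerOptions { introspectionRequiresConfidentialClient: boolean }
interface ClientAuth { client_id?: string; client_secret?: string }

export class OAuthError extends Error {
  constructor(readonly error: string, description: string) { super(description); }
}

// Constructed sample data: a public PKCE SPA, an auth-code-only confidential
// client, and a service client that is the only one enabled for client_credentials.
export const clients: Record<string, Client> = {
  spa: { id: "spa", allowedGrants: ["authorization_code"] },
  web: { id: "web", secret: "web-secret", allowedGrants: ["authorization_code"] },
  svc: { id: "svc", secret: "svc-secret", allowedGrants: ["client_credentials"] },
};
export const tokens: StoredToken[] = [
  { token: "tok-spa", clientId: "spa", revoked: false },
  { token: "tok-web", clientId: "web", revoked: false },
];

// Length check leaks only the secret's length; the byte comparison is constant-time.
function secretsMatch(expected: string, supplied: string): boolean {
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && timingSafeEqual(a, b);
}

// The pre-#233 gate: asks whether the client may use client_credentials. That is a
// token-endpoint question, so the SPA and the auth-code-only client both fail it.
export function authorizeByGrantMembership(clientId: string): Client {
  const client = clients[clientId];
  if (!client || !client.allowedGrants.includes("client_credentials")) {
    throw new OAuthError("invalid_client", "client is not enabled for client_credentials");
  }
  return client;
}

// The post-#233 rule: authenticate the caller. A public client proves only its
// client_id; a confidential client must also present a matching client_secret.
export function authenticateClient(body: ClientAuth): Client {
  const client = body.client_id ? clients[body.client_id] : undefined;
  if (!client) throw new OAuthError("invalid_client", "unknown client");
  if (client.secret !== undefined) {
    if (!body.client_secret || !secretsMatch(client.secret, body.client_secret)) {
      throw new OAuthError("invalid_client", "client authentication failed");
    }
  }
  return client;
}

// RFC 7009: unknown tokens are still answered with success; a client may only
// revoke tokens issued to it (assumed policy for this example).
export function revoke(body: ClientAuth & { token: string }): "ok" {
  const client = authenticateClient(body);
  const stored = tokens.find((t) => t.token === body.token);
  if (!stored) return "ok";
  if (stored.clientId !== client.id) {
    throw new OAuthError("unauthorized_client", "token was issued to another client");
  }
  stored.revoked = true;
  return "ok";
}

// RFC 7662 §4: the endpoint requires an authenticated caller; by default a
// public client is refused with invalid_client. With the option set to false a
// public client may introspect, but only its own tokens (assumed policy).
export function introspect(
  body: ClientAuth & { token: string },
  opts: ServerOptions = { introspectionRequiresConfidentialClient: true },
): { active: boolean; client_id?: string } {
  const client = authenticateClient(body);
  const isPublic = client.secret === undefined;
  if (opts.introspectionRequiresConfidentialClient && isPublic) {
    throw new OAuthError("invalid_client", "introspection requires a confidential client");
  }
  const stored = tokens.find((t) => t.token === body.token);
  if (!stored || stored.revoked) return { active: false };
  if (isPublic && stored.clientId !== client.id) return { active: false };
  return { active: true, client_id: stored.clientId };
}
```

Running it end to end: the SPA fails the old grant-membership gate but, under the new rule, revokes tok-spa with nothing more than its client_id; the confidential web client is refused until it sends its secret; and the SPA's introspection call is rejected with invalid_client unless the server was configured with introspectionRequiresConfidentialClient: false.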