v3.0.0

[github-actions[bot]]

⚠ BREAKING CHANGES

• build target is now ES2022
• jweDecrypt is no longer an allowed symbol on the Client interface, it is instead an option passed to functions that may encounter encrypted assertions
• specifying Ed448 curve for EdDSA is no longer supported, EdDSA is now just an alias for the fully-specified Ed25519 JWS algorithm
• assertions signed with an Ed25519 CryptoKey will now use the Ed25519 JWS alg value instead of EdDSA. This can be reverted using the modifyAssertion symbol export
• the audience of a Private Key JWT and Client Secret JWT client assertions is now just the issuer identifier
• remove modifyAssertion from the PrivateKey interface
• optional (non-repudiation) signature validation of ID Token JWS Signatures is now done the same way as JWT UserInfo and JWT Introspection is done, with a Response instance rather than a TokenEndpointResponse object
• validateJwtIntrospectionSignature is now validateApplicationLevelSignature
• validateJwtUserInfoSignature is now validateApplicationLevelSignature
• validateIdTokenSignature is now validateApplicationLevelSignature
• DPoP request options are now obtained by calling the DPoP() exported function. This returns a handle that also maintains its own LRU nonce caches
• client authentication is now an explicit argument to authenticated functions
• processAuthorizationCodeOpenIDResponse() method was removed in favour of processAuthorizationCodeResponse()
• processAuthorizationCodeOAuth2Response() method was removed in favour of processAuthorizationCodeResponse()
• All grant functions that execute against the Token Endpoint will now validate ID Token when there is one in the response. This has already been the behaviour of functions such as processRefreshTokenResponse() or processDeviceCodeResponse()
• Presence of auth_time is now required in all ID Tokens if client.default_auth_time is set
• encode client_secret_basic - _ . ! ~ * ' ( ) characters
• remove all deprecated options
• remove the useMtlsAlias symbol and options
• all functions now reject interacting with non-TLS HTTP endpoints. You can use the allowInsecureRequests in the HttpRequestOptions interface to revert this behaviour.
• removed the isOAuth2Error() helper, all functions that used to possibly return an OAuth2Error now reject with ResponseBodyError or AuthorizationResponseError instead
• removed parseWwwAuthenticateChallenges(), all functions verify process Response now reject with WWWAuthenticateChallengeError instead
• removed protectedResourceRequest() now rejects with WWWAuthenticateChallengeError when the Response has one

Features

• add a counterpart process method to genericTokenEndpointRequest (848f3f6)
• add a helper function for DPoP retry management (06493e3)
• add support for client_secret_jwt (cf85fd6)
• add support for code id_token response without FAPI 1.0 s_hash (eebb4f1)
• add unified authorization code method (07d4ff9)
• allow setting expected JWT algorithms in validateJwtAccessToken (8f20f91)

Fixes

• encode client_secret_basic - _ . ! ~ * ' ( ) characters (cd5bbc1)
• types: infer CryptoKey type for @types/node types' sake (d126f1f)

Documentation

• add more examples (dcaf056)
• export and document error codes (364cbd8)
• hide the error constructors (a1cb7f8)
• minor touch ups (fee6790)
• re-generate API reference docs (c4a7f64)
• update client auth method docs (ef8fe9f)
• update examples due to changes (f24b39d)
• update examples due to changes (fcd3c3e)
• update groups, properties (329876a)
• update inline examples (33ee2b0)
• update README.md (0bd2e56)
• update several examples and add descriptions to DAG (dd99b9a)

Refactor

• add a source map, update pkg exports (0232cf2)
• add causes and codes to "is not a conform" errors (a0b19c5)
• add claim/attribute names to error reasons (fe11bdc)
• add more error messages and update codes (038b44a)
• add OperationProcessingError code and cause when wrong callback method is used (9d4c546)
• added codes and reasons to as many errors as possible (bce81b4)
• allow and document tls client auth methods (f0e7919)
• better type for oauth.customFetch implementations, updated examples (a06efb5)
• build target is now ES2022 (8af3e9f)
• changed the default client authentication (4fe3f2c)
• client authentication is now an explicit argument to authenticated functions (cefcf32)
• future proof Ed25519 (ac0550d)
• improve tree-shaking of JWT claims verification (60b7dcf)
• jweDecrypt is now an option on the functions that support it (d7e8482)
• keep all OAuthError properties (fce528e)
• make DPoP implementation tree-shakeable (1fca2a3)
• private_key_jwt audience is now only the issuer identifier (f388ba8)
• push id token required claims straight to jwt validation (ec45b61)
• reject requests to non-HTTPS endpoints by default (4829da6)
• remove all deprecated options (137a547)
• remove modifyAssertion from the PrivateKey interface (4d8b9e8)
• remove the useMtlsAlias symbol and options (cd5ed0d)
• remove the weird use of JWSAlgorithm type (970e3b6)
• removed the parseWwwAuthenticateChallenges export (5fa774d)
• resolve only successful responses (0f8bcc3)
• unify validating endpoints and checking their protocols (e16254f)
• update the CryptoKey workarounds without affecting docs (0d3b05a)
• userInfoRequest should not reject www-authenticate (e373ec3)
• validating ID Token signatures is now done with a Response (d71bc2c)

---

This discussion was created from the release v3.0.0.