v2.17.1 (2023-11-02)
Fixed
- Honor params passed to logout over defaults #533 (adamjmcgrath)
v2.17.0 (2023-09-15)
Added
- OIDC Back-Channel Logout #484 (adamjmcgrath)
v2.16.0 (2023-05-05)
Added
- [SDK-4135] Add Pushed Authorization Requests #470 (adamjmcgrath)
v2.15.0 (2023-04-19)
Added
v2.14.0 (2023-04-13)
Added
- Add httpAgent option #458 (adamjmcgrath)
v2.13.0 (2023-03-28)
Added
- [SDK-3873] Discovery cache max age #449 (adamjmcgrath)
v2.12.1 (2023-03-10)
Fixed
- [SDK-3887] Always honor auth0Logout config #447 (adamjmcgrath)
v2.12.0 (2023-01-24)
Added
- [SDK-3911] Add support for providing a custom callback route #438 (ewanharris)
Fixed
- Use custom client assertion signing alg #437 (adamjmcgrath)
v2.11.0 (2022-12-08)
Added
- [SDK-3808] Optionally sign the session store cookie #419 (adamjmcgrath)
Fixed
- Remove dependency on
cb
lib #424 (kmannislands)
v2.10.0 (2022-11-11)
Added
- Add option to override transaction cookie name #414 (MatthewBacalakis)
v2.9.0 (2022-10-17)
Added
- [SDK-3717] Add cookie prop to support more express-session stores #395 (adamjmcgrath)
v2.8.0 (2022-07-20)
Added
- [SDK-3503] Add *_jwt token endpoint auth methods #376 (adamjmcgrath)
v2.7.3 (2022-06-29)
Fixed
- discovery errors should be handled in express middleware #371 (adamjmcgrath)
- Allow periods in cookie name #350 (moberegger)
v2.7.2 (2022-03-29)
Security
- URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect GHSA-7p99-3798-f85c
v2.7.1 (2022-02-24)
Fixed
v2.7.0 (2022-02-17)
Added
- [SDK-3109] Add ability to pass custom logout params #329 (adamjmcgrath)
- [SDK-3111] Add Oauth error props to http error when available #328 (adamjmcgrath)
- [SDK-3110] Allow customising the UA header in client reqs #327 (adamjmcgrath)
- allow configuration of same site attribute on auth_verification cookie #323 (BitPatty)
Changed
- Looser cookie name validation #330 (adamjmcgrath)
v2.6.0 (2022-01-31)
Added
- Add cross domain iframe support for modern browsers #317 (adamjmcgrath)
v2.5.2 (2021-12-09)
Security
- Session fixation fix CVE-2021-41246
Fixed
- Fix refresh signature in ts defs #294 (adamjmcgrath)
v2.5.1 (2021-09-28)
Fixed
- Fix cookie chunking #275 (adamjmcgrath)
2.5.0 (2021-07-14)
Added
Fixed
- Chunked cookies should not exceed browser max #237 (davidpatrick)
2.4.0 (2021-05-11)
Added
- Swallor error on silent auth #230 (adamjmcgrath)
- Token Endpoint Parameters #228 (davidpatrick)
2.3.1 (2021-04-09)
Fixed
- Set cookie headers on header write (before res.end) #214 (adamjmcgrath)
- Prompt should be passed as an auth param #217 (adamjmcgrath)
2.3.0 (2021-03-10)
Added
- Custom session stores #190 (davidpatrick)
2.3.0-beta.0 (2021-02-23)
To install: npm install express-openid-connect@beta
Added
- Custom session stores #190 (davidpatrick)
2.2.1 (2021-01-25)
Fixed
- missing base64url dependency #180 (adamjmcgrath)
2.2.0 (2021-01-14)
Added
- afterCallback Hook #171 (davidpatrick)
Changed
- Move transient cookies into single cookie #168 (davidpatrick)
- Use native node hkdf when available (Node >=15) #177 (panva)
2.1.0 (2020-12-15)
Changed
- Default cookie.secure config to the protocol of baseURL #159 (adamjmcgrath)
Fixed
- Fix session.cookie TS definitions #157 (adamjmcgrath)
2.0.0-beta.0 (2020-08-31)
For a full list of breaking changes and migration guide, checkout https://github.com/auth0/express-openid-connect/blob/master/V2_MIGRATION_GUIDE.md
Breaking Changes
- postLogoutRedirect and response_type check #123 (adamjmcgrath)
- Logout returnTo param #115 (adamjmcgrath)
- Session duration behaviour #114 (adamjmcgrath)
- Update Session cookie #111 (adamjmcgrath)
- Configuration and API updates #109 (adamjmcgrath)
- Update token set #108 (adamjmcgrath)
Added
- attemptSilentLogin feature #121 (adamjmcgrath)
- Add refresh method to access token #124 (adamjmcgrath)
- Architecture #128 (adamjmcgrath)
v1.0.2 (2020-05-12)
Fixed
- Fix returnTo on Login #95 (davidpatrick)
v1.0.1 (2020-04-17)
Fixed
- Fix issue where authz header was overridden in code exchange #86 (adamjmcgrath)
v1.0.0 (2020-03-30)
Added
- Allow to opt-out from sending SDK Telemetry #78 (adamjmcgrath)
Changed
- Change the default session duration to 1 day #80 (adamjmcgrath)
Fixed
- Fix case where APP_SESSION_SECRET is set and appSession is not #74 (adamjmcgrath)
- Fix cookie options case #76 (adamjmcgrath)
v0.8.1 (2020-03-02)
Fixed
- Remove returnTo parameter for logout #72 (joshcanhelp)
v0.8.0 (2020-02-26)
This release contains a breaking change for all applications. Please see the PR below for migration info.
Changed
- App session settings #68 (joshcanhelp)
v0.7.0 (2020-02-18)
Added
- Update TS defs for config functions #65 (joshcanhelp)
- Register Express as a peer dependency #63 (stevehobbsdev)
- Add custom state handling #60 (joshcanhelp)
Changed
- Merge seperate config schemas #57 (joshcanhelp)
- Update hapi to v16 and fix breaking changes #56 (joshcanhelp)
- Update hapi/joi to 15.x; update other deps to minor/patch #51 (joshcanhelp)
Fixed
- Additional allowed cookieOptions #53 (joshcanhelp)
- Fix TS definition for appSessionSecret #52 (joshcanhelp)
- Fix post logout redirect, add config for default #40 (balazsorban44)
v0.6.0 (2020-01-14)
Breaking changes in this release:
This release includes important changes to user session and token handling which will require an update for all applications.
First, a new, required configuration key - appSessionSecret
(changed to appSession.secret
in v0.8.0) - has been added. The value here will be used to generate keys which are in turn used to encrypt the user identity returned from the identity provider. This encrypted and signed identity is stored in a cookie and used to populate the req.openid.user
property, as before. This key should be set to either a secure, random value to use this built-in session or false
to provide your own custom application session handling. A value for this can be generated with openssl
like so:
❯ openssl rand -hex 32
f334eb9ee5898101f90047ec46f18c2f4c082f5eeef109920d6b0fc5b79b6f29
As part of these changes, a session middleware is no longer required for this library. One can be added and used for application session and tokens (see above and below, respectively) but initialization will no longer fail if one is not present.
Additionally, tokens returned from the identity provider will no longer be stored in a session middleware automatically. If your application requires access, refresh, or ID tokens to be retrieved and stored (not just the user identity), you will need to provide a method for that storage in version 0.6.0 and beyond. See our examples page for guidance.
Closed issues
- "legacySameSiteCookie" for auth config params is not yet available in the typings file. #44
- Validate configured routes #21
Added
- Add path validation #47 (joshcanhelp)
- Add typescript defs new config #46 (joshcanhelp)
- Add SameSite support #39 (joshcanhelp)
- Add custom callback handling #37 (joshcanhelp)
- Add body parser to login and callback route #33 (davidpatrick)
Changed
- Change session and token handling #42 (joshcanhelp)
v0.5.0 (2019-10-17)
Closed issues
- Removal of automatic refresh #11
Added
- Add configurable HTTP options #29 (joshcanhelp)
- add typescript types #27 (jbarrus)
- Add telemetry to HTTP requests #23 (joshcanhelp)
- feat: allow custom login and logout paths #14 (joshcanhelp)
Changed
- Update default leeway and re-write API documentation #30 (joshcanhelp)
v0.4.0 (2019-09-26)
Important note: This release bumps the minimum Node version required to ^10.13.0
.
Closed issues
Changed
Removed
- Remove debugging callbacks #17 (joshcanhelp)