atproto/packages/oauth/oauth-client/CHANGELOG.md

@atproto/oauth-client

0.6.1

Patch Changes

• #4896 087515e Thanks @matthieusieben! - Allow using an oauth provider (e.g. Entryway) instead of a PDS url to initiate an OAuth sign-in/sign-up

0.6.0

Minor Changes

• #4642 a23d132 Thanks @matthieusieben! - Remove support for legacy session data that does not contain authMethod.

• #4642 a23d132 Thanks @matthieusieben! - Remove dependency on EventTarget (missing in some environments)

Patch Changes

• #4642 a23d132 Thanks @matthieusieben! - Delete any pre-existing OAuth session when a new one is created (for a given sub)

• #4642 a23d132 Thanks @matthieusieben! - Avoid throwing errors when trying to revoke a missing or invalid session

0.5.14

Patch Changes

• Updated dependencies [d54d707, d54d707]:
  • @atproto/did@0.3.0
  • @atproto-labs/did-resolver@0.2.6
  • @atproto-labs/handle-resolver@0.3.6
  • @atproto/oauth-types@0.6.2
  • @atproto-labs/identity-resolver@0.3.6

0.5.13

Patch Changes

• Updated dependencies [2f78893, 2f78893]:
  • @atproto-labs/identity-resolver@0.3.5
  • @atproto/did@0.2.4
  • @atproto-labs/did-resolver@0.2.5
  • @atproto-labs/handle-resolver@0.3.5
  • @atproto/oauth-types@0.6.1

0.5.12

Patch Changes

• Updated dependencies [95ef3c2, 5d8e7a6]:
  • @atproto/oauth-types@0.6.0

0.5.11

Patch Changes

• Updated dependencies []:
  • @atproto/xrpc@0.7.7

0.5.10

Patch Changes

• Updated dependencies [8012627, d396de0]:
  • @atproto/did@0.2.3
  • @atproto-labs/did-resolver@0.2.4
  • @atproto-labs/handle-resolver@0.3.4
  • @atproto/oauth-types@0.5.2
  • @atproto-labs/identity-resolver@0.3.4

0.5.9

Patch Changes

• Updated dependencies [261968fd6, 261968fd6, 261968fd6, 261968fd6]:
  • @atproto-labs/identity-resolver@0.3.3
  • @atproto-labs/handle-resolver@0.3.3
  • @atproto-labs/did-resolver@0.2.3
  • @atproto/did@0.2.2
  • @atproto/oauth-types@0.5.1
  • @atproto/xrpc@0.7.6

0.5.8

Patch Changes

• Updated dependencies [8ff5ec4ca, 8ff5ec4ca, 8ff5ec4ca]:
  • @atproto/oauth-types@0.5.0

0.5.7

Patch Changes

• #4220 fefe70126 Thanks @matthieusieben! - Use core-js to polyfill Symbol.dispose

• #4216 09439d7d6 Thanks @matthieusieben! - Use AbortSignal.timeout to generate timeout based signals

• Updated dependencies [09439d7d6, f560cf226, fefe70126, f560cf226, f560cf226, 09439d7d6, f560cf226, 09439d7d6, 09439d7d6]:

  • @atproto/oauth-types@0.4.2
  • @atproto/jwk@0.6.0
  • @atproto/did@0.2.1
  • @atproto-labs/did-resolver@0.2.2
  • @atproto-labs/handle-resolver@0.3.2
  • @atproto-labs/identity-resolver@0.3.2

0.5.6

Patch Changes

• Updated dependencies []:
  • @atproto/xrpc@0.7.5

0.5.5

Patch Changes

• #4150 86c4699da Thanks @matthieusieben! - Remove redirect_uri validation on the client because it does not properly match loopback redirect uris

• Updated dependencies [f9dc9aa4c, f9dc9aa4c, f9dc9aa4c, f9dc9aa4c, f9dc9aa4c, f9dc9aa4c, f9dc9aa4c]:

  • @atproto/did@0.2.0
  • @atproto-labs/simple-store@0.3.0
  • @atproto/xrpc@0.7.4
  • @atproto-labs/did-resolver@0.2.1
  • @atproto-labs/handle-resolver@0.3.1
  • @atproto-labs/simple-store-memory@0.1.4
  • @atproto-labs/identity-resolver@0.3.1

0.5.4

Patch Changes

• #4139 6231c8730 Thanks @ThisIsMissEm! - Fix support for multiple redirect URIs in @atproto/oauth-client

  Previously the callback method assumed a singular redirect_uris value, and enforced only performing the callback with the first registered redirect URI. This change allows passing the actual redirect URI to the callback method, much like the authorize method supports.

• Updated dependencies []:

  • @atproto/xrpc@0.7.3

0.5.3

Patch Changes

• Updated dependencies []:
  • @atproto/xrpc@0.7.2

0.5.2

Patch Changes

• Updated dependencies [8a88e2c15, 8a88e2c15]:
  • @atproto/jwk@0.5.0
  • @atproto/oauth-types@0.4.1

0.5.1

Patch Changes

• Updated dependencies []:
  • @atproto/xrpc@0.7.1

0.5.0

Minor Changes

• #3982 4c2d49917 Thanks @matthieusieben! - didResolver and handleResolver no longer exposed on OAuthClient class

Patch Changes

• #3982 4c2d49917 Thanks @matthieusieben! - Allow providing custom identityProvider implementation as OAuthClient constructor option

• Updated dependencies [4c2d49917, 4c2d49917, 3a1e010e1, 4c2d49917, 3a1e010e1]:

  • @atproto-labs/identity-resolver@0.3.0
  • @atproto/oauth-types@0.4.0

0.4.2

Patch Changes

• Updated dependencies [9dac8b0c6, 9dac8b0c6, 9dac8b0c6, 9dac8b0c6, 9dac8b0c6, 9dac8b0c6, 9dac8b0c6]:
  • @atproto-labs/handle-resolver@0.3.0
  • @atproto-labs/identity-resolver@0.2.0

0.4.1

Patch Changes

• #3976 90b4775fc Thanks @matthieusieben! - Re-export all types & utilities needed to instantiate an OAuth client

• #3976 90b4775fc Thanks @matthieusieben! - Allow OAuthClient to be instantiated with custom didResolver instance

• Updated dependencies [90b4775fc, 90b4775fc, 90b4775fc, 90b4775fc, 90b4775fc]:

  • @atproto-labs/handle-resolver@0.2.0
  • @atproto-labs/did-resolver@0.2.0
  • @atproto/jwk@0.4.0
  • @atproto-labs/identity-resolver@0.1.19
  • @atproto/oauth-types@0.3.1

0.4.0

Minor Changes

• #3847 349b59175 Thanks @matthieusieben! - Bind the OAuth session to the kid that was used to authenticate the client (private_key_jwt)

Patch Changes

• #3847 349b59175 Thanks @matthieusieben! - Add missing exp claim in client attestation JWT

• Updated dependencies [349b59175, 349b59175, 349b59175, 349b59175, 349b59175]:

  • @atproto/oauth-types@0.3.0
  • @atproto/jwk@0.3.0

0.3.22

Patch Changes

• #3933 192f3ab89 Thanks @matthieusieben! - Use resolved handle or did instead of raw input as "login_hint"

• #3926 4e96e2c7b Thanks @matthieusieben! - Remove iss claim from DPoP proofs

• Updated dependencies [192f3ab89]:

  • @atproto-labs/identity-resolver@0.1.18

0.3.21

Patch Changes

• #3935 cd4bed3c9 Thanks @matthieusieben! - Cache new DPoP nonces from successful retries

0.3.20

Patch Changes

• #3919 a3b24ca77 Thanks @matthieusieben! - Use application/x-www-form-urlencoded content instead of JSON for OAuth requests

• Updated dependencies [3fa2ee3b6, a3b24ca77]:

  • @atproto/jwk@0.2.0
  • @atproto/oauth-types@0.2.8

0.3.19

Patch Changes

• #3877 a03f0b906 Thanks @matthieusieben! - Remove un-necessary validation of alg on every dpop token creation

0.3.18

Patch Changes

• 36d0d370c Thanks @matthieusieben! - Remove query & fragment from DPoP proof htu claim

0.3.17

Patch Changes

• Updated dependencies [5050b6550]:
  • @atproto-labs/fetch@0.2.3
  • @atproto-labs/did-resolver@0.1.13
  • @atproto-labs/identity-resolver@0.1.17

0.3.16

Patch Changes

• Updated dependencies [a48b093f0, f36ab48d9, f36ab48d9, f36ab48d9]:
  • @atproto/oauth-types@0.2.7
  • @atproto/xrpc@0.7.0

0.3.15

Patch Changes

• Updated dependencies [0d77d1b55, 30f9b6690, 30f9b6690, 0d77d1b55]:
  • @atproto-labs/simple-store@0.2.0
  • @atproto/oauth-types@0.2.6
  • @atproto-labs/did-resolver@0.1.12
  • @atproto-labs/handle-resolver@0.1.8
  • @atproto-labs/simple-store-memory@0.1.3
  • @atproto-labs/identity-resolver@0.1.16

0.3.14

Patch Changes

• Updated dependencies [371e04aad, 26a077716]:
  • @atproto/oauth-types@0.2.5
  • @atproto/jwk@0.1.5

0.3.13

Patch Changes

• Updated dependencies []:
  • @atproto/xrpc@0.6.12

0.3.12

Patch Changes

• Updated dependencies []:
  • @atproto-labs/identity-resolver@0.1.15
  • @atproto/xrpc@0.6.11

0.3.11

Patch Changes

• #2945 850e39843 Thanks @matthieusieben! - Minor code optimizations

• Updated dependencies [850e39843, 850e39843, 850e39843]:

  • @atproto-labs/fetch@0.2.2
  • @atproto/oauth-types@0.2.4
  • @atproto/jwk@0.1.4
  • @atproto-labs/did-resolver@0.1.11
  • @atproto-labs/identity-resolver@0.1.14
  • @atproto/xrpc@0.6.10

0.3.10

Patch Changes

• Updated dependencies []:
  • @atproto-labs/identity-resolver@0.1.13
  • @atproto/xrpc@0.6.9

0.3.9

Patch Changes

• #3220 61dc0d60e Thanks @matthieusieben! - Apply new linting rules regarding import order

• Updated dependencies [61dc0d60e, 61dc0d60e]:

  • @atproto-labs/simple-store-memory@0.1.2
  • @atproto-labs/identity-resolver@0.1.12
  • @atproto-labs/handle-resolver@0.1.7
  • @atproto-labs/did-resolver@0.1.10
  • @atproto-labs/simple-store@0.1.2
  • @atproto/oauth-types@0.2.3
  • @atproto-labs/fetch@0.2.1
  • @atproto/jwk@0.1.3
  • @atproto/xrpc@0.6.8
  • @atproto/did@0.1.5

0.3.8

Patch Changes

• Updated dependencies [cc2a1222b, cc2a1222b, fb64d50ee]:
  • @atproto-labs/did-resolver@0.1.9
  • @atproto/did@0.1.4
  • @atproto/xrpc@0.6.7
  • @atproto-labs/identity-resolver@0.1.11
  • @atproto-labs/handle-resolver@0.1.6

0.3.7

Patch Changes

• Updated dependencies [2889c7699, 2889c7699, 5ece8c6ae, 2889c7699, 2889c7699, 5ece8c6ae]:
  • @atproto/jwk@0.1.2
  • @atproto-labs/fetch@0.2.0
  • @atproto/oauth-types@0.2.2
  • @atproto-labs/did-resolver@0.1.8
  • @atproto-labs/identity-resolver@0.1.10

0.3.6

Patch Changes

• Updated dependencies [72eba67af]:
  • @atproto-labs/did-resolver@0.1.7
  • @atproto-labs/identity-resolver@0.1.9
  • @atproto/xrpc@0.6.6

0.3.5

Patch Changes

• Updated dependencies [a200e5095]:
  • @atproto-labs/handle-resolver@0.1.5
  • @atproto-labs/identity-resolver@0.1.8

0.3.4

Patch Changes

• Updated dependencies []:
  • @atproto/xrpc@0.6.5

0.3.3

Patch Changes

• Updated dependencies [622654672]:
  • @atproto-labs/fetch@0.1.2
  • @atproto-labs/did-resolver@0.1.6
  • @atproto-labs/identity-resolver@0.1.7

0.3.2

Patch Changes

• #3066 5ddd51235 Thanks @matthieusieben! - Verify authorization_endpoint URL protocol

• #3066 5ddd51235 Thanks @matthieusieben! - Ensure that client-id is a web url

• #3066 5ddd51235 Thanks @matthieusieben! - Improve message of OAuthResolverError in case of metadata validation error

• Updated dependencies [5ddd51235, 5ddd51235, 5ddd51235]:

  • @atproto/oauth-types@0.2.1

0.3.1

Patch Changes

• Updated dependencies []:
  • @atproto-labs/identity-resolver@0.1.6
  • @atproto/xrpc@0.6.4

0.3.0

Minor Changes

• #2871 9d40ccbb6 Thanks @matthieusieben! - Use "auto" instead of undefined to descibe the refresh mechanism to use in various methods.

Patch Changes

• #2874 7f26b1765 Thanks @matthieusieben! - Add allowHttp OAuthClient construction option to allow working with "http:" oauth providers (for development & testing purposes).

• #2871 9d40ccbb6 Thanks @matthieusieben! - Perform issuer validation before refreshing tokens.

• #2871 9d40ccbb6 Thanks @matthieusieben! - Ensure token response is properly typed according to the atproto OAuth spec

• #2871 9d40ccbb6 Thanks @matthieusieben! - Use fetch()'s "cache" option instead of headers to force caching behavior

• #2871 9d40ccbb6 Thanks @matthieusieben! - Do not use cache when checking sub authority

• #2871 9d40ccbb6 Thanks @matthieusieben! - Allow all oauth request parameters to be used as authorize() options

• Updated dependencies [7f26b1765, 9d40ccbb6, 7f26b1765, 9d40ccbb6, 9d40ccbb6, 9d40ccbb6, 7f26b1765, 9d40ccbb6, 7f26b1765]:

  • @atproto/oauth-types@0.2.0
  • @atproto-labs/did-resolver@0.1.5
  • @atproto-labs/handle-resolver@0.1.4
  • @atproto/did@0.1.3
  • @atproto-labs/identity-resolver@0.1.5

0.2.2

Patch Changes

• #2755 ed325d863 Thanks @matthieusieben! - Improve client side validation of client metadata

• #2755 ed325d863 Thanks @matthieusieben! - Use scope from client metadata as default value

• Updated dependencies [ed325d863, a07b21151, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, a07b21151, ed325d863, a07b21151, a07b21151]:

  • @atproto/oauth-types@0.1.5
  • @atproto/xrpc@0.6.3
  • @atproto-labs/fetch@0.1.1
  • @atproto-labs/did-resolver@0.1.4
  • @atproto-labs/identity-resolver@0.1.4

0.2.1

Patch Changes

• Updated dependencies [cb4abbb67, cb4abbb67, cb4abbb67, 98711a147]:
  • @atproto/did@0.1.2
  • @atproto/xrpc@0.6.2
  • @atproto-labs/did-resolver@0.1.3
  • @atproto-labs/handle-resolver@0.1.3
  • @atproto-labs/identity-resolver@0.1.3

0.2.0

Minor Changes

• #2714 d9ffa3c46 Thanks @matthieusieben! - The OAuthClient (and runtime specific sub-classes) no longer return @atproto/api Agent instances. Instead, they return OAuthSession instances that can be used to instantiate the Agent class.

• #2734 dee817b6e Thanks @matthieusieben! - Remove "nonce" from authorization request

• #2734 dee817b6e Thanks @matthieusieben! - Mandate the use of "atproto" scope

• #2734 dee817b6e Thanks @matthieusieben! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.

  The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client must verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.

  Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.

• #2714 d9ffa3c46 Thanks @matthieusieben! - Rename OAuthAgent into OAuthSession

• #2714 d9ffa3c46 Thanks @matthieusieben! - Rename OAuthSession's request method to fetchHandler. The goal of this change is to allow OAuthSession to be used in order to instantiate XrpcClient by implementing the FetchHandlerObject interface.

Patch Changes

• #2714 d9ffa3c46 Thanks @matthieusieben! - Add getTokenInfo() method to OAuthSession.

• #2734 dee817b6e Thanks @matthieusieben! - Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.

• #2714 d9ffa3c46 Thanks @matthieusieben! - Make getTokenSet() method public in OAuthSession.

• Updated dependencies [d9ffa3c46, dee817b6e, dee817b6e, dee817b6e, d9ffa3c46, d9ffa3c46]:

  • @atproto/xrpc@0.6.1
  • @atproto/oauth-types@0.1.4

0.1.7

Patch Changes

• Updated dependencies [4ab248354]:
  • @atproto/api@0.13.3

0.1.6

Patch Changes

• Updated dependencies [2a0c088cc, aba664fbd]:
  • @atproto/api@0.13.2

0.1.5

Patch Changes

• #2729 35a126429 Thanks @matthieusieben! - The non-standard introspection_endpoint_auth_method, and introspection_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint.

• #2729 35a126429 Thanks @matthieusieben! - The non-standard revocation_endpoint_auth_method, and revocation_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the revocation endpoint.

• #2727 3ebcd4e61 Thanks @matthieusieben! - Remove "exp" from dpop proof

• #2729 35a126429 Thanks @matthieusieben! - The non-standard pushed_authorization_request_endpoint_auth_method, and pushed_authorization_request_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint.

• Updated dependencies [35a126429]:

  • @atproto/oauth-types@0.1.3

0.1.4

Patch Changes

• #2710 04112783d Thanks @matthieusieben! - Add CustomEvent ponyfill for enviroments that don't provide it

0.1.3

Patch Changes

• Updated dependencies [22af354a5]:
  • @atproto/api@0.13.1

0.1.2

Patch Changes

• #2483 b934b396b Thanks @matthieusieben! - Misc fixes for confidential client usage

• #2483 b934b396b Thanks @matthieusieben! - Better implement aptroto OAuth spec

• Updated dependencies [b934b396b, b934b396b, b934b396b, b934b396b, b934b396b, b934b396b]:

  • @atproto/oauth-types@0.1.2
  • @atproto-labs/handle-resolver@0.1.2
  • @atproto/did@0.1.1
  • @atproto/xrpc@0.6.0
  • @atproto/api@0.13.0
  • @atproto-labs/identity-resolver@0.1.2
  • @atproto-labs/did-resolver@0.1.2

0.1.1

Patch Changes

• #2633 acc9093d2 Thanks @matthieusieben! - Add event emitting capability to OAuthClient

• Updated dependencies [acc9093d2, acc9093d2, acc9093d2, acc9093d2]:

  • @atproto/oauth-types@0.1.1
  • @atproto/jwk@0.1.1
  • @atproto-labs/identity-resolver@0.1.1
  • @atproto-labs/handle-resolver@0.1.1
  • @atproto-labs/did-resolver@0.1.1
  • @atproto-labs/simple-store@0.1.1
  • @atproto-labs/simple-store-memory@0.1.1

0.1.0

Minor Changes

• #2482 a8d6c1123 Thanks @matthieusieben! - Add OAuth provider capability & support for DPoP signed tokens

Patch Changes

• Updated dependencies [a8d6c1123]:
  • @atproto-labs/simple-store-memory@0.1.0
  • @atproto-labs/identity-resolver@0.1.0
  • @atproto-labs/handle-resolver@0.1.0
  • @atproto-labs/did-resolver@0.1.0
  • @atproto-labs/simple-store@0.1.0
  • @atproto/oauth-types@0.1.0
  • @atproto-labs/fetch@0.1.0
  • @atproto/jwk@0.1.0
  • @atproto/did@0.1.0