atproto/packages/oauth/oauth-provider/CHANGELOG.md

@atproto/oauth-provider

0.2.12

Patch Changes

• Updated dependencies [2889c7699, 2889c7699, 2889c7699, 5ece8c6ae, 2889c7699, 2889c7699, 5ece8c6ae]:
  • @atproto/jwk@0.1.2
  • @atproto/jwk-jose@0.1.3
  • @atproto-labs/fetch@0.2.0
  • @atproto/oauth-types@0.2.2
  • @atproto-labs/fetch-node@0.1.5

0.2.11

Patch Changes

• Updated dependencies []:
  • @atproto/common@0.4.6

0.2.10

Patch Changes

• Updated dependencies [588baae12]:
  • @atproto/common@0.4.5

0.2.9

Patch Changes

• #3135 622654672 Thanks @matthieusieben! - Improve "invalid_client_metadata" error description

• Updated dependencies [622654672]:

  • @atproto-labs/fetch@0.1.2
  • @atproto-labs/fetch-node@0.1.4

0.2.8

Patch Changes

• Updated dependencies [5ddd51235, 5ddd51235, 5ddd51235]:
  • @atproto/oauth-types@0.2.1

0.2.7

Patch Changes

• #2852 709ba3015 Thanks @matthieusieben! - Remove response content-encoding logic

0.2.6

Patch Changes

• #2902 8f2b80a0d Thanks @matthieusieben! - Better report invalid content-encoding errors

• #2871 9d40ccbb6 Thanks @matthieusieben! - Allow using different ioredis version

• #2871 9d40ccbb6 Thanks @matthieusieben! - Use fetch()'s "cache" option instead of headers to force caching behavior

• #2874 7f26b1765 Thanks @matthieusieben! - Improve error message when invalid client id used during code exchange

• Updated dependencies [7f26b1765, 9d40ccbb6, 9d40ccbb6, 7f26b1765, 9d40ccbb6, 7f26b1765]:

  • @atproto/oauth-types@0.2.0

0.2.5

Patch Changes

• Updated dependencies [80450cbf2]:
  • @atproto-labs/fetch-node@0.1.3

0.2.4

Patch Changes

• Updated dependencies [8943c1008]:
  • @atproto-labs/fetch-node@0.1.2

0.2.3

Patch Changes

• #2847 1226ed268 Thanks @matthieusieben! - Do not display the client_name of untrusted clients

• Updated dependencies [4098d9890]:

  • @atproto/common@0.4.4

0.2.2

Patch Changes

• #2755 ed325d863 Thanks @matthieusieben! - Disable request params scopes defaulting to client metadata scopes. Requires that client always provide a "scope" parameter when initiating an oauth flow.

• #2755 ed325d863 Thanks @matthieusieben! - Remove "plain" from code_challenge_methods_supported

• #2755 ed325d863 Thanks @matthieusieben! - Require definition of "scope" in client metadata document

• #2755 ed325d863 Thanks @matthieusieben! - Improve reporting of metadata validation error

• #2755 ed325d863 Thanks @matthieusieben! - Properly validate request_uri request parameter

• #2755 ed325d863 Thanks @matthieusieben! - Enforce code_challenge_method=S256 request parameter

• #2755 ed325d863 Thanks @matthieusieben! - Explicitely forbid MTLS client auth method

• #2755 ed325d863 Thanks @matthieusieben! - Return "invalid_client" on invalid client credentials

• #2755 ed325d863 Thanks @matthieusieben! - Prevent use of empty string in unsupported oidc request parameters

• #2755 ed325d863 Thanks @matthieusieben! - Allow fetching of source maps files from browser debugger

• #2755 ed325d863 Thanks @matthieusieben! - Allow native clients to use https: redirect uris

• #2755 ed325d863 Thanks @matthieusieben! - Allow client metadata to contain other values than "code"

• #2770 a07b21151 Thanks @matthieusieben! - Improve code re-use

• Updated dependencies [ed325d863, ed325d863, a07b21151, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, ed325d863, a07b21151, ed325d863, ed325d863, a07b21151, ed325d863, a07b21151, a07b21151, a07b21151]:

  • @atproto/oauth-types@0.1.5
  • @atproto-labs/fetch-node@0.1.1
  • @atproto/common@0.4.3
  • @atproto-labs/fetch@0.1.1

0.2.1

Patch Changes

• #2749 c180cf4d8 Thanks @devinivy! - Fix client-side crash on authorize page

0.2.0

Minor Changes

• #2734 dee817b6e Thanks @matthieusieben! - Remove "nonce" from authorization request

• #2734 dee817b6e Thanks @matthieusieben! - Mandate the use of "atproto" scope

• #2734 dee817b6e Thanks @matthieusieben! - Remove "openid" compatibility. The reason is that although we were technically "openid" compatible, ATProto identifiers are distributed identifiers. When a client relies on OpenID to authenticate users, it will use the auth provider in combination with the identifier to uniquely identify the user. Since ATProto identifiers are meant to be able to move from one provider to the other, OpenID compatibility could break authentication after a user was migrated to a different provider.

  The way OpenID compliant clients would adapt to this particularity would typically be to remove the provider + identifier combination and use the identifier alone. While this is indeed the right way to handle ATProto identifiers, it requires more work to avoid impersonation. In particular, when obtaining a user identifier, the client must verify that the issuer of the identity token is indeed the server responsible for that user. This mechanism being not enforced by the OpenID standard, OpenID compatibility could lead to security issues. For this reason, we decided to remove OpenID compatibility from the OAuth provider.

  Note that a trusted central authority could still offer OpenID compatibility by relying on ATProto's regular OAuth flow under the hood. This capability is out of the scope of this library.

Patch Changes

• #2734 dee817b6e Thanks @matthieusieben! - Display requested scopes during the auth flow

• #2734 dee817b6e Thanks @matthieusieben! - Generate proper invalid_authorization_details

• #2734 dee817b6e Thanks @matthieusieben! - Stronger CORS protections

• #2734 dee817b6e Thanks @matthieusieben! - Do not require user consent during oauth flow for first party apps.

• #2734 dee817b6e Thanks @matthieusieben! - Improve reporting of validation errors

• Updated dependencies [dee817b6e, dee817b6e, dee817b6e]:

  • @atproto/oauth-types@0.1.4

0.1.3

Patch Changes

• #2729 35a126429 Thanks @matthieusieben! - The non-standard introspection_endpoint_auth_method, and introspection_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint.

• #2729 35a126429 Thanks @matthieusieben! - The non-standard revocation_endpoint_auth_method, and revocation_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the revocation endpoint.

• #2729 35a126429 Thanks @matthieusieben! - The non-standard pushed_authorization_request_endpoint_auth_method, and pushed_authorization_request_endpoint_auth_signing_alg client metadata properties were removed. The client's token_endpoint_auth_method, and token_endpoint_auth_signing_alg properties are now used as the only indication of how a client must authenticate at the introspection endpoint.

• #2728 5131b027f Thanks @matthieusieben! - Allow charset in content-type header of incoming requests

• #2727 3ebcd4e61 Thanks @matthieusieben! - Do not require "exp" claim in dpop proof

• Updated dependencies [35a126429]:

  • @atproto/oauth-types@0.1.3

0.1.2

Patch Changes

• #2483 b934b396b Thanks @matthieusieben! - Remove unused file

• Updated dependencies [b934b396b, b934b396b, b934b396b]:

  • @atproto/jwk-jose@0.1.2
  • @atproto/oauth-types@0.1.2

0.1.1

Patch Changes

• #2633 acc9093d2 Thanks @matthieusieben! - Add 2FA support

• Updated dependencies [acc9093d2, acc9093d2, acc9093d2, acc9093d2]:

  • @atproto/oauth-types@0.1.1
  • @atproto/jwk-jose@0.1.1
  • @atproto/jwk@0.1.1
  • @atproto-labs/simple-store@0.1.1
  • @atproto-labs/simple-store-memory@0.1.1

0.1.0

Minor Changes

• #2482 a8d6c1123 Thanks @matthieusieben! - Add OAuth provider capability & support for DPoP signed tokens

Patch Changes

• Updated dependencies [a8d6c1123]:
  • @atproto-labs/simple-store-memory@0.1.0
  • @atproto-labs/simple-store@0.1.0
  • @atproto-labs/fetch-node@0.1.0
  • @atproto/oauth-types@0.1.0
  • @atproto-labs/fetch@0.1.0
  • @atproto/jwk-jose@0.1.0
  • @atproto-labs/pipe@0.1.0
  • @atproto/jwk@0.1.0