Skip to content

Update openid-client to v6 #1394

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

Update openid-client to v6 #1394

wants to merge 24 commits into from

Conversation

alxndrsn
Copy link
Contributor

@alxndrsn alxndrsn commented Feb 10, 2025
edited
Loading

openid-client v6 is a complete rewrite, with API changes: https://github.com/panva/openid-client/releases/tag/v6.0.0

API reference: https://github.com/panva/openid-client/blob/v6.1.7/docs/README.md

Closes getodk/central#1225

What has been done to verify that this works as intended?

Existing tests; new tests at #1392

Why is this the best possible solution? Were any other approaches considered?

Staying up-to-date with security-focussed libraries seems like a sensible approach. An alternative might be to fork the openid-client library, but this seems like high-risk, unnecessary work for no obvious benefit.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

It should not affect users.

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

No.

Before submitting this PR, please make sure you have:

  • run make test and confirmed all checks still pass OR confirm CircleCI build passes
  • verified that any code from external sources are properly credited in comments or that everything is internally sourced

Update openid-client to v6
68c9798 
v6 is a complete rewrite, with API changes: https://github.com/panva/openid-client/releases/tag/v6.0.0

Closes #1230
alxndrsn
alxndrsn commented Feb 10, 2025
View reviewed changes
alxndrsn
alxndrsn commented Feb 10, 2025
View reviewed changes
alxndrsn
alxndrsn commented Feb 10, 2025
View reviewed changes
alxndrsn
alxndrsn commented Feb 10, 2025
View reviewed changes
alxndrsn
alxndrsn commented Feb 10, 2025
View reviewed changes
alxndrsn
alxndrsn commented Feb 10, 2025
View reviewed changes
@alxndrsn

This comment was marked as resolved.

Sign in to view
@alxndrsn

This comment was marked as resolved.

Sign in to view
@alxndrsn alxndrsn marked this pull request as ready for review February 11, 2025 14:03
alxndrsn
alxndrsn commented Feb 12, 2025
View reviewed changes
@alxndrsn alxndrsn requested a review from sadiqkhoja March 13, 2025 16:16
sadiqkhoja
sadiqkhoja approved these changes Mar 26, 2025
View reviewed changes
Copy link
Contributor

@sadiqkhoja sadiqkhoja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

Nothing to change here but I'd like mention that I am getting Support for loading ES Module in require() is an experimental feature and might change at any time warning. Maybe this feature will get matured or we may consider migrating to ESM 🤷‍♂️

lib/resources/oidc.js
Comment on lines +16 to +23
const { // eslint-disable-line object-curly-newline
authorizationCodeGrant,
buildAuthorizationUrl,
calculatePKCECodeChallenge,
fetchUserInfo,
randomPKCECodeVerifier,
randomState,
} = require('openid-client'); // eslint-disable-line object-curly-newline
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a nit / preference: we can const client = require('openid-client'); then the rest of the code in this file will be easier to read and understand, specially knowing which functions are coming from the external library.

@alxndrsn
Copy link
Contributor Author

I am getting Support for loading ES Module in require() is an experimental feature and might change at any time warning.

Good spot - I'll take a look into this.

Maybe this feature will get matured or we may consider migrating to ESM 🤷‍♂️

I think we should avoid that migration as long as possible.

@alxndrsn
Copy link
Contributor Author

Support for loading ES Module in require() is an experimental feature and might change at any time

Current status:

Stability: 1.2 - Release candidate
https://nodejs.org/api/modules.html#loading-ecmascript-modules-using-require

which means

1.2 - Release candidate. Experimental features at this stage are hopefully ready to become stable. No further breaking changes are anticipated but may still occur in response to user feedback. We encourage user testing and feedback so that we can know that this feature is ready to be marked as stable.
https://nodejs.org/api/documentation.html#stability-index

I'll hold of merging for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sadiqkhoja sadiqkhoja sadiqkhoja approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

openid-client: update to v6?
2 participants
@alxndrsn @sadiqkhoja