Releases: inrupt/solid-client-authn-js
Releases · inrupt/solid-client-authn-js
v2.3.0
Deprecation notice
- A new signature is introduced for
getSessionFromStorage
in this release. The legacy signature is
deprecated, and could be removed with the next major release.
// Deprecated signature
const session = await getSessionFromStorage(
sessionId,
storage,
onNewRefreshToken,
refresh,
);
// Replacement signature
const session = await getSessionFromStorage(sessionId, {
storage,
onNewRefreshToken,
refresh,
});
Bugfix
node
- The session expiration date (
session.info.expirationDate
) is now correct when loading aSession
from storage.
Feature
node
- It is now possible to build a
Session
usinggetSessionFromStorage
and not log it in
using its refresh token. To do so, a newrefresh
optional flag has been introduced.
It defaults totrue
, which makes this a non-breaking change. In addition, a new signature
is introduced to make it easier to provide the optional arguments:
// Legacy signature only specifying one optional argument
const session = await getSessionFromStorage(
sessionId,
undefined,
undefined,
false,
);
// New signature
const session = await getSessionFromStorage(sessionId, { refresh: false });
Full Changelog: v2.2.7...v2.3.0
v2.2.7
Bugfix
node
- The IdP logout no longer fails in Node if the session was restored from
storage (usinggetSessionFromStorage
), which is the typical way server-side
sessions are retrieved.
Full Changelog: v2.2.6...v2.2.7
v2.2.6
node and browser
- Repository URL in
package.json
updated to set therepository.type
property togit
. This intends at
restoring the previous behavior ofnpm view @inrupt/solid-client-authn repository.url
, expected to return
git+https://github.com/inrupt/solid-client-authn-js.git
.
Full Changelog: v2.2.5...v2.2.6
v2.2.5
v2.2.4
Bugfixes
node and browser
- The
clientAppId
property is now correctly set in theISessionInfo
objects returned by thehandleIncomingRedirect
function inClientAuthentication
and in theSession
class.
node
- The
keepAlive
option (introduced in v2.2.0) is now correctly observed in a script using the Client Credentials flow (i.e. using aclientId
and aclientSecret
to log in). It previously was disregarded, and theSession
always self-refreshed in the background
Full Changelog: v2.2.3...v2.2.4
v2.2.3
Bugfix
node and browser
- Fix parsing
clientId
from ID Tokenazp
claim: the parsing of the ID Token payload was not correctly extracting theclientId
from theazp
claim. As a result,session.info.clientAppId
was not being initialised upon successful login, which prevented theidp
logout of the session from working as expected.
Full Changelog: v2.2.2...v2.2.3
v2.2.2
Bugfix
node
- Maintain token type in
getSessionIdFromStorage
: When loading a session from storage on the server
(usinggetSessionIdFromStorage
), the token type (i.e. DPoP-bound or not, referred to as Bearer) is
now consistent with the token type initially associated with the session. Previously, regardless of
the token type requested when logging the session in, the token type defaulted toDPoP
when logging
the session back in on load from storage, causing authentication issues.
Full Changelog: v2.2.1...v2.2.2
v2.2.1
Bugfix
browser
- Fix #3518: Prevent refresh token from being persisted in local storage.
New Contributors
- @garciafdezpatricia made their first contribution in #3498
Full Changelog: v2.2.0...v2.2.1
v2.2.0
New Feature
node
- It is now possible to prevent a
Session
self-refreshing in NodeJS. To do so, a new
parameter is added to the constructor:Session({ keepAlive: false })
. This prevents
theSession
setting a callback to refresh the Access Token before it expires, which
could cause a memory leak in the case of a server-side application with many users.
It also avoids unnecessary requests being sent to the OpenID Provider.
v2.1.0
New Feature
node and browser
- OpenID Providers with multiple JWK in their JWKS are now supported. Thanks to
@pavol-brunclik-compote for the original contribution.
node
- Authorization code flow for statically registered clients is now supported. Statically registered
clients previously defaulted to the Client Credentials flow, it is no longer an assumption.
Bugfix
browser
- Fix non-DPoP bound tokens support in browser: a bug in the handling of non-DPoP-bound tokens was
preventing the auth code grant to complete, with a 401 to the OpenId Provider Token Endpoint
observed on redirect after the user authenticated. It is now possible to do
session.login({/*...*/, tokenType: "Bearer"})
and get a successful result.