* Ensure that the credentials used during a refresh correspond to those used to create the OAuth tokens.
* tidy
* Bind the OAuth session to the kid that was used to authenticate the client (private_key_jwt)
* Store the whole authentication method in the client session store rather than the kid only
* tidy
* Improve error reporting in case an invalid `token_endpoint_auth_method` is used in the client metadata document.
* tidy
* tidy
* Improve JAR checks
* tidy
* changeset
* tidy
* Remove schema's `.optional()` modifier when a `.default()` is defined
* tidy
* verify client auth during code exchange
* tidy
* Minor naming improvement
* tidy
* Update .changeset/quiet-pans-fix.md
  Co-authored-by: devin ivy <devinivy@gmail.com>
* Update packages/oauth/oauth-client/src/oauth-client-auth.ts
* Use `private_key_jwt` instead of incorrect `client_secret_jwt` as authentication method for confidential clients
* style
* code split
* dead code removal
* Represent missing client auth with a `null` instead of "none" when storing request data.
* Allow storing `null` in authorization_request's `clientAuth` json column
* document
* tidy
* Remove non-standard behavior that allowed client to authenticate through JAR
* Improved error messages
* Parse JSON encoded Authorization Request Parameters
* Use `application/x-www-form-urlencoded` content instead of JSON for OAuth requests
  Fixes: #3723
* tidy
* tidy
* tidy
* tidy
* code style
* remove unnecessary checks
* tidy
* Pre-process number too
* improved type checking
* add missing exports
* fix merge conflict
* tidy
* Remove invalid default for `code_challenge_method` authorization request parameter
* tidy
* Delete inaccurate changeset
* PR comment
* tidy
* Update OAuth client credentials factory to return headers and payload separately.
* tidy
* Renamed `clientAuthCheck` to `validateClientAuth`
* Validate presence of DPoP proofs sooner when processing token requests.
  Fixes: #3859
* Protect against concurrent use of request code
* tidy
* tidy
* Update packages/oauth/oauth-provider/src/client/client.ts
  Co-authored-by: devin ivy <devinivy@gmail.com>
* Review comments
* Add missing `exp` claim in client attestation JWT
* fixup! Review comments
* Review comments
* Refactor: explicit optionality of unsigned JAR issuer & audience
* Use client attestation's `exp` claim to determine the lifetime of JWT's `jti` nonce.
* Fix PDS: consumeRequestCode should delete request data
* tidy
* tidy
* Unused code removal
* Restore "Native clients must authenticate using "none" method" check
* tidy
* tidy
* cleanup
* comment
* Allow missing DPoP header during PAR request if `dpop_jkt` is provided
* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>

Changesets
Hello and welcome! This folder has been automatically generated by @changesets/cli, a build tool that works with multi-package repos, or single-package repos to help you version and publish your code. You can find the full documentation for it in our repository.

We have a quick list of common questions to get you started engaging with this project in our documentation.