@inrupt/solid-client-authn-core - npm Package Versions

2.3.0 - 2024-11-14

Bugfix

node
  • The session expiration date (session.info.expirationDate) is now correct when loading a Session from storage.

Feature

node
  • It is now possible to build a Session using getSessionFromStorage without logging it in using its refresh token. To do so, a new optional refresh flag has been introduced. It defaults to true, which makes this a non-breaking change. In addition, a new signature is introduced to make it easier to provide the optional arguments:

      // Legacy signature only specifying one optional argument
      const session = await getSessionFromStorage(
        sessionId,
        undefined,
        undefined,
        false,
      );

      // New signature
      const session = await getSessionFromStorage(sessionId, { refresh: false });

inrupt_ci
published 2.2.7 •


2.2.7 - 2024-10-30

Bugfix

node
  • The IdP logout no longer fails in Node if the session was restored from storage (using getSessionFromStorage), which is the typical way server-side sessions are retrieved.
inrupt_ci
published 2.2.6 •


2.2.6 - 2024-09-18

Bugfix

node and browser
  • Repository URL in package.json updated to set the repository.type property to git. This is intended to restore the previous behavior of npm view @inrupt/solid-client-authn repository.url, which is expected to return git+https://github.com/inrupt/solid-client-authn-js.git.
inrupt_ci
published 2.2.5 •


2.2.5 - 2024-09-16

New Features

  • Node 22 is now supported
inrupt_ci
published 2.2.4 •


2.2.4 - 2024-06-24

Bugfix

node and browser
  • Fix the initialization of clientAppId in ISessionInfo objects: clientAppId property of the ISessionInfo interface, although present, was not being set either in the ISessionInfo objects returned by the handleIncomingRedirect function in ClientAuthentication, or in the Session class.

Bugfix

node
  • The keepAlive option (introduced in v2.2.0) is now correctly observed in a script using the Client Credentials flow (i.e. using a clientId and a clientSecret to log in). It previously was disregarded, and the Session always self-refreshed in the background.

    Note that there still is a timeout being set to notify of session expiration, causing NodeJS to wait for the end of the session before closing a terminal. This can be avoided by logging the session out explicitly:

      const session = new Session();
      await session.login({
        oidcIssuer: ...,
        clientId: ...,
        clientSecret: ...,
      });
    

    will hang until the session expires, while

      const session = new Session();
      await session.login({
        oidcIssuer: ...,
        clientId: ...,
        clientSecret: ...,
      });
      await session.logout();
    

    will close when logout is complete.

inrupt_ci
published 2.2.3 •


2.2.3 - 2024-06-20

Bugfix

node and browser
  • Fix parsing clientId from ID Token azp claim: the parsing of the ID Token payload was not correctly extracting the clientId from the azp claim. As a result, session.info.clientAppId was not being initialized upon successful login, which prevented the IdP logout of the session from working as expected.
inrupt_ci
published 2.2.2 •


2.2.2 - 2024-06-18

Bugfix

node
  • Maintain token type in getSessionIdFromStorage: When loading a session from storage on the server (using getSessionIdFromStorage), the token type (i.e. DPoP-bound or not, referred to as Bearer) is now consistent with the token type initially associated with the session. Previously, regardless of the token type requested when logging the session in, the token type defaulted to DPoP when logging the session back in on load from storage, causing authentication issues.
inrupt_ci
published 2.2.1 •


2.2.1 - 2024-06-04

Bugfix

browser
  • Fix #3518: Prevent refresh token from being persisted in local storage.
inrupt_ci
published 2.2.0 •


2.2.0 - 2024-05-03

New Feature

node
  • It is now possible to prevent a Session self-refreshing in NodeJS. To do so, a new parameter is added to the constructor: Session({ keepAlive: false }). This prevents the Session setting a callback to refresh the Access Token before it expires, which could cause a memory leak in the case of a server-side application with many users. It also avoids unnecessary requests being sent to the OpenID Provider.
inrupt_ci
published 2.1.0 •


2.1.0 - 2024-03-13

New Feature

node and browser
  • OpenID Providers with multiple JWK in their JWKS are now supported. Thanks to @pavol-brunclik-compote for the original contribution.
node
  • Authorization code flow for statically registered clients is now supported. Statically registered clients previously defaulted to the Client Credentials flow; this is no longer assumed.
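
One way a client can handle a JWKS that holds several keys, as in the multiple-JWK item above. This is an added example, not code from the library: selecting the key by the token header's kid, the ES256 algorithm, and the names makeKey, signJwt and verifyWithJwks are assumptions of the example, and the keys are constructed sample data.

```javascript
// Added example, not library code: choose the verification key from a
// multi-key JWKS by the token header's `kid`, then check an ES256 signature.
const crypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");

// Constructed sample key; two of these model a provider mid key-rotation.
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
  });
  return { jwk: { ...publicKey.export({ format: "jwk" }), kid }, privateKey };
}

// Sign a compact JWS; JWTs carry ECDSA signatures in raw r||s (P1363) form.
function signJwt(payload, kid, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: "ES256", kid }))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), {
    key: privateKey,
    dsaEncoding: "ieee-p1363",
  });
  return `${input}.${sig.toString("base64url")}`;
}

// Returns the payload when the signature verifies under the one JWKS key
// whose `kid` matches the header; throws otherwise (no fallback to keys[0]).
function verifyWithJwks(jwt, jwks) {
  const [h, p, s] = jwt.split(".");
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  const matches = jwks.keys.filter(
    (k) => k.kty === "EC" && typeof header.kid === "string" && k.kid === header.kid,
  );
  if (matches.length !== 1) throw new Error("no unique key for kid");
  const { kty, crv, x, y } = matches[0];
  const key = crypto.createPublicKey({ key: { kty, crv, x, y }, format: "jwk" });
  const ok = crypto.verify(
    "sha256",
    Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: "ieee-p1363" },
    Buffer.from(s, "base64url"),
  );
  if (!ok) throw new Error("bad signature");
  return JSON.parse(Buffer.from(p, "base64url").toString());
}
```

A token whose kid names one key but was signed with another is rejected, which is the case that a "take the first key" client gets wrong in either direction.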

Bugfix

browser
  • Fix non-DPoP-bound tokens support in browser: a bug in the handling of non-DPoP-bound tokens was preventing the auth code grant from completing, with a 401 from the OpenID Provider Token Endpoint observed on redirect after the user authenticated. It is now possible to do session.login({/*...*/, tokenType: "Bearer"}) and get a successful result.