openid-client - npm Package Compare versions

Comparing version 1.16.0 to 1.17.0

CHANGELOG.md

@@ -8,2 +8,3 @@ # openid-client CHANGELOG
 <!-- TOC START min:2 max:2 link:true update:true -->
+  - [Version 1.17.0](#version-1170)
   - [Version 1.16.0](#version-1160)
@@ -31,4 +32,9 @@ - [Version 1.15.0](#version-1150)
 
+## Version 1.17.0
+- [DIFF](https://github.com/panva/node-openid-client/compare/v1.16.0...v1.17.0)
+- now uses `client_secret_post` as default for Issuer instances that do not support
+  `client_secret_basic` but do signal support for `client_secret_post` in their discovery document
+
 ## Version 1.16.0
-- [DIFF](https://github.com/panva/node-openid-client/compare/v1.15.0...v1.15.1)
+- [DIFF](https://github.com/panva/node-openid-client/compare/v1.15.0...v1.16.0)
 - added `s_hash` value validation support for ID Tokens returned by authorization endpoint
@@ -35,0 +41,0 @@ - fixed edge cases where valid `_hash` but from invalid sha-length was accepted

lib/client.js

@@ -152,2 +152,17 @@ 'use strict';
 
+
+// if an OP doesnt support client_secret_basic but supports client_secret_post, use it instead
+// this is in place to take care of most common pitfalls when first using discovered Issuers without
+// the support for default values defined by Discovery 1.0
+function checkBasicSupport(client, metadata, properties) {
+  try {
+    const supported = client.issuer.token_endpoint_auth_methods_supported;
+    if (supported.indexOf(properties.token_endpoint_auth_method) === -1) {
+      if (supported.indexOf('client_secret_post') !== -1) {
+        properties.token_endpoint_auth_method = 'client_secret_post';
+      }
+    }
+  } catch (err) {}
+}
+
 class Client {
@@ -159,4 +174,9 @@ /**
   constructor(metadata, keystore) {
+    metadata = metadata || {}; // eslint-disable-line no-param-reassign
     const properties = Object.assign({}, CLIENT_DEFAULTS, metadata);
 
+    if (!metadata.token_endpoint_auth_method) { // if no explicit value was provided
+      checkBasicSupport(this, metadata, properties);
+    }
+
     if (String(properties.token_endpoint_auth_method).endsWith('_jwt')) {
@@ -163,0 +183,0 @@ assert(

package.json

 {
   "name": "openid-client",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs",
@@ -5,0 +5,0 @@ "main": "lib/index.js",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

79235

increased by1.6%

Lines of code

1429

increased by1.2%

No dependency changes