5.0.1 (2021-10-27)

Bug Fixes

• explicitly set accept: application/json again (89cdbe2)

5.0.0 (2021-10-27)

⚠ BREAKING CHANGES

• The 'query' way of passing access token to userinfo was removed.
• Access Token is now asserted to be present for the userinfo call.
• The registry export was removed.
• FAPIClient is renamed to FAPI1Client
• FAPI1Client has default algorithms set to PS256 rather than RS256
• FAPI1Client has default tls_client_certificate_bound_access_tokens set to true
• FAPI1Client has default response_types set to id_token code and grant_types accordingly
• FAPI1Client has no token_endpoint_auth_method set, one must be set explicitly
• Client methods unpackAggregatedClaims and fetchDistributedClaims were removed with no replacement.
• DPoP option inputs must be a private crypto.KeyObject or a valid crypto.createPrivateKey input.
• Issuer.prototype.keystore is now private API
• HTTP(S) request customization now only recognizes the following options 'agent', 'ca', 'cert', 'crl', 'headers', 'key', 'lookup', 'passphrase', 'pfx', and 'timeout'. These are standard node http/https module request options, got-library specific options such as 'followRedirect', 'retry', or 'throwHttpErrors' are no longer recognized.
• The arguments inside individual HTTP request customization changed, first argument is now an instance of URL, the http request options object is passed in as a second argument.
• The response property attached to some RPError or OPError instances is now an instance of http.IncomingMessage. Its body is available on its body property as either JSON if it could be parsed, or a Buffer if it failed to pass as JSON.
• Drop support for Node.js v10.x
• Only Node.js LTS releases Codename Erbium (^12.19.0) and newer are supported. Currently this means ^12.19.0 (Erbium), ^14.15.0 (Fermium), and ^16.13.0 (Gallium).
• Issuer.discover will no longer attempt to load /.well-known/oauth-authorization-server. To load such discovery documents pass full well-known URL to Issuer.discover.

Refactor

• DPoP input must be a private KeyObject or valid crypto.createPrivateKey input (d69af6f)
• FAPIClient is renamed to FAPI1Client (59a4e73)
• Issuer.prototype.keystore is now private API (0c23248)
• only use the native http(s) client (83376ac)
• remove automatic lookup of /.well-known/oauth-authorization-server (fc87d2b)
• remove client.unpackAggregatedClaims and client.fetchDistributedClaims (b7f261f)
• remove Registry public API export (6b91d58)
• remove the 'query' option for userinfo, assert access token (eb9d139)
• update Node.js semver support matrix (8b3044e)

4.9.1 (2021-10-13)

Bug Fixes

• do not implicitly calculate key ids for Client instances (46e44e7), closes #379

4.9.0 (2021-09-20)

Features

• update DPoP support to draft-03 (#407) (5565ee1), closes #406

4.8.0 (2021-09-15)

Features

• OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable feature (327f366)

4.7.5 (2021-08-30)

Bug Fixes

• typescript: add remaining properties from RFC7662 (#398) (166e89b)

4.7.4 (2021-05-25)

Bug Fixes

• typescript: add a missing PATCH method to requestResource (6b2c3ce), closes #368

4.7.3 (2021-04-30)

Bug Fixes

• fapi: validate ID Token's iat regardless of which channel it came from (b68b9ab)

4.7.2 (2021-04-23)

Bug Fixes

• typescript: add types for 4.6.0 additions (9064136)

4.7.1 (2021-04-22)

Bug Fixes

• typescript: add types for 4.7.0 additions (2c1d2ab)