Releases: inrupt/solid-client-authn-js

v2.3.0

14 Nov 15:51
5391f75

Deprecation notice

  • A new signature is introduced for getSessionFromStorage in this release. The legacy signature is
    deprecated, and could be removed with the next major release.
// Deprecated signature
const session = await getSessionFromStorage(
  sessionId,
  storage,
  onNewRefreshToken,
  refresh,
);
// Replacement signature
const session = await getSessionFromStorage(sessionId, {
  storage,
  onNewRefreshToken,
  refresh,
});

Bugfix

node

  • The session expiration date (session.info.expirationDate) is now correct when loading a Session from storage.

Feature

node

  • It is now possible to build a Session using getSessionFromStorage without logging it in
    using its refresh token. To do so, a new optional refresh flag has been introduced.
    It defaults to true, which makes this a non-breaking change. In addition, a new signature
    is introduced to make it easier to provide the optional arguments:
// Legacy signature only specifying one optional argument
const session = await getSessionFromStorage(
  sessionId,
  undefined,
  undefined,
  false,
);

// New signature
const session = await getSessionFromStorage(sessionId, { refresh: false });

Full Changelog: v2.2.7...v2.3.0

v2.2.7

30 Oct 22:34
3b3e6fb

Bugfix

node

  • The IdP logout no longer fails in Node if the session was restored from
    storage (using getSessionFromStorage), which is the typical way server-side
    sessions are retrieved.

Full Changelog: v2.2.6...v2.2.7

v2.2.6

18 Sep 14:27
7e3db78

node and browser

  • Repository URL in package.json updated to set the repository.type property to git. This is intended
    to restore the previous behavior of npm view @inrupt/solid-client-authn repository.url, which is
    expected to return git+https://github.com/inrupt/solid-client-authn-js.git.

Full Changelog: v2.2.5...v2.2.6

v2.2.5

16 Sep 12:50
afb64c4

New Features

  • Node 22 is now supported

Full Changelog: v2.2.4...v2.2.5

v2.2.4

24 Jun 16:48
793acb2

Bugfixes

node and browser

  • The clientAppId property is now correctly set in the ISessionInfo objects returned by the handleIncomingRedirect function in ClientAuthentication and in the Session class.

node

  • The keepAlive option (introduced in v2.2.0) is now correctly observed in a script using the Client Credentials flow (i.e. using a clientId and a clientSecret to log in). It was previously disregarded, and the Session always self-refreshed in the background.

Full Changelog: v2.2.3...v2.2.4

v2.2.3

20 Jun 09:40
4222c4a

Bugfix

node and browser

  • Fix parsing clientId from ID Token azp claim: the parsing of the ID Token payload was not correctly extracting the clientId from the azp claim. As a result, session.info.clientAppId was not being initialised upon successful login, which prevented the IdP logout of the session from working as expected.

Full Changelog: v2.2.2...v2.2.3

v2.2.2

18 Jun 11:52
47822c4

Bugfix

node

  • Maintain token type in getSessionIdFromStorage: When loading a session from storage on the server
    (using getSessionIdFromStorage), the token type (i.e. DPoP-bound or not, referred to as Bearer) is
    now consistent with the token type initially associated with the session. Previously, regardless of
    the token type requested when logging the session in, the token type defaulted to DPoP when logging
    the session back in on load from storage, causing authentication issues.

Full Changelog: v2.2.1...v2.2.2

v2.2.1

05 Jun 07:01
f8a7a13

Bugfix

browser

  • Fix #3518: Prevent refresh token from being persisted in local storage.

Full Changelog: v2.2.0...v2.2.1

v2.2.0

03 May 10:58
8c3bd68

New Feature

node

  • It is now possible to prevent a Session self-refreshing in NodeJS. To do so, a new
    parameter is added to the constructor: Session({ keepAlive: false }). This prevents
    the Session setting a callback to refresh the Access Token before it expires, which
    could cause a memory leak in the case of a server-side application with many users.
    It also avoids unnecessary requests being sent to the OpenID Provider.

v2.1.0

14 Mar 10:54
259a567

New Feature

node and browser

  • OpenID Providers with multiple JWK in their JWKS are now supported. Thanks to
    @pavol-brunclik-compote for the original contribution.
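
What supporting a multi-key JWKS involves on the verifying side, as an added example that is not the library's own code: the verification key is selected by the token header's kid rather than by position in the key set. The function names, the ES256 algorithm choice, the key IDs and the sample token are assumptions constructed for this illustration.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");
const fromB64url = (value) => Buffer.from(value, "base64url").toString("utf8");

// Constructed sample key: a P-256 pair whose public half is published as a JWK.
function makeKey(kid) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { privateKey, jwk: { ...publicKey.export({ format: "jwk" }), kid, use: "sig" } };
}

// Sign a compact ES256 JWS so the example has a token to verify.
function signToken(privateKey, kid, claims) {
  const input = `${b64url(JSON.stringify({ alg: "ES256", kid }))}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${sig.toString("base64url")}`;
}

// Select the verification key by the token header's `kid`; never assume keys[0].
function verifyWithJwks(token, jwks) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = JSON.parse(fromB64url(parts[0]));
  // Pin the algorithm: the token header must not choose how it is verified.
  if (header.alg !== "ES256") throw new Error("unsupported alg");
  const matches = jwks.keys.filter((k) => k.kid === header.kid && k.kty === "EC" && k.crv === "P-256");
  if (matches.length !== 1) throw new Error("no unique key for kid");
  const { kty, crv, x, y } = matches[0];
  const publicKey = nodeCrypto.createPublicKey({ key: { kty, crv, x, y }, format: "jwk" });
  const valid = nodeCrypto.verify(
    "sha256",
    Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" },
    Buffer.from(parts[2], "base64url"),
  );
  if (!valid) throw new Error("bad signature");
  return JSON.parse(fromB64url(parts[1]));
}

// Constructed demo: the provider publishes two keys and signs with the second.
const keyA = makeKey("key-a");
const keyB = makeKey("key-b");
const sampleJwks = { keys: [keyA.jwk, keyB.jwk] };
const sampleToken = signToken(keyB.privateKey, "key-b", { iss: "https://idp.example", sub: "alice" });
console.log(verifyWithJwks(sampleToken, sampleJwks).sub);
```

A token signed with one key but labelled with another key's kid fails verification, and an unknown kid is rejected before any signature check.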

node

  • Authorization code flow for statically registered clients is now supported. Statically registered
    clients previously defaulted to the Client Credentials flow; this is no longer assumed.

Bugfix

browser

  • Fix non-DPoP-bound tokens support in browser: a bug in the handling of non-DPoP-bound tokens was
    preventing the auth code grant from completing, with a 401 from the OpenID Provider Token Endpoint
    observed on redirect after the user authenticated. It is now possible to do
    session.login({/*...*/, tokenType: "Bearer"}) and get a successful result.