v3.6.0-alpha.5
Pre-release
Pre-release
·
19 commits
to main
since this release
ddf3d16
This commit was signed with the committer’s verified signature.
The key has expired.
jasonraimondi
Jason Raimondi
What's Changed
- feat: add support for RFC7662 "OAuth 2.0 Token Introspection"
- add configuration options to control client credentials authentication for
/introspectand/revokeendpoints.
new AuthorizationServer({
authenticateIntrospect: false, // Default: false (v3.x), true (v4.x)
authenticateRevoke: false, // Default: false (v3.x), true (v4.x)
})- Default
falsevalues maintain v3.x compatibility, and you must implement your own authentication. - Setting to
trueenables client credentials authentication (v4.x behavior).
Important Notes
- If set to
false, you must implement your own authentication:- Use middleware or similar to authenticate requests before they reach these endpoints.
- Implement according to specifications:
- Introspection: RFC 7662 Section 2.1
- Revocation: RFC 7009 Section 2.1
Full Changelog: v3.6.0-alpha.1...v3.6.0-alpha.5