refactor!: openid-client@6

BREAKING CHANGE: openid-client v6.x is a complete rewrite of the openid-client module, this is the first time since 0.1.0 (8 years ago) that the API has drastically changed. The new module structure and API focuses on three core principles: - runtime compatibility (adding support for Deno, Cloudflare Workers, Bun, and other Web API interoperable runtimes) - tree-shakeability (bundles should not contain features that don't end up being used) - less options (removing support for processing deprecated response types, cutting down on the number of combinations that need to handled) To that end openid-client@6 no longer supports the full cartesian matrix of response types and response modes, it no longer supports issuing encrypted assertions, decrypting assertions is limited to only a few algorithms, it no longer supports Dynamic Client Registration or Management, and Self-Issued OpenID Provider responses are also not supported. The new API makes basic setups simple while allowing some degree of complexity where needed. openid-client@6 is an ESM module using ES2022 syntax and it depends on WebCryptoAPI and Fetch API globals being available in the JS runtime. openid-client@6 is written in TypeScript and its exported types come with comment annotations. (Node.js) Versions 20.x and newer have all the necessary globals. v18.x is being tested in CI as well with the `--experimental-global-webcrypto` CLI flag. (Node.js) CJS style `let client = require('openid-client')` is possible in versions where `process.features.require_module` is `true`. This is a new Node.js feature slated to be released without a CLI flag in 23.x and 22.x
panva · Oct 7, 2024 · e8daf06 · e8daf06
1 parent fe19ecb
commit e8daf06
Show file tree

Hide file tree

Showing 262 changed files with 19,688 additions and 14,986 deletions.
diff --git a/.electron_flags.sh b/.electron_flags.sh
@@ -0,0 +1,9 @@
+echo $(electron -i <<< 'process.exit(0)' 2> /dev/null | grep "Using" | awk '{$1=$1};1' | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g")
+
+electron -i <<< 'process.exit(parseInt(process.versions.node, 10))' &> /dev/null
+NODE_VERSION=$?
+export NODE_OPTIONS='--import=tsx/esm --conditions=browser --no-warnings --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384"'
+
+if [[ $NODE_VERSION -eq 18 ]]; then
+  export NODE_OPTIONS+=' --experimental-global-webcrypto'
+fi
diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -1,42 +1,56 @@
----
 name: 🐞Bug report
-about: Something is not working as I think it should be
-labels: triage
-
----
-
-**Describe the bug**
-<!-- A clear and concise description of what the bug is. -->
-
-
-**To Reproduce**
-Issuer and Client configuration: (inline or gist) - Don't forget to redact your secrets.
-```js
-// Issuer configuration (issuer.metadata) and how it is constructed (discovery or manual?)
-{
-  // ...
-}
-// Client configuration (client.metadata) and how it is constructed (fromUri or manual?)
-{
-  // ...
-}
-```
-
-Steps to reproduce the behaviour:
-
-1.  
-2.  
-3.  
-
-**Expected behaviour**
-A clear and concise description of what you expected to happen.
-
-**Environment:**
- - openid-client version: [e.g. v3.14.0]
- - node version: [e.g. v8.9.0]
-
-**Additional context**
-Add any other context about the problem here.
-
- - [ ] the bug is happening on latest openid-client too.
- - [ ] i have searched the issues tracker on github for similar issues and couldn't find anything related.
+description: There's a bug I want to report
+labels:
+  - triage
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report. Do not use this form to ask questions or make suggestions, use the [appropriate](https://github.com/panva/openid-client/issues/new/choose) Discussions Topic for those.
+  - type: textarea
+    attributes:
+      label: What happened?
+      description: A clear and concise description of what the bug is and what you expected to happen instead.
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Version
+      description: What exact version of the library do you use?
+      placeholder: e.g. v1.0.0
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Runtime
+      description: What JavaScript runtime are you seeing the problem on?
+      options:
+        - Browser
+        - Cloudflare Workers
+        - Deno
+        - Electron
+        - Node.js
+        - Other (I will specify below)
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Runtime Details
+      description: More information about the runtime (e.g. node version, browser vendor and version, electron version, operating system)
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Code to reproduce
+      description: Please copy and paste code to reproduce the issue. This will be automatically formatted into JavaScript code, so no need for backticks.
+      render: js
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Required
+      options:
+        - label: I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
+          required: true
+        - label: I agree to follow this project's [Code of Conduct](https://github.com/panva/openid-client/blob/main/CODE_OF_CONDUCT.md)
+          required: true
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,11 +1,11 @@
 blank_issues_enabled: false
 contact_links:
   - name: ❓ Question
-    url: https://github.com/panva/node-openid-client/discussions/new?category=q-a
+    url: https://github.com/panva/openid-client/discussions/new?category=q-a
     about:
       Have a question about using openid-client? Head over to the discussions "Q&A" Category
   - name: 💡 Feature proposal
-    url: https://github.com/panva/node-openid-client/discussions/new?category=ideas
+    url: https://github.com/panva/openid-client/discussions/new?category=ideas
     about:
       Have a proposal for a new feature? Head over to the discussions "Ideas" Category
   - name: Support the project

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,6 +5,13 @@
 
 version: 2
 updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    versioning-strategy: "increase"
+    allow:
+      - dependency-name: "edge-runtime"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -22,6 +22,7 @@ on:
 
 jobs:
   analyze:
+    if: ${{ github.repository == 'panva/openid-client' }}
     name: Analyze
     runs-on: ubuntu-latest
     permissions:

diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -11,115 +11,68 @@ on:
 
 jobs:
   build:
+    if: ${{ github.repository == 'panva/openid-client' || github.event_name == 'workflow_dispatch' }}
     uses: panva/.github/.github/workflows/build-conformance-suite.yml@main
 
   run:
     runs-on: ubuntu-latest
     needs:
       - build
-    env:
-      NODE_TLS_REJECT_UNAUTHORIZED: 0
-      DEBUG: runner,moduleId*
-      SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
-      PLAN_NAME: ${{ matrix.setup.plan }}
-      VARIANT: ${{ toJSON(matrix.setup) }}
     strategy:
       fail-fast: false
       matrix:
         setup:
-          # OIDC BASIC
+          # Core 1.0 response_type=code
           - plan: oidcc-client-basic-certification-test-plan
 
-          # OIDC IMPLICIT
-          - plan: oidcc-client-implicit-certification-test-plan
-
-          # OIDC HYBRID
+          # Core 1.0 response_type=code id_token
           - plan: oidcc-client-hybrid-certification-test-plan
 
-          # OIDC CONFIG
-          - plan: oidcc-client-config-certification-test-plan
-
-          # OIDC DYNAMIC
-          # TODO: work around the request_uri lodging service EOL
-          # - plan: oidcc-client-dynamic-certification-test-plan
-
-          # FAPI 1.0 ID-2
-          # These plans are deprecated and to be removed
-          # - plan: fapi-rw-id2-client-test-plan
-          #   client_auth_type: mtls
-          # - plan: fapi-rw-id2-client-test-plan
-          #   client_auth_type: private_key_jwt
+          # Comprehensive Core 1.0 client test
+          - plan: oidcc-client-test-plan
+          - plan: oidcc-client-test-plan
+            variant:
+              response_type: code id_token
 
-          # FAPI 1.0 Advanced Final
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: private_key_jwt
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: mtls
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: mtls
-            fapi_auth_request_method: pushed
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: private_key_jwt
-            fapi_auth_request_method: pushed
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: mtls
-            fapi_response_mode: jarm
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: private_key_jwt
-            fapi_response_mode: jarm
+          # Financial-grade API Security Profile 1.0 - Part 2: Advanced
           - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: mtls
-            fapi_auth_request_method: pushed
-            fapi_response_mode: jarm
+            variant:
+              client_auth_type: 'private_key_jwt'
           - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: private_key_jwt
-            fapi_auth_request_method: pushed
-            fapi_response_mode: jarm
+            variant:
+              client_auth_type: 'mtls'
           - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: mtls
-            fapi_auth_request_method: pushed
-            fapi_response_mode: jarm
-            fapi_client_type: plain_oauth
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: mtls
-            fapi_response_mode: jarm
-            fapi_client_type: plain_oauth
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: private_key_jwt
-            fapi_auth_request_method: pushed
-            fapi_response_mode: jarm
-            fapi_client_type: plain_oauth
-          - plan: fapi1-advanced-final-client-test-plan
-            client_auth_type: private_key_jwt
-            fapi_response_mode: jarm
-            fapi_client_type: plain_oauth
+            variant:
+              fapi_response_mode: 'plain_response'
+              fapi_auth_request_method: 'by_value'
 
           # FAPI 2.0 Security Profile ID2
           - plan: fapi2-security-profile-id2-client-test-plan
-            client_auth_type: 'private_key_jwt'
-            sender_constrain: 'dpop'
+            variant:
+              client_auth_type: 'private_key_jwt'
+              sender_constrain: 'dpop'
           - plan: fapi2-security-profile-id2-client-test-plan
-            client_auth_type: 'private_key_jwt'
-            sender_constrain: 'mtls'
+            variant:
+              client_auth_type: 'private_key_jwt'
+              sender_constrain: 'mtls'
           - plan: fapi2-security-profile-id2-client-test-plan
-            client_auth_type: 'mtls'
-            sender_constrain: 'dpop'
+            variant:
+              client_auth_type: 'mtls'
+              sender_constrain: 'dpop'
           - plan: fapi2-security-profile-id2-client-test-plan
-            client_auth_type: 'mtls'
-            sender_constrain: 'mtls'
+            variant:
+              client_auth_type: 'mtls'
+              sender_constrain: 'mtls'
 
           # FAPI 2.0 Message Signing ID1
           - plan: fapi2-message-signing-id1-client-test-plan
-            client_auth_type: 'mtls'
-            sender_constrain: 'mtls'
+          - plan: fapi2-message-signing-id1-client-test-plan
+            variant:
+              fapi_client_type: 'plain_oauth'
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Set Conformance Suite Version
-        run: |
-          export VERSION=($(curl --silent "https://gitlab.com/api/v4/projects/4175605/releases" | jq -r '.[0].tag_name'))
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
       - name: Load Cached Conformance Suite Build
         uses: actions/cache@v4
         id: cache
@@ -132,25 +85,35 @@ jobs:
         run: |
           docker compose -f docker-compose-dev.yml up -d
           while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
-      - run: git clone --depth 1 --single-branch --branch main https://github.com/panva/openid-client-certification-suite.git runner
-      - uses: actions/setup-node@v4
+      - name: Setup node
+        uses: actions/setup-node@v4
         with:
           node-version: lts/iron # 20
           cache: 'npm'
       - run: npm clean-install
-        working-directory: ./runner
-      - run: npm install ${{ github.repository }}#${{ github.sha }}
-        working-directory: ./runner
-      - run: npm run test
-        working-directory: ./runner
+      - name: npm run conformance
+        run: |
+          set -o pipefail
+          npm run conformance | tee capture.txt
         env:
-          NODE_OPTIONS: --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384"
+          NODE_TLS_REJECT_UNAUTHORIZED: 0
+          SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
+          PLAN_NAME: ${{ matrix.setup.plan }}
+          VARIANT: ${{ toJSON(matrix.setup.variant) }}
+      - run: node ./conformance/.parse-logs.mjs capture.txt
       - name: Upload test artifacts
+        id: artifact-upload-step
         uses: actions/upload-artifact@v4
         with:
           path: |
-            runner/export-*.zip
-            runner/logs/*.log
-          name: certification results idx(${{ strategy.job-index }})
-          if-no-files-found: warn
-        if: ${{ failure() }}
+            *.zip
+            *.txt
+          name: conformance results idx(${{ strategy.job-index }})
+          if-no-files-found: error
+        if: ${{ always() }}
+      - if: ${{ success() }}
+        run: |
+          echo "### [:tada:](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/${{ steps.artifact-upload-step.outputs.artifact-id }})" >> $GITHUB_STEP_SUMMARY
+      - if: ${{ failure() }}
+        run: |
+          echo "### [:exclamation:](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/${{ steps.artifact-upload-step.outputs.artifact-id }})" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -6,6 +6,7 @@ on:
 
 jobs:
   lock:
+    if: ${{ github.repository == 'panva/openid-client' }}
     continue-on-error: true
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,7 @@ on:
 
 jobs:
   npm:
+    if: ${{ github.repository == 'panva/openid-client' }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -35,7 +36,12 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - run: git push origin $GITHUB_SHA:v5.x
+      - run: git push origin $GITHUB_SHA:v6.x
+      - run: git rm -r build
+      - run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git commit -m "chore: cleanup after release"
       - run: git push origin HEAD:main
 
   github:

diff --git a/.github/workflows/retry.yml b/.github/workflows/retry.yml
@@ -4,13 +4,14 @@ on:
   workflow_run:
     workflows:
       - Conformance Checks
+      - Test
     types:
       - completed
 
 jobs:
   retry:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.run_attempt == 1 }}
+    if: ${{ github.repository == 'panva/openid-client' && github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.run_attempt == 1 }}
     steps:
       - run: gh api -XPOST ${{ github.event.workflow_run.rerun_url }}-failed-jobs
         env: