v2.2.0

• added support for RFC8414 - OAuth 2.0 Authorization Server Metadata discovery
• encrypted_id_token property added to TokenSet instances with the value of the encrypted ID Token value before its decryption

v2.1.1

• fixed handling of bearer endpoint responses with www-authenticate headers only. (#102)

v2.1.0

• node-jose dependency bumped to major ^1.0.0 - fixes A\d{3}GCMKW symmetrical encryption support
• dependency updates

v2.0.4

• fixed circular when serializing OpenIdConnectError
• base64url dependency update

v2.0.3

• base64url dependency replaced with base64-url

v2.0.2

only dependency tree updates

v2.0.1

• fixed client_secret_basic requiring the username and password tokens to be x-www-form-urlencoded
  according to https://tools.ietf.org/html/rfc6749#section-2.3.1
  • NOTE: Although technically a fix, this is a breaking change when used with providers that also
    don't currently follow the standard. A proper way of submitting client_id and client_secret using client_secret_basic is Authorization: base64(formEncode(client_id):formEncode(client_secret)). If your client_id and client_secret does contain special characters that need encoding this does not affect you. If it does, try using client_secret_post instead.

v2.0.0

• dropped support for Node.js v4.x due to its End-of-Life on 2018-04-30
• removed deprecated client#grantAuth
• removed deprecated way of passing keystore directly to Client#register
• removed support for passing client to OpenIDConnectStrategy as single argument, use new Strategy({ client }) instead of new Strategy(client).
• fixed a bug requiring nonce to be passed for response_type=none

v1.20.0

• added documentation for OpenIdConnectError
• added error_uri from IdP responses to OpenIdConnectError instances
• fixed OpenIdConnectError messages to include error_description

v1.19.5

• Issuer.discover now parses the provided URI instead of just inspecting the string. #80