This change log is intended to record changes made across all packages contained within this mono-repo.
This project adheres to Semantic Versioning.
The following have been deprecated, and will be removed in future major releases.
- The
Session
class will no longer extendEventEmitter
. Instead, it will expose anevents
attribute implementingEventEmitter
. We do not recommand to use either aSession
instance or itsevents
attribute as an arbitrary events emitter, and encourage users to only use the supported events and documented API. Session
methodsonLogin
,onLogout
,onError
,onSessionRestore
,onSessionExpiration
,onNewRefreshToken
are deprecated in favor ofsession.events.on
called with the appropriate event name.
The following changes have been implemented but not released yet:
- Added
prompt
as a login option.
1.17.1 - 2023-07-15
- The
fetch
function is now bound to the window object in all uses withinauthn-browser
1.17.0 - 2023-07-14
- Support for RP-Initiated Logout in Node and Browser libraries.
- ESM support for Node and Browser packages.
1.16.0 - 2023-05-09
- Node 20 support
1.15.0 - 2023-04-17
- Node 18 support
1.14.0 - 2023-03-23
- The
Session
exposes anevents
attribute implementingEventEmitter
, with type hints to guide which events are supported. It allows to register a callback listening on events usingsession.events.on
, but also to unregister a callback usingsession.events.off
, or to register a one-off callback usingsession.events.once
. This attribute intends at replacing exisingSession
methods to listen on events, namelyonLogin
,onLogout
,onError
,onSessionRestore
,onSessionExpiration
,onNewRefreshToken
.
- The session expiration date was incorrectly computed in the authorization code flow.
1.13.4 - 2023-03-16
- v1.13.3 introduced a bug in the silent reload flow, resulting in a "Mismatching redirect URL" error when refreshing a page with an app logged in. This regression went unnoticed because of a misconfiguration of the browser-based test app that should have covered this scenario. Both issues are now resolved.
- The
Session
expiration date was not set in all contexts:session.info.expirationDate
wasn't set properly using Client Credentials.
-
Added
events
attribute to theSession
class to expose fullEventEmitter
API with type hints for each supported event. This allows to write code such as the following:const mySession = new Session(); mySession.events.on(EVENTS.LOGIN, () => { console.log("Logged in!") });
This is closer to the EventEmitter API, so it should be familiar to more developers.
- No longer remove the last issuer URL path component if it doesn't have a trailing slash: a bug was introduced in baac030d33163ba08dadebabdaf676450be7fa88, resulting in the issuer configuration discovery failing if the issuer URL had a path that did not end with a trailing slash. This is now fixed.
- The Client Credential flow had a bug where the expiration time set by the OpenID Provider for the token was ignored, and an arbitrary default was applied instead. This resulted in the session being unable to make authenticated requests, but still acting as if it were logged in. The session now uses the expiration time set by the OpenID Provider.
- Updated transitive dependencies to fix GHSA-rc47-6667-2j5j
- The redirect URL provided to the
login
function was being normalized, which could result in misalignments with the redirect URLs declared in a Client Identifier document, since the latter wasn't being normalized. The normalization step has now been removed, and the redirect provided by the user is sent to the OpenID Provider unchanged.
- Added support for RFC 9207
- Clean up
iss
parameter from redirect URL after redirect
- Upgrades dependencies
- Upgrades dependencies
- Multiple dependencies updates.
- Make support for Node engines explicit.
- Fix incompatible type definitions for
fetch
following changes to the typescript definitions.
- Support for Node.js v12.x has been dropped as that version has reached end-of-life.
- We've cleaned up dynamic client registration by removing support for the registrationAccessToken / initialAccessToken when performing the registration flow as this feature was never fully implemented. For Solid apps we recommend the use of a Public Client Identifier Document
- We've also removed support for the iframe-based session renewal, which was never fully implemented.
- Removed immediate use of
window
in Session constructor of the browser package
- the
useEssSession
option is deprecated, and the associated session endpoint is no longer used. Note that this option defaulted to false, and no public ESS instance was enabling this endpoint, so unless you were explicitly using this feature in an ESS instance you were running yourself, this change should not affect you. If you were using this in a demo app, you may want to clear its local storage.
- The refresh flow was broken for browser-based applications using a client identifier, leading to short session lifetime. Now that this is fixed, the background refresh will happen normally, and the session will remain active.
- The incoming redirect sometimes left OAuth parameters on the URL, despite already having consumed them, this only happened in certain error scenarios, but now the parameters will always be removed, such that the user doesn't get stuck at an error.
- The client credential flow as implemented by the Community Solid Server Identity Provider is now supported. See the documentation for more details.
- @inrupt/oidc-client-ext: remove ts-jest from package dependencies.
- The PKCE verifier is now cleared from storage as soon as it has been used in the token exchange, regardless of the token type (it used to not be cleared from part of the storage when getting a DPoP-bound token).
- Silent authentication is only attempted once, and no longer retries indefinitely on failure.
- Default values are provided for the OIDC Provider supported scopes if not present in the configuration. This fixes inrupt#1991.
No changes; fixed issue with npm publish.
- The HTU field of the DPoP header is now normalized to remove the query parameters. Thanks to @diegoaraujo for his first contribution to the project!
- The Solid-OIDC discovery implemented a deprecated method, and is now updated to align with the latest Solid-OIDC specification.
- Using a Client Identifier caused authentication issues at the token endpoint.
- Passing custom headers to a session's fetch as a Headers object would result in the headers being overlooked.
- As per the Solid-OIDC spec, the
webid
scope is now added to token requests. - The ID token is no longer kept in storage.
- Since
oidc-client
has been deprecated, and won't be maintained anymore, the OIDC package now depends on a fork,@inrupt/oidc-client
, so that we can ensure the dependencies are kept up-to-date. This should be transparent for users of@inrupt/solid-client-authn-browser
.
- When dynamically registering a Client to a Solid Identity Provider, the subject
type was incorrectly set to
pairwise
, instead ofpublic
. Onlypublic
makes sense in the context of Solid, where subjects (in this case, users) are uniquely identified by their WebID. This was disregarded by current Solid Identity Providers, so it should not have affected dependants, but it's technically more correct.
- The
prompt=consent
parameter was missing when redirecting the user to the Solid Identity Provider authorization endpoint. This prevented working with the Community Solid Server Identity Provider. - Proactive refreshing of the token prevented NodeJS from shutting down gracefully. Logging out now clear the timeout previously set, which resolves the issue.
- When dynamically registering a Client to a Solid Identity Provider, the subject
type was incorrectly set to
pairwise
, instead ofpublic
. Onlypublic
makes sense in the context of Solid, where subjects (in this case, users) are uniquely identified by their WebID. This was disregarded by current Solid Identity Providers, so it should not have affected dependants, but it's technically more correct.
- The
prompt=consent
parameter was missing when redirecting the user to the Solid Identity Provider authorization endpoint. This prevented working with the Community Solid Server Identity Provider.
- Use refresh tokens to keep the sesion alive: The browser client now requests a refresh token, and uses it when its access token is about to expire to get a new access token. This enables keeping a session alive for longer than the lifetime of a single access token.
- The
Session
class now exposes anonError
method, which is a hook where error-handling callbacks may be registered. - The
Session
class now exposes anonSessionExpiration
method, which is a hook where a callback may be registered to handle session expiration in the case when silent authentication fails.
- Trying to log a session in providing dynamically registered client credentials along with a refresh token was mistaken for a static client login, leading to an "Invalid client credentials" error.
- A transitive dependency used submodule exports, which aren't supported yet by significant parts of the ecosystem, such as Jest. With an internal change, we enabled using @inrupt/solid-client-authn-node without encountering submodule exports.
- DPoP-bound refresh tokens are now supported, which allows for an increased protection against refresh token extraction.
- Client credential grant: for Solid Identity Providers which support it, a client may statically register, and use the obtained credentials (client ID and secret) to log in to an Identity Provider. This is convenient in some cases, such as CI environment. However, it requires offline provider/client interaction, which does not scale well in the decentralized ecosystem of Solid. As such, it should only be used in specific cases, where the user is able to statically register their app to their identity provider (which requires some technical background).
- When not using a bundler that automatically provided a polyfill for Node.js
built-in modules, the
events
package had to be installed manually.
- Trying to call
Session.fetch
for a Session that had not yet authenticated would result in the following error: 'fetch' called on an object that does not implement interface Window.
- The SessionManager has been removed. Since there is no active use of this class that we are aware of, we are not bumping the major version for this.
- The SessionManager has been removed. Since there is no active use of this class that we are aware of, we are not bumping the major version for this.
- solid-client-authn-browser is no longer dependent on (polyfills being
available for) modules built into Node.js but not available in the browser,
except for
events
, which will be removed later. This should not cause any change in behaviour, but let us know if you encounter any issues.
- If
restorePreviousSession
was set to true, yet the user's session at their Pod server had expired, the Promise returned byhandleIncomingRedirect
would never resolve. - When initialising a new
Session
in Node, e.g. when doing server-side rendering, an error would be thrown about trying to accesswindow
.
- The
popUp
option for thelogin
method, although listed in the API docs, never had any effect. It has now been removed. - The Promise returned by
login
will no longer resolve, because no code is able to reliably run after it is called; it redirects the user away from the app and thereby terminates all running scripts.
- With Node.js version 10 reaching end-of-life on 2021-04-30, @inrupt/solid-client-authn-node no longer actively supports it. It will not stop working right away, but it will no longer be actively tested and no special effort will be made to keep it from breaking.
- Node.js version 16 is now supported.
- The workaround to maintain sessions in 1.6.1 has been disabled by default;
this means you should see no more (failed) calls to
/session
in your network console. If you want to make sure a session is preserved across page reloads, please see the documentation on using therestorePreviousSession
option. If you are working with an instance of ESS that still has the dedicated/session
you can still enable this workaround to maintain the previous behaviour.
The following sections document changes that have been released already:
- It is now possible to specify a callback when constructing a function in order to invoke custom code when the refresh token is rotated. This is useful for users who wish to run authenticated scripts, without implementing a brand new storage.
- The OIDC issuer profile is used to negotiate the preferred signature algorithm for ID tokens.
- During client registration, the client explicitly specifies both the 'refresh_token' and the 'authorization_code' grants as part of its profile, instead of only relying on scopes to get refresh tokens. Depending on the Identity Provider, the former behaviour could result in not getting refresh tokens.
- When the token endpoint returns an error message, it is now bubbled up properly.
- Building the browser package is now possible on Windows, thanks to more portable scripts.
- Asynchronous calls that lead to a redirection when restoring a session are now
blocking, to prevent the error associated to the message
Field [sessionId] for user [...] is not stored
that gets thrown when the user is redirected back from the identity provider.
- When loaded in the same environment (e.g. a full-stack NextJS app), it is no longer possible that the browser and node code get mixed together, resulting in code being executed in the wrong environment.
- A client WebID can now be provided as part of the
login
options. The library will check for compliance of the chosen Solid Identity Provider, and go use the provided client WebID or go through Dynamic Client Registration accordingly.
- Attempting to log in with a hash fragment in the redirect URL no longer throws, the hash fragment is simply discarded.
- The ID token is now validated when asking for DPoP-bound tokens, and not only when asking for a Bearer token.
- The OIDC parameters added to the redirect IRI by the Solid Identity Provider are no longer included in the redirect IRI provided at the token endpoint.
- The provided redirect IRI is now normalized.
- Fixed a typo in the TypeScript interface IHandleIncomingRedirectOptions.
- New option
useEssSession
forsession.handleIncomingRedirect
: Control to enable and disble the behaviour introduced in 1.4.0. If set to false, the/session
endpoint isn't looked up, and cookie-based auth is disabled. The behaviour is similar whenrestorePreviousSession
is true.
- Some components of the redirect URL are no longer lost after redirect, which prevents silent authentication from failing.
- The first parameter to
Session.handleIncomingRedirect
is now an options object. If you want to pass in the URL to handle, you can now do so by setting theurl
property on the options object. Passing the URL directly as the first argument (which has been optional since version 1.5.0, defaulting towindow.location.href
) is still possible, but is now deprecated and thus might be removed in a future major release.
- Version 1.6.0 automatically redirected the user away from your app after a
page refresh if they had signed in previously, losing all application state.
This now no longer happens; instead, you can opt in to automatically restoring
a user's session after reloading the page by passing a
restorePreviousSession
boolean tohandleIncomingRedirect
, and listening for thesessionRestore
event (or passing a callback toonSessionRestore
) to restore your application state. - No longer send PKCE-related information during DCR, when they are irrelevant.
validateIdToken
: A function to check that an ID token has been signed by the correct issuer, and that it contains some expected values.
- Added new
onSessionRestore
event toSession
(and default session) to allow the developer to register an event callback that will be called whenever a session is restored (e.g., due to a browser page refresh). The callback is given a URL parameter, which represents the current URL of the browser before the session restoration (to allow the developer to restore their app's state if needed, e.g., if the app is a Single Page App (SPA) and the developer wishes to restore the users 'current page' to exactly where they were before the refresh).
- Refreshing the page no longer logs the session out, no matter what Resource Server the data is collected from.
- When a session expires, the session is now marked as logged out, and a
logout
event is thrown. - The 'client_id' option, if specified as an option when logging in, is now stored in storage, ready to be retrieved again from storage when the login flow redirects back to the client application (previously it was only being stored if DCR was invoked).
- The issuer URL associated with the session is now necessarily the canonical issuer's URL, instead of potentially including/missing a trailing slash.
- Deprecated SessionManager
- The implicit flow is no longer supported. However, no known Solid Identity issuer only supports the implicit flow and not the auth code flow, and no user-facing controls enable choosing one's flow, so this has no user impact.
- store the user's issuer claim, specifically to 'localStorage' to allow retrieval on tab refresh.
- Logging out of an app opened in multiple tabs logged the user back in automatically.
handleIncomingRedirect
uses the current browser URL as a default value.
getSessionFromStorage
: a function to retrieve a session from storage based on its session ID (for multi-session management).getSessionIdFromStorageAll
: a function to retrieve the session IDs for all stored sessions.clearSessionFromStorageAll
: a function to clear all information about all sessions in storage.
- Any exception thrown by the custom
/session
endpoint lookup is swallowed.
- Building multiple sessions with the default storage re-initialized a new storage each time.
- The
onLogin
callback couldn't read session information, such as the WebID.
- For
solid-client-authn-node
, thesecureStorage
andinsecureStorage
are deprecated, and replaced bystorage
.
- The
Session
constructor in solid-client-authn-browser no longer referenceswindow
so that it can be instantiated in a non-window context (although it will continue to referene window.localstorage when you attempt to log in.)
- Updating the browser window will no longer log the user out if their WebID is
hosted on an ESS instance (such as https://pod.inrupt.com). A better, global
solution will be implemented later in order not to break compatibility in the
ecosystem. The current solution is based on a custom
/session
endpoint lookup, and a Resource Server cookie.
- Although still possible, it is now no longer required to manually instantiate
a new
Session
object when usingsolid-client-authn-browser
. Instead, you can directly importfetch
,login
,logout
andhandleIncomingRedirect
, which will instantiate a new Session implicitly behind the scenes. If you do need access to this Session, you can do so using the new functiongetDefaultSession
.
- The
session.info.isLoggedIn
property is now set to false on logout.
- Adds "main" entry to browser packages
- Credentials for statically registered clients weren't stored, which failed the token exchange.
ajv
was imported through a dependency instead of being explicitly declared as a direct dependency ofsolid-client-authn-core
- The
browser
entry in thepackage.json
was incorrect, leading to issues when bundling the library.
- The WebID is now REALLY set on the session when logging in a script. The initial fix introduced in 1.2.1 did compute the WebID from the identity provider response, but did not set it properly on the session.
The following sections document changes that have been released already:
- Addressed part of issue inrupt#684,
by providing a
browser
entry in thepackage.json
file. The ES modules export will be adressed in a different PR. - The WebID is now set on the session when logging in a script.
- When logging in with a refresh token (e.g. for a script), if the provided credentials are incorrect, an error is thrown.
- Support for authenticated scripts: It's now possible to provide a script with login parameters for a refresh token, a client ID and a client secret, which enables it to access private resources on Pods. This means that it's now easier to write small backend scripts which can interact with Pods in an automated way (i.e. no human interaction required).
- In some use cases (e.g. authenticating a script), logging in happens without a redirection. The architecture so far prevented this from being possible, and now after a login that does not require a redirect, the current session may be authenticated.
- Logging in a browser app will now clear OIDC-specific query params from the URL, which prevents a crash on refresh.
- issue #685 fixed by removing all URL query params after login, which prevents from crashing when reloading a page.
- updated version of
solid-common-vocab
to pull in common RDF/JS types.
- NodeJS support: a new NPM package,
@inrupt/solid-client-authn-node
, is now available to use authentication in a server environment. - In addition to the features supported by the browser version,
@inrupt/solid-client-authn-node
supports the refresh token grant, which makes it possible to maintain long-lived sessions without re-involving the user.
- Deriving the WebID from the ID token did not accept some valid IRIs in the subject claim, i.e. issued by a local instance of Node Solid Server.
There is no breaking change in this release, but from now on, as per semantic versioning, we will bump the major version when we change our publicly documented interface.
- The expiration claim has been removed from the DPoP token, where it is not needed.
- There were dependency upgrades.
- The package
@inrupt/oidc-dpop-client-browser
is now called@inrupt/oidc-client-ext
. - The public API doesn't expect environement-specific types anymore. in particular,
URL
has been replaced withstring
.
- It is now possible to build a
Session
without callinggetClientAuthenticationWithDependencies
, which results in simpler code.
- If
handleLogin
is called twice, the token endpoint is only hit once, because it might reject replay of the authorization code. - A DPoP-authenticated request now follow redirects (in particular, forgetting the trailing
/
for a container no longer returns 401).
- TestCafe test suite now tests with real tests against both NSS and ESS.
- The support for DPoP was re-implemented in @inrupt/oidc-client-dpop-browser, such that the DPoP JWK is never stored, and only kept inside the closure of the authenticated fetch.
- The Authorization header was not set properly, which made it impossible to access private resources.
- The types consumed/returned by the API are now exported for convenience.
- The URL parsing library did not parse properly some redirection IRIs, this is now fixed.
- The dynamic client registration could hang depending on the environment it was deployed in, this is now resolved.
- The
login
event was never actually fired because of a bug which is now fixed.
- Fixed typo in
detachSession
function name for the browserSessionManager
.
- Uses oidc-client-js now to perform the Auth Code Flow (replacing lots of hand-rolled code).
- Source files are now also published to npm, so source maps should work from now on.
- Fixed typo in
detachSession
function name for the browserSessionManager
.
- Browser
- Login now clears the local storage, so that you can log into a different server even if not logged out properly.
- Created multiple sub-packages, specifically the core and oidc-dpop-client-browser.
- Moved interfaces down into Core.
- Removed TSyringe annotations from the implementation of StorageUtility in the Core package and extended it in the browser module (where they we re-applied to allow injection again).
- Refactored the StorageUtility code to fix up mock usage.
- Moved to Lerna (currently only the browser module is available).
- Browser:
- The code wasn't shipped properly when publishing a non-dev release to NPMJS.
First release! What's possible with this first release:
- Authenticate a Web app to a Solid Identity provider
- Perform an authenticated fetch to a Pod Server, using a DPoP token