Skip to content

Latest commit

 

History

History
2827 lines (1820 loc) · 161 KB

CHANGELOG.md

File metadata and controls

2827 lines (1820 loc) · 161 KB

This file is no longer being updated and kept for historical reasons. Please check the GitHub releases instead!

Table of Contents

0.0.0 (2022-09-22)

Breaking Changes

Please be aware that several internal APIs have changed, as well as public methods. Most notably, we added the context to all Write* metods.

 type OAuth2Provider interface {
-    WriteAuthorizeError(rw http.ResponseWriter, requester AuthorizeRequester, err error)
+    WriteAuthorizeError(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, err error)

-    WriteAuthorizeResponse(rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)
+    WriteAuthorizeResponse(ctx context.Context, rw http.ResponseWriter, requester AuthorizeRequester, responder AuthorizeResponder)

-    WriteAccessError(rw http.ResponseWriter, requester AccessRequester, err error)
+    WriteAccessError(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, err error)

-    WriteAccessResponse(rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)
+    WriteAccessResponse(ctx context.Context, rw http.ResponseWriter, requester AccessRequester, responder AccessResponder)

-    WriteRevocationResponse(rw http.ResponseWriter, err error)
+    WriteRevocationResponse(ctx context.Context, rw http.ResponseWriter, err error)

-    WriteIntrospectionError(rw http.ResponseWriter, err error)
+    WriteIntrospectionError(ctx context.Context, rw http.ResponseWriter, err error)

-    WriteIntrospectionResponse(rw http.ResponseWriter, r IntrospectionResponder)
+    WriteIntrospectionResponse(ctx context.Context, rw http.ResponseWriter, r IntrospectionResponder)
 }

The default config struct has moved from package github.com/ory/fosite/compose.Config to github.com/ory/fosite.Config. Struct github.com/ory/fosite.Fosite no longer has any configuration parameters itself.

Please note that the HMAC / global secret has to be set no longer in the compose call, but in the config initialization:

-compose.ComposeAllEnabled(&compose.Config{}, store, secret, privateKey)
+compose.ComposeAllEnabled(&fosite.Config{GlobalSecret: secret}, store, privateKey)

Many internal interfaces have been changed, usually adding ctx context.Context as the first parameter.

Bug Fixes

Code Refactoring

  • config: Support hot reloading (1661401), closes #666:

    This patch updates the config system to be replacable and uses functions instead of struct fields. This allows implementing hot reloading mechanisms easily.

  • Move to go 1.17 (d9d0fed)

Features

  • Add ory_at|pt|ac prefixes to HMAC tokens (b652335):

    See ory/hydra#2845

  • Add json mappings to default session and its contents (#688) (d8ecac4)

  • Add json mappings to generic session to match openid session (#690) (2386b25)

  • Implement client token lifespan customization (#684) (cfffe8c):

    This change introduces the ability to control the lifespan of tokens for each valid combination of Client, GrantType, and TokenType.

  • Introduce cache strategy for JWKS fetcher (452f377)

  • Make http source contextualized (9fc89e9)

  • PAR implementation (#660) (3de78db), closes #628:

    Implements RFC9126 - Pushed Authorization Request.

  • Support variety of JWT formats when jose.JSONWebKey is used (2590eb8)

Tests

Unclassified

  • Revert "chore: delete .circleci folder (#699)" (#705) (ef753d5), closes #699 #705:

    This reverts commit 2eea63bddcbdf50771adf670391e495e339f619f since CircleCI is still used here.

0.42.2 (2022-04-17)

autogen(docs): regenerate and update changelog

Bug Fixes

  • Always rollback (#638) (7edf673), closes #637

  • Empty client secret via basic auth header means "none" authn (#655) (7a2d972), closes /github.com/golang/oauth2/blob/ee480838109b20d468babcb00b7027c82f962065/internal/token.go#L174-L176:

    The existing client authentication code treats an empty client_secret query parameter to be equivalent to "none" authentication instead of "client_secret_post."

    This change updates the basic auth check to be consistent with this. That is, an empty secret via the basic auth header is considered to mean "none" instead of "client_secret_basic."

    The "golang.org/x/oauth2" library probes for both methods of authentication, starting with the basic auth header approach first.

    As required, both client ID and secret are encoded in one header:

  • Handle invalid_token error for refresh_token is expired (#664) (76bb274)

  • Handle token_inactive error for multiple concurrent refresh requests (#652) (7c8f4ae):

    See ory/hydra#3004

  • Url-encode the fragment in the redirect URL of the authorize response (#649) (beec138), closes #648:

    This patch reverts the encoding logic for the fragment of the redirect URL returned as part of the authorize response to what was the one before version 0.36.0. In that version, the code was refactored and the keys and values of the fragment ceased to be url-encoded. This in turn reflected on all Ory Hydra versions starting from 1.9.0 and provoked a breaking change that made the parsing of the fragment impossible if any of the params contain a character like & or = because they get treated as separators instead of as text

  • Use the correct algorithm for at_hash and c_hash (#659) (8cb4b4b), closes #630

Code Generation

  • docs: Regenerate and update changelog (5dbfa9a)

Documentation

  • Add deprecation to communicate ropc discouragement (#665) (df491be):

    This adds godoc deprecations to the compose.OAuth2ResourceOwnerPasswordCredentialsFactory and oauth2.ResourceOwnerPasswordCredentialsGrantHandler in order to clearly communicate the discouragement of the ROPC grant type to users implementing this library.

Features

0.42.1 (2022-02-03)

autogen(docs): regenerate and update changelog

Code Generation

  • docs: Regenerate and update changelog (dcc6550)

Features

  • Support FormPostHTMLTemplate config for fosite (#647) (570ce3f), closes #646

0.42.0 (2022-01-06)

autogen(docs): regenerate and update changelog

Code Generation

  • docs: Regenerate and update changelog (cf2c545)

Features

  • Add new function to TokenRevocationStorage to support refresh token grace-period (#635) (9b40d03)

0.41.0 (2021-11-13)

autogen(docs): regenerate and update changelog

Bug Fixes

Code Generation

  • docs: Regenerate and update changelog (1777ad5)

Code Refactoring

  • Upgrade go-jose to decode JSON numbers into int64 (#603) (c02d327), closes #602

Documentation

Features

0.40.2 (2021-05-28)

feat: use int64 type for claims with timestamps (#600)

Co-authored-by: Nestor nesterran@gmail.com

Features

  • Use int64 type for claims with timestamps (#600) (c370994)

0.40.1 (2021-05-23)

fix: revert float64 auth_time claim (#599)

Closes #598

Bug Fixes

0.40.0 (2021-05-21)

feat: transit from jwt-go to go-jose (#593)

Closes #514

Co-authored-by: hackerman 3372410+aeneasr@users.noreply.github.com

Bug Fixes

  • 582memory store authentication error code (#583) (51b4424)
  • Do not include nonce in ID tokens when not used (#570) (795dee2)
  • Sha alg name in error message and go doc (#571) (0f2e289)
  • Upgrade gogo protubuf (#573) (9a9467a)

Code Refactoring

Documentation

Features

Tests

  • Change sha algorithm name acc to standard naming (#572) (a3594a3)

0.39.0 (2021-03-08)

feat: token reuse detection (#567)

See ory/hydra#2022

Features

0.38.0 (2021-02-23)

feat: add ClientAuthenticationStrategy extension point (#565)

Closes #564

Breaking Changes

Replaces token_expired error ID with invalid_token which is the correct value according to https://tools.ietf.org/html/rfc6750#section-3.1

Bug Fixes

  • Use correct error code for expired token (#562) (56a71e5)

Features

  • Add ClientAuthenticationStrategy extension point (#565) (ec0bec2), closes #564

0.37.0 (2021-02-05)

feat: add support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523� (#560)

Closes #546 Closes #305

Co-authored-by: Vladimir Kalugin v.p.kalugin@tinkoff.ru Co-authored-by: i.seliverstov i.seliverstov@tinkoff.ru

Bug Fixes

Features

  • Add support for urn:ietf:params:oauth:grant-type:jwt-bearer grant type RFC 7523� (#560) (9720241), closes #546 #305

0.36.1 (2021-01-11)

chore: bump deps

Bug Fixes

  • Broken dependency to reflection package (#555) (a103222)

Chores

Code Refactoring

0.36.0 (2020-11-16)

fix: be more permissive in time checks

Time equality should not cause failures in OpenID Connect validation.

Breaking Changes

This patch removes fields error_hint, error_debug from error responses. To use the legacy error format where these fields are included, set UseLegacyErrorFormat to true in your compose config or directly on the Fosite struct. If UseLegacyErrorFormat is set, the error_description no longer merges error_hint nor error_debug messages which reverts a change introduced in v0.33.0. Instead, error_hint and error_debug are included and the merged message can be constructed from those fields.

As part of this change, the error interface and its fields have changed:

  • RFC6749Error.Name was renamed to RFC6749Error.ErrorField.
  • RFC6749Error.Description was renamed to RFC6749Error.DescriptionField.
  • RFC6749Error.Hint was renamed to RFC6749Error.HintField.
  • RFC6749Error.Code was renamed to RFC6749Error.CodeField.
  • RFC6749Error.Hint was renamed to RFC6749Error.HintField.
  • RFC6749Error.WithCause() was renamed to RFC6749Error.WithWrap() *RFC6749Error and alternatively to RFC6749Error.Wrap() (without return value) to standardize naming conventions around the new Go 1.14+ error interfaces.

As part of this change, methods GetResponseMode, SetDefaultResponseMode, GetDefaultResponseMode where added to interface AuthorizeRequester. Also, methods GetQuery, AddQuery, and GetFragment were merged into one function GetParameters and AddParameter on the AuthorizeResponder interface. Methods on AuthorizeRequest and AuthorizeResponse changed accordingly and will need to be updated in your codebase. Additionally, the field Debug was renamed to DebugField and a new method Debug() string was added to RFC6749Error.

Co-authored-by: hackerman 3372410+aeneasr@users.noreply.github.com

Bug Fixes

  • Allow all request object algs when client value is unset (1d14636):

    Allows all request object signing algorithms when the client has not explicitly allowed a certain algorithm. This follows the spec:

    *request_object_signing_alg - OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.

  • Always return non-error response for inactive tokens (#517) (5f2cae3)

  • Be more permissive in time checks (839d000):

    Time equality should not cause failures in OpenID Connect validation.

  • Do not accidentally leak jwks fetching errors (6d2092d), closes /github.com/ory/fosite/pull/526#discussion_r517491738

  • Do not require nonce for hybrid flows (de5c8f9):

    This patch resolves an issue where nonce was required for hybrid flows, which does not comply with the OpenID Connect conformity test suite, specifically the oidcc-ensure-request-without-nonce-succeeds-for-code-flow test.

  • Guess default response mode in NewAuthorizeRequest (a2952d7)

  • Improve claims handling for jwts (a72ca9a)

  • Improve error stack wrapping (620d4c1)

  • Kid header is not required for key lookup (27cc5c0)

  • Modernized JWT stateless introspection (#519) (a6bfb92)

  • Only use allowed characters in error_description (431f9a5), closes #525:

    Replace LF and quotes with . and ' to match allowed and recommended character set defined in various RFCs.

  • Prevent debug details from leaking during key lookup (c0598fb), closes /github.com/ory/fosite/pull/526#discussion_r517490461

  • Reset jti and hash ID token claims on refresh (#523) (ce2de73)

  • Use state from request object (8cac1a0):

    Resolves failing OIDC conformity test "oidcc-request-uri-unsigned".

Code Refactoring

  • Use rfc compliant error formating (edbbda3)

Documentation

Features

  • Add support for response_mode=form_post (#509) (3e3290f):

    This patch introduces support for response_mode=form_post as well as response_mode of none and query and fragment.

    To support this new feature your OAuth2 Client must implement the fosite.ResponseModeClient interface. We suggest to always return all response modes there unless you want to explicitly disable one of the response modes:

    func (c *Client) GetResponseModes() []fosite.ResponseModeType {
    	return []fosite.ResponseModeType{
    		fosite.ResponseModeDefault,
    		fosite.ResponseModeFormPost,
    		fosite.ResponseModeQuery,
    		fosite.ResponseModeFragment,
    	}
    }
  • Improve error messages (#513) (fcac5a6)

  • Introduce WithExposeDebug to error interface (625a521)

  • Support passing repeated audience parameter in URL query (#518) (47f2a31), closes #504:

    Added GetAudiences helper function which tries to have current behavior and also support multiple/repeated audience parameters. If there are parameter is repeated, then it is not split by space. If there is only one then it is split by space. I think this is the best balance between standard/backwards behavior and allowing repeated parameter and allowing also URIs/audiences with spaces in them (which we probably all agree is probably not something anyone should be doing).

    Also added ExactAudienceMatchingStrategy which is slightly more suitable to use for audiences which are not URIs. In OIDC spec audience is described as:

    Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

    client_id is generally not an URI, but some UUID or some other random string.

0.35.1 (2020-10-11)

autogen(docs): regenerate and update changelog

Bug Fixes

Code Generation

  • docs: Regenerate and update changelog (c598cc7)

Documentation

Features

  • Allow configuring redirect secure checker everywhere (#489) (e87d091)
  • Scope can now be space delimited in access tokens (#482) (8225935), closes #362

0.35.0 (2020-10-06)

autogen(docs): regenerate and update changelog

Breaking Changes

Type fosite.TokenType has been renamed to fosite.TokenUse.

Bug Fixes

Code Generation

  • docs: Regenerate and update changelog (3f0bc87)

0.34.1 (2020-10-02)

fix: make redirect URL checking more strict

The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal:

  1. Registering a client with allowed redirect URL https://example.com/callback
  2. Performing OAuth2 flow and requesting redirect URL https://example.com/callback?bar=foo
  3. Instead of an error, the browser is redirected to https://example.com/callback?bar=foo with a potentially successful OAuth2 response.

Additionally, matching Redirect URLs used strings.ToLower normalization:

  1. Registering a client with allowed redirect URL https://example.com/callback
  2. Performing OAuth2 flow and requesting redirect URL https://example.com/CALLBACK
  3. Instead of an error, the browser is redirected to https://example.com/CALLBACK with a potentially successful OAuth2 response.

This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.

Bug Fixes

  • Make redirect URL checking more strict (cdee51e):

    The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal:

    1. Registering a client with allowed redirect URL https://example.com/callback
    2. Performing OAuth2 flow and requesting redirect URL https://example.com/callback?bar=foo
    3. Instead of an error, the browser is redirected to https://example.com/callback?bar=foo with a potentially successful OAuth2 response.

    Additionally, matching Redirect URLs used strings.ToLower normalization:

    1. Registering a client with allowed redirect URL https://example.com/callback
    2. Performing OAuth2 flow and requesting redirect URL https://example.com/CALLBACK
    3. Instead of an error, the browser is redirected to https://example.com/CALLBACK with a potentially successful OAuth2 response.

    This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.

Documentation

0.34.0 (2020-09-24)

chore: fix unused const linter error (#484)

Breaking Changes

fosite.ErrRevocationClientMismatch was removed because it is not part of RFC 6749. Instead, fosite.ErrUnauthorizedClient will be returned when calling RevokeToken with an OAuth2 Client which does not match the Access or Refresh Token to be revoked.

Bug Fixes

Chores

Features

Unclassified

  • Merge pull request from GHSA-7mqr-2v3q-v2wm (03dd558)

0.33.0 (2020-09-16)

feat: error_hint and error_debug are now exposed through error_description (#460)

BREAKING CHANGE: Merges the error description with error hint and error debug, making it easier to consume error messages in standardized OAuth2 clients.

Breaking Changes

Merges the error description with error hint and error debug, making it easier to consume error messages in standardized OAuth2 clients.

Features

  • Error_hint and error_debug are now exposed through error_description (#460) (8daab21)

0.32.4 (2020-09-15)

autogen(docs): regenerate and update changelog

Code Generation

  • docs: Regenerate and update changelog (1f16df0)

Code Refactoring

  • Fix inconsistent spelling of revocation (#477) (7a55edb)

Documentation

0.32.3 (2020-09-12)

fix: add missing OAuth2TokenRevocationFactory to ComposeAllEnabled (#472)

Bug Fixes

Code Refactoring

Documentation

Features

0.32.2 (2020-06-22)

feat: new factory with default issuer for JWT tokens (#444)

Features

  • New factory with default issuer for JWT tokens (#444) (901e206)

0.32.1 (2020-06-05)

feat: makeRemoveEmpty public (#443)

Bug Fixes

  • Improved error messages in client authentication (#440) (c06e560), closes #436

Features

0.32.0 (2020-05-28)

feat: added support for ES256 token strategy and client authentication (#439)

I added to DefaultOpenIDConnectClient a field TokenEndpointAuthSigningAlgorithm to be able to configure what GetTokenEndpointAuthSigningAlgorithm returns. I also cleaned some other places where there were assumptions about only RSA keys.

Closes #429

Bug Fixes

  • arguments: Fixes a logic bug in MatchesExact and adds documentation (#433) (10fd67b):

  • Double-decoding of client credentials in request body (#434) (48c9b41):

    I noticed that client credentials are URL-decoded after being extracted from the POST body form, which was already URL-decoded by Go. The accompanying error message suggests this was copied and pasted from the HTTP basic authorization header handling, which is the only place where the extra URL-decoding was needed (as per the OAuth 2.0 spec). The result is that client credentials containing %-prefixed sequences, whether valid sequences or not, are going to fail validation.

    Remove the extra URL decoding. Add tests that ensure client credentials work with special characters in both the HTTP basic auth header and in the request body.

Documentation

Features

  • Added support for ES256 token strategy and client authentication (#439) (36eb661), closes #429:

    I added to DefaultOpenIDConnectClient a field TokenEndpointAuthSigningAlgorithm to be able to configure what GetTokenEndpointAuthSigningAlgorithm returns. I also cleaned some other places where there were assumptions about only RSA keys.

0.31.3 (2020-05-09)

feat(pkce): add EnforcePKCEForPublicClients config flag (#431)

Alternative proposal for the issue discussed in #389 and #391, where enforcement of PKCE is wanted only for certain clients.

Add a new flag EnforcePKCEForPublicClients which enforces PKCE only for public clients. The error hint is slightly different, as it mentions PKCE is enforced for "this client" rather than "clients". (It intentionally does not mention why it's enforced, as I think basing it on public clients is an implementation detail that servers may want to change without adding to the error hints).

Closes #389 Closes #391

Bug Fixes

  • Do not issue refresh tokens to clients who cannot use it (#430) (792670d), closes #370

Features

0.31.2 (2020-04-16)

fix: introduce better linting pipeline and resolve Go issues (#428)

Bug Fixes

  • Introduce better linting pipeline and resolve Go issues (#428) (e02f731)

0.31.1 (2020-04-16)

fix: return invalid_grant instead of invalid_request in refresh flow (#427)

Return invalid_grant instead of invalid_request when in authorization code flow when the user is not the owner of the authorization code or if the redirect uri doesn't match from the authorization request.

Co-authored-by: Damien Bravin damienbr@users.noreply.github.com

Bug Fixes

  • List all response types in example memory store (#413) (427d40d), closes #304

  • Return invalid_grant instead of invalid_request in refresh flow (#427) (f5a0e96):

    Return invalid_grant instead of invalid_request when in authorization code flow when the user is not the owner of the authorization code or if the redirect uri doesn't match from the authorization request.

  • storage: Remove unused field (#422) (d2eb3b9), closes #417

  • storage: Remove unused methods (#417) (023bdcf)

Documentation

0.31.0 (2020-03-29)

Merge pull request from GHSA-v3q9-2p3m-7g43

  • u

  • u

Unclassified

  • Merge pull request from GHSA-v3q9-2p3m-7g43 (0c9e0f6):

    • u

    • u

0.30.6 (2020-03-26)

fix: handle serialization errors that can be thrown by call to 'Commit' (#403)

Bug Fixes

  • Handle serialization errors that can be thrown by call to 'Commit' (#403) (35a1558)

Documentation

  • Update forum and chat links (b1ba04e)

0.30.5 (2020-03-25)

fix: handle concurrent transactional errors in the refresh token grant handler (#402)

This commit provides the functionality required to address ory/hydra#1719 & ory/hydra#1735 by adding error checking to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method so it can deal with errors due to concurrent access. This will allow the authorization server to render a better error to the user-agent.

No longer returns fosite.ErrServerError in the event the storage. Instead a wrapped fosite.ErrNotFound is returned when fetching the refresh token fails due to it no longer being present. This scenario is caused when the user sends two or more request to refresh using the same token and one request gets into the handler just after the prior request finished and successfully committed its transaction.

Adds unit test coverage for transaction error handling logic added to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method

Bug Fixes

  • Handle concurrent transactional errors in the refresh token grant handler (#402) (b17190b):

    This commit provides the functionality required to address ory/hydra#1719 & ory/hydra#1735 by adding error checking to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method so it can deal with errors due to concurrent access. This will allow the authorization server to render a better error to the user-agent.

    No longer returns fosite.ErrServerError in the event the storage. Instead a wrapped fosite.ErrNotFound is returned when fetching the refresh token fails due to it no longer being present. This scenario is caused when the user sends two or more request to refresh using the same token and one request gets into the handler just after the prior request finished and successfully committed its transaction.

    Adds unit test coverage for transaction error handling logic added to the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method

0.30.4 (2020-03-17)

fix: add ability to specify amr values natively in id_token payload (#401)

See ory/hydra#1756

Bug Fixes

0.30.3 (2020-03-04)

fix: Support RFC8252#section-7.3 Loopback Interface Redirection (#400)

Closes #284

Bug Fixes

Documentation

  • Add undocumented ExactScopeStrategy (#395) (387cade)
  • Updates issue and pull request templates (#393) (cdefb3e)
  • Updates issue and pull request templates (#394) (119e6ab)

Features

  • Add ExactOne and MatchesExact to Arguments (#399) (cf23400):

    Previously Arguments.Exact had vague semantic where it coudln't distinguish between value with a space and multiple values. Split it into 2 functions with clear semantic.

    Old .Exact() remains for compatibility and marked as deprecated

0.30.2 (2019-11-21)

Return state parameter in authorization error conditions (#388)

Related to ory/hydra#1642

Unclassified

0.30.1 (2019-09-23)

pkce: Enforce verifier formatting (#383)

Unclassified

0.30.0 (2019-09-16)

handler/pkce: Enable PKCE for private clients (#382)

Unclassified

  • handler/pkce: Enable PKCE for private clients (#382) (e21830e), closes #382

  • Add RefreshTokenScopes Config (#371) (bcc7859), closes #371:

    When set to true, this will return refresh tokens even if the user did not ask for the offline or offline_access Oauth Scope.

0.29.8 (2019-08-29)

handler/revoke: respecting ErrInvalidRequest code (#380)

This commit modifies the case for ErrInvalidRequest in WriteRevocationResponse to respect the 400 error code and not fallthrough to ErrInvalidClient.

Author: DefinitelyNotAGoat baldrich@protonmail.com

Documentation

  • Updates issue and pull request templates (#376) (165e93e)
  • Updates issue and pull request templates (#377) (40590cb)
  • Updates issue and pull request templates (#378) (54426bb)

Unclassified

  • handler/revoke: respecting ErrInvalidRequest code (#380) (cc34bfb), closes #380:

    This commit modifies the case for ErrInvalidRequest in WriteRevocationResponse to respect the 400 error code and not fallthrough to ErrInvalidClient.

    Author: DefinitelyNotAGoat baldrich@protonmail.com

0.29.7 (2019-08-06)

pkce: Return error when PKCE is used with private clients (#375)

Documentation

  • Fix method/struct documents (#360) (ad06f22)
  • Updates issue and pull request templates (#361) (35157e2)
  • Updates issue and pull request templates (#365) (90a3c50)
  • Updates issue and pull request templates (#366) (27c64ec)
  • Updates issue and pull request templates (#367) (01cd955)
  • Updates issue and pull request templates (#373) (5962474)
  • Updates issue and pull request templates (#374) (9f7cf40)

Unclassified

  • Create FUNDING.yml (1b7b479)
  • Return error when PKCE is used with private clients (#375) (7219387)

0.29.6 (2019-04-26)

openid: Allow promp=none for https/localhost (#359)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified

  • Allow promp=none for https/localhost (#359) (27bbe00)

0.29.5 (2019-04-25)

core: Add debug log to invalid_client error(#358)

Signed-off-by: nerocrux nerocrux@gmail.com

Unclassified

  • Add debug log to invalid_client error(#358) (dce3111)

0.29.3 (2019-04-17)

Export IsLocalhost

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified

  • Export IsLocalhost (a95ea09)
  • Improve IsRedirectURISecure check (d6f8962)

0.29.2 (2019-04-11)

Allow providing a custom redirect URI checker (#355)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified

  • Allow providing a custom redirect URI checker (#355) (3d16e39), closes #355

0.29.1 (2019-03-27)

token: Improve rotated secret error reporting in HMAC strategy (#354)

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified

  • Improve rotated secret error reporting in HMAC strategy (#354) (f21d930)

  • Propagate session data properly (#353) (5ba0f04):

    This example is slightly inaccurate; the session data will need to come from the returned AccessRequester, not the pre-created session. The session passed to IntrospectToken isn't mutated.

  • Remove useless details fn receiver (#349) (af403c6)

  • Update HISTORY.md, README.md, CONTRIBUTING.md (#347) (de5e61e):

    • README: Breaks out 0.26.0 as was stuck inside a code block.
    • README: Ensures the later versions formats code blocks as Go code.
    • Runs doctoc to ensure TOCs are up to date.

0.29.0 (2018-12-23)

oauth2: add test coverage to exercise the transactional support in the AuthorizeExplicitGrantHandler's PopulateTokenEndpointResponse method.

Signed-off-by: Amir Aslaminejad aslaminejad@gmail.com

Unclassified

  • Add mock for storage.Transactional + update generate-mocks.sh (03f7bc8)
  • Add test coverage to exercise the transactional support in the AuthorizeExplicitGrantHandler's PopulateTokenEndpointResponse method. (2f58f9e)
  • Add test coverage to exercise the transactional support in the RefreshTokenGrantHandler's PopulateTokenEndpointResponse method. (b38d7c8)
  • Adds new interface Transactional which is to be implemented by storage providers that can support transactions. (c364b33)
  • Don't double encode URL fragments (#346) (1f41934), closes #345
  • Use transactions in the auth code token flow (if the storage implementation implements the Transactional interface) to address #309 (e00c567)
  • Use transactions in the refresh token flow (if the storage implementation implements the Transactional interface) to address #309 (07d1a39)

0.28.1 (2018-12-04)

compose: Expose token entropy setting (#342)

Signed-off-by: nerocrux nerocrux@gmail.com

Unclassified

0.28.0 (2018-11-16)

oauth2: Add ability to specify refresh token lifespan (#337)

Set it to -1 to disable this feature. Defaults to 30 days.

Closes #319

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Add ability to specify refresh token lifespan (#337) (fa65408), closes #319:

    Set it to -1 to disable this feature. Defaults to 30 days.

0.27.4 (2018-11-12)

docs: Fix quickstart (#335)

  • replace NewMemoryStore with NewExampleStore
  • fix length of signing key
  • fix config type

Signed-off-by: Peter Schultz peter.schultz@classmarkets.com

Documentation

  • Fix quickstart (#335) (25cc6c4):

    • replace NewMemoryStore with NewExampleStore
    • fix length of signing key
    • fix config type

Unclassified

0.27.3 (2018-11-08)

oauth2: Set exp for authorize code issued by hybrid flow (#333)

Signed-off-by: nerocrux nerocrux@gmail.com

Unclassified

  • Set exp for authorize code issued by hybrid flow (#333) (d275e84)

0.27.2 (2018-11-07)

pkce: Allow hybrid flows (#328)

Signed-off-by: Adam Shannon adamkshannon@gmail.com Signed-off-by: Wenhao Ni niwenhao@gmail.com

Unclassified

0.27.1 (2018-11-03)

oauth2: Improve refresh security and reliability (#332)

This patch resolves several issues regarding the refresh flow. First, an issue has been resolved which caused the audience to not be set in the refreshed access tokens.

Second, scope and audience are validated against the client's whitelisted values and if the values are no longer allowed, the grant is canceled.

Closes #331 Closes #325 Closes #324

Unclassified

  • Improve refresh security and reliability (#332) (4e4121b), closes #331 #325 #324:

    This patch resolves several issues regarding the refresh flow. First, an issue has been resolved which caused the audience to not be set in the refreshed access tokens.

    Second, scope and audience are validated against the client's whitelisted values and if the values are no longer allowed, the grant is canceled.

0.27.0 (2018-10-31)

oauth2: Update jwt access token interface (#330)

The interface needed to change in order to natively handle the audience claim.

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Introduce audience capabilities (#327) (e2441d2), closes #326:

    This patch allows clients to whitelist audiences and request that audiences are set for oauth2 access and refresh tokens

  • Update jwt access token interface (#330) (2da9764):

    The interface needed to change in order to natively handle the audience claim.

0.26.1 (2018-10-25)

hash: Raise bcrypt cost factor lower bound (#321)

Users of this library can easily create the following:

hasher := fosite.BCrypt{} hasher.Hash(..)

This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt).

Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed.

Signed-off-by: Adam Shannon adamkshannon@gmail.com

Unclassified

  • Fix Config.GetHashCost godoc comment (#320) (4d2b119)

  • Fix doc typo (#322) (239b1ed)

  • Raise bcrypt cost factor lower bound (#321) (799fc70):

    Users of this library can easily create the following:

    hasher := fosite.BCrypt{} hasher.Hash(..)

    This is a problem because WorkFactor will default to 0 and x/crypto/bcrypt will default that to 4 (See https://godoc.org/golang.org/x/crypto/bcrypt).

    Instead this should be some higher cost factor. Callers who need a lower WorkFactor can still lower the cost, if needed.

0.26.0 (2018-10-24)

all: Rearrange commits with goreturns

Signed-off-by: aeneasr aeneas@ory.sh

Unclassified

  • Allow customization of JWT claims (f97e451)
  • Rearrange commits with goreturns (211b43b)

0.25.1 (2018-10-23)

handler/openid: Populate at_hash in explicit/refresh flows (#315)

Signed-off-by: Wenhao Ni niwenhao@gmail.com

Documentation

  • Updates issue and pull request templates (#313) (53c7b55)
  • Updates issue and pull request templates (#314) (73ae623)
  • Updates issue and pull request templates (#316) (64299bb)

Unclassified

  • handler/openid: Populate at_hash in explicit/refresh flows (#315) (189589c), closes #315
  • Fix typo in README.md (#312) (dcb83ae), closes #312

0.25.0 (2018-10-08)

Fix broken go modules tests (#311)

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Fix broken go modules tests (#311) (02ea4b1), closes #311
  • Switch from dep to go modules (#310) (ac46a67), closes #310

0.24.0 (2018-09-27)

Propagate context in jwt strategies (#308)

Closes #307

Signed-off-by: Prateek Malhotra someone1@gmail.com

Unclassified

  • Propagate context in jwt strategies (#308) (e1e18d6), closes #308 #307
  • Use test tables for Hasher unit tests (#306) (499af11), closes #306

0.23.0 (2018-09-22)

Add breaking change to the Hasher interface to the change log

Signed-off-by: Amir Aslaminejad aslaminejad@gmail.com

Unclassified

  • Add breaking change to the Hasher interface to the change log (805e0e9)
  • Update BCrypt to adhere to new Hasher interface (938e50a)
  • Update Hasher to take in context (02f19fa)

0.22.0 (2018-09-19)

jwt: update JWTStrategy to take in context (#302)

Signed-off-by: Amir Aslaminejad aslaminejad@gmail.com

Unclassified

  • Update PR template (3920be2)
  • Add github issue and PR templates (b630f54)
  • Update JWTStrategy to take in context (#302) (514fdbd)

0.21.5 (2018-08-31)

openid: Allow JWT from id_token_hint to be expired (#299)

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Allow JWT from id_token_hint to be expired (#299) (1ad9cd3)

0.21.4 (2018-08-26)

token/hmac: Add ability to rotate HMAC keys (#298)

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • token/hmac: Add ability to rotate HMAC keys (#298) (2134650), closes #298

0.21.3 (2018-08-22)

compose: Pass ID Token configuration to strategy (#297)

Resolves an issue where expiry and issuer where not properly configurable in the strategy.

See ory/hydra#985

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Pass ID Token configuration to strategy (#297) (a07ce27):

    Resolves an issue where expiry and issuer where not properly configurable in the strategy.

    See ory/hydra#985

0.21.2 (2018-08-07)

openid: Validate id_token_hint only via ID claims (#296)

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Validate id_token_hint only via ID claims (#296) (0fcbfea)

0.21.1 (2018-07-22)

Improve token_endpoint_auth_method error message (#294)

Signed-off-by: arekkas aeneas@ory.am

Unclassified

  • Improve token_endpoint_auth_method error message (#294) (7820fb2), closes #294

  • Gofmt (#290) (f02884b):

    Run standard gofmt command on project root.

    • go version go1.10.3 darwin/amd64

0.21.0 (2018-06-23)

Makes error messages easier to debug for end-users

Documentation

  • Fixes header image in README (4907d60)

Unclassified

  • Makes error messages easier to debug for end-users (5688a1c)

  • Adds errors for request and registration parameters (920ed71)

  • Adds OIDC request/request_uri support (c7abcca)

  • Adds private_key_jwt authentication method (baa4cf1)

  • Adds proper error responses to request object (f483262)

  • Disallow empty response_type in request (cf2eb85)

  • Do not require id_token response type for auth_code (#288) (edc4910):

    Before this patch, the id_token response type was required whenever an ID Token was requested. This patch changes that.

  • Implements oidc compliant response_type validation (f950b9e)

  • Return unsupported_response_type in validator (a24708e)

  • Uses JWTStrategy in oauth2.DefaultStrategy (e2d2e75)

  • Uses JWTStrategy interface in openid.DefaultStrategy (517fdc5), closes #252

0.20.3 (2018-06-07)

Allows multipart content type as alternative to x-www-form-urlencoded (#285)

Unclassified

  • Allows multipart content type as alternative to x-www-form-urlencoded (#285) (2edf8f8), closes #285

0.20.2 (2018-05-29)

openid: Merge duplicate aud claim values (#283)

Unclassified

0.20.1 (2018-05-29)

Uses query instead of fragment when handling unsupported response type (#282)

Unclassified

  • Uses query instead of fragment when handling unsupported response type (#282) (57b1471), closes #282
  • Updates upgrade guide (a958ab8)

0.20.0 (2018-05-28)

oauth2: Resolves several issues related to revokation (#281)

This patch resolves several issues related to token revokation as well as duplicate authorize code usage:

  • oauth2: Revoking access or refresh tokens should revoke past and future tokens too
  • oauth2: Revoke access and refresh tokens when authorize code is used twice

Additionally, this patch resolves an issue where refreshing a token would not revoke previous tokens.

Closes #278 Closes #280

Unclassified

  • Resolves several issues related to revokation (#281) (72bff7f), closes #278 #280:

    This patch resolves several issues related to token revokation as well as duplicate authorize code usage:

    • oauth2: Revoking access or refresh tokens should revoke past and future tokens too
    • oauth2: Revoke access and refresh tokens when authorize code is used twice

    Additionally, this patch resolves an issue where refreshing a token would not revoke previous tokens.

  • Sets audience to a string array (#279) (2d58a58), closes #215

0.19.8 (2018-05-24)

authorize: Fixes implicit detection in error writer (#277)

Unclassified

  • Fixes implicit detection in error writer (#277) (608bf5f)

0.19.7 (2018-05-24)

openid: Use claims.RequestedAt for a reference of "now" (#276)

Previously, time.Now() was used to get a reference of "now". However, this caused short max_age values to fail if, for example, the consent screen took a long time. This patch now uses the "requested_at" claim value to determine a sense of "now" which should resolve the mentioned issue.

Unclassified

  • Use claims.RequestedAt for a reference of "now" (#276) (91e7a4c):

    Previously, time.Now() was used to get a reference of "now". However, this caused short max_age values to fail if, for example, the consent screen took a long time. This patch now uses the "requested_at" claim value to determine a sense of "now" which should resolve the mentioned issue.

0.19.6 (2018-05-24)

openid: Issue ID Token on implicit code flow as well

Unclassified

  • Issue ID Token on implicit code flow as well (180c749)

0.19.5 (2018-05-23)

jwt: Add JTI to counter missing nonce

Unclassified

  • Add JTI to counter missing nonce (28822d7)
  • Enforce nonce on implicit/hybrid flows (3b44eb3)

0.19.4 (2018-05-20)

core: Checks scopes before dispatching handlers (#272)

Unclassified

  • Checks scopes before dispatching handlers (#272) (0f18305)

0.19.3 (2018-05-20)

openid: Resolves timing issues in JWT strategy (#271)

Unclassified

  • Resolves timing issues in JWT strategy (#271) (aaec994)

0.19.2 (2018-05-19)

openid: Resolves timing issues by setting now to the future (#270)

Unclassified

  • Resolves timing issues by setting now to the future (#270) (e9339d7)

0.19.1 (2018-05-19)

openid: Improves validation errors and uses UTC everywhere (#269)

Unclassified

  • Improves validation errors and uses UTC everywhere (#269) (eee3dad)

0.19.0 (2018-05-17)

openid: Improves prompt, max_age and id_token_hint validation (#268)

This patch improves the OIDC prompt, max_age, and id_token_hint validation.

Unclassified

  • Improves prompt, max_age and id_token_hint validation (#268) (7ccad77):

    This patch improves the OIDC prompt, max_age, and id_token_hint validation.

0.18.1 (2018-05-01)

openid: Adds a validator used to validate OIDC parameters (#266)

The validator, for now, validates the prompt parameter of OIDC requests.

Unclassified

  • Adds a validator used to validate OIDC parameters (#266) (91c9d19):

    The validator, for now, validates the prompt parameter of OIDC requests.

0.18.0 (2018-04-30)

oauth2: Introspection should return token type (#265)

Closes #264

This patch allows the introspection handler to return the token type (e.g. access_token, refresh_token) of the introspected token. To achieve that, some breaking API changes have been introduced:

  • OAuth2.IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (AccessRequester, error) is now OAuth2.IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (TokenType, AccessRequester, error).
  • TokenIntrospector.IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (error) is now TokenIntrospector.IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (TokenType, error).

This patch also resolves a misconfigured json key in the IntrospectionResponse struct. AccessRequester AccessRequester json:",extra" is now properly declared as AccessRequester AccessRequester json:"extra".

Unclassified

0.17.2 (2018-04-26)

core: Regression fix for request ID in refresh token flow (#262)

Signed-off-by: Beorn Facchini beorn@lade.io

Unclassified

  • handler/oauth2: Returns request unauthorized error on invalid password credentials (#261) (cca6af4), closes #261
  • Regression fix for request ID in refresh token flow (#262) (99029e0)

0.17.1 (2018-04-22)

core: Adds ExactScopeStrategy (#260)

The ExactScopeStrategy performs a simple string match (case sensitive) of scopes.

Unclassified

  • Adds ExactScopeStrategy (#260) (0fcdf33):

    The ExactScopeStrategy performs a simple string match (case sensitive) of scopes.

0.17.0 (2018-04-08)

core: Sanitizes request body before sending it to the storage adapter (#258)

This release resolves a security issue (reported by platform.sh) related to potential storage implementations. This library used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused, with the addition of enabling POST-body based client authentication, the client secret to be leaked.

The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This lead to two breaking changes in the API:

  1. The fosite.Requester interface has a new method Sanitize(allowedParameters []string) Requester which returns a sanitized clone of the method receiver. If you do not use your own fosite.Requester implementation, this won't affect you.
  2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods to be added work exactly like, for example CreateAuthorizeCodeSession. The method signatures are as follows:
type PKCERequestStorage interface {
	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
	DeletePKCERequestSession(ctx context.Context, signature string) error
}

We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.

We would like to thank platform.sh for sponsoring the development of a patch that resolves this issue.

Documentation

Unclassified

  • Sanitizes request body before sending it to the storage adapter (#258) (018b5c1):

    This release resolves a security issue (reported by platform.sh) related to potential storage implementations. This library used to pass all of the request body from both authorize and token endpoints to the storage adapters. As some of these values are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused, with the addition of enabling POST-body based client authentication, the client secret to be leaked.

    The issue has been resolved by sanitizing the request body and only including those values truly required by their respective handlers. This lead to two breaking changes in the API:

    1. The fosite.Requester interface has a new method Sanitize(allowedParameters []string) Requester which returns a sanitized clone of the method receiver. If you do not use your own fosite.Requester implementation, this won't affect you.
    2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods to be added work exactly like, for example CreateAuthorizeCodeSession. The method signatures are as follows:
    type PKCERequestStorage interface {
    	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
    	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
    	DeletePKCERequestSession(ctx context.Context, signature string) error
    }

    We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.

    We would like to thank platform.sh for sponsoring the development of a patch that resolves this issue.

0.16.5 (2018-03-17)

introspection: Improves debug messages (#254)

Documentation

  • Resolves minor code documentation misspellings (#248) (c580d79)
  • Resolves minor spelling mistakes (#250) (7fbd246)
  • Updates chat badge to discord (b6380be)

Unclassified

  • docs : Fixes typo in README (#249) (d05fadf), closes #249
  • Adds email to license notice (77fa262)
  • Improves debug messages (#254) (338399b)
  • Updates license header (85bdbcb)
  • Updates license notice (917401c)
  • Updates years in license headers (77df218)
  • Updates years in license headers (d8458ab)

0.16.4 (2018-02-07)

handler: Adds PKCE implementation for none and S256 (#246)

This patch adds support for PKCE (https://tools.ietf.org/html/rfc7636) which is used by native apps (mobile) and prevents eavesdropping attacks against authorization codes.

PKCE is enabled by default but not enforced. Challenge method plain is disabled by default. Both settings can be changed using compose.Config.EnforcePKCE and compose.config.EnablePKCEPlainChallengeMethod.

Closes #213

Unclassified

  • Adds PKCE implementation for none and S256 (#246) (4512853), closes #213:

    This patch adds support for PKCE (https://tools.ietf.org/html/rfc7636) which is used by native apps (mobile) and prevents eavesdropping attacks against authorization codes.

    PKCE is enabled by default but not enforced. Challenge method plain is disabled by default. Both settings can be changed using compose.Config.EnforcePKCE and compose.config.EnablePKCEPlainChallengeMethod.

0.16.3 (2018-02-07)

introspection: Adds missing http header to response writer (#247)

The introspection response writer was missing application/json in header Content-Type. This patch fixes that.

Closes #209

Unclassified

  • Adds missing http header to response writer (#247) (f345ec1), closes #209:

    The introspection response writer was missing application/json in header Content-Type. This patch fixes that.

0.16.2 (2018-01-25)

introspection: Decodes of Basic Authorization username/password (#245)

Signed-off-by: Dmitry Dolbik dolbik@gmail.com

Unclassified

  • Decodes of Basic Authorization username/password (#245) (b94312e)

0.16.1 (2017-12-23)

compose: Makes SendDebugMessages first class citizen (#243)

Unclassified

  • Makes SendDebugMessages first class citizen (#243) (1ef3041)

0.16.0 (2017-12-23)

Adds ability to forward hints and debug messages to clients (#242)

Unclassified

  • Adds ability to forward hints and debug messages to clients (#242) (7216c4f), closes #242

0.15.6 (2017-12-21)

handler/oauth2: Adds offline_access alias for refresh flow

Unclassified

  • handler/oauth2: Adds offline_access alias for refresh flow (2aa8e70)

0.15.5 (2017-12-17)

Returns the correct error on duplicate auth code use

Unclassified

  • Returns the correct error on duplicate auth code use (95d5f58)

0.15.4 (2017-12-17)

Improves http error codes

Unclassified

  • Improves http error codes (6831f75)

0.15.3 (2017-12-17)

Resolves overriding auth_time with wrong value

Unclassified

  • Resolves overriding auth_time with wrong value (c85b32d)

0.15.2 (2017-12-10)

Adds ability to catch non-conform OIDC authorizations

Fosite is now capable of detecting authorization flows that are not conformant with the OpenID Connect spec.

Unclassified

  • Adds ability to catch non-conform OIDC authorizations (97fbeb3):

    Fosite is now capable of detecting authorization flows that are not conformant with the OpenID Connect spec.

  • Forces use of UTC time zone everywhere (4c7e4e5)

0.15.1 (2017-12-10)

token/jwt: Adds ability to specify acr value natively in id token payload

Unclassified

  • token/jwt: Adds ability to specify acr value natively in id token payload (b87ca49)

0.15.0 (2017-12-09)

Upgrades history.md

Documentation

Unclassified

  • Upgrades history.md (87c37c3)
  • Improves test coverage report by removing internal package from it (831f56a)
  • Resolves test issues and reverts auth code revokation patch (59fc47b)
  • Improves error debug messages across the project (7ec8d19)
  • handler/oauth2: Adds token revokation on authorize code reuse (2341dec)
  • handler/oauth2: Improves authorization code error handling (d6e0fbd)
  • Allows client credentials in POST body and solves public client auth (392c191), closes #231 #217
  • Updates mocks and mock generation (1f9d07d)

0.14.2 (2017-12-06)

Makes use of rfcerr in access error endpoint writer explicit

Unclassified

  • Makes use of rfcerr in access error endpoint writer explicit (701d850)

0.14.1 (2017-12-06)

Exports ErrorToRFC6749Error again (#228)

Unclassified

  • Exports ErrorToRFC6749Error again (#228) (8d35b66), closes #228

0.14.0 (2017-12-06)

Simplifies error contexts (#227)

Simplifies how errors are instantiated. Errors now contain all necessary information without relying on fosite.ErrorToRFC6749Error any more. fosite.ErrorToRFC6749Error is now an internal method and was renamed to fosite.errorToRFC6749Error.

Unclassified

  • Simplifies error contexts (#227) (8961d86), closes #227:

    Simplifies how errors are instantiated. Errors now contain all necessary information without relying on fosite.ErrorToRFC6749Error any more. fosite.ErrorToRFC6749Error is now an internal method and was renamed to fosite.errorToRFC6749Error.

0.13.1 (2017-12-04)

handler/oauth2: Client IDs in revokation requests must match now (#226)

Closes #225

Unclassified

  • handler/oauth2: Client IDs in revokation requests must match now (#226) (83136a3), closes #226 #225
  • Add license header to all source files (#222) (dd9398e), closes #222 #221
  • Update go version (#220) (ff751ee)

0.13.0 (2017-10-25)

vendor: replace glide with dep

Unclassified

0.12.0 (2017-10-25)

scripts: fix goimports import path

Unclassified

  • token/hmac: replace custom logic with copypasta (b4b9be5)
  • Add 0.12.0 to TOC (a2e3a47)
  • Add format helper scripts (92c73ae)
  • Add goimports to install section (4f5df70)
  • Fix goimports import path (65743b4)
  • Format files with goimports (c87defe)
  • Replace nil checks with Error/NoError (7fe1f94)
  • Update to go 1.9 (c17222c)
  • Use go-acc and test format (47fd477)

0.11.4 (2017-10-10)

handler/oauth2: set expiration time before the access token is generated (#216)

Signed-off-by: Nikita Vorobey nikita@vorobey.by

Documentation

Unclassified

  • handler/oauth2: set expiration time before the access token is generated (#216) (0911eb0), closes #216

0.11.3 (2017-08-21)

oauth2/ropc: Set expires at for password credentials flow (#210)

Signed-off-by: Beorn Facchini beornf@gmail.com

Documentation

  • Fixes documentation oauth2 variable and updates old method (#205) (fa50c80):

    It seems that the documentation was declaring as OAuth2Provider the variable oauth2Provider whereas it used a non-declared variable oauth2. I renamed oauth2 into the variable declared oauth2Provider.

    Furthermore, on line 333, the IntrospectToken method was called without the TokenType argument. I added the fosite.AccessToken type.

  • Update docs on scope strategy (68119ca)

Unclassified

  • oauth2/ropc: Set expires at for password credentials flow (#210) (461b38f), closes #210
  • oauth2/introspection: configure core validator with access only option (#208) (80cae74), closes #208
  • Add more test cases (c45a37d)

0.11.2 (2017-07-09)

scope: resolve haystack needle mixup - closes #201

Unclassified

  • Resolve haystack needle mixup - closes #201 (2c7cdff)

0.11.1 (2017-07-09)

token/jwt: add claims tests

Unclassified

  • token/jwt: add claims tests (c55d679)
  • handler/openid: only refresh id token with id_token response type (dd2463a), closes #199
  • Add tests for nil sessions (d67d52d)

0.11.0 (2017-07-09)

handler/oauth2: update docs

Unclassified

  • handler/oauth2: update docs (63f329b)
  • handler/oauth2: remove code validity check from test (664d1a6)
  • handler/oauth2: first retrieve, then validate (ab72cba)
  • handler/oauth2: set requested at date in auth code test (edd4084)
  • handler/oauth2: resolve travis time mismatch (ec6534c)
  • handler/oauth2: simplify storage interface (361b368), closes #194
  • handler/oauth2: use hmac strategy for jwt refresh tokens (#190) (56c88c0), closes #190 #180
  • handler/openid: refresh token handler for oidc (#193) (04888c5), closes #193 #181
  • Gofmt (7a998fe)
  • Implement new wildcard strategy - closes #188 (e03e99e)
  • Revoke access tokens when refreshing (bb74955), closes #167
  • Run goimports (35941c2)
  • Use deepcopy not gob encoding - closes #191 (823db5b)

0.10.0 (2017-07-06)

oauth2/introspector: remove auth code, refresh scopes (#187)

Removes authorize code introspection in the HMAC-based strategy and now checks scopes of refresh tokens as well.

Unclassified

  • oauth2/introspector: remove auth code, refresh scopes (#187) (ef8f175), closes #187:

    Removes authorize code introspection in the HMAC-based strategy and now checks scopes of refresh tokens as well.

  • Separate test dependencies (#186) (71451f0):

    • vendor: Move testify to testImport
    • test: Move Assert/Require helpers to _test pkg

0.9.7 (2017-06-28)

handler/openid: remove forced nonce (#185)

Signed-off-by: Wyatt Anderson wanderson@gmail.com

Unclassified

  • handler/openid: remove forced nonce (#185) (6c91a21), closes #185

0.9.6 (2017-06-21)

oauth2: basic auth should decode client id and secret

closes #182

Documentation

  • Update test command in README and CONTRIBUTING (#183) (c1ab029)

Unclassified

  • Basic auth should decode client id and secret (92b75d9), closes #182

0.9.5 (2017-06-08)

handler/oauth2: grant scopes before the access token is generated (#177)

Signed-off-by: Nikita Vorobey nikita@vorobey.by

Unclassified

  • handler/oauth2: grant scopes before the access token is generated (#177) (3497260), closes #177

0.9.4 (2017-06-05)

introspection: return with active set false on token error (#176)

Unclassified

  • Return with active set false on token error (#176) (82944aa)

0.9.3 (2017-06-05)

vendor: remove unnecessary go-jose import (#175)

Unclassified

0.9.2 (2017-06-05)

Resolve issues with error handling (#174)

  • errors: do not convert errors compliant with rfcerrors

  • handler/oauth2: improve redirect message for insecure http

Unclassified

  • Resolve issues with error handling (#174) (9abdfd0), closes #174:

    • errors: do not convert errors compliant with rfcerrors

    • handler/oauth2: improve redirect message for insecure http

0.9.1 (2017-06-04)

vendor: clean up dependencies (#173)

  • vendor: remove stray github.com/Sirupsen/logrus
  • vendor: remove common lib

Unclassified

  • Clean up dependencies (#173) (524d3b6):

    • vendor: remove stray github.com/Sirupsen/logrus
    • vendor: remove common lib

0.9.0 (2017-06-03)

docs: add 0.9.0 release note

Documentation

Unclassified

  • Enable fosite composing with custom hashers. (#170) (d70d882)
  • Removed implicit storage as its never used - closes #165 (#171) (fe74027)

0.8.0 (2017-05-18)

docs: add notes for breaking changes that come with 0.8.0

Documentation

  • Add notes for breaking changes that come with 0.8.0 (d5fafb8)

Unclassified

  • Added context to GetClient storage interface (#162) (974585d), closes #161

  • Removed *http.Request from interfaces that access request objects (786b971):

    • removed the requirement to *http.Request for endpoints and response object, they are resolvable trough the request.GetRequestForm

    • updated readme to reflect changes to implementation

    • run goimports on internal dir added goimports command to generate-mocks.sh to force first run after generating the mock files

  • Set authorize code expire time before persist (#166) (305a74f)

  • Set expiry date on implicit access tokens (#164) (0785b07)

0.7.0 (2017-05-03)

vendor: glide update

Documentation

  • Add breaking changes note (7d726e1)

Unclassified

0.6.19 (2017-05-03)

access: revert regression issue introduced by #150

Unclassified

0.6.18 (2017-04-14)

oauth2: basic auth should www-url-decode client id and secret - closes #150

Unclassified

  • handler/oauth2: removes RevokeHandler from JWT introspector (#155) (344dbef), closes #155:

    • Removes RevokeHandler from JWT Introspector

    RevokeHandler has been removed because it conflicts with Stateless JWT accesstokens and revocable hmac refresh tokens. The readme has been updated to warn users about possible misconfiguration.

    • Moves text back to correct section
  • Allow localhost subdomains such as blog.localhost:1234 (5e1c890)

  • Basic auth should www-url-decode client id and secret - closes #150 (ad395bf)

  • Get the token from the access_token query parameter (#156) (9edac04)

0.6.17 (2017-02-24)

readme: update badges to ory

Unclassified

  • revert unintentional change (14a18a7)
  • make stateless validator return an error on revocation (f8f7978)
  • dont client id for aud (a39200b)
  • handler/oauth2: allow stateless introspection of jwt access tokens (c2d2ac2)
  • Redirect uris should ignore cases during matching - closes #144 (4b88774)
  • Update badges to ory (9b33931)

0.6.15 (2017-02-11)

errors: fixed typo in acccess_error

Unclassified

  • Fixed typo in acccess_error (08b2242)

0.6.14 (2017-01-08)

allow public clients to revoke tokens with just an ID

This functionality is described in the OAuth2 spec here: https://tools.ietf.org/html/rfc7009#section-5

Unclassified

0.6.13 (2017-01-08)

request: fix SetRequestedScopes (#139)

Signed-off-by: Peter Schultz peter.schultz@classmarkets.com

Unclassified

0.6.12 (2017-01-02)

authorize: allow custom redirect url schemas

Unclassified

  • Allow custom redirect url schemas (c740b70)
  • Properly wrap errors (e054b6e)

0.6.11 (2017-01-02)

openid: c_hash / at_hash should use url-safe base64 encoding

Unclassified

  • C_hash / at_hash should use url-safe base64 encoding (33d4414)

0.6.10 (2016-12-29)

openid: c_hash / at_hash should be string not byte slice

Unclassified

  • C_hash / at_hash should be string not byte slice (b489cc9)

0.6.9 (2016-12-29)

oauth2/implicit: fix redirect url on error Signed-off-by: Nikita Vorobey nikita@vorobey.by

Documentation

  • Fix missing protocol in link in readme (#132) (37ef374)

Unclassified

  • oauth2/implicit: fix redirect url on error (435288c)

0.6.8 (2016-12-20)

lint: gofmt -w -s .

Unclassified

0.6.7 (2016-12-06)

access: response expires in should be int, not string

Unclassified

  • Response expires in should be int, not string (a2080a3)

0.6.6 (2016-12-06)

errors: add inactive token error

Unclassified

  • Add content type to error response (75aad53)
  • Add inactive token error (0151f1e)
  • Resolve broken test (51ab7bb)

0.6.5 (2016-12-04)

introspection: always return the error

Unclassified

  • Always return the error (366b4c1)

0.6.4 (2016-11-29)

token/jwt: Allow single element string arrays to be treated as strings

This commit allows aud to be passed in as a single element array during consent validation on Hydra. This fixes ory/hydra#314.

Signed-off-by: Son Dinh son.dinh@blacksquaremedia.com

Unclassified

  • token/jwt: Allow single element string arrays to be treated as strings (5388e10):

    This commit allows aud to be passed in as a single element array during consent validation on Hydra. This fixes ory/hydra#314.

0.6.2 (2016-11-25)

oauth2/introspection: endpoint responds to invalid requests appropriately (#126)

Unclassified

  • oauth2/introspection: endpoint responds to invalid requests appropriately (#126) (9360f64), closes #126

0.6.1 (2016-11-17)

core: resolve issues with token introspection and sessions

Unclassified

  • Resolve issues with token introspection and sessions (895d169)

0.6.0 (2016-11-17)

core: resolve session referencing issue (#125)

Unclassified

0.5.1 (2016-10-22)

handler/oauth2: set JWT ExpiresAt claim per TokenType from the session (#121)

Signed-off-by: Cristian Graziano cristian.graziano@gmail.com

Unclassified

  • handler/oauth2: set JWT ExpiresAt claim per TokenType from the session (#121) (66170ae), closes #121
  • oauth2/introspection: do not include the session in the response (daad271)

0.5.0 (2016-10-17)

0.5.0 (#119)

  • all: resolve regression issues introduced by 0.4.0 - closes #118
  • oauth2: introspection handler excess calls - closes #117
  • oauth2: inaccurate expires_in time - closes #72

Unclassified

0.4.0 (2016-10-16)

all: clean up, resolve broken tests

Documentation

  • Add danilobuerger and jrossiter to hall of fame (f864e26)
  • Add offline note to readme (60a7672)
  • Document reasoning for interface{} in compose package - closes #94 (f193012)

Unclassified

  • Allow public clients to access token endpoint - closes #78 (cbe433e)
  • Clean up, resolve broken tests (1041e67)
  • Flatten package hierarchy and merge files - closes #93 (9b7ba80)
  • Reduce third party dependencies - closes #116 (5ec5cff)
  • Split library and example - closes #92 (6d76d35)

0.3.6 (2016-10-07)

oauth2: added refresh token generation for password grant type (#107)

  • oauth2: added refresh token generation for password grant type when offline scope is requested

Signed-off-by: Jason Rossiter jrossiter403@gmail.com

Unclassified

  • Added refresh token generation for password grant type (#107) (81c3cbd):

    • oauth2: added refresh token generation for password grant type when offline scope is requested

0.3.5 (2016-10-06)

handler/oauth2: resolve issues with refresh token flow (#110)

  • handler/oauth2/refresh: requestedAt time is not reset - closes #109
  • handler/oauth2/refresh: session is not transported to new access token - closes #108

Unclassified

  • handler/oauth2: resolve issues with refresh token flow (#110) (bef6197), closes #110 #109 #108
  • Add tests to request state (8c7c77e)

0.3.4 (2016-10-04)

handler/oauth2: refresh token does not migrate original access data - closes #103 (#104)

Unclassified

  • handler/oauth2: refresh token does not migrate original access data - closes #103 (#104) (8ffa0bc), closes #103 #104

0.3.3 (2016-10-03)

authorize: scopes should be separated by %20 and not +, to ensure javascript compatibility - closes #101 (#102)

Documentation

  • Fix reference to store example in readme (#87) (b1e2cda)

Unclassified

  • Scopes should be separated by %20 and not +, to ensure javascript compatibility - closes #101 (#102) (e61a25f)

0.3.2 (2016-09-22)

openid: resolves an issue with the explicit token flow

Unclassified

  • Resolves an issue with the explicit token flow (aa1b854)

0.3.1 (2016-09-22)

0.3.1 (#98)

  • all: better error handling - closes #100
  • oauth2/implicit: bad HTML encoding of the scope parameter - closes #95
  • oauth2: state parameter is missing when response_type=id_token - closes #96
  • oauth2: id token hashes are not base64 url encoded - closes #97
  • openid: hybrid flow using token+code+id_token returns multiple tokens of the same type - closes #99

Unclassified

0.3.0 (2016-08-22)

vendor: jwt-go is now v3.0.0 (#77)

Signed-off-by: Alexander Widerberg alexander.widerberg@cybercom.com

Unclassified

  • HierarchicScopeStrategy worngly accepts missing scopes (7faee6b)
  • Jwt-go is now v3.0.0 (#77) (76ef7ea)

0.2.4 (2016-08-09)

all: resolve race condition and package fosite with glide

Unclassified

  • Resolve race condition and package fosite with glide (66b53a9)

0.2.3 (2016-08-08)

vendor: commit missing lock file

Unclassified

  • Commit missing lock file (be30574)

0.2.2 (2016-08-08)

vendor: updated go-jwt to use semver instead of gopkg

Unclassified

  • Updated go-jwt to use semver instead of gopkg (3b66309)

0.2.1 (2016-08-08)

core: remove unused fields and methods from client

Unclassified

  • Remove unused fields and methods from client (5f1851b)
  • Resolved package naming issue (4d1caeb)

0.2.0 (2016-08-06)

all: composable factories, better token validation, better scope handling and simplify structure

  • readme: add gitter chat badge closes #67
  • handler: flatten packages closes #70
  • openid: don't autogrant openid scope - closes #68
  • all: clean up scopes / arguments - closes #66
  • all: composable factories - closes #64
  • all: refactor token validation - closes #63
  • all: remove mandatory scope - closes #62

Unclassified

0.1.0 (2016-08-01)

oauth2: implicit handlers do not require tls over https (#61)

closes #60

Code Refactoring

Documentation

  • Add -d option to go get (0e63038)

  • Define implicitHandler (745a4df):

    Someone forgot to rename the variable name when copy-pasting in the example.

  • Document new token generation and validation (ddef55b)

  • Drafted workflows (4ad1d14)

  • Explain what handlers are (48ca03b)

  • Fix typos in readme (b9ed7ac)

  • Readme (a5aa697)

  • Readme (f77fd41)

  • Readme (e143d8c)

  • Readme (d483568)

  • Updated authorize section (9c21afb)

  • Updated readme docs (336a2cd)

Unclassified

  • updated gif (39c239f)

  • gofmt (f813288)

  • updated example gif (29b39ea)

  • added open id connect to example (6f0ce68)

  • added integration tests (8d47f80)

  • added doc to fix travis (a0db129)

  • Add go report card (204c5d6)

  • Clean-up fosite-example/main.go link in README.md (497ff80):

    The README url to the suggested example was broken.

  • Added jti as parameter to claims helper to privide better interface to developers (bde3822)

  • Added missing jti claim (26f41a0)

  • Added NOTE (64516f8)

  • Removed unnecessary print. Added bugfix from Arekkas. (96458b6)

  • Example updated (5022339)

  • Added working example of jwt token (9410fca)

  • Added tests. Still need to verify implemtation with test (1ebdd88)

  • WIP (caaa43a)

  • readme (c97d844)

  • readme (fe24f26)

  • readme (be8cd23)

  • refactor done (unstaged) (625f168)

  • unstaged (6c616b1)

  • unstaged (17ad70b)

  • Include user session data in all calls to storage handlers. (2be3fc1)

  • unstaged (fde7c80)

  • unstaged (e775aad)

  • unstaged (ae2fc16)

  • handler/core: fixed tests (7f5938a)

  • core handlers: added tests (e9affb7)

  • authorize/explicit ✓ (d61635b)

  • authorize/explicit: minor name refactoring and tests for authorize endpoint (4736e28)

  • plugin/token: fix import path (fdba2f7)

  • unstaged (f939597)

  • Initial commit (7adad58)

  • Access code request workflow finalized (0232918)

  • Access request api draft (9f482ef)

  • Add api stability section (3ca6ec9)

  • Add go-rethink tags (49c82bc)

  • Add ValidateToken to CoreValidator (4c2b9d8)

  • Added authorize code grant example (269c5fa)

  • Added client grant and did some renaming (75c8179)

  • Added cristiangraz to the hall of fame (1b6e2b4)

  • Added danielchatfield to the hall of fame (2b988a8)

  • Added go 1.6 (ae41a0a)

  • Added go1.4 to allowed failures (49aa920)

  • Added grant and response type validation (f524fc2)

  • Added json and gorethink tags (99c836c)

  • Added JWT generator and validator. (58acd68), closes #16

  • Added missing file (8fc1615)

  • Added owner method (78012ed)

  • Added tests fragment capabilities to writeresponse (6df0eca)

  • Api cleanup, gofmt (3d6e8b6)

  • Api refactor (d936c91)

  • Basic draft (480af91)

  • Defined OAuth2.HandleResponseTypes (30b6e74):

    Incorporated feedback from GitHub, did refactoring and renaming, added tests

  • Enforce https for all redirect endpoints except localhost (d65b45a)

  • Enforce use of scopes (12d76dd), closes #14

  • Finalized auth endpoint, added tests, added integration tests (c6dcb90)

  • Finalized token endpoint api (8de3f10)

  • Finished up integration tests (a6d027e)

  • Fix broken test (653e324)

  • Fix config (82e9332)

  • Fix deps (bcc6a07)

  • Fix jwt strategy interface mismatch (#58) (4d0a545)

  • Fix unique scope tests (3ac3a79)

  • Fixed granted scope match (13b7efa)

  • Fixed racy tests (f0b691d)

  • Fixed tests (8bf73e3)

  • Fixed tests refactor broke (5da857b)

  • Fixed typos (a5391de), closes #10

  • Fixed urls (58908b8)

  • Fixed wrongfully set constant ErrTemporaryUnvailableName (71a9105), closes #9

  • Generic claims and headers (1f2e97f)

  • Glide (#43) (de85e2a)

  • Godep save (c457104)

  • Goimports (8b9816c)

  • Goimports (96be194)

  • Implemented all core grant types (ce0a849)

  • Implemented and documented examples (8c625c9)

  • Implemented new token generator based on hmac-sha256 (01f9ede), closes #11

  • Implemented validator for access tokens (4140422)

  • Implicit handlers do not require tls over https (#61) (6c40c08), closes #60

  • Improve handling of expiry and include a protected api example (dfb047d)

  • Improve strategy API (21f5e8c)

  • Increased coverage (83194b6)

  • Issue refresh token only when 'offline' scope is set (34068b9), closes #47

  • Jwt signing and client changes (#44) (fae3c96)

  • Made hybrid flow optional (08ddbae)

  • Major refactor, use enigma, finalized authorize skeleton (38bacd3), closes #8 #11

  • More test cases (1188750)

  • More tests (164506a)

  • Moved to root package, updated docs (1871702)

  • Moved to root package, updated docs (5b9b20c)

  • No "session" secret required (d1f45ad)

  • Preview (ba84987)

  • Refactor (eb9153c)

  • Refactor, fixed tests, incorporated feedback (9e59df2)

  • Refactoring, more tests (df79a81)

  • Refactoring, renaming, docs (e5476d1)

  • Refactoring, renaming, more tests (9467ca8)

  • Remove duplicate field (e134351)

  • Remove store mock (80c14f7)

  • Rename fields name to client_name and secret to client_secret (99ce066)

  • Renaming and refactoring (d3697bd)

  • Replace internal import (#52) (1290282)

  • Replace pkg.ErrNotFound with fosite.ErrNotFound (4390c49)

  • Request should return unique scopes (af66918)

  • Resolve an issue where query params could be used instead of post body (7eb85c6)

  • Resolve danger of not reading enough bytes (c68a3e9)

  • Resolve id token issues with empty claims (89c60c9)

  • Resolve scope issues (#55) (9d54b98):

    handler: resolve scope issues

  • Sanitized tests and apis (12c70bb)

  • Tests for client credentials flow (c13298c)

  • Tests for resource owner password credentials grant (f503615)

  • Update (88e84de)

  • Update installation instructions (201c6aa), closes #33

  • Updated example and added implicit grant (d12fa5c)

  • Use jwt-go.v2 and fix bc break (f731d88)