Bugfixes

browser

• Mismatching redirect URI on refresh: this bug was caused by an invalid redirect URL stored with session data.
  Saving an invalid redirect URL is now prohibited, and in addition the storage of users impacted by this bug will be cleared so that they don't have to do anything manually
  to clear their local storage. Users affected by this bug will be asked to log back in, as if they logged out.

Bugfixes

• The fetch function is now bound to the window object in all uses within authn-browser

New Features

• Support for RP-Initiated Logout in Node and Browser libraries.
• ESM support for Node and Browser packages.

New Feature

• Node 20 support

New features

• Add Node 18 support

browser and node

New features

• The Session exposes an events attribute implementing EventEmitter, with
  type hints to guide which events are supported. It allows to register a callback
  listening on events using session.events.on, but also to unregister a callback
  using session.events.off, or to register a one-off callback using session.events.once.
  This attribute intends at replacing exising Session methods to listen on events,
  namely onLogin, onLogout, onError, onSessionRestore, onSessionExpiration,
  onNewRefreshToken.

Deprecation notice

The following have been deprecated, and will be removed in future major releases.

• The Session class will no longer extend EventEmitter. Instead, it will expose
  an events attribute implementing EventEmitter. We do not recommand to use
  either a Session instance or its events attribute as an arbitrary events emitter,
  and encourage users to only use the supported events and documented API.
• Session methods onLogin, onLogout, onError, onSessionRestore,
  onSessionExpiration, onNewRefreshToken are deprecated in favor of session.events.on
  called with the appropriate event name.

node

Bugfixes

• The session expiration date was incorrectly computed in the authorization code flow.

browser

Bugfix

• v1.13.3 introduced a bug in the silent reload flow, resulting in a "Mismatching
  redirect URL" error when refreshing a page with an app logged in. This regression
  went unnoticed because of a misconfiguration of the browser-based test app that
  should have covered this scenario. Both issues are now resolved.

node

Bugfix

• The Session expiration date was not set in all contexts: session.info.expirationDate
  wasn't set properly using Client Credentials.

browser

Bugfixes

• No longer remove the last issuer URL path component if it doesn't have a trailing
  slash: a bug was introduced in baac030, resulting
  in the issuer configuration discovery failing if the issuer URL had a path that
  did not end with a trailing slash. This is now fixed.

node

Bugfix

• The Client Credential flow had a bug where the expiration time set by the OpenID
  Provider for the token was ignored, and an arbitrary default was applied instead.
  This resulted in the session being unable to make authenticated requests, but
  still acting as if it were logged in. The session now uses the expiration time
  set by the OpenID Provider.

Node and browser

Bugfix

• The redirect URL provided to the login function was being normalized, which could result in misalignments with the redirect URLs declared in a Client Identifier document, since the latter wasn't being normalized. The normalization step has now been removed, and the redirect provided by the user is sent to the OpenID Provider unchanged.
• Some dependencies updates