1**THIS DOCUMENT HAS MOVED**
2
3This file is no longer being updated and kept for historical reasons. Please
4check the [CHANGELOG](changelog.md) instead!
5
6<!-- START doctoc generated TOC please keep comment here to allow auto update -->
7<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
8
9- [0.28.0](#0280)
10- [0.27.0](#0270)
11 - [Conceptual Changes](#conceptual-changes)
12 - [API Changes](#api-changes)
13- [0.26.0](#0260)
14- [0.24.0](#0240)
15 - [Breaking change(s)](#breaking-changes)
16 - [`fosite/handler/oauth2.JWTStrategy`](#fositehandleroauth2jwtstrategy)
17 - [`OpenIDConnectRequestValidator.ValidatePrompt`](#openidconnectrequestvalidatorvalidateprompt)
18- [0.23.0](#0230)
19 - [Breaking change(s)](#breaking-changes-1)
20 - [`Hasher`](#hasher)
21- [0.22.0](#0220)
22 - [Breaking change(s)](#breaking-changes-2)
23 - [`JWTStrategy`](#jwtstrategy)
24- [0.21.0](#0210)
25 - [Changes to parsing of OAuth 2.0 Client `response_types`](#changes-to-parsing-of-oauth-20-client-response_types)
26 - [`openid.DefaultStrategy` field name changed](#openiddefaultstrategy-field-name-changed)
27 - [`oauth2.RS256JWTStrategy` was renamed and field name changed](#oauth2rs256jwtstrategy-was-renamed-and-field-name-changed)
28 - [Adds `private_key_jwt` client authentication method](#adds-private_key_jwt-client-authentication-method)
29 - [Response Type `id_token` no longer required for authorize_code flow](#response-type-id_token-no-longer-required-for-authorize_code-flow)
30- [0.20.0](#0200)
31- [Breaking Changes](#breaking-changes)
32 - [JWT Claims](#jwt-claims)
33 - [`AuthorizeCodeStorage`](#authorizecodestorage)
34- [0.19.0](#0190)
35- [0.18.0](#0180)
36- [0.17.0](#0170)
37- [0.16.0](#0160)
38- [0.15.0](#0150)
39- [0.14.0](#0140)
40- [0.13.0](#0130)
41 - [Breaking changes](#breaking-changes)
42- [0.12.0](#0120)
43 - [Breaking changes](#breaking-changes-1)
44 - [Improved cryptographic methods](#improved-cryptographic-methods)
45- [0.11.0](#0110)
46 - [Non-breaking changes](#non-breaking-changes)
47 - [Storage adapter](#storage-adapter)
48 - [Reducing use of gomock](#reducing-use-of-gomock)
49 - [Breaking Changes](#breaking-changes-1)
50 - [`fosite/handler/oauth2.AuthorizeCodeGrantStorage` was removed](#fositehandleroauth2authorizecodegrantstorage-was-removed)
51 - [`fosite/handler/oauth2.RefreshTokenGrantStorage` was removed](#fositehandleroauth2refreshtokengrantstorage-was-removed)
52 - [`fosite/handler/oauth2.AuthorizeCodeGrantStorage` was removed](#fositehandleroauth2authorizecodegrantstorage-was-removed-1)
53 - [WildcardScopeStrategy](#wildcardscopestrategy)
54 - [Refresh tokens and authorize codes are no longer JWTs](#refresh-tokens-and-authorize-codes-are-no-longer-jwts)
55 - [Delete access tokens when persisting refresh session](#delete-access-tokens-when-persisting-refresh-session)
56- [0.10.0](#0100)
57- [0.9.0](#090)
58- [0.8.0](#080)
59 - [Breaking changes](#breaking-changes-2)
60 - [`ClientManager`](#clientmanager)
61 - [`OAuth2Provider`](#oauth2provider)
62- [0.7.0](#070)
63- [0.6.0](#060)
64- [0.5.0](#050)
65- [0.4.0](#040)
66- [0.3.0](#030)
67- [0.2.0](#020)
68- [0.1.0](#010)
69
70<!-- END doctoc generated TOC please keep comment here to allow auto update -->
71
72## 0.28.0
73
74This version (re-)introduces refresh token lifespans. Per default, this feature
75is enabled and set to 30 days. If a refresh token has not been used within 30
76days, it will expire.
77
78To disable refresh token lifespans (previous behaviour), set
79`compose.Config.RefreshTokenLifespan = -1`.
80
81## 0.27.0
82
83This PR adds the ability to specify a target audience for OAuth 2.0 Access
84Tokens.
85
86### Conceptual Changes
87
88From now on, `scope` and `audience` will be checked against the client's
89whitelisted scope and audience on every refresh token exchange. This prevents
90clients, which no longer are allowed to request a certain audience or scope, to
91keep using those values with existing refresh tokens.
92
93### API Changes
94
95```go
96type fosite.Client interface {
97+ // GetAudience returns the allowed audience(s) for this client.
98+ GetAudience() Arguments
99}
100```
101
102```go
103type fosite.Request struct {
104- Scopes Argument
105+ RequestedScope Argument
106
107- GrantedScopes Argument
108+ GrantedScope Argument
109}
110```
111
112```go
113type fosite.Requester interface {
114+ // GetRequestedAudience returns the requested audiences for this request.
115+ GetRequestedAudience() (audience Arguments)
116
117+ // SetRequestedAudience sets the requested audienc.
118+ SetRequestedAudience(audience Arguments)
119
120+ // GetGrantedAudience returns all granted scopes.
121+ GetGrantedAudience() (grantedAudience Arguments)
122
123+ // GrantAudience marks a request's audience as granted.
124+ GrantAudience(audience string)
125}
126```
127
128```go
129type fosite/token/jwt.JWTClaimsContainer interface {
130- // With returns a copy of itself with expiresAt and scope set to the given values.
131- With(expiry time.Time, scope, audience []string) JWTClaimsContainer
132
133+ // With returns a copy of itself with expiresAt, scope, audience set to the given values.
134+ With(expiry time.Time, scope, audience []string) JWTClaimsContainer
135}
136```
137
138## 0.26.0
139
140This release makes it easier to define custom JWT Containers for access tokens
141when using the JWT strategy. To do that, the following signatures have changed:
142
143```go
144// github.com/ory/fosite/handler/oauth2
145type JWTSessionContainer interface {
146 // GetJWTClaims returns the claims.
147- GetJWTClaims() *jwt.JWTClaims
148+ GetJWTClaims() jwt.JWTClaimsContainer
149
150 // GetJWTHeader returns the header.
151 GetJWTHeader() *jwt.Headers
152
153 fosite.Session
154}
155```
156
157```go
158+ type JWTClaimsContainer interface {
159+ // With returns a copy of itself with expiresAt and scope set to the given values.
160+ With(expiry time.Time, scope []string) JWTClaimsContainer
161+
162+ // WithDefaults returns a copy of itself with issuedAt and issuer set to the given default values. If those
163+ // values are already set in the claims, they will not be updated.
164+ WithDefaults(iat time.Time, issuer string) JWTClaimsContainer
165+
166+ // ToMapClaims returns the claims as a github.com/dgrijalva/jwt-go.MapClaims type.
167+ ToMapClaims() jwt.MapClaims
168+ }
169```
170
171All default session implementations have been updated to reflect this change. If
172you define custom session, this patch will affect you.
173
174## 0.24.0
175
176This release addresses areas where the go context was missing or not propagated
177down the call path properly.
178
179### Breaking change(s)
180
181#### `fosite/handler/oauth2.JWTStrategy`
182
183The
184[`fosite/handler/oauth2.JWTStrategy`](https://github.com/ory/fosite/blob/master/handler/oauth2/strategy.go)
185interface changed as a context parameter was added to its method signature:
186
187```go
188type JWTStrategy interface {
189- Validate(tokenType fosite.TokenType, token string) (requester fosite.Requester, err error)
190+ Validate(ctx context.Context, tokenType fosite.TokenType, token string) (requester fosite.Requester, err error)
191}
192```
193
194#### `OpenIDConnectRequestValidator.ValidatePrompt`
195
196The
197[`OpenIDConnectRequestValidator.ValidatePrompt`](https://github.com/ory/fosite/blob/master/handler/openid/validator.go)
198method signature was updated to take a go context as its first parameter:
199
200```go
201- func (v *OpenIDConnectRequestValidator) ValidatePrompt(req fosite.AuthorizeRequester) error {
202+ func (v *OpenIDConnectRequestValidator) ValidatePrompt(ctx context.Context, req fosite.AuthorizeRequester) error {
203```
204
205## 0.23.0
206
207This releases addresses inconsistencies in some of the public interfaces by
208passing in the go context to their signatures.
209
210### Breaking change(s)
211
212#### `Hasher`
213
214The [`Hasher`](https://github.com/ory/fosite/blob/master/hash.go) interface
215changed as a context parameter was added to its method signatures:
216
217```go
218type Hasher interface {
219- Compare(hash, data []byte) error
220+ Compare(ctx context.Context, hash, data []byte) error
221- Hash(data []byte) ([]byte, error)
222+ Hash(ctx context.Context, data []byte) ([]byte, error)
223}
224```
225
226## 0.22.0
227
228This releases addresses inconsistencies in some of the public interfaces by
229passing in the go context to their signatures.
230
231### Breaking change(s)
232
233#### `JWTStrategy`
234
235The [`JWTStrategy`](https://github.com/ory/fosite/blob/master/token/jwt/jwt.go)
236interface changed as a context parameter was added to its method signatures:
237
238```go
239type JWTStrategy interface {
240- Generate(claims jwt.Claims, header Mapper) (string, string, error)
241+ Generate(ctx context.Context, claims jwt.Claims, header Mapper) (string, string, error)
242- Validate(token string) (string, error)
243+ Validate(ctx context.Context, token string) (string, error)
244- GetSignature(token string) (string, error)
245+ GetSignature(ctx context.Context, token string) (string, error)
246- Hash(in []byte) ([]byte, error)
247+ Hash(ctx context.Context, in []byte) ([]byte, error)
248- Decode(token string) (*jwt.Token, error)
249+ Decode(ctx context.Context, token string) (*jwt.Token, error)
250 GetSigningMethodLength() int
251}
252```
253
254## 0.21.0
255
256This release improves compatibility with the OpenID Connect Dynamic Client
257Registration 1.0 specification.
258
259### Changes to parsing of OAuth 2.0 Client `response_types`
260
261Previously, when response types such as `code token id_token` were requested
262(OpenID Connect Hybrid Flow) it was enough for the client to have
263`response_types=["code", "token", "id_token"]`. This is however incompatible
264with the OpenID Connect Dynamic Client Registration 1.0 spec which dictates that
265the `response_types` have to match exactly.
266
267Assuming you are requesting `&response_types=code+token+id_token`, your client
268should have `response_types=["code token id_token"]`, if other response types
269are required (e.g. `&response_types=code`, `&response_types=token`) they too
270must be included: `response_types=["code", "token", "code token id_token"]`.
271
272### `openid.DefaultStrategy` field name changed
273
274Field `RS256JWTStrategy` was renamed to `JWTStrategy` and now relies on an
275interface instead of a concrete struct.
276
277### `oauth2.RS256JWTStrategy` was renamed and field name changed
278
279The strategy `oauth2.RS256JWTStrategy` was renamed to
280`oauth2.DefaultJWTStrategy` and now accepts an interface that implements
281`jwt.JWTStrategy` instead of directly relying on `jwt.RS256JWTStrategy`. For
282this reason, the field `RS256JWTStrategy` was renamed to `JWTStrategy`
283
284### Adds `private_key_jwt` client authentication method
285
286This patch adds the ability to perform the
287[`private_key_jwt` client authentication method](http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
288defined in the OpenID Connect specification. Please note that method
289`client_secret_jwt` is not supported because of the BCrypt hashing strategy.
290
291For this strategy to work, you must set the `TokenURL` field of the
292`compose.Config` object to the authorization server's Token URL.
293
294If you would like to support this authentication method, your `Client`
295implementation must also implement `fosite.DefaultOpenIDConnectClient` and then,
296for example, `GetTokenEndpointAuthMethod()` should return `private_key_jwt`.
297
298### Response Type `id_token` no longer required for authorize_code flow
299
300The `authorize_code`
301[does not require](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)
302the `id_token` response type to be available when performing the OpenID Connect
303flow:
304
305> grant_types OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant
306> Types that the Client is declaring that it will restrict itself to using. The
307> Grant Type values used by OpenID Connect are:
308>
309> authorization_code: The Authorization Code Grant Type described in OAuth 2.0 Section 4.1.
310> implicit: The Implicit Grant Type described in OAuth 2.0 Section 4.2.
311> refresh_token: The Refresh Token Grant Type described in OAuth 2.0 Section 6.
312>
313> The following table lists the correspondence between response_type values that the Client will use and grant_type values that MUST be included in the registered grant_types list:
314>
315> code: authorization_code
316> id_token: implicit
317> token id_token: implicit
318> code id_token: authorization_code, implicit
319> code token: authorization_code, implicit
320> code token id_token: authorization_code, implicit
321>
322> If omitted, the default is that the Client will use only the authorization_code Grant Type.
323
324Before this patch, the `id_token` response type was required whenever an ID
325Token was requested. This patch changes that.
326
327## 0.20.0
328
329This release implements an OAuth 2.0 Best Practice with regards to revoking
330already issued access and refresh tokens if an authorization code is used more
331than one time.
332
333## Breaking Changes
334
335### JWT Claims
336
337- `github.com/ory/fosite/token/jwt.JWTClaims.Audience` is no longer a `string`,
338 but a string slice `[]string`.
339- `github.com/ory/fosite/handler/openid.IDTokenClaims` is no longer a `string`,
340 but a string slice `[]string`.
341
342### `AuthorizeCodeStorage`
343
344This improves security as, in the event of an authorization code being leaked,
345all associated tokens are revoked. To implement this feature, a breaking change
346had to be introduced. The
347`github.com/ory/fosite/handler/oauth2.AuthorizeCodeStorage` interface changed as
348follows:
349
350- `DeleteAuthorizeCodeSession(ctx context.Context, code string) (err error)` has
351 been removed from the interface and is no longer used by this library.
352- `InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)`
353 has been introduced.
354- The error `github.com/ory/fosite/handler/oauth2.ErrInvalidatedAuthorizeCode`
355 has been added.
356
357The following documentation sheds light on how you should update your storage
358adapter:
359
360```
361// ErrInvalidatedAuthorizeCode is an error indicating that an authorization code has been
362// used previously.
363var ErrInvalidatedAuthorizeCode = errors.New("Authorization code has ben invalidated")
364
365// AuthorizeCodeStorage handles storage requests related to authorization codes.
366type AuthorizeCodeStorage interface {
367 // GetAuthorizeCodeSession stores the authorization request for a given authorization code.
368 CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) (err error)
369
370 // GetAuthorizeCodeSession hydrates the session based on the given code and returns the authorization request.
371 // If the authorization code has been invalidated with `InvalidateAuthorizeCodeSession`, this
372 // method should return the ErrInvalidatedAuthorizeCode error.
373 //
374 // Make sure to also return the fosite.Requester value when returning the ErrInvalidatedAuthorizeCode error!
375 GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (request fosite.Requester, err error)
376
377 // InvalidateAuthorizeCodeSession is called when an authorize code is being used. The state of the authorization
378 // code should be set to invalid and consecutive requests to GetAuthorizeCodeSession should return the
379 // ErrInvalidatedAuthorizeCode error.
380 InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)
381}
382```
383
384## 0.19.0
385
386This release improves the OpenID Connect vaildation strategy which now properly
387handles `prompt`, `max_age`, and `id_token_hint` at the `/oauth2/auth` endpoint
388instead of the `/oauth2/token` endpoint.
389
390To achieve this, the `OpenIDConnectRequestValidator` has been modified and now
391requires a `jwt.JWTStrategy` (implemented by, for example
392`jwt.RS256JWTStrategy`).
393
394The compose package has been updated accordingly. You should not expect any
395major breaking changes from this release.
396
397## 0.18.0
398
399This release allows the introspection handler to return the token type (e.g.
400`access_token`, `refresh_token`) of the introspected token. To achieve that,
401some breaking API changes have been introduced:
402
403- `OAuth2.IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (AccessRequester, error)`
404 is now
405 `OAuth2.IntrospectToken(ctx context.Context, token string, tokenType TokenType, session Session, scope ...string) (TokenType, AccessRequester, error)`.
406- `TokenIntrospector.IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (error)`
407 is now
408 `TokenIntrospector.IntrospectToken(ctx context.Context, token string, tokenType TokenType, accessRequest AccessRequester, scopes []string) (TokenType, error)`.
409
410This patch also resolves a misconfigured json key in the `IntrospectionResponse`
411struct. `AccessRequester AccessRequester json:",extra"` is now properly declared
412as `AccessRequester AccessRequester json:"extra"`.
413
414## 0.17.0
415
416This release resolves a security issue (reported by
417[platform.sh](https://www.platform.sh)) related to potential storage
418implementations. This library used to pass all of the request body from both
419authorize and token endpoints to the storage adapters. As some of these values
420are needed in consecutive requests, some storage adapters chose to drop the full
421body to the database.
422
423This implied that confidential parameters, such as the `client_secret` which can
424be passed in the request body since version 0.15.0, were stored as key/value
425pairs in plaintext in the database. While most client secrets are generated
426programmatically (as opposed to set by the user), it's a considerable security
427issue nonetheless.
428
429The issue has been resolved by sanitizing the request body and only including
430those values truly required by their respective handlers. This lead to two
431breaking changes in the API:
432
4331. The `fosite.Requester` interface has a new method
434 `Sanitize(allowedParameters []string) Requester` which returns a sanitized
435 clone of the method receiver. If you do not use your own `fosite.Requester`
436 implementation, this won't affect you.
4372. If you use the PKCE handler, you will have to add three new methods to your
438 storage implementation. The methods to be added work exactly like, for
439 example `CreateAuthorizeCodeSession`. A reference implementation can be found
440 in [./storage/memory.go](./storage/memory.go). The method signatures are as
441 follows:
442
443```go
444type PKCERequestStorage interface {
445 GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
446 CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
447 DeletePKCERequestSession(ctx context.Context, signature string) error
448}
449```
450
451We encourage you to upgrade to this release and check your storage
452implementations and potentially remove old data.
453
454We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the
455development of a patch that resolves this issue.
456
457## 0.16.0
458
459This patch introduces `SendDebugMessagesToClients` to the Fosite struct which
460enables/disables sending debug information to clients. Debug information may
461contain sensitive information as it forwards error messages from, for example,
462storage implementations. For this reason, `RevealDebugPayloads` defaults to
463false. Keep in mind that the information may be very helpful when specific OAuth
4642.0 requests fail and we generally recommend displaying debug information.
465
466Additionally, error keys for JSON changed which caused a new minor version,
467speicifically
468[`statusCode` was changed to `status_code`](https://github.com/ory/fosite/pull/242/files#diff-dd25e0e0a594c3f3592c1c717039b85eR221).
469
470## 0.15.0
471
472This release focuses on improving compatibility with OpenID Connect
473Certification and better error context.
474
475- Error handling is improved by explicitly adding debug information (e.g. "Token
476 invalid because it was not found in the database") to the error object.
477 Previously, the original error was prepended which caused weird formatting
478 issues.
479- Allows client credentials in POST body at the `/oauth2/token` endpoint. Please
480 note that this method is not recommended to be used, unless the client making
481 the request is unable to use HTTP Basic Authorization.
482- Allows public clients (without secret) to access the `/oauth2/token` endpoint
483 which was previously only possible by adding an arbitrary secret.
484
485This release has no breaking changes to the external API but due to the nature
486of the changes, it is released as a new major version.
487
488## 0.14.0
489
490Improves error contexts. A breaking code changes to the public API was reverted
491with 0.14.1.
492
493## 0.13.0
494
495### Breaking changes
496
497`glide` was replaced with `dep`.
498
499## 0.12.0
500
501### Breaking changes
502
503#### Improved cryptographic methods
504
505- The minimum required secret length used to generate signatures of access
506 tokens has increased from 16 to 32 byte.
507- The algorithm used to generate access tokens using the HMAC-SHA strategy has
508 changed from HMAC-SHA256 to HMAC-SHA512.
509
510## 0.11.0
511
512### Non-breaking changes
513
514#### Storage adapter
515
516To simplify the storage adapter logic, and also reduce the likelihoods of bugs
517within the storage adapter, the interface was greatly simplified. Specifically,
518these two methods have been removed:
519
520- `PersistRefreshTokenGrantSession(ctx context.Context, requestRefreshSignature, accessSignature, refreshSignature string, request fosite.Requester) error`
521- `PersistAuthorizeCodeGrantSession(ctx context.Context, authorizeCode, accessSignature, refreshSignature string, request fosite.Requester) error`
522
523For this change, you don't need to do anything. You can however simply delete
524those two methods from your store.
525
526#### Reducing use of gomock
527
528In the long term, fosite should remove all gomocks and instead test against the
529internal implementations. This will increase iterations per line during tests
530and reduce annoying mock updates.
531
532### Breaking Changes
533
534#### `fosite/handler/oauth2.AuthorizeCodeGrantStorage` was removed
535
536`AuthorizeCodeGrantStorage` was used specifically in the composer. Refactor
537references to `AuthorizeCodeGrantStorage` with `CoreStorage`.
538
539#### `fosite/handler/oauth2.RefreshTokenGrantStorage` was removed
540
541`RefreshTokenGrantStorage` was used specifically in the composer. Refactor
542references to `RefreshTokenGrantStorage` with `CoreStorage`.
543
544#### `fosite/handler/oauth2.AuthorizeCodeGrantStorage` was removed
545
546`AuthorizeCodeGrantStorage` was used specifically in the composer. Refactor
547references to `AuthorizeCodeGrantStorage` with `CoreStorage`.
548
549#### WildcardScopeStrategy
550
551A new [scope strategy](https://github.com/ory/fosite/pull/187) was introduced
552called `WildcardScopeStrategy`. This strategy is now the default when using the
553composer. To set the HierarchicScopeStrategy strategy, do:
554
555```
556import "github.com/ory/fosite/compose"
557
558var config = &compose.Config{
559 ScopeStrategy: fosite.HierarchicScopeStrategy,
560}
561```
562
563#### Refresh tokens and authorize codes are no longer JWTs
564
565Using JWTs for refresh tokens and authorize codes did not make sense:
566
5671. Refresh tokens are long-living credentials, JWTs require an expiry date.
5682. Refresh tokens are never validated client-side, only server-side. Thus access
569 to the store is available.
5703. Authorize codes are never validated client-side, only server-side.
571
572Also, one compose method changed due to this:
573
574```go
575package compose
576
577// ..
578
579- func NewOAuth2JWTStrategy(key *rsa.PrivateKey) *oauth2.RS256JWTStrategy
580+ func NewOAuth2JWTStrategy(key *rsa.PrivateKey, strategy *oauth2.HMACSHAStrategy) *oauth2.RS256JWTStrategy
581```
582
583#### Delete access tokens when persisting refresh session
584
585Please delete access tokens in your store when you persist a refresh session.
586This increases security. Here is an example of how to do that using only
587existing methods:
588
589```go
590func (s *MemoryStore) PersistRefreshTokenGrantSession(ctx context.Context, originalRefreshSignature, accessSignature, refreshSignature string, request fosite.Requester) error {
591 if ts, err := s.GetRefreshTokenSession(ctx, originalRefreshSignature, nil); err != nil {
592 return err
593 } else if err := s.RevokeAccessToken(ctx, ts.GetID()); err != nil {
594 return err
595 } else if err := s.RevokeRefreshToken(ctx, ts.GetID()); err != nil {
596 return err
597 } else if err := s.CreateAccessTokenSession(ctx, accessSignature, request); err != nil {
598 return err
599 } else if err := s.CreateRefreshTokenSession(ctx, refreshSignature, request); err != nil {
600 return err
601 }
602
603 return nil
604}
605```
606
607## 0.10.0
608
609It is no longer possible to introspect authorize codes, and passing scopes to
610the introspector now also checks refresh token scopes.
611
612## 0.9.0
613
614This patch adds the ability to pass a custom hasher to `compose.Compose`, which
615is a breaking change. You can pass nil for the fosite default hasher:
616
617```
618package compose
619
620-func Compose(config *Config, storage interface{}, strategy interface{}, factories ...Factory) fosite.OAuth2Provider {
621+func Compose(config *Config, storage interface{}, strategy interface{}, hasher fosite.Hasher, factories ...Factory) fosite.OAuth2Provider {
622```
623
624## 0.8.0
625
626This patch addresses some inconsistencies in the public interfaces. Also
627remaining references to the old repository location at `ory-am/fosite` where
628updated to `ory/fosite`.
629
630### Breaking changes
631
632#### `ClientManager`
633
634The
635[`ClientManager`](https://github.com/ory/fosite/blob/master/client_manager.go)
636interface changed, as a context parameter was added:
637
638```go
639type ClientManager interface {
640 // GetClient loads the client by its ID or returns an error
641 // if the client does not exist or another error occurred.
642- GetClient(id string) (Client, error)
643+ GetClient(ctx context.Context, id string) (Client, error)
644}
645```
646
647#### `OAuth2Provider`
648
649The [OAuth2Provider](https://github.com/ory/fosite/blob/master/oauth2.go)
650interface changed, as the need for passing down `*http.Request` was removed.
651This is justifiable because `NewAuthorizeRequest` and `NewAccessRequest` already
652contain `*http.Request`.
653
654The public api of those two methods changed:
655
656```go
657- NewAuthorizeResponse(ctx context.Context, req *http.Request, requester AuthorizeRequester, session Session) (AuthorizeResponder, error)
658+ NewAuthorizeResponse(ctx context.Context, requester AuthorizeRequester, session Session) (AuthorizeResponder, error)
659
660
661- NewAccessResponse(ctx context.Context, req *http.Request, requester AccessRequester) (AccessResponder, error)
662+ NewAccessResponse(ctx context.Context, requester AccessRequester) (AccessResponder, error)
663```
664
665## 0.7.0
666
667Breaking changes:
668
669- Replaced `"golang.org/x/net/context"` with `"context"`.
670- Move the repo from `github.com/ory-am/fosite` to `github.com/ory/fosite`
671
672## 0.6.0
673
674A bug related to refresh tokens was found. To mitigate it, a `Clone()` method
675has been introduced to the `fosite.Session` interface. If you use a custom
676session object, this will be a breaking change. Fosite's default sessions have
677been upgraded and no additional work should be required. If you use your own
678session struct, we encourage using package `gob/encoding` to deep-copy it in
679`Clone()`.
680
681## 0.5.0
682
683Breaking changes:
684
685- `compose.OpenIDConnectExplicit` is now `compose.OpenIDConnectExplicitFactory`
686- `compose.OpenIDConnectImplicit` is now `compose.OpenIDConnectImplicitFactory`
687- `compose.OpenIDConnectHybrid` is now `compose.OpenIDConnectHybridFactory`
688- The token introspection handler is no longer added automatically by
689 `compose.OAuth2*`. Add `compose.OAuth2TokenIntrospectionFactory` to your
690 composer if you need token introspection.
691- Session refactor:
692 - The HMACSessionContainer was removed and replaced by `fosite.Session` /
693 `fosite.DefaultSession`. All sessions must now implement this signature. The
694 new session interface allows for better expiration time handling.
695 - The OpenID `DefaultSession` signature changed as well, it is now
696 implementing the `fosite.Session` interface
697
698## 0.4.0
699
700Breaking changes:
701
702- `./fosite-example` is now a separate repository:
703 https://github.com/ory-am/fosite-example
704- `github.com/ory-am/fosite/fosite-example/pkg.Store` is now
705 `github.com/ory-am/fosite/storage.MemoryStore`
706- `fosite.Client` has now a new method called `IsPublic()` which can be used to
707 identify public clients who do not own a client secret
708- All grant types except the client_credentials grant now allow public clients.
709 public clients are usually mobile apps and single page apps.
710- `TokenValidator` is now `TokenIntrospector`, `TokenValidationHandlers` is now
711 `TokenIntrospectionHandlers`.
712- `TokenValidator.ValidateToken` is now `TokenIntrospector.IntrospectToken`
713- `fosite.OAuth2Provider.NewIntrospectionRequest()` has been added
714- `fosite.OAuth2Provider.WriteIntrospectionError()` has been added
715- `fosite.OAuth2Provider.WriteIntrospectionResponse()` has been added
716
717## 0.3.0
718
719- Updated jwt-go from 2.7.0 to 3.0.0
720
721## 0.2.0
722
723Breaking changes:
724
725- Token validation refactored: `ValidateRequestAuthorization` is now `Validate`
726 and does not require a http request but instead a token and a token hint. A
727 token can be anything, including authorization codes, refresh tokens, id
728 tokens, ...
729- Remove mandatory scope: The mandatory scope (`fosite`) has been removed as it
730 has proven impractical.
731- Allowed OAuth2 Client scopes are now being set with `scope` instead of
732 `granted_scopes` when using the DefaultClient.
733- There is now a scope matching strategy that can be replaced.
734- OAuth2 Client scopes are now checked on every grant type.
735- Handler subpackages such as `core/client` or `oidc/explicit` have been merged
736 and moved one level up
737- `handler/oidc` is now `handler/openid`
738- `handler/core` is now `handler/oauth2`
739
740## 0.1.0
741
742Initial release
View as plain text