All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.
9.1.0 — 2026-06-23
- Teach
/tokenendpoint to supporturn:ietf:params:oauth:grant-type:jwt-bearergrant type and JWT bearer assertions (cf. https://datatracker.ietf.org/doc/html/rfc7523)
- Update dependencies
9.0.0 — 2026-06-05
- Introduce
OAuth2Service.addRoute()to expose additional routes next to the OIDC standard ones. May be useful when willing to stub some vendor specific management routes for instance. - Add support for Node.js 26
- Breaking: No longer support Node.js 20
- Remove Express as a dependency. Request handlers are now implemented directly on top of Node.js's built-in
http/httpsmodules. No impact on the documented API. - Update dependencies
8.2.3 — 2026-05-27
- Update dependencies
8.2.2 — 2026-02-26
- Return state on
/endsessionredirect (by meesvandongen in #391) - Update dependencies
8.2.1 — 2026-01-27
- Allow
beforeSigningevent to modifytypheader property (by AndreasNill in #388)
- Update dependencies
8.2.0 — 2025-10-31
- Export
TokenRequestIncomingMessagetype to make/tokenrelated hooks easier to consume (reported in #355 by kikisaeba) - Teach the cli to accept a
issuer-url-trailing-slashoption (reported in #353 by Valdermeyder)
- Update dependencies
8.1.0 — 2025-06-06
- Update dependencies
8.0.1 — 2025-05-28
- Fix crash when running
npx oauth2-mock-server --help(reported in #337 by robcresswell)
8.0.0 — 2025-05-18
- Breaking: No longer support Node.js 18
- Switched to "Universal" ESM. CommonJS
require()usage pattern still supported for Nodejs ^20.19 & ^22.12 - Add support for Node.js 24
- Update dependencies
7.2.1 — 2025-04-30
- Fix paths of well known endpoints when issuer ends with a forward slash (reported in #331 by kikisaeba)
- Update dependencies
7.2.0 — 2024-11-25
- Include scope in token for authorization_code and refresh_token grants (by PetrasJaug)
- Add PKCE support (by tanettrimas)
- Update dependencies
7.1.2 — 2024-05-21
- Add support for Node.js 22 (by sheinbergon)
7.1.1 — 2023-10-24
- Be a better citizen in an ECMAScript modules world
7.1.0 — 2023-10-23
- Add support for "aud" claim in "client_credentials" grants (by kadams54)
- Update dependencies
7.0.0 — 2023-10-04
- Breaking: No longer support Node.js 16
6.0.1 — 2023-10-03
- Update dependencies to fix:
6.0.0 — 2023-06-19
- Breaking: No longer support Node.js 14
- Fix authorize endpoint compliance (remove scope requirement, make state optional) (by jirutka)
- Add support for Node.js 20
- Update dependencies
5.0.2 — 2023-02-20
- Update dependencies to fix:
5.0.1 — 2022-10-04
- Update dependencies to fix:
5.0.0 — 2022-06-27
- Breaking: No longer support Node.js 12
- Add support for Node.js 18
4.3.2 — 2022-06-27
- Update dependencies
4.3.1 — 2022-03-29
- Update dependencies to fix:
4.3.0 — 2022-02-01
- Support the token introspection endpoint (by cfman)
4.2.0 — 2022-01-28
- Add support for custom endpoint pathnames (by roskh)
- Teach
/tokenendpoint to support JSON content type (by roskh)
4.1.1 — 2021-11-18
- Fix regression: Prevent unhandled rejected promises when incorrectly invoking the /token endpoint
4.1.0 — 2021-11-15
- HTTPS support (by lbestftr)
4.0.0 — 2021-10-25
- Add
/endsessionendpoint (by AndTem) - Support
EdDSAalgorithm
- Breaking: Drop support for Node.js 10
- No longer accepts PEM encoded keys
- No longer supports generating unsigned JWTs
- Breaking: Reworked exposed API. Please refer to the migration guide for more information.
- Add support for Node.js 16
3.2.0 — 2021-08-03
- Add
subject_types_supportedOpenID Provider Metadata field (by jjbooth74)
3.1.0 — 2020-11-30
- Add authorize redirect event (by markwallsgrove)
3.0.3 — 2020-11-12
- Fix regression: When adding a key to the KeyStore, do not normalize key "use" value to "sig" when already defined
3.0.2 — 2020-10-29
- Support Nodejs 14.15 LTS
3.0.1 — 2020-10-23
- Include missing files on pack/publish
3.0.0 — 2020-10-22
- TypeScript type definitions (#48)
- Straightened definitions of optional parameters:
nullis no longer considered as a non valued parameter value;undefinedbears that meaning.
2.0.0 — 2020-10-01
- Honor OpenID Connect
nonce(#34 by @HASHIMOTO-Takafumi)
- No longer support Node 8
1.5.1 — 2020-04-06
- Update
npmdependencies to fix:
1.5.0 — 2020-01-23
- Add HTTP request object to
OAuth2Service's events - Add
beforeTokenSigningevent toOAuth2Service
1.4.0 — 2020-01-15
- Update
npmdependencies to fix:
- Add missing
audclaim under Authorization Code Flow
- Add CORS support
1.3.3 — 2019-09-25
- Update
npmdependencies to fix:
- Update license's legal entity.
1.3.2 — 2019-08-09
- Update
npmdependencies to fix:
1.3.1 — 2019-06-07
- Update
npmdependencies to fix:
1.3.0 — 2019-06-03
- Add revocation endpoint
1.2.0 — 2019-03-19
- Add Authorization code grant
- Add Refresh token grant
- Add Userinfo endpoint
- Update
npmdependencies to fix CVE-2018-16469
1.1.0 — 2018-08-02
- Add Resource Owner Password Credentials grant
- Add missing cache control headers on
/tokenresponses
Initial release.