chore(deps): update dependency oidc-provider to v9 #15

Open
renovate[bot] wants to merge 1 commit into main from renovate/oidc-provider-9.x

@renovate renovate bot commented Jun 14, 2025

This PR contains the following updates:

Package | Change
oidc-provider | 8.8.1 → 9.6.1
@types/oidc-provider (source) | 8.8.1 → 9.5.0

Release Notes

panva/node-oidc-provider (oidc-provider)

v9.6.1

Refactor
  • extract NON_REJECTABLE_CLAIMS into shared constant (2b7c025)
  • extract shared grant handler helpers to reduce duplication (f5eee9e)
  • extract shared token finder for introspection and revocation (666c2b0)
Fixes
  • required PAR should not affect CIBA and DAG (8167bd0)

v9.6.0

Features
Documentation

v9.5.2

Refactor

v9.5.1

Fixes
  • safeguard global navigator access (1caae21)

v9.5.0

Features
  • support ML-DSA JWS algorithm identifiers (f308b09)
Refactor
  • add a warning for more unsupported runtimes (c55d58e)
  • make warn/info warnings colorization a no-op in nonTTY (0c0a5b6)

v9.4.2

Fixes
  • check for native logout redirect allowed same way as during auth (419f286), closes #​1351

v9.4.1

Documentation
  • add a getAttestationSignaturePublicKey example (3a7730c)
Refactor
  • avoid code generation from strings by pre-compiling eta views (f997073)
  • drop the default implementation of pairwiseIdentifier (6a2338a)
  • remove oidc-token-hash dependency (b607491)

v9.4.0

Features
  • Experimental support for Attestation-Based Client Authentication (d655ebd)
Refactor
  • consistently lowercase header names and use req/res aliases (1748a54)
  • cors: update default client-based cors helper (77e06eb)
  • reconcile dpop and attestation challenge implementations (e31f639)
Documentation
  • updated documentation for configuration options (5710d61)

v9.3.0

Features
  • revocation: add an allowed token revocation policy helper (a7e47e4)
Documentation
Fixes
  • introspection: use unsupported_token_type to indicate structured jwt tokens cannot be introspected (c9001be)
  • revocation: use unsupported_token_type to indicate structured jwt tokens cannot be revoked (b45b00c)
Refactor
  • pull structured token rejection to a shared middleware (30367af)

v9.2.0

Features
  • expose RFC8414 Authorization Server Metadata route (c5bd90f)

v9.1.3

Fixes
  • ensure an account's accountId and claims().sub is the same (9b89153), closes #​1336

v9.1.2

Fixes
  • ignore allowOmittingSingleRegisteredRedirectUri when FAPI 2.0 is used (e2de529)

v9.1.1

Refactor
  • oidc-provider now uses koa@​3 (3a83d32)

v9.1.0

Features
  • experimental support for OIDC RP Metadata Choices (f3550da)
Fixes
  • only include DPoP-Nonce in Access-Control-Expose-Headers when DPoP is enabled (e769aa8)
Refactor
  • avoid assignment operators in conditional expressions (b7ed877)
  • improve static find performance (106f94a)
  • update some default helpers for readability (0818c36)
Documentation
  • more clarity for features.dPoP.allowReplay (779a141)

v9.0.1

Documentation
  • mark experimental features more distinctly (986adc5)
  • update references and styling of spec links (a4787b8)
Fixes
  • DCR endpoints only include www-authenticate for non-registration related errors (9a864d6)
Refactor
  • client schema defaults and static props (843943d)
  • handle frame-ancestors in wmrm without a regexp (4f85585)
  • push multiple elements to the recognized array in client_schema (d478a8b)
  • simpler DCR validate registration access token (5f01eda)

v9.0.0

⚠ BREAKING CHANGES
  • authorization and logout endpoints no longer support the HTTP POST method by default, this can be re-enabled using the enableHttpPostMethods boolean configuration, this also requires that cookies.long.sameSite is set to none
  • cookie session sameSite attribute default is now "lax" instead of "none"
  • userinfo requests with bearer tokens will now fail if they also include DPoP
  • userinfo now includes both dpop and bearer challenges when dpop is enabled
  • accessing protected resources without an access token will now yield a 401 HTTP Status Code instead of a 400
  • default PKCE configuration no longer requires PKCE to be used unless RFC9700 or a given profile says so
  • removed the provider.Account getter
  • all Provider routes will now end the HTTP request when finished, koa middlewares that are "downstream" will no longer be executed after a route is matched in oidc-provider, "upstream" control flows are unaffected
  • the Provider no longer includes a catch-all 404 Not Found error handler
  • FAPI profile behaviours no longer force PKCE, these should be forced by configuring the pkce.required configuration helper the default of which already does so.
  • the server's JWK Key IDs (JWK kid parameter) now must be unique, no two keys must use the same kid.
  • the revokeGrantPolicy configuration helper is now also invoked during opaque Access Token revocation, its default return remains false for this case though
  • CIBA ping and poll delivery mode ID Tokens no longer include at_hash, urn:openid:params:jwt:claim:rt_hash, and urn:openid:params:jwt:claim:auth_req_id
  • authorization code grant type issued ID Tokens no longer include at_hash
  • device authorization grant type issued ID Tokens no longer include at_hash
  • refresh token grant type issued ID Tokens no longer include at_hash
  • implicit grant type issued ID Tokens no longer include s_hash unless the request is a FAPI 1.0 Final request
  • global fetch() API is now used to make outgoing HTTP requests instead of the "got" module.
  • the httpOptions configuration option was removed and a new option to accommodate the use of fetch() interface was added. This option is aptly called "fetch" and its call signature and expected returns mirror the fetch() API.
  • Enabling JAR (Request Objects by Value) is now enabled via features.requestObjects.enabled boolean instead of features.requestObjects.request boolean
  • removed support for Passing a Request Object by Reference (JAR request_uri)
  • removed legacy sameSite cookie fallback
  • removed support for Node.js 18.x
  • removed support for Node.js 20.x
  • removed the pkce.methods configuration
  • removed the features.requestObjects.mode configuration
  • removed support for Ed448
  • removed support for X448
  • removed support for secp256k1 / ES256K
  • removed support for FAPI 1.0 ID2
Features
  • Access Token revocation may now also optionally revoke the underlying grant (4f69668)
  • add support for the fully-specified Ed25519 JWS Algorithm Identifier (645b900)
  • DPoP support is now enabled by default (a5694af)
  • Experimental support for external signing keys, e.g. in a KMS or HSM (8b3ceff)
  • expose current requests' ctx via Provider.ctx static getter (1fbd81b)
  • update FAPI 2.0 implementation to FAPI 2.0 Final (eff3115)
Documentation
  • auto-format code blocks (c2c520f)
  • dpop cannot be acked anymore, it is stable (a48c51f)
  • improvements to linked resources (cf77770)
  • mention external types (5f8a450)
  • move adapters to the Community Guides Discussions section (ba806ca)
  • move recipes to the Community Guides Discussions section (cd8da28)
  • remove mentions of the connect server framework (7cb1aaa)
  • update README to use named exports (8355886)
  • update version support matrix (abbfe2f)
Fixes
  • no access token provided error is now a 401 (8493e2d)
  • userinfo now includes both dpop and bearer challenges when dpop is enabled (1093f6b)
Refactor
  • change default PKCE usage requirement (fdf8ad8)
  • change default session cookie from sameSite none to lax (b47eee8)
  • cleanup unused azp claim code (6c57e63)
  • deprecate the .app getter (9b61212)
  • disable HTTP POST Method handling of authorization and logout endpoints (d56304c)
  • encryption and key derivation is not blocking the main thread (73a422f)
  • ensure all route handlers are final (8cc44e6)
  • escape www-authenticate backslashes despite not directly using them (e789b98)
  • increase all random identifiers from ~126 bits of randomness to ~256 (45721f8)
  • minimal change to support koa@​3 (925cee5)
  • no more warnings if cookie keys are missing (7ab6157)
  • omit generic "typ: JWT" in issued JSON Web Tokens (4eb4004)
  • pass over internal configuration getters (0243964)
  • Provider is now the Koa application instance (167216e)
  • remove hardcoded require PKCE checks (be0b2fd)
  • remove object-hash dependency (fda9385)
  • remove optional ID Token _hash claims (58ca2c2)
  • remove the provider.Account getter (dd2bde4)
  • remove unused code (e5fc3cb)
  • remove uses of randomFill and Buffer.allocUnsafe (00fe106)
  • removed legacy sameSite cookie fallback (2defa70)
  • removed support for FAPI 1.0 ID2 (311e3e2)
  • removed support for Passing a Request Object by Reference (JAR request_uri) (bacf375)
  • removed the features.requestObjects.mode configuration (4ec8327)
  • removed the pkce.methods configuration (4a736b8)
  • Request Object (JAR) is now enabled with features.requestObjects.enabled (20d60a4)
  • simplify default assertJwtClaimsAndHeader configuration (1ea27a6)
  • update Node.js support matrix (db57556)
  • use fetch() api to make outgoing HTTP requests (cc70e5a)
  • use hkdf in dpop's rolling nonce calculation (7b77967)
  • use more optional chaining (e5539ae)
  • use oneshot hash methods instead of intermediate Hash objects (2dc4bd1)
  • use structuredClone instead of JSON.stringify then parse (ad02170)
  • use URL.parse (11e1b33)
  • userinfo requests with bearer tokens will now fail if they also include DPoP (e5efa5c)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
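
A pre-upgrade check for the v9.0.0 breaking changes listed in the release notes above, as an added example that is not part of this PR or of oidc-provider's own code. The function name, finding strings and sample configuration are constructed, and it assumes signing keys are supplied under `jwks.keys`.

```javascript
// Added example: flags v8-era oidc-provider settings affected by the v9.0.0
// breaking changes listed above. Function and finding names are hypothetical.
const REMOVED_PATHS = {
  'httpOptions': 'removed; use the "fetch" option',
  'pkce.methods': 'removed',
  'features.requestObjects.mode': 'removed',
  'features.requestObjects.request': 'replaced by features.requestObjects.enabled',
};
const REMOVED_CURVES = new Set(['Ed448', 'X448', 'secp256k1']);

// Safe nested lookup: get(cfg, 'a.b.c') is undefined if any hop is missing.
const get = (obj, path) => path.split('.').reduce((o, k) => o?.[k], obj);

function auditConfig(config) {
  const findings = [];
  for (const [path, note] of Object.entries(REMOVED_PATHS)) {
    if (get(config, path) !== undefined) findings.push(`${path}: ${note}`);
  }
  // POST on authorization/logout is off by default in v9; re-enabling it
  // also requires cookies.long.sameSite to be "none".
  if (config.enableHttpPostMethods === true
      && get(config, 'cookies.long.sameSite') !== 'none') {
    findings.push('enableHttpPostMethods: requires cookies.long.sameSite "none"');
  }
  // v9 requires unique JWK kid values and drops Ed448, X448 and secp256k1.
  const seen = new Set();
  for (const jwk of get(config, 'jwks.keys') ?? []) {
    if (REMOVED_CURVES.has(jwk.crv)) findings.push(`jwks: curve ${jwk.crv} no longer supported`);
    if (jwk.kid !== undefined) {
      if (seen.has(jwk.kid)) findings.push(`jwks: duplicate kid "${jwk.kid}"`);
      seen.add(jwk.kid);
    }
  }
  return findings;
}

// Constructed sample configuration (not from any real deployment).
const sampleV8Config = {
  httpOptions: () => ({ timeout: 2500 }),
  pkce: { methods: ['S256'] },
  features: { requestObjects: { request: true, mode: 'strict' } },
  enableHttpPostMethods: true,
  cookies: { long: { sameSite: 'lax' } },
  jwks: { keys: [
    { kty: 'EC', crv: 'P-256', kid: 'sig-1' },
    { kty: 'OKP', crv: 'Ed448', kid: 'sig-1' },
  ] },
};
console.log(auditConfig(sampleV8Config));
```

An empty result only means none of these specific settings were found; behavioural changes such as the 401 status for missing access tokens or the removed catch-all 404 handler still need integration tests.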

@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from c19f7a7 to bba63a4 Compare June 19, 2025 20:02
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from d10e2dd to bee1212 Compare June 25, 2025 23:03
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 7 times, most recently from cf9256d to b129f78 Compare July 22, 2025 17:15
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from ed35a74 to f71a283 Compare August 4, 2025 15:22
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 8ae9615 to f49276a Compare August 13, 2025 16:56
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 3be82dc to dd8a5ab Compare August 23, 2025 08:55
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 4 times, most recently from 90a4c17 to 89b1b30 Compare September 7, 2025 01:52
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from fa16548 to 9dc97d4 Compare September 14, 2025 00:36
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 1d5abfd to f9478b8 Compare September 22, 2025 04:24
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch from f9478b8 to 88c9b7a Compare September 25, 2025 17:01
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 54cad86 to 3cd9c80 Compare October 7, 2025 20:05
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from f38a9ad to 4d0853f Compare October 23, 2025 16:48
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 2314e9c to 2354d31 Compare October 29, 2025 00:42
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from ae2919c to 8e0994b Compare November 3, 2025 22:56
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 71c8e5b to 0fa0d45 Compare November 17, 2025 04:55
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch from 0fa0d45 to afc9014 Compare November 18, 2025 11:53
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 3 times, most recently from c13a06b to fd18554 Compare December 8, 2025 06:07
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch from fd18554 to 800f705 Compare December 22, 2025 04:44
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 196987c to bfc5a63 Compare January 5, 2026 06:43
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 3 times, most recently from 8148dfc to d9da972 Compare January 15, 2026 17:48
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 3 times, most recently from e8d29cd to 93940ae Compare January 26, 2026 04:38
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch from 93940ae to b21ef52 Compare February 2, 2026 06:07
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch 2 times, most recently from 3e34f2b to 0110334 Compare February 17, 2026 18:39
@renovate renovate bot force-pushed the renovate/oidc-provider-9.x branch from 0110334 to 9946e9e Compare February 19, 2026 09:01