v4.13.2

Changed

• Updated peer dependency
  • Next: ^14.2.25 || ~15.0.5 || ~15.1.9 || ~15.2.6 || ~15.3.6 || ~15.4.8 || ~15.5.7 || ^16.0.7
  • React: ^18.0.0 || ~19.0.1 || ~19.1.2 || ^19.2.1
  • React-DOM: ^18.0.0 || ~19.0.1 || ~19.1.2 || ^19.2.1

v4.13.1

Added

• docs: Add docs for silent authentication #2422 (tusharpandey13)

Fixed

• fix: broken next-16 app when basePath is used #2424 (nandan-bhat)

v4.13.0

Added

• feat: add support scopes parameter for connected accounts #2407 (guabu)
• Adding support for Next 16 #2405 (nandan-bhat)

Fixed

• fix: merge sessionChanges before finalizing session after refresh (#2401) #2414 (Clone of #2401 by wolfgangGoedel )
• fix: prevent OAuth parameter injection via returnTo (#2381) #2413 (Clone of #2381 by MegaManSec)

v4.12.1

Changed

• Remove TokenRequestCache when calling getAccessToken

v4.11.2

Changed

• Remove TokenRequestCache when calling getAccessToken

v4.12.0

Added

• feat: Proxy handler support enabling My Account and My Org #2400 (tusharpandey13)

v4.11.1

Fixed

• fix: DPoP nonce retry on auth code callback #2391 (tusharpandey13)
• fix: append intl headers in with-next-intl instead of overwrite #2386 (tusharpandey13)
• fix: make sure beforeSessionSaved hook gets the updated token after refresh #2387 (tusharpandey13)
• Fix updateSession and header overwrite issues #2330 (tusharpandey13)
• bugfix: Remove React dependency from server helpers to fix edge runtime bundling #2329 (tusharpandey13)

v4.11.0

📋 Changes

Added

• feat: Add DPoP (Demonstrating Proof-of-Possession) #2357 (tusharpandey13)
• feat: add support for connected accounts #2344 (guabu)
• Add support for access tokens with difference audiences (MRRT) #2333 (frederikprijck)

Fixed

• fix: ensure Connected Accounts use fetcher to properly use DPoP #2366 (frederikprijck)
• fix: ensure fetcher honors token_type #2365 (frederikprijck)
• fix: address typos in comments and examples #2347 (frederikprijck)

v4.10.0

Added

• feat: control sending id_token_hint in OIDC logout URL #2300 (tusharpandey13)
• feat: Allow access token grant type for federated connections #2240 (tusharpandey13)
• feat: add federated logout #2313 (tusharpandey13)
• feat: Add organizations #2282 (tusharpandey13)
• feat: add support for backchannel authentication #2261 (guabu)

Changed

• feat: simplify PAR parameter handling by removing redundant filtering #2298 (tusharpandey13)

Fixed

• fix: Remove unsafe type assertion in withPageAuthRequired HOC #2305 (tusharpandey13)
• fix: parameter name of requested_expiry #2304 (guabu)
• fix: ensure to mark StartInteractiveLoginOptions as optional #2272 (frederikprijck)

v4.9.0

Added

• feat: Allow configuring transaction cookie maxAge #2245 (tusharpandey13)
• feat: Add flag to control parallel transactions #2244 (tusharpandey13)
• feat: add support for withApiAuthRequired helper #2230 (guabu)
• feat: add withPageAuthRequired for server #2207 (guabu)

Fixed

• bugfix: respect path configuration when deleting cookies #2250 (tusharpandey13)
• bugfix: Clear cookies with the correct path when basePath is used #2232 (tusharpandey13)
• bugfix: Fix clientAssertionSigningKey type mismatch #2243 (tusharpandey13)
• fix: correctly handle expired JWE's in cookies #2082 (frederikprijck)

Security

• chore: pin eslint-config-prettier and eslint-plugin-prettier versions to prevent malicious package installation #2239 (tusharpandey13)