v3.3.1

• #193: Fix race condition when multiple function calls are trying to do endpoint discovery. (@lukybrody)

v3.3.0

• OAuth2 token operations may now return an extraParams property, which is an object with all unrecognized properties. Some servers return custom properties from OAuth2 responses, and this lets users get access to them. (@ericleib, @blarralde)
• The OAuth2Token object now has a scope property, containing a list of scopes the server returned if the server returned this. (@ericleib)

3.2.0

• #180: The browser build was failing to work for vite and next.js users since v3. This was probably due to the switch to ESM. Instead of trying to fix this problem in Webpack, this library has switched to vite for the minified browser build instead.

v3.1.0

• #181: Revert back to percent-encoding of the Authorization: Basic header. Even though this was more correct from a standards perspective, this is causing interopability problems with popular real-world OAuth2 servers. If you need strict encoding, you can opt-in using the authorizationMethod option. We recommend using client_secret_post if it's possible with your server. See README.md for more information on this behaviour and what the possible options are.

v3.0.0

• Dropped support for Node 14 and 16.
• Full conversion to ESM.
• Support for the OpenID Connect id_token. If a server returns it, we expose it as idToken. This is a JWT and would require parsing by a JWT library to get access to its information. (@drev74, @redguardtoo).
• #171: client_id and client_secret are now percent-encoded with the most strict rules as specified by RFC 6749. We weren't doing any percent/urlencoding before. This is a a BC break if your secret used special characters, and the server you're talking is not compliant with the OAuth2 spec itself (@p2004a, @panva).
• Migrated the test suite from Mocha and Chai to node:test and node:assert (@Zen-cronic).
• Package now uses 'erasableSyntaxOnly' flag with Typescript, so it can be used with node --experimental-strip-types.

v2.4.2

• #161: Re-use old refresh_token if no new one was issued after a refresh.

v2.4.1

• #151: Add 'Accept' header on token requests to fix a Github compatibility issue.
• #151: Throw error when we get an invalid reply from a token endpoint.

v2.4.0

• More robust error handling. When an error is emitted, you now give you access to the emitted HTTP Response and response body.
• Support for response_mode=fragment in the authorization_code flow.

v2.3.0

• Fix for #128: If there's no secret, we should never use Basic auth to encode the client_id.
• Support for the resource parameter from RFC 8707.
• Add support for scope parameter to refresh().
• Support for RFC 7009, Token Revocation. (@adambom)

v2.2.4

• Added extraParams option to getAuthorizeUri, allowing users to add non-standard arguments to the authorization URI for servers that require this. (@pks1989)