This repository has been archived by the owner on Oct 29, 2024. It is now read-only.

Releases: vamsii777/vapor-oauth

1.1.0 Beta 5

22 Mar 14:37
ef6d55c
Pre-release

OAuth 2.0 and OpenID Connect Enhancements - Version 1.1.0 Beta 5

⚠️ This release introduces breaking changes ⚠️

✨ New Features and Improvements

  • JWTSignerService now returns an array of JWTSigner instances for flexible key management and rotation strategies.
  • emailAddress property in OAuthUser struct is now mutable, allowing dynamic email address updates.
  • Updated scopes property type in AccessTokenPayload struct for better type safety and clarity.
  • Upgraded dependencies to their latest versions for security patches and performance optimizations.
  • Enhanced key retrieval mechanism in KeyManagementService for improved reliability and efficiency.
  • Introduced getUserClient method to UserManager protocol for retrieving client information associated with a user.

🛠 Fixes

  • Resolved an issue with key retrieval in KeyManagementService.

💣 Breaking Changes

  • 💥 JWTSignerService now returns an array of JWTSigner instances instead of a single JWTSigner.
  • 💥 emailAddress property in OAuthUser struct is now mutable.
  • 💥 scopes property type in AccessTokenPayload struct has been updated.

1.1.0 Beta 4

01 Feb 09:51
caa5464
Pre-release

OAuth 2.0 and OpenID Connect Enhancements - Version 1.1.0 Beta 4

Introducing further enhancements to the OAuth 2.0 and OpenID Connect implementation, focusing on security improvements, codebase optimizations, and support for modern asynchronous programming patterns.

🛠 Fixes and Enhancements

  • The token string in JWTs is now carried in the jti claim, aligning with the JWT standard.
  • Enhanced access token generation logic in RefreshTokenHandler for improved security and efficiency.
  • Expanded the userinfo endpoint functionality for better compliance with OpenID Connect specifications.
  • Updated UserInfoHandler to use the sub claim instead of userID, aligning with OpenID Connect.
  • Improved JWT signing process with the addition of private key identifier and updated private key retrieval mechanisms.
  • Refactored OAuthUser class and related models to enhance code structure and remove deprecated protocols.
  • Introduced new authorization error types and updated client validation logic for more robust error handling.
  • Overhauled authorization code generation to include the nonce parameter, mitigating replay attacks.
  • Updated Vapor framework dependency to the latest version, benefiting from performance and security improvements.
  • Refined scope validation in token handlers and client validator for more precise access control.
  • Transitioned OAuth models from classes to structs for better performance and safety.
  • Updated DiscoveryDocument protocol, making certain properties optional to support more flexible configurations.
  • Enhanced user information handling with the addition of an environment parameter and Address struct, improving user data management.
  • Implemented key rotation and deletion methods in KeyManagementService, bolstering key management security.
  • Updated KeyManagementService protocol to support storing different types of keys, enhancing flexibility and security.
  • Integrated async/await programming model across key management and token generation processes, aligning with modern Swift concurrency patterns.
  • Revised scopes property definition in AccessToken and RefreshToken, optimizing for better type safety and clarity.

This release represents a substantial advancement in Vapor OAuth, with particular emphasis on security, adherence to standards, and the adoption of modern Swift programming paradigms.

1.0.2

10 Jan 10:35
2759152

OAuth Enhancements and Concurrency Support - Version 1.0.2

Introduces a series of enhancements and optimizations to the OAuth framework, emphasizing concurrency support and security improvements. These updates ensure that the OAuth components are robust, secure, and aligned with the latest Swift concurrency standards.

🔄 Refactoring and Concurrency

  • Refined OAuthClient properties for improved Sendable compatibility, embracing Swift's concurrency model.
  • Updated StaticClientRetriever to support concurrent access, enhancing performance and reliability in multi-threaded scenarios.
  • Enhanced OAuthHelper+remote.swift with async method refactoring for improved asynchronous handling.
  • Streamlined the codebase by removing unnecessary file headers and imports.

📄 Documentation and Code Cleanup

  • Updated documentation and removed redundant comments in CodeManager, ensuring clarity and consistency.

🛡️ Security and Functionality

  • Introduced PKCEValidator for robust PKCE validation, increasing the security of the OAuth flow.
  • Integrated nonce parameters into the generateCode function and associated test methods, bolstering security and integrity in code generation.
  • Extended the TokenManager protocol with new token generation methods, enhancing its capabilities.

This update marks a significant stride in improving the security, efficiency, and maintainability of the OAuth components, ensuring they meet contemporary standards.

1.1.0 Beta 3

06 Jan 20:34
018bf6a
Pre-release

Userinfo Endpoint Enhancement - Version 1.1.0

This beta introduces the userinfo endpoint and security improvements to the OAuth 2.0 framework, enhancing both functionality and security.

🛠 Fixes and Enhancements

  • 390eba7 Implemented the userinfo endpoint, extending the OAuth 2.0 feature set.
  • b49ab78 Refactored UserInfoHandler to use 'sub' instead of 'userID' in AccessTokenPayload, aligning with OpenID Connect specifications.
  • 3208a3c Added private key identifier and enhanced private key retrieval in JWTSignerService for improved JWT security.
  • 4e2096d Refactored OAuthUser class for better encapsulation and removed Extendable protocol.
  • 4019c46 Introduced new authorization error types, enhancing client validation and error handling.
  • c3eb934, 5de6018, c8070dd Revamped authorization code generation logic, including nonce parameter to mitigate replay attacks.
  • Updated Vapor dependency to the latest version for increased performance and security.

Special Contributions

Special thanks to @mynona for their valuable contributions, particularly in addressing issue #8 and providing consistent support throughout the development process. Their insights have been instrumental in enhancing the nonce parameter implementation and overall security features of this release.

This beta release marks a significant step forward in the OAuth 2.0 implementation, particularly in enhancing security and aligning with current standards. The introduction of the userinfo endpoint and nonce parameter support further solidifies the library's compliance with OpenID Connect and OAuth 2.0 specifications.
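
The token-level changes noted across Beta 5, Beta 4 and this release (a set of JWTSigner instances selected by key identifier, the jti claim, the sub claim in the userinfo path, and the nonce bound to the authorization code) are easiest to see together. The following is an added illustration, not vapor-oauth or JWTKit code: it mints an ID token on the authorization-server side and verifies it on the relying-party side, choosing the key by kid from several trusted signers, checking nonce against the value the client sent for this login attempt, and refusing a second presentation of the same jti. The HS256 keys, issuer URL, client id and claim values are constructed; a production issuer would use asymmetric keys, but the kid lookup and the claim checks are the same.

```python
"""Added example, not vapor-oauth code: ID-token issuance and verification with
key selection by kid (rotation), nonce binding, and single-use jti. HS256 with
constructed secrets keeps it offline; the same kid lookup applies to RSA/EC keys."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo keys. Both are trusted for verification; only ACTIVE_KID signs new tokens.
SIGNING_KEYS = {"2024-01": b"constructed-demo-key-one", "2024-03": b"constructed-demo-key-two"}
ACTIVE_KID = "2024-03"
ISSUER = "https://auth.example.test"   # constructed issuer URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Compact JWS serialization over compact JSON, HS256."""
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def issue_id_token(sub: str, aud: str, nonce: str, kid: str = ACTIVE_KID,
                   now: Optional[int] = None) -> str:
    """Authorization server: mint an ID token carrying sub, the client's nonce and a fresh jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + 300,
               "nonce": nonce, "jti": secrets.token_urlsafe(16)}
    return sign_jwt(header, payload, SIGNING_KEYS[kid])


class IdTokenVerifier:
    """Relying party: verify the signature by kid, then claims, nonce and single-use jti."""

    def __init__(self, audience: str):
        self.audience = audience
        self.seen_jti: set = set()   # replay cache; in practice persisted and pruned at exp

    def verify(self, token: str, expected_nonce: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h_b64, p_b64, s_b64 = parts
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")        # the verifier, not the token, fixes alg
        key = SIGNING_KEYS.get(header.get("kid"))
        if key is None:
            raise ValueError("unknown kid")           # retired or foreign key
        expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p_b64))
        if claims.get("iss") != ISSUER or claims.get("aud") != self.audience:
            raise ValueError("wrong issuer or audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
            raise ValueError("nonce mismatch")        # token was not minted for this login attempt
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed token")
        self.seen_jti.add(jti)
        return claims


def demo() -> dict:
    """Happy path, pre-rotation key, and three rejections; returns the outcome of each."""
    rp = IdTokenVerifier(audience="client-123")
    nonce = secrets.token_urlsafe(16)
    token = issue_id_token("user-42", "client-123", nonce)
    out = {"sub": rp.verify(token, nonce)["sub"]}
    old = issue_id_token("user-42", "client-123", "n2", kid="2024-01")   # signed before rotation
    out["old_key"] = rp.verify(old, "n2")["sub"]
    rogue = sign_jwt({"alg": "HS256", "kid": "2023-06"},
                     {"iss": ISSUER, "sub": "user-42", "aud": "client-123",
                      "exp": int(time.time()) + 300, "nonce": "n3", "jti": "x"},
                     b"key-the-verifier-never-had")
    cases = (("replay", token, nonce),
             ("wrong_nonce", issue_id_token("user-42", "client-123", "n4"), "n-other"),
             ("unknown_kid", rogue, "n3"))
    for label, tok, n in cases:
        try:
            rp.verify(tok, n)
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out
```

The verifier fixes the algorithm and looks the key up by kid rather than trusting anything in the token header beyond the key name; a token signed under the previous key still verifies while that key stays in the trusted set, which is what lets rotation happen without invalidating sessions mid-flight.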

1.0.1

06 Jan 20:09
ede89f6

Patch Update 1.0.1: Security Enhancement with Vapor

This patch update (1.0.1) for vapor-oauth adopts Vapor 4.90.0 to address a moderate-severity integer overflow in URI parsing, detailed in GHSA-r6r4-5pr8-gjcp. The vulnerability, present in Vapor versions <= 4.89.3, could allow host spoofing. Upgrading vapor-oauth to Vapor 4.90.0 mitigates this risk, reinforcing both the security and reliability of the library.

🔒 Security Patch

  • ede89f6 Updated vapor-oauth to incorporate Vapor 4.90.0, resolving URI parsing vulnerability and preventing host spoofing risks.

1.1.0 Beta 2

25 Dec 22:21
e2ed82a
Pre-release

OAuth Enhancements with PKCE Validation - Version 1.1.0

This beta tightens PKCE (Proof Key for Code Exchange) validation in the OAuth 2.0 authorization code flow, improving security and compliance with the OAuth 2.0 specifications.

🛠 Fixes and Enhancements

  • 7e548bb Improved PKCE validation logic to enforce strict validation of PKCE parameters.
  • 6d13272 Refined the CodeValidator to utilize the enhanced PKCEValidator, ensuring PKCE verification during the authorization process.

This release addresses a critical security concern raised by @mynona about PKCE validation in the OAuth 2.0 Authorization Code Flow. The improvements significantly reduce the risk of authorization code interception attacks, particularly for public clients.

1.1.0 Beta 1

23 Dec 21:47
b558124
Pre-release

OAuth Enhancements with PKCE and Vapor Dependency Update - Version 1.1.0

✨ New Features

  • Added PKCE (Proof Key for Code Exchange) parameters to various components including AuthorizationRequestObject, OAuthCode class, and AuthorizePostRequest, significantly enhancing OAuth security.
  • Integrated JWTKit for robust handling of JWT tokens, including the implementation of an IDToken protocol and custom IDToken struct.
  • Introduced new token generation and retrieval methods in the TokenManager protocol to support the enhanced OAuth flow.
  • Implemented OAuth 2.0 Discovery Document for better standard compliance and service discovery.

🔧 Updates and Refinements

  • Updated Vapor dependency to the latest version, ensuring compatibility with recent advances in the framework.
  • Updated CodeManager and EmptyCodeManager protocols to include PKCE parameters, aligning with the new security enhancements.
  • Employed SwiftCrypto for SHA-256 hashing and PKCE validation, leveraging Apple's native cryptographic library for improved security.
  • Refactored AuthorizationRequestObject initializer signature for better clarity and ease of use.
  • Updated the Swift container version to 5.9.2-jammy, aligning with the latest Swift tools and environments.

🧰 Conformance and Refactoring

  • Added Sendable conformance to several protocols like AuthorizeHandler, UserManager, TokenManager, CodeManager, ClientRetriever, and ResourceServerRetriever, preparing the codebase for Swift's Actor-Based Concurrency.
  • Refactored OAuthHelper for Actor-Based Concurrency, enhancing thread safety and performance.
  • Refactored StaticClientRetriever to use a private clients dictionary, improving data encapsulation and security.

🛠 Fixes and Enhancements

  • Ensured proper handling of PKCE Code Challenge in the authorization flow, adding an extra layer of security to the OAuth process.
  • Added extensive tests for code challenge and code challenge method, ensuring robustness and reliability of the new features.

🚀 Major Dependency Updates

  • Transitioned to Swift-tools-version 5.9, staying up to date with the latest Swift developments and tooling.
  • Enhancement of OAuth security with the integration of JWTKit and PKCE Code Challenge Handling.
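
The PKCE handling introduced here and the stricter validation in Beta 2 both come down to one check at the token endpoint. The following is an added example, not the library's own PKCEValidator or CodeValidator: when a code is redeemed, the code_challenge and code_challenge_method stored with it at authorization time are compared against the code_verifier the client presents, per RFC 7636. It enforces the verifier's length and character set, refuses the plain method unless explicitly allowed, compares in constant time, and reports a reason the caller can map to an invalid_grant response. The RFC 7636 Appendix B vector is used as a fixed check; all other values are constructed.

```python
"""Added example, not vapor-oauth code: RFC 7636 PKCE validation as performed by
an authorization server when a code is redeemed at the token endpoint."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_verifier() -> str:
    """Client side: 32 random bytes give a 43-character base64url verifier."""
    return b64url_nopad(secrets.token_bytes(32))


def make_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent with the authorization request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


class PKCEValidator:
    """Server side. allow_plain=False rejects the 'plain' method outright."""

    def __init__(self, allow_plain: bool = False):
        self.allow_plain = allow_plain

    def validate(self, stored_challenge: Optional[str], stored_method: Optional[str],
                 code_verifier: Optional[str]) -> str:
        """Return "ok" or a reason; the caller maps any reason to invalid_grant."""
        if stored_challenge is None:
            # Code issued without PKCE: a verifier now does not match anything recorded.
            return "ok" if code_verifier is None else "verifier_without_challenge"
        if code_verifier is None:
            return "missing_verifier"             # PKCE was started, so it must be finished
        if not VERIFIER_RE.match(code_verifier):
            return "malformed_verifier"
        method = stored_method or "plain"         # RFC 7636 default when the method was omitted
        if method == "plain" and not self.allow_plain:
            return "plain_not_allowed"
        try:
            derived = make_challenge(code_verifier, method)
        except ValueError:
            return "unsupported_method"
        if not hmac.compare_digest(derived.encode(), stored_challenge.encode()):
            return "challenge_mismatch"
        return "ok"


def demo() -> dict:
    """Exercise the accept path and each rejection; return the reason for each case."""
    v = PKCEValidator()
    verifier = make_verifier()
    challenge = make_challenge(verifier)
    return {
        "good": v.validate(challenge, "S256", verifier),
        "wrong_verifier": v.validate(challenge, "S256", make_verifier()),
        "short_verifier": v.validate(challenge, "S256", "tooshort"),
        "no_verifier": v.validate(challenge, "S256", None),
        "unsupported_method": v.validate(challenge, "S512", verifier),
        "plain_rejected": v.validate(verifier, "plain", verifier),
        "plain_allowed": PKCEValidator(allow_plain=True).validate(verifier, "plain", verifier),
        # Fixed vector from RFC 7636 Appendix B.
        "rfc_vector": v.validate("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", "S256",
                                 "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"),
    }
```

The case worth noticing is the first branch: a code issued without a challenge cannot be "upgraded" by a verifier at redemption time, and a code issued with a challenge cannot be redeemed without one. Skipping either side of that pairing is what turns a stolen authorization code into a usable token for a public client.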

1.0.0

23 Dec 21:32
5a45fde

OAuth Device Code Flow Improvements and Vapor 4 Migration

✨ Enhancements

  • a8d4e9f Implemented and integrated the device code grant type in OAuth flow.
  • e96d61c Added scope validation to DeviceCodeTokenHandler.
  • 7466495 Integrated DeviceCodeTokenHandler into TokenHandler to support device code grant type.
  • fa30cca Extended CodeManager protocol to include methods for handling device codes.

🔨 Refinements

  • 7b0a3b8 Refactored TokenManager protocol by removing device code-related methods.
  • 564f76e Refactored TokenHandler based on DeviceCodeTokenHandler.
  • f2e7272 Updated OAuthResponseParameters.ErrorType with expiredToken.
  • 9f40c9c Updated EmptyCodeManager to conform to the updated CodeManager protocol.

🛠 Fixes

  • b9c3e1a Added expiration check for device code in DeviceCodeTokenHandler.
  • f74ba60 Handled expired device code in DeviceCodeTokenHandler.
  • Fixed all test cases related to device code token handling.

🚀 Major Updates

  • Migrated to Vapor 4.