• Passport now offers support for the cookie attribute SameSite for the Oidc Strategy. Without this cookie attribute set, coookies will not be forwarded back to the server to verify the state and nonce of an id token in Chrome 80+. To read more about the Same Site changes chrome is making, please see https://www.chromium.org/updates/same-site.

To get the benefit of this, you will need to explicitly opt into the cookieSameSite option. This is opt in because it requires that you validate your webserver accepts the cookie option we set. For instance Express 3 will not accept the Same Site cookie attribute and will require that you upgrade to Express 4.

• Passport-azure-ad will only support node.js version 6 and above from this release.

• #383 Update base64url to fix vulnerability

• Added option 'loggingNoPII' to OIDCStrategy and BearerStrategy per Microsoft policy.

If this is set to true, then Passport-azure-ad won't log anything related to personal identification information, such as id_token, claims, etc. The default value is true. If you want the full log as before, you have to explicitly set 'loggingNoPII' to false in the constructor of OIDCStrategy and BearerStrategy.

• #365 Metadata caching in Bearer Strategy breaks and cannot be recovered if request fails

• #365 Metadata caching in Bearer Strategy breaks and cannot be recovered if request fails

• #354 Support passing tenant name or id in BearerStrategy

• #338 Allow query parameters in the identityMetadata config key

• #346 Fix: Cannot set cookie on the response

• #333 jwt should not check sub for access token

• #338 Allow query parameters in the identityMetadata config key

• #328 OIDC session key fails to serialize for certain session middleware options

• Support advanced policy name with prefix b2c_1a_

• #301 Error: a key with kid %s cannot be found

• #309 "State" gets encoded and causes invalid state error

• #317 Undefined "token_type"

• #296 scope validation for BearerStrategy

• #301 Error: a key with kid %s cannot be found

• #285 express-session free support

  We used to save state etc in express session, so you cannot be session free even if { session : fase } option is used in passport.authenticate. Now we provide an option to save state etc in cookie via encryption and decryption, so OIDCStrategy no longer relies on express session.

  More details can be found in README.md, section 5.1.4.

• added support of id_token in JWE compact serialization format.

  Supported key encryption algorithms (alg) are: RSA1_5, RSA-OAEP, A128KW, A256KW, dir

  supported content encryption algorithms (enc) are: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, and A256GCM.

• added support for prompt, login_hint and domain_hint parameters

• added tfp claim support for B2C

• token validation clock skew is now configurable using clockSkew option

• added thumbprint and privatePEMKey options for client assertion support.

• token validation clock skew is now configurable using clockSkew option

• added end to end automated tests for OIDCStrategy and BearerStrategy

• #231 Support client_asserton for OIDC auth flow

• #245 Make clock skew configurable

• #251 Multiple Audiences with Bearer Strategy

• #254 passReqToCallback does not work with bearer strategy

• #256 Support 'tfp' for B2C

• #261 prompt,domain_hint and login_hint are missing in the query params sent to endpoint

• #264 OIDC authentication fails when oauth token_type is 'bearer' and not 'Bearer'

• #248 End_to_end_test showing up in test folder

• removed dependency on oniyi-object-transform

• allow 5 minutes clock skew for token validation

• specify tenant per request

  Now you can specify the tenant per request, using the tenantIdOrName option in passport.authenticate. More details on the usage can be found in README.md. tenantIdOrName enables two features:

  • B2C common endpoint support

    Now you can use the B2C common endpoint by specifying the tenant for each login request using the tenantIdOrName option. A login request is any request that doesn't contain code or id_token.

  • extensive issuer validation on common endpoint

    Previously, you had to provide an issuer value in configuration to validat the issuer on the common endpoint. Alternatively, you can now specify the tenant for each login request.

• #239 Problems with signin in the updated sample

• #233 Provide documentation with more details

• #229 use tenant id dynamically for each request

• #123 Question: what is the difference between OIDCStrategy and BearerStrategy. Which one should I use?

• We no longer support SAML and WSFED starting from version 3.0.0, please use release 2.0.3 instead.

• skipUserProfile option: this option is no longer provided. We will load 'userinfo' if we can get an access_token for 'userinfo'. More specifically, if you are using AAD v1 with 'code', 'code id_token' or 'id_token code' flow, and the resource is not specified. For all other scenarios, we do an 'id_token' fallback.

• returnURL/callbackURL option: this option is renamed to redirectUrl. redirectUrl can only be a https url now unless you set the allowHttpForRedirectUrl option to true.

• removed email claim.

• added oid, upn and emails claim. emails claim is always an array. You might get upn claim from non B2C tenants, and you might get emails claim from B2C tenants.

• identityMetadata option: common endpoint is no longer allowed for B2C. Tenant-specific endpoint should be used, for instance: https://login.microsoftonline.com/your_B2C_tenant_name.onmicrosoft.com/v2.0/.well-known/openid-configuration or https://login.microsoftonline.com/your_B2C_tenant_guid/v2.0/.well-known/openid-configuration.

• isB2C option: this is a new option. If you are using a B2C tenant, set this option to true.

• tenantName: this option is no longer used.

• multiple nonce and state support in OIDCStrategy. Provided nonceLifetime option to configure the lifetime of nonce saved in session.

• enabled issuer validation against common endpoint. To validate issuer on common endpoint, user must specify the allowed issuer(s) in issuer option, and set validateIssuer option to true.

• user-provided state support. The usage is as follows:

  passport.authenticate('azuread-openidconnect', { customState : 'the_state_you_want_to_use' });

• We no longer accept access_token sent by request query. access_token should either be put in the request header or request body.

• We no longer support the certificate option. Now we always fetch the keys from the metadata url and generate the pem key.

• identityMetadata: common endpoint is no longer allowed for B2C. Tenant-specific endpoint should be used, for instance: https://login.microsoftonline.com/your_B2C_tenant_name.onmicrosoft.com/v2.0/.well-known/openid-configuration or https://login.microsoftonline.com/your_B2C_tenant_guid/v2.0/.well-known/openid-configuration.

• isB2C option: this is a new option. If you are using a B2C tenant, set this option to true.

• tenantName: this option is no longer used.

• enabled issuer validation against common endpoint. To validate issuer on common endpoint, user must specify the allowed issuer or array of issuers in issuer option, and set validateIssuer option to true.

• #218 Missing email claim for B2C

• #195 Remove default query support for access_token in bearerStrategy

• #194 Error message for 'sub' mismatch is incorrect after redeeming 'code'

• #189 Extensibility to allow issuer validation when going against common endpoint

• #188 Mocha tests for B2C to prevent regressions

• #187 p parameter is not being passed in each flow through the passport.js library

• #171 multiple nonce and state handling

• #165 validationConfiguration.callbackUrl should be named redirectUrl

• #164 By default redirect URL should be https

• Updated telemetry version.

• Increased the size of nonce and state in OIDCStrategy.

• Version 2.0.1 fixes a known security vulnerability affecting versions <1.4.6 and 2.0.0. All users should upgrade to 2.0.1 or greater immediately. For more details, see the Security-Notice for more details.

• Metadata is loaded only once in 2.0.0, which happens at the creation time of the strategy. In 2.0.1 we load metadata for each request that requires authentication. We keep the metadata in memory cache for 30 minutes. Whenever we need to load the metadata, we check the memory cache first. If we don't find it we then load the metadata from AAD and save it in memory cache. This way BearerStrategy can automatically handle the key rolling of Azure Active Directory.
• The default value of validateIssuer is true.

• For OIDCStrategy, we now support 'code id_token' as the response_type, in addition to 'code', 'id_token code' and 'id_token'.
• The default value of validateIssuer is true.

• For non-server-related errors, in 2.0.1 we call Strategy.fail function instead of throwing an error, so the user can do the failure redirection.
• Added chai-passport-strategy testing tool and more unit tests.
• Fixed some bugs in examples.
• Added telemetry parameters in both OIDCStrategy and BearerStrategy when sending requests to Azure Active Directory.

1. This patch updates the library that your application runs, but does not change the current state of your users, including any sessions they had open. This applies to malicious users who could have exploited this vulnerability to gain access to your system. If your application has users with existing sessions open, after applying the patch, ensure all these sessions are terminated and users are required to sign in again.

2. In previous versions of the Passport-Azure-AD for NodeJS library, the issuer wasn't validated, even if you had set validateIssuer to true in your configuration. This is fixed in versions 1.4.6 and 2.0.1. However, this may mean you get 401s if you are using the common endpoint in the identityMetadata config setting and have validateIssuer to true. If you are using the common endpoint (which looks like "https://login.microsoftonline.com/common/.well-known/openid-configuration"), issuers cannot be validated. You can fix this in two ways:

• If you are a single-tenant app, you can replace 'common' with your tenantId in the endpoint address. The issuer will be validated. IdentityMetadata set to support a single tenant should look like "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011dddd/.well-known/openid-configuration" with your tenant GUID replaced in the path or "https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/.well-known/openid-configuration" with your tenant name replaced in the path.

• If you are a multi-tenant app and need to go against the common endpoint, you must set validateIssuer to false. Be aware that the issuer field of the token will not be validated and all issuers will be accepted.

• #71 Cryptic error message when the client ID is null/undefined
• #90 Cannot read property 'keys' of undefined
• #117 TypeError: Invalid hex string in aadutils.js
• #112 done is not a function. bearerstrategy.js:149
• #121 Error with regex into pem.js

• Updated telemetry version.

• Increased the size of nonce and state in OIDCStrategy.

• Version 1.4.6 fixes a known security vulnerability affecting versions <1.4.6. All users should upgrade to 1.4.6 or greater immediately. For more details, see the Security-Notice.

• The default value of validateIssuer is true.

• For OIDCStrategy, we now support 'code id_token' as the response_type, in addition to 'code', 'id_token code' and 'id_token'.
• The default value of validateIssuer is true.
• Validating options at the time of creating strategy, instead of when authenticate method is called.

• For non-server-related errors, in 1.4.6 we call Strategy.fail function instead of throwing error, so user can do the failure redirection.
• Added chai-passport-strategy testing tool and more unit tests.
• Added telemetry in both OIDC and Bearer strategy when sending requests to AAD.
• Fixed some bugs in examples.

1. This patch updates the library that your application runs, but does not change the current state of your users, including any sessions they had open. This applies to malicious users who could have exploited this vulnerability to gain access to your system. If your application has users with existing sessions open, after applying the patch, ensure all these sessions are terminated and users are required to sign in again.

2. In previous versions of the Passport-Azure-AD for NodeJS library, the issuer wasn't validated, even if you had set validateIssuer to true in your configuration. This is fixed in versions 1.4.6 and 2.0.1. However, this may mean you get 401s if you are using the common endpoint in the identityMetadata config setting and have validateIssuer to true. If you are using the common endpoint (which looks like "https://login.microsoftonline.com/common/.well-known/openid-configuration"), issuers cannot be validated. You can fix this in two ways:

• If you are a single-tenant app, you can replace 'common' with your tenantId in the endpoint address. The issuer will be validated. IdentityMetadata set to support a single tenant should look like "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011dddd/.well-known/openid-configuration" with your tenant GUID replaced in the path or "https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/.well-known/openid-configuration" with your tenant name replaced in the path.

• If you are a multi-tenant app and need to go against the common endpoint, you must set validateIssuer to false. Be aware that the issuer field of the token will not be validated and all issuers will be accepted.