This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

Releases: AzureAD/passport-azure-ad

Release 3.0.12

27 Feb 23:47
1a99c94

Breaking change

  • Added option 'loggingNoPII' to OIDCStrategy and BearerStrategy per Microsoft policy.

If this is set to true, passport-azure-ad won't log anything related to personal identification information, such as id_token, claims, etc. The default value is true. If you want the full log as before, you have to explicitly set 'loggingNoPII' to false in the constructor of OIDCStrategy and BearerStrategy.

Release 3.0.11

15 Feb 21:06
fb254bf

OIDCStrategy

Bug fixes

  • #365 Metadata caching in Bearer Strategy breaks and cannot be recovered if request fails

BearerStrategy

Bug fixes

  • #365 Metadata caching in Bearer Strategy breaks and cannot be recovered if request fails

Release 3.0.10

30 Jan 01:05
7f0197c

BearerStrategy

New features

  • #354 Support passing tenant name or id in BearerStrategy

Release 3.0.9

27 Dec 22:17
dec301d

OIDCStrategy

Bug fixes

  • #338 Allow query parameters in the identityMetadata config key

  • #346 Fix: Cannot set cookie on the response

BearerStrategy

Bug fixes

  • #333 jwt should not check sub for access token

  • #338 Allow query parameters in the identityMetadata config key

Release 3.0.8

13 Jul 18:15

OIDCStrategy

Bug fixes

  • #328 OIDC session key fails to serialize for certain session middleware options

  • Support advanced policy name with prefix b2c_1a_

Release 3.0.7

16 Jun 20:36

OIDCStrategy

Bug fixes

  • #301 Error: a key with kid %s cannot be found

  • #309 "State" gets encoded and causes invalid state error

  • #317 Undefined "token_type"

BearerStrategy

New features

  • #296 scope validation for BearerStrategy

Bug fixes

  • #301 Error: a key with kid %s cannot be found

Release 3.0.6

07 Apr 21:43

OIDCStrategy

New features

  • #285 express-session free support

    We used to save state etc. in the express session, so you could not be session-free even if the
    { session: false } option was used in passport.authenticate. Now we provide an option to save state
    etc. in a cookie via encryption and decryption, so OIDCStrategy no longer relies on express session.

    More details can be found in README.md, section 5.1.4.

Release 3.0.5

28 Feb 21:51

OIDCStrategy

New features

  • Added support for id_token in JWE compact serialization format.

    Supported key encryption algorithms (alg) are:
    RSA1_5, RSA-OAEP, A128KW, A256KW, and dir.

    Supported content encryption algorithms (enc) are:
    A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, and A256GCM.
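
As an added example (not code from passport-azure-ad), the following pre-check inspects the protected header of a compact JWE id_token against the alg and enc lists above before the token reaches a decryption routine. `inspectCompactJwe`, `b64url` and `hdr` are hypothetical helpers, the sample tokens are constructed and not decryptable, and the empty-key rule for `dir` is taken from RFC 7516 rather than from this release note.

```javascript
// Added example, not passport-azure-ad code. Allow-lists copied from the 3.0.5 note.
const SUPPORTED_ALG = new Set(['RSA1_5', 'RSA-OAEP', 'A128KW', 'A256KW', 'dir']);
const SUPPORTED_ENC = new Set([
  'A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A256GCM',
]);
const B64URL = /^[A-Za-z0-9_-]*$/;

// Hypothetical helper: unpadded base64url encoding, used to build the samples.
function b64url(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Hypothetical helper: returns { ok: true, alg, enc } or { ok: false, reason }.
function inspectCompactJwe(token) {
  const fail = (reason) => ({ ok: false, reason });
  if (typeof token !== 'string') return fail('token is not a string');
  // RFC 7516 compact form: header.encryptedKey.iv.ciphertext.tag
  const parts = token.split('.');
  if (parts.length !== 5) return fail('expected 5 segments, got ' + parts.length);
  if (!parts.every((p) => B64URL.test(p))) return fail('non-base64url characters');
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
  } catch (err) {
    return fail('protected header is not valid JSON');
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    return fail('protected header is not a JSON object');
  }
  if (!SUPPORTED_ALG.has(header.alg)) return fail('unsupported alg: ' + header.alg);
  if (!SUPPORTED_ENC.has(header.enc)) return fail('unsupported enc: ' + header.enc);
  // "dir" uses the shared key directly, so the encrypted-key segment must be empty;
  // every other listed alg wraps or encrypts a key and needs a non-empty segment.
  if ((header.alg === 'dir') !== (parts[1] === '')) {
    return fail('encrypted-key segment does not match alg ' + header.alg);
  }
  return { ok: true, alg: header.alg, enc: header.enc };
}

// Constructed samples: only the header is meaningful, "AAAA" is filler.
const hdr = (alg, enc) => b64url(JSON.stringify({ alg, enc }));
const samples = [
  hdr('RSA-OAEP', 'A256GCM') + '.AAAA.AAAA.AAAA.AAAA',     // accepted
  hdr('dir', 'A128CBC-HS256') + '..AAAA.AAAA.AAAA',        // accepted, empty key
  hdr('RSA-OAEP-256', 'A256GCM') + '.AAAA.AAAA.AAAA.AAAA', // alg not listed
  'AAAA.AAAA.AAAA',                                        // three segments (JWS shape)
];
for (const s of samples) console.log(JSON.stringify(inspectCompactJwe(s)));
```

The check rejects on structure and header alone, so it says nothing about whether a token that passes will decrypt or validate.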

Version 3.0.4

09 Jan 20:13

OIDCStrategy

New features

  • added support for prompt, login_hint and domain_hint parameters
  • added tfp claim support for B2C
  • token validation clock skew is now configurable using clockSkew option
  • added thumbprint and privatePEMKey options for client assertion support.

BearerStrategy

  • token validation clock skew is now configurable using clockSkew option

Tests

  • added end to end automated tests for OIDCStrategy and BearerStrategy

Bug fixes

  • #231 Support client_assertion for OIDC auth flow
  • #245 Make clock skew configurable
  • #251 Multiple Audiences with Bearer Strategy
  • #254 passReqToCallback does not work with bearer strategy
  • #256 Support 'tfp' for B2C
  • #261 prompt, domain_hint and login_hint are missing in the query params sent to endpoint
  • #264 OIDC authentication fails when oauth token_type is 'bearer' and not 'Bearer'

Version 3.0.3

15 Nov 00:49

Bug fixes

  • #248 End_to_end_test showing up in test folder