-
Notifications
You must be signed in to change notification settings - Fork 157
migration: openid-client and jose migration #785
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 12 commits
6302c75
fd04c9e
27963f2
4e95839
9c63bd8
3d99deb
56b8799
796d59f
51ad64c
f1db455
119567f
22a7bcb
bfe775e
a4f79e0
0318dea
c6711e1
621dcc9
40cae2f
331a8e3
dea71ff
6c7a7a5
20a2a01
5221f75
6d16d7a
628954a
be90b7d
0236ae7
63855bc
12b3350
6159f01
f1cf167
4205d24
a354554
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,190 @@ | ||
| # V3 Migration Guide | ||
|
|
||
| `v3.x` upgrades the underlying OpenID Connect and JWT dependencies (`openid-client` v4 → v6, `jose` v2 → v6) to their latest major versions, bringing improved security, performance, and standards compliance. | ||
|
|
||
| **Important:** While this is a major version bump for the library, **there are ZERO breaking changes to the public API**. Your application code does not need to change. | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we soften this claim or update it after the remaining compatibility questions are resolved ? Right now we may still have user-visible behavior changes, like If those changes are intentional, they should be listed in this migration guide. If they are not intentional, we should fix them before saying there are zero public API breaking changes.
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Updated the migration guide with all the breaking changes, providing a summary at the start and then describing each breaking change in detail in their own section. |
||
|
|
||
| --- | ||
|
|
||
| **Public API:** No breaking changes - all configuration, middleware, and context APIs work exactly the same | ||
| **Node.js Version:** Now requires `^20.19.0 || ^22.12.0 || >= 23.0.0` (previously Node.js 14+) | ||
| **Module Support:** Works with BOTH CommonJS and ESM apps | ||
|
|
||
| --- | ||
|
|
||
| ## Breaking Changes | ||
|
|
||
| ### Node.js Version Requirement | ||
|
|
||
| **The only breaking change is the specific Node.js version requirement.** | ||
|
|
||
| | Version | Minimum Node.js | Status | | ||
| | ------- | --------------------------------------- | ------- | | ||
| | v2.x | Node.js 14+ | Old | | ||
| | v3.x | `^20.19.0 \|\| ^22.12.0 \|\| >= 23.0.0` | **New** | | ||
|
|
||
| #### Why These Specific Versions? | ||
|
|
||
| The updated dependencies (`openid-client` v6 and `jose` v6) are **ESM-only packages**. | ||
|
|
||
| Node.js added `require(ESM)` support in: | ||
|
|
||
| - **v20.19.0** (backported to v20.x LTS) | ||
| - **v22.12.0** (backported to v22.x LTS) | ||
| - **v23.0.0+** (included by default) | ||
|
|
||
| There is **no workaround** - you must upgrade to a supported Node.js version. | ||
|
|
||
| #### Module System Support | ||
|
|
||
| **Works with BOTH CommonJS and ESM apps** - same Node.js requirements for both: | ||
|
|
||
| ```javascript | ||
| // CommonJS - Works on supported Node.js versions | ||
| const { auth } = require('express-openid-connect'); | ||
|
|
||
| // ESM - Works on supported Node.js versions | ||
| import { auth } from 'express-openid-connect'; | ||
| ``` | ||
|
|
||
| **Note:** ESM apps need `"type": "module"` in `package.json` but have identical Node.js version requirements as CommonJS apps. | ||
|
|
||
| ### Configuration | ||
|
|
||
| All configuration options work exactly as before. No changes needed. | ||
|
|
||
| ```js | ||
| const { auth } = require('express-openid-connect'); | ||
|
|
||
| // This configuration works EXACTLY the same in v3.x | ||
| app.use( | ||
| auth({ | ||
| authRequired: false, | ||
| auth0Logout: true, | ||
| baseURL: 'https://example.com', | ||
| clientID: 'YOUR_CLIENT_ID', | ||
| issuerBaseURL: 'https://YOUR_DOMAIN', | ||
| secret: 'LONG_RANDOM_STRING', | ||
|
|
||
| // All these options still work | ||
| idpLogout: true, | ||
| idTokenSigningAlg: 'RS256', | ||
| clientAuthMethod: 'client_secret_post', | ||
| pushedAuthorizationRequests: true, | ||
| // ... etc | ||
| }), | ||
| ); | ||
| ``` | ||
|
|
||
| ### Middleware | ||
|
|
||
| All middleware functions work identically. | ||
|
|
||
| ```js | ||
| const { auth, requiresAuth } = require('express-openid-connect'); | ||
|
|
||
| // All these work EXACTLY the same | ||
| app.use(auth(config)); | ||
| app.get('/admin', requiresAuth(), (req, res) => { | ||
| res.send('Admin page'); | ||
| }); | ||
| ``` | ||
|
|
||
| ### Request Context (req.oidc) | ||
|
|
||
| The entire `req.oidc` API remains unchanged. | ||
|
|
||
| ```js | ||
| // Before (v2.x) | ||
| app.get('/profile', async (req, res) => { | ||
| const user = req.oidc.user; | ||
| const claims = req.oidc.idTokenClaims; | ||
| const isAuthenticated = req.oidc.isAuthenticated(); | ||
| const idToken = req.oidc.idToken; | ||
| const accessToken = req.oidc.accessToken; | ||
| const refreshToken = req.oidc.refreshToken; | ||
| const userInfo = await req.oidc.fetchUserInfo(); | ||
|
|
||
| res.oidc.login({}); | ||
| res.oidc.logout({}); | ||
| }); | ||
|
|
||
| // After (v3.x) - SAME | ||
| app.get('/profile', async (req, res) => { | ||
| const user = req.oidc.user; | ||
| const claims = req.oidc.idTokenClaims; | ||
| const isAuthenticated = req.oidc.isAuthenticated(); | ||
| const idToken = req.oidc.idToken; | ||
| const accessToken = req.oidc.accessToken; | ||
| const refreshToken = req.oidc.refreshToken; | ||
| const userInfo = await req.oidc.fetchUserInfo(); | ||
|
|
||
| res.oidc.login({}); | ||
| res.oidc.logout({}); | ||
| }); | ||
| ``` | ||
|
|
||
| ### Routes | ||
|
|
||
| Custom route configuration remains unchanged. | ||
|
|
||
| ```js | ||
| // This works the same in v3.x | ||
| app.use( | ||
| auth({ | ||
| routes: { | ||
| login: '/custom/login', | ||
| logout: '/custom/logout', | ||
| callback: '/custom/callback', | ||
| postLogoutRedirect: '/custom/post-logout', | ||
| }, | ||
| }), | ||
| ); | ||
| ``` | ||
|
|
||
| ### Session Handling | ||
|
|
||
| Session configuration, custom stores, and lifecycle hooks all work the same. | ||
|
|
||
| ```js | ||
| // Session configuration - UNCHANGED | ||
| app.use( | ||
| auth({ | ||
| session: { | ||
| rolling: true, | ||
| rollingDuration: 86400, | ||
| absoluteDuration: 86400 * 7, | ||
| store: customStore, // Custom session stores still work | ||
| }, | ||
| }), | ||
| ); | ||
| ``` | ||
|
|
||
| ### Authentication Methods | ||
|
|
||
| All client authentication methods continue to work: | ||
|
|
||
| ```js | ||
| // All these still work in v3.x | ||
| const config = { | ||
| clientAuthMethod: 'client_secret_basic', | ||
| clientAuthMethod: 'client_secret_post', | ||
| clientAuthMethod: 'client_secret_jwt', | ||
| clientAuthMethod: 'private_key_jwt', | ||
| clientAuthMethod: 'none', | ||
| }; | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ```bash | ||
| node --version | ||
| ``` | ||
|
|
||
| **Required:** `v20.19.0+`, `v22.12.0+`, or `v23.0.0+` | ||
|
|
||
| If your version is older: | ||
|
|
||
| - **v20.0.0 - v20.18.0** → Upgrade to v20.19.0+ | ||
| - **v22.0.0 - v22.11.0** → Upgrade to v22.12.0+ | ||
| - **v18.x or earlier** → Upgrade to v22.12.0+ (recommended LTS) | ||
Uh oh!
There was an error while loading. Please reload this page.