v9.5.2

Refactor

• change new Debug() to debug() (#1363) (b86b47c)

v9.5.1

Fixes

• safeguard global navigator access (1caae21)

v9.5.0

Features

• support ML-DSA JWS algorithm identifiers (f308b09)

Refactor

• add a warning for more unsupported runtimes (c55d58e)
• make warn/info warnings colorization a no-op in nonTTY (0c0a5b6)

v9.4.2

Fixes

• check for native logout redirect allowed same way as during auth (419f286), closes #1351

v9.4.1

Documentation

• add an getAttestationSignaturePublicKey example (3a7730c)

Refactor

• avoid code generation from strings by pre-compiling eta views (f997073)
• drop the default implementation of pairwiseIdentifier (6a2338a)
• remove oidc-token-hash dependency (b607491)

v9.4.0

Features

• Experimental support for Attestation-Based Client Authentication (d655ebd)

Refactor

• consistently lowercase header names and use req/res aliases (1748a54)
• cors: update default client-based cors helper (77e06eb)
• reconcile dpop and attestation challenge implementations (e31f639)

Documentation

• updated documentation for configuration options (5710d61)

v9.3.0

Features

• revocation: add an allowed token revocation policy helper (a7e47e4)

Documentation

• update README.md (857c34d)

Fixes

• introspection: use unsupported_token_type to indicate structured jwt tokens cannot be introspected (c9001be)
• revocation: use unsupported_token_type to indicate structured jwt tokens cannot be revoked (b45b00c)

Refactor

• pull structured token rejection to a shared middleware (30367af)

v9.2.0

Features

• expose RFC8414 Authorization Server Metadata route (c5bd90f)

v9.1.3

Fixes

• ensure an account's accountId and claims().sub is the same (9b89153), closes #1336

v9.1.2

Fixes

• ignore allowOmittingSingleRegisteredRedirectUri when FAPI 2.0 is used (e2de529)