v6.8.3

Documentation

• note a workaround for redirect_uri with query string or bare origin (e9689de), closes #868

Fixes

• passport: delete one-time state on callback (1e7dd2e)

v6.8.2

Fixes

• use duplex: half for fetchProtectedResource with ReadableStream body input (f6f84e2)

v6.8.1

Refactor

• workaround dpop nonce caching caveats with customFetch (a9eb50f)

v6.8.0

Features

• respect retry-after in CIBA and Device Authorization Grant polling (6ce3411)

Documentation

• remove mention of Edge Runtime from the readme (2e41ad5)

v6.7.1

Fixes

• passport: include req.host from express@5 for ease of use in express@4 (81f6c12)

v6.7.0

Features

• support for the ML-DSA Algorithm Identifiers (9543da5)

v6.6.4

Fixes

• recognize N_A in the token exchange grant (770b177)

v6.6.3

Documentation

• fix TokenEndpointResponseHelpers.claims() note (b77c786)

Refactor

• passport: allow custom logic to drive initiating auth requests (0b57115), closes #811

v6.6.2

Fixes

• RFC8414: strip any terminating "/" when pathname is present (e884302)

v6.6.1

Revert

• revert to use 302 instead of 303 for the redirect (54f2170)