v6.8.1

Refactor

• workaround dpop nonce caching caveats with customFetch (a9eb50f)

v6.8.0

Features

• respect retry-after in CIBA and Device Authorization Grant polling (6ce3411)

Documentation

• remove mention of Edge Runtime from the readme (2e41ad5)

v6.7.1

Fixes

• passport: include req.host from express@5 for ease of use in express@4 (81f6c12)

v6.7.0

Features

• support for the ML-DSA Algorithm Identifiers (9543da5)

v6.6.4

Fixes

• recognize N_A in the token exchange grant (770b177)

v6.6.3

Documentation

• fix TokenEndpointResponseHelpers.claims() note (b77c786)

Refactor

• passport: allow custom logic to drive initiating auth requests (0b57115), closes #811

v6.6.2

Fixes

• RFC8414: strip any terminating "/" when pathname is present (e884302)

v6.6.1

Revert

• revert to use 302 instead of 303 for the redirect (54f2170)

v6.6.0

Features

• passport: automatically use form_post response mode when using hybrid response types (c9f2993)
• passport: easier way to use id_token_hint without overloads (afe24ae)
• passport: easier way to use login_hint without overloads (264db00)
• passport: easier way to use OAuth 2.0 Resource Indicators without overloads (7eb3076)
• passport: easier way to use OAuth 2.0 Rich Authorization Requests without overloads (af0f9d6)

Refactor

• passport: align use of callbackURL with other strategies and user expectations (333ad31)
• passport: use 303 See Other for the redirect (4004070)

Documentation

• passport: add clarity to oauth-specific AuthenticateOptions (dba27f3)
• passport: expand descriptions and structure (0a173ce)

v6.5.3

Fixes

• passport: handle JARM responses with authorizationCodeGrant instead of authorizationRequest (e734bec)