Update dependency @cloudflare/workers-oauth-provider to ^0.4.0#4
Open
renovate[bot] wants to merge 1 commit into main from
bf40251 to 65862db
This PR contains the following updates:

Package: @cloudflare/workers-oauth-provider
Change: ^0.0.5 → ^0.4.0

Release Notes
cloudflare/workers-oauth-provider (@cloudflare/workers-oauth-provider)
v0.4.0

Minor Changes

- 57cdbe9 Thanks @mattzcarey! - Path-aware resource URIs (RFC 9728):
  - Resources with path components (e.g. https://example.com/mcp) now correctly serve metadata at /.well-known/oauth-protected-resource/mcp and return the derived resource identifier in the resource field.
  - Include the request path in the resource_metadata URL within WWW-Authenticate headers (RFC 9728 §5.1). API endpoints with path components now advertise the correct path-suffixed metadata URL so clients can discover the resource-specific metadata.
  - resourceMatchOriginOnly option for seamless migration. When enabled, resource downscoping validation compares only the origin (scheme + host + port) instead of exact URI matching, allowing grants issued before v0.4.0 (with origin-only resources) to work with path-aware resource requests without invalidating existing refresh tokens.

v0.3.3
Patch Changes

- 38d1e6b Thanks @threepointone! - Reverting 0.3.2

v0.3.2
Patch Changes

- #173 1fe656e Thanks @mattzcarey! - Support path-suffixed well-known URLs for OAuth Protected Resource Metadata (RFC 9728 §3.1). Resources with path components (e.g. https://example.com/mcp) now correctly serve metadata at /.well-known/oauth-protected-resource/mcp and return the derived resource identifier in the resource field.
- #174 ac120ff Thanks @mattzcarey! - Include the request path in the resource_metadata URL within WWW-Authenticate headers (RFC 9728 §5.1). API endpoints with path components (e.g. /mcp) now advertise the correct path-suffixed metadata URL so clients can discover the resource-specific metadata.

v0.3.1
Patch Changes

- 46629cc Thanks @rlucioni! - Allow any port for localhost redirect URIs to support native apps that use localhost with ephemeral ports like Claude Code

v0.3.0
Minor Changes

- #158 b26f7ff Thanks @mattzcarey! - Add clientIdMetadataDocumentEnabled option to make CIMD (Client ID Metadata Document) support explicitly opt-in. Previously, CIMD auto-enabled when the global_fetch_strictly_public compatibility flag was present, which could cause crashes for servers where URL-shaped client_ids hit bot-protected endpoints. When not enabled (the default), URL-formatted client_ids now fall through to standard KV lookup instead of throwing.
- #144 49a1d24 Thanks @mattzcarey! - Add revokeExistingGrants option to completeAuthorization() that revokes existing grants for the same user+client after creating a new one. Defaults to true, fixing infinite re-auth loops when props change between authorizations (issue #34). Set to false to allow multiple concurrent grants per user+client.
  Revoke tokens and grant when an authorization code is reused, per RFC 6749 §10.5. This prevents authorization code replay attacks by invalidating all tokens issued from the first exchange.
  Breaking behavior change: Previously, re-authorizing the same user+client created an additional grant, leaving old tokens valid. Now, old grants are revoked by default. If your application relies on multiple concurrent grants per user+client, set revokeExistingGrants: false to preserve the old behavior.

Patch Changes
- #164 4b640a3 Thanks @pnguyen-atlassian! - Include client_secret_expires_at and client_secret_issued_at in dynamic client registration responses when a client_secret is issued, per RFC 7591 §3.2.1.
- #165 9cce070 Thanks @mattzcarey! - Use Promise.allSettled instead of Promise.all for best-effort grant revocation in completeAuthorization(), ensuring all grants are attempted even if one fails.

v0.2.4
Patch Changes

- #136 a8c5936 Thanks @mattzcarey! - Add /.well-known/oauth-protected-resource endpoint (RFC 9728) for OAuth 2.0 Protected Resource Metadata discovery, as required by the MCP authorization specification. The endpoint is always served with sensible defaults (request origin as resource and authorization server), and can be customized via the new resourceMetadata option.
- #151 dbb150e Thanks @mattzcarey! - Add allowPlainPKCE option to enforce S256-only PKCE as recommended by OAuth 2.1. When set to false, the plain PKCE method is rejected and only S256 is accepted. Defaults to true for backward compatibility.
- #140 65d5cfa Thanks @mattzcarey! - Fix apiHandler route matching when set to '/' to use exact match instead of prefix match, preventing it from matching all routes and breaking OAuth endpoints
- #150 734738c Thanks @mattzcarey! - Fix TypeScript types by making OAuthProviderOptions generic over Env, eliminating the need for @ts-expect-error workarounds when using typed environments
- #145 6ce5c10 Thanks @mattzcarey! - Add RFC 8252 Section 7.3 compliance: allow any port for loopback redirect URIs (127.x.x.x, ::1) to support native apps that use ephemeral ports
- #143 8909060 Thanks @mattzcarey! - Include resource_metadata URL in WWW-Authenticate headers on 401 responses per RFC 9728 §5.1, enabling clients to discover the protected resource metadata endpoint directly from authentication challenges.

v0.2.3
Patch Changes

- #117 b2c5877 Thanks @DeanMauro! - Add getOAuthApi helper function to access OAuthHelpers outside of the fetch method. This enables OAuth functionality in worker RPC methods and other entry points.
- #109 9f118f3 Thanks @bokhi! - fix: path-aware audience validation for RFC 8707 resource indicators. Include request pathname in resourceServer computation for both internal and external token validation. Replace strict equality in audienceMatches() with origin + path-prefix matching on path boundaries. Origin-only audiences (e.g. https://example.com) still match any path (backward compatible). Path-aware audiences (e.g. https://example.com/api) match the exact path and sub-paths (/api/users) but not partial matches (/api-v2).
- #120 155c410 Thanks @DeanMauro! - Add OAuth 2.0 Token Exchange (RFC 8693) support. Clients can exchange an existing access token for a new one with narrowed scopes, a different audience, or a shorter TTL — without requiring the user to re-authorize. Gated behind the allowTokenExchangeGrant option (default false). Also adds scope downscoping (RFC 6749 Section 3.3) to authorization code and refresh token flows.

v0.2.2
Patch Changes

- #129 1e14e05 Thanks @threepointone! - feat: add Client ID Metadata Document (CIMD) support (by @mattzcarey in #112)
  CIMD support allows clients to use HTTPS URLs as client_id values that point to metadata documents.
  When a client_id is an HTTPS URL with a non-root path, the provider fetches and validates the metadata document instead of looking up in KV storage. Added validation to ensure client_id in the document matches the URL and redirect_uris are present.
  Matches the new authorization spec for MCP: https://modelcontextprotocol.io/specification/draft/basic/authorization

v0.1.0
Minor Changes

- 818a557 Thanks @mattzcarey! - feat: add audience validation for OAuth tokens per RFC 7519

v0.0.13
Patch Changes

- #98 0982a1c Thanks @threepointone! - Enhance redirect URI scheme validation for security. Added a robust helper to validate redirect URI schemes, preventing dangerous pseudo-schemes (e.g., javascript:, data:, vbscript:) with normalization and case-insensitive checks. Expanded test coverage to include bypass attempts using mixed case, whitespace, control characters, and edge cases to ensure comprehensive protection against XSS and related attacks.
v0.0.12

Patch Changes

- 5a59d78 Thanks @roerohan! - fix: open redirect vulnerability in completeAuthorization

v0.0.11
Patch Changes

- 32560d1 Thanks @rc4! - Use rejection sampling to avoid bias in generateRandomString()

v0.0.10
Patch Changes

- #87 1804446 Thanks @threepointone! - explicitly block javascript: (and other suspicious protocols) in redirect uris. In #80, we blocked redirects that didn't start with http:// or https:// to prevent xss attacks with javascript: URIs. However this blocked redirects to custom apps like cursor:// et al. This patch now explicitly blocks javascript: (and other suspicious protocols) in redirect uris.
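The redirect URI checks described in the v0.0.13 (#98) and v0.0.10 (#87) entries, together with the loopback any-port rule from the v0.2.4 (#145) and v0.3.1 entries, as an added JavaScript example. This is not the library's code: the helper names (extractScheme, hasSafeScheme, isLoopbackHost, redirectUriMatches, validateRedirectUri), the three-entry scheme blocklist and the sample URIs are assumptions made for illustration.

```javascript
// Added example, not the library's code. Two checks from the release notes:
//  (1) reject dangerous pseudo-schemes after normalising case, leading
//      whitespace and control characters (v0.0.13 #98, v0.0.10 #87);
//  (2) match a requested redirect_uri against the registered ones, ignoring
//      the port only for loopback hosts per RFC 8252 §7.3 (v0.2.4 #145, v0.3.1).

// Illustrative blocklist (assumption): the entries name javascript:, data: and
// vbscript: as examples; anything outside RFC 3986 scheme syntax is refused too.
const DANGEROUS_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// Take the scheme the way a lenient URL parser would: drop leading ASCII
// control characters and spaces, cut at the first ":", strip embedded
// tab/CR/LF, lower-case.
function extractScheme(uri) {
  const cleaned = String(uri).replace(/^[\u0000-\u0020]+/, "");
  const idx = cleaned.indexOf(":");
  if (idx <= 0) return null;
  return cleaned.slice(0, idx).replace(/[\t\r\n]/g, "").toLowerCase();
}

function hasSafeScheme(uri) {
  const scheme = extractScheme(uri);
  if (scheme === null) return false;               // no scheme at all
  if (DANGEROUS_SCHEMES.has(scheme)) return false; // javascript:, data:, vbscript:
  // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). Anything
  // else (embedded spaces, NULs, ...) is refused rather than guessed at.
  return /^[a-z][a-z0-9+.-]*$/.test(scheme);
}

// Loopback hosts as WHATWG URL.hostname reports them ("[::1]" keeps its brackets).
function isLoopbackHost(hostname) {
  if (hostname === "localhost" || hostname === "[::1]") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

// Exact string match is required, except that loopback URIs may use any port:
// scheme, host, path and query must still be identical.
function redirectUriMatches(registered, requested) {
  if (registered === requested) return true;
  let a, b;
  try {
    a = new URL(registered);
    b = new URL(requested);
  } catch {
    return false;
  }
  if (a.protocol !== b.protocol || !isLoopbackHost(a.hostname)) return false;
  return a.hostname === b.hostname && a.pathname === b.pathname && a.search === b.search;
}

// Full check at the authorization endpoint: safe scheme AND registered.
function validateRedirectUri(registeredUris, requested) {
  if (!hasSafeScheme(requested)) return { ok: false, reason: "unsafe_scheme" };
  if (!registeredUris.some((r) => redirectUriMatches(r, requested))) {
    return { ok: false, reason: "not_registered" };
  }
  return { ok: true };
}
```

The blocklist is the secondary line of defence here: the RFC 3986 grammar test fails closed on anything with embedded whitespace or control characters, so a scheme that survives normalisation but is still malformed is refused rather than interpreted. Custom app schemes such as cursor:// pass the scheme check and then still have to match a registered URI exactly, and the port is only ignored when the registered URI itself points at a loopback host.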
v0.0.9

Patch Changes

- #81 d18b865 Thanks @deathbyknowledge! - Add resolveExternalToken to support external token auth flows. Adds resolveExternalToken to support auth for external tokens. The callback only runs IF internal auth check fails. E.g. a canonical OAuth server is used by multiple services, allowing server-server communication with the same token.
v0.0.8

Patch Changes

- 9d4b595 Thanks @ghostwriternr! - Add configurable refresh token expiration
  - refreshTokenTTL option to set global expiration for refresh tokens
  - tokenExchangeCallback
  - invalid_grant error, forcing reauthentication

v0.0.7
Patch Changes

- #62 239e753 Thanks @whoiskatrin! - token revocation endpoint support
- #76 0b064bf Thanks @ghostwriternr! - Fix token revocation returning HTTP 500 instead of 200
- #80 9587b58 Thanks @threepointone! - block javascript: redirect URIs

v0.0.6

Patch Changes

- fe6b721 Thanks @cnallam! - Fix for the Missing Validation for ClientIdConfiguration
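The audience check described in the v0.2.3 entry (#109) above, with the origin-only comparison that the v0.4.0 resourceMatchOriginOnly option adds, as an added JavaScript example. This is not the library's code: the function names (splitAudience, audienceMatches, tokenCoversResource), the originOnly option name and the sample aud claims are assumptions made for illustration.

```javascript
// Added example, not the library's code: origin + path-prefix audience matching
// on path boundaries (v0.2.3 #109) and the origin-only mode of v0.4.0
// (resourceMatchOriginOnly). Names here are assumptions for illustration.

// Split a URI into its origin and a normalised path ("" for the root, no
// trailing slash). WHATWG URL parsing also lower-cases the host, drops default
// ports and resolves "." / ".." segments, so those cannot dodge the check.
function splitAudience(uri) {
  const u = new URL(uri);
  return { origin: u.origin, path: u.pathname.replace(/\/+$/, "") };
}

// Does a token issued for `audience` cover a request to `resource`?
//  - different origin (scheme, host or port)            -> no
//  - origin-only audience (path "")                     -> any path on that origin
//  - path-aware audience, e.g. https://example.com/api  -> /api and /api/... only,
//    never /api-v2 (the prefix must end on a "/" boundary)
//  - originOnly: true (the resourceMatchOriginOnly mode) -> compare origins only
function audienceMatches(audience, resource, { originOnly = false } = {}) {
  let a, r;
  try {
    a = splitAudience(audience);
    r = splitAudience(resource);
  } catch {
    return false; // an unparsable URI never matches
  }
  if (a.origin !== r.origin) return false;
  if (originOnly || a.path === "") return true;
  return r.path === a.path || r.path.startsWith(a.path + "/");
}

// Resource-server side: accept the token if any audience in its `aud` claim
// (string or array, as in JWT) covers the resource being requested.
function tokenCoversResource(claims, resource, opts) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.some((a) => audienceMatches(a, resource, opts));
}
```

The boundary rule is the whole point: a prefix test on the raw string would let https://example.com/api cover /api-v2, so the comparison runs on a parser-normalised path and the prefix must be followed by a "/". With originOnly the path is ignored entirely, which is what lets pre-v0.4.0 grants keep working, at the cost of the path-level restriction.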
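The two behaviours of the v0.3.0 entry (#144) above, single-use authorization codes that revoke the grant on reuse (RFC 6749 §10.5) and the revokeExistingGrants option on completeAuthorization(), as an added JavaScript example with an in-memory Map standing in for KV. This is not the library's code: the AuthorizationServer class, its method names and the sequential identifiers (grant_1, code_2, at_3) are constructed for illustration; a real server would use random, unguessable values.

```javascript
// Added example, not the library's code: single-use authorization codes with
// "revoke everything on reuse" (RFC 6749 §10.5) and revokeExistingGrants, the
// v0.3.0 (#144) behaviour. In-memory Maps stand in for KV; ids are sequential
// only so the walk-through is reproducible.

class AuthorizationServer {
  constructor() {
    this.grants = new Map(); // grantId -> { userId, clientId, scope, revoked }
    this.codes = new Map();  // code    -> { grantId, clientId, redeemed }
    this.tokens = new Map(); // token   -> grantId
    this.seq = 0;
  }

  nextId(prefix) { return `${prefix}_${++this.seq}`; } // constructed ids

  // Mirrors completeAuthorization(): create a grant and a one-time code.
  // With revokeExistingGrants (default true) older live grants for the same
  // user+client are revoked first, so their tokens stop working.
  completeAuthorization({ userId, clientId, scope }, { revokeExistingGrants = true } = {}) {
    if (revokeExistingGrants) {
      for (const [id, g] of this.grants) {
        if (g.userId === userId && g.clientId === clientId && !g.revoked) this.revokeGrant(id);
      }
    }
    const grantId = this.nextId("grant");
    this.grants.set(grantId, { userId, clientId, scope, revoked: false });
    const code = this.nextId("code");
    this.codes.set(code, { grantId, clientId, redeemed: false });
    return { code, grantId };
  }

  // Token endpoint, authorization_code grant.
  exchangeCode(code, clientId) {
    const c = this.codes.get(code);
    if (!c || c.clientId !== clientId) return { error: "invalid_grant" };
    if (c.redeemed) {
      // A second use of the same code means it leaked: revoke the grant and
      // every token from the first exchange, then refuse (RFC 6749 §10.5).
      this.revokeGrant(c.grantId);
      return { error: "invalid_grant" };
    }
    c.redeemed = true;
    const accessToken = this.nextId("at");
    this.tokens.set(accessToken, c.grantId);
    return { access_token: accessToken, grant_id: c.grantId };
  }

  revokeGrant(grantId) {
    const g = this.grants.get(grantId);
    if (g) g.revoked = true;
    for (const [t, gid] of this.tokens) if (gid === grantId) this.tokens.delete(t);
  }

  // Resource-server side check: the token exists and its grant is still live.
  isTokenValid(accessToken) {
    const gid = this.tokens.get(accessToken);
    return gid !== undefined && this.grants.get(gid).revoked === false;
  }
}

// Walk-through 1: a replayed code invalidates the token from the first exchange.
function demoCodeReplay() {
  const as = new AuthorizationServer();
  const { code } = as.completeAuthorization({ userId: "alice", clientId: "app", scope: "read" });
  const first = as.exchangeCode(code, "app");          // legitimate exchange
  const validBefore = as.isTokenValid(first.access_token);
  const replay = as.exchangeCode(code, "app");         // same code again
  const validAfter = as.isTokenValid(first.access_token);
  return { validBefore, replayError: replay.error, validAfter };
}

// Walk-through 2: re-authorizing the same user+client; does the old token survive?
function demoReauth(revokeExistingGrants) {
  const as = new AuthorizationServer();
  const a = as.completeAuthorization({ userId: "alice", clientId: "app", scope: "read" });
  const t1 = as.exchangeCode(a.code, "app").access_token;
  as.completeAuthorization({ userId: "alice", clientId: "app", scope: "read" }, { revokeExistingGrants });
  return as.isTokenValid(t1);
}
```

Replay handling has to revoke the grant from the first exchange rather than only reject the second request: if the code was intercepted, the first redemption may have been the interceptor's, and the legitimate client's later attempt is what reveals it. demoReauth(true) returns false (the default, old tokens die) and demoReauth(false) returns true (the pre-v0.3.0 behaviour of concurrent grants).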
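The modulo bias that the v0.0.11 entry removed from generateRandomString() and the rejection-sampling fix, as an added JavaScript example. This is not the library's code: the function names, the 62-symbol alphabet and the counterBytes test source are assumptions made for illustration.

```javascript
// Added example, not the library's code: why `byte % n` is biased and how
// rejection sampling removes the bias (v0.0.11, generateRandomString()).

const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; // 62

// Exact per-symbol probability of one draw, found by enumerating all 256 byte
// values (no randomness needed to see the bias). Without rejection, for n = 62,
// 256 mod 62 = 8 symbols get 5 byte values each and the other 54 get 4, so
// those 8 are 25% more likely. With rejection every symbol gets exactly 4.
function symbolDistribution(n, reject) {
  const limit = reject ? 256 - (256 % n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n] += 1;
  return counts.map((c) => c / limit);
}

// Biased: byte % n, the shape of the problem the fix addressed.
function randomStringBiased(length, randomBytes, alphabet = ALPHABET) {
  let out = "";
  for (const b of randomBytes(length)) out += alphabet[b % alphabet.length];
  return out;
}

// Unbiased: accept a byte only when it is below the largest multiple of n that
// fits in 0..255 (248 for n = 62); discard the rest and draw again.
function randomStringUnbiased(length, randomBytes, alphabet = ALPHABET) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError("alphabet must have 2..256 symbols");
  const limit = 256 - (256 % n);
  let out = "";
  while (out.length < length) {
    for (const b of randomBytes(length - out.length)) {
      if (out.length === length) break;
      if (b < limit) out += alphabet[b % n];
    }
  }
  return out;
}

// Real byte source: Web Crypto, available as globalThis.crypto in Cloudflare
// Workers and in Node 19+. Usage: randomStringUnbiased(32, cryptoBytes).
function cryptoBytes(k) {
  return globalThis.crypto.getRandomValues(new Uint8Array(k));
}

// Constructed deterministic source so the demonstration is reproducible:
// bytes counting up from `start`, wrapping at 255.
function counterBytes(start) {
  let c = start;
  return (k) => Uint8Array.from({ length: k }, () => c++ & 0xff);
}
```

symbolDistribution makes the bias visible without any randomness: for the 62-symbol alphabet, 8 symbols get 5 of the 256 byte values and the rest get 4. Rejection sampling discards the 8 byte values at the top (248 to 255), so the expected cost is about 3% extra bytes, and every accepted byte maps uniformly. With counterBytes(250) the biased version emits "CDE" straight away, while the unbiased version rejects 250 through 255 and only starts producing output at byte 0, giving "ABC".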
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.