v2.9.0

• added and documented the optional use of request instead of got
  for deployments requiring http(s) proxies to reach out to the internet wilderness

v2.8.3

• fixed token expires_in to be based off an overloadable BaseToken expiration() instance method
• fixed token introspection response for consumed tokens

v2.8.2

• changed grant_type requires to resolve oidc-provider loading through webpack

v2.8.0

• added provider clockTolerance option
• fixed clients with jwks_uri failing to be fetched blocking the initialize call
• fixed successful client keystore refresh after failed verification to pass
• bumped node-jose dependency

v2.7.2

• adjusted the client schema to ignore extra properties for disabled features
• fixed encrypted ID Tokens without a used alg (json payload) to have cty (content-type) json
• fixed unsigned ID Tokens missing *_hash properties
• request_uri response caching now also handles expires response headers

Note: 2.7.0 and 2.7.1 yanked for the bugs they introduced

v2.6.0

• added scope to successful token (authorization_code, refresh_token) responses
• updated dependencies ([email protected], removed deprecated buffer-equals-constant)

v2.5.1

• fixed already authorized application_type=native prompt=none authorizations to be able to check
  if the authorization is still present
• bumped session management jsSHA cdn dependency version

v2.5.0

• added an option to return metadata alongside with interaction results, this metadata is then
  retrievable i.e. during the interactionCheck call. #164, #165
• added an option to return error instead of the standard interaction results, the provider
  will take this error (and error_description when provided) and resolve the authorization request
  with it. #167, #168
• fixed Token#find() swallowing adapter#find errors
• fixed introspection swallowing rethrown adapter#find errors

v2.4.1

• fixed token upsert expiration to respect token's instance expiration

v2.4.0

• added BaseToken public API, this API enables advanced users in search of features such as JWT-formatted
  Bearer tokens or not being able to reconstruct client token values from a DB backup to overload
  these methods and get those features.
• fixed keystore initialize method to allow for servers only supporting authorization flow not needing
  RS256 signature key
• fixed token introspection disclosing details for expired but found tokens
• fixed exception during token introspection auth none clients looking up non-existing tokens