Releases: domenic/restify-oauth2

4.0.0

14 Apr 05:08

Added scope support. The majority of this work was done by @sybeck2k in #15 and #17. The resulting API, consisting primarily of a new grantScopes hook, is documented in the README. Additionally, there is now a res.sendUnauthorized() call you can use to send an error to the client when it tries to access things outside its scope. For more details on this, check out the cc-with-scopes example.

Changed the signature of all the hooks. All hooks now take arguments in the form (credentials, req, cb), or (token, req, cb) for authenticateToken. The contents of credentials depend on the flow being used and the stage of authentication and/or authorization the token request is in. The req object contains the client request, as requested in #18. The end result is to allow more flexible authentication or authorization processes, e.g. based on GeoIP or based on a combination of client and resource owner credentials. See individual hook documentation for more details.

The authenticateToken hook no longer automatically sets clientId or username properties. You no longer need to call back with the client ID or username; instead simply call back with true, and set any such properties yourself. This allows more flexibility in the names chosen (see e.g. #13), and allows setting any additional relevant properties—such as scopes, for example.

3.0.1

12 Mar 01:09

Fixed an issue where we were not calling next() or next(err) in some cases, preventing further parts of the chain, like Restify's audit logger, from running. Thanks to @apriendeau for bringing this to our attention in #16.

3.0.0

10 Mar 03:07

Renamed res.sendUnauthorized to res.sendUnauthenticated. In preparation for upcoming work to introduce scopes, we need to be more precise about differentiating authentication from authorization, and the purpose of this method was really to signal failed authentication, so it should be named as such. Once scopes are introduced, res.sendUnauthorized will return, but with different semantics that more accurately reflect its name.

For the ROPC flow, changed the error_type value for usernames/passwords that fail the grantUserToken hook to be invalid_grant, instead of invalid_client. Per RFC 6749 §5.2, this is more correct; invalid_client should be reserved for invalid client credentials, whereas invalid_grant is the right error type for invalid resource owner credentials.

2.1.0

10 Mar 03:11

Fixed various error responses to be more accurate to spec, per RFC 6570 §3.1:

  • Invalid requests should be 400 Bad Request errors, not 401 Unauthorized.
  • When sending the WWW-Authenticate header in response to invalid requests or invalid tokens, the appropriate error code and description can be included in that header.

2.0.0

10 Mar 03:13

Added the client credentials flow, which can be used if you only need to authenticate the client, but not the resource owner.

The public API changed from restifyOAuth2(server, options) to restifyOAuth2.cc(server, options) or restifyOAuth2.ropc(server, options).

1.0.1

10 Mar 03:14

Added the "grant-types" and "token-types" fields to the "oauth2-token" link header given in response to failed authentication, per draft-wmills-oauth-lrdd-07 §3.2.

1.0.0

10 Mar 03:16

Initial release. Extracted from some closed-source code originally, but overhauled to be more usable and general over a period of sporadically working on it for almost a year before finally open-sourcing it.