Skip to content

Latest commit

 

History

History
123 lines (74 loc) · 15.5 KB

File metadata and controls

123 lines (74 loc) · 15.5 KB

@mastra/auth-okta

0.1.0

Minor Changes

Patch Changes

0.1.0-alpha.0

Minor Changes

Patch Changes

0.0.7

Patch Changes

0.0.7-alpha.0

Patch Changes

  • Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the latest dist-tag forward, superseding the compromised versions that declared the malicious easy-day-js dependency. (#18056)

  • Updated dependencies [77a2351]:

    • @mastra/core@1.43.1-alpha.0

0.0.4

Patch Changes

  • Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)

  • Updated dependencies [c973db4, 552285e, 77e686c, ece8dba, e751af2, e2a8380, be3f1cd, a34d9db]:

    • @mastra/core@1.39.0

0.0.4-alpha.0

Patch Changes

  • Removed Hono from @mastra/core and auth package runtime dependencies. Auth providers now receive framework-agnostic request types that support standard Request objects and Hono-compatible request shapes. MCP and deployer avoid relying on core-bundled Hono context types at package boundaries. (#17410)

  • Updated dependencies [c973db4, 552285e, 77e686c, ece8dba, e751af2, e2a8380, be3f1cd, a34d9db]:

    • @mastra/core@1.39.0-alpha.0

0.0.3

Patch Changes

0.0.3-alpha.0

Patch Changes

  • Fix endpoint URL construction for Okta org authorization servers. (#15694)

    MastraAuthOkta concatenated /v1/authorize (and /token, /keys, /logout) directly onto OKTA_ISSUER. That yields the right endpoint for a custom authorization server (https://{domain}/oauth2/default.../oauth2/default/v1/authorize), but 404s on an Okta org authorization server (https://{domain}.../v1/authorize, whereas the real org endpoint is .../oauth2/v1/authorize).

    An internal endpointBase is now derived from the issuer — verbatim when it already contains /oauth2/, otherwise ${issuer}/oauth2 — and used for the authorize, token, keys, and logout URLs. JWT iss-claim validation still uses the raw issuer so token validation stays correct on both server types. Trailing slashes on the issuer are also normalized so OKTA_ISSUER=https://{domain}/ no longer produces .../oauth2//v1/....

  • Updated dependencies [27fd1b7, a702009, 8534d79, c78f8cd, e146aad, 1a0ec78, d52b6fe]:

    • @mastra/core@1.36.0-alpha.10

0.0.2

Patch Changes

  • fix(auth-okta): harden security defaults and address code review feedback (#14553)

    • Fix cache poisoning: errors in fetchGroupsFromOkta now propagate so the outer .catch evicts the entry and retries on next request
    • Reduce cookie size: only store user claims, id_token (for logout), and expiry — access/refresh tokens are no longer stored, keeping cookies under the 4KB browser limit
    • Add id_token_hint to logout URL (required by Okta)
    • Add console.warn for auto-generated cookie password and in-memory state store in production
    • Document missing env vars (OKTA_CLIENT_SECRET, OKTA_REDIRECT_URI, OKTA_COOKIE_PASSWORD) in README and examples
    • Expand MastraAuthOktaOptions docs to include all fields (session config, scopes, etc.)
    • Fix test to actually exercise getUserId cross-provider lookup path
  • Updated dependencies [68ed4e9, 085c1da, be37de4, 7dbd611, f14604c, 4a75e10, f3ce603, 423aa6f, f21c626, 41aee84, 2871451, 085c1da, 4bb5adc, 4bb5adc, e06b520, d3930ea, dd9c4e0]:

    • @mastra/core@1.16.0

0.0.2-alpha.0

Patch Changes

  • fix(auth-okta): harden security defaults and address code review feedback (#14553)

    • Fix cache poisoning: errors in fetchGroupsFromOkta now propagate so the outer .catch evicts the entry and retries on next request
    • Reduce cookie size: only store user claims, id_token (for logout), and expiry — access/refresh tokens are no longer stored, keeping cookies under the 4KB browser limit
    • Add id_token_hint to logout URL (required by Okta)
    • Add console.warn for auto-generated cookie password and in-memory state store in production
    • Document missing env vars (OKTA_CLIENT_SECRET, OKTA_REDIRECT_URI, OKTA_COOKIE_PASSWORD) in README and examples
    • Expand MastraAuthOktaOptions docs to include all fields (session config, scopes, etc.)
    • Fix test to actually exercise getUserId cross-provider lookup path
  • Updated dependencies [f14604c, e06b520, dd9c4e0]:

    • @mastra/core@1.16.0-alpha.4

0.0.1

Patch Changes

  • Initial release with Okta RBAC and Auth integration