Refactor

• extract NON_REJECTABLE_CLAIMS into shared constant (2b7c025)
• extract shared grant handler helpers to reduce duplication (f5eee9e)
• extract shared token finder for introspection and revocation (666c2b0)

Fixes

• required PAR should not affect CIBA and DAG (8167bd0)

Features

• add RAR support to CIBA flows (0fc5893), closes #1358

Documentation

• update spec links (019fa43)

Refactor

• change new Debug() to debug() (#1363) (b86b47c)

Fixes

• safeguard global navigator access (1caae21)

Features

• support ML-DSA JWS algorithm identifiers (f308b09)

Refactor

• add a warning for more unsupported runtimes (c55d58e)
• make warn/info warnings colorization a no-op in nonTTY (0c0a5b6)

Fixes

• check for native logout redirect allowed same way as during auth (419f286), closes #1351

Documentation

• add an getAttestationSignaturePublicKey example (3a7730c)

Refactor

• avoid code generation from strings by pre-compiling eta views (f997073)
• drop the default implementation of pairwiseIdentifier (6a2338a)
• remove oidc-token-hash dependency (b607491)

Features

• Experimental support for Attestation-Based Client Authentication (d655ebd)

Refactor

• consistently lowercase header names and use req/res aliases (1748a54)
• cors: update default client-based cors helper (77e06eb)
• reconcile dpop and attestation challenge implementations (e31f639)

Documentation

• updated documentation for configuration options (5710d61)

Features

• revocation: add an allowed token revocation policy helper (a7e47e4)

Documentation

• update README.md (857c34d)

Fixes

• introspection: use unsupported_token_type to indicate structured jwt tokens cannot be introspected (c9001be)
• revocation: use unsupported_token_type to indicate structured jwt tokens cannot be revoked (b45b00c)

Refactor

• pull structured token rejection to a shared middleware (30367af)

Features

• expose RFC8414 Authorization Server Metadata route (c5bd90f)