docs: update verbiage "provider" > "authorization server"

README.md

@@ -87,7 +87,7 @@ If you or your company use this module, or you need help using/upgrading the mod
 ## [Documentation](/docs/README.md) & Configuration
 
 oidc-provider can be mounted to existing connect, express, fastify, hapi, or koa applications, see
-[how](/docs/README.md#mounting-oidc-provider). The provider allows to be extended and configured in
+[how](/docs/README.md#mounting-oidc-provider). The authorization server allows to be extended and configured in
 various ways to fit a variety of uses. See the [documentation](/docs/README.md) and [example folder](/example).
 
 ```js

example/README.md

@@ -3,11 +3,11 @@
 See the following examples
 
 - [Koa](/example/koa.js)
-  - the provider is a part of your Koa application
+  - the authorization server is a part of your Koa application
 - [Express](/example/express.js)
-  - the provider is a part of your express application
+  - the authorization server is a part of your express application
 - [Standalone](/example/standalone.js)
-  - the provider is completely standalone
+  - the authorization server is completely standalone
 
 Further resources
 

lib/helpers/defaults.js

@@ -195,7 +195,7 @@ async function secretFactory(ctx) {
 async function defaultResource(ctx, client, oneOf) {
   // @param ctx - koa request context
   // @param client - client making the request
-  // @param oneOf {string[]} - The OP needs to select **one** of the values provided.
+  // @param oneOf {string[]} - The authorization server needs to select **one** of the values provided.
   //                           Default is that the array is provided so that the request will fail.
   //                           This argument is only provided when called during
   //                           Authorization Code / Refresh Token / Device Code exchanges.
@@ -360,7 +360,7 @@ async function postLogoutSuccessSource(ctx) {
   shouldChange('features.rpInitiatedLogout.postLogoutSuccessSource', 'customize the look of the default post logout success page');
   const {
     clientId, clientName, clientUri, initiateLoginUri, logoUri, policyUri, tosUri,
-  } = ctx.oidc.client || {}; // client is defined if the user chose to stay logged in with the OP
+  } = ctx.oidc.client || {}; // client is defined if the user chose to stay logged in with the authorization server
   const display = clientName || clientId;
   ctx.body = `<!DOCTYPE html>
     <html>
@@ -597,7 +597,7 @@ function makeDefaults() {
     /*
      * acrValues
      *
-     * description: Array of strings, the Authentication Context Class References that the OP supports.
+     * description: Array of strings, the Authentication Context Class References that the authorization server supports.
      */
     acrValues: [],
 
@@ -668,7 +668,7 @@ function makeDefaults() {
      *
      * description: Array of objects representing client metadata. These clients are referred to as
      * static, they don't expire, never reload, are always available. In addition to these
-     * clients the provider will use your adapter's `find` method when a non-static client_id is
+     * clients the authorization server will use your adapter's `find` method when a non-static client_id is
      * encountered. If you only wish to support statically configured clients and
      * no dynamic registration then make it so that your adapter resolves client find calls with a
      * falsy value (e.g. `return Promise.resolve()`) and don't take unnecessary DB trips.
@@ -920,7 +920,7 @@ function makeDefaults() {
      *   be aware that breaking changes may occur between draft implementations and that those
      *   will be published as minor versions of oidc-provider. See the example below on how to
      *   acknowledge the specification is a draft (this will remove the warning log) and ensure
-     *   the provider instance will fail to instantiate if a new version of oidc-provider bundles
+     *   the Provider instance will fail to instantiate if a new version of oidc-provider bundles
      *   newer version of the RFC with breaking changes in it.
      *
      * example: Acknowledging an experimental feature
@@ -1408,7 +1408,7 @@ function makeDefaults() {
          * features.pushedAuthorizationRequests.requirePushedAuthorizationRequests
          *
          * description: Makes the use of `PAR` required for all authorization
-         * requests as an OP policy.
+         * requests as an authorization server policy.
          */
         requirePushedAuthorizationRequests: false,
 
@@ -1555,7 +1555,7 @@ function makeDefaults() {
         /*
          * features.registrationManagement.rotateRegistrationAccessToken
          *
-         * description: Enables registration access token rotation. The provider will discard the
+         * description: Enables registration access token rotation. The authorization server will discard the
          *   current Registration Access Token with a successful update and issue a new one, returning
          *   it to the client with the Registration Update Response. Supported
          *   values are
@@ -1898,7 +1898,7 @@ function makeDefaults() {
          * features.requestObjects.requireSignedRequestObject
          *
          * description: Makes the use of signed request objects required for all authorization
-         * requests as an OP policy.
+         * requests as an authorization server policy.
          */
         requireSignedRequestObject: false,
 
@@ -2107,7 +2107,7 @@ function makeDefaults() {
     /*
      * jwks
      *
-     * description: JSON Web Key Set used by the provider for signing and decryption. The object must
+     * description: JSON Web Key Set used by the authorization server for signing and decryption. The object must
      * be in [JWK Set format](https://www.rfc-editor.org/rfc/rfc7517.html#section-5). All provided keys must
      * be private keys.
      *
@@ -2138,7 +2138,7 @@ function makeDefaults() {
     /*
      * responseTypes
      *
-     * description: Array of response_type values that the OP supports. The default omits all response
+     * description: Array of response_type values that the authorization server supports. The default omits all response
      * types that result in access tokens being issued by the authorization endpoint directly as per
      * [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.2)
      * You can still enable them if you need to.
@@ -2182,7 +2182,7 @@ function makeDefaults() {
       /*
        * pkce.required
        *
-       * description: Configures if and when the OP requires clients to use `PKCE`. This helper is called
+       * description: Configures if and when the authorization server requires clients to use `PKCE`. This helper is called
        * whenever an authorization request lacks the code_challenge parameter.
        * Return
        *   - `false` to allow the request to continue without `PKCE`
@@ -2194,7 +2194,7 @@ function makeDefaults() {
     /*
      * routes
      *
-     * description: Routing values used by the OP. Only provide routes starting with "/"
+     * description: Routing values used by the authorization server. Only provide routes starting with "/"
      */
     routes: {
       authorization: '/auth',
@@ -2214,8 +2214,8 @@ function makeDefaults() {
     /*
      * scopes
      *
-     * description: Array of additional scope values that the OP signals to support in the discovery
-     *   endpoint. Only add scopes the OP has a corresponding resource for.
+     * description: Array of additional scope values that the authorization server signals to support in the discovery
+     *   endpoint. Only add scopes the authorization server has a corresponding resource for.
      *   Resource Server scopes don't belong here, see `features.resourceIndicators` for configuring
      *   those.
      */
@@ -2224,7 +2224,7 @@ function makeDefaults() {
     /*
      * subjectTypes
      *
-     * description: Array of the Subject Identifier types that this OP supports. When only `pairwise`
+     * description: Array of the Subject Identifier types that this authorization server supports. When only `pairwise`
      * is supported it becomes the default `subject_type` client metadata value. Valid types are
      *   - `public`
      *   - `pairwise`
@@ -2234,7 +2234,7 @@ function makeDefaults() {
     /*
      * pairwiseIdentifier
      *
-     * description: Function used by the OP when resolving pairwise ID Token and Userinfo sub claim
+     * description: Function used by the authorization server when resolving pairwise ID Token and Userinfo sub claim
      *   values. See [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg)
      * recommendation: Since this might be called several times in one request with the same arguments
      *   consider using memoization or otherwise caching the result based on account and client
@@ -2459,7 +2459,7 @@ function makeDefaults() {
     /*
      * rotateRefreshToken
      *
-     * description: Configures if and how the OP rotates refresh tokens after they are used. Supported
+     * description: Configures if and how the authorization server rotates refresh tokens after they are used. Supported
      *   values are
      *   - `false` refresh tokens are not rotated and their initial expiration date is final
      *   - `true` refresh tokens are rotated when used, current token is marked as
@@ -2479,7 +2479,7 @@ function makeDefaults() {
     /*
      * enabledJWA
      *
-     * description: Fine-tune the algorithms your provider will support by declaring algorithm
+     * description: Fine-tune the algorithms the authorization server supports by declaring algorithm
      *   values for each respective JWA use
      * @nodefault
      */
@@ -2488,7 +2488,7 @@ function makeDefaults() {
       /*
        * enabledJWA.clientAuthSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports for signed JWT Client Authentication
+       * description: JWS "alg" Algorithm values the authorization server supports for signed JWT Client Authentication
        *
        * example: Supported values list
        * ```js
@@ -2508,7 +2508,7 @@ function makeDefaults() {
       /*
        * enabledJWA.idTokenSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports to sign ID Tokens with.
+       * description: JWS "alg" Algorithm values the authorization server supports to sign ID Tokens with.
        *
        * example: Supported values list
        * ```js
@@ -2528,7 +2528,7 @@ function makeDefaults() {
       /*
        * enabledJWA.requestObjectSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports to receive signed Request Objects (`JAR`) with
+       * description: JWS "alg" Algorithm values the authorization server supports to receive signed Request Objects (`JAR`) with
        *
        * example: Supported values list
        * ```js
@@ -2548,7 +2548,7 @@ function makeDefaults() {
       /*
        * enabledJWA.userinfoSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports to sign UserInfo responses with
+       * description: JWS "alg" Algorithm values the authorization server supports to sign UserInfo responses with
        *
        * example: Supported values list
        * ```js
@@ -2568,7 +2568,7 @@ function makeDefaults() {
       /*
        * enabledJWA.introspectionSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports to sign JWT Introspection responses with
+       * description: JWS "alg" Algorithm values the authorization server supports to sign JWT Introspection responses with
        *
        * example: Supported values list
        * ```js
@@ -2588,7 +2588,7 @@ function makeDefaults() {
       /*
        * enabledJWA.authorizationSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports to sign JWT Authorization Responses (`JARM`) with
+       * description: JWS "alg" Algorithm values the authorization server supports to sign JWT Authorization Responses (`JARM`) with
        *
        * example: Supported values list
        * ```js
@@ -2608,7 +2608,7 @@ function makeDefaults() {
       /*
        * enabledJWA.idTokenEncryptionAlgValues
        *
-       * description: JWE "alg" Algorithm values the provider supports for ID Token encryption
+       * description: JWE "alg" Algorithm values the authorization server supports for ID Token encryption
        *
        * example: Supported values list
        * ```js
@@ -2631,7 +2631,7 @@ function makeDefaults() {
       /*
        * enabledJWA.requestObjectEncryptionAlgValues
        *
-       * description: JWE "alg" Algorithm values the provider supports to receive encrypted Request Objects (`JAR`) with
+       * description: JWE "alg" Algorithm values the authorization server supports to receive encrypted Request Objects (`JAR`) with
        *
        * example: Supported values list
        * ```js
@@ -2654,7 +2654,7 @@ function makeDefaults() {
       /*
        * enabledJWA.userinfoEncryptionAlgValues
        *
-       * description: JWE "alg" Algorithm values the provider supports for UserInfo Response encryption
+       * description: JWE "alg" Algorithm values the authorization server supports for UserInfo Response encryption
        *
        * example: Supported values list
        * ```js
@@ -2677,7 +2677,7 @@ function makeDefaults() {
       /*
        * enabledJWA.introspectionEncryptionAlgValues
        *
-       * description: JWE "alg" Algorithm values the provider supports for JWT Introspection response
+       * description: JWE "alg" Algorithm values the authorization server supports for JWT Introspection response
        * encryption
        *
        * example: Supported values list
@@ -2701,7 +2701,7 @@ function makeDefaults() {
       /*
        * enabledJWA.authorizationEncryptionAlgValues
        *
-       * description: JWE "alg" Algorithm values the provider supports for JWT Authorization response (`JARM`)
+       * description: JWE "alg" Algorithm values the authorization server supports for JWT Authorization response (`JARM`)
        * encryption
        *
        * example: Supported values list
@@ -2725,7 +2725,7 @@ function makeDefaults() {
       /*
        * enabledJWA.idTokenEncryptionEncValues
        *
-       * description: JWE "enc" Content Encryption Algorithm values the provider supports to encrypt ID Tokens with
+       * description: JWE "enc" Content Encryption Algorithm values the authorization server supports to encrypt ID Tokens with
        *
        * example: Supported values list
        * ```js
@@ -2741,7 +2741,7 @@ function makeDefaults() {
       /*
        * enabledJWA.requestObjectEncryptionEncValues
        *
-       * description: JWE "enc" Content Encryption Algorithm values the provider supports to decrypt Request Objects (`JAR`) with
+       * description: JWE "enc" Content Encryption Algorithm values the authorization server supports to decrypt Request Objects (`JAR`) with
        *
        * example: Supported values list
        * ```js
@@ -2757,7 +2757,7 @@ function makeDefaults() {
       /*
        * enabledJWA.userinfoEncryptionEncValues
        *
-       * description: JWE "enc" Content Encryption Algorithm values the provider supports to encrypt UserInfo responses with
+       * description: JWE "enc" Content Encryption Algorithm values the authorization server supports to encrypt UserInfo responses with
        *
        * example: Supported values list
        * ```js
@@ -2773,7 +2773,7 @@ function makeDefaults() {
       /*
        * enabledJWA.introspectionEncryptionEncValues
        *
-       * description: JWE "enc" Content Encryption Algorithm values the provider supports to encrypt JWT Introspection responses with
+       * description: JWE "enc" Content Encryption Algorithm values the authorization server supports to encrypt JWT Introspection responses with
        *
        * example: Supported values list
        * ```js
@@ -2789,7 +2789,7 @@ function makeDefaults() {
       /*
        * enabledJWA.authorizationEncryptionEncValues
        *
-       * description: JWE "enc" Content Encryption Algorithm values the provider supports to encrypt JWT Authorization Responses (`JARM`) with
+       * description: JWE "enc" Content Encryption Algorithm values the authorization server supports to encrypt JWT Authorization Responses (`JARM`) with
        *
        * example: Supported values list
        * ```js
@@ -2805,7 +2805,7 @@ function makeDefaults() {
       /*
        * enabledJWA.dPoPSigningAlgValues
        *
-       * description: JWS "alg" Algorithm values the provider supports to verify signed DPoP proof JWTs with
+       * description: JWS "alg" Algorithm values the authorization server supports to verify signed DPoP proof JWTs with
        *
        * example: Supported values list
        * ```js

recipes/README.md

@@ -11,7 +11,7 @@ If you or your company use this module, or you need help using/upgrading the mod
 
 ---
 
-- [Accepting Dynamic OP Scope Values](dynamic_op_scope.md)
+- [Accepting Dynamic Authorization Server Scope Values](dynamic_op_scope.md)
 - [Allowing HTTP and/or localhost for implicit response types](implicit_http_localhost.md)
 - [Applying default client scope](default_scope.md)
 - [Claim configuration](claim_configuration.md)

recipes/dynamic_op_scope.md

@@ -1,4 +1,4 @@
-# Accepting Dynamic OP Scope Values
+# Accepting Dynamic Authorization Server Scope Values
 
 - built for version: ^7.1.2 || ^8.0.0
 - For dynamic scopes at the Resource Server you'd use the helpers in the `resourceIndicators` feature.

recipes/skip_consent.md

@@ -7,7 +7,7 @@ your own
 applications
 
 Sometimes your use-case doesn't need a consent screen.
-This use-case might occur if your provider has only *first-party* clients configured.
+This use-case might occur if the authorization server has only *first-party* clients configured.
 To achieve that you want to add the requested claims/scopes/resource scopes to the grant:
 
 ```js