@clerk/backend@3.11.1
Breaking Changes📦 clerkView on GitHub →
⚠ 1 breaking🐛 1 fixes
Summary
This patch enforces the presence of the `azp` claim when `authorizedParties` is configured, fixing a security bypass, and updates dependencies.
⚠️ Breaking Changes
- If you configure `authorizedParties`, session tokens that are missing the `azp` claim will now be rejected. Previously, these tokens were accepted, bypassing the authorized-parties check.
Migration Steps
- If you rely on session tokens missing the `azp` claim while using `authorizedParties`, ensure your tokens now include the `azp` claim.
🐛 Bug Fixes
- Enforced the `azp` (authorized party) claim check when `authorizedParties` is configured, preventing bypasses via missing `azp` claims.