[Openid-specs-ab] Issue #2182: OpenID Connect Session Management 1.0 and CryptoJS (openid/connect)
Andrii Deinega
issues-reply at bitbucket.org
Mon Aug 18 18:33:40 UTC 2025
New issue 2182: OpenID Connect Session Management 1.0 and CryptoJS
https://bitbucket.org/openid/connect/issues/2182/openid-connect-session-management-10-and
Andrii Deinega:
One of the provided examples in [https://openid.net/specs/openid-connect-session-1\_0.html](https://openid.net/specs/openid-connect-session-1_0.html) uses the CryptoJS library, which in fact, is discontinued now.
[https://www.npmjs.com/package/crypto-js](https://www.npmjs.com/package/crypto-js) says
> Active development of CryptoJS has been discontinued. This library is no longer maintained.
>
> Nowadays, NodeJS and modern browsers have a native `Crypto` module. The latest version of CryptoJS already uses the native Crypto module for random number generation, since `Math.random()` is not crypto-safe. Further development of CryptoJS would result in it only being a wrapper of native Crypto. Therefore, development and maintenance has been discontinued, it is time to go for the native `crypto` module.
The suggestion is to move to native [Crypto](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
More information about the Openid-specs-ab
mailing list