Skip to content

v0.2.5 — OAuth /authorize idempotency fix

Choose a tag to compare

@keysersoft keysersoft released this 30 Jun 09:59

Fixed

  • OAuth /authorize 404 with some clients (e.g. Microsoft Copilot Studio). The login strategy distinguished initiate vs validate by the login cookie alone, so re-hitting /authorize while the short-lived login cookie was set made passport fall through to a 404. /authorize now always redirects to login; the cookie is only consumed at /callback. Existing clients (Claude, DCR) are unaffected.
  • setup.sh: the generated Caddyfile now routes /callback and /revoke to the backend (the OAuth authorization code is issued at /callback).