
Release 1.4.0


@leodip leodip released this 29 Nov 20:55

New Features

  1. Granular API Scopes (#43) - Fine-grained admin authorization with new scopes for precise API access control instead of the single authserver:manage permission
  2. OAuth2 Implicit Flow - Configurable implicit flow support for legacy clients (response_type=token, id_token, id_token token). Disabled by default, can be enabled globally or per-client
  3. OAuth2 Resource Owner Password Credentials (ROPC) Flow - RFC 6749 Section 4.3 implementation for direct username/password authentication. Disabled by default, can be enabled globally or per-client
  4. User Profile Pictures (#18) - Upload/manage profile pictures with OIDC picture claim support:
    - Self-service and admin management
    - Public /userinfo/picture/{subject} endpoint
    - Client-side image cropping with Cropper.js
    - Server-side validation (PNG, JPEG, GIF; max 2MB; 64-2000px)
  5. Configurable PKCE - PKCE can now be configured globally or per-client (required/optional)
  6. Client Secret Basic Authentication - Support for the client_secret_basic client authentication method (client_id and client_secret sent as HTTP Basic credentials in the Authorization header, RFC 6749 Section 2.3.1), in addition to client_secret_post
  7. POST Body Access Token for Userinfo - The userinfo endpoint now also accepts the access token as a form-encoded parameter in the POST body, per OIDC Core 1.0 Section 5.3.1
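As an added illustration of the per-client PKCE setting (example code written for this page, not Goiabada's own; the PKCEPolicy type, the Client record and the function names are assumptions), here are both halves of the check in Go: what the authorization endpoint accepts under a required or optional policy, and how the token endpoint verifies the presented code_verifier against the challenge stored with the code.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// PKCEPolicy is the hypothetical setting this example assumes: a global
// default that an individual client record may override.
type PKCEPolicy int

const (
	PKCEOptional PKCEPolicy = iota // verify PKCE only if the client sent a challenge
	PKCERequired                   // reject /authorize requests that carry none
)

// Client is a hypothetical client record; a nil PKCE means "inherit the global setting".
type Client struct {
	ID   string
	PKCE *PKCEPolicy
}

// EffectivePolicy resolves the per-client override against the global default.
func EffectivePolicy(global PKCEPolicy, c Client) PKCEPolicy {
	if c.PKCE != nil {
		return *c.PKCE
	}
	return global
}

// RFC 7636 §4.1/§4.2: verifier and challenge are 43..128 unreserved characters.
var pkceRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// S256Challenge computes BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// CheckAuthorize validates the PKCE parameters of an /authorize request under
// the given policy and returns the (challenge, method) pair to persist with
// the authorization code. Under PKCEOptional a missing challenge is accepted.
func CheckAuthorize(policy PKCEPolicy, challenge, method string) (string, string, error) {
	if challenge == "" {
		if policy == PKCERequired {
			return "", "", errors.New("invalid_request: code_challenge is required for this client")
		}
		return "", "", nil
	}
	if method == "" {
		method = "plain" // RFC 7636 §4.3: the default when the parameter is absent
	}
	if method != "S256" && method != "plain" {
		return "", "", errors.New("invalid_request: unsupported code_challenge_method")
	}
	if !pkceRe.MatchString(challenge) {
		return "", "", errors.New("invalid_request: malformed code_challenge")
	}
	return challenge, method, nil
}

// CheckToken is the /token side: given what was stored with the code, verify
// the presented code_verifier. A code issued without a challenge cannot be
// protected after the fact, which is what the "required" policy is for.
func CheckToken(storedChallenge, storedMethod, verifier string) error {
	if storedChallenge == "" {
		return nil // no challenge bound to this code (only possible under PKCEOptional)
	}
	if !pkceRe.MatchString(verifier) {
		return errors.New("invalid_grant: code_verifier missing or malformed")
	}
	expected := verifier // storedMethod "plain"; the method was validated at /authorize
	if storedMethod == "S256" {
		expected = S256Challenge(verifier)
	}
	// Constant-time compare: the code is single-use, but there is still no
	// reason to leak how many leading bytes of the challenge matched.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B vector
	ch, m, _ := CheckAuthorize(PKCERequired, S256Challenge(verifier), "S256")
	fmt.Println(ch, m, CheckToken(ch, m, verifier), CheckToken(ch, m, "wrong-"+verifier))
}
```

The verifier in main is the RFC 7636 Appendix B test vector, whose S256 challenge is E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM. Two practical caveats: "optional" only means the server tolerates a request without a challenge, so public clients should be switched to "required" rather than relying on the client to opt in; and many deployments additionally refuse the "plain" method, which the example accepts only because the RFC makes it the default.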

Security Improvements

  1. Constant-time client secret comparison - Client secrets are now compared in constant time, so a wrong secret cannot be narrowed down byte by byte through response timing
  2. Timing-safe user enumeration protection - When a login names an account that does not exist, the submitted password is still verified against a dummy password hash (DummyPasswordHash), so response time no longer reveals whether a username exists
  3. Improved error handling for redirect URI parsing - Better validation in authorization flows
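The two timing items above, worked through as an added Go example (not the project's code; the Client and User records, the realm string, and the PBKDF2 stand-in for the real password hash are assumptions made here). It parses client_secret_basic credentials, compares the secret in constant time, answers failures with the 401 and WWW-Authenticate header that RFC 6749 Section 5.2 prescribes for header-authenticated clients, and verifies passwords against a dummy hash whenever the username is unknown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"net/url"
	"strings"
)

// OAuthError is an RFC 6749 §5.2 error. A client that used the Authorization
// header gets invalid_client as a 401 carrying a WWW-Authenticate challenge.
type OAuthError struct {
	Status                             int
	Code, Description, WWWAuthenticate string
}

// Client is a hypothetical record; the secret is assumed to be available in
// plaintext at verification time (how a real server stores it is not shown).
type Client struct{ ID, Secret string }

// ParseClientSecretBasic decodes RFC 6749 §2.3.1 credentials: client_id and
// client_secret are form-url-encoded, joined with ':' and base64-encoded.
func ParseClientSecretBasic(header string) (string, string, bool) {
	scheme, b64, _ := strings.Cut(strings.TrimSpace(header), " ")
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if !strings.EqualFold(scheme, "basic") || err != nil {
		return "", "", false
	}
	idEnc, secretEnc, found := strings.Cut(string(raw), ":")
	id, errID := url.QueryUnescape(idEnc)
	secret, errSecret := url.QueryUnescape(secretEnc)
	if !found || errID != nil || errSecret != nil || id == "" {
		return "", "", false
	}
	return id, secret, true
}

// equalConstantTime hashes both values to 32 bytes and compares the digests
// with subtle.ConstantTimeCompare, so neither the length nor the position of
// the first mismatch leaks through timing.
func equalConstantTime(a, b string) bool {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// AuthenticateClient authenticates a client_secret_basic client. An unknown
// client and a wrong secret return the same error after the same work.
func AuthenticateClient(clients map[string]Client, header string) (Client, *OAuthError) {
	id, secret, ok := ParseClientSecretBasic(header)
	c, found := clients[id] // zero-value Client when unknown; compared anyway
	if !equalConstantTime(c.Secret, secret) || !ok || !found {
		return Client{}, &OAuthError{Status: http.StatusUnauthorized, Code: "invalid_client",
			Description: "client authentication failed", WWWAuthenticate: `Basic realm="token"`}
	}
	return c, nil
}

// pbkdf2SHA256 is one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018 §5.2). It
// stands in for the bcrypt/argon2 hash a real server would use, so that the
// example runs on the standard library alone.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// User is a hypothetical stored credential; iterations is a constructed demo
// value that is far too low for production.
type User struct{ Salt, Hash []byte }
const iterations = 20000

func NewUser(password string, salt []byte) User {
	return User{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, iterations)}
}

// dummyUser is hashed once at start-up. A login for an account that does not
// exist is verified against it, so the unknown-user path costs the same as a
// wrong-password path and response time says nothing about the account.
var dummyUser = NewUser("not-a-real-password", []byte("dummy-salt"))

// VerifyPassword is true only for a known user with the right password, and
// always performs exactly one password hash whichever check fails.
func VerifyPassword(users map[string]User, username, password string) bool {
	u, found := users[username]
	if !found {
		u = dummyUser
	}
	got := pbkdf2SHA256([]byte(password), u.Salt, iterations)
	return subtle.ConstantTimeCompare(got, u.Hash) == 1 && found
}
```

Two details worth copying: the secret comparison hashes both sides first, because subtle.ConstantTimeCompare returns immediately when the lengths differ and would otherwise leak the secret's length; and VerifyPassword checks `found` only after the hash has been computed, so a guessed dummy password can never authenticate and the unknown-user branch is never the fast one.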

Bug Fixes & Compliance

  1. RFC 6749 compliant error responses - Detailed error codes and WWW-Authenticate headers for client authentication failures
  2. Refresh token scope compliance - Refresh tokens now match original scope per RFC 6749
  3. AMR claim format fix - Now correctly returns JSON array per OIDC Core 1.0 Section 2
  4. Session ACR/AMR step-up fix - Centralized ACR comparison logic for proper step-up authentication
  5. Removed typ claim from ID token - Satisfies OIDC conformance suite requirements
  6. auth_time handling - Properly set based on current authentication completion in implicit flow
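Items 2 and 4 above as an added Go example (written for this page, not taken from the project; the ACR names and the level table are assumptions): narrowing a refresh-token grant's scope per RFC 6749 Section 6, and a single ACR comparison that both the authorize endpoint and the session check can call so they cannot disagree on what "stronger" means.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NarrowRefreshScope applies RFC 6749 §6 to a refresh_token grant: the scope
// parameter is optional, and when present it MUST NOT include any scope that
// was not originally granted. Scopes are a space-delimited list (§3.3); the
// result keeps the order of the original grant and drops duplicates.
func NarrowRefreshScope(originalScope, requestedScope string) (string, error) {
	granted := strings.Fields(originalScope)
	if strings.TrimSpace(requestedScope) == "" {
		return strings.Join(granted, " "), nil // omitted: same scope as the original grant
	}
	wanted := make(map[string]bool)
	for _, s := range strings.Fields(requestedScope) {
		wanted[s] = true
	}
	var out []string
	for _, s := range granted {
		if wanted[s] {
			out = append(out, s)
			delete(wanted, s) // also de-duplicates repeated entries in the original
		}
	}
	if len(wanted) > 0 {
		extra := make([]string, 0, len(wanted))
		for s := range wanted {
			extra = append(extra, s)
		}
		sort.Strings(extra)
		return "", fmt.Errorf("invalid_scope: not in the original grant: %s", strings.Join(extra, " "))
	}
	return strings.Join(out, " "), nil
}

// acrLevel is a hypothetical ranking of ACR values; the names are this
// example's, not the server's. Every caller that needs to know whether one
// authentication is stronger than another goes through NeedsStepUp.
var acrLevel = map[string]int{
	"urn:example:pwd":     1,
	"urn:example:pwd:otp": 2,
}

// NeedsStepUp reports whether a session authenticated at sessionACR must be
// re-authenticated to satisfy requiredACR. Unknown values always step up.
func NeedsStepUp(sessionACR, requiredACR string) (bool, error) {
	have, okHave := acrLevel[sessionACR]
	need, okNeed := acrLevel[requiredACR]
	if !okHave || !okNeed {
		return true, fmt.Errorf("unknown acr value (session=%q, required=%q)", sessionACR, requiredACR)
	}
	return have < need, nil
}

func main() {
	fmt.Println(NarrowRefreshScope("openid profile email", "email openid")) // openid email <nil>
	fmt.Println(NarrowRefreshScope("openid profile", "openid admin"))       // "" invalid_scope: ...
	fmt.Println(NeedsStepUp("urn:example:pwd", "urn:example:pwd:otp"))      // true <nil>
}
```

The escalation case is the one to test in any server: a refresh request asking for a scope the user never consented to must fail with invalid_scope rather than quietly issuing a broader token, and an ACR value the server does not recognise should force re-authentication rather than be treated as satisfied.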

Updated docs