Release 1.5.1

@leodip leodip released this 26 Apr 16:54
· 10 commits to main since this release

What's New in v1.5.1

Features

  • Audit log database persistence (#58) — audit events can now be written to the database in addition to (or instead of) the console. Includes a configurable retention period, a background worker for cleanup, an Audit log settings admin page, and a paginated Audit log viewer with event-type filtering.

  • OIDC id_token_hint support (#61) — the /auth/authorize endpoint now validates the id_token_hint parameter per OIDC Core 1.0 §3.1.2.1/3.1.2.2: issuer validation, expired-token acceptance, and sub matching. Prevents the server from issuing tokens for a different user than the hint specifies.
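The three checks named for #61, shown in Go as an added example that is not the project's own code. The issuer URL, the HS256 demo key (a stand-in for the server's own signing key), the signature check, and the names `claims`, `sign`, `mintHint` and `checkHint` are assumptions made for the example.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed values; the HMAC key is a stand-in for the server's own signing key.
const issuer = "https://idp.example.test"
var key, b64 = []byte("constructed-demo-key"), base64.RawURLEncoding
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
func sign(in string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(in))
	return b64.EncodeToString(h.Sum(nil))
}
func mintHint(c claims) string { // builds a sample token so the example runs offline
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	return in + "." + sign(in)
}
// checkHint returns nil when the hint may be honoured for the logged-in user.
// c.Exp is never compared with the clock: an expired hint is still acceptable.
func checkHint(hint, sessionSub string) error {
	parts := strings.Split(hint, ".")
	// The header's alg is never consulted: only an HMAC made with our key passes.
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(sign(parts[0]+"."+parts[1]))) {
		return fmt.Errorf("id_token_hint was not signed by this server")
	}
	var c claims
	body, err := b64.DecodeString(parts[1])
	switch {
	case err != nil || json.Unmarshal(body, &c) != nil:
		return fmt.Errorf("unreadable claims")
	case c.Iss != issuer: // issuer validation
		return fmt.Errorf("issuer mismatch")
	case c.Sub != sessionSub: // sub matching
		return fmt.Errorf("hint names a different user than the session")
	}
	return nil
}
func main() { // an expired hint for alice, presented in bob's session
	fmt.Println(checkHint(mintHint(claims{Iss: issuer, Sub: "alice", Exp: 1}), "bob"))
}
```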

Bug Fixes

  • Consistent auth_time claim across SSO requests (#60) — fixes a mismatch where two ID tokens issued from the same authenticated session could carry different auth_time values, breaking OIDC conformance test oidcc-max-age-10000. AuthenticatedAt is now propagated correctly from BumpUserSession / StartNewUserSession.
Dependencies updated