
CHANGELOG

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

3.7.1 - 07-11-2024

Fixed

  • logout redirect when query params are set in the redirect path

3.7.0 - 30-10-2024

Added

  • add TLS connection support for Redis in normal and sentinel mode

3.6.0 - 26-02-2024

Added

  • Add client_id to Auth0 logout endpoint when AUTH0_LOGOUT_CLIENT_ID_ENABLED env is true

3.5.0 - 20-02-2024

Added

  • MKB-26: Add the authorizeStateRequired configuration to make the state query parameter required for the /authorize endpoint

3.4.0 - 02-02-2024

Added

  • add users Jobs endpoints:
    • users bulk import
    • get bulk import status
    • get bulk import errors

3.3.2 - 10-01-2024

Added

  • support for Redis username and password when using standalone mode

3.3.1 - 16-12-2022

Added

  • Possibility to configure SameSite cookie

3.3.0 - 30-09-2022

Added

  • API to get currently active users

3.2.3 - 15-12-2021

Fixed

  • Added parentheses around the query filter conditions before concatenating the connection filter in AND in the Lucene query

3.2.2 - 10-11-2021

Added

  • Exposed OpenAPI 3 documentation API

3.2.1 - 12-07-2021

Changed

  • Increased State TTL from 30s to 10m.

3.2.0 - 03-06-2021

Added

  • added support to translate the $in operator in the Lucene query
  • when an ACL is provided through the acl_rows header, the generated Lucene query is wrapped in parentheses and applied in logical AND with the ACL itself

3.1.2 - 02-03-2021

Updated

  • dependencies updates

3.1.1 - 13-01-2021

Fixed

  • updated glogger to prevent HTML escaping in logs
  • the connection filter in user list API query generation is now applied last and set in AND, to prevent always returning all users during search.

3.1.0 - 21-12-2020

Added

  • added wildcard support to user list API

3.0.2 - 22-10-2020

Added

  • Filtering out repeated openid scopes from configuration, since the openid scope is applied by default by the service

Fixed

  • Password grant type now provides the openid scope by default

Updated

  • Updated the gitlab-ci.yml mongo dependency; from this version, mongo 4.4 support is guaranteed.
  • Updated the redis dependency; from this version, redis 6 support is guaranteed.

3.0.1 - 08-10-2020

Changed

  • changed auth0helpers to retrieve a token by reading a JSON response
  • config.schema.json now also accepts defaultConnection
  • modified the getIDToken error message to "access token is empty"
  • return 403 instead of 500 in the case of a failed password credentials token request

3.0.0 - 06-10-2020

BREAKING CHANGE

  • Updated glogger to v2.0.3, which brings a new logging format, possibly breaking the log processing stack

2.3.0 - 03-04-2020

Added

  • implemented initial connection support for all currently supported Auth0 routes. Note that this change is not breaking: if the clients configuration is not modified to support a specific connection, then the APIs will work as before. The changed routes are the following:
    • GET /authorize: selects the connection based on the request, using the first available connection if none is provided;
    • POST /oauth/token: in a similar fashion to /authorize, uses the selected connection if supported, otherwise defaults to the first available one if none is provided;
    • GET /users: filters the requested connections based on the connections supported by the ManagementClient; if none is provided, all supported connections are used;
    • POST /user/:userId: uses the default connection from the ManagementClient if no connection is provided, otherwise uses the one provided (if supported).

2.2.1 - 24-02-2020

Added

  • handle graceful shutdown, configurable with new environment variable DELAY_SHUTDOWN_SECONDS

2.2.0

Added

  • handle grant_type password on /oauth/token endpoint;

Fixed

  • userinfo, logout and refresh base their flows on Authorization or Cookie headers, ignoring website scope.

Updated

  • Added to the README a specification of X-Forwarded-Host and Host header usage, and documented the configuration of the website scope to get a session cookie instead of an Access Token.

2.0.0 - 08-01-2020

BREAKING CHANGE

  • changed required env variable REDIS_HOST to REDIS_HOSTS;
  • changed configuration file structure;
  • added the website scope to obtain a session cookie; otherwise OIDC tokens are returned;

Added

  • supported redis sentinel and multiple redis hosts;

Fixed

  • do not set Max-Age for sid cookie deletion;
  • use the configlib library instead of the helpers package in the service. This makes the configuration file case sensitive;

Refactor

  • use glogger instead of the logger package in the service.

1.0.0 - 02-12-2019

Added

  • handling all app_metadata query strings on the GET /users API. Note that groups filtering has been moved beneath the app_metadata scope and is no longer handled as a standalone query string;
  • forwarding some query strings when translating Auth0 Get users API params;
  • implemented change password API;
  • implemented user list retrieval API;
  • implemented user delete API;
  • implemented users update API;
  • implemented a mux middleware for client configuration selection and context injection and users creation API;
  • implemented redirectUri query string for provisioning of a redirect uri at the end of the /oauth/token flow;
  • implemented refresh API;
  • implemented session deletion from redis on logout;
  • implemented refresh token flow and integrated it into userinfo flow;
  • implemented token management with redis caching;
  • basic endpoints for login, logout and user info gathering: /authorize, /oauth/token, /logout, /userinfo, /users/me;
  • clients configuration file definition and dynamic client selection in request handlers.