Releases: spring-projects/spring-authorization-server
Releases · spring-projects/spring-authorization-server
0.3.1
⭐ New Features
- OpenID Provider Configuration response should return introspection_endpoint #779
- Add authenticationDetailsSource to AuthorizationEndpointFilter #768
- Add the possibility to add at_hash claim to ID Token #744
- Add token revocation endpoint to OpenID Provider Configuration endpoint #710
- OpenID Provider Configuration endpoint should include the revocation token endpoint #687
- Improve error message when redirect_uri contains localhost #680
🪲 Bug Fixes
- PKCE token request with no code_challenge_method results in 400 with "server_error" #770
🔨 Dependency Upgrades
- Downgrade to hsqldb:2.5.2 #771
⏪ Non-passive
- Downgrade to Java 8 #761
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.3.0
⏪ Breaking Changes
- Change interface that only contain constants to final class #728
- Move OAuth2TokenCustomizer to token package #730
- Remove deprecations #732
- Remove JwtEncoder and associated classes #724
- Remove OAuth2TokenClaimsContext.Builder.claims() #731
- Remove OAuth2TokenIntrospectionClaimAccessor #725
- Remove support for "plain" code_challenge_method parameter (PKCE) #756
- Upgrade to Java 11 #694
⭐ New Features
- Add asciidoctor support for building documentation #690
- Add copyright notice to docs #742
- Add docs outline with Antora skeleton #554
- Add reference documentation #499
- Deploy documentation artifacts to docs.spring.io #695
- Enhance validation for configured Issuer #649
- How-to: Customize the OpenID Connect 1.0 UserInfo response #537
- How-to: Implement the core services with JPA #545
- ref-doc: Document Configuration Model #670
- ref-doc: Document Core Model / Components #671
- ref-doc: Document Getting Help #668
- ref-doc: Document Getting Started #669
- ref-doc: Document Overview #667
- ref-doc: Document Protocol Endpoints #672
- ref-doc: Reorganize the feature list #708
- Remove temporary OAuth2AccessTokenResponseHttpMessageConverter #726
- Simplify authorization server filter chain in samples #707
- Switch from Jenkins to GitHub Actions #691
- Update jdk version in Prerequisites #693
- Upgrade to Gradle 7 #572
- Use OAuth2ErrorCodes.INVALID_REDIRECT_URI #727
- Use OAuth2Token instead of AbstractOAuth2Token #733
🪲 Bug Fixes
- Javadoc search feature is broken in Java 11 #711
- There is a bug in the JPA usage guide code provided #697
🔨 Dependency Upgrades
- Update to com.squareup.okhttp3:4.9.3 #755
- Update to jackson-bom:2.13.3 #752
- Update to mockito-core:4.5.1 #754
- Update to nimbus-jose-jwt:9.22 #753
- Update to Spring Boot 2.7.0 #749
- Update to Spring Framework 5.3.20 #750
- Update to Spring Security 5.7.1 #751
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.3
⭐ New Features
- Apply default settings for public client type #656
- Decompose OAuth2ClientAuthenticationProvider #655
- Optimize InMemoryOAuth2AuthorizationService #654
- Federated Identity sample #641
- Use OAuth2TokenGenerator for OAuth2AuthorizationCode #639
- Add OAuth2TokenGenerator implementation for OAuth2RefreshToken #638
- Allow Token Introspection to be customized #630
- Introduce OAuth2TokenGenerator #628
- Add Assert.notNull() for AuthenticationProvider additions #530
- Support opaque access tokens #500
- Allow Token Introspection to be customized #493
- Seperate JWT Token generation #414
- Add a login with Google Authorization Server Sample #106
🪲 Bug Fixes
- Dynamic client registration should not generate client_secret for private_key_jwt #657
- /.well-known/openid-configuration endpoint Expected @transient Authentication #632
🔨 Dependency Upgrades
- Update to Reactor 2020.0.16 #661
- Update to Spring Security 5.5.5 #660
- Update to Spring Framework 5.3.16 #659
- Update to Spring Boot 2.5.10 #658
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
Contributors
transient
Assets 2
0.2.2
⭐ New Features
- Improve support for large data columns in JdbcOAuth2AuthorizationService #604
- Deprecate OAuth2TokenIntrospectionClaimAccessor #597
- Deprecate JwtEncoder and associated classes #596
- JdbcOAuth2AuthorizationService supports clob and text datatype for token columns #491
- Allow Token Revocation to be customized #490
- Adds userinfo_endpoint to authorization server metadata #489
- Authorization server metadata is missing userinfo_endpoint #488
- JdbcOAuth2AuthorizationService should support clob and text datatype for token columns #480
- Support resolving issuer from current request #479
- Allow Token Revocation to be customized #476
- Client authentication with JWT assertion #293
- Support JWT Bearer Client Authentication #59
🪲 Bug Fixes
- Missing
statein initial request + deny consent results in failure #595 - Throw invalid_grant when invalid token request with PKCE #581
- Default schema exceeds mysql row limits #550
- OAuth2ClientAuthenticationToken should not be persisted across requests #482
🔨 Dependency Upgrades
- Update to Jackson 2.12.6 #609
- Update to Spring Boot 2.5.9 #608
- Update to Reactor 2020.0.15 #607
- Update to Spring Security 5.5.4 #606
- Update to Spring Framework 5.3.15 #605
- Upgrade
io.spring.ge.conventionsto 0.0.9 #578 - Update gradle enterprise to 3.8 to address CVE-2021-45105. #547
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.1
⭐ New Features
- Allow subclassing OAuth2AuthenticationContext #492
- Restructure samples #485
- Update README.adoc #471
- Customize OAuth2AuthorizationConsent prior to saving #470
- Make OAuth2ClientAuthenticationToken @transient #450
- authenticationDetailsSource of OAuth2TokenEndpointFilter should be customizable #448
- Implement User Info Endpoint #441
- Make OAuth2AuthorizationConsent customizable #436
- authenticationDetailsSource of OAuth2TokenEndpointFilter should be customizable #431
- Implement Client Configuration Endpoint #427
- Removed an empty statement #421
- Implement Client Configuration Endpoint #355
- Implement UserInfo Endpoint #176
🪲 Bug Fixes
- Missing state parameter in Authorization Consent request throws 500 #503
- Fix registration access token cannot be deserialized #497
- Registration access token cannot be de-serialized when calling Client Configuration Endpoint #495
- Documentation links in README.adoc to Spring Security are broken #494
- Require code_verifier if code_challenge provided #465
- JdbcOAuth2AuthorizationService now uses LobCreator in findBy method #464
- Add support for deserializing LinkedHashSet #460
- Jackson throws IllegalArgumentException when loading OAuth2Authorization from JdbcOAuth2AuthorizationService #457
- JdbcOAuth2AuthorizationService.findBy should use LobCreatorArgumentPreparedStatementSetter #455
- Require code_verifier if code_challenge provided #453
- Update RegisteredClient.Builder to use getters #451
- OAuth2 token introspection assuming issuer claim is present #438
- Client secret double encoding issue when updating an existing registered client #433
- Refreshed access token is inactive after token revocation #432
- Fix cancel consent functionality on default consent page #411
- Cancel consent button does not submit form #393
- Client secret double encoding issue when updating an existing registered client #389
🔨 Dependency Upgrades
- Update to jackson-bom 2.12.5 #517
- Update to Spring Boot 2.5.7 #516
- Update Reactor to 2020.0.13 #515
- Update to Spring Security 5.5.3 #514
- Update to Spring Framework 5.3.13 #513
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
Contributors
transient
Assets 2
0.2.0
⭐ New Features
- Use OAuth2AuthenticationException(String errorCode) #402
- Replace stream usage with for loops #401
- Polish loopback address validation in DefaultRedirectUriOAuth2AuthenticationValidator #396
- Validate redirect_uri on dynamic client registration #392
- JdbcRegisteredClientRepository hashes client secret on save #381
- Provide capability for customizing client authentication #380
- Hash RegisteredClient client_secret on save #378
- Provide configuration for refresh token generator #377
- Provide configuration for authorization code generator #376
- Introduce OAuth2AuthenticationValidator #374
- Add post processor to register ProviderSettings @bean #373
- Add update support in JdbcRegisteredClientRepository #365
- Add update support in JdbcRegisteredClientRepository #356
🪲 Bug Fixes
- Authorization failure should not clear current Authentication #409
- The JDBC-based sample code does not work properly #385
- Do not issue refresh token to public client #379
- Remove use of deprecated ClientAuthenticationMethod's #350
- Cannot request access token for client with CLIENT_SECRET_BASIC #346
- OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public client #296
🔨 Dependency Upgrades
- Update to nimbus-jose-jwt 9.10.1 #408
- Update to jackson-bom 2.12.4 #407
- Update to Spring Boot 2.5.3 #406
- Update Reactor to 2020.0.10 #405
- Update to Spring Security 5.5.2 #404
- Update to Spring Framework 5.3.9 #403
⏪ Non-passive
- Disable Oidc client registration by default #398
- Move OAuth2AuthorizationCode #395
- Polish JwtEncoder APIs #391
- OAuth2ClientAuthenticationToken should support any type of credentials #382
- Remove Context.of() #375
- Extract constants from Settings implementations #369
- Remove OAuth2ErrorCodes2 #368
- Remove OAuth2RefreshToken2 #367
- Make Settings implementations immutable #366
- Use OAuth2Token in OAuth2Authorization #364
- Rename ClientSettings.requireUserConsent() to requireAuthorizationConsent() #363
- Remove deprecated code #362
- Remove OAuth2ParameterNames2 #361
- Make AuthenticationProvider implementations final #360
- Make Filter implementations final #359
- Reduce visibility of default endpoint URI constants #358
- Move AuthenticationConverter's to web.authentication package #357
- Rename OAuth2TokenIntrospectionClaimAccessor.getScope() to getScopes() #354
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
Contributors
bean
Assets 2
0.1.2
⭐ New Features
- Provide capability for customizing the authorization endpoint #342
- Update authorization server sample to use jdbc #337
- Provide sample based on JDBC #329
- Include WebAuthenticationDetails in token requests #322
- Provide capability for customizing the token endpoint #319
- Refresh token grant may issue ID token #318
- Provide JDBC implementation of OAuth2AuthorizationConsentService #314
- Provide JDBC implementation of OAuth2AuthorizationConsentService #313
- Provide JDBC implementation of OAuth2AuthorizationService #304
- JDBC implementation of RegisteredClientRepository #291
- Refresh token grant may issue ID token #287
- Provide configuration for custom Authorization Consent page #283
- Remember user consent and make consent page configurable #280
- Introduce integration tests for the sample oauth server #277
- Provide JDBC implementation of RegisteredClientRepository #265
- Provide JDBC implementation of OAuth2AuthorizationService #245
🪲 Bug Fixes
- Add jackson module for authorization server #331
- Attributes column of the authorization table is to small #328
- Fix NPE saving public client #327
- JdbcRegisteredClientRepository throws NPE when saving public client #326
- OAuth2AuthorizationCodeAuthenticationProvider does not properly deserialize OAuth2Authorization object attributes #324
- Temporarily fix expires_in for access token response #321
- Fix authorization code expired check #299
- OAuth2AuthorizationCodeAuthenticationProvider should check if the code has expired #290
- Oauth2 Client expects "expires_in" to be a number #281
🔨 Dependency Upgrades
- Update dependencies for 0.1.2 release #344
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.1.1
⭐ New Features
- master->main #284
- Use PasswordEncoder in OAuth2ClientAuthenticationProvider #272
- Use PasswordEncoder to verify client credentials #271
- Redirect URI validation for loopback address #244
- Redirect URI validation for loopback address #243
- Implement OpenID client registration endpoint #189
- Implement OAuth 2.0 Server Metadata (RFC 8414) #167
- Implement Token Introspection Endpoint #161
- Implement OpenID Connect 1.0 Client Registration Endpoint #57
- Implement OAuth 2.0 Authorization Server Metadata #54
- Implement Token Introspection Endpoint #52
🪲 Bug Fixes
- Sample auth server doesn't work #273
- Login page should not be configured in OAuth2AuthorizationServerConfigurer #267
- Scope "openid" should be in access token scopes #252
🔨 Dependency Upgrades
- Use nimbus-jose-jwt and oauth2-oidc-sdk versions from spring-security #257
- Align dependencies with the version of Spring Security being used #256
- Bump Jacoco to 0.8.6 #246
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.1.0
⭐ New Features
- Propagate additional token request parameters #226
- openid scope should not require user consent #225
- Set iss claim in Jwt using configured issuer #223
- Add OAuth2Authorization.id #220
- Introduce base Authentication for authorization grant #216
- Add JoseHeader.builder() #215
- Use configuration from ProviderSettings in OAuth2AuthorizationServerConfigurer #201
- Use ProviderSettings in OAuth2AuthorizationServerConfigurer #182
- Allow customizing Jwt claims and headers #173
- Register SecurityFilterChain instead of WebSecurityConfigurerAdapter #163
- Implement OpenID Provider Configuration endpoint #143
- Add client secret POST authentication method support #140
- Support client authentication method POST #134
- Implement OpenID Provider Configuration endpoint #55
- Implement OpenID Connect 1.0 Authorization Code Flow #53
🪲 Bug Fixes
- OAuth2AccessToken.scopes includes authorized or requested scopes #224
- InMemoryOAuth2AuthorizationService.save() should support insert and update #222
- JwkSet endpoint returns empty keys #198
- token_type_hint should be used as a hint only #188
- token_type_hint should be used as a hint only #175
- Unknown token_type_hint should be ignored #174
- Configured TokenSettings.accessTokenTimeToLive() not used #172
- Ensure refresh token is not revoked #169
- Refresh token should not be issued if client is not configured with refresh_token grant type#155 #168
- Ensure refresh token is not revoked #158
- Refresh token should not be issued if client is not configured with refresh_token grant type #155
- Sample not working with Spring Boot 2.4.0 #154
- Building the project fails #153
🔨 Dependency Upgrades
- Update to json-path 2.4.0 #239
- Update to okhttp3:okhttp 3.14.9 #238
- Update to okhttp3:mockwebserver 3.14.9 #237
- Update to mockito-core 3.6.28 #236
- Update to assertj-core 3.18.1 #235
- Update to junit 4.13.1 #234
- Update to javax.servlet-api 4.0.1 #233
- Update to nimbus-jose-jwt 9.1.3 #232
- Update to oauth2-oidc-sdk 8.23.1 #231
- Update to Reactor 2020.0.3 #230
- Update to Spring Security 5.4.2 #229
- Update to Spring Framework 5.3.3 #228
- Update to Spring Boot 2.4.2 #227
⏪ Non-passive
- Improve naming of KeyManager and ManagedKey #105
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.0.3
⭐ New Features
- Reuse client authentication assertion #144
- Enforce one-time use for authorization code #138
- Introduce OAuth2Tokens #137
- Add Refresh Token grant support #128
- Implement Token Revocation Endpoint #84
- Implement Token Revocation Endpoint #83
- Add Refresh Token Grant #50
❤️ Contributors
We'd like to thank all the contributors who worked on this release!