Releases: spring-projects/spring-authorization-server
0.4.0-M2
⭐ New Features
- Return registration_endpoint in OidcProviderConfigurationEndpointFilter #881
- Allow customizing Authorization Server Metadata Response #878
- Validate client secret expired or not #862
- Check client secret not expired in ClientSecretAuthenticationProvider #850
- Use configured ID Token signature algorithm #787
- Ability to modify OIDC provider configuration #616
- Allow adding an AuthenticationProvider and AuthenticationConverter #417
- Return registration_endpoint in OidcProviderConfigurationEndpointFilter #370
🔨 Dependency Upgrades
- Update to okhttp:4.10.0 #904
- Update to mockito-core:4.8.0 #903
- Update to assertj-core:3.23.1 #902
- Update to jackson-bom:2.13.4 #901
- Update to nimbus-jose-jwt:9.24.4 #900
- Update to Spring Security 5.8.0-M3 #899
- Update to Spring Framework 5.3.23 #898
⏪ Non-passive
- Decompose OAuth2AuthorizationCodeRequestAuthenticationProvider #896
- Remove OAuth2AuthenticationValidator #891
- Make OAuth2AuthenticationContext an interface #890
- Remove constructor in OidcProviderConfigurationEndpointFilter #869
- Remove constructor in OAuth2AuthorizationServerMetadataEndpointFilter #868
- Make AuthorizationServerContext an interface #867
- Make AuthorizationServerContextFilter private #866
- Rename ProviderContext #865
- Rename ProviderSettings #864
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
1.0.0-M1
⭐ New Features
🔨 Dependency Upgrades
- Update to org.hsqldb:hsqldb:2.6.1 #843
- Update to com.squareup.okhttp3:okhttp:4.10.0 #842
- Update to mockito-core:4.6.1 #841
- Update to assertj-core:3.23.1 #840
- Update to nimbus-jose-jwt:9.23 #839
- Update to jakarta.servlet-api:5.0.0 #838
- Update to thymeleaf-extras-springsecurity6 #837
- Update to Spring Security 6.0.0-M6 #836
- Update to Spring Framework 6.0.0-M5 #835
- Update to Spring Boot 3.0.0-M4 #834
0.4.0-M1
⭐ New Features
- Enhance samples to call UserInfo endpoint #847
- Update custom consent page sample #802
- Add the time-to-live config for an authorization code at TokenSettings #786
- Allow configuration for authorization code time-to-live #642
🪲 Bug Fixes
- Registered scopes should not be defaulted for client_credentials grant #780
- Make the default scope empty for client_credentials grant #738
🔨 Dependency Upgrades
- Update to nimbus-jose-jwt:9.23 #857
- Update to Spring Security 5.8.0-M2 #856
- Update to Spring Framework 5.3.22 #855
- Update Gradle Enterprise plugin #788
⏪ Non-passive
- Remove generic type from OAuth2AuthorizationServerConfigurer #831
- Remove OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME #829
- Rename JwtEncodingContext.getHeaders() to getJwsHeader() #826
- Make builders final for AbstractSettings implementations #825
- Make OAuth2TokenIntrospectionEndpointConfigurer.getRequestMatcher() package-private #824
- Relocate and rename Version #823
- Relocate OAuth2TokenFormat #822
- Relocate OAuth2TokenType #821
- Relocate OAuth2AuthorizationCode #820
- Relocate OAuth2TokenIntrospection #819
- Relocate OidcUserInfoHttpMessageConverter #818
- Relocate OidcClientRegistration #817
- Relocate OidcProviderConfiguration #816
- Relocate OAuth2AuthorizationServerMetadata #815
- Relocate classes out from oauth2.core.context package #814
- Relocate classes out from oauth2.core.authentication package #813
- Relocate classes out from oauth2.core package #812
- Move AbstractSettings implementations to settings package #811
- Relocate classes out from config.annotation package #810
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.3.1
⭐ New Features
- OpenID Provider Configuration response should return introspection_endpoint #779
- Add authenticationDetailsSource to AuthorizationEndpointFilter #768
- Add the possibility to add at_hash claim to ID Token #744
- Add token revocation endpoint to OpenID Provider Configuration endpoint #710
- OpenID Provider Configuration endpoint should include the revocation token endpoint #687
- Improve error message when redirect_uri contains localhost #680
🪲 Bug Fixes
- PKCE token request with no code_challenge_method results in 400 with "server_error" #770
🔨 Dependency Upgrades
- Downgrade to hsqldb:2.5.2 #771
⏪ Non-passive
- Downgrade to Java 8 #761
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.3.0
⏪ Breaking Changes
- Change interface that only contains constants to final class #728
- Move OAuth2TokenCustomizer to token package #730
- Remove deprecations #732
- Remove JwtEncoder and associated classes #724
- Remove OAuth2TokenClaimsContext.Builder.claims() #731
- Remove OAuth2TokenIntrospectionClaimAccessor #725
- Remove support for "plain" code_challenge_method parameter (PKCE) #756
- Upgrade to Java 11 #694
⭐ New Features
- Add asciidoctor support for building documentation #690
- Add copyright notice to docs #742
- Add docs outline with Antora skeleton #554
- Add reference documentation #499
- Deploy documentation artifacts to docs.spring.io #695
- Enhance validation for configured Issuer #649
- How-to: Customize the OpenID Connect 1.0 UserInfo response #537
- How-to: Implement the core services with JPA #545
- ref-doc: Document Configuration Model #670
- ref-doc: Document Core Model / Components #671
- ref-doc: Document Getting Help #668
- ref-doc: Document Getting Started #669
- ref-doc: Document Overview #667
- ref-doc: Document Protocol Endpoints #672
- ref-doc: Reorganize the feature list #708
- Remove temporary OAuth2AccessTokenResponseHttpMessageConverter #726
- Simplify authorization server filter chain in samples #707
- Switch from Jenkins to GitHub Actions #691
- Update jdk version in Prerequisites #693
- Upgrade to Gradle 7 #572
- Use OAuth2ErrorCodes.INVALID_REDIRECT_URI #727
- Use OAuth2Token instead of AbstractOAuth2Token #733
🪲 Bug Fixes
- Javadoc search feature is broken in Java 11 #711
- There is a bug in the JPA usage guide code provided #697
🔨 Dependency Upgrades
- Update to com.squareup.okhttp3:4.9.3 #755
- Update to jackson-bom:2.13.3 #752
- Update to mockito-core:4.5.1 #754
- Update to nimbus-jose-jwt:9.22 #753
- Update to Spring Boot 2.7.0 #749
- Update to Spring Framework 5.3.20 #750
- Update to Spring Security 5.7.1 #751
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.3
⭐ New Features
- Apply default settings for public client type #656
- Decompose OAuth2ClientAuthenticationProvider #655
- Optimize InMemoryOAuth2AuthorizationService #654
- Federated Identity sample #641
- Use OAuth2TokenGenerator for OAuth2AuthorizationCode #639
- Add OAuth2TokenGenerator implementation for OAuth2RefreshToken #638
- Allow Token Introspection to be customized #630
- Introduce OAuth2TokenGenerator #628
- Add Assert.notNull() for AuthenticationProvider additions #530
- Support opaque access tokens #500
- Allow Token Introspection to be customized #493
- Separate JWT Token generation #414
- Add a login with Google Authorization Server Sample #106
🪲 Bug Fixes
- Dynamic client registration should not generate client_secret for private_key_jwt #657
- /.well-known/openid-configuration endpoint Expected @Transient Authentication #632
🔨 Dependency Upgrades
- Update to Reactor 2020.0.16 #661
- Update to Spring Security 5.5.5 #660
- Update to Spring Framework 5.3.16 #659
- Update to Spring Boot 2.5.10 #658
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.2
⭐ New Features
- Improve support for large data columns in JdbcOAuth2AuthorizationService #604
- Deprecate OAuth2TokenIntrospectionClaimAccessor #597
- Deprecate JwtEncoder and associated classes #596
- JdbcOAuth2AuthorizationService supports clob and text datatype for token columns #491
- Allow Token Revocation to be customized #490
- Adds userinfo_endpoint to authorization server metadata #489
- Authorization server metadata is missing userinfo_endpoint #488
- JdbcOAuth2AuthorizationService should support clob and text datatype for token columns #480
- Support resolving issuer from current request #479
- Allow Token Revocation to be customized #476
- Client authentication with JWT assertion #293
- Support JWT Bearer Client Authentication #59
🪲 Bug Fixes
- Missing state in initial request + deny consent results in failure #595
- Throw invalid_grant when invalid token request with PKCE #581
- Default schema exceeds mysql row limits #550
- OAuth2ClientAuthenticationToken should not be persisted across requests #482
🔨 Dependency Upgrades
- Update to Jackson 2.12.6 #609
- Update to Spring Boot 2.5.9 #608
- Update to Reactor 2020.0.15 #607
- Update to Spring Security 5.5.4 #606
- Update to Spring Framework 5.3.15 #605
- Upgrade io.spring.ge.conventions to 0.0.9 #578
- Update Gradle Enterprise to 3.8 to address CVE-2021-45105. #547
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.1
⭐ New Features
- Allow subclassing OAuth2AuthenticationContext #492
- Restructure samples #485
- Update README.adoc #471
- Customize OAuth2AuthorizationConsent prior to saving #470
- Make OAuth2ClientAuthenticationToken @Transient #450
- authenticationDetailsSource of OAuth2TokenEndpointFilter should be customizable #448
- Implement User Info Endpoint #441
- Make OAuth2AuthorizationConsent customizable #436
- authenticationDetailsSource of OAuth2TokenEndpointFilter should be customizable #431
- Implement Client Configuration Endpoint #427
- Removed an empty statement #421
- Implement Client Configuration Endpoint #355
- Implement UserInfo Endpoint #176
🪲 Bug Fixes
- Missing state parameter in Authorization Consent request throws 500 #503
- Fix registration access token cannot be deserialized #497
- Registration access token cannot be de-serialized when calling Client Configuration Endpoint #495
- Documentation links in README.adoc to Spring Security are broken #494
- Require code_verifier if code_challenge provided #465
- JdbcOAuth2AuthorizationService now uses LobCreator in findBy method #464
- Add support for deserializing LinkedHashSet #460
- Jackson throws IllegalArgumentException when loading OAuth2Authorization from JdbcOAuth2AuthorizationService #457
- JdbcOAuth2AuthorizationService.findBy should use LobCreatorArgumentPreparedStatementSetter #455
- Require code_verifier if code_challenge provided #453
- Update RegisteredClient.Builder to use getters #451
- OAuth2 token introspection assuming issuer claim is present #438
- Client secret double encoding issue when updating an existing registered client #433
- Refreshed access token is inactive after token revocation #432
- Fix cancel consent functionality on default consent page #411
- Cancel consent button does not submit form #393
- Client secret double encoding issue when updating an existing registered client #389
🔨 Dependency Upgrades
- Update to jackson-bom 2.12.5 #517
- Update to Spring Boot 2.5.7 #516
- Update Reactor to 2020.0.13 #515
- Update to Spring Security 5.5.3 #514
- Update to Spring Framework 5.3.13 #513
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.0
⭐ New Features
- Use OAuth2AuthenticationException(String errorCode) #402
- Replace stream usage with for loops #401
- Polish loopback address validation in DefaultRedirectUriOAuth2AuthenticationValidator #396
- Validate redirect_uri on dynamic client registration #392
- JdbcRegisteredClientRepository hashes client secret on save #381
- Provide capability for customizing client authentication #380
- Hash RegisteredClient client_secret on save #378
- Provide configuration for refresh token generator #377
- Provide configuration for authorization code generator #376
- Introduce OAuth2AuthenticationValidator #374
- Add post processor to register ProviderSettings @Bean #373
- Add update support in JdbcRegisteredClientRepository #365
- Add update support in JdbcRegisteredClientRepository #356
🪲 Bug Fixes
- Authorization failure should not clear current Authentication #409
- The JDBC-based sample code does not work properly #385
- Do not issue refresh token to public client #379
- Remove use of deprecated ClientAuthenticationMethod's #350
- Cannot request access token for client with CLIENT_SECRET_BASIC #346
- OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public client #296
🔨 Dependency Upgrades
- Update to nimbus-jose-jwt 9.10.1 #408
- Update to jackson-bom 2.12.4 #407
- Update to Spring Boot 2.5.3 #406
- Update Reactor to 2020.0.10 #405
- Update to Spring Security 5.5.2 #404
- Update to Spring Framework 5.3.9 #403
⏪ Non-passive
- Disable Oidc client registration by default #398
- Move OAuth2AuthorizationCode #395
- Polish JwtEncoder APIs #391
- OAuth2ClientAuthenticationToken should support any type of credentials #382
- Remove Context.of() #375
- Extract constants from Settings implementations #369
- Remove OAuth2ErrorCodes2 #368
- Remove OAuth2RefreshToken2 #367
- Make Settings implementations immutable #366
- Use OAuth2Token in OAuth2Authorization #364
- Rename ClientSettings.requireUserConsent() to requireAuthorizationConsent() #363
- Remove deprecated code #362
- Remove OAuth2ParameterNames2 #361
- Make AuthenticationProvider implementations final #360
- Make Filter implementations final #359
- Reduce visibility of default endpoint URI constants #358
- Move AuthenticationConverter's to web.authentication package #357
- Rename OAuth2TokenIntrospectionClaimAccessor.getScope() to getScopes() #354
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.1.2
⭐ New Features
- Provide capability for customizing the authorization endpoint #342
- Update authorization server sample to use jdbc #337
- Provide sample based on JDBC #329
- Include WebAuthenticationDetails in token requests #322
- Provide capability for customizing the token endpoint #319
- Refresh token grant may issue ID token #318
- Provide JDBC implementation of OAuth2AuthorizationConsentService #314
- Provide JDBC implementation of OAuth2AuthorizationConsentService #313
- Provide JDBC implementation of OAuth2AuthorizationService #304
- JDBC implementation of RegisteredClientRepository #291
- Refresh token grant may issue ID token #287
- Provide configuration for custom Authorization Consent page #283
- Remember user consent and make consent page configurable #280
- Introduce integration tests for the sample oauth server #277
- Provide JDBC implementation of RegisteredClientRepository #265
- Provide JDBC implementation of OAuth2AuthorizationService #245
🪲 Bug Fixes
- Add jackson module for authorization server #331
- Attributes column of the authorization table is too small #328
- Fix NPE saving public client #327
- JdbcRegisteredClientRepository throws NPE when saving public client #326
- OAuth2AuthorizationCodeAuthenticationProvider does not properly deserialize OAuth2Authorization object attributes #324
- Temporarily fix expires_in for access token response #321
- Fix authorization code expired check #299
- OAuth2AuthorizationCodeAuthenticationProvider should check if the code has expired #290
- OAuth2 Client expects "expires_in" to be a number #281
🔨 Dependency Upgrades
- Update dependencies for 0.1.2 release #344
❤️ Contributors
We'd like to thank all the contributors who worked on this release!