IdentityServer Releases

Released: May 7, 2025

What's new in v7.2.3

Bug fixes

  • Fixed a regression where multiple WWW-Authenticate headers were issued.

Released: Apr 30, 2025

What's new in v7.2.2

Features

  • Hardened the default configuration that controls log redaction of parameters passed to the Pushed Authorization (PAR) and Authorize endpoints, ensuring that client secrets and client assertions are not logged by default.
    • In particular, the default values of AuthorizeRequestSensitiveValuesFilter and PushedAuthorizationSensitiveValuesFilter have both been changed to ["client_secret", "client_assertion", "id_token_hint"].
    • PAR requests sometimes are handled by the same...

Released: Apr 16, 2025

What's new in v7.2.1

Bug fixes

  • Fixed a bug where a private_key_jwt client authentication token would be rejected if it had no typ header, even if strict validation of such tokens was not enabled.

Released: Mar 18, 2025

What's new in v7.2.0

Features

  • Optional strict validation of private_key_jwt audiences, implementing RFC 7523 bis.
    • (RFC 7523 bis is a proposed update to RFC 7523 that proposes two new requirements for private_key_jwt client assertions.)
  • Optional caching of the discovery endpoint.
  • Less log noise when issuing the use_dpop_nonce response from the token endpoint.

Bug fixes

  • Bug fixes and optimizations.