View Source Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning according to OAuth / OpenID connect specifications, changes may break in order to comply with those.

[2.3.3] - 2024-03-20

Removed

removed analytics gathering repl on boruta.gen.migration task

Security

revoke previous issued tokens in case of code replay

[2.3.2] - 2023-12-23

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

clients have a metadata attribute where one can store json objects
according to OpenID Connect core 1.0, clients have a logo_uri attribute
boruta.gen.migration triggers a form to get statistics about boruta usage

[2.3.1] - 2023-04-24

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Fixed

public key is optional for oauth clients

[2.3.0] - 2023-04-09

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

configuration and support for client authentication methods (client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt) RFC 7521, RFC 7523
dynamic client registration support OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1
handle userinfo signed responses
client key pair regeneration admin function Admin.regenerate_client_key_pair/1,3

[2.2.2] - 2022-10-25

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

allow lower case bearer authorization header
prompt=none management for authorization code grant requests
store the previous code associated with the delivered access token in authorization code grants
prompt=none management for authorization code grant requests

[2.2.1] - 2022-10-16

Security

remove symmetric keys from openid jwks

[2.2.0] - 2022-09-13

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.
Upgrade to this version need you to invalidate the cache by running Boruta.Config.cache_backend().delete_all()

Added

confidential client management as stated in OAuth 2.0 RFC, documented here. It defaults to false (already existing clients will not be confidential)
token as the created Boruta.Oauth.Token attribute in Boruta.Oauth.TokenResponse

Changed

client credentials does not check client secret by default anymore, the client has to be set as confidential to do so

Security

enable refresh token rotation, revoke previous refresh token on successful refresh token requests
fix redirect_uri injection in implicit, hybrid and code grants

[2.1.5] - 2022-06-15

Added

id tokens include kid header with the corresponding client id
Boruta.Oauth.ResourceOwner extra_claims attribute that defines claims to be included in id tokens

Security

do not not issue an access token in authorization code and hybrid grants if code was issued to an other client

Fixed

id token at_hash and c_hash binary sizes for SHA256 and SHA384 signature hash algorithms

[2.1.4] - 2022-06-07

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

handle response_mode in hybrid requests
client id_token validation for ecto adapter
per client id token signature algorithm configuration (introduce a database schema change)

Changed

prefer invalid_grant to invalid_code and invalid_refresh_token
error messages have been improved

[2.1.3] - 2022-05-17

Added

handle response_mode in hybrid requests errors

Fixed

respond to authorize requests with token_type only when an access token is returned
generated migrations can be rollbacked
clients pkey constraint do not crash on admin create

[2.1.2] - 2022-05-02

Fixed

hybrid requests shall return all errors as fragment

[2.1.1] - 2022-04-30

Fixed

dialyzer warning on Boruta.Oauth.Error struct type

[2.1.0] - 2022-04-29

Added

OpenID Connect jwks endpoint domain and application layer generation
OpenID Connect userinfo endpoint domain and application layer generation

Fixed

OpenID Connect prompt=none login_required errors in domain

[2.0.1] - 2022-04-12

Added

expose Boruta.Oauth.Client.grant_types/0
expose Boruta.Oauth.IdToken.signature_alg/0 and Boruta.Oauth.IdToken.hash_alg/0

Changed

Admin.delete_inactive_tokens/0,1 does not return deleted tokens

Fixed

generated openid authorize controller prompt=none error params type

[2.0.0] - 2022-01-26

Added

Boruta.Ecto.Admin.get_scopes_by_names/1
Boruta.Ecto.Admin.regenerate_client_secret/1,2
Boruta.Ecto.Admin.delete_inactive_tokens/0,1
Boruta.Ecto.Client.grant_types/0
ability to insert/update clients with given id/secret
inserting/updating a client inserts non existing authorized_scopes
oauth_module injection in boruta.gen.controllers generated controllers default to Boruta.Oauth

Changed

store previous token while refreshing access tokens (need to run boruta.gen.migration mix task to be up to date)
Boruta.Ecto.Admin.list_active_tokens/0,1 returns query result instead of an Ecto.Query
Boruta.Oauth.ResourceOwners.claims/2 callback takes a Boruta.Oauth.ResourceOwner struct instead of sub as parameter

[2.0.0-rc.1] - 2021-11-17

Fixed

better Ecto errors management
remove padding from pkce code challenge checks
reduce resource_owners adapter calls

Added

domain wildcard for client redirect_uris

Removed

Ecto ClientsAdapter.get_by(id: id, secret: secret) is removed in preference of ClientsAdapter.get_client(id) and Oauth.Client.check_secret(client, secret).
Ecto ClientsAdapter.get_by(id: id, redirect_uri: redirect_uri) is removed in preference of ClientsAdapter.get_client(id) and Oauth.Client.check_redirect_uri(client, redirect_uri).

[2.0.0-rc.0] 2021-10-12

Added

OpenID Connect core 1.0 integration
- hybrid flow
- authorization code and implicit grants with OpenID Connect compatibility
public_revoke per client configuration allowing to revoke tokens without providing client secret.
introspect and revoke supported grant types per client configuration.

Changed

Boruta.Oauth.AuthorizeResponse and Boruta.Oauth.TokenResponse do not provide token value in value field but prefer giving value by token type code, access_token or id_token.
```
%AuthorizeResponse{
 type: "code",
 value: value,
 expires_in: 60
}
```
becomes
```
%AuthorizeResponse{
 type: :code,
 code: value,
 expires_in: 60
}
```
add nonce column to tokens
default column values migrations
migration management boruta.gen.migrations does incremental changes

Security

codes are revoked after first usage

Fixed

boruta.gen.controllers generated paths in umbrella apps

[1.2.1] - 2021-10-10

Security

remove redirect_uris regex pattern check

[1.2.0] - 2021-09-15

Added

public_refresh_token per client configuration allowing to refresh tokens without providing client secret.
refresh_token_ttl per client configuration setting refresh tokens duration (along with refresh_tokne_max_ttl :boruta mix configuration).
issuer :boruta mix configuration.

Fixed

boruta.gen.controllers generated paths in umbrella apps.
Refreshed tokens has associated access_token scope as default.
Requests with no client secret won't raise an error.

Changed

invalid_client do not return neither format, nor redirect_uri in Boruta.Oauth.Error.

[1.1.0] - 2021-08-16

Added

AuthorizeApplication, IntrospectApplication, RevokeApplication, and TokenApplication behaviours allowing to implement separately different OAuth use cases.
list_active_tokens Ecto admin function
Boruta.AccessTokensAdapter, Boruta.CodesAdapter, Boruta.ClientsAdapter, and Boruta.ScopesAdapter encapsulating adapters that are set in configuration.
Boruta.Oauth.AuthorizeResponse.redirect_to_url/1 function
Boruta.Oauth.Error.redirect_to_url/1 function
boruta.gen.controllers mix task
Boruta.Ecto schemas documentation

Security

do not issue access_tokens from other clients refresh tokens

Fixed

Internal server errors when no client_id provided to token and refresh_token grants

[1.0.3] - 2021-07-29

Security

Refresh token revocation

[1.0.2] - 2021-06-29

Added

Different OAuth flows integration guides

[1.0.1] - 2021-03-10

Fixed

Migration fix generated by mix boruta.gen.migration task

Added

Documentation

[1.0.0] - 2021-03-10

← Previous Page Migration from 1.X

Settings View Source Changelog

[2.3.3] - 2024-03-20

Removed

Security

[2.3.2] - 2023-12-23

Added

[2.3.1] - 2023-04-24

Fixed

[2.3.0] - 2023-04-09

Added

[2.2.2] - 2022-10-25

Added

[2.2.1] - 2022-10-16

Security

[2.2.0] - 2022-09-13

Added

Changed

Security

[2.1.5] - 2022-06-15

Added

Security

Fixed

[2.1.4] - 2022-06-07

Added

Changed

[2.1.3] - 2022-05-17

Added

Fixed

[2.1.2] - 2022-05-02

Fixed

[2.1.1] - 2022-04-30

Fixed

[2.1.0] - 2022-04-29

Added

Fixed

[2.0.1] - 2022-04-12

Added

Changed

Fixed

[2.0.0] - 2022-01-26

Added

Changed

[2.0.0-rc.1] - 2021-11-17

Fixed

Added

Removed

[2.0.0-rc.0] 2021-10-12

Added

Changed

Security

Fixed

[1.2.1] - 2021-10-10

Security

[1.2.0] - 2021-09-15

Added

Fixed

Changed

[1.1.0] - 2021-08-16

Added

Security

Fixed

[1.0.3] - 2021-07-29

Security

[1.0.2] - 2021-06-29

Added

[1.0.1] - 2021-03-10

Fixed

Added

[1.0.0] - 2021-03-10

View Source Changelog