View Source Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning according to OAuth / OpenID connect specifications, changes may break in order to comply with those.

[2.3.3] - 2024-03-20

Removed

  • removed analytics gathering repl on boruta.gen.migration task

Security

  • revoke previous issued tokens in case of code replay

[2.3.2] - 2023-12-23

  • Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

  • clients have a metadata attribute where one can store json objects
  • according to OpenID Connect core 1.0, clients have a logo_uri attribute
  • boruta.gen.migration triggers a form to get statistics about boruta usage

[2.3.1] - 2023-04-24

  • Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Fixed

  • public key is optional for oauth clients

[2.3.0] - 2023-04-09

  • Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

[2.2.2] - 2022-10-25

  • Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

  • allow lower case bearer authorization header
  • prompt=none management for authorization code grant requests
  • store the previous code associated with the delivered access token in authorization code grants
  • prompt=none management for authorization code grant requests

[2.2.1] - 2022-10-16

Security

  • remove symmetric keys from openid jwks

[2.2.0] - 2022-09-13

  • Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.
  • Upgrade to this version need you to invalidate the cache by running Boruta.Config.cache_backend().delete_all()

Added

Changed

  • client credentials does not check client secret by default anymore, the client has to be set as confidential to do so

Security

  • enable refresh token rotation, revoke previous refresh token on successful refresh token requests
  • fix redirect_uri injection in implicit, hybrid and code grants

[2.1.5] - 2022-06-15

Added

  • id tokens include kid header with the corresponding client id
  • Boruta.Oauth.ResourceOwner extra_claims attribute that defines claims to be included in id tokens

Security

  • do not not issue an access token in authorization code and hybrid grants if code was issued to an other client

Fixed

  • id token at_hash and c_hash binary sizes for SHA256 and SHA384 signature hash algorithms

[2.1.4] - 2022-06-07

Note that you must run the boruta.gen.migration task to keep your database schema up to date while upgrading to this version.

Added

  • handle response_mode in hybrid requests
  • client id_token validation for ecto adapter
  • per client id token signature algorithm configuration (introduce a database schema change)

Changed

  • prefer invalid_grant to invalid_code and invalid_refresh_token
  • error messages have been improved

[2.1.3] - 2022-05-17

Added

  • handle response_mode in hybrid requests errors

Fixed

  • respond to authorize requests with token_type only when an access token is returned
  • generated migrations can be rollbacked
  • clients pkey constraint do not crash on admin create

[2.1.2] - 2022-05-02

Fixed

  • hybrid requests shall return all errors as fragment

[2.1.1] - 2022-04-30

Fixed

[2.1.0] - 2022-04-29

Added

  • OpenID Connect jwks endpoint domain and application layer generation
  • OpenID Connect userinfo endpoint domain and application layer generation

Fixed

  • OpenID Connect prompt=none login_required errors in domain

[2.0.1] - 2022-04-12

Added

Changed

  • Admin.delete_inactive_tokens/0,1 does not return deleted tokens

Fixed

  • generated openid authorize controller prompt=none error params type

[2.0.0] - 2022-01-26

Added

  • Boruta.Ecto.Admin.get_scopes_by_names/1
  • Boruta.Ecto.Admin.regenerate_client_secret/1,2
  • Boruta.Ecto.Admin.delete_inactive_tokens/0,1
  • Boruta.Ecto.Client.grant_types/0
  • ability to insert/update clients with given id/secret
  • inserting/updating a client inserts non existing authorized_scopes
  • oauth_module injection in boruta.gen.controllers generated controllers default to Boruta.Oauth

Changed

  • store previous token while refreshing access tokens (need to run boruta.gen.migration mix task to be up to date)
  • Boruta.Ecto.Admin.list_active_tokens/0,1 returns query result instead of an Ecto.Query
  • Boruta.Oauth.ResourceOwners.claims/2 callback takes a Boruta.Oauth.ResourceOwner struct instead of sub as parameter

[2.0.0-rc.1] - 2021-11-17

Fixed

  • better Ecto errors management
  • remove padding from pkce code challenge checks
  • reduce resource_owners adapter calls

Added

  • domain wildcard for client redirect_uris

Removed

  • Ecto ClientsAdapter.get_by(id: id, secret: secret) is removed in preference of ClientsAdapter.get_client(id) and Oauth.Client.check_secret(client, secret).
  • Ecto ClientsAdapter.get_by(id: id, redirect_uri: redirect_uri) is removed in preference of ClientsAdapter.get_client(id) and Oauth.Client.check_redirect_uri(client, redirect_uri).

[2.0.0-rc.0] 2021-10-12

Added

  • OpenID Connect core 1.0 integration
    • hybrid flow
    • authorization code and implicit grants with OpenID Connect compatibility
  • public_revoke per client configuration allowing to revoke tokens without providing client secret.
  • introspect and revoke supported grant types per client configuration.

Changed

  • Boruta.Oauth.AuthorizeResponse and Boruta.Oauth.TokenResponse do not provide token value in value field but prefer giving value by token type code, access_token or id_token.
    %AuthorizeResponse{
     type: "code",
     value: value,
     expires_in: 60
    }
    becomes
    %AuthorizeResponse{
     type: :code,
     code: value,
     expires_in: 60
    }
  • add nonce column to tokens
  • default column values migrations
  • migration management boruta.gen.migrations does incremental changes

Security

  • codes are revoked after first usage

Fixed

  • boruta.gen.controllers generated paths in umbrella apps

[1.2.1] - 2021-10-10

Security

  • remove redirect_uris regex pattern check

[1.2.0] - 2021-09-15

Added

  • public_refresh_token per client configuration allowing to refresh tokens without providing client secret.
  • refresh_token_ttl per client configuration setting refresh tokens duration (along with refresh_tokne_max_ttl :boruta mix configuration).
  • issuer :boruta mix configuration.

Fixed

  • boruta.gen.controllers generated paths in umbrella apps.
  • Refreshed tokens has associated access_token scope as default.
  • Requests with no client secret won't raise an error.

Changed

[1.1.0] - 2021-08-16

Added

Security

  • do not issue access_tokens from other clients refresh tokens

Fixed

  • Internal server errors when no client_id provided to token and refresh_token grants

[1.0.3] - 2021-07-29

Security

  • Refresh token revocation

[1.0.2] - 2021-06-29

Added

  • Different OAuth flows integration guides

[1.0.1] - 2021-03-10

Fixed

Added

  • Documentation

[1.0.0] - 2021-03-10