Full Changelog: v2.8.0...v2.8.3
Bug Fixes
OIDC: Reverted default scope to openid email profile (#391)
The OIDC_SCOPE default fallback was changed in v2.8.0 to include groups, which caused invalid_scope errors with providers that do not support that scope (e.g. Google, Apple).
The default has been reverted to openid email profile. The groups scope can still be added via the OIDC_SCOPE environment variable for providers that support it (e.g. Authentik, Keycloak).
Affected file: server/src/routes/oidc.ts
Documentation
- Corrected the OIDC_SCOPE default value in server/.env.example and README.md to match the actual runtime default.
- Clarified that OIDC_SCOPE overrides the entire scope string rather than appending to it.
- CI pipeline now skips the Docker build/publish step for documentation-only pushes.
- Removed stale AUDIT_FINDINGS.md from the repository root.
Internal / Tests
- Updated integration test TRIP-002 to reflect the correct 7-day default window behaviour introduced in v2.8.0.
Upgrade Notes
No database migrations or breaking changes. Drop-in replacement for v2.8.0.
If you are using a custom OIDC_SCOPE that includes groups, your configuration is unaffected. Only deployments that relied on the (broken) default fallback need to re-verify their OIDC login flow.
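As an added illustration of the two points above (the reverted default and OIDC_SCOPE replacing rather than appending to the scope string), the following TypeScript is example code written for these notes, not the project's server/src/routes/oidc.ts. The function names, the constructed discovery document and the endpoint URLs are assumptions; the use of the provider's optional scopes_supported discovery field to spot a scope the provider would reject with invalid_scope before redirecting is a general OIDC Discovery mechanism, not something the release itself implements.

```typescript
// Example code, not the project's implementation. Function names are assumptions.

// v2.8.3 default fallback; "groups" is deliberately absent because providers such
// as Google or Apple reject it with invalid_scope.
const DEFAULT_OIDC_SCOPE = "openid email profile";

// OIDC_SCOPE replaces the whole string; it does not append to the default.
function resolveOidcScopes(env: Record<string, string | undefined>): string[] {
  const raw = (env.OIDC_SCOPE ?? DEFAULT_OIDC_SCOPE).trim();
  // Split on whitespace, drop empties and duplicates while keeping order.
  const scopes = raw.split(/\s+/).filter((s, i, all) => s !== "" && all.indexOf(s) === i);
  // An OpenID Connect request must carry "openid"; a custom value that drops it
  // fails at every login, so refuse it at startup instead.
  if (!scopes.includes("openid")) {
    throw new Error(`OIDC_SCOPE must include "openid", got: "${raw}"`);
  }
  return scopes;
}

// scopes_supported is an optional field of the provider's discovery document
// (/.well-known/openid-configuration). When the provider advertises it, scopes
// it will reject can be reported before any user is redirected.
function unsupportedScopes(
  scopes: string[],
  discovery: { scopes_supported?: string[] },
): string[] {
  if (!discovery.scopes_supported) return []; // not advertised: cannot check
  const supported = new Set(discovery.scopes_supported);
  return scopes.filter((s) => !supported.has(s));
}

// Builds the authorization request; the resolved scopes are joined with spaces,
// which URLSearchParams encodes as "+".
function buildAuthorizeUrl(
  authorizationEndpoint: string,
  clientId: string,
  redirectUri: string,
  state: string,
  scopes: string[],
): string {
  const params = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "),
    state,
  });
  return `${authorizationEndpoint}?${params.toString()}`;
}
```

With OIDC_SCOPE unset the request carries exactly openid email profile; setting OIDC_SCOPE to "openid groups" sends only those two scopes, which is why a custom value must spell out every scope it needs.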