Added
- OpenID Connect backends can now opt in to PKCE support
Changed
- PKCE defaults now match RFC 7636 requirements
Security
- Tightened redirect URL validation
- Tightened OAuth state handling for Clever, Eventbrite, GoClio, MailChimp, SurveyMonkey and Untappd backends
- SAML authentication now restores saved sessions only after response validation