This release might contain breaking changes. Review the removed backends and
stricter OAuth, OpenID Connect, and Azure AD validation before upgrading.
Added
- OpenID Connect claim names for email, first name, last name, and full name can
now be configured.
- GitHub backend now stores fetched emails in pipeline data.
Changed
- Azure AD backends now use OpenID configuration and JWKS for token validation.
- Built-in provider URLs now consistently use HTTPS.
- AUTH_EXTRA_ARGUMENTS values are no longer overridden by request data unless
the key is listed in AUTH_EXTRA_ARGUMENTS_OVERRIDE_ALLOWLIST.
- Requests now fall back to a default timeout when no timeout is configured.
- Improved the publishing workflow.
Removed
- Removed obsolete Rdio, Shimmering, and ThisIsMyJam backends.
- Removed legacy OAuth1 backends for Douban and Mendeley.
Security
- Apple ID backend now validates the ID token issuer.
- Azure AD backends now validate ID token signatures, issuer, audience, tenant,
and policy claims. Tokens accepted by earlier versions might now be rejected.
- OpenID Connect backends now reject UserInfo responses whose sub does not
match the validated ID token subject.