Spring Authorization Server

1.3.0-M1

3 months ago

:star: New Features

  • Allow configurable scope validation strategy in OAuth2ClientCredentialsAuthenticationProvider #1377
  • Improve logging #1467
  • Support multi-tenancy using the path component for issuer #1342

:hammer: Dependency Upgrades

  • Update to assertj-core 3.25.1 #1513
  • Update to jackson-bom 2.16.1 #1512
  • Update to Spring Framework 6.1.3 #1510
  • Update to Spring Security 6.3.0-M1 #1511
  • Update to spring-security-release-plugin 1.0.1 #1494

:heart: Contributors

Thank you to all the contributors who worked on this release:

@adamleantech and @leshalv

0.4.5

4 months ago

:beetle: Bug Fixes

  • Fix to ensure endpoints distinguish between form and query parameters #1468
  • Token endpoint should not use query parameters #1451
  • Issuer should not support path component #1435
  • Add default 15s timeout for fetching JWKSets #1433
  • Fix tests for OAuth2 Authorization Server Metadata Endpoint #1419
  • Fix tests for OIDC Provider Configuration Endpoint #1416
  • Default timeout should be set when fetching JWKSet for private_key_jwt #1413

:hammer: Dependency Upgrades

  • Update to Spring Security 5.8.9 #1479
  • Update to Spring Framework 5.3.31 #1478

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

1.1.4

4 months ago

:star: New Features

  • Remove org.webjars dependencies from demo-authorizationserver sample #1445

:beetle: Bug Fixes

  • Default timeout should be set when fetching JWKSet for private_key_jwt #1439
  • Expired ID tokens are rejected at the authorization server on an RP-initiated logout #1440
  • Fix tests for OAuth2 Authorization Server Metadata Endpoint #1421
  • Fix tests for OIDC Provider Configuration Endpoint #1418
  • Issuer should not support path component #1437

:hammer: Dependency Upgrades

  • Update to Spring Framework 6.0.15 #1480
  • Update to Spring Security 6.1.6 #1481

1.2.1

4 months ago

:beetle: Bug Fixes

  • Expired ID tokens are rejected at the authorization server on an RP-initiated logout #1474

:hammer: Dependency Upgrades

  • Update to nimbus-jose-jwt 9.37.3 #1484
  • Update to Spring Framework 6.1.2 #1482
  • Update to Spring Security 6.2.1 #1483

1.2.0

5 months ago

:star: New Features

  • Move AOT hints to main module #1446
  • Allow configurable refresh token strategy for authorization_code grant #1432
  • Allow for a configurable strategy for granting refresh_token #1430
  • Add AOT hints for demo-authorizationserver sample #1380
  • Add how-to guide for dynamic client registration with custom metadata #1376
  • ref-doc: Describe main use cases for using Spring Authorization Server #1371
  • Consider adding jti claim in JWT #1360

:notebook_with_decorative_cover: Documentation

  • How-to: Customize client metadata during dynamic client registration #1044

:hammer: Dependency Upgrades

  • Update to com.squareup.okhttp3 4.12.0 #1460
  • Update to junit-jupiter 5.10.1 #1459
  • Update to nimbus-jose-jwt 9.37.1 #1458
  • Update to jackson-bom 2.16.0 #1457
  • Update to Spring Security 6.2.0 #1456
  • Update to Spring Framework 6.1.0 #1455

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

1.2.0-RC1

6 months ago

:star: New Features

  • Add reusable default authentication failure handler #1384

:hammer: Dependency Upgrades

  • Update to nimbus-jose-jwt 9.37 #1408
  • Update to jackson-bom 2.15.3 #1407
  • Update to Spring Security 6.2.0-RC2 #1406
  • Update to Spring Framework 6.1.0-RC1 #1405

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

1.1.3

6 months ago

:beetle: Bug Fixes

  • Fix typo: context.getHeaders() to context.getJwsHeader() #1393
  • client_id and client_secret provided via query parameters are accepted for client_secret_post #1390
  • Should return hashed client_secret when registering with client_secret_jwt #1383

:hammer: Dependency Upgrades

  • Update to Spring Boot 3.1.4 #1404
  • Update to jackson-bom 2.15.3 #1403
  • Update to Spring Security 6.1.5 #1402
  • Update to Spring Framework 6.0.13 #1401

1.0.4

6 months ago

:beetle: Bug Fixes

  • Fix typo: context.getHeaders() to context.getJwsHeader() #1392
  • client_id and client_secret provided via query parameters are accepted for client_secret_post #1389
  • Should return hashed client_secret when registering with client_secret_jwt #1382

:hammer: Dependency Upgrades

  • Update to Spring Boot 3.0.11 #1400
  • Update to org.hsqldb:hsqldb 2.7.2 #1399
  • Update to Spring Security 6.0.8 #1398
  • Update to Spring Framework 6.0.13 #1397

0.4.4

6 months ago

:beetle: Bug Fixes

  • Fix typo: context.getHeaders() to context.getJwsHeader() #1391
  • client_id and client_secret provided via query parameters are accepted for client_secret_post #1378
  • Fix to return hashed client_secret when registering with client_secret_jwt #1345
  • Should return hashed client_secret when registering with client_secret_jwt #1344

:hammer: Dependency Upgrades

  • Update to Spring Boot 2.7.16 #1396
  • Update to Spring Security 5.8.8 #1395
  • Update to Spring Framework 5.3.30 #1394

:heart: Contributors

We'd like to thank all the contributors who worked on this release!

1.2.0-M1

7 months ago

:star: New Features

  • Add code challenge methods for oidc provider configuration response #1329
  • Adds ability to inject custom metadata at client registration #1326
  • Adds dynamic client registration how-to guide #1320
  • code_challenge_methods_supported field not in openid-configuration endpoint #1302
  • Migrate docs to Antora #1295
  • Antora #1292
  • Adds how-to guide on adding authorities to access tokens #1264
  • Issue 1246 adding debug log entry #1261
  • Consider logging missing code_verifier when code_challenge is included in authorization request #1248
  • Consider logging missing code_challenge when PKCE is required #1247
  • Consider logging invalid client secret #1246
  • Consider logging invalid redirect_uri and scope #1245
  • Fix :spring-authorization-server-docs:asciidoctor cacheability #1231
  • Simplify dynamic client registration with custom metadata #1172
  • How-to: Dynamic client registration #647
  • How-to: Authorize an access token containing custom authorities #542

:beetle: Bug Fixes

  • Fix: add length validation to prevent 500 error on invalid usercode #1318

:hammer: Dependency Upgrades

  • Update to okhttp 4.11.0 #1368
  • Update to junit-jupiter 5.10.0 #1367
  • Update to nimbus-jose-jwt 9.35 #1366
  • Update to Spring Security 6.2.0-M3 #1365
  • Update to Spring Framework 6.1.0-M5 #1364

:heart: Contributors

We'd like to thank all the contributors who worked on this release!