v3.2.5

What's Changed

• Update Security Policy by @maennchen in #380
• Implement Scorecard by @maennchen in #384
• fix: correct types in client_context.ex by @dustinfarris in #388
• Fix Config Worker Types by @maennchen in #395

New Contributors

• @dustinfarris made their first contribution in #388

Full Changelog: v3.2.4...v3.2.5

v3.2.4

What's Changed

• Fix Authorization Request Params by @maennchen in #378

Full Changelog: v3.2.3...v3.2.4

v3.2.3

What's Changed

• Fix JWT Authorization Query Parameters by @paulswartz in #375

Full Changelog: v3.2.2...v3.2.3

v3.2.2

What's Changed

• Update Erlang / Elixir for Dev / CI by @maennchen in #372
• Switch to attribute based documentation by @maennchen in #373
• token introspect remove client id constraint by @danj3 in #363

New Contributors

• @danj3 made their first contribution in #363

Full Changelog: v3.2.1...v3.2.2

v3.2.1

What's Changed

• Support application/jwk-set+json content-type by @caioaao in #352
• Specify that max_clock_skew is in seconds by @caioaao in #353
• Update to OTP 27 by @maennchen in #348
• Allow Clock Skew for Zitadel CT tests by @maennchen in #355
• Only export coverage for up to date OTP by @maennchen in #356
• fix: url_extension params also go in the request object by @paulswartz in #354
• Remove duplicate return type in create_redirect_url spec by @Nezteb in #358
• Prevent jwks_expired flood in worker by @maennchen in #361
• Cache Header max-age=0 fix by @maennchen in #371
• Prevent jwks_expired flood in worker 2nd try by @maennchen in #365

New Contributors

• @caioaao made their first contribution in #352
• @Nezteb made their first contribution in #358

Full Changelog: v3.2.0...v3.2.1

v3.2.0

What's Changed

• two bugs with request param by @paulswartz in #299
• introspection improvements by @paulswartz in #300
• two fixes with client JWK signing by @paulswartz in #302
• Allow to pass url_extension for token retrieval by @maennchen in #303
• Introduce Quirks option to allow unsupported grant types by @maennchen in #304
• Allow to pass body_extension for token retrieval by @maennchen in #305
• feat: document_overrides quirk to patch invalid OIDD files by @paulswartz in #307
• Properly Validate & Cast Token Responses (#306) by @maennchen in #308
• Upgrade @actions/artifact actions by @maennchen in #311
• feat: include config params for PAR, JARM, and DPoP by @paulswartz in #312
• feat: Pushed Authorization Request (PAR) by @paulswartz in #313
• fix(PAR): ensure we don't send duplicate parameters by @paulswartz in #314
• feat: Demonstrating Proof of Posession (DPoP) by @paulswartz in #315
• FAPI2 profile support by @paulswartz in #317
• Update Test Elixir / OTP Versions by @maennchen in #323
• feat: JARM by @paulswartz in #321
• feat: support encrypted ID tokens and Userinfo responses by @paulswartz in #326
• fix(jarm): check encryption/signature before validating claims by @paulswartz in #329
• tls_client_auth by @paulswartz in #328
• Fix typos by @kianmeng in #331
• fix: small fixes for DPoP by @paulswartz in #332
• feat: small features to support ConnectID.com.au profile by @paulswartz in #333
• Bump actions/cache from 3 to 4 by @dependabot in #335
• feat: function to locally validate a JWT by @paulswartz in #330
• feat: profile for mTLS sender-constrained tokens by @paulswartz in #336
• Implement backoff algorithm for configuration worker by @maennchen in #337
• Always refresh keys on empty JWK by @maennchen in #339
• Update README.md to include the SAFE audit by @mohamedalikhechine in #340
• Fix -define typo in oidcc.hrl by @matlaj in #344
• Document PAR Telemetry Events by @maennchen in #345
• Fix DPoP with JWK Set by @maennchen in #346

Security

• Patch of GHSA-mj35-2rgf-cv8p Atom Exhaustion DoS Vulnerability

New Contributors

• @kianmeng made their first contribution in #331
• @mohamedalikhechine made their first contribution in #340
• @matlaj made their first contribution in #344

Full Changelog: v3.1.2...v3.2.0

v3.2.0-beta.3

What's Changed

• two bugs with request param by @paulswartz in #299
• introspection improvements by @paulswartz in #300
• two fixes with client JWK signing by @paulswartz in #302
• Allow to pass url_extension for token retrieval by @maennchen in #303
• Introduce Quirks option to allow unsupported grant types by @maennchen in #304
• Allow to pass body_extension for token retrieval by @maennchen in #305
• feat: document_overrides quirk to patch invalid OIDD files by @paulswartz in #307
• Properly Validate & Cast Token Responses (#306) by @maennchen in #308
• Upgrade @actions/artifact actions by @maennchen in #311
• feat: include config params for PAR, JARM, and DPoP by @paulswartz in #312
• feat: Pushed Authorization Request (PAR) by @paulswartz in #313
• fix(PAR): ensure we don't send duplicate parameters by @paulswartz in #314
• feat: Demonstrating Proof of Posession (DPoP) by @paulswartz in #315
• FAPI2 profile support by @paulswartz in #317
• Update Test Elixir / OTP Versions by @maennchen in #323
• feat: JARM by @paulswartz in #321
• feat: support encrypted ID tokens and Userinfo responses by @paulswartz in #326
• fix(jarm): check encryption/signature before validating claims by @paulswartz in #329
• tls_client_auth by @paulswartz in #328
• Fix typos by @kianmeng in #331
• fix: small fixes for DPoP by @paulswartz in #332
• feat: small features to support ConnectID.com.au profile by @paulswartz in #333
• Bump actions/cache from 3 to 4 by @dependabot in #335
• feat: function to locally validate a JWT by @paulswartz in #330
• feat: profile for mTLS sender-constrained tokens by @paulswartz in #336
• Implement backoff algorithm for configuration worker by @maennchen in #337
• Always refresh keys on empty JWK by @maennchen in #339

Security

• Patch of GHSA-mj35-2rgf-cv8p Atom Exhaustion DoS Vulnerability

New Contributors

• @kianmeng made their first contribution in #331

Full Changelog: v3.1.2...v3.2.0-beta.3

v3.1.2

Patch of GHSA-mj35-2rgf-cv8p Atom Exhaustion DoS Vulnerability

Full Changelog: v3.1.1...v3.1.2

v3.0.2

Patch of GHSA-mj35-2rgf-cv8p Atom Exhaustion DoS Vulnerability

Full Changelog: v3.0.1...v3.0.2

v3.2.0-beta.2

What's Changed

• two bugs with request param by @paulswartz in #299
• introspection improvements by @paulswartz in #300
• two fixes with client JWK signing by @paulswartz in #302
• Allow to pass url_extension for token retrieval by @maennchen in #303
• Introduce Quirks option to allow unsupported grant types by @maennchen in #304
• Allow to pass body_extension for token retrieval by @maennchen in #305
• feat: document_overrides quirk to patch invalid OIDD files by @paulswartz in #307
• Properly Validate & Cast Token Responses (#306) by @maennchen in #308
• Upgrade @actions/artifact actions by @maennchen in #311
• feat: include config params for PAR, JARM, and DPoP by @paulswartz in #312
• feat: Pushed Authorization Request (PAR) by @paulswartz in #313
• fix(PAR): ensure we don't send duplicate parameters by @paulswartz in #314
• feat: Demonstrating Proof of Posession (DPoP) by @paulswartz in #315
• FAPI2 profile support by @paulswartz in #317
• Update Test Elixir / OTP Versions by @maennchen in #323
• feat: JARM by @paulswartz in #321
• feat: support encrypted ID tokens and Userinfo responses by @paulswartz in #326
• fix(jarm): check encryption/signature before validating claims by @paulswartz in #329
• tls_client_auth by @paulswartz in #328
• Fix typos by @kianmeng in #331
• fix: small fixes for DPoP by @paulswartz in #332
• feat: small features to support ConnectID.com.au profile by @paulswartz in #333
• Bump actions/cache from 3 to 4 by @dependabot in #335
• feat: function to locally validate a JWT by @paulswartz in #330
• feat: profile for mTLS sender-constrained tokens by @paulswartz in #336
• Implement backoff algorithm for configuration worker by @maennchen in #337
• Always refresh keys on empty JWK by @maennchen in #339

New Contributors

• @kianmeng made their first contribution in #331

Full Changelog: v3.1.1...v3.2.0-beta.2