Releases: curveball/a12n-server
v0.18.1
v0.18.0
- Added UIs for editing user information. (@mihok)
- Added preliminary support for JWT bearer tokens (draft-ietf-oauth-access-token-jwt-12).
- Added a new markdown-based home document, which will be a bit more
  user-friendly for non-devs.
- Added UI for setting privileges. (@mihok)
- All secret tokens are now URL-safe and generated non-blocking.
- Throw a 404 when trying to access the 'active sessions' page for a
group-principal.
v0.17.2
v0.17.1
- Updated `simplewebauthn` dependencies to the latest version.
- Switched to 'indirect' attestation-type by default, allowing anonymized
  attestations to be used.
- It's now possible to set the value for the CORS `allow-origin` option. By
  default it's enabled, but if `cors.alloworigin` is supplied, this can be
  overridden.
v0.17.0
- Privileges assigned to groups are now inherited by all users who are part of
  that group, allowing the use of groups as 'roles'.
- Added a `/user/by-href/:href` endpoint, allowing API clients to look up
  users by their 'identity' like their email address.
- Added a `hasPassword` property to each user. This is only visible on 'your
  own' user or if you are an admin.
- The `/token-exchange` endpoint for one-time tokens now requires a `client_id`
  parameter, similar to OAuth2 endpoints.
- Fixed a number of internal APIs that let people generate passwords for
  non-user principals, or OAuth2 credentials for groups. Everything is a bit
  stricter.
- Internally, 'users', 'apps' and 'groups' are now more often referred to by
  the name 'principal'. Before, these 3 categories of things were also referred
  to as 'user'. This migration is not complete, but it's a big first step.
  Eventually we'll have separate API roots for each of these.
v0.16.0
- Added a `login.defaultRedirect` option. This setting allows an admin to
  specify where users should be redirected to after they log in.
- Added a 'one time token' API, allowing privileged clients to exchange tokens
  with regular OAuth2 access tokens. This is useful for custom implementations
  of 'lost password' features.
- Added an 'active sessions' API. This API lists all currently active
  access/refresh tokens for a user.
- Added an 'access token' endpoint, allowing you to generate a new access
  token if you already have a valid session.