✓ No known CVEs patched in this version
Summary
AI summary: Reverted the OIDC_SCOPE default to "openid email profile" to fix invalid_scope errors with providers lacking groups support.
Full changelog
Full Changelog: https://github.com/mauriceboe/TREK/compare/v2.8.0...v2.8.3
Bug Fixes
OIDC: Reverted default scope to openid email profile (#391)
The OIDC_SCOPE default fallback was changed in v2.8.0 to include groups, which caused invalid_scope errors with providers that do not support that scope (e.g. Google, Apple).
The default has been reverted to openid email profile. The groups scope can still be added via the OIDC_SCOPE environment variable for providers that support it (e.g. Authentik, Keycloak).
Affected file: server/src/routes/oidc.ts
Documentation
- Corrected the `OIDC_SCOPE` default value in `server/.env.example` and `README.md` to match the actual runtime default.
- Clarified that `OIDC_SCOPE` overrides the entire scope string, it does not append to the default.
- CI pipeline now skips the Docker build/publish step for documentation-only pushes.
- Removed stale `AUDIT_FINDINGS.md` from the repository root.
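The two points above (the default fallback without `groups`, and `OIDC_SCOPE` replacing rather than extending the scope string) are easy to get wrong in a deployment. The following is an added example, not code from TREK or from `server/src/routes/oidc.ts`: it resolves the scope string the same way the notes describe and preflights it against the provider's discovery metadata (`scopes_supported`, an optional field of the OpenID Connect discovery document) so an `invalid_scope` rejection is caught before the redirect. Function names, the discovery objects and the sample provider data are constructed for illustration.

```typescript
// Added example (not TREK's own code). Resolves the OIDC scope string from the
// environment with the v2.8.3 default, then checks it against provider
// discovery metadata. All names and sample data here are assumptions.

// Default fallback restored in v2.8.3: no `groups`.
const DEFAULT_OIDC_SCOPE = "openid email profile";

interface ScopeCheck {
  scope: string;         // the exact scope string that would be requested
  unsupported: string[]; // scopes the provider does not advertise
  warnings: string[];    // human-readable problems found during preflight
}

// OIDC_SCOPE replaces the whole scope string; it is never appended to the
// default. An empty or whitespace-only value falls back to the default.
function resolveOidcScope(env: Record<string, string | undefined>): string {
  const raw = env.OIDC_SCOPE?.trim();
  if (!raw) return DEFAULT_OIDC_SCOPE;
  // Scope is a space-delimited list (RFC 6749 section 3.3); normalise spacing.
  return raw.split(/\s+/).filter(Boolean).join(" ");
}

// Preflight the resolved scope against the provider's discovery document.
// `scopes_supported` is optional, so a provider that omits it cannot be
// checked offline and gets a warning instead of a verdict.
function checkScope(
  scope: string,
  discovery: { scopes_supported?: string[] },
): ScopeCheck {
  const requested = scope.split(" ");
  const warnings: string[] = [];

  // Because OIDC_SCOPE overrides everything, an operator who sets it to
  // "groups" silently drops "openid" and no longer performs an OIDC request.
  if (!requested.includes("openid")) {
    warnings.push('scope must include "openid" for an OpenID Connect request');
  }

  let unsupported: string[] = [];
  const supported = discovery.scopes_supported;
  if (supported) {
    unsupported = requested.filter((s) => !supported.includes(s));
    if (unsupported.length > 0) {
      warnings.push(
        `provider does not advertise: ${unsupported.join(", ")} (expect invalid_scope)`,
      );
    }
  } else {
    warnings.push("provider does not publish scopes_supported; cannot preflight");
  }
  return { scope, unsupported, warnings };
}

// Constructed sample discovery metadata (hypothetical, not real provider data).
const GOOGLE_LIKE = { scopes_supported: ["openid", "email", "profile"] };
const AUTHENTIK_LIKE = {
  scopes_supported: ["openid", "email", "profile", "groups", "offline_access"],
};

// Walks the three situations the release notes describe.
function demo(): ScopeCheck[] {
  const defaultScope = resolveOidcScope({});
  const groupsScope = resolveOidcScope({ OIDC_SCOPE: "openid email profile groups" });
  return [
    checkScope(defaultScope, GOOGLE_LIKE),   // v2.8.3 default: clean
    checkScope(groupsScope, GOOGLE_LIKE),    // v2.8.0 default: invalid_scope
    checkScope(groupsScope, AUTHENTIK_LIKE), // explicit groups where supported: clean
  ];
}
```

Run `demo()` against your own provider's discovery document (fetched from `/.well-known/openid-configuration`) at startup and fail fast on warnings; a provider that omits `scopes_supported` still needs a manual login test after any change to `OIDC_SCOPE`.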
Internal / Tests
- Updated integration test `TRIP-002` to reflect the correct 7-day default window behaviour introduced in v2.8.0.
Upgrade Notes
No database migrations or breaking changes. Drop-in replacement for v2.8.0.
If you are using a custom OIDC_SCOPE that includes groups, your configuration is unaffected. Only deployments that relied on the (broken) default fallback need to re-verify their OIDC login flow; confirm the scope parameter in the authorization redirect is now "openid email profile".