pocket-id

v2.7.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 23d Secrets & Credentials

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

idp oidc passkeys self-hosted

ReleasePort's take

Light signal

editorial:auto 13d

The release adds FILE support for S3_SECRET_ACCESS_KEY_FILE and fixes the PKCE fallback to Basic auth when client_id appears in the request body.

Why it matters: Patch to v2.7.0 immediately if you use S3 authentication or rely on PKCE flows; the fix prevents unintended Basic auth usage triggered by malformed PKCE requests.

Summary

AI summary

Fixed fallback to Basic auth when PKCE puts client_id in body.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	Add support for response_mode=form_post OAuth response mode Add support for response_mode=form_post OAuth response mode Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Add support for select_account prompt type Add support for select_account prompt type Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Add FILE support for S3_SECRET_ACCESS_KEY_FILE environment variable Add FILE support for S3_SECRET_ACCESS_KEY_FILE environment variable Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	Support reading S3_SECRET_ACCESS_KEY_FILE from file via _FILE suffix Support reading S3_SECRET_ACCESS_KEY_FILE from file via _FILE suffix Source: granite4.1:30b@2026-05-24-audit Confidence: low	—
Dependency	Medium	Upgrade dependencies to latest versions Upgrade dependencies to latest versions Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	Fall back to Basic auth when PKCE puts client_id in body Fall back to Basic auth when PKCE puts client_id in body Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Add missing /api prefix to app config swagger routes Add missing /api prefix to app config swagger routes Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Invalidate cache when changing image Invalidate cache when changing image Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Low	Fallback to Basic auth if PKCE includes client_id in request body Fallback to Basic auth if PKCE includes client_id in request body Source: granite4.1:30b@2026-05-24-audit Confidence: low	—

Full changelog

Bug Fixes

add _FILE support for S3_SECRET_ACCESS_KEY_FILE env var (#1452 by @ItalyPaleAle)
invalidate cache when changing image (#1462 by @GameTec-live)
fall back to Basic auth when PKCE puts client_id in body (#1466 by @mgabor3141)

Documentation

add missing /api prefix to app config swagger routes (#1454 by @aclerici38)

Features

add support for response_mode=form_post (#1360 by @Johnwulp)
add support for "select_account" prompt (#1453 by @ItalyPaleAle)

Other

add script to update deps (f9f93f0 by @stonith404)
upgrade dependencies (20df033 by @stonith404)
post dependency upgrade fixes (e33a9b8 by @stonith404)
migrate github actions runners to depot runners (#1329 by @kmendell)
fix caching of ldap-cli e2e tests docker build (#1457 by @kmendell)
fix incorrect container name variable (5c7e5f6 by @kmendell)

Full Changelog: https://github.com/pocket-id/pocket-id/compare/v2.6.2...v2.7.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track pocket-id

Get notified when new releases ship.

About pocket-id

A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.

All releases →