This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: OAuth-only login can be enforced with a config flag, disabling password forms and returning 403 on direct auth attempts.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | OAuth-only login can be enabled via `coordinator.auth.disable_password_login`. Source: granite4.1:30b@2026-05-20-audit. Confidence: high | — |
| Feature | Medium | Automatic redirect to IdP is configurable with `oauth2_provider.auto_redirect`. Source: granite4.1:30b@2026-05-20-audit. Confidence: high | — |
| Feature | Medium | Pre-provisioned OAuth users can be limited using `coordinator.oauth2_provider.skip_auto_provision`. Source: granite4.1:30b@2026-05-20-audit. Confidence: high | — |
| Feature | Medium | OAuth-only login enabled for IdP deployments (Azure / Entra ID). Source: granite4.1:8b-q6_K@2026-05-20. Confidence: low | — |
| Feature | Medium | Clearer documentation for pre-provisioned OAuth users added. Source: granite4.1:8b-q6_K@2026-05-20. Confidence: low | — |
| Feature | Medium | Added Azure sample configuration file `examples/homer-coordinator-oauth2-azure.sample.json`. Source: granite4.1:8b-q6_K@2026-05-20. Confidence: low | — |
| Dependency | Medium | Docker environment variables for OAuth settings introduced. Source: granite4.1:8b-q6_K@2026-05-20. Confidence: low | — |
| Refactor | Medium | Updated authentication-related documentation in AUTH_LDAP_AND_OAUTH.md, COORDINATOR.md, and UI_COORDINATOR_AUTH_AND_TOKENS.md. Source: granite4.1:8b-q6_K@2026-05-20. Confidence: low | — |
Full changelog
Homer Core 11.0.225
OAuth-only login for IdP deployments (Azure / Entra ID) and clearer docs for pre-provisioned OAuth users.
Authentication
- OAuth-only login: Set `coordinator.auth.disable_password_login: true` to hide the username/password form in the UI and return 403 on `POST /api/v4/auth/sessions`. Pair with `oauth2_provider.auto_redirect: true` to send users straight to the IdP.
- Pre-provisioned OAuth users: Documented `coordinator.oauth2_provider.skip_auto_provision: true` (login only if the user already exists in DuckDB, matched by username or email).
- Azure sample: Added `examples/homer-coordinator-oauth2-azure.sample.json`.
- Docs: Updated `docs/AUTH_LDAP_AND_OAUTH.md`, `docs/COORDINATOR.md`, and `docs/UI_COORDINATOR_AUTH_AND_TOKENS.md`.
Configuration quick reference
```json
{
  "coordinator": {
    "auth": { "disable_password_login": true },
    "oauth2_provider": {
      "enable": true,
      "name": "azure",
      "auto_redirect": true,
      "skip_auto_provision": true
    }
  }
}
```
Docker env vars:
```
HOMER_COORDINATOR_AUTH_DISABLE_PASSWORD_LOGIN=true
HOMER_COORDINATOR_OAUTH2_PROVIDER_AUTO_REDIRECT=true
HOMER_COORDINATOR_OAUTH2_PROVIDER_SKIP_AUTO_PROVISION=true
```
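A pre-deployment check for the settings above, as an added example (not Homer's own code): the hypothetical `audit` helper reads a coordinator config plus the Docker env vars and reports combinations that leave password login on, leave auto-provisioning open, or turn passwords off with no OAuth provider enabled. The release notes do not state file-versus-env precedence, so a disagreement is reported rather than resolved. Assumptions: env values are the literal strings `true`/`false`, OAuth is the only interactive login left once passwords are disabled, and IdP users are auto-provisioned unless `skip_auto_provision` is true.

```python
import json

# Setting -> (path in the JSON config, Docker env var named in the release notes or None)
SETTINGS = {
    "disable_password_login": (("coordinator", "auth", "disable_password_login"),
                               "HOMER_COORDINATOR_AUTH_DISABLE_PASSWORD_LOGIN"),
    "enable": (("coordinator", "oauth2_provider", "enable"), None),
    "auto_redirect": (("coordinator", "oauth2_provider", "auto_redirect"),
                      "HOMER_COORDINATOR_OAUTH2_PROVIDER_AUTO_REDIRECT"),
    "skip_auto_provision": (("coordinator", "oauth2_provider", "skip_auto_provision"),
                            "HOMER_COORDINATOR_OAUTH2_PROVIDER_SKIP_AUTO_PROVISION"),
}

def _from_file(cfg, path):
    """Walk nested dicts; return the value only if it is a real JSON boolean."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg if isinstance(cfg, bool) else None

def _from_env(env, name):
    """Accept only the literal strings true/false (assumption: anything else is unset)."""
    return {"true": True, "false": False}.get(env.get(name, "").strip().lower()) if name else None

def audit(config_text, env):
    """Return sorted finding codes for an OAuth-only deployment (hypothetical helper)."""
    cfg, findings, on = json.loads(config_text), [], {}
    for name, (path, var) in SETTINGS.items():
        seen = [v for v in (_from_file(cfg, path), _from_env(env, var)) if v is not None]
        if len(set(seen)) > 1:
            # Precedence is not documented on the page, so a disagreement is itself a finding.
            findings.append(f"CONFLICT:{name}")
        on[name] = bool(seen) and all(seen)  # conservative: on only if every source agrees
    if not on["disable_password_login"]:
        findings.append("PASSWORD_LOGIN_STILL_ENABLED")
    elif not on["enable"]:
        findings.append("LOCKOUT_RISK_NO_OAUTH_PROVIDER")
    if on["enable"] and not on["skip_auto_provision"]:
        findings.append("AUTO_PROVISION_OPEN")
    if on["disable_password_login"] and on["enable"] and not on["auto_redirect"]:
        findings.append("AUTO_REDIRECT_OFF")
    return sorted(findings)

# Constructed sample inputs (not taken from a real deployment).
HARDENED = '{"coordinator": {"auth": {"disable_password_login": true}, "oauth2_provider": {"enable": true, "name": "azure", "auto_redirect": true, "skip_auto_provision": true}}}'
DRIFTED_ENV = {"HOMER_COORDINATOR_OAUTH2_PROVIDER_SKIP_AUTO_PROVISION": "false"}
if __name__ == "__main__":
    print(audit(HARDENED, {}), audit(HARDENED, DRIFTED_ENV))
```

An empty result means the file and environment agree on the OAuth-only posture from the quick reference; `AUTO_REDIRECT_OFF` is informational, the other codes are worth blocking a rollout on.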
Upgrade
Install the homer-core package or binary built from tag 11.0.225 on branch homer11.
```
homer --version # homer-core 11.0.225
```
Full changelog
https://github.com/sipcapture/homer/compare/11.0.224...11.0.225