v5.0.7
Breaking risk
Notable features
- OpenID Connect server now supports PKCE
- User information endpoint supports POST requests with access token in body
- Unsigned OpenID Connect request objects now supported
Full changelog
Tinyauth v5.0.7
Hello everyone! This is officially the last release under my username. After this last patch, Tinyauth will move to its new home tinyauthapp, no breaking changes for now. As for this release, it addresses some further issues with the Envoy proxy and improves the OpenID Connect experience.
Improvements
- The OpenID Connect server now supports PKCE
- The OpenID Connect user information endpoint now supports POST requests @scottmckendry
- The OpenID Connect user information endpoint now supports the access token in the POST request body @scottmckendry
- The OAuth flow now supports the OpenID Connect parameters and stores CSRF states server-side for anti-tampering
- Add
X-Tinyauth-Locationheader for Nginx instances to support redirect to login and unauthorized pages automatically - Support unsigned OpenID Connect request objects @scottmckendry
- Accessibility improvements
Fixes
- Use 307 redirects for Envoy proxy
- Fix TOTP field auto-fill not working in some password managers @scottmckendr
Technical
- Update dependencies
- Update translations
- Use own fork of the paerser library for better flexibility in configuration parsing
- Fail app early when the app URL is missing
Please let us know of any issues so we can address them as soon as possible.
Full Changelog: https://github.com/steveiliop56/tinyauth/compare/v5.0.6...v5.0.7