Releases

This release upgrades FoxIDs to .NET 10, bringing the latest runtime improvements and long term support benefits. It also resolves a critical Windows Server issue where certificates could not be read reliably and adding fallback read methods.

New Features

Upgraded to .NET 10

FoxIDs now runs on .NET 10 for improved performance, security, and platform support.

Bug Resolved

Certificate loading reliability fix

A reliability issue affecting certificate loading on Windows Server in certain cases has been resolved. Fallback certificate read methods have been added to ensure stable behavior across environments.

This release introduces extensive improvements to claim handling, session management, authentication flows, UI functionality, and security hardening across FoxIDs.
Enhancements include richer claim transform capabilities, improved login and environment management in the Control Client, extended dynamic content and CSS generator support, stronger session validation, improved certificate handling, and refined security headers.
A critical bug related to certificate reading on Windows Server has also been resolved.

New Features

Claim Transform Enhancements

• Added support for saving claims on both internal and external users through a claim transform task.
• Added support for querying external users using the linked claim value in a claim transform task.
• Added the ability to select which claims are queried on internal or external users within a claim transform task.
• Added support for logging events that include claim values during claim transform execution.

Control Client Improvements

• Added easy access to log in to the test application again after logout.
• Environment Settings now auto-scrolls to the top after deleting an environment.
• Added support for large text translations, used in UI elements displaying content such as terms and conditions.
• Dynamic content now supports checkbox fields, large text fields, and large HTML elements.
• Updated CSS generator with support for large content and checkbox elements.

Authentication and Protocol Improvements

• OpenID Connect now displays invalid redirect URIs on the generic error page.
• The SAML 2.0 application now checks the HTTP form for a login hint if it is not supplied via query parameters or the SAML 2.0 request from the relying party.
• Default behavior updated (new environments): refresh tokens are now deleted when a user changes or sets a password in master environments.
• Added support for active sessions stored in the database, allowing remote session termination.
• Access token sessions are now validated using the sid claim and active session data in the UserInfo endpoint.
• Added support for deleting refresh token grants per session ID.

Security and System Enhancements

• Health checks can now verify individual dependencies separately.
• Updated jQuery Validate JavaScript library.
• Improved handling of security headers by allowing any request headers (not only Content-Type and Authorization) in Control.
• Added broader support for Permissions-Policy security headers.
• Stream logger now flushes only Application Insights data for improved performance.
• Improved certificate upload flow and added support for PEM files (.crt + .key).

Bug Resolved

Certificate loading reliability fix

A reliability issue affecting certificate loading on Windows Server in certain cases has been resolved.

This release introduces extensive improvements to claim handling, session management, authentication flows, UI functionality, and security hardening across FoxIDs.
Enhancements include richer claim transform capabilities, improved login and environment management in the Control Client, extended dynamic content support, stronger session validation, and refined security headers.
A critical bug related to certificate reading on Windows Server has also been resolved.

New Features

Claim Transform Enhancements

• Added support for saving claims on both internal and external users through a claim transform task.
• Added support for querying external users using the linked claim value in a claim transform task.
• Added the ability to select which claims are queried on internal or external users within a claim transform task.
• Added support for logging events that include claim values during claim transform execution.

Control Client Improvements

• Added easy access to log in to the test application again after logout.
• Environment Settings now auto-scrolls to the top after deleting an environment.
• Added support for large text translations, used in UI elements displaying content such as terms and conditions.
• Dynamic content now supports checkbox fields, large text fields, and large HTML elements.

Authentication and Protocol Improvements

• OpenID Connect now displays invalid redirect URIs on the generic error page.
• The SAML 2.0 application now checks the HTTP form for a login hint if it is not supplied via query parameters or the SAML 2.0 request from the relying party.
• Default behavior updated (new environments): refresh tokens are now deleted when a user changes or sets a password in master environments.
• Added support for active sessions stored in the database, allowing remote session termination.
• Access token sessions are now validated using the sid claim and active session data in the UserInfo endpoint.

Security and System Enhancements

• Health checks can now verify individual dependencies separately.
• Updated jQuery Validate JavaScript library.
• Improved handling of security headers by allowing any request headers (not only Content-Type and Authorization) in Control.
• Added broader support for Permissions-Policy security headers.
• Stream logger now flushes only Application Insights data for improved performance.

Bug Resolved

• Certificate loading reliability fix
  The Read Certificate API now uses EphemeralKeySet, ensuring certificates are processed entirely in memory instead of disk.
  This fixes an issue where certificates could not be read on Windows Server in certain cases.

This release addresses a bug in the Control Client where OpenID Connect applications displayed an incorrect authority value.
The fix ensures that applications now show the correct authority configuration.

Bugs Fixed

• Incorrect authority displayed in OpenID Connect applications
  The Control Client previously showed an incorrect authority for OpenID Connect applications.
  This issue has been resolved - the correct authority is now displayed.

This update introduces a configuration change to how refresh token grants are handled during request password changes.
It improves flexibility by allowing administrators to control whether refresh tokens should be deleted when a password change or password setup is requested via email or SMS confirmation.

Changing Feature

• Configurable refresh token grant deletion
  Refresh token grants are no longer automatically deleted when a password change or a password setup via email or SMS confirmation code is requested for a user in the Control Client or Control API.
  Instead, it is configurable per Login authentication method whether refresh token grants should be deleted when a password change occurs.

This release introduces several improvements to the Control API and Control Client, focusing on usability, data precision, and authentication management. Key updates include better ordering and filtering in APIs, enhanced refresh token handling, passwordless tenant creation, and refinements in login behavior and SMS configuration.
A breaking change affects the RefreshTokenGrants Control API naming conventions - see details below.

New features and improvements

• Improved ordering of applications and authentication methods
  Applications and authentication methods are now ordered by display name. If a display name is not provided, ordering falls back to technical name, and then by type in both the Control API and Control Client.

• Enhanced filtering by custom SP client ID
  Added support for filtering authentication methods by the optional custom SP client ID.

• More precise refresh token grant cleanup
  Refresh token grants are now deleted when a user is deleted, disabled, request for password change, or request for set a password using an email or SMS confirmation code.
  The cleanup process is now more accurate by also considering the authentication method type.

• Certificate management improvements
  In the Control Client, signing certificates can now be downloaded or copied in Base64 format.

• UI improvement for application creation
  Applications are now added to the list in Control Client only after the creation UI is closed, ensuring a cleaner user experience.

• Passwordless tenant creation
  The Control Client and Control API now support creating a tenant with an initially passwordless admin user.

• Improved API input handling
  All filter* parameters across the Control APIs are now trimmed before processing. This ensures that extra spaces in client inputs no longer cause empty or mismatched results.

• ⚠️ Breaking Change - Renamed fields in RefreshTokenGrants API
  To improve consistency and clarity, the following fields have been renamed:

  • authMethod → upPartyName
  • filterAuthMethod → filterUpPartyName

• SAML 2.0 login improvements

  • The login hint in SAML 2.0 query parameters is now space-trimmed and converted to lowercase.
  • The identification step is now selected based on the login hint, ignoring automatic selection.

• GatewayApi SMS label support
  Added support for configuring a label in GatewayApi SMS settings. This label is now included in API calls to GatewayApi when sending SMS messages.

Delivers finer-grained controls and a smoother setup experience in the Control Client: independently toggle SMS and email for password set/reset flows per authentication method and per user; gain full audit visibility with before/after diffs; enforce plan thresholds via tenant-scoped distributed locking; accepts a username query parameter from the SAML relying party; create applications inline with a live preview of generated values; and benefit from an improved environment selector; and improve translations for dynamic HTML links using placeholder URLs. Also fixes an issue where session links could be invalid when whitespace was present.

New features

• Granular SMS/email controls for password set/reset
  Independently enable or disable SMS and email for password set/reset flows at both:

  • The authentication-method level
  • The per-user level
    This provides precise control over how password communications are delivered.

• Comprehensive audit logging with diffs
  Every create, update, save, and delete on master and tenant documents now emits a “System‑Level Data” audit event, providing a chronological trail of configuration activity. Audit entries include a concise, serialized before/after diff so teams can quickly see exactly what changed without manual comparisons.

• Tenant‑scoped distributed locking for plan thresholds
  Introduces tenant‑scoped distributed locking to guard track and user creation when a plan enforces threshold limits, preventing race conditions and ensuring consistent enforcement.

• SAML login hint (username) passthrough Accepts a username (besides login_hint/LoginHint) query parameter from the SAML relying party used by Microsoft Entra ID.

• Inline application creation with live preview
  The “New application” modal has been removed. Application creation is now embedded directly in the page and shows application information as you type, keeping key values (e.g. authority, client ID, secret, scopes, and metadata) visible and continuously updated.

• Improved environment selector in Control Client
  The environment selector has been refined for a clearer, more consistent selection experience.

• Translations for dynamic HTML links using placeholders
  Dynamic HTML <a> elements are translated without embedding the href URL directly. Instead, translations use numbered placeholders such as {0}, {1}, etc., which are substituted with the correct URLs at runtime.

Bugs fixed

• Invalid session link due to untrimmed spaces
  Fixed an issue where leading or trailing spaces caused session links to be treated as invalid. Whitespace is now trimmed before link generation.

Delivers finer-grained controls and a smoother setup experience in the Control Client: independently toggle SMS and email for password set/reset flows per authentication method and per user; gain full audit visibility with before/after diffs; enforce plan thresholds via tenant-scoped distributed locking; create applications inline with a live preview of generated values; and benefit from an improved environment selector.

New features

• Granular SMS/email controls for password set/reset
  Independently enable or disable SMS and email for password set/reset flows at both:

  • The authentication-method level
  • The per-user level
    This provides precise control over how password communications are delivered.

• Comprehensive audit logging with diffs
  Every create, update, save, and delete on master and tenant documents now emits a “System‑Level Data” audit event, providing a chronological trail of configuration activity. Audit entries include a concise, serialized before/after diff so teams can quickly see exactly what changed without manual comparisons.

• Tenant‑scoped distributed locking for plan thresholds
  Introduces tenant‑scoped distributed locking to guard track and user creation when a plan enforces threshold limits, preventing race conditions and ensuring consistent enforcement.

• Inline application creation with live preview
  The “New application” modal has been removed. Application creation is now embedded directly in the page and shows application information as you type, keeping key values (e.g. authority, client ID, secret, scopes, and metadata) visible and continuously updated.

• Improved environment selector in Control Client
  The environment selector has been refined for a clearer, more consistent selection experience.

Enhances the FoxIDs Control Client with clearer list views and improved usability. Internal and external users now display a proper name derived from standard claims. The Applications, Authentication Methods, Internal Users, and External Users lists have been refined for consistency and readability. Initial data seeding for OpenSearch and supported databases (MongoDB, PostgreSQL, Azure Cosmos DB, and the file-based store) has been improved to make setup more reliable.

New features

• Internal and external user display names in lists
  The Control Client now shows an user’s display name by reading the standard claims name, given_name, and family_name (when available).

• Applications and Authentication Methods lists improvements
  Refined layouts and consistency in the Control Client to make these lists easier to read and manage.

• Internal Users and External Users lists improvements
  Clearer columns and navigation in the Control Client for more intuitive user management.

• Improved initial seeding for OpenSearch and databases
  More robust initial seeding for OpenSearch and for MongoDB, PostgreSQL, Azure Cosmos DB, and the file-based store to reduce setup friction and improve reliability.

Adds support for SAML relying parties to supply a login hint via the login_hint/LoginHint query parameter (commonly used by Microsoft Entra ID and Okta) that passes through to the downstream login experience when the SAML request does not include a NameID. Introduces inline asset options so logos, images, and icons can be embedded using data: URIs, reducing external requests and simplifying CSP. Also adds an in‑app CSS snippet generator to streamline styling of the login UI.

New features

• SAML login hint passthrough
  Accepts a login_hint/LoginHint query parameter from the SAML relying party. When the SAML request omits a NameID, this value is treated as a generic identifier hint and carried through the authentication flow (for example, pre‑populating the username field), preserving whatever the relying party provides.

• Inline images via data URIs in CSS
  Embed the logo or other images directly in your styles using data: URIs to avoid external HTTP requests, simplify deployment, and improve load performance.

• Inline icon configuration
  Configure the application icon (for example, favicon) using an inline data URI such as data:image/png;base64,... to embed the icon without hosting separate files.

• In‑app CSS snippet generator A built‑in generator link next to the login UI styling field opens a modal where administrators can preview template styles and append them directly to their CSS with one click.