Releases

This release improves logout interoperability between OpenID Connect and SAML 2.0 authentication methods by relaxing the requirement for an ID Token hint in logout flows.
It also includes routine NuGet package upgrades to keep dependencies current and secure.

New Features and Improvements

• Relaxed ID Token hint requirement for SAML logout via OpenID Connect
  The ID Token hint is no longer required when logging out of a SAML 2.0 authentication method through OpenID Connect.
  However, it is still recommended to include the ID Token in any logout request when available.

• Dependency updates
  Updated NuGet packages across the solution.

This release adds new password management capabilities across the Control API and Control Client, including support for setting passwords via secure hashes and managing user passwords directly in the UI.
It also improves configurability of the FoxIDs client interface by allowing company branding and messaging settings to be hidden, and enhances developer experience through richer Swagger documentation.
Additionally, PgKeyValueDB has been updated to fix a runtime issue affecting the Any method.

New Features and Improvements

• Set password API with hashed password support
  Added a Set Password API and support for creating users and setting passwords using a password hash.

• Password management in Control Client
  Added support for setting a user’s password directly in the Control Client.

• Hide branding and messaging settings in client UI
  It is now possible to hide company branding (company name and address) as well as SMS and email settings in the FoxIDs client user interface. Hide settings:

  - name: "Settings__ClientUi__HideBrandingSettings"
    value: "true"
  - name: "Settings__ClientUi__HideSmsSettings"
    value: "true"
  - name: "Settings__ClientUi__HideMailSettings"
    value: "true"
  

• Improved Swagger documentation
  Added documentation in Control API XML summaries and property descriptions to improve Swagger clarity and usability.

• Server URL element in Swagger
  Swagger now includes a servers URL element for improved API discoverability and correct base URL representation.

Bugs Resolved

Resolve “Any method is not supported”

PgKeyValueDB has been updated to version 3.1.1, resolving an issue where the Any method was not supported.

Resolve "Password validation error if no current password"

Can occur if a user is created without a password and then set the password e.g. with a email code.

This release upgrades FoxIDs to .NET 10, delivering the latest runtime improvements and long term support benefits.
It also includes multiple enhancements across dependencies, Control Client usability, claims handling, and SAML interoperability.

A major addition is support for Password Policy Groups and Aging, giving administrators more flexible password control per environment. Environments can now define up to 10 named policy groups in Environment Settings and assign users to them. If no group is assigned, the environment's base password policy applies.
The policy itself has been extended with controls for maximum password length, banned characters, password history checks, maximum password age, and a soft password-change window. Users now store PasswordLastChanged, and during login passwords are validated against the active policy. Expired passwords require change, while soft aging prompts users without blocking sign in.

In addition, a critical Windows Server certificate loading issue has been resolved through fallback read methods, and a Control Client test application URL update bug has been fixed.

New Features and Improvements

Upgraded to .NET 10

FoxIDs now runs on .NET 10 for improved performance, security, and platform support.

General Platform and UI Improvements

• Dependency updates
  Updated NuGet packages across the solution, including PgKeyValueDB.

• Control Client claims and text updates

  • Improved claims mapping in the Control Client.
  • Improved rendering and handling of text pages.

• Better internal user claim handling
  Improved support for phone and email claims on internal users, instead of having the values as identifiers.

• Improved browser auto-complete
  Enhanced username and password auto-complete behavior in supported browsers.

• Improved time formatting in Control Client
  Updated date and time presentation for certificates and logs to be more consistent and readable.

• UI spacing refinements
  Added more space between buttons in button groups for clearer layouts.

• Unified SAML Authn endpoint
  Added support for using the SAML Authn endpoint as a single URL that:

  • Serves IdP metadata on GET, and
  • Handles AuthnRequests via Redirect/POST.

Password Policy Groups and Aging

This release adds support for password policy groups per environment and extends the base environment password policy.

Environments can now hold up to 10 named policy groups, each with an optional display name. Users may be linked to a group by name. If no group is assigned, the environments base password policy applies. The feature is exposed in the Control Client UI under Envionment Settings.

The password policy has been expanded with new controls:

• Maximum password length
• Banned characters list
• Password history check
• Maximum password age
• Soft password-change window

Users now also store `PasswordLastChanged, set on initial password creation and on later password changes.

Login behavior:

• Passwords are validated against the active policy during login.
• If a password exceeds maximum age, the user must change it.
• With a soft password-change window enabled, users are prompted during login and may either change immediately or continue signing in normally.
• Reset-password flows always enforce a hard password change regardless of soft window settings.

Bugs Resolved

Certificate loading reliability fix

A reliability issue affecting certificate loading on Windows Server in certain cases has been resolved.
Fallback certificate read methods have been added to ensure stable certificate handling across environments.

Unable to change client ID on test application

Resolved an issue where the test application URL was not updated when the client ID was changed.

This release strengthens session lifecycle management across FoxIDs, improving how user sessions are created, updated, and removed.
It introduces new APIs for retrieving and deleting individual active sessions, prevents unintended session creation when session tracking is disabled, and improves robustness through safer active session updates.

New Features

• Session cleanup on Control Client login
  Ensure that user sessions are deleted when logging in through the Control Client, preventing stale sessions from persisting.

• Active session retrieval and deletion APIs
  Added new APIs to:

  • Retrieve a single active session
  • Delete a single active session

• Respect disabled session settings
  Sessions are no longer created in the Login authentication method when session settings are set to 0 (disabled).

• Safer active session updates
  Added null checks before assigning applications and authentication methods to an active session, preventing unexpected failures.

This release introduces extensive improvements to claim handling, session management, authentication flows, UI functionality, and security hardening across FoxIDs.
Enhancements include richer claim transform capabilities, improved login and environment management in the Control Client, extended dynamic content and CSS generator support, stronger session validation, improved certificate handling, and refined security headers.

New Features

Claim Transform Enhancements

• Added support for saving claims on both internal and external users through a claim transform task.
• Added support for querying external users using the linked claim value in a claim transform task.
• Added the ability to select which claims are queried on internal or external users within a claim transform task.
• Added support for logging events that include claim values during claim transform execution.
• Added support for large text translations, used in UI elements displaying content such as terms and conditions.
• Dynamic content now supports checkbox fields, large text fields, and large HTML elements.
• Width support for Markdown formatting in text and large text fields.

Control Client Improvements

• Added easy access to log in to the test application again after logout.
• Environment Settings now auto-scrolls to the top after deleting an environment.
• Updated CSS generator with support for large content and checkbox elements.

Authentication and Protocol Improvements

• OpenID Connect now displays invalid redirect URIs on the generic error page.
• The SAML 2.0 application now checks the HTTP form for a login hint if it is not supplied via query parameters or the SAML 2.0 request from the relying party.
• Default behavior updated (new environments): refresh tokens are now deleted when a user changes or sets a password in master environments.
• Added support for active sessions stored in the database, allowing remote session termination.
• Access token sessions are now validated using the sid claim and active session data in the UserInfo endpoint.
• Added support for deleting refresh token grants per session ID.

Security and System Enhancements

• Health checks can now verify individual dependencies separately.
• Updated jQuery Validate JavaScript library.
• Improved handling of security headers by allowing any request headers (not only Content-Type and Authorization) in Control.
• Added broader support for Permissions-Policy security headers.
• Stream logger now flushes only Application Insights data for improved performance.
• Improved certificate upload flow and added support for PEM files (.crt + .key).

This release upgrades FoxIDs to .NET 10, bringing the latest runtime improvements and long term support benefits. It also resolves a critical Windows Server issue where certificates could not be read reliably and adding fallback read methods.

New Features

Upgraded to .NET 10

FoxIDs now runs on .NET 10 for improved performance, security, and platform support.

Bug Resolved

Certificate loading reliability fix

A reliability issue affecting certificate loading on Windows Server in certain cases has been resolved. Fallback certificate read methods have been added to ensure stable behavior across environments.

This release introduces extensive improvements to claim handling, session management, authentication flows, UI functionality, and security hardening across FoxIDs.
Enhancements include richer claim transform capabilities, improved login and environment management in the Control Client, extended dynamic content and CSS generator support, stronger session validation, improved certificate handling, and refined security headers.
A critical bug related to certificate reading on Windows Server has also been resolved.

New Features

Claim Transform Enhancements

• Added support for saving claims on both internal and external users through a claim transform task.
• Added support for querying external users using the linked claim value in a claim transform task.
• Added the ability to select which claims are queried on internal or external users within a claim transform task.
• Added support for logging events that include claim values during claim transform execution.

Control Client Improvements

• Added easy access to log in to the test application again after logout.
• Environment Settings now auto-scrolls to the top after deleting an environment.
• Added support for large text translations, used in UI elements displaying content such as terms and conditions.
• Dynamic content now supports checkbox fields, large text fields, and large HTML elements.
• Updated CSS generator with support for large content and checkbox elements.

Authentication and Protocol Improvements

• OpenID Connect now displays invalid redirect URIs on the generic error page.
• The SAML 2.0 application now checks the HTTP form for a login hint if it is not supplied via query parameters or the SAML 2.0 request from the relying party.
• Default behavior updated (new environments): refresh tokens are now deleted when a user changes or sets a password in master environments.
• Added support for active sessions stored in the database, allowing remote session termination.
• Access token sessions are now validated using the sid claim and active session data in the UserInfo endpoint.
• Added support for deleting refresh token grants per session ID.

Security and System Enhancements

• Health checks can now verify individual dependencies separately.
• Updated jQuery Validate JavaScript library.
• Improved handling of security headers by allowing any request headers (not only Content-Type and Authorization) in Control.
• Added broader support for Permissions-Policy security headers.
• Stream logger now flushes only Application Insights data for improved performance.
• Improved certificate upload flow and added support for PEM files (.crt + .key).

Bug Resolved

Certificate loading reliability fix

A reliability issue affecting certificate loading on Windows Server in certain cases has been resolved.

This release introduces extensive improvements to claim handling, session management, authentication flows, UI functionality, and security hardening across FoxIDs.
Enhancements include richer claim transform capabilities, improved login and environment management in the Control Client, extended dynamic content support, stronger session validation, and refined security headers.
A critical bug related to certificate reading on Windows Server has also been resolved.

New Features

Claim Transform Enhancements

• Added support for saving claims on both internal and external users through a claim transform task.
• Added support for querying external users using the linked claim value in a claim transform task.
• Added the ability to select which claims are queried on internal or external users within a claim transform task.
• Added support for logging events that include claim values during claim transform execution.

Control Client Improvements

• Added easy access to log in to the test application again after logout.
• Environment Settings now auto-scrolls to the top after deleting an environment.
• Added support for large text translations, used in UI elements displaying content such as terms and conditions.
• Dynamic content now supports checkbox fields, large text fields, and large HTML elements.

Authentication and Protocol Improvements

• OpenID Connect now displays invalid redirect URIs on the generic error page.
• The SAML 2.0 application now checks the HTTP form for a login hint if it is not supplied via query parameters or the SAML 2.0 request from the relying party.
• Default behavior updated (new environments): refresh tokens are now deleted when a user changes or sets a password in master environments.
• Added support for active sessions stored in the database, allowing remote session termination.
• Access token sessions are now validated using the sid claim and active session data in the UserInfo endpoint.

Security and System Enhancements

• Health checks can now verify individual dependencies separately.
• Updated jQuery Validate JavaScript library.
• Improved handling of security headers by allowing any request headers (not only Content-Type and Authorization) in Control.
• Added broader support for Permissions-Policy security headers.
• Stream logger now flushes only Application Insights data for improved performance.

Bug Resolved

• Certificate loading reliability fix
  The Read Certificate API now uses EphemeralKeySet, ensuring certificates are processed entirely in memory instead of disk.
  This fixes an issue where certificates could not be read on Windows Server in certain cases.

This release addresses a bug in the Control Client where OpenID Connect applications displayed an incorrect authority value.
The fix ensures that applications now show the correct authority configuration.

Bugs Fixed

• Incorrect authority displayed in OpenID Connect applications
  The Control Client previously showed an incorrect authority for OpenID Connect applications.
  This issue has been resolved - the correct authority is now displayed.

This update introduces a configuration change to how refresh token grants are handled during request password changes.
It improves flexibility by allowing administrators to control whether refresh tokens should be deleted when a password change or password setup is requested via email or SMS confirmation.

Changing Feature

• Configurable refresh token grant deletion
  Refresh token grants are no longer automatically deleted when a password change or a password setup via email or SMS confirmation code is requested for a user in the Control Client or Control API.
  Instead, it is configurable per Login authentication method whether refresh token grants should be deleted when a password change occurs.