Releases

This release fixes an issue in the password reset flow, ensuring that the correct communication channel is selected based on user configuration.
FoxIDs now correctly respects user-specific channel restrictions when both SMS and email are available in the authentication method.

Bugs Resolved

Password reset channel selection

• Correct channel selection for password reset codes
  Fixed an issue where FoxIDs could attempt to send a password reset code via SMS even when SMS was disabled for the user.

• Improved channel prioritisation
  If the authentication method allows both SMS and email, but the user is only permitted to reset their password via either SMS or email, the permitted method is selected.

This release introduces Directory Connector support, enabling FoxIDs to integrate with external authoritative user directories while maintaining internal user records.
It allows organisations to delegate authentication and password lifecycle operations to external systems such as Active Directory, while still leveraging FoxIDs for identity orchestration and claims handling.

In addition, a deployable Active Directory Directory Connector component is provided, simplifying integration with on-premises environments.
The release also strengthens security and consistency by enforcing stricter validation of enabled user identifiers in login authentication methods.

⚠️ The External Login – API is now obsolete and will be phased out in a future release. It is recommended to migrate to the Directory Connector for all external authentication scenarios.

New Features and Improvements

Directory Connector

Added Directory Connector support for validating users against an external authoritative directory while maintaining internal FoxIDs users.

• Validate username and password against an external directory.
• Delegate password change and set-password operations to the external directory.
• Save a local password copy by default, allowing future transition to internal validation without forcing password resets.
• Automatically disable or delete internal users when the external directory reports changes.
• Support external directory identifiers via directoryUserId.
• Support password policy error codes from the external directory, enabling clear validation messages.
• Create or update internal users on successful authentication with identifiers, claims, and properties from the directory.
• Includes a documented API contract and sample implementation.

Active Directory Directory Connector Component

Added a deployable Active Directory Directory Connector component for Windows/IIS environments.

• Deployable as a standalone ZIP package.
• Uses static API key protection via FoxIDs Basic authentication, with optional X-FoxIDs-Api-Key support for reverse proxy scenarios.
• Supports user lookup by email, phone, or username.
• Returns directoryUserId as base64 encoded Active Directory objectGUID.
• Authenticates users by validating passwords against AD.
• Supports password change and set-password operations in AD (requires appropriate privileges).
• Returns configurable AD attributes as FoxIDs claims.
• Optional support for nested AD group claims.
• Includes a health endpoint for operational status and AD connectivity checks.
• Comprehensive documentation for configuration, IIS installation, deployment, patching, and updates.

Authentication Improvements

• Stricter user identifier validation
  Enforced stricter compliance for which user identifiers are enabled in login authentication methods, improving consistency and reducing configuration errors.

This release introduces Access Structure, a powerful new feature for modelling hierarchical access across both internal and external users.
It enables organisations to define structured access models such as departments, roles, or customers, and automatically resolve user memberships into claims at login.

By converting hierarchical relationships into fixed local claims, the feature integrates seamlessly with existing claim transforms and authorisation logic without requiring dynamic claim handling.
Additional improvements include enhanced token decoding capabilities in the Control Client for better diagnostics and troubleshooting.

New Features and Improvements

Access Structure

FoxIDs now includes a new Access Structure feature for modelling hierarchical access for both internal and external users.

• Hierarchical access modelling
  Define access using a node hierarchy and assign user memberships to specific nodes.
  Each access structure contains a single node hierarchy.

• Resolved access at login
  At login, FoxIDs resolves user membership and inherited hierarchy into fixed local claims, enabling use in existing claim transforms and authorisation flows.

• Optional claim forwarding
  If the default-enabled Forward access structure claims to applications setting is enabled, resolved access claims are forwarded to downstream applications.

Local claims emitted in claim transforms

• _local:access_node
• _local:access_claim
• _local:access_path_claim

Example use cases

• Model customer, department, and role hierarchies
• Assign approver or reader responsibilities through node membership
• Enrich users with resolved access context before claim transforms execute
• Forward resolved access claims to applications when needed

Control Client Improvements

• Token decoding enhancements
  Added support for decoding:

  • UserInfo access_token
  • Logout id_token_hint

  This improves troubleshooting and visibility into authentication flows directly within the Control Client.

This release improves standards compliance for OpenID Connect tokens by correcting how the amr (Authentication Methods References) claim is issued.
The change aligns FoxIDs with the OpenID Connect specification and improves compatibility with standards-compliant clients, libraries, and downstream token validation.

Additionally, the release improves Control Client validation logic by adding missing UI checks for various username formats, ensuring more consistent handling of phone numbers, email addresses, and username combinations.

Improvements

OpenID Connect amr Compliance

• Correct data type for amr claim
  The amr claim is now issued as an array, in accordance with the OpenID Connect specification.

• Improved interoperability
  Previously, amr could be returned as a string, which could cause issues with strict or standards-compliant clients.
  This has been corrected to ensure consistent and reliable token processing across integrations.

Control Client Validation Improvements

• Improved username validation checks
  Added missing UI checks for certain username types, including combinations of:

  • Phone numbers
  • Email addresses
  • Usernames

  This ensures more consistent validation and reduces the risk of invalid or ambiguous user input.

This release improves standards compliance for OpenID Connect tokens by correcting how the auth_time claim is issued.
The change ensures better compatibility with standards-compliant clients, libraries, and downstream validation systems by aligning with the official specification.

Improvements

OpenID Connect auth_time Compliance

• Correct data type for auth_time claim
  The auth_time claim is now issued as a numeric value, in accordance with the OpenID Connect specification.

• Improved interoperability
  Previously, auth_time could be returned as a string, which could lead to compatibility issues with strict or standards-compliant clients.
  This has now been corrected to ensure consistent and reliable token validation across integrations.

This release improves network handling, scalability, and Control Client usability in FoxIDs.
Enhancements include more accurate client IP detection when using proxies, increased limits for home realm discovery (HRD), and refined user interfaces for managing applications and authentication methods.

In addition, HTTP request handling has been strengthened with case-insensitive header processing, improved diagnostics through full header logging, and simplified forwarded header support.

New Features and Improvements

Network and IP Handling

• Improved client IP detection
  Client IP address handling now supports proxy-style comma-separated IP lists.
  The system parses and uses the first non-empty value as the client IP address, improving accuracy in proxy and load-balanced environments.

• Increased HRD IP limits
  The number of supported Home Realm Discovery (HRD) IP addresses and IP ranges has been increased from 10 to 20, allowing more flexible routing configurations.

Control Client Improvements

• Enhanced application and authentication UI
  Improved the user experience when adding applications and authentication methods in the Control Client.

HTTP Request Handling

Case-Insensitive Request Header Handling

• Ignore request header casing
  Request headers are now handled in a case-insensitive manner, ensuring consistent behaviour regardless of how headers are formatted by clients or intermediaries.

Enhanced HTTP Request Diagnostics

• Full HTTP request header logging
  FoxIDs can now log all incoming HTTP request headers. This capability is intended for troubleshooting and diagnostic scenarios and should only be enabled temporarily when investigating issues.

Simplified Forwarded Header Handling

• Removed support for underscore variants of forwarded headers
  Support has been removed for the following non-standard header variants:
  • X_Forwarded_For
  • X_Forwarded_Scheme
  • X_Forwarded_Proto

This release improves the tenant creation experience, strengthens data binding reliability in the Control Client, and resolves issues in the CosmosDB to PostgreSQL migration tooling.

New Features and Improvements

Improved Tenant Creation

• Admin user claims during tenant creation
  It is now possible to create a tenant while assigning claims to the initial admin user, such as given_name and family_name.

• Company name for new tenants
  A company name can now be specified when creating a new tenant, improving tenant identification and management.

Control Client Improvements

• More robust voluntary claim data binding
  Added a key to the voluntary claim element in the Control Client scope list to ensure more reliable data binding and reduce UI inconsistencies.

Migration Tooling Improvements

• CosmosDB to PostgreSQL migrator packaging fix
  Added the appsettings.json file to the CosmosDbToPostgreSQLMigrator build package and corrected a dependency issue affecting the migration tool.

This release introduces flexible multi-factor authentication (MFA) capabilities, expanded claims diagnostics, improved token and log visualization, and enhanced infrastructure tooling.
Authentication methods such as OIDC, SAML 2.0, and TrackLink can now be configured as MFA steps alongside traditional factors like SMS, Email, and Authenticator App, allowing highly customizable authentication flows.

The release also improves developer and administrator insight by enhancing claim transform logging, adding token decoding directly in logs, and introducing more precise log filtering. Additionally, a new CosmosDB-to-PostgreSQL migration asset has been added to simplify database transitions.

New Features and Improvements

Multi-Factor Authentication (MFA) with Authentication Methods

• Added support for multi-factor authentication (MFA) where authentication methods can be used as MFA steps.
• Authentication methods such as OIDC, SAML 2.0, and TrackLink can now participate in MFA alongside traditional factors like SMS, Email, and Authenticator App.
• Enabled with a Enable multi-factor flag on the Login authentication method.
• Allows configuration of an ordered list of MFA steps with specific ACR values for fine-grained authentication control.

Uppercase SMS and Email Codes

SMS and email verification codes are now automatically converted to uppercase as users type in the browser. This improves usability by reducing errors caused by letter casing and makes code entry more consistent across authentication and confirmation flows.

This applies to SMS and email code entry in:

• Two-factor authentication
• Passwordless sign-in
• Email and phone confirmation
• Email and phone set-password flows

Enhanced Claims Diagnostics and Visualisation

• Improved claims logging by recording both input and output claims in claim transforms.
• Local _local: claims are now also visible in logs.
• Claim logs in the Control Client are now colour-coded and easier to read.

Token Decoding in Logs

• Added support for decoding tokens directly in logs:
  • ID tokens
  • Access tokens
  • SAML 2.0 tokens
• Tokens are displayed in a formatted and colour-coded view in the Control Client for easier inspection.

Improved Log Filtering

• Logs and audit logs can now be filtered using from-time and to-time instead of fixed intervals in the Control Client.

Claim Transform Improvements

• Claim transform queries now ignore claim value casing when searching internal and external users.
• Claim selection based on claim value is now case-insensitive.

Forwarded Header Compatibility

• Added support for reading forwarded headers with underscores and case-insensitive matching:
  • X_Forwarded_For
  • X_Forwarded_Scheme
  • X_Forwarded_Proto

Migration Tooling

• Added the CosmosDB-to-PostgreSQL migrator as an assets component to simplify database migration scenarios.

This release improves the onboarding and billing experience in FoxIDs Cloud, making it easier to start with a paid plan while maintaining flexibility in the Control Client interface.
New tenants can now be created with a paid plan that includes the first month free, and payment warning messages in the Control Client can be dismissed for improved usability.

New Features and Improvements

• Improved paid plan onboarding in FoxIDs Cloud
  Creating a new tenant with a paid plan in FoxIDs Cloud has been streamlined.
  New paid plans now include the first month free, making it easier to get started without immediate billing impact.

• Dismissible payment warnings
  Payment warning messages in the Control Client can now be closed.

This release enhances SAML 2.0 metadata handling, improves OpenID Connect ACR claim behavior, and introduces stronger testing capabilities in the Control Client.
Key updates include support for reading SAML metadata via URL or file upload, faster metadata refresh intervals for earlier certificate updates, and new re-login and MFA enforcement options in test applications.
Several Control Client usability issues have also been resolved.

New Features and Improvements

SAML 2.0 Metadata Enhancements

• Metadata import via URL and file upload
  Added support for reading SAML 2.0 metadata from both a URL and a file directly in application configuration.

• Faster metadata refresh interval
  Reduced the SAML 2.0 metadata update rate from 2 days to 24 hours, ensuring certificate changes are detected earlier.

OpenID Connect ACR Claim Improvements

• ACR claim passthrough support
  Added support for passing the ACR claim from an OpenID Connect application to the OpenID Connect authentication method.

Control Client Test Application Improvements

• Re-login and MFA enforcement
  Added support for triggering re-login and requiring MFA in Control Client test applications, improving authentication flow testing.

Bugs Resolved

• Fixed an issue that prevented deleting the last scope in OpenID Connect and OAuth application configurations in the Control Client.
• Fixed an issue where the Extended UI submit button text did not correctly fall back to “Log in” when an empty button label was configured.