Releases

• Remove 2FA / KeyVault restriction from free plan.
• Add one day to OpenSearch 30 day logs to support months with 31 days.
• Add Operation ID to error page.
• Improve OpenID Connect auth method empty response error message.
• Default not adding content security policy (CSP) form-action instead of sending "*". Default disabled because Chrome/Safari block redirects and it is impossible to know about further redirects.
• Improve automatically update of OpenID Connect discovery and SAML 2.0 metadata.
• Remove two irrelevant API trace logs.

Resolve bug:

• Add TTL index to MongoDB based cache.

• Accept to return CORS with custom schemes like capacitor://localhost.

• Remove usage type logs from OpenSearch log query.
• Add usage count for external users.
• Not include the master environments in the environments usage count.

• Change logging to make Application Insights optional and support OpenSearch for logging. Configured OpenSearch with the log option OpenSearchAndStdoutErrors.
• Log properties are changed to be more readable and not start with f_.
• Improve MongoDB support and add master data in separate collections.
• Change to use MailKit instead of System.Net.Mail to support implicit TLS.
• Add IgnoreProxyHeaderDomain setting to ignore a specific domain and by that support multi tenant deployment in K8s.
• Add support for 1000 values in processing claims.

• Starting to phase out the use of KeyVault inside the FoxIDs application. KeyVault is still used for secrets in an Azure deployment.
• With this version, application elements are moved from KeyVault and into the database.

> IMPORTANT: Before updating to this version, grant the FoxIDs sites managed identity the Delete secret and Delete certificate permissions in Key Vaults Access policies.

• Kubernetes deployment improved and tested on OVHcloud.
• Docker build libraries used in the GitHub action updated to the latest version.

• Authenticate external users in an External login authentication method by calling an external API. This makes it possible to place users outsight FoxIDs, for example in an existing user store. The username can be the users email or text-based username.
• Compare JsonWebKey (certificates) by the Kid parameter instead of the X5t parameter.
• Add SAML 2.0 authn request extensions XML support.

Updated to ITfoxtec.Identity version 2.9.0, the following two changes will only have effect on new certificates:

• Add the X5tS256 value in JsonWebKey according to: The "x5t" (X.509 certificate SHA-256 thumbprint) parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280].
• Change the X5c value in JsonWebKey to be: The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280].

Resolve bug:

• Set client authentication basic incorrect in OpenID Connect authentication method and use not quite correct encoding.

• If the client authentication post method is configured and a client secret is not received, default to use the client authentication basic method.

esolve bug:

• Read client authentication basic incorrect and use not quite correct encoding.

• By default, external users are linked to the sub claim type.

Resolve bug:

• Control client has invalid configured read certificate URL starting with pi/ instead of the correct api/.

• Test applications support custom domain without a custom primary domain.
• Test applications support master environment with a custom domain configured for the other environments.
• Add error page to Control Client to display server errors in a nice way.