Tags

0.0.86

[0.0.86] - 2025-09-30
---------------------

Fixed
^^^^^
- Hypercorn launch with proxy settings turned on.

0.0.85

[0.0.85] - 2025-09-25
---------------------

Added
^^^^^
- Hypercorn can be configured by env vars, config file or CLI args. :issue:`280` :pr:`297`
- Hypercorn ``PROXY_MODE`` and ``PROXY_TRUSTED_HOPS`` settings to handle deployment behind proxies.

0.0.84

[0.0.84] - 2025-09-19
---------------------

Fixed
^^^^^
- The ``max_age`` parameter of session cookies is an int.

0.0.83

[0.0.83] - Unreleased
---------------------

.. warning::

    Manual migration required for LDAP backend: remove any existing ``oauthTrusted``
    attributes from client entries.
    Please follow the :ref:`ldap_schema_update` section.

Added
^^^^^
- OIDC originated connections display information about the client application on all
  the authentication pages. :issue:`271`
- Account selection screen on login page. Previously logged-in users are displayed
  as clickable cards with photos and names for quick re-authentication. :issue:`277`
- "Remember me" checkbox on login page. When checked (default), creates a 365-day
  session and adds user to login history. When unchecked, session expires on
  browser close and user is not saved to login history.

Changed
^^^^^^^
- Replace client ``trusted`` attribute with dynamic ``TRUSTED_DOMAINS`` configuration.
  Clients are now automatically trusted based on their ``client_uri`` domain matching
  patterns in the ``TRUSTED_DOMAINS`` setting. :issue:`290`

Fixed
^^^^^
- The SCIM endpoint correctly manages patching user passwords.
- Locale guessing prefer prefix matches. :issue:`128`
- Make the ``get`` command flags accept negative boolean. :issue:`266`
- The SQL backend can perform exact match searches on JSON list attributes. :issue:`278`
- Fix HTMX swapping for inline validation on email fields. :issue:`279`
- Fix Docker commands in the documentation. :issue:`283`
- Remove deprecated ``X-XSS-Protection`` header example in web server configurations. :issue:`293`

0.0.82

[0.0.82] - 2025-08-26
---------------------

Fixed
^^^^^
- Don't display the welcome flash when redirected to a client application after login.
- Sign OIDC ``id_token`` according to ``id_token_signed_response_alg`` client metadata.

0.0.81

[0.0.81] - 2025-08-23
---------------------

Fixed
^^^^^
- JWK algorithm detection with OKP keys.
- OIDC Client ``acess_token`` and ``refresh_token`` are unique in the SQL backend.
- The OIDC metadata indicate that some more algs, including `EdDSA` are supported.

Added
^^^^^
- OIDC ``iat`` claims are now float, with milli/micro-second precision. :issue:`292`
- LDAP dates are stored with milliseconds precision and timezones.

0.0.80

[0.0.80] - 2025-08-22
---------------------

Fixed
^^^^^
- Error during JWK generation.

0.0.79

[0.0.79] - 2025-08-22
---------------------

Changed
^^^^^^^
- Default JWK are OKP instead of RSA.

Fixed
^^^^^
- SCIM server advertise that ``externalId`` fields are not supported.
- Fix a bug happening at OIDC logout when ``post_logout_redirect_uri`` is empty.

Added
^^^^^
- Deterministic default JWK generation base on the ``SECRET_KEY``.
- Model management CLI have ``--quiet`` and ``--ignore_errors`` parameters. :issue:`291`
- SCIM PATCH server-side operations support. :pr:`285`

0.0.78

[0.0.78] - 2025-07-25
---------------------

Fixed
^^^^^
- Fix ``fake_groups`` call with no user.

0.0.77

[0.0.77] - 2025-06-20
---------------------

.. warning::

    This version comes with a configuration breaking change.

    The authentication factors configuration part have been reworked:

    - ``CANAILLE.EMAIL_OTP`` and ``CANAILLE.SMS_OTP`` have been removed.
    - ``CANAILLE.AUTHENTICATION_FACTORS`` has been introduced as a replacement.

Changed
^^^^^^^
- The configuration parameter :attr:`~canaille.core.configuration.CoreSettings.AUTHENTICATION_FACTORS` is added.
  The configuration parameters ``EMAIL_OTP`` and ``SMS_OTP`` are removed. :pr:`279`

0.0.76

[0.0.76] - 2025-06-06
---------------------

Fixed
^^^^^
- bs4 is not required for test mode.

0.0.75

[0.0.75] - 2025-06-06
---------------------

.. warning::

    This version comes with a configuration breaking change.

    The OIDC configuration part have been reworked:

    - ``CANAILLE_OIDC.JWT.MAPPING`` becomes ``CANAILLE_OIDC.USERINFO_MAPPING``
    - ``CANAILLE.JWT`` is removed. You can migrate your keys with this script:

    .. code-block:: python

        import tomlkit
        from joserfc import jwk

        with open("canaille.toml") as fd:
            config = tomlkit.load(fd)

        key = jwk.RSAKey.import_key(config["CANAILLE_OIDC"]["JWT"]["PRIVATE_KEY"])
        config["CANAILLE_OIDC"]["ACTIVE_JWKS"] = [key.as_dict()]

        with open("canaille.toml", "w") as fd:
            config = tomlkit.dump(config, fd)

.. warning::

    This version comes with a schema breaking change.
    The LDAP schema has evolved. If you use the LDAP schema, please follow the :ref:`ldap_schema_update` section.

Changed
^^^^^^^
- Reworked the JWK configuration. :issue:`119`
- OIDC UserInfo endpoint is managed with Authlib. :issue:`244`
- The default behavior of ``canaille config dump`` is to write the configuration in the standard output.

Added
^^^^^
- Support for :rfc:`RFC9101 JWT-Secured Authorization Request (JAR) <9101>` :issue:`254`
- Adds a docker image on hubdocker :issue:`262`
- Update the doc to use and update the docker image :issue:`260`

Fixed
^^^^^
- The email field was losing focus when updated with HTMX. :issue:`279`

0.0.74

[0.0.74] - 2025-04-24
---------------------

Added
^^^^^
- Mock gettext when ``flask-babel`` dependency is not installed.

0.0.73

0.0.72

[0.0.72] - 2025-04-07
---------------------

.. warning::

    This version comes with a schema breaking change.
    The LDAP schema has evolved. If you use the LDAP schema, please follow the :ref:`ldap_schema_update` section.

Added
^^^^^
- ``updated_at`` claim in ``id_token`` and ``userinfo`` endpoint.
- Support for POST method in OIDC authorization endpoint. :issue:`263`

Fixed
^^^^^
- Client JWT authentication for OIDC refresh_token and password grants. :issue:`233`
- Ensure `id_token` has a `kid` header. :issue:`245`
- ``id_token`` session authentication time.
- Configuration exception when a feature is configured but its dependencies are missing.

0.0.71

[0.0.71] - 2025-03-31
---------------------

Fixed
^^^^^
- Remove config dump in about page.

0.0.70

[0.0.70] - 2025-03-28
---------------------

Added
^^^^^
- Add a :attr:`~canaille.core.configuration.CoreSettings.LOGIN_ATTRIBUTES` configuration
  parameter to allow to disable https forced redirections.

0.0.69

[0.0.69] - 2025-03-28
---------------------

Added
^^^^^
- Configuration automatically discovers local SMTP server when available. :issue:`216`
- :class:`~canaille.oidc.configuration.OIDCSettings.ENABLE_OIDC` configuration parameter.
- Content Security Policy. :pr:`266`

Fixed
^^^^^
- Locked account cannot reset their password. :issue:`250`
- Canaille has default admin ACLs. :issue:`253`
- Phone number edition raising 400 with HTMX. :issue:`259`

0.0.68

[0.0.68] - 2025-03-18
---------------------

Fixed
^^^^^
- LDAP partial restore. :issue:`257`

0.0.67

[0.0.67] - 2025-03-18
---------------------

.. warning::

    This version comes with a schema breaking change.
    The LDAP schema has evolved. If you use the LDAP schema, please follow the :ref:`ldap_schema_update` section.

Added
^^^^^
- Full OIDC Dynamic Client Registration implementation. :issue:`231`