ProAuth 2.0.48 Stable

This release marks a significant milestone for the ProAuth platform, introducing a major upgrade to .NET 8, a complete rewrite of the OpenID Connect protocol core, and significant enhancements to security and observability.

ACTION REQUIRED

This release contains significant architectural changes and manual migration steps:

  • MVC View Refactoring: Views have been refactored to use strongly typed ViewModels. If you have customized views, you must adjust them to match the new models (#2670).
  • E-Mail Templates Migration: E-mail templates have migrated from module options to Views. Existing templates must be manually migrated to the new View-based system (#2568).
  • AKS Entra Workload Identity: Entra Workload Identity support requires new Kubernetes service accounts (proauth-service-account and proauth-dbdeploy-service-account). Custom role bindings for the default account must be mapped to these new accounts (#2728).
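
For the service account step above, one way to find the role bindings that still point at the default account and rewrite their subject. This is an added example, not ProAuth code; the namespace "proauth", the binding names and the role names are constructed assumptions.

```python
import copy

# Service accounts named in the release notes (#2728).
NEW_ACCOUNTS = ("proauth-service-account", "proauth-dbdeploy-service-account")

def _is_default_sa(subject, binding_ns, namespace):
    # A ServiceAccount subject in a RoleBinding may omit its namespace;
    # it then refers to the binding's own namespace.
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("name") == "default"
            and (subject.get("namespace") or binding_ns) == namespace)

def bindings_on_default(listing, namespace):
    """List (kind, binding namespace, binding name, role) for every binding
    that grants a role to the `default` service account of `namespace`."""
    hits = []
    for item in listing.get("items", []):
        meta = item["metadata"]
        if any(_is_default_sa(s, meta.get("namespace"), namespace)
               for s in item.get("subjects") or []):
            hits.append((item["kind"], meta.get("namespace"), meta["name"],
                         item["roleRef"]["name"]))
    return hits

def remap(binding, namespace, new_account):
    """Return a copy of `binding` whose default-account subject points at
    `new_account`; which of the two accounts fits is the operator's call."""
    if new_account not in NEW_ACCOUNTS:
        raise ValueError(f"not a ProAuth service account: {new_account}")
    out = copy.deepcopy(binding)
    for s in out.get("subjects") or []:
        if _is_default_sa(s, out["metadata"].get("namespace"), namespace):
            s["name"], s["namespace"] = new_account, namespace
    return out

# Constructed sample in the shape of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = {"items": [
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "proauth"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "node-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "proauth"}]},
    {"kind": "RoleBinding", "metadata": {"name": "other", "namespace": "billing"},
     "roleRef": {"kind": "Role", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "billing"}]},
]}
```

Bindings left on the default account after the upgrade keep granting their role to every pod in the namespace that does not set a service account, so an empty result from bindings_on_default is the state to aim for.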

Core Identity & Protocol

OIDC Core Rewrite [Core] [Breaking Change]

A complete rewrite of the OpenID Connect protocol implementation improves performance and ensures stricter compliance with modern identity standards (#2369).

  • Federated Claims: All claims from federation are now prefixed with fed_ (e.g., fed_us_profile).
  • Strict Validation: Authentication now fails if unallowed resources or scopes are requested, rather than silently removing them.
  • Claim Names: ProAuth claim type names have been shortened (e.g., pa_issuer_ to pa_iss_).

Security Hardening [Security]

  • Token Uniqueness: Added JTI (JWT ID) claims to all tokens to enforce uniqueness and prevent reuse (#2749).
  • Hardened Containers: Docker images now use chiseled base images with a configurable security context for improved security (#2565).
  • AKS Entra Workload Identity: Added native support for Entra Workload Identity in Azure Kubernetes Service deployments (#2728).
  • Password Security: Introduced a new Password Hasher to support migrations from legacy ASP.NET Membership systems (#2716).

Platform Infrastructure

.NET 8 Upgrade [Infrastructure]

The entire ProAuth stack has been upgraded to .NET 8, providing significant performance improvements and access to the latest runtime features (#2720).

Observability

Migrated the entire observability suite to OpenTelemetry (OTEL) libraries. This includes new internal endpoints for metrics and improved trace propagation across services (#2694).

Deployment & Config [Infrastructure]

  • External Certificate Support: Support for custom TLS certificate validation in HTTP clients (#2726).
  • Email Template Management: E-mail templates are now managed within the Custom View engine, allowing for more flexible layouts and branding (#2568).

Administration & API

API & Batch Operations [AdminApp] [Breaking Change]

Several API routes have been renamed for consistency and expanded to support batch updates (#2695).

  • Routes changed from bulk to batch or import/bulk to import/batch (affects Label, UserProfile, and ViewDefinition controllers).
  • Added bulk delete capability for ProAuth Users (#2639) and batch profile creation/updates (#2534).

Self-Service & User Management [Core]

  • Password Management: Added a dedicated ChangePassword endpoint for User Store users that can be accessed outside the standard login flow (#2714).
  • Password Resets: Added a "Send password reset e-mail" action to the User Store API (#2711).
  • Tenant Isolation: Extended endpoints, user groups, and client application filtering to be tenant-specific for better multi-tenant isolation (#2643, #2641, #2616).

Platform Stability & Bug Fixes

Core Reliability

  • SCIM Integration: Fixed SCIM external ID breakage after login (#2748) and improved revocation logic for inactive users (#2636).
  • Session Management: Resolved an issue where OIDC sessions remained alive after logout (#2746).
  • Auth Integrity: Fixed incorrect claim type mapping for OIDC IDP instances (#2745, #2747).
  • DB Stability: Fixed async issues and deployment failures on .NET 8 (#2736, #2715).

UI & Administration

  • Audit Trails: Fixed AdminUI connectivity issues for audit trail views (#2740) and added coverage for previously undefined model types (#2703).
  • Navigation: Fixed User Store group mapping deletion during first login (#2686) and improved admin UI navigation for login restrictions (#2753).

For more information, please refer to the Technical Documentation.