ProAuth Release Notes

Appearance

ProAuth 2.0.50 Stable

ProAuth 2.0.50 is a major milestone release, introducing a significant core rewrite with a custom OpenID Connect protocol implementation, an upgrade to .NET 8, and enhanced security features such as AKS Entra Workload Identity support and hardened container images.

ACTION REQUIRED

This release contains significant architectural changes and manual migration steps:

  • MVC View Refactoring: Views have been refactored to use strongly typed ViewModels. If you have customized views, you must adjust them to match the new models (#2670).
  • E-Mail Templates Migration: E-mail templates have migrated from module options to Views. Existing templates must be manually migrated to the new View-based system (#2568).
  • AKS Entra Workload Identity: This requires new Kubernetes service accounts (proauth-service-account and proauth-dbdeploy-service-account). Custom role bindings for the default account must be mapped to these new accounts (#2728).
  • OIDC Core Rewrite: All claims from federation are now prefixed with fed_ (e.g., fed_us_profile). Claim names have been shortened (e.g., pa_issuer_ to pa_iss_). Authentication now fails if unallowed resources or scopes are requested (#2369).
  • API Batch Operations: Several API routes have changed from bulk to batch or import/bulk to import/batch (e.g., Label, ProAuthUserProfile, UserStore UserProfile) (#2695).

New Features

  • .NET 8 Upgrade: The entire ProAuth stack has been upgraded to .NET 8 (#2720).
  • Observability: Migrated observability to OpenTelemetry libraries and added internal metrics endpoints (#2694).
  • AKS Entra Workload Identity: Added support for Entra Workload Identity in Azure Kubernetes Service deployments (#2728).
  • Token Uniqueness: Added JTI claims to all tokens to enforce uniqueness and improve security (#2749).
  • Hardened Containers: Docker images now use chiseled base images with a configurable security context for improved security (#2565).
  • Password Migration: Added a new Password Hasher to support migrations from legacy ASP.NET Membership systems (#2716).
  • Enhanced Configuration:
    • Support for custom TLS certificate validation in HTTP clients (#2726).
    • Configurable DATAS GC mode for container images (#2732).
    • Tenant-specific issuer support for OIDC (#2696).

Major Updates

  • User Store Improvements:
    • Dedicated PasswordChange view for user store users outside the authentication flow (#2714).
    • Added "Send password reset e-mail" functionality to the User Store API (#2711).
    • Support for bulk deletion of ProAuth users and CLI integration (#2639, #2640).
  • Health & Monitoring:
    • Added health checks for IDP instances to monitor database availability and schema status (#2638).
    • Enhanced exception handling for User Store login failures (#2697).
  • Data Model:
    • Extended ProAuthGroup with a TenantId field for optional tenant assignment (#2641).
    • Added metadata support for IDP and Two-Factor instances (#2735).

Bug Fixes

Security & Authentication

  • Session Handling: Fixed an issue where OIDC IDP logout would incorrectly keep the ProAuth session active (#2746).
  • Claims Mapping: Fixed incorrect inbound claim type mapping for OIDC IDP instances (#2745, #2747).
  • Concurrency: Resolved concurrency exceptions in ServiceClientFactory (#2756).
  • Token Security: Sensitive API parameters in the User Store API are now passed in the request body instead of query parameters (#2710).
  • SCIM: Fixed broken SCIM external ID synchronization after login (#2748).

Infrastructure & Deployment

  • TLS Certificates: Resolved issues with Cert-Manager generated TLS certificates and async issues for Azure DefaultCredentialTokens (#2736).
  • Container Configuration: Fixed missing default values in DbDeploymentWorker and explicitly configured web optimizer cache directories (#2715, #2750).
  • Logging: Improved log level configuration for modular pipelines (#2751).

User Interface & Administration

  • Audit Logs: Fixed issues where AuditTrails were not displayed due to incorrect service URLs or missing entity configurations (#2703, #2740, #2576).
  • Admin UI:
    • Fixed group and user relationship display for login restrictions (#2753).
    • Fixed validation errors when removing tenant keys (#2630).
    • Fixed UI issues with single quotes in GridFilters (#2625).
  • Internationalization: Fixed incorrect request culture identification and added translations for validation error messages (#2725, #2663).

This version is primarily a maintenance release that consolidates the enhancements and fixes from the earlier 2.0.x releases.