ProAuth 2.0.59 Stable

ProAuth 2.0.59 is a comprehensive stabilization release that consolidates all major architectural changes from the 2.0.x branch into a single stable build. It includes the .NET 8 upgrade, the certified OIDC library implementation, and significant security and performance enhancements.

ACTION REQUIRED: Major Upgrade Notes

If you are upgrading from a version prior to 2.0.57, please review the ProAuth 2.0.57 release notes carefully. That release introduced fundamental changes to:

  • Kubernetes Infrastructure: Transition to Workload Identity and new Service Accounts.
  • E-Mail Templates: Migration from configuration options to custom views.
  • OIDC Claims: Standardized claim prefixes (fed_) and shortened ProAuth claim names.
  • Typed ViewModels: Requirement to update customized MVC views.

BREAKING CHANGE: API Route Renaming

To align with REST best practices, several API routes for batch operations have been renamed from bulk to batch.

  • Affected Controllers: Label, ClientAppMetadata, ClientAppResource, ClientAppScope, ProAuthGroupMetadata, ProAuthUserProfile, UserStore GroupMetadata, UserStore UserProfile.
  • ViewDefinition: import/bulk is now import/batch.
  • Impact: Only affects integrations that access the API directly via HTTP. Users of the ProAuth client libraries should update to the latest package version.

ACTION REQUIRED: UserStore API Security

Sensitive API parameters in the UserStore user API have been moved from query strings to the request body (#2710).

  • Action: Ensure you update your ProAuth client library to the latest version.
  • Compatibility: The API remains backward compatible for now (a warning is logged whenever the sensitive values are still passed as query parameters), but query-parameter support for these values will be removed in a future release.
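During the compatibility window, a practical way to find integrations that still send sensitive values in the query string is to scan the reverse proxy or web server access logs, since query strings end up there while request bodies do not. The following Python scanner is an added example, not ProAuth's own code or tooling: the parameter names, the endpoint path and the log lines are constructed for illustration, and the log format is assumed to be the common/combined Apache-style format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed (not from ProAuth) list of parameter names that should never travel
# in a query string. Adjust to the names your client library actually sends.
SENSITIVE_PARAMS = {"password", "newpassword", "currentpassword", "token"}

# Combined/common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def find_sensitive_query_params(line: str):
    """Return the sorted sensitive parameter names found in the request
    target's query string, or None if the line does not parse or is clean."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    query = urlsplit(match.group("target")).query
    # keep_blank_values so that "?password=" (empty value) is still reported
    params = parse_qs(query, keep_blank_values=True)
    hits = sorted(name for name in params if name.lower() in SENSITIVE_PARAMS)
    return hits or None


def scan(lines):
    """Return [(line_number, [param, ...]), ...] for every offending line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_sensitive_query_params(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines; the /api/example-users path is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "PUT /api/example-users/42/password?currentPassword=old&newPassword=new HTTP/1.1" 200 17',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "PUT /api/example-users/42/password HTTP/1.1" 200 17',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/example-users?search=alice HTTP/1.1" 200 512',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: sensitive query parameters {hits}")
```

Run the scan over the period in which the deprecation warnings are being logged; any client still reported here needs its ProAuth client library updated before the query-parameter fallback is removed.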

New Features

OIDC & Security

  • Token Uniqueness (JTI): Added jti (JWT ID) claims to every token to enforce uniqueness and improve security tracking (#2749).
  • UserStore Password Management:
    • Added a dedicated password change view outside the authentication flow (#2714).
    • New API endpoint for triggering password reset emails (#2711).
    • Added Liquid template syntax support for calculating password change URLs in claim rules.
  • Identity Provider Metadata: Added metadata support for IDP and Two-Factor instances for better management (#2735).
  • Hidden IDP Instances: Identity Provider instances can now be marked as "hidden" to prevent them from appearing in the default UI while remaining active for specific flows (#2642).
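A unique jti claim only improves security tracking if something on the consuming side remembers which values it has already seen. The following Python snippet is an added example, not ProAuth's code: it shows the check a resource server or introspection layer can apply after signature verification so that a token is accepted at most once until its exp passes, and so that tokens without a jti are rejected. Signature verification is assumed to happen in the OIDC library before these claims are inspected; the sample token is constructed with a placeholder signature segment purely to exercise the parser.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment that may lack padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def read_claims(token: str) -> dict:
    """Parse the payload of a compact JWS. Assumes the signature was already
    verified by the OIDC library; this function only decodes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Constructed test token with a placeholder signature (NOT a valid JWS)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


class JtiReplayGuard:
    """Remembers each jti until the token's exp so a second presentation of
    the same token is reported as a replay. In-memory only: a multi-instance
    deployment would back this with a shared store such as a cache."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}  # jti -> exp (seconds since epoch)

    def _purge_expired(self) -> None:
        now = self._now()
        for jti, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[jti]

    def tracked(self) -> int:
        return len(self._seen)

    def check(self, claims: dict) -> str:
        """Return 'accepted', 'missing-jti', 'expired' or 'replay'."""
        self._purge_expired()
        jti, exp = claims.get("jti"), claims.get("exp")
        if not jti or exp is None:
            return "missing-jti"     # no way to track uniqueness: reject
        if exp <= self._now():
            return "expired"
        if jti in self._seen:
            return "replay"          # same token presented a second time
        self._seen[jti] = exp
        return "accepted"


if __name__ == "__main__":
    guard = JtiReplayGuard()
    token = make_sample_token({"sub": "alice", "jti": "demo-1", "exp": time.time() + 300})
    print(guard.check(read_claims(token)))  # first use
    print(guard.check(read_claims(token)))  # second use of the same token
```

Keying the store on jti with the token's own exp as the retention limit keeps memory bounded without losing protection: once a token can no longer be validated, its jti no longer needs to be remembered.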

Infrastructure & Deployment

  • Workload Identity Support: Fully integrated support for Azure Entra Workload Identity in AKS deployments (#2728).
  • Hardened Images: Transitioned to chiseled Ubuntu base images for reduced attack surface (#2565).
  • DATAS GC Mode: Enabled the new "Dynamic Adaptation To Application Size" Garbage Collection mode for improved container performance (#2732).
  • Helm Improvements: Fixed an issue with upper-case mounting names for inline certificates (#2758).

Audit & Observability

  • OpenTelemetry Migration: Fully migrated system observability to OpenTelemetry libraries, including internal status endpoints (#2694).
  • Audit Trail Standardization: User Store audit trails now consistently use the ProAuth User ID for easier filtering and correlation (#2766).
  • Extended Auditing: Added audit logging for password changes and resets initiated by users (#2767).

Improvements & Bug Fixes

ProAuth Core

  • Threading Fix: Resolved a critical multithreading issue where HttpClient default headers could be set multiple times under high concurrent load (#2770).
  • SCIM Stability:
    • Resolved database errors occurring during high-volume SCIM synchronization (#2757).
    • Fixed an issue where the SCIM external ID could be corrupted after a user login (#2748).
    • Added a startup check to ensure SCIM security keys meet the minimum length requirements (#2661).
  • OIDC/Claim Handling:
    • Fixed incorrect claim type mapping for certain OIDC IDP configurations (#2745, #2747).
    • Aligned audience claim formats with OIDC specifications (#2737).
    • Enhanced the claim rule engine to handle requested UserInfo claims more accurately (#2653).
  • Session Management: Fixed a bug where OIDC logout did not correctly terminate the local ProAuth session (#2746).
  • Localization: Improved request culture identification and added missing translations for validation error messages (#2725, #2663).

AdminApp

  • Audit View Fixes:
    • Fixed a URL issue that prevented Audit Trails from loading in certain environments (#2740).
    • Resolved a bug where Audit Trail diffing failed to show actual changes (#2576).
    • Adjusted buttons and labels in Audit Trail views for better clarity (#2760).
  • UI Enhancements:
    • Rearranged the UI for restricted client application definitions to be more intuitive (#2753).
    • Fixed issues with removing tenant keys in the administration interface (#2630).
  • Token Handling: Fixed an issue where the AdminApp would prematurely require a re-login after 10 minutes (#2683).