v1.3: Custom OAuth, device trust, stay signed in

@FlxMgdnz FlxMgdnz released this 17 Dec 08:43
· 9 commits to main since this release
80680a2

This update contains a variety of frequently requested features and improvements.

Custom OAuth providers

In addition to the preconfigured providers such as Apple, Google, and GitHub, we have now added the option to configure custom OpenID Connect or OAuth providers so that they appear as “Sign in with...” buttons on the login and registration pages.

Device trust

A new device trust feature offers users the option of not having to perform 2FA again for a certain period of time after successful 2FA. Administrators can specify whether to automatically trust the device, prompt the user to trust the device, or never allow trusted devices and always enforce 2FA.

Stay signed in

This new option controls whether a persistent cookie or a session cookie is issued when the user logs in. Persistent cookies (default) remain valid for the set session duration, i.e. the user remains logged in even if the browser is closed. Session cookies are usually deleted when the browser or browser tab is closed, so users have to log in again the next time they visit the app. A third option adds a “Stay signed in” checkbox to the login screen, which allows the user to determine the type of cookie themselves.
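The three options differ only in whether the cookie carries a lifetime attribute. The following sketch is an added example, not code from this project: the type, constant, function and cookie names are hypothetical, and the `Secure`, `HttpOnly` and `SameSite` settings are assumed hardening defaults.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// CookieMode models the three options described above (hypothetical names).
type CookieMode int

const (
	Persistent  CookieMode = iota // always issue a persistent cookie (the default)
	SessionOnly                   // always issue a session cookie
	UserChoice                    // the "Stay signed in" checkbox decides
)

// IssueSessionCookie builds the cookie sent after a successful login.
// staySignedIn is the checkbox state and is only honoured in UserChoice mode,
// so a client cannot request persistence the administrator has disabled.
func IssueSessionCookie(mode CookieMode, staySignedIn bool, token string, lifespan time.Duration) *http.Cookie {
	c := &http.Cookie{
		Name:     "session", // hypothetical cookie name
		Value:    token,
		Path:     "/",
		HttpOnly: true, // not readable from page scripts
		Secure:   true, // sent over HTTPS only
		SameSite: http.SameSiteLaxMode,
	}
	if mode == Persistent || (mode == UserChoice && staySignedIn) {
		// Max-Age makes the browser keep the cookie across restarts,
		// for the configured session duration.
		c.MaxAge = int(lifespan.Seconds())
	}
	// Without Max-Age or Expires the browser treats it as a session cookie.
	return c
}

func main() {
	const lifespan = 12 * time.Hour // constructed sample session duration
	fmt.Println("persistent:      ", IssueSessionCookie(Persistent, false, "tok", lifespan))
	fmt.Println("session:         ", IssueSessionCookie(SessionOnly, true, "tok", lifespan))
	fmt.Println("choice/checked:  ", IssueSessionCookie(UserChoice, true, "tok", lifespan))
	fmt.Println("choice/unchecked:", IssueSessionCookie(UserChoice, false, "tok", lifespan))
}
```

Because browsers may restore session cookies when they reopen previous tabs, the cookie type alone does not bound how long a login lasts; the session duration still has to be enforced on the server.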

Last used indicators

Social SSO buttons (e.g., "Sign in with Google") now display a "Last used" label to help users remember which provider they chose on their last visit and avoid creating redundant accounts. Note that active Account Linking still allows users to change the login method to some extent, but only if the email address matches.

New admin API endpoints

The Admin API has been extended with the following new endpoints:

  • password
    • get
    • create
    • update
    • delete
  • webauthn
    • list
    • get
    • delete
  • otp
    • get
    • delete
  • sessions
    • list
    • create
    • delete

User import improvements

User import functionality has been improved. Now, more user data and credentials can be imported, e.g.:

  • Usernames
  • Passwords (bcrypt hashes)
  • WebAuthn credentials
  • OTP secrets

Full Changelog: backend/v1.2.1...backend/v1.3.2