Back to all versions

4.15.2

2025-01-27
patch

Bug Fixes 10

  • Connection handling in setup after migrations (#12293)
    Closes currently open database connections after migration steps 40, 64, and 70 to ensure correct type mapping for the eventstore.command2 database type.
    Setup Database
  • Allow overwriting resource owner of events (#12261)
    Introduced a new eventstore command type with an explicit enforce_owner flag, allowing the eventstore to intentionally overwrite resource owners for aggregates reused across owners.
    Eventstore
  • Apply PKCE when building OAuth and OIDC providers (#12247, #12054, #12036, #12054)
    Ensures Login V2 intent-based flows correctly send the code_challenge when Generic OIDC or OAuth IdPs are configured with PKCE.
    IDP Login V2
  • Accept IDP sessions on passkey registration (#12275)
    Updated session validation logic to recognize the 'intent' factor, preventing 'You have to authenticate' errors when redirecting to passkey registration after an IDP login.
    Login V2
  • Load custom font from branding settings and allow in CSP (#12279, #11200)
    Correctly applies branding font settings by using the absolute fontUrl and updating the Content Security Policy (CSP) to include the Zitadel service URL in the font-src directive.
    Login V2 Branding
  • Remove unnecessary entry from default denylist (#12294)
    Cleaned up the default denylist by removing redundant IPv4-mapped IPv6 entries that are already covered by v4 resolution.
    Network
  • Always validate exp and iat claims of JWT IdPs
    Ensures that for JWT IdPs, the exp (expiration) and iat (issued at) claims are always validated to prevent token replay or lifetime bypasses.
    IDP Security
  • Client_id verification during code exchange and refresh token flows
    Correctly verify the client_id during code exchange and refresh token flows to prevent impersonation or token leakage.
    OIDC Security
  • JWT IDP: Manage and validate audience
    Improved management and validation of the audience (aud) claim for JWT IdPs to ensure tokens are intended for the correct recipient.
    IDP Security
  • Use protected http client for outgoing connections
    Enforces the use of a protected HTTP client for all outgoing connections to mitigate potential SSRF or unintended internal access.
    Network Security