Back to all versions

4.16.0

2025-05-22
minor

Features 2

  • Allow managing invite code in secret generators (#12109)
    Instance admins can now manage the expiry and character sets of invite codes via the Admin API.
    Admin API
  • FIPS 140-3 compliant build and runtime checks (#12233)
    Added FIPS 140-3 compliant build and runtime checks, including a separate build matrix for certified images.
    Security/Build

Bug Fixes 8

  • Correct scope validation in token exchange (#12312, #12319, #12322) critical
    Fixes a regression in v4.15.3 where Token Exchange flows using subject_token_type=user_id or id_token would fail with invalid_scope.
    Token Exchange
  • Redirect to loginname instead of empty accounts page when organization scope filters all sessions (#12346, #11914)
    The Login V2 flow now correctly filters sessions by organization scope; if no eligible sessions exist, it redirects straight to the login name screen instead of an empty account selection.
    Login V2
  • Use correct requestId prefix in OIDC login flows with Prompt.LOGIN (#12376, #11946) major
    Ensures that OIDC authorization requests using Prompt.LOGIN and loginHint correctly preserve the 'oidc_' prefix on the requestId, fixing broken redirects to /signedin.
    Login V2
  • Increase performance of ListUser by login name (ignore case) (#12350)
    Optimized the ListUser query by login name to perform case-insensitive searches more efficiently.
    Core Architecture
  • Allow custom protocols for native apps in login flow again (#12332)
    Restored support for custom protocol schemes (e.g., myapp://) for native apps by bypassing CSP prefetch restrictions.
    Login V2
  • Prevent IDP auto-creation failure when name fields are missing (#11070)
    Prevents IDP auto-creation failures when profile fields are missing required data by redirecting to the registration completion step.
    Login V2
  • Prevent double triggering of verification emails (#11995)
    Moved verification email triggering to server-side POST handlers to prevent race conditions that caused duplicate emails.
    Email Service
  • Migrate Tailwind opacity utilities and fix checkbox contrast color (#12360)
    Updated Tailwind opacity utilities and fixed checkbox contrast by using CSS variables.
    UX/UI