> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# 2025

<Update label="December 19 2025" description="v2025.12.4">
  * **MCP Proxy:** Harden implementation
</Update>

<Update label="December 16 2025" description="v2025.12.3">
  * **MCP Proxy:** Proxy inbound client info when initializing session with upstream server
  * **MCP Proxy:** Add networking configurations with reasonable defaults
  * **Security:** Resolved CVE-2025-64702
  * **MCP Provider:** Add namespacing for tools
</Update>

<Update label="December 11 2025" description="v2025.12.2">
  * **MCP Proxy:** Expose streamable MCP Proxy app config
  * **MCP Provider:** Remove default tools
  * **OIDC Connector:** Use contextual logger when handling callback errors
  * **MCP Proxy:** Add base proxy functionality
  * **Service Extensions:** Fix ROPC initiated from within LDAP Provider SEs bug
  * **MCP Proxy:** Add inbound and outbound authorization to tool calls
  * **MCP Provider:** Update streamable MCP server and client to use custom Orchestrator logger
  * **MCP Provider:** Make the MCP Provider server name configurable
  * **MCP Proxy:** Add support for custom client TLS configurations
</Update>

<Update label="December 3 2025" description="v2025.12.1">
  * **MCP Provider:** Add support for delegated token exchange to bridge apps
  * **OIDC Provider:** Add support for X-Maverics-Oauth-Access-Token-Lifetime
  * **MCP Provider:** Add per-tool access token lifetime configuration
</Update>

<Update label="November 20 2025" description="v2025.11.7">
  * **Security:** Resolved CVE-2025-47914 and CVE-2025-58181
  * **OIDC Provider:** Remove inherited audience in token exchange grant
  * **OIDC Provider:** Add support for delegated token exchange
</Update>

<Update label="November 19 2025" description="v2025.11.6">
  * **OIDC Provider:** Clean up logs made by session-less access token generation
  * **OIDC Provider:** Add evaluation of access token minting policies to implicit/hybrid grants
  * **OIDC Provider:** Add access token minting policies to ROPC grant
  * **Security:** Resolved CVE-2025-47913
  * **OIDC Provider:** Populate access token minting policy fields
  * **LDAP Provider:** Add ability to determine the bound DN in Service Extensions
</Update>

<Update label="November 13 2025" description="v2025.11.5">
  * **OIDC Provider:** Add access token minting policies to authorization code grant
  * **Config Bundle:** Handle filesystem error and prevent panic
  * **OIDC Provider:** Add access policy evaluation to refresh\_token grant
</Update>

<Update label="November 11 2025" description="v2025.11.3">
  Internal improvements and maintenance updates.
</Update>

<Update label="November 10 2025" description="v2025.11.2">
  * **OIDC Provider:** Handle authorization requests when made via POST
</Update>

<Update label="November 7 2025" description="v2025.11.1">
  * **MCP Provider:** Add initial MCP proxy app config structure
  * **OIDC Provider:** Add support for custom access token minting policies
  * **Cache:** Add ability to disable key-prefixes on cache entries
</Update>

<Update label="October 29 2025" description="v2025.10.5">
  * **config:** Ensure that multiple env vars are read in separately via json
  * **MCP Provider:** Support inlined OpenAPI specs for MCP Bridge apps
  * **OIDC Provider:** Support custom scopes with ROPC grant
  * **OIDC Provider:** Preserve backwards-compatibility with unrecognized cu…
</Update>

<Update label="October 23 2025" description="v2025.10.4">
  * **OIDC Provider:** Enable custom scopes for the authorization\_code grant type
  * **MCP Provider:** Enable graceful shutdown of MCP clients via HTTP BaseContext
  * **OIDC Provider:** Add support for custom scopes with the client\_credentials grant
  * **OIDC Provider:** Add support for custom scopes with the refresh\_token grant
  * **OIDC Provider:** Add support for custom scopes with the implict and hybrid grant types
  * **OPA:** Update input schema for Rego policies
  * **MCP Provider:** Add reload capability
</Update>

<Update label="October 14 2025" description="v2025.10.3">
  * **Security:** Resolved CVE-2025-59530
  * **OIDC Provider:** Add access policies to token exchange grant
</Update>

<Update label="October 8 2025" description="v2025.10.2">
  * **FIPS:** Build a FIPS compliant version of the Debian package
  * **MCP Bridge:** Add support for loading OPA policies from the filesystem
  * **OIDC Provider:** Add custom scopes to token exchange grant
  * **MCP Provider:** Add support for token exchange to bridge apps
</Update>

<Update label="October 3 2025" description="v2025.10.1">
  * **OPA:** Setup OPA to be used across multiple Orchestrator components
  * **MCP Provider:** Add support for loading OpenAPI files using relative paths
  * **FIPS:** Build FIPS version of the RPM package
  * **FIPS:** Build FIPS compliant version of the maverics docker image
  * **Config:** Merge TLS settings from environment variables with Maverics config
  * **MCP Provider:** Separate inbound and outbound authorization in support of token exchange
  * **Connectors:** Add token exchange to OIDC connector
  * **Config:** Merge TLS settings with Windows environment variables
</Update>

<Update label="September 25 2025" description="v2025.09.5">
  * **MCP Provider:** Enhance observability and context around policy decisions
  * **MCP Provider:** Add ability to make policy decisions based on the source IP address
</Update>

<Update label="September 18 2025" description="v2025.09.4">
  * **MCP Provider:** Add base MCP docs for provider and bridge apps
  * **MCP Broker:** Improve documentation
  * **MCP Provider:** Use context bound logger in bearer token middleware
  * **Security:** Fix mTLS security issue by starting with an empty cert pool when constructing 'ClientCAs' used in TLS configs
</Update>

<Update label="September 11 2025" description="v2025.09.3">
  * **OIDC Provider:** Add option to configure refresh token lifetime
  * **MCP Bridge:** Add basic Rego authorization policy
</Update>

<Update label="September 8 2025" description="v2025.09.2">
  **Resolved Issues**

  * Fixed an issue that prevented the Orchestrator from starting when loading configuration bundles larger than 1 MB from a GitHub repository.
</Update>

<Update label="September 3 2025" description="v2025.09.1">
  **New Features**

  * **Service Extensions:** Expose functions from the secp256k1 pkg to Service Extensions
    **Resolved Issues**
  * **OIDCProvider:** Support token revocation from `client_credentials` grant
  * **Config:** Allow float when setting TLS Min Version
</Update>

<Update label="August 21 2025" description="v2025.08.4">
  **Resolved Issues**
  **OIDC Provider**
  This release resolves an issue with the end-session endpoint not supporting POST requests. As per the [spec](https://openid.net/specs/openid-connect-rpinitiated-1_0.html), both GET and POST requests are now supported.

  This release also resolves an issue with how redirect URIs are matched. The matching logic has been updated to not consider query params when validating the requested redirect URI against the pre-defined set of allowed redirect URIs.
</Update>

<Update label="August 19 2025" description="v2025.08.3">
  **New Features**

  **OIDC applications**
  OIDC apps now support defining allowed origins and allowed credentials for CORS requests. For more information, please see the [CORS](https://developer.strata.io/orchestrator/configuration/app/oidc/#cors) documentation.
</Update>

<Update label="August 14 2025" description="v2025.08.2">
  **New Features**

  **Cloud Configuration Storage Providers**
  Blob Storage in Azure Gov Cloud cloud can now be defined as a configuration storage provider. For more information, [read the docs](https://developer.strata.io/orchestrator/setup/remote-config/#azure-blob-storage).

  **Secrets Providers**
  Key Vault in Azure Gov Cloud can now be defined as a secret provider. The entraIDHost query parameter as part of the MAVERICS\_SECRET\_PROVIDER environment variable connection string. For more information, please see the [Azure Key Vault docs](https://developer.strata.io/orchestrator/setup/secrets-management/#entra-id-host-option).

  **OIDC Provider**
  The OIDC provider can now optionally correlate back-channel requests with the resource owner’s session. This can help you trace backchannel token requests to the resource owner. For more information, please see OIDC Provider [Session Correlation](https://developer.strata.io/orchestrator/configuration/providers/oidcprovider/#session-correlation).

  **OIDC applications**
  OIDC apps now support the insecureSkipPKCE option. This field can be used to bypass using PKCE when using the Authorization Code grant type for public clients.

  **ATTENTION**:
  Per [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1), public clients MUST use PKCE when using the Authorization Code grant type. The insecureSkipPKCE option should only be used for legacy apps that are unable to use PKCE. Avoid using this configuration unless absolutely necessary.
</Update>

<Update label="August 8 2025" description="v2025.08.1">
  **New Features**
  **Connectors**
  The offline access [feature](https://developer.strata.io/orchestrator/configuration/connectors/oidc-connector/#offline-access) found on OIDC connectors now ensures revoked ID token claims do not remain on the user's session. This change bolsters security by guaranteeing claims removed at the IDP do not remain on a user's session after a successful refresh request.

  **Resolved Issues**
  **Connectors**
  SAML connectors now set the Maverics session cookie as part of SAML login flows. This fix ensures sticky session configurations that use application cookie persistence will continue to operate as expected.

  **OIDC Provider**
  The OIDC Provider now removes whitespace around redirect URLs.
</Update>

<Update label="July 28 2025" description="v2025.07.3">
  **New Features**
  **Connectors**
  The OIDC and Azure connectors now support silently refreshing a resource owner's ID token and access token without user interaction. For more information, please see the [docs](https://developer.strata.io/orchestrator/configuration/connectors/oidc-connector/).

  **OIDC Apps**
  This release adds basic support for the token exchange grant (RFC 8693). Future releases will include additional functionality for the handling of custom scopes and for defining advanced access policies. For more information, please see the [docs](https://developer.strata.io/orchestrator/configuration/providers/oidcprovider/).
</Update>

<Update label="July 22 2025" description="v2025.07.2">
  **New Features**
  **Applications**
  All application types now support aggregating authorization policy rules with different logical operators. This feature enables the creation of advances policies. For more information, please see the application [docs](https://developer.strata.io/orchestrator/configuration/app/).

  **Security enhancements**
  Patched security and performance related issues. Contact your account representative for a detailed overview.
</Update>

<Update label="July 17 2025" description="v2025.07.1">
  **New features**
  **Session Management**
  This release introduces revamped session management in order to improve security, enhance performance, and to enable pluggable backing data stores. For more information, read the docs: [https://developer.strata.io/orchestrator/configuration/globalsettings/sessions-user-state/](https://developer.strata.io/orchestrator/configuration/globalsettings/sessions-user-state/)

  **Resolved Issues**

  * Resolved CVE-2025-49140 and CVE-2025-49140
</Update>

<Update label="June 24 2025" description="v2025.06.5">
  **New Features**
  **OIDC Applications**
  OIDC applications can now be configured to use a default redirect URL. This option can be used for applications that are unable to set the `redirect_uri` parameter on the authorization request. For more information, see the [docs](https://developer.strata.io/orchestrator/configuration/app/oidc/#default-redirect-url)
  ATTENTION: Per the OIDC RFC, the `redirect_uri` is a [required](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) parameter. The `allowDefaultRedirectURI` option should only be used for apps that are unable to provide a redirect URI. Strata recommends to avoid using this configuration unless absolutely necessary.
</Update>

<Update label="June 20 2025" description="v2025.06.4">
  **New Features**
  **SAML Provider**
  The SAML Provider now has the ability to load the signing certificate and key from the filesystem. For more details, please see the [docs](https://developer.strata.io/orchestrator/configuration/providers/samlprovider/#signature).

  **Service Extensions**
  Service extensions can now leverage the `IsAvailable` method on the `idfabric.IdentityProvider` interface. This feature enables service extensions to determine whether a given IDP is available. For more info, please see the [docs](https://github.com/strata-io/service-extension/blob/main/idfabric/idfrabric.go#L19-L22).

  **Resolved Issues**
  **OIDC Apps**
  This change adds the missing `at_hash` and `c_hash` claims to ID token during hybrid and implicit flows. These claims were previously missing and are required by the RFC.

  **Service Extensions**
  When calling `Login` with a nil HTTP request or response writer a runtime panic will no longer occur.
</Update>

<Update label="June 12 2025" description="v2025.06.3">
  **New Features**
  **Support for ROPC login option in Azure and Continuity identity services**
  The Azure and Continuity identity services have been updated to support authentication via the Resource Owner Password Credentials (ROPC) grant. Service extensions can leverage the `WithGrantTypeROPC` login option to specify an ROPC flow for authenticating a user. This flow is typically used for legacy applications that require a username and password to authenticate the user directly.
  For more information, please see the [docs](https://github.com/strata-io/service-extension/blob/main/idfabric/idfrabric.go#L95-L99).
</Update>

<Update label="June 5 2025" description="v2025.06.2">
  **New Features**

  **Support for ROPC login option in OIDC identity service**
  Service extensions can now leverage a new login option that enables authentication via the Resource Owner Password Credentials (ROPC) grant. The `WithGrantTypeROPC` function specifies the ROPC flow for authenticating a user. This flow is typically used for legacy applications that require a username and password to authenticate the user directly. For more information, please see the [docs](https://github.com/strata-io/service-extension/blob/main/idfabric/idfrabric.go#L95-L99).
  NOTE: Strata does not recommend using the ROPC flow for public facing applications. The OAuth 2.1 spec suggests a more secure flow, such as Authorization Code (with PKCE).
  For more information, see [https://pkg.go.dev/github.com/strata-io/service-extension@v0.22.0/idfabric#WithGrantTypeROPC](https://pkg.go.dev/github.com/strata-io/service-extension@v0.22.0/idfabric#WithGrantTypeROPC)
</Update>

<Update label="June 4 2025" description="v2025.06.1">
  **New Features**

  **Support for multiple SAML entity IDs**
  This release introduces support for defining multiple entity IDs on a SAML app. This functionality is compatible with both SP-initiated logins and IDP-initiated logins. For more information, please see the [docs](https://developer.strata.io/orchestrator/configuration/app/saml/).
</Update>

<Update label="May 30 2025" description="v2025.05.3">
  **New Features**
  **HYPR**
  The HYPR connector now exposes a dynamic link and QR fallback code that can be used in custom login page templates. These fields serve as backup mechanisms for when scanning the QR code via the HYPR app fails. For more info, please see the [docs](https://developer.strata.io/orchestrator/configuration/connectors/hypr-connector/#custom-interstitial-page).
</Update>

<Update label="May 28 2025" description="v2025.05.2">
  **New Features**
  **OIDC Apps**
  OIDC apps now support PKCE for public clients. This functionality enables applications that cannot securely store client credentials to interact with the Orchestrator as an OIDC Provider. For more information, please reference the [documentation](https://developer.strata.io/orchestrator/configuration/app/oidc/#public).
</Update>

<Update label="May 27 2025" description="v2025.05.1">
  **New Features**
  **Config Parsing**
  This release introduces strict configuration validation. Any unknown fields, misspellings, or unrecognized keys will cause an immediate validation failure. These changes are intended to ensure configuration correctness and eliminate silently ignored errors that may lead to unexpected behavior.

  **Breaking Changes**
  Orchestrator v2025.05.1 removes many long-deprecated features. All removed features have a migration path to a supported substitute feature set. For more information, please reference the deprecation advisory notice issued in November 2024
</Update>

<Update label="May 14 2025" description="v0.113.0">
  **New features**

  **Use Authorization Service Extension and Conditional Policies for authorization**
  This release introduces the ability to use the IsAuthorized service extension and authorization rules together. This allows more granular control of user authorization to protected resources. This feature is supported on SAML, OIDC, and Proxy apps.
  Note: Both the authorization service extension and the authorization rules must be validated as true to grant a user access. If either validates as false, the user is denied access.
  For more details see [Authorization](https://developer.strata.io/orchestrator/configuration/app/oidc/#isauthorized-service-extension).

  **Custom Unauthorized Page for SAML Apps**
  SAML apps now support an error page for unauthorized users. Custom unauthorized pages for SAML apps will be configurable from the user interface in an upcoming release of the Maverics Console.
</Update>

<Update label="May 7 2025" description="v0.112.0">
  **New features**

  **Support for custom query parameter in Entra ID (OIDC) and generic OIDC identity services**
  Orchestrator now supports routing a custom query parameter to a declared Entra ID or OIDC IDP via service extension. Orchestrator passes the query parameter which then gets captured by the browser.
  Service extensions should be updated per the Go documentation for idfabric: [https://pkg.go.dev/github.com/strata-io/service-extension@v0.20.0/idfabric](https://pkg.go.dev/github.com/strata-io/service-extension@v0.20.0/idfabric)

  **Field ordering of orchestrator logs**
  Readability of orchestrator logs can be improved by enabling `fieldOrdering` (optional). `fieldOrdering` organizes the fields in the log output, setting values in the following order: `ts` , `level`, `service`, `traceID`, `sessionID`, and `msg`.
  Please note that enabling `fieldOrdering` will impact orchestrator performance. If performance must remain optimal, Strata recommends leaving this option disabled. For more information, see [Logging](https://developer.strata.io/orchestrator/configuration/monitoring/logger/#field-ordering).
</Update>

<Update label="May 1 2025" description="v0.111.0">
  **New features**

  **Orchestrator heartbeat**
  The Orchestrator now includes a heartbeat. This lightweight service logs runtime details at a configurable time interval. Enabled by default, the heartbeat service prints a log message containing the orchestrator ID, orchestrator version, orchestrator config version, as well as CPU count, usage, and total memory. By default, the heartbeat service logs at the info level.

  The heartbeat service is part of the Health configuration block. It will be configurable from via user interface in an upcoming release of the Maverics Console. For more information, see [Heartbeat](https://developer.strata.io/orchestrator/configuration/monitoring/health/#heartbeat).

  **Access logs enabled by default**
  HTTP access logs are now enabled by default. This change is meant to provide customers with greater insight into how requests flow through the system and can be used to confirm that all requests result in a corresponding response.

  By default, access logs are logged at the debug level. If desired, access logs can be disabled via the orchestrator config. Access logs will be configurable from via user interface in an upcoming release of the Maverics Console. For more information, see [Access Logs](https://developer.strata.io/orchestrator/configuration/globalsettings/http-server/#accesslog).

  **LDAP custom login page and localization**
  Orchestrator v0.111.0 introduces support for an optional custom login page when using LDAP as an IDP. By defining `customLogin` in the orchestrator configuration, the orchestrator delivers a custom HTML page stored in the filesystem.

  In addition, the custom login page now supports standards-based language localization (BCP 47). By default, the localization selection is driven from the `Accept-Language` header, but can be customized to meet deployment specific needs.

  LDAP custom login and localization will be configurable from via user interface in an upcoming release of the Maverics Console. For more information, see [Custom Login](https://developer.strata.io/orchestrator/configuration/connectors/ldap-connector/#custom-login).
</Update>

<Update label="April 22 2025" description="v0.110.0">
  **New features**

  **Logging enhancements**

  * Logs in the `CreateHeader` service extension have been updated to include `traceID`, `sessionID`, and `service` attributes.

  * API service extensions can now leverage a newly exposed function that allows for retrieving a logger from the context of a request. The `log.WithRequest` function can be used to ensure logs include the `traceID` and `sessionID` attributes. For more information, refer to the [API examples](https://docs.strata.io/orchestrator/configuration/api/#examples).
    INFO
    Customers running API service extensions must update their service extensions to use the new function ONLY if they want to their logs to include `traceID` and `sessionID`. Strata advises customers to first test this new orchestrator release against their existing API service extensions in a lab or lower environment to ensure their service extensions continue to operate normally. For more information, refer to [Serve Service Extension](https://docs.strata.io/orchestrator/configuration/api/#serve-service-extension).

  **Resolved issues**
  This release resolves an issue in which orchestrator telemetry data was being sent to the Maverics Console even though telemetry was disabled. This issue was introduced in v0.107.0 and only impacts customers that are using Maverics Console.
</Update>

<Update label="April 16 2025" description="v0.109.0">
  **New features**

  **Logging enhancements**
  Logs in the following identity services have been updated to include `traceID` and `service` attributes:

  * 1Kosmos
  * HYPR
  * PingFederate
  * SAML
  * Windows Client Authenticator (WCA)
  * WSO2

  API service extension logs have been updated to include `traceID`, `service`, 'seName', 'seFuncName', and 'seChecksum' attributes.

  **Resolved issues**

  * This release resolves an issue in which re-authentications triggered by session expiry would fail when an OIDC identity provider using PKCE.

  * **APIs:** Enhance API SE logger with attributes by (#2879)

  * **Connectors:** Use contextual logger in PingFederate connector (#2873)

  * **Connectors:** Use contextual logger in SAML connector (#2876)

  * **Connectors:** Use contextual logger in 1Kosmos connector (#2872)

  * **Connectors:** Use contextual logger in WSO2 connector (#2877)

  * **Connectors:** Use contextual logger in HYPR connector (#2869)

  * **Connectors:** Use contextual logger in WCA connector (#2875)

  * **Session:** Resolved issue causing newly Set attributes to have an expiry in the past (#2878)
</Update>

<Update label="April 14 2025" description="v0.108.0">
  **New Features**
  Orchestrator v0.108.0 adds improvements to observability, including HTTP access logs, contextual logging, tracing, and standard telemetry. These changes provide more detailed logs for better insight into transactions from all areas of the orchestrator including service extensions.

  **HTTP Access Logging**
  All HTTP requests and responses are now optionally logged. Access logs are logged at debug level by default. Currently, access logs can be enabled/disabled in the orchestrator config. Access logging can be enabled/disabled from the user interface in a forthcoming update to Maverics Console. For more info, please see the [reference docs](https://docs.strata.io/orchestrator/configuration/globalsettings/http-server/#accesslog).

  **Logging**
  The logger now includes a `traceID` attribute in log messages that can be used to trace requests through the system. Additionally, logs now include the `service` key to help clearly identify the source of logs. For service extensions, the `seName`, `seFuncName`, and `seChecksum` keys are also now included.

  **Security enhancements**

  * **Security:** Resolved CVE-2025-22872
</Update>

<Update label="March 27 2025" description="v0.107.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 25 2025" description="v0.106.1">
  * **Security:** Resolved CVE-2025-29923
  * **Session v2:** Fix Cache Store Configuration
</Update>

<Update label="March 19 2025" description="v0.106.0">
  * **Dependencies:** Resolved CVE-2025-22870
</Update>

<Update label="March 14 2025" description="v0.105.3">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 13 2025" description="v0.105.2">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 13 2025" description="v0.105.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 13 2025" description="v0.105.0">
  * **OIDC Provider:** Expose config to disable the DPoP nonce
</Update>

<Update label="March 13 2025" description="v0.104.1">
  * **Connectors:** Preserve query parameters during LDAP logout
</Update>

<Update label="March 12 2025" description="v0.104.0">
  * **OIDC Provider:** Add customizable response\_mode to implicit flow
</Update>

<Update label="March 12 2025" description="v0.103.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 11 2025" description="v0.103.0">
  * **Connector:** Implement LDAP connector Logout method
</Update>

<Update label="March 10 2025" description="v0.102.8">
  * **OIDC Provider:** Correct 'response\_types\_supported' and 'grant\_types\_supported' attributes of well-known response
</Update>

<Update label="March 8 2025" description="v0.102.7">
  * disable jfrog and e2e for testing orchestrator release process change
</Update>

<Update label="March 7 2025" description="v0.102.6">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 6 2025" description="v0.102.5">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 6 2025" description="v0.102.4">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 5 2025" description="v0.102.3">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 5 2025" description="v0.102.2">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 5 2025" description="v0.102.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 4 2025" description="v0.102.0">
  * **OIDC Provider:** Add implicit grant type
</Update>

<Update label="March 3 2025" description="v0.101.5">
  Internal improvements and maintenance updates.
</Update>

<Update label="March 3 2025" description="v0.101.4">
  * **Security:** Resolved CVE-2025-27144
</Update>

<Update label="March 3 2025" description="v0.101.3">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 28 2025" description="v0.101.2">
  * **OIDC Provider:** Fix introspect endpoint not handling custom nested claims
</Update>

<Update label="February 28 2025" description="v0.101.1">
  * **Security:** Resolved CVE-2025-22869
</Update>

<Update label="February 27 2025" description="v0.101.0">
  * **Connectors:** Add support for error page to Auth0 connector
</Update>

<Update label="February 27 2025" description="v0.100.0">
  * **Connectors:** Add support for silent authentication to Auth0 connector
</Update>

<Update label="February 26 2025" description="v0.99.8">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 26 2025" description="v0.99.7">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 26 2025" description="v0.99.6">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 26 2025" description="v0.99.5">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 26 2025" description="v0.99.4">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 25 2025" description="v0.99.3">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 25 2025" description="v0.99.2">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 24 2025" description="v0.99.1">
  * **OIDC Provider:** Ensure reload works successfully when the end session endpoint is defined
</Update>

<Update label="February 24 2025" description="v0.99.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 21 2025" description="v0.98.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 21 2025" description="v0.97.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 20 2025" description="v0.96.0">
  * **Secret Provider:** Add support for multiple secret paths in hashicorp vault secret provider
</Update>

<Update label="February 19 2025" description="v0.95.0">
  * **Secret Provider:** Load Hashicorp Vault secrets lazily
</Update>

<Update label="February 18 2025" description="v0.94.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 18 2025" description="v0.93.2">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 14 2025" description="v0.93.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 13 2025" description="v0.93.0">
  * **OIDC Provider:** Expose DPoP-Nonce header to support CORS
</Update>

<Update label="February 13 2025" description="v0.92.0">
  * **OIDC Provider:** Harden DPoP implementation
</Update>

<Update label="February 11 2025" description="v0.91.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="February 10 2025" description="v0.91.0">
  * **OIDC Provider:** Add support for dpop nonce validation
</Update>

<Update label="February 8 2025" description="v0.90.2">
  * **Observability:** Add new telemetry config format for metrics
</Update>

<Update label="February 1 2025" description="v0.90.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 31 2025" description="v0.90.0">
  * **OIDC Provider:** Add support for dpop checking at userinfo endpoint
</Update>

<Update label="January 31 2025" description="v0.89.0">
  * **OIDC Provider:** Add support for DPoP bound refresh tokens
</Update>

<Update label="January 29 2025" description="v0.88.2">
  * **Proxy Apps:** Resolved attribute providers config not being respected
</Update>

<Update label="January 29 2025" description="v0.88.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 28 2025" description="v0.88.0">
  * **OIDC Provider:** Add support opaque access tokens when using DPoP
</Update>

<Update label="January 28 2025" description="v0.87.1">
  * **Security:** Resolved CVE-2024-45339
</Update>

<Update label="January 23 2025" description="v0.87.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 23 2025" description="v0.86.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 23 2025" description="v0.85.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 23 2025" description="v0.84.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 23 2025" description="v0.83.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 23 2025" description="v0.82.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 23 2025" description="v0.81.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 22 2025" description="v0.80.0">
  * **OIDC Provider:** Update metadata endpoint to return DPoP signing algorithms
</Update>

<Update label="January 22 2025" description="v0.79.0">
  * **OIDC Provider:** Add support for DPoP bound access tokens
</Update>

<Update label="January 22 2025" description="v0.78.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 22 2025" description="v0.77.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 22 2025" description="v0.76.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 22 2025" description="v0.75.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 21 2025" description="v0.74.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 21 2025" description="v0.74.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 21 2025" description="v0.73.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 21 2025" description="v0.72.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 20 2025" description="v0.71.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 20 2025" description="v0.70.3">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 17 2025" description="v0.70.2">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 7 2025" description="v0.70.1">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 7 2025" description="v0.70.0">
  Internal improvements and maintenance updates.
</Update>

<Update label="January 7 2025" description="v0.69.2">
  Internal improvements and maintenance updates.
</Update>
