- MCP Proxy: Fix path parameter handling and improve tolerance for common schema quirks in MCP bridge apps built from OpenAPI specs
- OIDC Provider: Add token brokering (experimental) to the OIDC provider. Clients can exchange a Maverics access token for upstream service tokens using standard RFC 8693 token exchange. The initial release supports session passthrough mode, which returns a cached upstream token. Token brokering integrates with existing OPA token minting policies for authorization.
- Telemetry: Add W3C `traceparent` header propagation to maintain a stable trace ID across the entire request lifecycle. When a request enters the Orchestrator, the trace ID is preserved and forwarded to all downstream services, including identity providers and MCP endpoints, enabling true end-to-end distributed tracing with a single, consistent identifier. This is especially valuable when the Orchestrator acts as an auth provider to an AI Identity Gateway, where a single user prompt can trigger a chain of token exchanges, policy evaluations, and tool invocations across multiple services. With a stable trace ID, operators can trace an AI gateway request from initial authentication through policy evaluation, token minting, and downstream MCP tool calls, correlating every hop in a single distributed trace.
- SAML Provider: Make NameID name qualifiers optional
- SAML Provider: Fix WS-Fed name claim incorrectly being included in SAML assertions
- SAML Provider: Correct XML namespacing across all SAML response types
- Telemetry: Add a stable Secure Orchestrator ID (`soid`) to all log entries and to OTel telemetry (`service.instance.id`) for deployment correlation
- OIDC Connector: Add configurable error handling for authentication callbacks
- OIDC Provider: Fix state parameter encoding in form post response mode
- Security: Resolved security issues
- MCP Proxy: Gracefully re-establish session with the upstream MCP server and retry the request when the session is terminated
- Proxy Apps: Allow service extensions to be reused across all application types by loosening namespace validation
- Connectors: HYPR connector now reads custom HTML files from the configuration bundle
- MCP Proxy: Gracefully re-establish sessions with upstream and retry requests when a session is terminated
- Proxy Apps: Allow service extensions to be reused across all app types
- Connectors: Support reading custom HTML files from the configuration bundle for Hypr integrations
- TLS: Add max version configuration for all TLS settings
- Session: Fix an issue where empty sessions were persisted when the SLO endpoint terminated a session that had never been established
- MCP Proxy: Add configurable scopes and token lifetimes for all MCP protocol operations
- Security: Resolved security issues
- Security: Resolved CVE-2026-2405
- MCP Proxy: Respect the outbound authorization policy when making MCP `tools/list` requests
- SAML Apps: Enable claims mapping and the BuildClaims service extension to be used together
- MCP Proxy: Explicitly handle session termination errors that are returned from the upstream
- OIDC Connector: Add JWT client assertion authentication (RFC 7523)
- OIDC Connector: Add support for JWT client assertion authentication as part of the token exchange grant
- OIDC Provider: Show that JWT client authentication can be used with the authorization code and token exchange grants
- OIDC Provider: Make the openid scope and the scope parameter optional
- SAML Provider: Ensure SAML Response elements are ordered correctly
- OIDC Provider: Add Subject and Actor token claims to token minting policy
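The token brokering, `traceparent` propagation, RFC 7523 client assertion, and Subject/Actor token entries above describe one outbound hop: a client exchanges an access token at a token endpoint (RFC 8693), authenticates with a signed JWT (RFC 7523), and carries the inbound trace ID forward. The Go program below is an added example written for this page, not Maverics code; `ExchangeParams`, `BuildTokenExchange`, `NextHop`, the endpoint URLs, and the token strings are hypothetical, and the subject token is a constructed placeholder rather than a real Maverics access token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Added example, not Maverics code; every name here is hypothetical.
const ( // RFC 8693 grant and token-type URNs, RFC 7523 client-assertion type
	GrantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TypeAccessToken    = "urn:ietf:params:oauth:token-type:access_token"
	TypeJWTBearer      = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

// W3C traceparent, version 00: 16-byte trace-id, 8-byte parent-id, 1-byte flags.
var traceparentRe = regexp.MustCompile(`^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$`)

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not be papered over
	}
	return hex.EncodeToString(b)
}

// NextHop keeps the inbound trace-id and mints a fresh parent-id for this hop, so the IdP
// call and the MCP call land in one trace. A missing, malformed, or all-zero trace-id
// starts a new sampled trace instead of failing the request.
func NextHop(inbound string) string {
	traceID, flags := randomHex(16), "01"
	if m := traceparentRe.FindStringSubmatch(inbound); m != nil && m[1] != strings.Repeat("0", 32) {
		traceID, flags = m[1], m[3]
	}
	return "00-" + traceID + "-" + randomHex(8) + "-" + flags
}

func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ClientAssertion signs an RFC 7523 private_key_jwt (RS256); aud is pinned to the token
// endpoint, and a unique jti with a short exp limits replay.
func ClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	b64 := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": randomHex(16),
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(),
	})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// SubjectToken is the (hypothetical) Maverics access token being exchanged; a non-empty
// ActorToken makes the request a delegation (RFC 8693 section 2.1), which Subject and
// Actor claims in a token minting policy can then tell apart.
type ExchangeParams struct {
	TokenEndpoint, ClientID, SubjectToken, ActorToken, Audience, Traceparent string
	ClientKey                                                                *rsa.PrivateKey
	Now                                                                      time.Time
}

// BuildTokenExchange assembles the RFC 8693 request with JWT client authentication and
// forwards the trace context on the outbound hop.
func BuildTokenExchange(p ExchangeParams) (*http.Request, error) {
	assertion, err := ClientAssertion(p.ClientKey, p.ClientID, p.TokenEndpoint, p.Now)
	if err != nil {
		return nil, err
	}
	form := url.Values{
		"grant_type": {GrantTokenExchange}, "audience": {p.Audience},
		"subject_token": {p.SubjectToken}, "subject_token_type": {TypeAccessToken},
		"client_id": {p.ClientID}, "client_assertion_type": {TypeJWTBearer}, "client_assertion": {assertion},
	}
	if p.ActorToken != "" {
		form.Set("actor_token", p.ActorToken)
		form.Set("actor_token_type", TypeAccessToken)
	}
	req, err := http.NewRequest(http.MethodPost, p.TokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("traceparent", NextHop(p.Traceparent))
	return req, nil
}

func main() {
	key, _ := GenerateClientKey()
	req, _ := BuildTokenExchange(ExchangeParams{TokenEndpoint: "https://idp.example/token", ClientID: "mcp-bridge",
		ClientKey: key, Now: time.Now(), SubjectToken: "constructed.subject.token", Audience: "https://tools.example",
		Traceparent: "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"})
	fmt.Println(req.Header.Get("traceparent")) // inbound trace-id kept, fresh parent-id
}
```

Two design points worth checking in any real broker: the outbound `traceparent` must share the inbound trace-id but never reuse the inbound parent-id (otherwise two hops collapse into one span in the collector), and the assertion's `aud` must be the token endpoint itself, so an assertion captured on one endpoint cannot be replayed against another.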