- Security: Resolved CVE-2026-2405
- MCP Proxy: Respect outbound authorization policy when making list tools requests
- SAML Apps: Enable claims mapping and the BuildClaims service extension to be used together
- MCP Proxy: Explicitly handle session termination errors that are returned from the upstream
- OIDC Connector: Add client assertion authentication mechanism (rfc 7523)
- OIDC Connector: Add support for JWT client assertion authentication as part of the token exchange grant
- OIDC Provider: Demonstrate JWT client authentication can be used with authcode, token-exchange grants
- OIDC Provider: Make openid scope and scope param optional
- SAML Provider: Ensure SAML Response elements are ordered correctly
- OIDC Provider: Add Subject and Actor token claims to token minting policy