2025-03-19
New features
- Orchestrator logs can now be filtered to suppress or reduce specific log messages. For more information, see Filters.
Use log filters with caution. Strata advises enabling log filters only if absolutely necessary: a filter can inadvertently suppress critical security logs, and log filters can negatively impact orchestrator performance.
- DPoP nonces can now optionally be disabled. By default, when DPoP is enabled, the DPoP nonce is also enabled. If desired, you can now disable the DPoP nonce, and the Orchestrator will issue and validate DPoP-bound tokens without requiring it. For more info, see the docs.
Strata advises against disabling the DPoP nonce. Disabling the DPoP nonce increases the risk of replay attacks: the server-issued nonce bounds the maximum age of a DPoP proof and prevents an attacker from minting DPoP proofs ahead of time for later use.
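The note above is easiest to see with a small verifier. The following is an added example, not Orchestrator code and not the behaviour documented by Strata: it models a DPoP proof validator (RFC 9449 style checks on htm, htu, jti, iat and the server nonce) and compares what happens when nonce enforcement is on versus off. The proofs are constructed, unsigned JWTs (alg "none") so the example runs without a crypto library; a real verifier must first check the JWS signature against the "jwk" header. Names such as DpopVerifier, make_proof and premint_scenario are assumptions of this example.

```python
import base64
import json
import secrets
from typing import Optional, Tuple


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_proof(htm: str, htu: str, iat: int, nonce: Optional[str] = None) -> str:
    """Constructed, unsigned DPoP proof (demo only; real proofs are signed with the client key)."""
    header = {"typ": "dpop+jwt", "alg": "none",
              "jwk": {"kty": "EC", "crv": "P-256", "x": "demo", "y": "demo"}}
    claims = {"jti": secrets.token_urlsafe(16), "htm": htm, "htu": htu, "iat": iat}
    if nonce is not None:
        claims["nonce"] = nonce
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), ""])


class DpopVerifier:
    """Hypothetical server-side DPoP proof verifier (assumed, not Orchestrator code)."""

    def __init__(self, require_nonce: bool = True, max_age: int = 300, skew: int = 30):
        self.require_nonce = require_nonce   # mirrors the "nonce enabled" setting
        self.max_age = max_age               # how old a proof may be, in seconds
        self.skew = skew                     # tolerated clock skew, in seconds
        self.nonce: Optional[str] = None     # current server-issued nonce
        self.seen_jti: set = set()           # replay cache for proof identifiers

    def rotate_nonce(self) -> str:
        """Issue a fresh nonce (sent to clients via the DPoP-Nonce header in practice)."""
        self.nonce = secrets.token_urlsafe(16)
        return self.nonce

    def verify(self, proof: str, htm: str, htu: str, now: int) -> Tuple[bool, str]:
        try:
            header_b64, claims_b64, _sig = proof.split(".")
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(claims_b64))
        except (ValueError, json.JSONDecodeError):
            return False, "malformed proof"
        # Signature check against header["jwk"] belongs here in a real verifier.
        if header.get("typ") != "dpop+jwt" or "jwk" not in header:
            return False, "bad header"
        if claims.get("htm") != htm or claims.get("htu") != htu:
            return False, "proof bound to a different request"
        if claims.get("jti") in self.seen_jti:
            return False, "jti already used"
        iat = claims.get("iat")
        if not isinstance(iat, int):
            return False, "missing iat"
        if iat > now + self.skew:
            return False, "iat in the future"
        if now - iat > self.max_age:
            return False, "proof too old"
        # The nonce ties the proof to a server-chosen value; without it, freshness
        # rests entirely on the client-chosen iat.
        if self.require_nonce and claims.get("nonce") != self.nonce:
            return False, "nonce missing or stale"
        self.seen_jti.add(claims["jti"])
        return True, "ok"


def premint_scenario(require_nonce: bool) -> Tuple[bool, str]:
    """Mint a proof today with iat set one day ahead, then present it tomorrow."""
    v = DpopVerifier(require_nonce=require_nonce)
    nonce_today = v.rotate_nonce()
    today = 1_700_000_000
    tomorrow = today + 86_400
    htu = "https://rs.example/resource"           # constructed resource URL
    proof = make_proof("POST", htu, iat=tomorrow, nonce=nonce_today)
    v.rotate_nonce()                              # server nonce has rotated by tomorrow
    return v.verify(proof, "POST", htu, now=tomorrow)


if __name__ == "__main__":
    print("nonce disabled:", premint_scenario(require_nonce=False))  # accepted
    print("nonce enabled: ", premint_scenario(require_nonce=True))   # rejected
```

With nonce enforcement off, the only freshness signal is the client-controlled iat, so a proof pre-dated into the future is accepted the moment that time arrives; with enforcement on, the rotated server nonce rejects it regardless of iat. The jti cache only stops a second presentation of the same proof, which is why it does not substitute for the nonce.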
- As part of support for the OAuth Hybrid flow, support for the response_mode request parameter has been added. For more information, please see the spec.
- The LDAP Connector now supports logout. Query parameters are preserved as part of the logout flow in order to ensure a seamless integration when single logout (SLO) is also used.
Resolved issues
- Resolved an issue where the OIDC Provider did not return standard grants as part of the well-known response. After this fix, the grant_types_supported values that are returned align with the standard OAuth grants as per section 1.3 of the RFC.