- Password compromission check :issue:`179`
- :attr:`~canaille.core.configuration.CoreSettings.ADMIN_EMAIL` and :attr:`~canaille.core.configuration.CoreSettings.ENABLE_PASSWORD_COMPROMISSION_CHECK` and :attr:`~canaille.core.configuration.CoreSettings.API_URL_HIBP` :issue:`179`
- PostgreSQL and MySQL extras do not rely on libraries that need to be compiled.
- With the LDAP backend, updating another user's groups could result in lost permissions for the editor. :issue:`202`
- :attr:`~canaille.core.configuration.CoreSettings.MAX_PASSWORD_LENGHT` and :attr:`~canaille.core.configuration.CoreSettings.MIN_PASSWORD_LENGHT` configuration options :issue:`174`
- Password strength visual indicator. :issue:`174`
- Security events logs. :issue:`177`
- Support for Python 3.13. :pr:`186`
- Update to HTMX 2.0.3. :pr:`184`
- Migrate the Python project management tool from poetry to uv. :pr:`187`
- The ``sql`` package extra is now split between ``sqlite``, ``postgresql`` and ``mysql``.
- End support for Python 3.9. :pr:`179`
- Use poetry-core build backend. :pr:`178`
- Group member removal can be achieved from the group edition page. :issue:`192`
- Model management commands. :issue:`117` :issue:`54`
- Model identifier_attributes are fixed.
- Bump to HTMX 1.9.12. :pr:`172`
- Dark theme colors for better readability.
- Crash for passwordless users at login when no SMTP server was configured.
- The ``env_prefix`` parameter of :meth:`~canaille.create_app` selects the environment variable prefix.
- The ``env_file`` parameter of :meth:`~canaille.create_app` can customize or disable the ``.env`` file.
- Locked users cannot be impersonated anymore.
- Minimum Python requirement is 3.9.
- Display the menu bar on error pages.
- Sign-in and sign-out events are logged. :issue:`177`
- HTMX and JAVASCRIPT configuration settings.
- Compatibility with old session IDs.
- LDAP user group removal.
- Display an error message when trying to remove the last user from a group.
- LDAP ``objectClass`` guessing exception.
- Lazy permission loading exception.
- Saving an object with the LDAP backend keeps the ``objectClass`` un-managed by Canaille. :pr:`171`
- Internal indexation mechanism of :class:`~canaille.backends.memory.model.MemoryModel`.
- Fix the default LDAP ``USER_FILTER`` value.
- Fix the OIDC feature detection.

.. warning::

   Configuration files must be updated.
- Add ``created`` and ``last_modified`` datetime for all models.
- Sitemap to the documentation. :pr:`169`
- Configuration management with pydantic-settings. :issue:`138` :pr:`170`
- Use default Python logging configuration format. :issue:`188` :pr:`165`
- Bump to HTMX 1.99.11. :pr:`166`
- Use the standard tomllib Python module instead of toml starting from Python 3.11. :pr:`167`
- Use shibuya as the documentation theme :pr:`168`
- Avoid failing on imports when ``cryptography`` is missing.
- OIDC support for the ``create`` value of the ``prompt`` parameter. :issue:`185` :pr:`164`
- Correctly set up :attr:`~canaille.oidc.basemodels.Client.audience` during OIDC dynamic registration.
- ``post_logout_redirect_uris`` was ignored during OIDC dynamic registration.
- Group field error prevented the registration form validation.
- The ``THEME`` setting can be a relative path.
- Crash when no ACL were defined.
- OIDC Userinfo endpoint is also available in POST.
- Fix redirection after password reset. :issue:`159`
- Convert all the PNG pictures in Webp. :pr:`162`
- Update to Flask 3. :issue:`161` :pr:`163`
- Handle 4xx and 5xx error codes with HTMX. :issue:`171` :pr:`161`
- Avoid crashing when LDAP groups reference nonexistent users.
- Password reset and initialization mails were only sent to the user's preferred email address.
- Password reset and initialization mails were not sent to any of the user's addresses if one of them could not be reached.
- Password comparison was too permissive on login.
- Encrypt passwords in the SQL backend.
- Refresh token grant supports other client authentication methods. :pr:`157`
- Implement a SQLAlchemy backend. :issue:`30` :pr:`158`
- Disable HTMX boosting during the OIDC dance. :pr:`160`
- Canaille installations without account lockability could not delete users. :pr:`153`
- If users register or authenticate during an OAuth Authorization phase, they get redirected back to that page afterwards. :issue:`168` :pr:`151`
- The flask-babel and pytz libraries are now part of the front packaging extras.
- Bump to fomantic-ui 2.9.3. :pr:`152`
- Bump to HTMX 1.9.6. :pr:`154`
- Support for Python 3.12. :pr:`155`
- OIDC jwks endpoint does not return an empty ``kid`` claim.
- Documentation details on the Canaille models.
- Additional inmemory backend. :issue:`30` :pr:`149`
- Installation extras. :issue:`167` :pr:`150`
- Configuration option to disable the forced usage of OIDC nonce parameter. :pr:`143`
- Validate phone numbers with a regex. :pr:`146`
- Email verification. :issue:`41` :pr:`147`
- Account registration. :issue:`55` :pr:`133` :pr:`148`
- The check command uses the default configuration values.
- Modals do not need to use Javascript at the moment. :issue:`158` :pr:`144`

.. warning::

   Configuration files must be updated.
   Check the new format with ``git diff 0.0.29 0.0.30 canaille/conf/config.sample.toml``
- Configuration option to disable Javascript. :pr:`141`
- The configuration parameter ``USER_FILTER`` is parsed with Jinja.
- Configuration uses ``PRIVATE_KEY_FILE`` instead of ``PRIVATE_KEY`` and ``PUBLIC_KEY_FILE`` instead of ``PUBLIC_KEY``.
- Disabled HTMX boosting on OIDC forms to avoid errors.
- A template variable was misnamed.
.. warning::

   Configuration files must be updated.
   Check the new format with ``git diff 0.0.26 0.0.27 canaille/conf/config.sample.toml``
- Configuration entries can be loaded from files if the entry key has a _FILE suffix and the entry value is the path to the file. :issue:`134` :pr:`134`
- Field list support. :issue:`115` :pr:`136`
- Pages are boosted with HTMX. :issue:`144` :issue:`145` :pr:`137`
- Bump to jquery 3.7.0. :pr:`138`
- Profile edition when the user RDN was not ``uid``. :issue:`148` :pr:`139`
- Stop support for Python 3.7. :pr:`131`
- Implemented account expiration based on OpenLDAP ppolicy overlay. Needs OpenLDAP 2.5+. :issue:`13` :pr:`118`
- Timezone configuration entry. :issue:`137` :pr:`130`
- Avoid setting ``None`` in JWT claims when they have no value.
- Display password recovery button on OIDC login page. :pr:`129`

.. warning::

   - Configuration files must be updated.
   - Check the new format with ``git diff 0.0.25 0.0.24 canaille/conf/config.sample.toml``
- Renamed user model attributes to match SCIM naming convention. :pr:`123`
- Moved OIDC related configuration entries in ``OIDC``.
- Moved ``LDAP`` configuration entry to ``BACKENDS.LDAP``.
- Bumped to HTMX 1.9.0. :pr:`124`
- ACL filters are no longer LDAP filters but user attribute mappings. :pr:`125`
- Bumped to HTMX 1.9.2. :pr:`127`
- ``OIDC.JWT.MAPPING`` configuration entry is really optional now.
- Fixed empty model attributes registration. :pr:`125`
- Password initialization mails were not correctly sent. :pr:`128`
- Fixed avatar update. :pr:`122`
- Organization field. :pr:`116`
- ETag and Last-Modified headers on user photos. :pr:`116`
- Dynamic form validation. :pr:`120`
- CSRF protection on every form. :pr:`119`
- The Faker library is not imported anymore when the clean command is called.
- Display TOS and policy URI on the consent list page. :pr:`102`
- Admin token deletion. :pr:`100` :pr:`101`
- Revoked consents can be restored. :pr:`103`
- Pre-consented clients are displayed in the user consent list, and their consents can be revoked. :issue:`69` :pr:`103`
- A ``populate`` command can be used to fill the database with random users generated with faker. :pr:`105`
- SMTP SSL support. :pr:`108`
- Server side pagination. :issue:`114` :pr:`111`
- Department number support. :issue:`129`
- Address edition support (but not in the OIDC claims yet). :pr:`112`
- Title edition support. :pr:`113`
- Client deletion also deletes related :class:`~canaille.oidc.basemodels.Consent`, :class:`~canaille.oidc.basemodels.Token` and :class:`~canaille.oidc.basemodels.AuthorizationCode` objects. :issue:`126` :pr:`98`
- Removed the DataTables Javascript library.
- Spanish translation. :pr:`85` :pr:`88`
- Dedicated connectivity test email. :pr:`89`
- Update to jquery 3.6.3. :pr:`90`
- Update to fomantic-ui 2.9.1. :pr:`90`
- Update to DataTables 1.13.1. :pr:`90`
- Fix typos and grammar errors. :pr:`84`
- Fix wording and punctuations. :pr:`86`
- Fix HTML lang tag. :issue:`122` :pr:`87`
- Automatically trim the translated HTML strings. :pr:`91`
- Fixed dynamic registration scope management. :issue:`123` :pr:`93`
- Ensure the token ``expires_in`` claim and the ``access_token`` ``exp`` claim have the same value. :pr:`83`
- OIDC end_session was not returning the ``state`` parameter in the ``post_logout_redirect_uri``. :pr:`82`
- Fixed LDAP operational attributes handling.
- Users can choose their display name. :pr:`77`
- Bumped to Authlib 1.2. :pr:`78`
- Implemented :rfc:`RFC7592 <7592>` OAuth 2.0 Dynamic Client Registration Management Protocol. :pr:`79`
- Add the ``nonce`` parameter to the ``claims_supported`` server metadata list.
- Fixed translation catalogs packaging.
- Fixed a bug on the contacts field in the admin client form following the LDAP schema update of 0.0.12.
- Fixed a bug happening during RP-initiated logout on clients without ``post_logout_redirect_uri`` defined.
- Gitlab CI fix. :pr:`64`
- Fixed client_secret display on the client administration page. :pr:`65`
- Fixed non-square logo CSS. :pr:`67`
- Fixed schema path on installation. :pr:`68`
- Fixed RFC7591 ``software_statement`` claim support. :pr:`70`
- Fixed client preconsent disabling. :pr:`72`
- Python 3.11 support. :pr:`61`
- ``apparmor`` slapd configuration instructions in the documentation page for contributions. :pr:`66`
- ``preferredLanguage`` attribute support. :pr:`75`
- Replaced the use of the deprecated ``FLASK_ENV`` environment variable with ``FLASK_DEBUG``.
- Dynamically generate the server metadata. Users won't have to copy and manually edit ``oauth-authorizationserver.json`` and ``openid-configuration.json``. :pr:`71`
- The ``FROM_ADDR`` configuration option is not mandatory anymore. :pr:`73`
- The ``JWT.ISS`` configuration option is not mandatory anymore. :pr:`74`
- Basic WebFinger endpoint. :pr:`59`
- Bumped to FomanticUI 2.9.0.
- Implemented Dynamic Client Registration. :pr:`60`
- Default theme has a dark variant. :pr:`57`
- Fixed missing ``canaille`` binary. :pr:`58`
- Online demo. :pr:`55`
- The consent page was displaying scopes not supported by clients. :pr:`56`
- Fixed end session when users are already disconnected.
- ``DISABLE_PASSWORD_RESET`` configuration option to disable password recovery. :pr:`46`
- ``edit_self`` ACL permission to control user self edition. :pr:`47`
- RP-initiated logout implementation. :pr:`54`
- Bumped to Authlib 1. :pr:`48`
- Various documentation improvements. :pr:`50`
- Use poetry instead of setuptools as project management tool. :pr:`51`
- Additional tests for the OIDC ``nonce`` parameter. :pr:`52`
- ``HIDE_INVALID_LOGIN`` behavior and default value.
- Compiled translation catalogs are not versioned anymore. :pr:`49` :pr:`53`
- Fixed dependencies.
- Fixed spaces and escaped special characters in LDAP ``cn/dn`` attributes. :pr:`43`
- Access tokens are JWTs. :pr:`38`
- Default groups on invitations. :pr:`41`
- LDAP schemas are shipped within the Canaille package. :pr:`42`
- LDAP model objects have new identifiers. :pr:`37`
- Client pre-authorization. :pr:`11`
- LDAP permissions check with the check command. :pr:`12`
- Update consents when the required scope is larger than the scope of an already given consent. :pr:`13`
- Theme customization. :pr:`15`
- Logging configuration. :pr:`16`
- Installation command. :pr:`17`
- Invitation links. :pr:`18`
- Advanced permissions. :pr:`20`
- An option to not use OIDC. :pr:`23`
- Disable some features when no SMTP server is configured. :pr:`24`
- Login placeholder dynamically generated according to the configuration. :pr:`25`
- Added an option to tune object IDs. :pr:`26`
- Avatar support. :pr:`27`
- Dynamic and configurable JWT claims. :pr:`28`
- UI improvements. :pr:`29`
- Invitation links expiration. :pr:`30`
- Invitees can choose their IDs. :pr:`31`
- LDAP backend refactoring. :pr:`35`
- Fixed ghost members in a group. :pr:`14`
- Fixed email sender names. :pr:`19`
- Fixed filter not being escaped. :pr:`21`
- Demo script good practices. :pr:`32`
- Binary path for Debian. :pr:`33`
- Last name was not mandatory in the forms while it was mandatory in the LDAP server. :pr:`34`
- Spelling typos. :pr:`36`
- Two-step sign-in. :issue:`49`
- Tokens can have several audiences. :issue:`62` :pr:`9`
- Configuration check command. :issue:`66` :pr:`8`
- Groups management. :issue:`12` :pr:`6`
- Introspection access bugfix. :issue:`63` :pr:`10`
- Introspection sub claim. :issue:`64` :pr:`7`
- Login page is responsive. :issue:`1`
- Adapt mobile keyboards to login page fields. :issue:`2`
- Password recovery interface. :issue:`3`
- User profile interface. :issue:`4`
- Renamed the project Canaille. :issue:`5`
- Command to remove old tokens. :issue:`17`
- Improved password recovery email. :issue:`14` :issue:`26`
- Use Flask SERVER_NAME configuration variable instead of URL. :issue:`24`
- Improved consents page. :issue:`27`
- Admin user page. :issue:`8`
- Project logo. :pr:`29`
- User account self-deletion can be enabled in the configuration with ``SELF_DELETION``. :issue:`35`
- Admins can impersonate users. :issue:`39`
- Forgotten page UX improvement. :pr:`43`
- Admins can remove clients. :pr:`45`
- ``HIDE_INVALID_LOGIN`` option that can be deactivated to let users know whether the login they attempt to sign in with exists or not. :pr:`48`
- Password initialization mail. :pr:`51`
- Form translations. :issue:`19` :issue:`23`
- Avoid using Google Fonts. :issue:`21`
- 'My tokens' page. :issue:`22`
- Initial release.