3.47.5 (2026-04-20)

Bug Fixes

• op: allow dynamic loopback ports in post_logout_redirect_uri per RFC 8252 §7.3 (#875) (fb9fbfe), closes /datatracker.ietf.org/doc/html/rfc8252#section-7 zitadel/zitadel#6615

3.47.4 (2026-04-17)

Bug Fixes

• URL-encode client credentials in Basic Auth per RFC 6749 §2.3.1 (#873) (178e018), closes /datatracker.ietf.org/doc/html/rfc6749#section-2 #857 #858

3.47.3 (2026-04-15)

Bug Fixes

• propagate signature verification errors correctly (#872) (49664bf)

3.47.2 (2026-04-10)

Bug Fixes

• tolerate string amr claims from external providers (#855) (5f70eff)

3.47.1 (2026-04-09)

Bug Fixes

• oidc server error to http status mapping (#865) (d118dd7)

This release adds signing of opaque tokens. By secure default, all existing opaque access tokens emitted by OP implementations, will be invalid. Users will need to re-login. If you want a more gradual upgrade use the op.WithCrypto() option to pass a op.NewCompositeCrypto(). Use aop.NewAESCrypto() in the Decrypter slice with the existing master key.

This change does not affect client / RP / RS libraries.

What's Changed

• feat: use jose for bearer-token encryption by @wim07101993 in b4cf422
• chore: package upgrades by @wim07101993 in #866

Full Changelog: v3.46.0...v3.47.0

3.46.0 (2026-04-02)

Features

• Allow for reuse of cookie creation + decouple creation from http writer (#848) (4fae59b), closes #847

3.45.6 (2026-03-31)

Bug Fixes

• fixed a bunch of typos in both docs, tests and code (#861) (cab66d5)

3.45.5 (2026-03-02)

Bug Fixes

• add auth_methods client_secret_basic for refresh token and revok… (#803) (811e8b2)

3.45.4 (2026-02-09)

Bug Fixes

• grant type in device code validation error message (#845) (c238329)