This update contains a variety of frequently requested features and improvements.
Custom OAuth providers
In addition to the preconfigured providers such as Apple, Google, and GitHub, we have now added the option to configure custom OpenID Connect or OAuth providers so that they appear as “Sign in with...” buttons on the login and registration pages.
Device trust
A new device trust feature offers users the option of not having to perform 2FA again for a certain period of time after successful 2FA. Administrators can specify whether to automatically trust the device, prompt the user to trust the device, or never allow trusted devices and always enforce 2FA.
Stay signed in
This new option controls whether a persistent cookie or a session cookie is issued when the user logs in. Persistent cookies (the default) carry an expiry equal to the configured session duration, so the user stays logged in even after the browser is closed. Session cookies carry no expiry and are discarded by the browser when the browsing session ends, usually when the browser is closed, so users have to log in again on their next visit (note that browsers configured to restore the previous session may keep session cookies across a restart). A third option adds a “Stay signed in” checkbox to the login screen, letting the user choose the cookie type themselves.
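The three modes differ only in whether the session cookie carries an expiry, which is easy to verify against a live deployment by inspecting the Set-Cookie header after login. The following is an added illustration, not Hanko's own code: the cookie name "hanko", the session duration and the hardening attributes are assumptions made for the example, and should be checked against your own configuration.

```python
"""Issue and audit a session cookie for the three "Stay signed in" modes.

Added example, not part of the Hanko project. The cookie name "hanko", the
12-hour session duration and the attribute set are assumptions for illustration.
"""
from http.cookies import SimpleCookie
from typing import Optional

SESSION_DURATION_S = 12 * 3600  # assumed configured session duration

def issue_cookie(mode: str, token: str, stay_signed_in: Optional[bool] = None,
                 ttl: int = SESSION_DURATION_S, name: str = "hanko") -> str:
    """Return the Set-Cookie header value for a login in the given mode.

    mode: "persistent" (default), "session", or "prompt" (checkbox on the
    login page). In "prompt" mode the checkbox state decides; an unchecked
    box yields a session cookie.
    """
    if mode == "persistent":
        persistent = True
    elif mode == "session":
        persistent = False
    elif mode == "prompt":
        if stay_signed_in is None:
            raise ValueError("prompt mode needs the checkbox state")
        persistent = stay_signed_in
    else:
        raise ValueError(f"unknown retention mode {mode!r}")

    # Hardening attributes every session cookie should carry regardless of mode.
    attrs = [f"{name}={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if persistent:
        # Only an explicit Max-Age (or Expires) makes a cookie outlive the
        # browsing session; without it the browser treats it as a session cookie.
        attrs.append(f"Max-Age={ttl}")
    return "; ".join(attrs)

def audit_set_cookie(header: str, name: str = "hanko") -> dict:
    """Classify a captured Set-Cookie header: persistent or session-scoped,
    plus whether the expected hardening flags are present."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar[name]
    persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
    return {
        "persistent": persistent,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"] or None,
    }

if __name__ == "__main__":
    # Constructed token; a real deployment issues its own opaque value or JWT.
    for mode, box in (("persistent", None), ("session", None),
                      ("prompt", True), ("prompt", False)):
        header = issue_cookie(mode, "tok-example", stay_signed_in=box)
        print(f"{mode:<10} checkbox={box!s:<5} -> {audit_set_cookie(header)}")
```

To check a running instance, paste the Set-Cookie value returned by the login endpoint into audit_set_cookie: a result of persistent=False with the default configuration, or a missing HttpOnly/Secure flag, indicates the deployment is not issuing the cookie you expect.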
Last used indicators
Social SSO buttons (e.g., "Sign in with Google") now display a "Last used" label to help users remember which provider they chose on their last visit and avoid creating redundant accounts. Note that with account linking enabled users can still switch to a different login method, but only when the email address returned by the new provider matches the existing account.
New admin API endpoints
The Admin API has been extended with the following new endpoints:
- password
  - get
  - create
  - update
  - delete
- webauthn
  - list
  - get
  - delete
- otp
  - get
  - delete
- sessions
  - list
  - create
  - delete
User import improvements
User import functionality has been improved. More user data and credentials can now be imported, for example:
- Usernames
- Passwords (bcrypt hashes)
- WebAuthn credentials
- OTP secrets
What's Changed
- chore: re-generate example css by @bjoern-m in #1970
- feat: add session creation endpoint by @FreddyDevelop in #1969
- fix: add missing third party provider defaults by @lfleischmann in #1976
- feat: trusted devices and 'remember me' by @bjoern-m in #1982
- feat: add last used indicator to the login page by @bjoern-m in #1957
- Admin api changes by @FreddyDevelop in #1974
- chore: autogenerate config JSON schema by @github-actions in #1986
- feat: third party custom providers by @lfleischmann in #1984
- chore: autogenerate config JSON schema by @github-actions in #1989
- fix: check server side session for REST API endpoints by @FreddyDevelop in #1988
- feat: enhance jsonschema for third_party config by @lfleischmann in #1990
- chore: autogenerate config JSON schema by @github-actions in #1991
- Fix cookie name in passcode handler by @loeffert in #1625
- Feat custom user by @FreddyDevelop in #1978
- fix: remove session id from jwt on disabled server side sessions by @lfleischmann in #1993
- chore: add missing tags by @FreddyDevelop in #1994
- Feat extend user import by @FreddyDevelop in #1992
- chore: autogenerate import JSON schema by @github-actions in #1996
- chore: update versions to 1.3.0 by @FreddyDevelop in #1998
- fix: return after suspending delete session action by @lfleischmann in #2000
- chore: add same site attribute to the device trust cookie by @bjoern-m in #2006
Full Changelog: backend/v1.2.1...backend/v1.3.2