Releases: descoped/authly

Release v0.5.7

08 Aug 12:27

🎯 Highlights

This release focuses on improving the standalone Docker container experience with enhanced admin account management, better modularization, updated dependencies, and optimized CI/CD workflows.

✨ New Features

Admin Account Management

  • New unlock-admin-account CLI command - Directly unlock the admin account via database connection when locked out
  • Added convenient wrapper scripts for better container CLI experience
  • Improved admin account security with better rate limiting defaults (100 requests/60 seconds)

Standalone Container Improvements

  • Refactored Dockerfile.standalone for better maintainability with modular setup scripts
  • Added version identifier to /health endpoint response for easier deployment tracking
  • Optimized container build process with better caching and reduced image size
  • Consolidated to single optimized Dockerfile (removed minimal variant)
  • Database connections now use dedicated authly user instead of postgres superuser

🔧 Infrastructure & DevOps

CI/CD Improvements

  • Optimized Docker builds with PostgreSQL builder caching strategy
    • Separated postgres-builder stage for better caching
    • Multi-stage caching reduces build times significantly
    • Cached builder images stored in GitHub Container Registry
  • Python 3.13 adoption in CI/CD pipelines
    • Updated conformance tests to use Python 3.13
    • Modernized test runner configurations
  • Enhanced release workflow
    • Split Docker builds into production and standalone variants
    • Improved deployment summaries with clearer instructions
    • Better image tagging and metadata handling

Build System

  • Modularized container setup into separate scripts:
    • configure-all.sh - Main configuration orchestrator
    • setup-environment.sh - Environment variables setup
    • setup-postgres.sh - PostgreSQL configuration
    • setup-python.sh - Python environment setup
    • setup-s6-services.sh - S6 supervision configuration
    • setup-wrappers.sh - CLI wrapper scripts

Testing

  • Added PostgreSQL builder cache testing script
  • Enhanced health check endpoint with version information
  • Removed "90% Target" from OIDC conformance tests (now achieving 100% compliance)

📦 Dependencies

  • Python: Updated to 3.13.6
  • Docker base images: Updated to latest versions
  • UV lock file: Refreshed with latest compatible dependencies

📚 Documentation

  • Archived completed AI assistant instructions
  • Updated Gemini project memory
  • Enhanced Docker standalone documentation
  • Added comprehensive implementation notes for Docker improvements

🔄 Changes Summary

  • 11 commits since v0.5.6
  • 34 files changed: 1,408 insertions(+), 635 deletions(-)
  • Major refactoring of standalone Docker implementation
  • Improved developer experience with better CLI tools
  • Optimized CI/CD pipeline with better caching strategies

New Admin Unlock Feature

If the admin account gets locked due to failed login attempts:

# Direct database unlock
./scripts/unlock-admin-account.sh

# Or within container
docker exec authly-standalone authly-unlock-admin
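What a lockout counter and a direct database unlock look like underneath commands like the ones above, as an added example (not Authly's code or schema). An in-memory SQLite table stands in for PostgreSQL; the column names, the attempt threshold, the lockout duration and the admin username are assumptions made for the illustration. The point it shows: a locked account is refused even with the correct password, so the unlock has to go to the database rather than through the login path.

```python
"""Admin account lockout, and what a direct database unlock does.

Added example, not Authly's code or schema. An in-memory SQLite table
stands in for PostgreSQL. Failed logins increment a counter; when it
reaches MAX_FAILED_ATTEMPTS the row gets a locked_until timestamp; the
unlock helper resets both columns straight in the database, which is
why it still works when the HTTP login path is the thing that is locked.
Column names, threshold, duration and the 'admin' username are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=15)
# fixed "now" used by the walkthrough so results are reproducible
T0 = datetime(2025, 8, 8, 12, 0, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE users (
    username              TEXT PRIMARY KEY,
    failed_login_attempts INTEGER NOT NULL DEFAULT 0,
    locked_until          TEXT            -- ISO-8601 UTC, NULL when unlocked
)
"""


def open_db() -> sqlite3.Connection:
    """Fresh database with a single admin row (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO users (username) VALUES ('admin')")
    conn.commit()
    return conn


def is_locked(conn: sqlite3.Connection, username: str, now: datetime) -> bool:
    row = conn.execute(
        "SELECT locked_until FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return False
    return datetime.fromisoformat(row[0]) > now  # lock expires on its own


def record_failed_login(conn: sqlite3.Connection, username: str, now: datetime) -> int:
    """Bump the counter; set locked_until once the threshold is reached.
    Returns the new count (0 for an unknown user)."""
    conn.execute(
        "UPDATE users SET failed_login_attempts = failed_login_attempts + 1 "
        "WHERE username = ?",
        (username,),
    )
    row = conn.execute(
        "SELECT failed_login_attempts FROM users WHERE username = ?", (username,)
    ).fetchone()
    count = row[0] if row else 0
    if count >= MAX_FAILED_ATTEMPTS:
        conn.execute(
            "UPDATE users SET locked_until = ? WHERE username = ?",
            ((now + LOCKOUT_DURATION).isoformat(), username),
        )
    conn.commit()
    return count


def unlock_account(conn: sqlite3.Connection, username: str) -> bool:
    """The direct-database unlock: clear the counter and the lock without
    going through authentication. Returns False if the user does not exist."""
    cur = conn.execute(
        "UPDATE users SET failed_login_attempts = 0, locked_until = NULL "
        "WHERE username = ?",
        (username,),
    )
    conn.commit()
    return cur.rowcount == 1


def attempt_login(conn: sqlite3.Connection, username: str, password_ok: bool, now: datetime) -> str:
    """Login path: a locked account is refused even with the right password,
    a wrong password counts against it, a right one resets the counter."""
    if is_locked(conn, username, now):
        return "locked"
    if not password_ok:
        record_failed_login(conn, username, now)
        return "failed"
    unlock_account(conn, username)  # successful login resets the counter
    return "ok"
```

Note that the lock also expires by itself after LOCKOUT_DURATION; the direct unlock is for the case where waiting is not acceptable, and it needs the same database credentials the service uses (in v0.5.7 the dedicated authly user, not the postgres superuser).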

📝 Notes

  • The minimal Dockerfile variant has been removed in favor of a single optimized build
  • Rate limiting defaults have been adjusted to 100 requests per 60 seconds for better security
  • The health endpoint now returns version information for easier deployment verification
  • CI/CD builds now leverage multi-stage caching for faster deployments

Full Changelog: v0.5.6...v0.5.7

Release v0.5.6 - OIDC Conformance & Standalone Container

07 Aug 17:44

🎉 Highlights

This release brings 100% OIDC core conformance, a new standalone all-in-one Docker container for development/testing, and numerous improvements to testing infrastructure and documentation.

🚀 New Features

Standalone Docker Container

  • All-in-one development container with embedded PostgreSQL and Redis (Dockerfile.standalone)
    • Zero-dependency deployment for evaluation, testing, and CI/CD pipelines
    • ~150MB size with Alpine Linux base
    • Includes s6-overlay for process supervision
    • Pre-configured with development defaults (NOT for production use)
    • Normal text logging by default (not JSON structured)

OIDC Conformance

  • Achieved 100% OIDC core specification compliance
  • 90% overall OIDC conformance including optional features
  • Implemented comprehensive OIDC conformance testing suite
  • Added new TCK (Technology Compatibility Kit) pipeline for continuous conformance validation
  • Reorganized TCK documentation for better clarity

Script Improvements

  • Renamed api-test.sh to simple-auth-flow.sh for better clarity
  • Enhanced integration test scripts with runtime password patching
  • Added SQL-based user seeding (replacing complex Python async approach)

🐛 Bug Fixes

  • Fixed OAuth token endpoint validation errors
  • Resolved user management integration test failures
  • Fixed discovery endpoints compliance in pipelines
  • Fixed integer expression errors in logging functions
  • Improved waiting strategies for conformance suite containers
  • Enhanced robustness of Authly health checks

📚 Documentation

  • Updated README with latest features and capabilities
  • Enhanced future planning documentation
  • Added roadmap item for renaming script integration tests to end-to-end tests
  • Improved OIDC conformance documentation

🔧 Infrastructure & CI/CD

  • Updated GitHub workflows to accurately report OIDC implementation status
  • New dedicated TCK pipeline for conformance testing
  • Improved test organization and stability

📊 Statistics

  • 24 commits since v0.5.5
  • 159 files changed: 19,985 insertions(+), 1,079 deletions(-)
  • Test Coverage:
    • simple-auth-flow: 16/16 tests passing
    • Integration tests: 9/9 passing (2 expected skips)
    • OIDC Conformance: 100% core, 90% overall

⚠️ Important Notes

Standalone Container Security Warning

The new standalone container includes insecure default secrets and is NOT suitable for production use. It's designed exclusively for:

  • Development environments
  • Testing and evaluation
  • CI/CD pipelines
  • Quick demonstrations

For production deployments, use the standard Authly container with external PostgreSQL/Redis and provide secure secrets.

🏷️ Compatibility

  • Python 3.11+
  • PostgreSQL 14+
  • Redis 6+
  • Docker 20.10+

🔄 Upgrading

No breaking changes for existing production deployments. The standalone container is an additional offering and doesn't affect existing installations.

To use the new standalone container:

docker build -f Dockerfile.standalone -t authly-standalone .
docker run -p 8000:8000 authly-standalone

Full Changelog: v0.5.5...v0.5.6

Release 0.5.5

06 Aug 12:28

Authly v0.5.5 - Complete OAuth 2.1/OIDC Authorization Server

This major release completes the OAuth 2.1 and OpenID Connect implementation, delivering a production-ready authorization server with comprehensive administrative capabilities.

🚀 Major Features

OAuth 2.1 Compliance & OIDC Implementation

  • Complete OAuth 2.1 authorization server with PKCE support and security best practices
  • Full OpenID Connect provider with UserInfo endpoint and profile management
  • OIDC-compliant user profile updates with scope-based validation
  • Enhanced security model with proper token handling and session management

Comprehensive Admin Portal

  • Complete user management system with CRUD operations, advanced filtering, and pagination
  • Session management capabilities including user session monitoring and revocation
  • Password reset functionality with secure temporary password generation
  • Performance-optimized queries with caching layer for dashboard statistics
  • Advanced filtering system with text search, date ranges, and status filtering

Infrastructure & Performance

  • Query optimization with CTE-based operations and performance indexes
  • Caching layer with configurable TTL for admin operations (30-60s)
  • Connection pooling with enhanced database performance
  • Parallel testing support with restructured test suite (680+ tests)

🔄 Breaking Changes

API Endpoint Changes

OAuth endpoints have been moved for better organization:

  • GET/POST /api/v1/auth/token → GET/POST /api/v1/oauth/token
  • POST /api/v1/auth/refresh → POST /api/v1/oauth/refresh
  • POST /api/v1/auth/revoke → POST /api/v1/oauth/revoke

User Management Security

Enhanced security for user operations:

  • /api/v1/users/{id} endpoints now require admin privileges
  • /api/v1/users/me deprecated in favor of /oidc/userinfo
  • User listing and management operations restricted to admins only

Migration Required

  • Update client applications to use new OAuth endpoints
  • Update OAuth discovery configurations to reflect endpoint changes
  • Verify endpoint references in external integrations

✨ New Endpoints

Admin User Management

  • GET /admin/users - List users with advanced filtering and pagination
  • GET /admin/users/{user_id} - Get detailed user information
  • POST /admin/users - Create new users with temporary passwords
  • PUT /admin/users/{user_id} - Update user profiles and settings
  • DELETE /admin/users/{user_id} - Delete users with cascade cleanup
  • POST /admin/users/{user_id}/reset-password - Reset user passwords securely

Session Management

  • GET /admin/users/{user_id}/sessions - List user sessions with filtering
  • DELETE /admin/users/{user_id}/sessions - Revoke all user sessions
  • DELETE /admin/users/{user_id}/sessions/{session_id} - Revoke specific session

OIDC Compliance

  • PUT /oidc/userinfo - OIDC-compliant profile updates with scope validation
  • Enhanced /oidc/userinfo endpoint with full OIDC claims support
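How scope-based claim filtering for a UserInfo response works in practice, as an added example (not Authly's implementation). It applies the standard scope-to-claim mapping from OpenID Connect Core 1.0 section 5.4 to a stored profile and releases only what the token's granted scopes cover; the profile record, its field names and the internal fields it carries are constructed for the example.

```python
"""Scope-based filtering of OIDC UserInfo claims.

Added example, not Authly's code. The SCOPE_CLAIMS table is the standard
mapping from OpenID Connect Core 1.0 section 5.4; the sample profile,
including the internal fields that must never be released, is constructed.
"""
from typing import Any

# OIDC Core 1.0, section 5.4: the claims each standard scope requests.
SCOPE_CLAIMS: dict[str, frozenset[str]] = {
    "profile": frozenset({
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    }),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}


def userinfo_claims(profile: dict[str, Any], granted_scopes: str) -> dict[str, Any]:
    """Return the UserInfo body for an access token carrying these scopes.

    'sub' is always returned. Without 'openid' the token is not an OIDC
    token at all, so no identity claims are released. Claims whose stored
    value is None are omitted rather than sent as null. Anything not in the
    allow-list (password hashes, role flags, ...) is dropped by construction.
    """
    scopes = set(granted_scopes.split())
    if "openid" not in scopes:
        raise PermissionError("openid scope required for UserInfo")
    allowed: set[str] = {"sub"}
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, frozenset())
    return {k: v for k, v in profile.items() if k in allowed and v is not None}


# Constructed sample record: mixes releasable claims with internal columns.
SAMPLE_PROFILE: dict[str, Any] = {
    "sub": "user-0001",
    "name": "Alice Example",
    "middle_name": None,
    "email": "alice@example.com",
    "email_verified": True,
    "phone_number": "+15555550100",
    "address": {"formatted": "1 Example St"},
    "password_hash": "$2b$12$constructed-not-a-real-hash",
    "is_admin": True,
}
```

The allow-list direction matters: filtering by listing what to remove would leak any column added to the user table later, whereas listing what each scope may release fails closed.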

🔧 Technical Improvements

Database & Performance

  • Optimized queries with Common Table Expressions (CTEs)
  • Performance indexes for admin operations and session management
  • Connection pooling with 10 min / 50 max connections for tests
  • Query result caching with configurable TTL settings

Error Handling & Validation

  • Comprehensive error handling with 20+ standardized admin error codes
  • Request tracing middleware with processing time metrics
  • Business rule validation for users, clients, and scopes
  • Field-level validation with detailed error responses

Code Quality & Testing

  • Complete linting compliance with modern ruff configuration
  • Restructured test suite into 7 feature domains for better organization
  • 680+ comprehensive tests covering all functionality
  • Parallel testing support with pytest-xdist integration

📦 Dependencies

Updated

  • psycopg-toolkit → v0.2.2 (enhanced field handling)
  • anyio → v4.10.0
  • certifi → v2025.8.3
  • coverage → v7.10.2
  • redis → v6.3.0

Added

  • pytest-xdist for parallel test execution

🏗️ Infrastructure

Configuration Enhancements

  • Configurable cache TTL for different admin operations
  • Server configuration with environment variable support
  • Security settings for lockout duration and login attempts
  • Improved dependency injection throughout the application

Test Infrastructure

  • Feature-based test organization (auth, oauth, oidc, admin, infrastructure)
  • Comprehensive test documentation with clear domain separation
  • Performance testing scripts for validation and optimization
  • Enhanced test fixtures with proper resource cleanup

📚 Documentation

  • Complete implementation roadmaps for OAuth 2.1 and OIDC features
  • Comprehensive API documentation for all admin endpoints
  • Migration guides for breaking changes
  • Parallel testing guide for development workflow
  • External libraries documentation with usage guidelines

🔒 Security Enhancements

  • Admin-only field restrictions for sensitive user data
  • Session invalidation on password resets
  • Cascade cleanup on user deletion
  • Scope-based OIDC claim filtering
  • Business rule validation preventing system integrity issues
  • Audit logging for administrative operations

🎯 What's Next

This release completes Phase 2 of the OAuth 2.1/OIDC implementation. Future releases will focus on:

  • Redis backend integration for production caching
  • Advanced OIDC features and compliance enhancements
  • API rate limiting and advanced security features
  • Multi-tenant support and organization management

Full Changelog: [View on GitHub](https://github.com/your-org/authly/compare/v0.5.4...v0.5.5)

Migration Guide

1. Update OAuth Endpoints

- POST /api/v1/auth/token
+ POST /api/v1/oauth/token

- POST /api/v1/auth/refresh  
+ POST /api/v1/oauth/refresh

- POST /api/v1/auth/revoke
+ POST /api/v1/oauth/revoke

2. Update User Profile Access

- GET /api/v1/users/me
+ GET /oidc/userinfo

- PUT /api/v1/users/{id} 
+ PUT /oidc/userinfo  # For user's own profile
+ PUT /admin/users/{id}  # For admin operations

3. Update Discovery Metadata

Ensure your OAuth discovery configurations point to the new /oauth/* endpoints instead of /auth/*.

Release 0.5.4

01 Aug 21:07

🔧 Security Middleware Improvements

What's Changed

🔄 Middleware Consolidation

  • Removed duplicate security middleware from auth router to prevent conflicts
  • Centralized security headers management in dedicated middleware module
  • Cleaned up module exports by removing redundant SecurityHeadersMiddleware from API exports

📚 Documentation Support

  • Path-specific CSP policies that adapt based on request endpoints
  • Enhanced documentation access with relaxed CSP for /docs and /redoc endpoints
  • CDN resource support for Swagger UI and ReDoc functionality from cdn.jsdelivr.net
  • Maintained security for all other endpoints with strict default policies
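One way to implement the per-path split described above, as an added example that is not Authly's middleware. A pure function chooses the Content-Security-Policy for a request path: /docs and /redoc (and their sub-paths) get a policy that permits the Swagger UI and ReDoc assets from cdn.jsdelivr.net, every other path gets the strict default. The exact directive lists, the HSTS max-age and the cross-origin header values are assumptions; the matching rule and the per-path split are the point.

```python
"""Path-specific security headers.

Added example, not Authly's middleware. Directive lists, HSTS max-age and
the cross-origin header values are assumptions for the illustration.
"""

STRICT_CSP = (
    "default-src 'self'; script-src 'self'; style-src 'self'; "
    "img-src 'self' data:; font-src 'self'; connect-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'; "
    "form-action 'self'"
)

# Swagger UI / ReDoc load their bundles and stylesheets from the CDN and
# FastAPI starts them with an inline <script>, hence 'unsafe-inline' on
# script-src here (a nonce would be the tighter option). Everything that
# does not have to change, object-src and frame-ancestors above all, stays
# as strict as the default policy.
DOCS_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
    "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
    "img-src 'self' data: https:; font-src 'self' https://cdn.jsdelivr.net; "
    "connect-src 'self'; object-src 'none'; frame-ancestors 'none'; "
    "base-uri 'self'"
)

DOCS_PATHS = ("/docs", "/redoc")


def is_docs_path(path: str) -> bool:
    """Exact match or a real sub-path (e.g. /docs/oauth2-redirect). A plain
    startswith("/docs") would also relax CSP for /docs-internal or /docsx."""
    return any(path == p or path.startswith(p + "/") for p in DOCS_PATHS)


def security_headers(path: str, https: bool = True) -> dict[str, str]:
    """Headers to attach to a response for `path`."""
    docs = is_docs_path(path)
    headers = {
        "Content-Security-Policy": DOCS_CSP if docs else STRICT_CSP,
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "no-referrer",
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Resource-Policy": "same-origin",
    }
    if not docs:
        # require-corp would block the CDN assets unless they are loaded with
        # crossorigin/CORP, so it is applied only where no third-party
        # resources are embedded.
        headers["Cross-Origin-Embedder-Policy"] = "require-corp"
    if https:
        # HSTS only means something on an HTTPS response; browsers ignore it
        # over plain HTTP.
        headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return headers
```

A quick check after deploying a change like this is to fetch /api/v1/oauth/token and /docs and confirm that only the latter's Content-Security-Policy mentions cdn.jsdelivr.net.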

Technical Improvements

  • Consolidated duplicate middleware implementations
  • Added intelligent CSP policy selection based on request path
  • Improved documentation endpoint functionality without compromising overall security
  • Better separation of concerns between auth logic and security headers

Breaking Changes

None - this is a refactoring release that maintains all existing functionality.

For Developers

The /docs and /redoc endpoints now properly load external resources needed for the interactive API documentation while maintaining strict security policies for all authentication and OAuth endpoints.

Release v0.5.3

01 Aug 20:28

🚀 Enhanced Security and Observability

What's New

✨ Structured Logging System

  • JSON-formatted logs with correlation ID tracking for better observability
  • Request tracing middleware that automatically tracks HTTP requests with timing and context
  • Specialized logging helpers for OAuth events, authentication, admin actions, and security incidents
  • Environment-configurable logging with support for both JSON and text formats
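The mechanics of JSON logging with a correlation ID carried across a request, as an added example (not Authly's logging module). A contextvar holds the ID for the current request, so every log call made while that request is handled is tagged without passing the ID through each function. handle_request() is a plain function standing in for an HTTP middleware, the handler collects lines in memory, and the event and field names are assumptions made for the example.

```python
"""JSON log lines carrying a per-request correlation ID.

Added example, not Authly's logging module. Event names, field names and
the request-handling stand-in are assumptions made for the illustration.
"""
import contextvars
import json
import logging
import time
import uuid
from datetime import datetime, timezone
from typing import Any, Optional

correlation_id: contextvars.ContextVar[str] = contextvars.ContextVar(
    "correlation_id", default="-"
)

# extra={...} keys that are promoted to top-level JSON fields
STRUCTURED_FIELDS = ("event", "path", "client_id", "username", "duration_ms", "status")


class JsonFormatter(logging.Formatter):
    """One JSON object per record, so a log shipper never sees a partial line."""

    def format(self, record: logging.LogRecord) -> str:
        payload: dict[str, Any] = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
            "correlation_id": correlation_id.get(),
        }
        for key in STRUCTURED_FIELDS:
            if hasattr(record, key):
                payload[key] = getattr(record, key)
        if record.exc_info:
            payload["exc"] = self.formatException(record.exc_info)
        return json.dumps(payload, separators=(",", ":"))


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the example can check itself."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

    def parsed(self) -> list[dict[str, Any]]:
        return [json.loads(line) for line in self.lines]


def build_logger(name: str = "authly.example") -> tuple[logging.Logger, ListHandler]:
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(JsonFormatter())
    log.addHandler(handler)
    return log, handler


def handle_request(log: logging.Logger, path: str, incoming_id: Optional[str] = None) -> str:
    """Middleware-shaped: adopt a caller-supplied X-Correlation-ID value or
    mint one, time the request, and log under that ID. Returns the ID.

    Only a caller-supplied ID of a sane shape is adopted; otherwise a client
    could inject arbitrary text into every log line of the request.
    """
    if incoming_id and incoming_id.isalnum() and len(incoming_id) <= 64:
        cid = incoming_id
    else:
        cid = uuid.uuid4().hex
    token = correlation_id.set(cid)
    start = time.perf_counter()
    try:
        log.info("request start", extra={"event": "http.request", "path": path})
        # real work would run here; one OAuth event stands in for it
        log.info("token issued", extra={"event": "oauth.token", "client_id": "demo-client"})
    finally:
        elapsed = round((time.perf_counter() - start) * 1000, 2)
        log.info("request end", extra={"event": "http.response", "duration_ms": elapsed, "status": 200})
        correlation_id.reset(token)  # do not leak the ID into the next request
    return cid
```

Because json.dumps escapes the message, a newline or a fake `"level":"ERROR"` inside user-controlled input stays inside one string value instead of forging a second log record; the shape check on the incoming ID keeps the correlation field itself clean.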

🔒 Security Headers Middleware

  • Comprehensive security headers including HSTS, Content Security Policy, and frame protection
  • OAuth-optimized CSP policies that balance security with authentication UI requirements
  • Configurable security settings via environment variables
  • Cross-origin protection with COEP, COOP, and CORP headers

🔧 Infrastructure Improvements

  • Fixed OAuth discovery service dependency injection for more reliable database connections
  • Updated Docker configurations with proper secrets management for production
  • Fixed Redis Commander connection issues in development environment
  • Enhanced test coverage with comprehensive security and logging tests

Breaking Changes

None - this release is fully backward compatible.

Migration Notes

  • The new structured logging is enabled by default. To disable JSON logging, set LOG_JSON=false
  • Security headers are automatically applied to all endpoints
  • OAuth discovery endpoints now require proper database connectivity

Technical Details

  • Added correlation ID tracking across all requests
  • Implemented environment-based security configuration
  • Enhanced error handling and request tracing
  • Improved Docker Compose setup for development and production

Release v0.5.2

01 Aug 14:53

Test publish to docker hub

Release v0.5.1

01 Aug 10:43

v0.5.1

Breaking Changes

  • Migrated from singleton pattern to dependency injection architecture
  • Replace singleton database connections with FastAPI dependency injection
  • Update OIDC endpoints to follow standard conventions (/oidc/userinfo)
  • All APIs now require proper FastAPI dependency context

Security Fixes

  • CVE-2024-47874: Update starlette to 0.47.2 (DoS via multipart/form-data, CVSS 8.7)
  • CVE-2025-54121: Update starlette to 0.47.2 (event loop blocking on large file uploads, CVSS 5.3)
  • Fix Cross-site Scripting (XSS) vulnerability in HTML parameter input rendering
  • Update fastapi to 0.116.1, uvicorn to 0.35.0, httpx to 0.28.1

Added

  • Redis integration for distributed caching, rate limiting, and sessions with automatic fallback to memory backends
  • Backend factory pattern with abstract interfaces for pluggable storage systems (src/authly/core/backend_factory.py)
  • Configuration-driven Redis feature toggles (src/authly/config/config.py)
  • Comprehensive PyPI release pipeline with automated publishing (.github/workflows/release-pypi.yml)
  • Full test suite execution (510 tests) with coverage reporting before release
  • Release validation with version consistency checks between git tags and pyproject.toml
  • Artifact attestation for enhanced security in release pipeline
  • OAuth 2.1 authorization code flow testing with PKCE support
  • Admin authentication and management API integration tests
  • Client and scope management testing via Admin API
  • Test orchestration with configurable test scopes (infrastructure, admin, clients, userauth, oauth, comprehensive)
  • Docker Compose configuration for isolated test environment setup
  • Git hooks with auto-fixing capabilities for ruff linting and formatting
  • AUTHLY_NO_AUTO_FIX environment variable to disable auto-fixing
  • Auto re-stage files after fixing linting and formatting issues
  • AdminAPIError exception class for structured error handling
  • Context-aware error messages for common API failures
  • OIDC conformance testing plan documentation
  • Codecov integration with coverage badges
  • GitHub Actions badges for full stack integration tests

Changed

  • Implement AuthlyResourceManager with mode-adaptive configuration (PRODUCTION, EMBEDDED, CLI, TESTING)
  • Migrate all API routers, services, and repositories to DI pattern
  • Integrate psycopg-toolkit Database with comprehensive lifecycle management
  • Update CI/CD for Python 3.11 compatibility (changed from 3.13)
  • Update serve command documentation with new options (--seed, --log-level, --access-log)
  • Update status command to use correct API response structure (statistics field)
  • Streamline full-stack-test-with-docker.yml with docker-build, full-stack-integration-test, and full-stack-summary jobs
  • Remove hardcoded UV version from GitHub Actions workflows to always use latest version
  • Replace interactive prompts with automatic formatting in git hooks

Fixed

  • Lint errors and formatting issues across codebase
  • GitHub Actions build-test-native.yml pipeline configuration
  • Build-test-with-docker.yml pipeline execution issues
  • Issue with async call in Authly CLI login command
  • Admin command invocations to use proper Click context and ctx.invoke()
  • Remove problematic asyncio.run() calls causing command execution errors
  • Add parameter validation for client creation (require redirect URI)
  • Map CLI parameters correctly to admin command expectations
  • Integration tests --stop-after option cleanup and remove redundant ADMIN_PASSWORD variable
  • Ruff configuration in pyproject.toml
  • TOML parsing error in pyproject.toml for Redis dependency groups configuration
  • Status code parameter added to all AdminAPIError exceptions
  • Integration tests updated to expect AdminAPIError instead of HTTPStatusError
  • Mock response objects in unit tests to include status_code attribute

Dependencies

  • Update starlette to 0.47.2
  • Update fastapi to 0.116.1
  • Update fastapi-testing to 0.3.1
  • Update uvicorn to 0.35.0
  • Update httpx to 0.28.1
  • Update fluent/fluentd Docker tag to v1.18
  • Update Python to 3.13.5 (development environments)
  • Update GitHub Actions to v6

Modern Architecture

  • AuthlyResourceManager with mode-adaptive configuration (PRODUCTION, EMBEDDED, CLI, TESTING)
  • Dependency injection pattern replacing singleton database connections
  • psycopg-toolkit Database integration with comprehensive lifecycle management
  • Mode-optimized configurations for different deployment contexts

🐛 Key Fixes

  • Resolved async call issues in Authly CLI login command
  • Fixed parameter validation for client creation
  • Corrected GitHub Actions pipeline configurations
  • Addressed Python linter issues throughout codebase
  • Fixed integration test cleanup and error handling
  • Fixed TOML parsing for Redis dependency groups configuration in pyproject.toml

Release v0.5.0

12 Jul 21:44

OIDC Session Management & Security Enhancements

🚀 Major Features

OIDC Specification Compliance

  • Complete OIDC Session Management 1.0 implementation with browser-based logout flows
  • OIDC Core 1.0 standard claims support for profile, phone, and address scopes
  • Cross-client session coordination and front-channel logout
  • Enhanced ID token generation with intelligent claim population

Security Enhancements

  • Mandatory password changes for admin users on first login
  • Secure admin bootstrap with generated passwords (removes default Admin123!)
  • Development mode option for CI/CD and local development workflows

Configuration Management

  • Centralized configuration system with environment variable support
  • Configurable security parameters (rate limiting, key sizes, token lengths)
  • Operational parameters (URLs, timeouts, field limits, pagination)
  • Dynamic validation models based on configuration

Tooling Modernization

  • Migrated from Poetry to UV package manager for faster builds
  • PEP 621 compliance with modern Python packaging standards
  • Consolidated linting with ruff replacing flake8, black, and isort
  • Performance improvements and modern Python 3.11+ targeting

Infrastructure

  • Reorganized Docker infrastructure with production-ready configuration
  • SSL certificate generation scripts for development
  • Updated monitoring and logging configuration

🧪 Testing & Quality

  • Comprehensive OIDC test suites (1,450+ lines of new tests)
  • OIDC compliance verification and flow validation
  • Complete test coverage for security features

💥 Breaking Changes

  • Admin bootstrap now requires password change on first login
  • Poetry workflows must be replaced with UV commands
  • Docker volume mount paths have changed

📊 Statistics

  • 26 commits with 10 major features
  • Complete OIDC Session Management 1.0 specification implementation
  • Enhanced security posture and configuration flexibility

Release of v0.2.0

10 Jul 19:38

Authly v0.2.0 - OAuth 2.1 Authorization Server with OpenID Connect

Overview

We're pleased to announce Authly v0.2.0, which adds OpenID Connect 1.0 support to our OAuth 2.1 authorization server. This release achieves 156 of 163 tests passing (95.7% success rate).

OAuth 2.1 & OpenID Connect Features

  • OAuth 2.1 Authorization Server - Authorization code flow with PKCE, token introspection, revocation support
  • OpenID Connect Core - ID token generation, UserInfo endpoint, Discovery endpoint, JWKS endpoint
  • Security Implementation - PKCE mandatory for all flows, secure session handling, CSRF protection
  • Standard Scopes - Full support for openid, profile, email scopes with appropriate claim mappings

Architecture & Implementation

  • Unified Service - Single python -m authly command for all operations
  • Modular Design - Clean separation between OAuth and OIDC components
  • Database Backend - PostgreSQL with proper transaction handling
  • Development Mode - Embedded PostgreSQL option for local development
  • API Design - RESTful admin API for client management
  • Test Coverage - 163 comprehensive tests covering OAuth and OIDC flows

Technical Implementation

  • ID Token Signing - JWT tokens with HS256 algorithm
  • Token Management - Access tokens, refresh tokens, authorization codes
  • Client Types - Support for public and confidential clients
  • Discovery Metadata - Auto-generated .well-known/openid-configuration
  • JWKS Endpoint - Public key distribution for token verification
  • UserInfo Claims - Standard claims including sub, name, email, picture

Documentation

  • Getting Started - Quick setup and basic OAuth/OIDC flows
  • API Reference - Complete endpoint documentation
  • Configuration Guide - Server and client configuration options
  • Integration Examples - Sample code for common scenarios
  • Security Guide - Best practices and implementation notes

Installation and Setup

# Install
pip install authly==0.2.0

# Development with embedded PostgreSQL
python -m authly serve --embedded

# Production deployment
python -m authly serve

# Create OAuth/OIDC client
python -m authly admin client create \
  --name "My Application" \
  --type confidential \
  --scope "openid profile email" \
  --redirect-uri "https://app.example.com/callback"

Configuration Example

# Client configuration for OIDC
{
    "client_id": "generated-client-id",
    "client_secret": "generated-secret",
    "client_type": "confidential",
    "redirect_uris": ["https://app.example.com/callback"],
    "scope": "openid profile email",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_basic"
}

Current Limitations

  • ID tokens use HS256 (RS256 planned for next release); with a symmetric algorithm the JWKS endpoint cannot be used to verify them, so every relying party has to hold the shared signing secret
  • UserInfo endpoint returns standard claims only
  • No dynamic client registration
  • Refresh token rotation not yet implemented

Metrics

  • Test Suite: 163 tests (156 passing, 7 pending)
  • Code Coverage: 85% for core flows
  • Endpoints: 12 OAuth + 4 OIDC endpoints
  • Response Time: <100ms for token generation
  • Database: PostgreSQL 12+ required

Release v0.1.4

15 Feb 17:08

Features:

  • Added VS Code settings.json with Python path and test configuration
  • Added bcrypt password hashing documentation and terminal usage guide
  • Added comprehensive test suite for password hash verification

Improvements:

  • Upgraded fastapi-testing from 0.1.1 to 0.2.0
  • Migrated all test fixtures to use AsyncTestServer for better async support
  • Renamed test files for better clarity:
    • test_auth.py → test_auth_api.py
    • test_users.py → test_users_api.py

Bug Fixes:

  • Removed deprecated Pydantic Config class from token models
  • Removed redundant JSON schema examples from token models
  • Fixed version constraint for fastapi-testing dependency

This release focuses on improving the developer experience with better VS Code integration, comprehensive password hashing documentation, and modernized async testing infrastructure.