diff --git a/docs/self-hosted/oel/keto/changelog/v26.2.15.md b/docs/self-hosted/oel/keto/changelog/v26.2.15.md new file mode 100644 index 000000000..eb08cbe93 --- /dev/null +++ b/docs/self-hosted/oel/keto/changelog/v26.2.15.md @@ -0,0 +1 @@ +No changelog entries found for keto/oel in versions v26.2.15 diff --git a/docs/self-hosted/oel/keto/changelog/v26.2.16.md b/docs/self-hosted/oel/keto/changelog/v26.2.16.md new file mode 100644 index 000000000..b14cd0a3a --- /dev/null +++ b/docs/self-hosted/oel/keto/changelog/v26.2.16.md @@ -0,0 +1 @@ +No changelog entries found for keto/oel in versions v26.2.16 diff --git a/docs/self-hosted/oel/kratos/changelog/v26.2.15.md b/docs/self-hosted/oel/kratos/changelog/v26.2.15.md new file mode 100644 index 000000000..c3b589d57 --- /dev/null +++ b/docs/self-hosted/oel/kratos/changelog/v26.2.15.md @@ -0,0 +1,20 @@ +## v26.2.15 + +### Block invisible-character duplicate accounts + +Hidden characters in an email or username — zero-width spaces, joiners, soft hyphens, the byte-order mark, and similar invisibles +— are now removed before the identifier is stored. This stops someone from registering a second account that looks identical to an +existing one but is treated as different. Identifiers are also case- and width-normalized, so `ALICE@example.com` and +`alice@example.com` are the same account. + +International identifiers keep working: Hebrew, Arabic, and emoji are all accepted. Characters that merely look alike across +scripts — such as the Cyrillic “а” and the Latin “a” — are kept distinct and do not collide. + +### Fix SCIM Group attribute filtering returning HTTP 500 + +`GET /scim/{client}/v2/Groups/{id}?attributes=...` and `GET /scim/{client}/v2/Groups?attributes=...` now return the requested +attributes correctly. Previously, any `attributes=` value on a Group endpoint caused a server-side panic that surfaced as HTTP 500 +with an internal stack trace in the response body. + +The `excludedAttributes=` form on Group endpoints, and all attribute filtering on User endpoints, were unaffected and continue to +work as before. diff --git a/docs/self-hosted/oel/kratos/changelog/v26.2.16.md b/docs/self-hosted/oel/kratos/changelog/v26.2.16.md new file mode 100644 index 000000000..82dfd88f7 --- /dev/null +++ b/docs/self-hosted/oel/kratos/changelog/v26.2.16.md @@ -0,0 +1,17 @@ +## v26.2.16 + +### SCIM accepts schema-qualified attribute paths in PATCH and filters + +SCIM endpoints now accept attribute paths and filters that are qualified with a full schema URN, as some identity providers (for +example Microsoft Entra) send. + +Previously a `PATCH` operation whose `path` was qualified with a schema URN — for example +`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager` — failed with `Could not decode request body`. Those paths +now parse and apply correctly. The same applies to `filter` query parameters on the `Users` and `Groups` list endpoints and to +value-path filters inside a patch path. + +A patch path or filter qualified with a schema the resource does not support is now rejected with a clear `400` error that names +the schema. The schema comparison is case-insensitive. + +SCIM request bodies and `filter` query parameters are now size-limited; an oversized body is rejected with `413` instead of being +read in full, and an over-long filter with `400`. diff --git a/docs/self-hosted/oel/oathkeeper/changelog/v26.2.15.md b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.15.md new file mode 100644 index 000000000..548619ed6 --- /dev/null +++ b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.15.md @@ -0,0 +1 @@ +No changelog entries found for oathkeeper/oel in versions v26.2.15 diff --git a/docs/self-hosted/oel/oathkeeper/changelog/v26.2.16.md b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.16.md new file mode 100644 index 000000000..9506a2c23 --- /dev/null +++ b/docs/self-hosted/oel/oathkeeper/changelog/v26.2.16.md @@ -0,0 +1 @@ +No changelog entries found for oathkeeper/oel in versions v26.2.16 diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.15.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.15.md new file mode 100644 index 000000000..5b5398af4 --- /dev/null +++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.15.md @@ -0,0 +1 @@ +No changelog entries found for hydra/oel in versions v26.2.15 diff --git a/docs/self-hosted/oel/oauth2/changelog/v26.2.16.md b/docs/self-hosted/oel/oauth2/changelog/v26.2.16.md new file mode 100644 index 000000000..627a66342 --- /dev/null +++ b/docs/self-hosted/oel/oauth2/changelog/v26.2.16.md @@ -0,0 +1,9 @@ +## v26.2.16 + +### Accept the OpenID Connect `prompt=select_account` value + +OAuth 2.0 authorization requests that include `prompt=select_account` are now accepted instead of being rejected with an +`invalid_request` error. This brings support for all OpenID Connect `prompt` values defined in the specification. + +Because a login session is tied to a single account, `select_account` is treated like `login`: the user is always sent to the +login screen, where they can authenticate with the account of their choice. diff --git a/docs/self-hosted/oel/oel-hydra-image-tags.md b/docs/self-hosted/oel/oel-hydra-image-tags.md index 567a773c7..631d837cb 100644 --- a/docs/self-hosted/oel/oel-hydra-image-tags.md +++ b/docs/self-hosted/oel/oel-hydra-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.16 | 2026-06-05 | +| 26.2.15 | 2026-06-02 | | 26.2.14 | 2026-05-29 | | 26.2.13 | 2026-05-22 | | 26.2.12 | 2026-05-20 | diff --git a/docs/self-hosted/oel/oel-keto-image-tags.md b/docs/self-hosted/oel/oel-keto-image-tags.md index bd3de7579..69a17a981 100644 --- a/docs/self-hosted/oel/oel-keto-image-tags.md +++ b/docs/self-hosted/oel/oel-keto-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.16 | 2026-06-05 | +| 26.2.15 | 2026-06-02 | | 26.2.14 | 2026-05-29 | | 26.2.13 | 2026-05-22 | | 26.2.12 | 2026-05-20 | diff --git a/docs/self-hosted/oel/oel-kratos-image-tags.md b/docs/self-hosted/oel/oel-kratos-image-tags.md index 7818c2bd8..566cac32b 100644 --- a/docs/self-hosted/oel/oel-kratos-image-tags.md +++ b/docs/self-hosted/oel/oel-kratos-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.16 | 2026-06-05 | +| 26.2.15 | 2026-06-02 | | 26.2.14 | 2026-05-29 | | 26.2.13 | 2026-05-22 | | 26.2.12 | 2026-05-20 | diff --git a/docs/self-hosted/oel/oel-oathkeeper-image-tags.md b/docs/self-hosted/oel/oel-oathkeeper-image-tags.md index 44ebd7bad..831912cb2 100644 --- a/docs/self-hosted/oel/oel-oathkeeper-image-tags.md +++ b/docs/self-hosted/oel/oel-oathkeeper-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.16 | 2026-06-05 | +| 26.2.15 | 2026-06-02 | | 26.2.14 | 2026-05-29 | | 26.2.13 | 2026-05-22 | | 26.2.12 | 2026-05-20 | diff --git a/docs/self-hosted/oel/oel-polis-image-tags.md b/docs/self-hosted/oel/oel-polis-image-tags.md index d830229bb..aa8be649e 100644 --- a/docs/self-hosted/oel/oel-polis-image-tags.md +++ b/docs/self-hosted/oel/oel-polis-image-tags.md @@ -1,5 +1,7 @@ | Image Tag | Release Date | | ---------------------------------------- | ------------ | +| 26.2.16 | 2026-06-05 | +| 26.2.15 | 2026-06-02 | | 26.2.14 | 2026-05-29 | | 26.2.13 | 2026-05-22 | | 26.2.12 | 2026-05-20 | diff --git a/docs/self-hosted/oel/polis/changelog/v26.2.15.md b/docs/self-hosted/oel/polis/changelog/v26.2.15.md new file mode 100644 index 000000000..f39d6ed08 --- /dev/null +++ b/docs/self-hosted/oel/polis/changelog/v26.2.15.md @@ -0,0 +1 @@ +No changelog entries found for polis/oel in versions v26.2.15 diff --git a/docs/self-hosted/oel/polis/changelog/v26.2.16.md b/docs/self-hosted/oel/polis/changelog/v26.2.16.md new file mode 100644 index 000000000..9368169bf --- /dev/null +++ b/docs/self-hosted/oel/polis/changelog/v26.2.16.md @@ -0,0 +1 @@ +No changelog entries found for polis/oel in versions v26.2.16