CHANGELOG

v3.0.0 (2026-05-21)

Bug Fixes
- jwks-cache: Convert aio clear_*_cache helpers to async (06e4236)

Breaking Changes
- jwks-cache: Callers of `py_identity_model.aio.token_validation`'s `clear_discovery_cache` and `clear_jwks_cache` must now `await` them. The sync mirrors in `py_identity_model.sync.token_validation` are unchanged.

v2.19.14 (2026-05-21)

Bug Fixes
- jwks-cache: Use monotonic clock and capture request_time inside fetch lock (d00dcb3)
- tests: Backdate cached_at via time.monotonic for stale-entry test (c724a93)

v2.19.13 (2026-05-17)

Bug Fixes
- tests: Unblock CI — Ory 429 in fixture + per-URI lock test flake (c476753)

v2.19.12 (2026-05-17)

Bug Fixes
- jwks-cache: Cap DoS amplification, clamp env config, bound cache size (d9dfde2)
- jwks-cache: Close second-review findings on cooldown lifecycle (616f5d7)
- jwks-cache: Invalidate stale entry on uncacheable refresh and reject empty keys (86b5d12)
- jwks-cache: Respect HTTP cache headers for no-store, no-cache, and failed responses (e54d503)
- jwks-cache: Use per-URI lock striping so distinct issuers fetch in parallel (c6cf4d5)
- token-validation: Harden kid-miss refresh path with diagnostic, fixed test priming, and negative regression (df9c881)
- token-validation: Refresh JWKS on cached kid miss (4f02bfc)

Build System
- conformance: Wait for app-level readiness in conformance-up (b901cea)

Testing
- integration: Skip caching benchmarks when provider sends no-store/no-cache (bf22ae6)
- token-validation: Pin kid-miss stampede protection (3dd72d7)

v2.19.11 (2026-04-19)

Bug Fixes
- security: Prevent cache stampede on TTL expiry (58026c4)
- security: Prevent redundant sequential fetches in _refresh_jwks (0283782)
- security: Reject JWKS responses with missing Content-Type (19bc96a)

Testing
- security: Add _refresh_jwks freshness guard coverage (7a570f1)

v2.19.10 (2026-04-19)

Bug Fixes
- security: Address review findings for require_https wiring (dde0341)
- security: Wire require_https through to DiscoveryPolicy (372e20e)

Testing
- security: Add require_https wiring tests for token validation (28f2b8a)

v2.19.9 (2026-04-18)

Bug Fixes
- Use deepcopy to prevent mutable list field leakage in deprecated function (84c73f2)
- security: Add JWKS max key count limit and KeyError guard (ba97325)
- security: Address review findings for JWKS key count limit (a69c477)
- security: Deprecate get_public_key_from_jwk to prevent cached key mutation (d74be8e)
- security: Log warning on malformed Content-Length header (4691f06)

Testing
- security: Add key count limit and KeyError guard tests (312a797)
- security: Add tests for cached key mutation prevention (c7fd2c0)

v2.19.8 (2026-04-13)

Bug Fixes
- conformance: Fix 7 CodeQL alerts in harness — stack traces and sensitive logging (9f09a55)
- conformance: Remove token logging and --show-token flag (4728e4b)

v2.19.7 (2026-04-13)

Bug Fixes
- security: Add JWKS size limit and fix async cleanup lock race (da859e3)
- security: Enforce key type / algorithm consistency to prevent algorithm confusion (d02d523)

v2.19.6 (2026-04-13)

Bug Fixes
- security: Auto-trust discovery URL authority for endpoint validation (2f173ec)
- security: HTTP hardening — disable redirects, enforce HTTPS, validate JWKS Content-Type, derive endpoint authority from issuer (93f7ce5)
- security: Thread discovery_policy through validate_token for endpoint authority control (95124ca)

v2.19.5 (2026-04-13)

Bug Fixes
- jwt: Block options pass-through from disabling signature verification (0378f19)

Continuous Integration
- Remove pre-push hook from pre-commit config (8e212b8)

Documentation
- Update CLAUDE.md to reflect pre-push hook removal (65f82f2)

v2.19.4 (2026-04-13)

Bug Fixes
- cache: Overhaul caching — TTL-based discovery, remove JWT/PyJWK caches (8d84620)
- conformance: Update cache clearing to use clear_discovery_cache() (7042913)

v2.19.3 (2026-04-12)

Bug Fixes
- conformance: Make UserInfo sub mismatch fatal and display claims (47a86ed)

v2.19.2 (2026-04-12)

Bug Fixes
- conformance: Add cert-init service for SSL cert sharing (#343) (#343, 928e9ad)
- conformance: Add SAN extension and nginx dependency to cert-init (#343) (#343, 5ccc88d)
- conformance: Allow config-rp to continue on known signing-key-rotation timeout (#343) (#343, dff76bc)
- conformance: Clear discovery and JWKS caches between test modules (#343) (#343, 924e39f)

v2.19.1 (2026-04-12)

Bug Fixes

Chores
- Sync uv.lock with 2.19.0 (52ff89b)

v2.19.0 (2026-04-12)

v2.18.1 (2026-04-10)

Bug Fixes

Continuous Integration

v2.18.0 (2026-04-10)

Features

v2.17.4 (2026-04-07)

Bug Fixes
- userinfo: Add sub claim mismatch validation per OIDC Core 5.3.4 (e97555c)

v2.17.3 (2026-04-07)

Bug Fixes
- parsers: Handle missing kid in JWT header per OIDC Core Section 10.1 (fbd6d1e)

v2.17.2 (2026-04-05)

Bug Fixes

v2.17.1 (2026-03-30)

Bug Fixes
- ci: Add git identity config to uv.lock sync step in release workflow (5167464)

v2.17.0 (2026-03-30)

Refactoring

v2.16.0 (2026-03-30)

v2.15.0 (2026-03-30)

v2.14.0 (2026-03-30)

v2.13.0 (2026-03-30)

v2.12.0 (2026-03-30)

v2.11.0 (2026-03-30)

Features

v2.10.0 (2026-03-30)

Features

v2.9.0 (2026-03-30)

Features

v2.8.0 (2026-03-30)

v2.7.0 (2026-03-30)

Features

v2.6.0 (2026-03-30)

Features

v2.5.0 (2026-03-30)

Features

v2.4.1 (2026-03-30)

Bug Fixes
- ci: Remove tracked worktree directory breaking CI checkout (4fbaa7e)

v2.4.0 (2026-03-30)

Features

v2.3.0 (2026-03-30)

Bug Fixes
- authorize: Address code review and security findings (1976416)
- authorize: Guard against None inputs in callback parsing and state validation (2e696c5)
- authorize: Make state accessible on error responses per RFC 6749 (1a77957)
- test: Make authorization_endpoint HTTPS assertion conditional on require_https (2cd2801)

Chores
- Auto-commit before merge (loop primary) (7e42771)
- Exclude `__init__.py` from SonarCloud duplication analysis (7886657)
- deps: Automated dependency update (244735d)
- deps: Automated dependency update (b0ed1fe)
- deps: Automated dependency update (104cb62)

Continuous Integration
- Add pull_request trigger to build workflow (30399f9)

Documentation
- authorize: Add API docs for callback response and state validation (41b63b6)
- authorize: Add authorization callback usage examples (530cec6)

Features
- authorize: Add AuthorizeCallbackResponse model and parser (4d8351f)
- authorize: Add state parameter validation (2f4f826)
- authorize: Export callback response and state validation API (6c3ddd9)
- exceptions: Add AuthorizeCallbackException (4804ae2)

Refactoring
- test: Reduce code duplication in authorize callback tests (76dfc6c)

Testing
- Add coverage for review fix findings (e4a396a)
- authorize: Add integration tests for callback parsing and state validation (02a9f94)
- authorize: Add unit tests for callback response and state validation (1b83e10)

v2.2.0 (2026-03-14)

Features

v2.1.5 (2026-03-10)

Bug Fixes

v2.1.4 (2026-02-24)

Bug Fixes

v2.1.3 (2026-02-24)

Bug Fixes

v2.1.2 (2026-02-24)

Bug Fixes

v2.1.1 (2026-02-24)

Bug Fixes

v2.1.0 (2026-02-18)

Build System

Features
- userinfo: Add OpenID Connect UserInfo endpoint support (9e35dce)

v2.0.0 (2026-01-29)

v2.0.0-rc.1 (2026-01-17)

Bug Fixes
- Add retry logic to token client endpoint (8ec1cc6)
- Add thread-safe SSL certificate backward compatibility for httpx (55b8fe4)
- Address high priority issues from PR #108 code review (15ccf1d)
- Centralize HTTP default constants and improve content-type handling (0989b59)
- Export to_principal in root `__init__.py` (6443dec)
- Optimize token validation with multi-layer caching (e42dbb4)
- Reduce code duplication and improve test coverage (3de5c0a)
- Remove private reset functions from public `__all__` exports (a9bf2ef)

Chores
- Remove implementation plan before PR merge (5ea55b4)

Continuous Integration
- Trigger prerelease on PR events with auto-versioning (bbd1fc7)
- Unify release workflow with workflow_dispatch for prereleases (735690c)

Documentation
- Add httpx performance note to cached functions (05d969e)
- Add Phase 8 architecture improvements to roadmap (abe7397)
- Complete Phase 5 documentation and examples (306e99f)

Features
- Add async support and modular architecture (55af9f3)
- Add retry logic with exponential backoff for rate limiting (ef667e0)
- Add SSL certificate backward compatibility and fix Docker examples (808b16c)
- Complete async optimizations and add coverage reporting (155d682)
- Complete async support and add SonarCloud integration (70f5031)
- Optimize integration tests with session-scoped fixtures (c01b691)

Performance Improvements
- Add httpx connection pooling for sync HTTP requests (54952ee)
- Add parallel test execution to all test commands (7496d72)
- Add public key caching to async token validation (c34fbd3)
- Add selective parallel test execution to avoid rate limiting (7b88001)

Refactoring
- Eliminate code duplication with shared response processors (5c023c6)
- Extract common token validation logic to reduce duplication (b28779b)
- Fix Sonar code quality issues (d52a03f)
- Reduce code duplication by extracting shared logic (ea66a42)
- Reduce cognitive complexity and eliminate string duplication (452ea1a)

Testing
- Add cache validation tests and restore benchmark threshold (3c5de99)
- Add comprehensive coverage for parsers module (d1645f4)
- Update network error test to handle both error types (41743e5)

v1.2.0 (2025-11-08)

Features
- Async/Await Support - Full asynchronous API via `py_identity_model.aio` module
  - Async versions of all client methods (discovery, JWKS, token validation, token client)
  - Async caching with `async-lru` for discovery and JWKS
  - Full backward compatibility maintained (sync API unchanged)
  - Comprehensive async test suite (10 new async tests)
  - Examples for both FastAPI and concurrent operations
- Modular Architecture - Clean separation between HTTP layer and business logic
  - Extracted shared business logic to `core/` module
  - Eliminated code duplication between sync/async implementations
  - Major code reduction: sync/jwks.py (390→78 lines), sync/discovery.py (378→246 lines)
  - All 146 tests passing with zero regressions
- HTTP Client Migration - Migrated from `requests` to `httpx`
  - Single library supporting both sync and async operations
  - Configurable timeouts (30s default on all HTTP calls)
  - Automatic connection pooling
- Add comprehensive logging and exception handling (#107, 98f88d6)

Documentation
- Consolidate documentation into mkdocs instead of Wiki (#99, 71f5fcb)
- Add comprehensive async examples and architecture documentation
- Update roadmap to reflect completed features

v1.1.1 (2025-10-21)

Bug Fixes
- docs: Remove awesome-pages plugin to fix navigation (95904d7)

Documentation

v1.1.0 (2025-10-21)

Chores

Features

v1.0.0 (2025-05-31)

v1.0.0-rc.1 (2025-05-31)

Chores
- Adds release automation (bd882e3)
- Adds release automation (1d0ebad)
- Adds release automation (d2f22cc)
- Fixes makefile (34096c3)
- Fixes makefile (b2ace65)
- Fixes workflow (cb2003b)
- Fixes workflow (ce5ed88)
- Fixes workflow (0e73021)

Features
- Adds automated versioning (c4f9846)
- Adds automated versioning (05549ab)
- Cleans up workflow files (425ed08)
- Cleans up workflow files (b612011)
- Cleans up workflow files (f906d8c)
- Cleans up workflow files (6febcbe)
- Cleans up workflow files (38bff6f)
- Cleans up workflow files (30451ec)
- Moves from poetry to uv (33cac19)
- Moves from poetry to uv (1d5920e)

v0.11.4 (2024-06-20)
- Initial Release