| | Release 3.2.0 | | | | | Done | Jun 30, 2022 | Jun 30, 2022 | | |
| | Stricter-then-standard parameter checking | | | | | Won't Do | May 30, 2022 | May 31, 2022 | | |
| | PROTOCOL_MESSAGE.OAUTH2 log appender to trace all the exchanged protocol messages | | | | | Done | May 30, 2022 | Jun 28, 2022 | | |
| | Support manipulating claims encoded inside authz code and tokens | | | | | Done | May 27, 2022 | Jun 17, 2022 | | |
| | IDTokenLifetime property misspelled in metadata-backed wiring | | | | | Fixed | May 20, 2022 | May 20, 2022 | | |
| | SAML Metadata for OIDC does not support space delimiter in response_types | | | | | Fixed | May 19, 2022 | Jun 21, 2022 | | |
| | Release 3.1.2 | | | | | Completed | May 17, 2022 | May 17, 2022 | | |
| | Support to manipulate claims within the ID_Token | | | | | Done | May 10, 2022 | Jun 10, 2022 | | |
| | Introspection and revocation endpoint authentication failing with private_key_jwt | | | | | Fixed | May 2, 2022 | May 17, 2022 | | |
| | TokenDeliveryClaimsClaimsSet class seems unneeded | | | | | Done | Apr 27, 2022 | Jun 14, 2022 | | |
| | Releasing IAT, EXP and NBF claims from the UserInfo endpoint | | | | | Won't Do | Apr 22, 2022 | Apr 26, 2022 | | |
| | Support OAuth 2.0 Authorization Server Issuer Identification as per RFC9207 | | | | | Completed | Apr 22, 2022 | Jun 15, 2022 | | |
| | OIDC Access token using RFC 9068 "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" on Authorization Code Flow with PKCE | | | | | Duplicate | Apr 22, 2022 | Apr 22, 2022 | | |
| | support C_HASH in ID_Token also for Authorization Code Flow with PKCE | | | | | Answered | Apr 22, 2022 | Jun 15, 2022 | | |
| | Still unable to request a claim to be placed in the ID_token | | | | | Fixed | Apr 22, 2022 | May 17, 2022 | | |
| | Release 3.1.1 | | | | | Completed | Apr 21, 2022 | Apr 26, 2022 | | |
| | Missing oauth2-authn-config.xml breaks on Windows | | | | | Fixed | Apr 20, 2022 | May 16, 2022 | | |
| | Windows compatibility in spring inport | | | | | Duplicate | Apr 20, 2022 | Apr 20, 2022 | | |
| | Support for refresh token rotation | | | | | Done | Apr 19, 2022 | Jun 30, 2022 | | |
| | Public clients are not able to access the token endpoint | | | | | Fixed | Apr 18, 2022 | May 16, 2022 | | |
| | Revocation of individual tokens | | | | | Done | Apr 15, 2022 | Jun 30, 2022 | | |
| | Inbound and outbound interceptor flows are not wired to the OIDC flows | | | | | Fixed | Apr 11, 2022 | Apr 15, 2022 | | |
| | Honoring semantics for forceAuthn flag in the same manner as SAML | | | | | Fixed | Apr 7, 2022 | Apr 15, 2022 | | |
| | Hashed IdP Session ID audit log token for OIDC | | | | | Fixed | Apr 2, 2022 | Apr 15, 2022 | | |
| | Facilitate login_hint sanitization | | | | | Done | Mar 31, 2022 | Apr 15, 2022 | | |
| | OIDC SSO happens even with different ACR | | | | | Invalid | Mar 18, 2022 | Mar 25, 2022 | | |
| | Admin flow to read/delete client registrations | | | | | Done | Mar 17, 2022 | Apr 15, 2022 | | |
| | Dyn.reg. profile config setting secretExpirationPeriod is not honored | | | | | Fixed | Mar 17, 2022 | Apr 15, 2022 | | |
| | Profile config flag refreshTokensEnabled not honored by the token flow | | | | | Fixed | Mar 17, 2022 | Apr 15, 2022 | | |
| | Extension of well-known configuration | | | | | Done | Mar 14, 2022 | Apr 15, 2022 | | |
| | Claims-parameter in the authn request only affects attribute filtering | | | | | Fixed | Mar 11, 2022 | Apr 15, 2022 | | |
| | Wrong JSONObject type when decoding claims from Signed JAR Authentication request | | | | | Fixed | Mar 9, 2022 | Apr 15, 2022 | | |
| | Facilitate custom response header settings (e.g. CORS) | | | | | Completed | Feb 18, 2022 | Apr 15, 2022 | | |
| | Logging ID for flows is defined globally instead of per-flow. | | | | | Fixed | Jan 31, 2022 | Apr 15, 2022 | | |
| | Release 3.0.4 | | | | | Done | Jan 31, 2022 | Feb 1, 2022 | | |
| | Support for requests by reference is unconstrained | | | | | Fixed | Jan 28, 2022 | Jan 31, 2022 | | |
| | Expand the set of supported claims in dynamic client registration | | | | | Done | Jan 14, 2022 | Apr 15, 2022 | | |
| | Lack of openid scope in metadata doesn't prevent id_token issuance | | | | | Fixed | Jan 5, 2022 | Apr 15, 2022 | | |
| | Scope handling changes to accomodate client_credentials grant | | | | | Done | Jan 4, 2022 | Apr 15, 2022 | | |
| | Release 3.0.3 | | | | | Done | Jan 3, 2022 | Feb 1, 2022 | | |
| | Request object (JWT) validation is incomplete | | | | | Fixed | Dec 30, 2021 | Mar 17, 2022 | | |
| | Introspection and revocation flows don't support SAML metadata | | | | | Fixed | Dec 22, 2021 | Mar 17, 2022 | | |
| | JWT client authentication support is incomplete | | | | | Fixed | Dec 20, 2021 | Mar 17, 2022 | | |
| | Refactor client authentication on OAuth2 endpoints into a login flow | | | | | Done | Dec 14, 2021 | Apr 15, 2022 | | |
| | Missing required PKCE code challenges should raise an error in the authorization endpoint | | | | | Fixed | Dec 10, 2021 | Apr 15, 2022 | | |
| | Profile config for bypassing attribute resolution not honored | | | | | Done | Dec 9, 2021 | Apr 15, 2022 | | |
| | Support metadata policies in the dyn. reg. profile configuration | | | | | Completed | Dec 3, 2021 | Apr 15, 2022 | | |
| | Remove assumption that configuration skeleton is a file resource | | | | | Done | Nov 30, 2021 | Apr 15, 2022 | | |
| | kid missing from id_token header after upgrading from extension | | | | | Invalid | Nov 1, 2021 | Nov 2, 2021 | | |
| | Make default audit extractors accessible in audit.xml | | | | | Fixed | Sep 24, 2021 | Apr 15, 2022 | | |
