
Releases: leodip/goiabada

Release 1.5.0

09 Feb 00:02


New Features

OIDC prompt parameter support (#57)

Full implementation of the OIDC prompt parameter on the /auth/authorize endpoint:

  • prompt=none — Silent authentication. Returns an error if the user is not already authenticated or if consent is required, without displaying any UI.
  • prompt=login — Forces re-authentication even if the user has an active session.
  • prompt=consent — Forces the consent screen even if consent was previously granted.
  • Combinations — Values can be combined (e.g., prompt=login consent), except none which must be used alone.
  • Advertised in the /.well-known/openid-configuration discovery endpoint via prompt_values_supported.
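The prompt semantics listed above, worked through as an added Go example (not Goiabada's own code): ParsePrompt enforces the "none must be used alone" rule and Authorize decides whether to re-authenticate, show consent, issue tokens, or, for prompt=none, fail without UI. The authenticated/consentGranted inputs are stand-ins for the server's session and consent records, and the error codes are the OIDC Core ones for silent authentication (login_required, consent_required); the exact codes Goiabada emits are not stated on the page.

```go
package main

import (
	"fmt"
	"strings"
)

type PromptDecision struct {
	Silent       bool // prompt=none: never show UI
	ForceLogin   bool // prompt=login: re-authenticate even with an active session
	ForceConsent bool // prompt=consent: show consent even if previously granted
}

// ParsePrompt parses the space-separated prompt parameter: login and consent may be
// combined, none must stand alone, and any other value is rejected as invalid.
func ParsePrompt(raw string) (PromptDecision, error) {
	var d PromptDecision
	flags := map[string]*bool{"none": &d.Silent, "login": &d.ForceLogin, "consent": &d.ForceConsent}
	for _, v := range strings.Fields(raw) {
		p, ok := flags[v]
		if !ok {
			return PromptDecision{}, fmt.Errorf("invalid prompt value %q", v)
		}
		*p = true
	}
	if d.Silent && (d.ForceLogin || d.ForceConsent) {
		return PromptDecision{}, fmt.Errorf("prompt=none must be used alone")
	}
	return d, nil
}

// Authorize returns the next step ("authenticate", "consent", or "issue" for tokens) or,
// for prompt=none, the OIDC error code sent back to the client without showing any UI.
// authenticated and consentGranted stand in for the server's session and consent records.
func Authorize(d PromptDecision, authenticated, consentGranted bool) string {
	needLogin := !authenticated || d.ForceLogin
	needConsent := !consentGranted || d.ForceConsent
	switch {
	case d.Silent && needLogin:
		return "error:login_required"
	case d.Silent && needConsent:
		return "error:consent_required"
	case needLogin:
		return "authenticate"
	case needConsent:
		return "consent"
	}
	return "issue"
}
```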

Client logo management (#33)

Clients can now have a logo image displayed on authentication and consent screens:

  • Upload, view, and delete logos via the admin console (Logo tab in client settings) or the REST API.
  • Public endpoint GET /client/logo/{clientIdentifier} serves logos with ETag and Cache-Control headers for efficient caching.
  • Supported formats: JPEG, PNG, GIF, WebP. Max dimensions: 512x512. Max size: 3MB.

Client display settings

New fields on clients to control how they appear to users during authentication:

  • displayName — A human-friendly name shown instead of the client identifier. Falls back to the client identifier if empty.
  • description — A short description shown on auth/consent screens.
  • websiteURL — A link to the client's website, shown on the consent screen.
  • Visibility toggles: showLogo, showDisplayName, showDescription and showWebsiteURL control which elements are visible on auth screens.
  • Display name can be set during client creation (admin console and API).

System-level entity editing

System-level clients (admin-console-client) and resources (authserver) can now be edited with targeted immutability guards:

  • Identifiers are protected — cannot be renamed.
  • Deletion is blocked — system-level entities cannot be removed.
  • All other settings are editable — description, display name, redirect URIs, permissions, etc.
  • Built-in permission identifiers on the authserver resource (userinfo, manage-account, manage, admin-read, manage-users, manage-clients, manage-settings) cannot be renamed or deleted, but new permissions can be added.

Improvements

  • Dockerfile reliability: curl commands for downloading yq and Tailwind CLI now include --retry options for more resilient builds.
  • Dependency updates — Go module dependencies updated across all three modules (core, authserver, adminconsole). Test integration app dependencies updated.

Database Migrations

Four new migrations are included (applied automatically on startup):

Migration   Description
000014      Add client_logos table
000015      Fix DATETIME2 precision on MSSQL (MSSQL only)
000016      Add website_url column to clients
000017      Add display_name and description columns to clients; add show_logo, show_display_name, show_description, show_website_url columns

No breaking changes

Update to v1.5.0 using your preferred deployment method (Docker images or native binaries). Database migrations will run automatically on first startup.

Release 1.4.4

04 Feb 11:07


New Features

OIDC Claims in ID Tokens - Configurable Behavior (#56)

Added controls for including OpenID Connect scope claims (email, profile, phone, address) in ID tokens:

  • New global setting: IncludeOpenIDConnectClaimsInIdToken (default: enabled)
  • Per-client override available (default/on/off)
  • Claims remain available via /userinfo endpoint regardless of setting
  • Default behavior matches industry standards (Auth0, Microsoft, Keycloak)
  • For strict OIDC Core 5.4 conformance, claims can now be restricted to /userinfo only

Use case: Organizations requiring strict OIDC conformance or wanting to minimize ID token size can now disable scope claims in ID tokens while maintaining full claim access via the userinfo endpoint.

Improvements

  • Developer Experience: Added make format target to all modules for consistent code formatting
  • Test Organization: Split monolithic test files into focused, maintainable modules:
    • authorize_test.go (5,597 lines) → 5 focused test files
    • token_test.go (1,665 lines) → 7 focused test files

Changes

  • Applied consistent code formatting across entire codebase
  • Database migration 000013 adds new configuration columns (auto-applied on startup)

Breaking Changes

None - fully backward compatible.

Release 1.4.3

24 Jan 15:20


Added

  • Email verification code generation for users, including a new API endpoint (thanks @Joebeurg) #54
  • Timezone data generator based on IANA tzdata.
  • time/tzdata fallback import for systems lacking OS timezone data. #49

Changed

  • Documentation updates for profile picture and group attribute REST APIs.
  • Dependency updates across the project (including docs Astro/Starlight).

Removed

  • fix-ownership.sh script (no longer needed).

Release 1.4.2

08 Dec 18:41


Bug fixes

  • Fixed AuthContext preservation when session is invalidated (#46) - The authorization flow now correctly preserves the AuthContext when a user's session is invalidated mid-flow, preventing authentication failures.

Improvements

  • Replaced Mailhog with Mailpit in devcontainer and tests - Mailpit provides a more modern and actively maintained email testing solution.
  • Enhanced version management script - Refactored update-versions.sh with an interactive menu for better usability.
  • Added Node.js/npm to devcontainer - Enables npm package management for test integration apps.

Test integration apps

  • Updated react-vite demo app - Significant improvements including new TokenInspector component, AdminArea page, improved auth context, and better styling.
  • Updated go-webapp test application - Various improvements and updates.
  • Updated js-only (browser-based) test application - Improved OAuth2 browser-only integration example.

Dependencies

  • Updated dependencies across multiple Go modules and npm packages

Release 1.4.1

06 Dec 15:01


Multi-architecture docker images

#45

Docker images now support both linux/amd64 and linux/arm64 architectures. This enables native support for:

  • Intel/AMD x86_64 servers and PCs
  • ARM64 devices (Raspberry Pi 4/5, Orange Pi, AWS Graviton, Apple Silicon Macs)

No more platform mismatch warnings when running on ARM64 devices.

Thanks for reporting @sehogas

Release 1.4.0

29 Nov 20:55


New Features

  1. Granular API Scopes (#43) - Fine-grained admin authorization with new scopes for precise API access control instead of the single authserver:manage permission
  2. OAuth2 Implicit Flow - Configurable implicit flow support for legacy clients (response_type=token, id_token, id_token token). Disabled by default, can be enabled globally or per-client
  3. OAuth2 Resource Owner Password Credentials (ROPC) Flow - RFC 6749 Section 4.3 implementation for direct username/password authentication. Disabled by default, can be enabled globally or per-client
  4. User Profile Pictures (#18) - Upload/manage profile pictures with OIDC picture claim support:
    - Self-service and admin management
    - Public /userinfo/picture/{subject} endpoint
    - Client-side image cropping with Cropper.js
    - Server-side validation (PNG, JPEG, GIF; max 2MB; 64-2000px)
  5. Configurable PKCE - PKCE can now be configured globally or per-client (required/optional)
  6. Client Secret Basic Authentication - Support for client_secret_basic authentication method (Authorization header)
  7. POST Body Access Token for Userinfo - Support for access token in POST body per OIDC 5.3.1

Security Improvements

  1. Constant-time client secret comparison - Prevents timing attacks on client authentication
  2. Timing-safe user enumeration protection - DummyPasswordHash implementation prevents user enumeration via timing analysis
  3. Improved error handling for redirect URI parsing - Better validation in authorization flows

Bug Fixes & Compliance

  1. RFC 6749 compliant error responses - Detailed error codes and WWW-Authenticate headers for client authentication failures
  2. Refresh token scope compliance - Refresh tokens now match original scope per RFC 6749
  3. AMR claim format fix - Now correctly returns JSON array per OIDC Core 1.0 Section 2
  4. Session ACR/AMR step-up fix - Centralized ACR comparison logic for proper step-up authentication
  5. Removed typ claim from ID token - Satisfies OIDC conformance suite requirements
  6. auth_time handling - Properly set based on current authentication completion in implicit flow

Updated docs

Release 1.3.0

24 Nov 19:03


What's new in release v1.3.0

OpenAPI Specification

  • Added complete OpenAPI 3.0 specification accessible at {authserver-base-url}/openapi.yaml for automatic client generation and API testing tools integration

REST API Documentation

  • Complete REST API documentation with step-by-step setup instructions

Configuration simplification

  • Removed internal base URL configuration for admin console and streamlined environment variable documentation

⚠️ BREAKING CHANGE

This release includes a database schema change for permission management. The migration runs automatically on startup but requires a brief downtime:

  • Admin console permissions have been migrated from adminconsole resource to authserver resource
  • Migration 000005_move_adminconsole_permissions will execute automatically
  • Applies to all database types (MySQL, PostgreSQL, SQL Server, SQLite)
  • Recommendation: backup your database before upgrading!

The migration is backward-compatible and handles the transition automatically.

Release 1.2.1

23 Nov 20:50


What's new in v1.2.1?

  • goiabada-setup CLI tool: new interactive command line setup wizard to help users configure and deploy Goiabada with Docker Compose and Kubernetes. No more complicated two-staged bootstraps.
  • New documentation site: migrated from Mkdocs to Astro Starlight with improved UX
  • Updated dependency modernc.org/libc to v1.67.1
  • Improved GitHub Actions workflows with Go module caching for faster builds

Check out the new website! https://goiabada.dev

Release 1.2

20 Nov 13:22
7cff8c2


v1.2 introduces important architectural refactoring and enhancements.

Architecture improvements

  • Admin console refactoring: The admin console previously communicated with the database directly. In this release, it now communicates with the auth server using secure HTTP calls (OAuth2), ensuring only the auth server accesses the database directly. This separation of concerns improves security and scalability.

  • Enhanced session management: Introduced a new Chunked Cookie Store for improved HTTP session handling, enabling support for larger session data with automatic chunking and metadata management.

New features

  • Dynamic Client Registration (RFC 7591) #24. Added standards-compliant Dynamic Client Registration, allowing OAuth2 clients to self-register programmatically. Good for MCP servers and native applications. Thanks @katesclau for the suggestion!

  • 'nbf' (Not Before) claim #25. JWT tokens now include the nbf claim (defaulting to the same value as iat) for improved token validation and security. Thanks @Henelik for the suggestion!

Bug fixes

  • Session deletion handling #26. Fixed session deletion to properly trigger logout for current sessions, ensuring users are immediately logged out when their sessions are removed. Thanks @mur4s4m3 for reporting!

Maintenance

  • Dependency updates: Updated all dependencies to their latest versions, including Go 1.25.4, Tailwind CSS 4.1.12, DaisyUI 5.5.5, and PostgreSQL 18.3

⚠️ Breaking Changes - Migration from v1.1 to v1.2

Version 1.2 requires configuration changes for existing installations. Follow these migration steps carefully before upgrading.

Before upgrading to v1.2:

  • Backup your database (important for rollback if needed).
  • Plan for brief downtime. Users will be logged out during upgrade.
  • Prepare environment variable changes (detailed below).

Step-by-step migration guide

Step 1: generate session keys

Version 1.2 requires four new session keys (previously stored in the database). Generate them using OpenSSL:

    # Generate auth server authentication key (64 bytes = 128 hex characters)
    openssl rand -hex 64
    # Generate auth server encryption key (32 bytes = 64 hex characters)
    openssl rand -hex 32
    # Generate admin console authentication key (64 bytes = 128 hex characters)
    openssl rand -hex 64
    # Generate admin console encryption key (32 bytes = 64 hex characters)
    openssl rand -hex 32

Save these keys. You'll add them to your configuration in the next steps.

Step 2: retrieve admin console OAuth credentials

The admin console now authenticates to the auth server using OAuth2. You need to retrieve the OAuth client secret from your v1.1 installation.

To get the client secret:

  1. Log in to your v1.1 admin console (before upgrading)
  2. Navigate to Clients in the menu
  3. Find and click on the client named admin-console-client
  4. Go to the Authentication tab
  5. Copy the client secret and save it securely

Note: The client identifier is always "admin-console-client". You only need to copy the secret. Save this secret.

Step 3: update environment variables

Auth Server - add these variables

    # Session keys (generated in Step 1) - REQUIRED
    GOIABADA_AUTHSERVER_SESSION_AUTHENTICATION_KEY=<your-128-char-hex-key>
    GOIABADA_AUTHSERVER_SESSION_ENCRYPTION_KEY=<your-64-char-hex-key>
    # Internal base URL for container-to-container communication - REQUIRED
    GOIABADA_AUTHSERVER_INTERNALBASEURL=http://goiabada-authserver:9090
    # Optional but recommended for production
    GOIABADA_AUTHSERVER_RATELIMITER_ENABLED=true

Admin Console - add these variables

    # Session keys (generated in Step 1) - REQUIRED
    GOIABADA_ADMINCONSOLE_SESSION_AUTHENTICATION_KEY=<your-128-char-hex-key>
    GOIABADA_ADMINCONSOLE_SESSION_ENCRYPTION_KEY=<your-64-char-hex-key>
    # OAuth credentials (retrieved in Step 2) - REQUIRED
    GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_ID=admin-console-client
    GOIABADA_ADMINCONSOLE_OAUTH_CLIENT_SECRET=<your-client-secret>
    # Auth server internal URL - REQUIRED
    GOIABADA_AUTHSERVER_INTERNALBASEURL=http://goiabada-authserver:9090

Admin Console - remove these variables

The admin console no longer accesses the database. Remove these variables from your configuration:

    GOIABADA_ADMINCONSOLE_LOG_SQL
    GOIABADA_ADMINCONSOLE_AUDIT_LOGS_IN_CONSOLE
    GOIABADA_DB_TYPE
    GOIABADA_DB_USERNAME
    GOIABADA_DB_PASSWORD
    GOIABADA_DB_HOST
    GOIABADA_DB_PORT
    GOIABADA_DB_NAME
    GOIABADA_DB_DSN

Step 4: upgrade and verify

  1. Stop your current v1.1 deployment:
    docker-compose down
  2. Backup your database (if not already done)
  3. Pull the v1.2 images:
    docker-compose pull
  4. Start the services:
    docker-compose up -d
  5. Monitor the logs:
    # Watch auth server logs
    docker-compose logs -f goiabada-authserver
    # Watch admin console logs
    docker-compose logs -f goiabada-adminconsole
  6. Verify startup:
    • Auth server should start without session key validation errors
    • Database migrations (000003, 000004) should run automatically
    • Admin console should successfully authenticate with auth server
  7. Test functionality:
    • Log in to the admin console
    • Verify you can access user management, client management, etc.
    • Check that all features work as expected

Release 0.6

02 Jun 17:31


Pre-release
  • Fixed a bug where the application crashed when admin was searching for members of a group.
  • Improved error message when there's a panic.
  • Added integration tests.
  • Bumped dependencies.
  • Other minor UI/text updates.