Added: release notes for #11689

GPortas · GPortas · commit e588be591449 · 2025-08-27T09:43:34.000+01:00
diff --git a/doc/release-notes/11689-builtin-users-api-bearer-auth-enhance.md b/doc/release-notes/11689-builtin-users-api-bearer-auth-enhance.md
@@ -0,0 +1,9 @@
+## Security improvements for `api-bearer-auth-use-builtin-user-on-id-match`
+
+We’ve strengthened the security of the `api-bearer-auth-use-builtin-user-on-id-match` feature flag. It will now only work when the provided bearer token includes an `idp` claim that matches the Keycloak Service Provider identifier.
+
+By enforcing this check, the risk of impersonation from other identity providers is significantly reduced, since they would need to be explicitly configured with this specific, non-standard identifier.
+
+See:
+- [#11622 (comment)](https://github.com/IQSS/dataverse/pull/11622#discussion_r2216017175)
+- [#11689](https://github.com/IQSS/dataverse/issues/11689)  
