Releases: oriolrius/pki-manager-web

v1.7.0

05 Mar 14:14

New Features

  • OpenAPI YAML endpoint: Added /api/v1/openapi.yaml endpoint for API documentation

Full Changelog: v1.6.3...v1.7.0

v1.6.3

13 Feb 15:52

What's Changed

Documentation

  • Added comprehensive OIDC.md guide explaining:
    • Public vs confidential clients (why no client secret for SPAs)
    • Complete authentication flow with ASCII diagrams
    • PKCE (Proof Key for Code Exchange) mechanism
    • Token validation process
    • Role-based access control
    • Docker networking considerations
    • Machine-to-machine authentication

Full Changelog: v1.6.2...v1.6.3

v1.6.2

13 Feb 15:30

What's Changed

Fixes

  • E2E OIDC networking: Added OIDC_DISCOVERY_BASE_URL support for Docker environments where the backend cannot reach localhost URLs
  • Database migrations: Entrypoint now runs migrations automatically on startup
  • Keycloak v26+ config: Updated hostname configuration to use full URL format

Documentation

  • Added E2E architecture diagram
  • Documented Docker OIDC networking configuration
  • Added E2E-specific troubleshooting section
  • Fixed typo in "Image Pull Failures" heading

Tests

  • All 19 RBAC E2E tests pass against local Docker environment

Full Changelog: v1.6.1...v1.6.2

v1.6.1

13 Feb 09:17

What's Changed

Security / RBAC

  • CA creation now requires admin role: Regular users can no longer create Certificate Authorities. The ca.create endpoint now uses adminProcedure with explicit role verification.

Bug Fixes

  • fix(rbac): Added explicit admin role check in CA create mutation as defense-in-depth
  • fix(docker): Corrected GHCR image names in docker-compose configuration
  • fix(tests): Improved E2E RBAC tests to properly capture and validate API responses

Testing

  • All 19 RBAC E2E tests now pass against production
  • Tests properly verify that regular users receive HTTP 403 FORBIDDEN when attempting admin operations

Full Changelog: v1.6.0...v1.6.1

v1.6.0

13 Feb 07:06

What's Changed

🔐 Authentication - Runtime OIDC Configuration

Complete support for runtime OIDC configuration via config.json, enabling Docker deployments without rebuilding the frontend:

  • Runtime config.json support - OIDC settings (authority, clientId, scope) loaded at runtime instead of build-time
  • Fixed token exchange - Callback route now uses async config for token exchange
  • Fixed token validation - Storage key correctly derived from runtime config
  • Fixed API authentication - tRPC client retrieves tokens with correct storage key

🧪 Testing

  • E2E production tests - Comprehensive Playwright test suite for OIDC authentication flow:
    • Config.json serving validation
    • Keycloak redirect for unauthenticated users
    • Complete login flow with runtime config
    • API calls with authenticated session
    • Token storage verification
    • Session persistence across page reloads
    • In-app navigation
    • Logout flow
    • Error handling for invalid credentials

📚 Documentation

  • Keycloak integration guide - Comprehensive setup and configuration documentation
  • Deployment instructions - Database migration and OIDC configuration guides

Upgrade Notes

No breaking changes. Existing deployments will continue to work. To enable runtime OIDC configuration:

  1. Mount a config.json file to /usr/share/nginx/html/config.json in the frontend container
  2. Remove VITE_OIDC_* environment variables from build process (optional)

Example config.json:

{
  "oidc": {
    "authority": "https://your-keycloak.com/realms/your-realm",
    "clientId": "your-client-id",
    "scope": "openid profile email"
  }
}

v1.5.1

06 Feb 11:07

Bug Fixes

CI/Build Fixes

  • fix(ci): Updated pnpm-lock.yaml to include missing OIDC dependencies (oidc-client-ts, react-oidc-context)
  • fix(auth): Fixed TypeScript error TS7030 in REST auth middleware - ensured all code paths return consistent void values

Auth Middleware Improvements

  • fix(auth): tRPC auth middleware now skips authentication when OIDC is disabled instead of throwing INTERNAL_SERVER_ERROR
  • fix(auth): Admin role middleware skips role check when OIDC is disabled
  • fix(test): Updated auth tests to reflect new skip behavior when OIDC is not configured

Details

This patch release fixes CI workflow failures that were occurring due to:

  1. Outdated lockfile missing frontend OIDC dependencies
  2. TypeScript compilation errors in auth middleware
  3. Auth middleware throwing errors instead of gracefully skipping when OIDC is not configured

Full Changelog: v1.5.0...v1.5.1

v1.5.0

06 Feb 09:50

Full Changelog: v1.4.0...v1.5.0

v1.4.0

05 Feb 13:46

What's New

Keycloak Development Environment

Added complete Keycloak 26.5.2 integration for authentication development and testing.

Features

  • Docker Compose setup - One-command Keycloak deployment (cd keycloak && docker compose up -d)
  • Pre-configured realm (pki-dev) with test users and OAuth2 clients
  • Python validation script - Verify environment with uv run keycloak/test_keycloak.py

Test Users

| Username | Password | Role  |
|----------|----------|-------|
| admin    | admin    | admin |
| user     | user     | user  |

OAuth2 Clients

| Client ID   | Flow                                | Use Case               |
|-------------|-------------------------------------|------------------------|
| pki-service | Client Credentials                  | Machine-to-machine API |
| pki-web     | Authorization Code + Password Grant | Web application        |

Validation Tests

  • Health endpoint verification
  • OpenID Connect configuration
  • JWKS signing keys
  • Client Credentials flow
  • Password Grant flow with token claim validation

Full Changelog: v1.3.2...v1.4.0

v1.3.2

02 Dec 13:52

Bug Fixes

  • CA certificates now include proper X.509 extensions (#2)
    • basicConstraints=critical,CA:TRUE - Identifies certificate as a CA (RFC 5280 requirement)
    • keyUsage=critical,keyCertSign,crlSign - Allows signing certificates and CRLs
    • subjectKeyIdentifier=hash - Helps identify certificates issued by this CA

This fixes certificate chain validation failures in TLS clients and Java truststores when using CA certificates created by PKI Manager.
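The three extensions listed above are exactly what a relying party inspects before it will accept a certificate as an issuer. The script below is an added example and not code from pki-manager-web: using only the openssl CLI it builds one self-signed CA that carries all three extensions and one that does not, issues a leaf from each, audits both CA certificates for the extensions, and runs openssl verify on both chains so that the failure this release describes is reproduced. It assumes openssl 1.1.1 or 3.x on PATH; the file names, the placeholder CN values and the DNS name pki.example.test are constructed for the demonstration, and the CRL-signing bit is written in OpenSSL's own case-sensitive spelling, cRLSign.

```shell
#!/bin/sh
# Added example, not code from pki-manager-web: reproduces the chain validation
# failure that v1.3.2 fixes, using only the openssl CLI. A self-signed CA without
# basicConstraints CA:TRUE is rejected as an issuer; the same kind of leaf validates
# once the CA carries the three extensions from the release notes.
# Assumes: openssl 1.1.1 or 3.x on PATH. Everything is written to a temp directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config. The extension section is chosen per call with -extensions.
# OpenSSL spells the CRL-signing bit cRLSign (case-sensitive).
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[broken_ca_ext]
basicConstraints = CA:FALSE
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectAltName = DNS:pki.example.test
EOF

gen_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Self-signed CA: $1 = file prefix (also used as the CN), $2 = extension section name.
make_ca() {
  gen_key "$WORK/$1.key"
  openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$1" -days 1 \
    -config "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# End-entity certificate signed by a CA: $1 = CA prefix, $2 = leaf prefix.
issue_leaf() {
  gen_key "$WORK/$2.key"
  openssl req -new -key "$WORK/$2.key" -subj "/CN=pki.example.test" \
    -config "$WORK/ext.cnf" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Audit: returns 0 when a CA certificate carries all three extensions, 1 otherwise.
check_ca_extensions() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE'                || { echo "  missing basicConstraints CA:TRUE"; return 1; }
  echo "$text" | grep -q 'Certificate Sign'       || { echo "  missing keyUsage keyCertSign"; return 1; }
  echo "$text" | grep -q 'CRL Sign'               || { echo "  missing keyUsage cRLSign"; return 1; }
  echo "$text" | grep -q 'Subject Key Identifier' || { echo "  missing subjectKeyIdentifier"; return 1; }
}

# Returns 0 when the leaf chains to the CA the way a TLS client checks it, 1 otherwise.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build both scenarios (constructed test data).
make_ca good ca_ext;          issue_leaf good leaf_good
make_ca broken broken_ca_ext; issue_leaf broken leaf_broken

for ca in good broken; do
  echo "CA '$ca':"
  check_ca_extensions "$WORK/$ca.crt" && echo "  extensions present"
  verify_chain "$WORK/$ca.crt" "$WORK/leaf_$ca.crt" && echo "  leaf verifies" || echo "  leaf FAILS verification"
done
```

To audit an existing CA certificate, call check_ca_extensions on its PEM file; a CA that fails the audit is the one TLS clients and Java truststores reject with an invalid-CA error, and openssl verify reports the same outcome for any leaf it has signed.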

v1.3.1

02 Dec 13:27

Bug Fixes

  • fix: resolve certificate/key mismatch in P12/JKS downloads - Fixed critical issue where private keys in P12/JKS downloads didn't match the certificate's public key (#1)

Root Cause

When issuing certificates, the KMS certify operation wasn't using the pre-created key pair, causing a mismatch between stored private keys and certificate public keys.

Impact

⚠️ Certificates issued before v1.3.1 are affected and should be revoked and re-issued.

Changes

  • Added UniqueIdentifier to certify request to reference existing public key
  • Added PublicKeyLink attribute as backup mechanism
  • Added test to verify certificate/private key modulus match
  • Disabled key reuse for renewals (was broken for same reason)
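The mismatch this release fixes can be detected from the outside without any knowledge of the KMS. The script below is an added example, not code from pki-manager-web: it compares the public key inside a certificate with the public key derived from a private key (a SHA-256 over the SubjectPublicKeyInfo, which works for RSA and EC keys alike), shows the RSA modulus comparison that the release's new test performs, and unpacks a PKCS#12 bundle so the same check can be run on a downloaded P12. It assumes openssl 1.1.1 or 3.x on PATH; the keys, certificate, bundle and the password changeit are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from pki-manager-web: the certificate/private key
# consistency check behind the v1.3.1 fix, done with the openssl CLI. Use it to
# audit P12 bundles downloaded from an affected release before deciding what to
# revoke and re-issue. Assumes openssl 1.1.1 or 3.x on PATH; sample material is
# constructed in a temp directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Algorithm-agnostic check: hash the SubjectPublicKeyInfo taken from the certificate
# and the one derived from the private key, then compare. Returns 0 on match, 1 on mismatch.
cert_matches_key() { # $1 = certificate PEM, $2 = private key PEM
  cert_spki=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_spki=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_spki" = "$key_spki" ]
}

# RSA-only variant: the modulus comparison that the release's new test performs.
rsa_modulus_matches() { # $1 = certificate PEM, $2 = RSA private key PEM
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Unpack a PKCS#12 bundle (as downloaded from PKI Manager) and check the pair inside.
p12_is_consistent() { # $1 = .p12 path, $2 = import password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$WORK/p12.crt" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$WORK/p12.key" 2>/dev/null
  cert_matches_key "$WORK/p12.crt" "$WORK/p12.key"
}

# Constructed sample data: one certificate, the key it was created with, and an
# unrelated key standing in for the wrong key a pre-v1.3.1 download would contain.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = pki.example.test\n' > "$WORK/req.cnf"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/right.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/wrong.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/right.key" -config "$WORK/req.cnf" -days 1 -out "$WORK/cert.crt" 2>/dev/null
openssl pkcs12 -export -in "$WORK/cert.crt" -inkey "$WORK/right.key" -passout pass:changeit -out "$WORK/good.p12"

report() { # $1 = label, $2 = certificate PEM, $3 = private key PEM
  if cert_matches_key "$2" "$3"; then echo "$1: key matches certificate"; else echo "$1: MISMATCH, revoke and re-issue"; fi
}
report "correct pair"    "$WORK/cert.crt" "$WORK/right.key"
report "mismatched pair" "$WORK/cert.crt" "$WORK/wrong.key"
p12_is_consistent "$WORK/good.p12" changeit && echo "good.p12: consistent"
```

To audit a bundle downloaded from a pre-v1.3.1 deployment, call p12_is_consistent with the bundle path and its password; a non-zero return identifies a certificate that, per the impact note above, should be revoked and re-issued. The mismatched case is demonstrated with a loose PEM pair because openssl pkcs12 -export refuses to build a bundle whose key does not belong to the certificate.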