Releases: openwallet-foundation/eudiplo
v4.4.0
v4.3.0
4.3.0 (2026-05-08)
Features
- issuer: Add schema metadata management UI and documentation (#699) (68a3f6c)
- enforce single-use validation for presentation and issuance offers (#695) (f4a1a01), closes #503
- improve schema metadata workflows and registrar integration (#700) (91b9b8c)
v4.2.0
4.2.0 (2026-04-30)
Bug Fixes
- fixing oidf tests (#683) (b8c5d75)
- improve dashboard and check AC availability (#690) (d7e73d1)
- mdoc validation (#689) (a4bf740)
- oid4vp: use accessKeyChainId when building client_id in offer URI (#691) (8d03d92), closes #687
Features
- auth: Add external OIDC user management with temporary password onboarding (#680) (d493708)
- add max retry counter for tx_code validation in OID4VCI pre-authorized code flow (#692) (cdb79da), closes #673
v4.1.0
4.1.0 (2026-04-25)
Bug Fixes
- add refresh token support for chained AS token flow (#677) (668a66d), closes #676
- allow attestation key chains as fallback for status list signing (#599) (8ec65c4), closes #593
- move status_list_aggregation_endpoint to AS metadata (#649) (6544ddd)
- OIDF conformance test suite fixes (#635) (4811d39)
- optimize ci execution (#627) (9cac735)
- optimize linking to grafana (#642) (9fe03df)
- prevent null values from overwriting existing issuer config (#633) (0934ac3), closes #629 #627
- proxy issuer metadata fetch to avoid CORS failures (#667) (2e58e4c)
- migrations: quote SQL identifiers for PostgreSQL compatibility (#609) (cdf058e)
- recreate offer for issuance and presentation sessions (#648) (1aa6947)
- restrict client endpoints to clients:manage role only (#597) (9ba2ed4), closes #591
- small refresh token adjustment (#678) (81185ed)
- trust list parsing and public URL (#645) (d6bef75)
Features
- add claims metadata to issuer credential configuration (#634) (36a3297), closes #632
- verifier: add OID4VP spec-compliant error handling and session failure tracking (#626) (e52566b), closes #552
- verifier: cache registration certificates per presentation config (#679) (45252e0)
- implement OID4VCI refresh token support with configurable lifetime (#659) (07952d5)
- implement OID4VP Section 13.3 direct_post security model (#651) (c43dfae)
- webhook: implement raw token pass-through in webhooks (#595) (b01cdb7)
- registrar: improve security and wizard enrollment flow (#625) (9b753bc), closes #616 #618
- issuer: make credential_response_encryption metadata opt-in (#671) (68ffea9)
- replace Prometheus metrics with OpenTelemetry observability stack (#600) (0002da5)
- client: restructure config pages into grouped tabs (#676) (657f70a)
v4.0.0
4.0.0 (2026-03-23)
Bug Fixes
- add correct migration files (#544) (faff5be)
- mdoc: correctly extract claims from all credential namespaces (#551) (d1f23c8)
- docker health check (#579) (989e94f)
- fix edit function for issuer config (#519) (3cac134)
- resolve content type for local file storage (#576) (75c3cf1)
- transform authz details (#529) (fff9b3b)
- update of request body type to form encode (#531) (5b9df5d)
- use non-privileged port 8080 for client nginx container (#555) (e6e2cdb)
- use uuid type for sessionId column on PostgreSQL + dual DB docs (#571) (fcdc747)
Features
- add AWS KMS adapter for key management (#532) (603496f)
- add persistent session log storage with configurable granularity (#561) (c086ec4)
- add static route prefixes and split OpenAPI documents (#560) (2bd527f)
- issuer: extract Attribute Providers and Webhook Endpoints as tenant-level resources (#554) (53e13d8)
- unified Key Chain model for key and certificate management (#533) (c0ca77b)
BREAKING CHANGES
- Protocol route paths changed. All issuer protocol
endpoints are now prefixed with issuers/ (e.g.
/issuers/:tenantId/vci/... instead of /:tenantId/vci/...).
OID4VP endpoints are prefixed with presentations/ (e.g.
/presentations/:sessionId/oid4vp/... instead of /:session/oid4vp/...).
Management API endpoints are now prefixed with /api.
The deprecated :tenantId/.well-known/... route variants have been
removed in favor of .well-known/.../:tenantId.
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- chore: format
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- fix: use getAuthzIssuer() for iss parameter in authorization response
The iss value in the authorization response was missing the /issuers/ path
segment, causing a mismatch with the issuer value in the authorization server
metadata (RFC 9207).
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- fix: add migration test
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- fix: remove legacy router warnings
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- All management API endpoints are now prefixed with
/api/ (e.g., /tenant -> /api/tenant, /session -> /api/session).
Protocol endpoints (OID4VCI, OID4VP, well-known, OAuth2, health,
metrics) remain at the root path. The SDK must be regenerated with
pnpm run gen:api after deploying the updated backend. Swagger UI
moved from /api to /api/docs (management) and /docs (protocol).
The SWAGGER_ALL environment variable is removed.
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- chore: add note how to add a reverse proxy
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- The client container now listens on port 8080 instead
of port 80. Update any custom port mappings or reverse proxy configs
that target the container's internal port directly (e.g. change
-p 4200:80 to -p 4200:8080).
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- issuer: Credential configurations no longer accept inline
claimsWebhook and notificationWebhook objects. Use attributeProviderId
to reference an Attribute Provider for claims fetching, and
webhookEndpointId to reference a Webhook Endpoint for notifications.
Existing inline configurations are migrated automatically by the
database migration.
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- chore: format files
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
v3.1.2
v3.1.1
v3.1.0
v3.0.0
3.0.0 (2026-02-27)
Bug Fixes
- allow empty strings for database config in case of sqlite (d264730)
- auth client creation (fe0f26c)
- change DB_SYNCHRONIZE default to true for fresh installs (0b9dedf)
- #470: credential query to make use of the correct type for claims query. Claim query id is optional. (f416453), closes #470
- docs: improve wallet overview chapter (#489) (207d65c)
- k8s files (8f0cd2a)
- remove claim webhook (9b9dd60)
- resolve SonarCloud code quality issues (#487) (070d9f8)
- restore accidentally deleted tsconfig.scripts.json (ad87c72)
- session metrics initialization for multi-tenant (2f8c3aa)
- simplify baseline migration to marker-only approach (7dcc0b8)
- update packages (4a5b933)
- update s3 handling (#510) (c61f526)
Features
- database: add TypeORM migration support (0231c90)
BREAKING CHANGES
- database: Schema synchronization is now disabled by default.
- Add migration infrastructure with baseline migration for v2.0.0
- Disable synchronize by default (DB_SYNCHRONIZE=false)
- Enable auto-run migrations on startup (DB_MIGRATIONS_RUN=true)
- Add migration CLI scripts (generate, run, revert, show)
- Create data-source.ts for TypeORM CLI operations
- Update validation schema with new config options
- Document migration workflow in database.md
Existing databases are automatically detected - the baseline migration
skips table creation if tables already exist from synchronize mode.
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
v2.0.0
2.0.0 (2026-02-19)
- refactor!: rename JWT_SECRET to MASTER_SECRET (57c5574)
Bug Fixes
- add link to role usage (09a9e36)
- ci handling (b960f01)
- handling authorization servers (ec5aa47)
- harden system (bd23ba3)
- improve client handling for issuance (d151244)
- improve navigation (d41e28a)
- merge github actions (589a760)
- pass envs (4eb5d4b)
- protect metric endpoint (180726a)
- remove default values for root user (e30f838)
- remove example chain as config (b003f1c)
- remove unused imports (be60ed1)
- replace presentation:offer with presentation:request (dd24fd7)
- url (34d67a9)
- validate wua for chained as (b85429a)
Documentation
- update container examples to require auth credentials (503dd1c)
Features
- add chained as (5ffce55)
- add Dependabot automation workflows (c4fb7f5)
- add healthcheck to sdk (4ac7d71)
- add secret manager (e1d859e)
- make session events available via sse (3ebf01f)
BREAKING CHANGES
- MASTER_SECRET, AUTH_CLIENT_ID, AUTH_CLIENT_SECRET now required
- Update quick-start.md docker run commands to include required env vars
- Update README.md demo setup to generate credentials instead of defaults
- Clarify .env.example that all three auth vars are required
- Update deployment .env examples to show required credentials
- Add AUTH_CLIENT_ID and AUTH_CLIENT_SECRET to env vars table
- Add METRICS_TOKEN to production deployment examples
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org
- The environment variable JWT_SECRET has been renamed to MASTER_SECRET
to better reflect its multi-purpose usage (JWT signing and encryption key derivation).
This change provides clearer semantics as the secret is used for:
- JWT token signing (when using integrated OAuth2)
- Encryption key derivation via HKDF (for data at rest)
Migration: Update your .env files and deployment configs to use MASTER_SECRET
instead of JWT_SECRET. The minimum 32-character requirement remains unchanged.
Updated files:
- Backend auth and encryption modules
- All .env.example files
- CI/CD workflows
- Kubernetes and Docker Compose deployment configs
- Documentation
Signed-off-by: Mirko Mollik mirko.mollik@eudi.sprind.org