Changelog

A summary of major releases and features added to UniAuth.

SDK v2.0 — Modern SDK

Complete SDK modernization with JWKS-based ID token verification, pluggable storage, cross-tab sync, and React SDK composition. SDK v1.0 is deprecated and no longer supported.

  • RS256 ID token verification — ID tokens are now verified against the JWKS endpoint by default. Signatures are validated using Web Crypto API (RS256). Key rotation is handled automatically via kid mismatch detection.
  • Pluggable storage — Choose between memory, sessionStorage, or localStorage for token persistence. Custom adapters supported via the TokenStorage interface.
  • Cross-tab auth sync — Login, logout, and token refresh events are synchronized across browser tabs via BroadcastChannel (localStorage fallback for older browsers).
  • Organization support — Pass organization to scope authorization requests to a specific org tenant.
  • ACR/LoA claims — Request specific authentication assurance levels via acrValues. ID token claims include acr, amr, sid, and groups.
  • Network resilience — Optional fetchWithRetry with exponential backoff and jitter for 5xx/network errors.
  • React SDK rewrite — Provider rewritten from 272 to 117 lines by composing the JS SDK class. New hooks: useAccessToken(), useOrganization(), useIdTokenClaims().
  • CJS + ESM + IIFE outputs — JS SDK ships CommonJS, ES Module, and IIFE bundles. React SDK ships CJS and ESM.
  • SDK v1.0 archived — v1.0 is deprecated and will not receive updates. v1.0 lacked ID token signature verification, had no cross-tab sync, and the React SDK duplicated 200+ lines of PKCE/OAuth logic instead of composing the JS SDK.

v3.0 — Production Readiness

Full production hardening, comprehensive test coverage, mobile-optimized admin panel, and official SDK publishing.

  • 5,969 automated tests — Comprehensive test suite covering authentication flows, OAuth2/OIDC conformance, 2FA, WebAuthn, admin operations, and both SDKs.
  • Redis rate limiting — Distributed rate limiting via Redis for multi-instance deployments, with automatic fallback to in-memory stores.
  • Mobile-optimized admin panel — Responsive admin interface with touch-friendly navigation, collapsible sidebar, and mobile-first table layouts.
  • OIDC conformance — Full OpenID Connect certification-level compliance including all required and optional endpoints.
  • Documentation site — Complete documentation with guides for authentication, OAuth2/OIDC, SDKs, admin, security, and API reference.

v2.0 — Enterprise Features

Enterprise-grade identity management with SAML, SCIM provisioning, advanced OAuth2 extensions, webhooks, analytics, and admin impersonation.

  • SAML 2.0 Identity Provider — Full SAML IdP support with SP-initiated SSO, configurable attribute mapping, and signed assertions.
  • SCIM 2.0 Provisioning — Automated user and group provisioning via the SCIM protocol for enterprise directory sync (Azure AD, Okta, etc.).
  • DPoP (Demonstrating Proof-of-Possession) — Sender-constrained access tokens to prevent token theft and replay attacks.
  • PAR (Pushed Authorization Requests) — Server-side authorization request storage for enhanced security and confidentiality.
  • Webhooks — Real-time event notifications for user lifecycle events (registration, login, password change, account deletion) with HMAC signature verification.
  • Analytics dashboard — Admin analytics with user growth, login activity, 2FA adoption, and OAuth client usage metrics.
  • Admin impersonation — Secure impersonation flow allowing administrators to sign in as any user for debugging, with full audit logging.
  • Device authorization flow — OAuth 2.0 Device Authorization Grant (RFC 8628) for input-constrained devices (smart TVs, CLI tools).
  • Dynamic client registration — OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591) for automated client onboarding.
  • Backchannel logout — OpenID Connect Back-Channel Logout for coordinated session termination across relying parties.

v1.0 — Core Identity Provider

The foundational release establishing UniAuth as a complete, security-first identity provider with OAuth2/OIDC authorization server capabilities.

  • Email/password authentication — Argon2id password hashing with transparent bcrypt migration, zxcvbn strength validation, and HaveIBeenPwned breach detection.
  • Social login — Google and GitHub OAuth with PKCE (S256 code challenge), encrypted token storage, and automatic account linking.
  • Multi-factor authentication — TOTP (authenticator apps), email OTP, and SMS OTP (via Twilio) with multi-method support and default method selection.
  • WebAuthn / Passkeys — Passwordless authentication with direct attestation, Conditional UI (autofill), and hardware key support.
  • OAuth2/OIDC Authorization Server — Full OAuth 2.0 and OpenID Connect provider with authorization code flow, PKCE, refresh token rotation, family-based replay detection, and pairwise subject identifiers.
  • Post-quantum cryptography — ML-DSA-44 (FIPS 204) session signatures and ML-KEM-768 (FIPS 203) key encapsulation for future-proof security.
  • Encryption at rest — AES-256-GCM encryption for TOTP secrets, OTP codes, OAuth tokens, and PQC private keys.
  • Progressive account lockout — Escalating lockout durations (1 min to 1 hr) based on failed login attempts.
  • Session security — 24-hour inactivity timeout, max 10 concurrent sessions, fingerprint-based hijack detection, and password-change revocation.
  • Threat detection — Statistical login risk scoring based on IP history, user agent, time-of-day patterns, and burst detection.
  • Backup codes — One-time-use recovery codes with SHA-256 hashing for 2FA bypass scenarios.
  • OIDC standard claims — Full user profile with 12 extended columns following OpenID Connect Core 1.0 Section 5.1.
  • Admin panel — User management, session monitoring, activity logs, role-based access control, system settings, and OAuth client administration.
  • Developer console — Self-service OAuth app registration (up to 10 apps per user) with client credentials management.
  • Data retention — Automated cleanup of expired sessions (30d), tokens (7d), OTPs (24h), and activity logs (1yr).
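The "refresh token rotation, family-based replay detection" item in the v1.0 notes above describes a mechanism worth seeing end to end. The following is an added illustration in JavaScript, not UniAuth's own code: the store layout, method names and sequential token values are assumptions made for the example.

```javascript
// Refresh-token rotation with family-based replay detection.
// Added illustration of the mechanism named in the v1.0 notes; this is not
// UniAuth's code, and the store layout and method names are assumed.
// Token values are constructed sequentially; a real issuer uses random, opaque ids.
class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();   // token -> { family, used }
    this.families = new Map(); // family -> { revoked }
    this.seq = 0;
  }

  // Mint a fresh refresh token. A new login starts a new family; a rotation
  // stays in the family of the token it replaces.
  issue(family) {
    const fam = family ?? `fam-${++this.seq}`;
    if (!this.families.has(fam)) this.families.set(fam, { revoked: false });
    const token = `rt-${fam}-${++this.seq}`;
    this.tokens.set(token, { family: fam, used: false });
    return token;
  }

  // Exchange a refresh token for its successor. Presenting a token that was
  // already rotated means either the client or someone else holds a stale copy,
  // so the whole family is revoked and every descendant stops working.
  rotate(token) {
    const rec = this.tokens.get(token);
    if (!rec) return { ok: false, reason: 'unknown_token' };
    const fam = this.families.get(rec.family);
    if (fam.revoked) return { ok: false, reason: 'family_revoked' };
    if (rec.used) {
      fam.revoked = true;
      return { ok: false, reason: 'replay_detected', family: rec.family };
    }
    rec.used = true;
    return { ok: true, token: this.issue(rec.family), family: rec.family };
  }
}

// Walk one family through two normal rotations and then a replay of the
// original token; returns the outcome of each step for inspection.
function replayScenario() {
  const store = new RefreshTokenStore();
  const t1 = store.issue();
  const first = store.rotate(t1);                 // ok, yields t2
  const second = store.rotate(first.token);       // ok, yields t3
  const replay = store.rotate(t1);                // stale copy presented again
  const afterReplay = store.rotate(second.token); // latest token is now dead too
  return { first, second, replay, afterReplay };
}
```

The detection is deliberately coarse: one replayed token kills the whole family, so the legitimate client is forced back through a full login, which is the intended outcome when it cannot be known which party holds the stale copy.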