This repository was archived by the owner on Nov 18, 2024. It is now read-only.

Releases: puppetlabs/vault-plugin-secrets-oauthapp

v3.1.1

02 Feb 23:36
71420ef

Fixed

  • The sts/:name endpoint was not seal-wrapped like the corresponding
    creds/:name endpoint; it now is.

v3.1.0

23 Jan 23:42
31d9bc1

Added

  • Add support for configuring the maximum valid lifetime of a token with a new
    maximum_expiry_seconds parameter on the creds/:name and self/:name
    endpoints.
  • The OAuth 2.0 token exchange flow (RFC 8693) for impersonation is now
    supported by reading from the sts/:name endpoint.

v3.0.0

20 Sep 19:08
32509a4

Added

  • It is now possible to manage multiple authorization servers at the same time
    by writing separate provider configurations to the servers/:name endpoint.
    Listing servers is supported at the servers endpoint.
  • Additionally, server configurations support a new client_secrets field that
    was not present in the plugin configuration in v2. When this field is set to a
    list, the plugin will attempt to use each secret in order until it receives a
    successful provider response.
  • The plugin configuration supports selecting a default server to use by setting
    the default_server field. When upgrading from v2, this field will be
    automatically set to maintain backward compatibility.
  • It is no longer necessary to explicitly specify a state when requesting an
    authorization code URL. The plugin will generate a random state and return it
    in the response.
  • Add the new tuning option tune_reap_server_deleted_seconds to control how
    long the plugin should wait before automatically deleting credentials that
    refer to a nonexistent (deleted) server.

Changed

  • [BREAKING] The plugin configuration no longer supports configuring a single
    provider for the entire engine. Instead, configure a provider using the new
    servers/:name endpoint and reference it in credentials.
  • [BREAKING] The config/auth_code_url endpoint has been removed and replaced
    by the auth-code-url endpoint, which accepts a server name as a parameter.
  • [BREAKING] The config/self/:name endpoint has been removed, and it is no
    longer possible to store an access token using the client credentials flow by
    reading from an unconfigured path at the self/:name endpoint. Instead,
    initialize such an access token by writing to the self/:name endpoint with
    any necessary configuration first.
  • The device code flow support library now sends an Accept: application/json
    header to improve compatibility with legacy device code endpoints that support
    both JSON and form-encoded responses.

Fixed

  • The scheduled processes for refreshing credentials, reaping credentials, and
    managing the device code flow no longer start on a Vault server configured as
    a performance secondary, performance standby, or disaster recovery secondary.

Build

  • Remove darwin/386 from distribution as it is no longer supported by Go or
    Vault.

v3.0.0-beta.5

17 Sep 16:58
Pre-release

Added

  • Add the option client_secrets to server configurations. When this is set to
    a list, the plugin will attempt to use each secret in order until it receives
    a successful provider response.
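The client_secrets fallback described in this entry and in the v3.0.0 "Added" notes above (try each configured secret in order until the provider accepts one, which is what makes zero-downtime secret rotation possible) is modelled below as an added example. It is not the plugin's code: the ServerConfig field names, the clientCredentials function and the httptest token endpoint are assumptions constructed for illustration. The endpoint accepts only the second secret, standing in for a provider whose old secret has just been revoked. Note that every rejected secret still shows up as a failed client authentication in the provider's logs, so list the secret you expect to work first and trim revoked secrets from the list once rotation completes.

```go
// Added example (not the plugin's own code): models the client_secrets
// fallback from the release notes. Each secret in the list is tried in order
// against the provider's token endpoint until one is accepted.
// The token endpoint is a constructed httptest server; field names are assumed.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ServerConfig mirrors the shape of a v3 server configuration that carries a
// list of client secrets (field names are assumptions for this example).
type ServerConfig struct {
	TokenURL      string
	ClientID      string
	ClientSecrets []string
}

// ExchangeResult records which secret (by index) the provider accepted,
// the access token it returned, and how many attempts were made.
type ExchangeResult struct {
	SecretIndex int
	AccessToken string
	Attempts    int
}

// clientCredentials runs the client credentials grant with each secret in
// order and stops at the first 2xx response. A 401 or 400 (invalid_client per
// RFC 6749 section 5.2) means "try the next secret"; a transport error or any
// other status aborts, because other secrets would not help and each extra
// attempt is one more failed-auth event in the provider's logs.
func clientCredentials(client *http.Client, cfg ServerConfig) (ExchangeResult, error) {
	var res ExchangeResult
	for i, secret := range cfg.ClientSecrets {
		res.Attempts++
		form := url.Values{}
		form.Set("grant_type", "client_credentials")
		req, err := http.NewRequest(http.MethodPost, cfg.TokenURL, strings.NewReader(form.Encode()))
		if err != nil {
			return res, err
		}
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.SetBasicAuth(cfg.ClientID, secret)

		resp, err := client.Do(req)
		if err != nil {
			return res, err
		}
		var body struct {
			AccessToken string `json:"access_token"`
			Error       string `json:"error"`
		}
		decodeErr := json.NewDecoder(resp.Body).Decode(&body)
		resp.Body.Close()

		switch {
		case resp.StatusCode >= 200 && resp.StatusCode < 300:
			if decodeErr != nil {
				return res, decodeErr
			}
			res.SecretIndex = i
			res.AccessToken = body.AccessToken
			return res, nil
		case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusBadRequest:
			continue // this secret was rejected; fall through to the next one
		default:
			return res, fmt.Errorf("provider returned unexpected status %d", resp.StatusCode)
		}
	}
	return res, errors.New("no configured client secret was accepted by the provider")
}

// newFakeTokenEndpoint returns a constructed token endpoint that accepts
// exactly one client secret, modelling a provider mid-rotation.
func newFakeTokenEndpoint(clientID, acceptedSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		w.Header().Set("Content-Type", "application/json")
		if !ok || id != clientID || secret != acceptedSecret {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"access_token": "tok-" + secret, "token_type": "bearer"})
	}))
}

// runFallbackDemo drives the fallback against the fake endpoint with a stale
// secret listed first, so the second secret is the one that succeeds.
func runFallbackDemo() (ExchangeResult, error) {
	srv := newFakeTokenEndpoint("my-client", "new-secret")
	defer srv.Close()
	cfg := ServerConfig{
		TokenURL:      srv.URL + "/token",
		ClientID:      "my-client",
		ClientSecrets: []string{"old-secret", "new-secret"},
	}
	return clientCredentials(srv.Client(), cfg)
}

func main() {
	res, err := runFallbackDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("secret #%d accepted after %d attempt(s); token %q\n", res.SecretIndex, res.Attempts, res.AccessToken)
}
```

Running it prints that secret #1 was accepted after 2 attempts. If every secret in the list is rejected, clientCredentials returns an error rather than silently falling back to anything else, which is the behaviour you want a credential store to have.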

v3.0.0-beta.4

16 Sep 06:50
Pre-release

Added

  • It is now possible to select a default server to use by setting the
    default_server field in the plugin configuration. When upgrading from v2,
    this field will be automatically set to maintain backward compatibility.
  • Listing existing servers is now supported at the new servers endpoint.
  • Add the new tuning option tune_reap_server_deleted_seconds to control how
    long the plugin should wait before automatically deleting credentials that
    refer to a nonexistent (deleted) server.

Fixed

  • When refreshing an authorization code credential or attempting to acquire a
    device code credential, missing servers will no longer produce scheduler
    errors.

v3.0.0-beta.3

23 Jul 01:06
Pre-release

Build

  • Remove darwin/386 from distribution as it is no longer supported by Go or
    Vault.

v3.0.0-beta.2

23 Jul 00:58
Pre-release

Build

  • Remove darwin/386 from distribution as it is no longer supported by Go or
    Vault.

v3.0.0-beta.1

23 Jul 00:40
Pre-release

Added

  • It is now possible to manage multiple authorization servers at the same time
    by writing separate provider configurations to the servers/:name endpoint.
  • It is no longer necessary to explicitly specify a state when requesting an
    authorization code URL. The plugin will generate a random state and return it
    in the response.

Changed

  • [BREAKING] The plugin configuration no longer supports configuring a single
    provider for the entire engine. Instead, configure a provider using the new
    servers/:name endpoint and reference it in credentials.
  • [BREAKING] The config/auth_code_url endpoint has been removed and replaced
    by the auth-code-url endpoint, which accepts a server name as a parameter.
  • [BREAKING] The config/self/:name endpoint has been removed, and it is no
    longer possible to store an access token using the client credentials flow by
    reading from an unconfigured path at the self/:name endpoint. Instead,
    initialize such an access token by writing to the self/:name endpoint with
    any necessary configuration first.
  • [BREAKING] When writing a credential, you must reference the server to use for
    the desired flow by specifying the server parameter.
  • The device code flow support library now sends an Accept: application/json
    header to improve compatibility with legacy device code endpoints that support
    both JSON and form-encoded responses.

Fixed

  • The scheduled processes for refreshing credentials, reaping credentials, and
    managing the device code flow no longer start on a Vault server configured as
    a performance secondary, performance standby, or disaster recovery secondary.

v2.2.0

13 Jul 16:26

Added

  • Add additional performance tuning options for provider timeouts and automatic credential reaping.

v2.1.1

26 Jun 00:30

Fixed

  • Fix a regression that caused the automatic credential refresher to be disabled
    on configurations written before v2.1.0.