Changelog
Summary of changes made in our releases. It includes bug fixes, new features, improvements, and other relevant alterations.
2025-05-19
Detection of new User Device (v 1.2.212)
- Authway tracks user devices, which means that an e-mail can notify the user if a sign-in is from a new device or from a new country.
- Signed-in users who trigger an SSO from a new country will be forced to sign in again.
- It is not possible to use a single permission in more than one module.
- New Events:
2025-04-15
Push new Permission (v 1.2.210)
- It is now possible to push a new permission to all users/groups that have another permission.
- New lookup API to get more than one user in a single call. This also replaces the API to get a user by username, since we have firewall challenges with that API. That API is now deprecated and will be removed in future versions.
- Security improvements.
2025-03-17
Quality focus (v 1.2.208)
- It is now possible to re-invite a user after removing all sign-in alternatives.
- Import Client configuration, which is useful when having multiple environments.
- Performance improvements for users with many interactions.
- New Events:
- Bug fix: Password handling for linked user accounts.
- Bug fix: 504 errors in the admin portal caused by a cookie.
- Bug fix: Reset password now works even if the user was logged in where the reset link is used.
2025-02-07
IP address improvements (v 1.2.199)
- Support for black- and whitelisting of IP addresses. This can be administered through API calls so far, but UI support will be provided.
- More IP address information in our Events.
- Improved handling of edge cases in One-time password (OTP).
- Showing Identity number in listing/searching of organisations.
- Fixed a potential SQL Injection (CVSS 2.1 Low)
- Fixed a potential Server-side Request Forgery for custom authentication alternatives (which requires special permissions) (CVSS 7.5 High)
- Bug fix: Passwords created through invitations always performed the breached password test, even if the instance is configured not to block.
2024-12-13
Geographic data and new database support (v 1.2.172)
- Audits and session information are extended with geographic data.
- Improved UX for changing username and forgot password, by moving them closer to the usage.
- Simplified 2FA step during sign-in by removing options.
- Added flexibility for Swedish BankId for some scenarios.
- Shortcut to add all functionalities in a group template.
- Groups can have a description, and built-in has been split into built-in and requires at least one user.
- Beta support for PostgreSQL
2024-10-11
Improved UX in sign-in scenarios (v 1.2.133)
- Improved display of errors with much better usability.
- Extended e-mail validation. Catching common mistakes that can prevent a user from successfully creating an account.
- Improved UX when using an old or used password reset link.
- Added the possibility to configure step-up authentication without auto-linking. This is helpful for scenarios where a stronger authentication is needed, but without associating the sign-in alternative with the user (effectively not displaying the sign-in alternative for new sign-ins).
- Included user claims in export of personal data.
- Only showing users who have access to the module when impersonating.
- Prevent export of external systems.
- Search organisations that have a module activated.
- A lot of API documentation has been added, primarily for the APIs most commonly used.
2024-09-23
Improved OTP and other minor changes (v 1.2.110)
- Improved one-time password input.
- Displaying external group name in search groups.
- Improved Open API specification (operationId has better names now).
- Removed support for legacy API routes.
- Bug: Fixed so that it is possible to search with a “+” sign. For example, this makes it possible to search for e-mail addresses with a “+” sign.
2024-08-20
Server Sessions (v 1.2.88)
- Moved to Server sessions for users, which allows Authway to display current sessions and lets administrators force a sign-out of a user. Currently signed-in users are automatically migrated.
- Improved password input, which can display the password and warns about CAPS LOCK.
- A sign-in with Swedish BankID will never be valid for more than one hour (because of a legal agreement that doesn’t allow identity switching).
- Rate limiting of how many authorize requests Authway allows for the same client and session. This is to stop clients that fail to handle a successful sign-in and therefore trigger a new sign-in, which in turn causes a never-ending loop for the user. Authway will return access_denied with “Request rate limit exceeded.” as description.
- Support for Google Analytics/TagManager.
2024-07-17
Improved Compatibility (v 1.2.68)
- Automatically setting e-mail as verified when it matches the value from Microsoft, Apple, Google, or other social logins that provide the e-mail verified claim.
- Handle ui_locales so that client/application can control the language in the sign-in flow.
- Swedish BankID can’t be used to create new users by default (because of a legal agreement that won’t allow such a user to use any other sign-in method).
- Admin UI now uses backchannel sign-out, since front-channel logout is increasingly broken because of browsers blocking third-party cookies.
- Authway now has a version number that will be the same over all instances (of course depending on the version currently running in the instance).
2024-06-03
UI Improvements
- Improved reset password flow.
- API and UI for viewing and management of user sign-in alternatives.
- Full support for BankId secure start.
- Split the self invite feature into self invite and renew invite, so that it is possible for a user to renew a sent invitation, but not to make an invite from the sign-in flow.
- All outgoing network traffic comes from a single IP to make it easier to configure IP restrictions in different scenarios, for example Webhooks.
2024-03-04
Resend verification code
- New ability to resend verification code in flows where verified email/phone is required.
- Prevent an attacker from finding out if an account exists by always presenting a local login (but not for customers who allow you to create an account instead).
2024-02-01
Improvements in admin UI
- Administrative support for adding a SAML-based login for an organization.
- Ability to apply a new template group to all organizations with access to the module. This can only be done once.
- Support for åäö in the username (and thus also in the name for External Systems).
- Improved error information when data needs to be supplemented during auto-provision.
2023-12-21
Username synchronization
- Users are now synchronized with data from an owner-specific login. Earlier this fall, we released support for updating the person, but now this is extended to include the user, meaning that the username changes when a person changes their email address.
- Support for exporting a client.
- Expanded client configuration with the possibility to set Url and Logotype.
2023-12-07
Minor improvements
- Limited the number of times you can request reset password (per user). Configurable, we allow the user to do it 5 times in 30 minutes by default. This limitation improves security.
- Option to limit which login methods should be allowed for new organizations by default.
- Support for importing a module again (the settings are then overwritten) to simplify changes between environments.
- Made it possible to register multiple external groups against one group in Authway.
- New events:
- “Copy LogId” is not displayed by default, but it must be activated in environments where UserId is not logged, but a hash of UserId is used.
2023-11-08
Security improvements
- Support for checking passwords against https://haveibeenpwned.com. We now have the opportunity to check that passwords are not included in the world’s largest database of leaked passwords.
- Finer control over the lifetime of links. We have now changed so that the link in reset password is valid for 6 h by default (previously 24 h), and the link in invitations is valid for 72 h (previously 24 h) by default.
2023-10-31
Linked accounts
- We now have support for linking organizational accounts to a personal account. Primarily for businesses with private individuals as their primary customers, but where this person sometimes needs to act in the context of an organization.
- Improved validation on the client in the login. Progressive expansion of browser support.
- Follows Microsoft and Google brand guidelines for “Sign in with Microsoft/Google”.
- Improved contrast ratio on frames and buttons in the login for increased WCAG compatibility.
2023-10-05
Automatic owner selection and one-time password improvements
- When a name is required but missing on users, it will be collected during login.
- We show (masked) where a one-time password has been sent to increase clarity.
- One-time passwords can now be re-sent as email (if they were sent as SMS and ended up in spam filters).
- External login methods are sorted alphabetically.
- When a username matches multiple users, the login options are filtered based on which users have access to the module to be logged in. This reduces instances when a user needs to select an owner or is notified that access is missing.
2023-08-25
Minor improvements
- Removed the requirement for email to be entered when resetting the password.
- Adjusted texts for external logins to fit smaller screens (lower resolution).
- Security improvements in the admin interface.
- Bug: Improved error message when a user tries to use the same reset link again after the password has been reset once.
2023-06-22
Improvements to a few login cases
- It is now possible to reset all passwords for users who are in multiple organizations (previously, these only received reset emails for one of their users). This includes a new email that must be created for everyone with custom emails.
- Updates username/email for users who were created with a username but then change it in their organization.
- Syncs the person’s name and email from their organization login.
- Increased flexibility in managing (add/delete) claims for a user in ClaimFilters.
- New event:
  - UserUsernameChanged, which means that changes to the username are no longer included in UserUpdated.
- API improvements (and changes):
  - Exposes export of personal data (GDPR support).
  - Possibility to remove all rights from a module for a specific user (GDPR support).
  - The API key must be at least 12 characters long when registering a webhook system.
- Fixed bugs:
  - “Load more” in a search result did not work.
  - Failed to update an identity scope.
  - Auth-data was not saved when registering the webhook (only when updating).
2023-05-26
Improved module management for organizations (owners)
- Improved user interface for an organization’s modules
- Ability to set the module as paid/unpaid or deactivate it (in the UI)
- Rights and/or groups associated with a module are removed when the module is deactivated for an organization.
- Group templates can now be configured to be added to existing users when the module is activated.
- New events:
  - ModuleActivatedForOrganisation
  - ModuleInactivatedForOrganisation
  - ModuleUnpayedForOrganisation
  - ModulePayedForOrganisation
- Improved sorting of rights in the administration of groups and external systems
- Fixed bugs:
  - All modules (more than 15) are not shown in the API scope admin
  - The URL of the module is not validated, allowing it to be entered without protocol which in turn gives consequential errors.
2023-05-16
SAML logout and various minor improvements
- A locked account is unlocked immediately when the user resets the password (improvement)
- Possibility to copy an invitation link to share it by other means than sending invitation emails
- SAML Identity Provider now also supports logout (also between protocols)
- Made it possible to specify which tenant an API call applies to by sending the X-IRM-TenantId HTTP Header (provided the caller has permission to configure owners)
- New events:
  - ModuleWentOffline
  - ModuleWentOnline
2023-04-28
GDPR improvements
- Four different background jobs to remove information based on different GDPR scenarios.
  - Removal of empty organizations (Sole proprietorships contain personal data)
  - Removal of users who have never logged in
  - Removal of users who have not logged in for a long time
  - Removal of users who have no permissions
- Scalability improvements in Webhook event delivery
- Improved page titles in the login flow (for better accessibility)
- Fixed bug: The branding of an application is dropped at the end of the password reset
2023-03-31
SAML Identity Provider
- Authway can now act as a SAML Identity Provider in many situations, although there are parts of the SAML standard where our support will be further developed. In this first update, there is support for exposing/exporting SAML metadata, as well as the certificate used, but otherwise the administrative possibilities are not ready yet, and we have to do the configuration manually.
- More variants of name requirements when registering an account.
- Improved handling of confirmation e-mail/mobile in connection with login, primarily when the user takes a long time to confirm.
- Support for selecting BankId on the same device or another device directly from the application.
- New event:
  - FunctionalityDeleted
- ClientId/Name in metadata for more events
- Fixed bug:
  - The brand customization is not displayed correctly on the password reset confirmation page.
2023-02-24
Automatic re-direct back to the application after logout
- Automatic re-direct back to the application after logout (if possible)
- New events:
  - UserRoleAdded
  - UserRoleRemoved
- Security enhancements and compliance improvements.
- Fixed bugs:
  - CausedByPersonId was too often set to User.Id instead of logged in user
  - Validation of GrantTypes for a client
2023-01-18
Support for SSO tokens
- The ability for a client to force a single-sign-on of a user
- Fixed bugs:
  - It is possible to search users by username, even for users who do not have email as username.
  - It is possible to do Impersonate on users regardless of username type.
  - The username on details for a user gets the right type (based on the owner’s settings).
  - Settings can be displayed when administering another organization.
2023-01-12
Validation of owner at login
- Forces the user to log in again if the client requests a different owner than the one the user belongs to
- Forces the user to log in again if the user’s owner does not have access to the application.
- Prevents the user from logging into an application where the module is set to offline
- Validates that the tenant the client sends exists and otherwise deletes it.
- Ability to edit the Client’s claim (claims)
- Fixed bug:
  - Allowing ‘ and : in names
2022-12-16
Initiate account creation via OIDC
- Support for initiating account creation from the client (https://openid.net/specs/openid-connect-prompt-create-1_0.html)
The full changelog is available in Swedish at:
https://docs.authway.co/forandringshistorik/index.html