v1.3: Custom OAuth, device trust, stay signed in

[FlxMgdnz]

This update contains a variety of frequently requested features and improvements.

Custom OAuth providers

In addition to the preconfigured providers such as Apple, Google, and GitHub, we have now added the option to configure custom OpenID Connect or OAuth providers so that they appear as “Sign in with...” buttons on the login and registration pages.

Device trust

A new device trust feature offers users the option of not having to perform 2FA again for a certain period of time after successful 2FA. Administrators can determine whether device trust should be established automatically, or whether the user should be asked whether they trust the device, or whether trusted devices should never be allowed and 2FA should always be enforced.

Stay signed in

This new option can be used to control whether a persistent cookie or a session cookie should be issued when the user is logging in. Persistent cookies (default) remain valid for the set session duration, i.e. the user remains logged in even if the browser is closed. Session cookies are usually deleted when the browser or browser tab is closed, so users have to log in again the next time they visit the app. A third option adds a “Stay signed in” checkbox to the login screen, which allows the user to determine the type of cookie themselves.

Last used indicators

Social SSO buttons (e.g., "Sign in with Google") now display a "Last used" label to help users remember which provider they chose on their last visit and avoid creating redundant accounts. Note that active Account Linking still allows users to change the login method to some extent, but only if the email address matches.

New admin API endpoints

The Admin API has been extended with the following new endpoints:

• password
  • get
  • create
  • update
  • delete
• webauthn
  • list
  • get
  • delete
• otp
  • get
  • delete
• sessions
  • list
  • create
  • delete

User import improvements

User import functionality has been improved. Now, more user data and credentials can be imported, e.g.:

• Usernames
• Passwords (bcrypt hashes)
• WebAuthn credentials
• OTP secrets

---

This discussion was created from the release v1.3: Custom OAuth, device trust, stay signed in.