Authlete 3.0 Release Notes - December 2025

Version Number : 3.0.22

Overview

This minor update to Authlete 3.0 was made available on Thursday, December 11th.

New Features & Improvements

Cache control improvements

Consolidated logic to ensure that all applicable endpoints include Cache-Control: no-store and Pragma: no-cache in their responses, as required by RFC 6749 (Section 5.1) for any response that carries tokens, credentials or other sensitive information.
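A small check of the kind a practitioner would run against an authorization server's token, introspection or userinfo responses to confirm the behaviour described above. This is an added example, not Authlete code: it parses the Cache-Control and Pragma headers the way a cache would (header names case-insensitive, repeated headers and comma-separated directive lists merged, directive names compared without their =value suffix) and reports anything that falls short of RFC 6749 Section 5.1. The sample responses are constructed for the example, not captured from a real server.

```python
"""Check OAuth 2.0 responses for the RFC 6749 Section 5.1 cache headers:
Cache-Control: no-store and Pragma: no-cache.  Added example, not Authlete code."""


def _values(headers, name):
    """Collect all values of a header, matching the name case-insensitively.
    A header may be repeated (given here as a list) and each value may be a
    comma-separated directive list; both are merged into one flat list."""
    out = []
    for key, value in headers.items():
        if key.lower() != name.lower():
            continue
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            out.extend(part.strip() for part in v.split(",") if part.strip())
    return out


def cache_control_directives(headers):
    """Return the set of Cache-Control directive names, lowercased and with
    any '=value' suffix removed (e.g. 'max-age=0' -> 'max-age')."""
    return {d.split("=", 1)[0].strip().lower() for d in _values(headers, "Cache-Control")}


def check_no_store(headers):
    """Return a list of findings; an empty list means the response complies."""
    findings = []
    if "no-store" not in cache_control_directives(headers):
        # 'no-cache' alone is not enough: it allows storing, only forbids
        # reuse without revalidation.  The RFC requires 'no-store'.
        findings.append("Cache-Control missing no-store")
    pragma = {d.lower() for d in _values(headers, "Pragma")}
    if "no-cache" not in pragma:
        findings.append("Pragma missing no-cache")
    # A positive max-age next to no-store usually means a framework default
    # was appended after the fact; flag it so it can be removed.
    for d in _values(headers, "Cache-Control"):
        name, _, val = d.partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit() and int(val) > 0:
            findings.append(f"Cache-Control sets a positive max-age={val.strip()}")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD_TOKEN_RESPONSE = {
    "Content-Type": "application/json;charset=UTF-8",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}
BAD_ONLY_NO_CACHE = {
    "content-type": "application/json",
    "cache-control": "no-cache, must-revalidate",  # no-cache is not no-store
    "pragma": "no-cache",
}
BAD_MISSING_PRAGMA = {
    "Cache-Control": ["no-store", "max-age=3600"],  # repeated header, contradictory
}

if __name__ == "__main__":
    for label, hdrs in [("good", GOOD_TOKEN_RESPONSE),
                        ("only no-cache", BAD_ONLY_NO_CACHE),
                        ("missing pragma", BAD_MISSING_PRAGMA)]:
        print(label, "->", check_no_store(hdrs) or "OK")
```

Feed it the header dictionary from whatever HTTP client you use (for `requests`, `dict(resp.headers)` works; `resp.raw.headers.getlist` gives you repeated headers as a list).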

Orphans retrieval improvements

Added a new admin-only endpoint to retrieve orphaned service IDs.

Specs support

Support for Client ID Metadata Document (CIMD) Discovery

  • This feature was implemented following the OAuth Client ID Metadata Document (CIMD) specification
  • This allows OAuth clients to use a URL-based client_id and publish their metadata at that location
  • Introduced a new request parameter, cimdOptions, to the /auth/authorization, /auth/token, /backchannel/authentication and /device/authorization endpoints
  • Introduced a new Service property, httpAliasProhibited, which rejects client ID aliases that begin with https:// or http://, so that an alias cannot collide with a URL-form client ID (an OpenID Federation 1.0 entity ID or a CIMD client_id)
  • The deleteClientOnUpdateFailure method in the CimdUtils class now removes dependencies from other tables as well
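The following is an added example, not Authlete code, of the validation a server has to do before it trusts a URL-based client_id and the metadata document published at it, together with the alias rule that httpAliasProhibited expresses. The URL rules it enforces (https only, a real host rather than an IP literal, no userinfo, a path component without dot segments, no fragment) are my reading of the CIMD draft and should be checked against the version you deploy; fetching the document over TLS is left to the caller, which passes the body and Content-Type in. The sample document and URLs are constructed for the example.

```python
"""Validate a CIMD-style URL client_id and its metadata document, plus the
httpAliasProhibited alias rule.  Added example; not Authlete's implementation.
The URL rule set below is assumed from the CIMD draft."""
import ipaddress
import json
from urllib.parse import urlsplit


def validate_cimd_client_id(client_id: str) -> list:
    """Return a list of problems with client_id as a CIMD URL (empty = OK)."""
    problems = []
    parts = urlsplit(client_id)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing host")
    else:
        try:  # an IP literal parses; a DNS name raises ValueError
            ipaddress.ip_address(parts.hostname)
            problems.append("host must not be an IP address")
        except ValueError:
            pass
    if parts.username or parts.password:
        problems.append("userinfo not allowed")
    if not parts.path:
        problems.append("path component required")
    elif any(seg in (".", "..") for seg in parts.path.split("/")):
        problems.append("dot segments not allowed in path")
    if parts.fragment:
        problems.append("fragment not allowed")
    return problems


def check_metadata_document(client_id: str, body: bytes, content_type: str,
                            redirect_uri: str) -> list:
    """Check a fetched metadata document against the client_id it was fetched
    from and against the redirect_uri the client is now asking to use."""
    problems = []
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append("metadata must be served as application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["metadata is not valid JSON"]
    # The document must claim the exact URL it was served from; otherwise a
    # document hosted at one URL could impersonate a client_id at another.
    if doc.get("client_id") != client_id:
        problems.append("client_id in document does not match the URL it was fetched from")
    # Only redirect URIs published in the document are acceptable; this is
    # what stops an attacker redirecting the code to a host they control.
    if redirect_uri not in doc.get("redirect_uris", []):
        problems.append("redirect_uri not registered in the document")
    return problems


def alias_allowed(alias: str, http_alias_prohibited: bool) -> bool:
    """Alias rule behind httpAliasProhibited: when the flag is set, reject any
    alias that would be indistinguishable from a URL-form client ID.  The
    scheme comparison is done case-insensitively (an assumption here)."""
    if http_alias_prohibited and alias.lower().startswith(("http://", "https://")):
        return False
    return True


# Constructed sample data for the example (not a real client).
CLIENT_ID = "https://app.example/oauth/client.json"
SAMPLE_DOC = json.dumps({
    "client_id": CLIENT_ID,
    "client_name": "Demo client",
    "redirect_uris": ["https://app.example/cb"],
    "token_endpoint_auth_method": "none",
}).encode()

if __name__ == "__main__":
    print(validate_cimd_client_id(CLIENT_ID))
    print(check_metadata_document(CLIENT_ID, SAMPLE_DOC, "application/json",
                                  "https://app.example/cb"))
    print(alias_allowed("https://app.example/oauth/client.json", True))
```

Run validate_cimd_client_id before fetching anything, so a client_id such as https://10.0.0.1/x or one with dot segments never turns into an outbound request from the authorization server.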

Support for OID4VCI 1.0 Final

  • Implemented support for credential_request_encryption (cf. OID4VCI 1.0 Section 10), which enables credential requests to be encrypted
  • Implemented support for RAR handling
  • Updated the implementation of credential_response_encryption: the top-level alg property was removed, and the algorithm is now taken from the alg member of the JWK supplied in the jwk parameter
  • Updated the implementation of c_nonce so that it is issued from the dedicated Nonce Endpoint
  • Updated the service table with columns matching the Credential Issuer Metadata parameters defined in the specification
  • Added an oid4vciVersion property to Service so that Authlete can support multiple versions of the OID4VCI specification

Bug fixes

Service Access Token rotation fix

Fixed an issue where an old service access token would remain valid after token rotation.

Redis flush fix

Fixed an issue where the redis-cluster backend would be incorrectly flushed, and improved logging to detect read or write failures to the cache.

EdDSA signature fix

Fixed an issue where the Nimbus JOSE+JWT library’s JWSVerificationKeySelector didn’t properly handle EdDSA/OKP keys, causing PRIVATE_KEY_JWT client authentication and DPoP token validation to fail when using EdDSA signatures.

Other

N/A