When prompt=none  is sent by the RP and the session is not authenticated the request is sent back in accordance to https://openid.net/specs/openid-connect-core-1_0.html#AuthError

When setting up an OIDC OP  the scenario now produces a jwks_uri based on the defined authorization endpoint URL domain + tenantID. (Same pattern as token_endpoint) . 

The kid param of the valve is now automatically set based on the selected keystore for the jwt signing.

Token endpoint is now constructed using tenant in URI. Previously the tenant was put as a parameter in the query string.

"userInfo" end point  is now created at guide completion.

Scenario configurations  creates a jwt with a proper "amr" configuration. Data type now is array.

Removed “alg“ from jwks response. The parameter is optional. Sign algos should be configured in the “well-known/openid-configuration“ response. Currently defaults to RS256 which is the only alg supported.

By default discovery URL's are re-discovered every 60 minutes.

When sending error response back when violating the  promt=none request. The response must be sent back using HTTP - POST.

Most if the OIDC scenarios have been disabled for new creation. Already added scenarios remain and can be edited.

It is now recommended to use the OIDC->SAML Identity Provider scenario. Using this scenario provides accessibility to all authentication methods included in the platform. Using this scenario also makes it feasible to use already added SAML Identity Providers, both internal and external.

Events written has been updated to better fit the usecase.

Faulty behaviour when unlocking account in AD fixed.

Fixed mix of languages shown in PSS.

For customizing UI in PSS follow instructions here: 

https://document.phenixid.net/m/96177/l/1462959-how-to-customize-pss-4-1-or-later

Existing updates done may need to be verified.