Release date 2026/07/02
Bugfix
-
Fixed an issue where token introspection crashed when
client_authwas set toprivate_key_jwtandclient_jwkwas provided as a JSON string. -
Fixed an issue where downstream scope-based ACL evaluation used claims from the inbound token instead of the exchanged token when token exchange was enabled.
-
Fixed an issue where token exchange actor tokens were not sourced correctly from
token_exchange.request, ensuring correct forwarding of actor tokens configured in headers or plugin config. -
Fixed an issue where
token_exchange.cache.enabled = falsewas ignored and exchanged tokens were still cached because the cache toggle incorrectly readtoken_exchange.cache.ttlinstead oftoken_exchange.cache.enabled.