v2026.6.2

What's Changed

• [AAP-68669] Allows OAuth tokens to start with "Token" by @huffmanca in #966
• [AAP-69161] Fix TOCTOU race in RBAC caching causing FK violations under concurrency by @john-westcott-iv in #967
• AAP-65871 Fix openapi spec for ATF by @bhavenst in #969
• AAP-70750 Apply optimization of skipping RoleEvaluation object materialization by @AlanCoding in #971
• AAP-65871: Fix openapi spec for oauth2 algorithms by @bhavenst in #975
• AAP-65871 fix resource_data for openapi spec by @bhavenst in #976
• [AAP-71514] Address deletion with partially completed requests in resource_sync by @huffmanca in #977
• [AAP-68463] fix: recurring error with RoleDefinition sync by @ttuffin in #978
• AAP-69542 Remove unnecessary global declaration by @AlanCoding in #955
• AAP-65739 Update cryptography for CVE-2026-26007 by @bhavenst in #981
• [AAP-70480] Introduces a profiling middleware to obtain performance data from endpoint calls by @huffmanca in #974
• [AAP-72703] - Add FEATURE_DASHBOARD_COLLECTION_ENABLED flag and migration by @cshiels-ie in #983
• [AAP-71476] Improve SonarCloud metrics by @lucasc017 in #987
• [AAP-68023] Use direct JOINs instead of nested IN subqueries in RBAC evaluation by @djyasin in #985
• [AAP-72703] Update FEATURE_DASHBOARD_COLLECTION_ENABLED flag toggle type by @cshiels-ie in #988
• [AAP-71476] Fix SonarCloud reliability and security issues by @lucasc017 in #989
• [AAP-73775] Add Hub to DAB consumers by @jerabekjiri in #986
• [AAP-72504] Add configurable page_size and jwt_expiration for resource sync by @huffmanca in #991
• AAP-72278 Fix token visibility by @bhavenst in #990
• [AAP-72446] [devel backport] CVE-2026-6266: Email change policy enforcement and ALLOW_USER_EMAIL_SELF_EDIT by @john-westcott-iv in #994
• [AAP-74692] Rename UI for FEATURE_DASHBOARD_COLLECTION_ENABLED by @cshiels-ie in #997
• [AAP-69617] Optimize related_fields() and get_summary_fields() to avoid N+1 FK queries by @huffmanca in #992
• Fix O(n) correlated subquery in get_object_by_ansible_id() by @djulich in #993
• [AAP-74442] Fix email enforcement edge cases from CVE-2026-6266 backport by @john-westcott-iv in #1001
• [AAP-45394 AAP-45047] Fix: allow maps can now recover access after an earlier deny by @bhavenst in #995
• [AAP-71149] Bump jwcrypto>=1.5.7 for CVE-2026-39373 by @bmclaughlin in #1003
• [AAP-61226] Remove FEATURE_CASE_INSENSITIVE_AUTH_MAPS_ENABLED feature flag by @Dostonbek1 in #1004
• [AAP-55298] Fix OAuth2 scope mutation causing spurious activity stream entries by @bhavenst in #998
• [AAP-59804] Extract shared resource type strings into constants by @huffmanca in #1005
• [AAP-73651] Fix cross-service RBAC sync for non-existent remote objects by @bhavenst in #1006
• [AAP-73865] Add observability app by @chrismeyersfsu in #982
• [AAP-72137] [oauth2_provider] Add RP-initiated logout support by @BrennanPaciorek in #984
• [AAP-56519] Fix: Move capture_oauth_email_pipeline after associate_user by @bhavenst in #1008
• AAP-72039 Introduce partial-recomputation of team permissions by @AlanCoding in #980
• [AAP-74082] Fix TypeError when API returns null results by @Funi1234 in #1011
• [AAP-65882] Migrate AWX Redis cache driver to DAB by @tznamena in #1015
• AAP-77154: Disable warnings-as-errors for downstream consumer tests by @AlanCoding in #1013
• AAP-65883: Add shared cache invalidation utility by @bhavenst in #1014
• [AAP-74899] Add Codecov integration for coverage tracking by @Funi1234 in #1016

New Contributors

• @ttuffin made their first contribution in #978
• @cshiels-ie made their first contribution in #983
• @lucasc017 made their first contribution in #987
• @djulich made their first contribution in #993
• @bmclaughlin made their first contribution in #1003
• @Funi1234 made their first contribution in #1011

Full Changelog: 2026.3.19...2026.6.2

v2026.3.19

What's Changed

• AAP-58540 Remove the dispatcherd feature flag by @AlanCoding in #922
• [AAP-62105] Implement default JWT scope aap_controller_automation_job for OIDC workload identity by @melissalkelly in #923
• AAP-63560 Allow not checking permission of remote objects, and do check in service-index by @AlanCoding in #926
• [AAP-62657] Rename both CLAIM_LAUNCHED_BY_USER_NAME and CLAIM_LAUNCHED_BY_USER_ID… by @melissalkelly in #929
• [AAP-64481] Remove double logging by eliminating second_logger parameter by @jay-steurer in #930
• [AAP-43414] - Add Workload Identity Token serializers by @fincamd in #925
• [AAP-64480] Add audit logging for activity stream changes by @john-westcott-iv in #931
• AAP-65704 Define TOX_DOCKER_GATEWAY to fix failing CI checks by @zkayyali812 in #938
• AAP-65704 Do not run actions on push if not for a protected branch by @AlanCoding in #928
• Add workload identity API client library by @matoval in #924
• AAP-65260: feature flag restore by @zkayyali812 in #942
• AAP-65826 - Fallback for timeout if unset by @zkayyali812 in #943
• AAP-62534 Add get_target_claim_names_to_sub_stubs() classmethod to BaseWorkloadIdentityScope and AutomationControllerJobScope by @melissalkelly in #940
• AAP-64565 Remove fallback authentication by @bhavenst in #947
• AAP-64507: Fix workload identity client to include trailing slash by @PabloHiro in #949
• [AAP-65392] Fix OIDC issuer in discovery view by @dleehr in #948
• AAP-64919 Mask encrypted fields in audit log/activitystream by @bhavenst in #950
• [AAP-64920] Adds audit logging for AAPFlag by @huffmanca in #945
• [AAP-64918] Adds AuditableModel for Role*Assignment by @huffmanca in #956
• [AAP-63312] Add workload_ttl_seconds field to WorkloadIdentityTokenRequestSerializer by @arrestle in #952
• [AAP-63314] P4.4: Add workload_ttl_seconds to WorkloadIdentityClient by @arrestle in #954
• [AAP-66890] Re-order subject claim in workload identity token to be org->job by @melissalkelly in #960
• [AAP-67004] remove workload_identity serializers by @PabloHiro in #962
• feat(AAP-68132): Gateway OIDC User Identity by @zkayyali812 in #963
• AAP-67028 Move scope_registry to DAB by @melissalkelly in #964

New Contributors

• @melissalkelly made their first contribution in #923
• @fincamd made their first contribution in #925
• @matoval made their first contribution in #924

Full Changelog: 2026.1.26...2026.3.19

v2026.1.26

What's Changed

• AAP-60514 Pin xmlsec to 1.3.17 for python 3.12 by @tznamena in #904
• AAP-60514 Add pinned lxml into requirements file for Konflux by @tznamena in #905
• AAP-60022 make drf-spectacular dep a range by @AlanCoding in #895
• AAP-60703 Pin lxml and xmlsec to versions compatible with ubi9 by @tznamena in #906
• AAP-58457 Remove IPv6 feature flag by @bhavenst in #908
• fix(AAP-62151): feature flag restore by @zkayyali812 in #911
• [AAP-62242] Updating urllib3 to 2.6.3 for CVE-2025-66471 by @john-westcott-iv in #912
• Revert "[AAP-62242] Updating urllib3 to 2.6.3 for CVE-2025-66471 (#912)" by @john-westcott-iv in #913
• [AAP-55910] Corrects OAuth2_Authentication securityScheme in openapi spec by @huffmanca in #914
• fix: Handle race condition in RoleDefinition.get_or_create by @B-Whitt in #909
• AAP-60826 Add Annon condition to visible_users by @AlanCoding in #919
• AAP-56032 [DAB devel] Slightly alter history to avoid having a Django 5 migration by @AlanCoding in #916
• [AAP-43413] FEATURE_OIDC_WORKLOAD_IDENTITY_ENABLED feature flag and OIDC endpoints by @PabloHiro in #915

New Contributors

• @B-Whitt made their first contribution in #909

Full Changelog: 2025.12.12...2026.1.26

v2025.12.12

What's Changed

• [AAP-53741] Adding log_auth_event function by @john-westcott-iv in #894
• AAP-56257 General dependency upgrade by @AlanCoding in #866
• AAP-53741: Add and use more auth log functions by @BrennanPaciorek in #899
• [AAP-53741] Social failures by @john-westcott-iv in #897
• [AAP-53741] Adding exception to explain why we can't connect to redis by @john-westcott-iv in #896
• [AAP-53741 ] Adding log message if no logger can validate the authenticating user by @john-westcott-iv in #898
• AAP-53741 Add social auth redirect logging for auditability by @BrennanPaciorek in #891
• [AAP-53741] Add RequestAuditInfoFilter for source IP and user agent logging by @john-westcott-iv in #900
• AAP-53741 Log when OAuth2 tokens are created, modified, used by @BrennanPaciorek in #893
• AAP-58240: Add git archive support for setuptools-scm by @fao89 in #901
• Make python 3.12 default by @jerabekjiri in #892

New Contributors

• @jerabekjiri made their first contribution in #892

Full Changelog: 2025.12.3...2025.12.12

v2025.12.3

What's Changed

• AAP-56793 feat: Add AuthenticatorUpdateSerializer with read-only type field by @tyraziel in #884
• AAP-56795 feat: Fix AuthenticatorMap OpenAPI schema by making triggers field required by @tyraziel in #885
• AAP-56792 fix: Add proper constraints to RoleUserAssignmentViewSet OpenAPI spec by @tyraziel in #883
• [AAP-59252] fix: Make RoleUserAssignment OpenAPI schema spec-compliant by @tyraziel in #886
• [AAP-59285] Adding openapi specification validation as a part of the sanity CI checks by @tyraziel in #887
• AAP-45875 Runtime Feature Flags by @fao89 in #875
• AAP-58622 Assure that ansible_id is prefered for content_object in all cases by @AlanCoding in #882
• [AAP-59444] Add metadata to return the AuthenticatorUpdateSerializer to say 'type' is read only by @tyraziel in #889
• Include feature flags definitions in package manifest by @fao89 in #890

Full Changelog: 2025.11.20...2025.12.3

v2025.11.20

What's Changed

• Add migration-safe utility function for global permission assignment by @fao89 in #870
• AAP-56394 Fix SAML authentication uid selection by @bhavenst in #871
• AAP-56394 Fix SAML and azuread authentication user lookup by @bhavenst in #872
• [AAP-49757] Add fallback authentication support to local authenticator by @john-westcott-iv in #868
• AAP-53278 General API optimizations for RBAC by @AlanCoding in #837
• AAP-49757: Add setting ANSIBLE_BASE_AUTHENTICATION_LOCAL_FALLBACK_AUTHENTICATORS by @BrennanPaciorek in #878
• [AAP-54064] Decoupling apps from ansible_base.rbac by @AlanCoding in #869
• AAP 51882 - shared jwt authenticator class by @pb82 in #874
• AAP-51895 improve logging by @chrismeyersfsu in #876
• [AAP-58239] Fix pytest error in prefixed authentication tests by @huffmanca in #880
• AAP-56282: Include x-ai-description in generated spec by @huffmanca in #879
• AAP-58110 Update django version for CVE by @bhavenst in #881

New Contributors

• @pb82 made their first contribution in #874
• @huffmanca made their first contribution in #880

Full Changelog: 2025.10.20...2025.11.20

v2025.10.20

What's Changed

• Adding OAuth2 scope to view by @john-westcott-iv in #841
• [AAP-54064] Allowing for RBAC to not be installed in the JWT consumer by @john-westcott-iv in #848
• AAP-54064 Delete DABPermission entries if model is not registered and not used by @AlanCoding in #851
• AAP-51351 [devel-only] Drop python 3.9, add 3.12 by @AlanCoding in #842
• AAP-53611 Exclude test_app from code coverage by @AlanCoding in #843
• AAP-51352 Allow running tests with --nomigrations by @AlanCoding in #853
• AAP-53946 [devel-only] Forever ensure that ansible_base.lib.* is importable by @AlanCoding in #844
• [AAP-52663] Add SonarCloud badges to README.md by @john-westcott-iv in #856
• [AAP-52663] Refactor SonarCloud workflow to use workflow_run pattern by @john-westcott-iv in #857
• [AAP-52663] Make SONAR_TOKEN retrieve the correct secret by @john-westcott-iv in #860
• [AAP-55305] Short circuiting claims processing if user is a super user by @john-westcott-iv in #863
• AAP-51940 [devel-only] Remove role-tracking feature no longer used by @AlanCoding in #827
• AAP-56029 Collect test coverage from everything in the matrix by @AlanCoding in #865
• AAP-51350 Support Django 5.2 as well as Django 4.y by @AlanCoding in #855
• AAP-42306 Revert #623 Do not intercept is_superuser JWT auth by @bhavenst in #867

Full Changelog: 2025.9.17...2025.10.20

v2025.9.17

What's Changed

• [AAP-51575] Fix AttributeError in _lowercase_attr_triggers for list values by @john-westcott-iv in #802
• [AAP-50837] Adding domain validation function by @john-westcott-iv in #792
• AAP-50805 Ignore role content types not known to system in sync by @AlanCoding in #811
• AAP-51654 Enforce that references to objects are strictly done in claims data, not token data by @AlanCoding in #809
• [AAP-51419] Fix remote object handling in RBAC assignments and resource sync by @fao89 in #808
• AAP-51789 - allow_null for field created_by_ansible_id by @zkayyali812 in #813
• AAP-51883 Fix unsafe assumption about org content type by @AlanCoding in #814
• AAP-50879 Add data, remove dups, RBAC access list serializer by @AlanCoding in #815
• [AAP-48398] Add periodic role assignment fallback sync by @jessicamack in #810
• [AAP-50420] Add Default JWT Algorithms by @zkayyali812 in #820
• AAP-50803 500 server error when creating a custom role missing the "View" permission by @arrestle in #822
• AAP-50843 Allow normal users access to role types by @arrestle in #823
• AAP-51502 Make authenticator.configuration reqd by @bhavenst in #819
• [AAP-52187] Fix rbac user access viewset permissions by @arrestle in #826
• [AAP-52133] Improve RoleUserAssignmentsCache.cache_existing method by @john-westcott-iv in #824
• [AAP-52121] Fix attribute handling with 'and' condition by @tznamena in #830
• [AAP-52434] Rework the SonarQube Cloud integration by @thenets in #829
• [AAP-52434] Fix SonarQube Cloud organization by @thenets in #835
• AAP-46641 Increase trusted header timeout by @bhavenst in #831
• AAP-52836 Fix RoleDefinition reverse-sync setting permissions to empty list by @AlanCoding in #833
• [AAP-53287] Add reverse sync to give_creator_permission by @fosterseth in #832
• [AAP-51985] Implements cross-service RBAC cleanup for object deletion by @arrestle in #834
• [AAP-53405] Expand how AzureAd searches for the USERNAME_FIELD by @john-westcott-iv in #838

New Contributors

• @jessicamack made their first contribution in #810
• @arrestle made their first contribution in #822

Full Changelog: 2025.8.18...2025.9.17

v2025.8.18

What's Changed

• [AAP-50140]: Change azure ad authenticator plugin group setting default from Group to groups by @john-westcott-iv in #798
• [AAP-47811] Update jwt_consumer to load user claims from gateway, if needed by @TheRealHaoLiu in #796
• Add IntOrUUIDConverter URL converter by @fao89 in #801
• [AAP-51570] Fix SAML security config validation error message formatting by @john-westcott-iv in #800
• AAP-47896 Improve auth map application debug output by @bhavenst in #795
• [AAP-51620] Enhance UUID-based test to handle edge case where UUID ends with PK digits by @john-westcott-iv in #805
• Removed default None file in Azure AD authenticator by @john-westcott-iv in #807
• AAP-51591 Remove LDAP composite filter splitter by @bhavenst in #803
• [AAP-47897] Use configured groups attribute in SAML authenticator by @tznamena in #797

Full Changelog: 2025.8.11...2025.8.18

v2025.8.11

What's Changed

• AAP-49910 - Delete legacy authenticator code by @zkayyali812 in #780

Full Changelog: 2025.8.7...2025.8.11