Privacyidea

Latest version: v3.9.3


3.10dev1

Enhancements:
* Enable user-agent version in subscription checks (3800)
* token-janitor now uses the click framework (3769)
* Enhance offline token to allow refill for WebAuthn tokens (3764)

Fixes:
* Use uppercase hash name for google-authenticator URLs (3812)

3.9.2

Fixes:
* Allow verify-enroll for paper token and TAN token (3809)
* Fix offline data, when PIN is behind the OTP value (3831)

3.9.1

Fixes:
* Set correct start sequence for empty tables
* Fix pi-manage backup
* Add privacyIDEA CP to list of clients that do not
need to be unquoted. (3770)
* Fix problem with token description and verify enrollment (3798)

3.9

Features:
* Tokentype: Application Specific password (3260, 3585)
* Tokentype: Day password token (2781)
* Add machine grouping aka service IDs to be used with
application specific passwords and SSH keys (3300, 3246, 3533, 3573)

Enhancements:
* Add event handler to set token application like "offline" (3335)
* Add challenge response with pin reset for better usability with
client plugins (3261)
* Add logged_in_user to g-object during /auth request (3710)
* Allow to force description during rollout (3469)
* Allow an administrator to explicitly (only) set a description (3609)
* Add verify enrollment for indexed secret token (3452)
* Handle declined PUSH requests so that plugins know that they do
not need to poll anymore (3599)
* Clean up the usage of PI_NODE and AUDIT_SERVERNAME to allow a
consistent naming in the audit log (3589)
* Remove PI_VASCO_LIB error message in log file (3470)
* Add event handler status to audit log (3430)
* Optimize URL decoding for different clients (3337)
* Upgrade to SQLAlchemy 1.4 (2798)
* Add event for poll_transaction (3692)
* Make LDAP Resolver pooling strategy configurable (3461)
* Disable private key checking during loading for speed up (3590)
* Add tool for exporting tokens for database re-encryption (3005)
* UI: Multiselect policies in WebUI (3493)
* UI: Make the whole header of an accordion clickable (3425)
* UI: Improved grouping in the system menu (3419)
* UI: Moved the CA menu to config->system (3419)
* UI: Add Italian translation (3508)
* UI: Add user information in selfservice/user context (3688)
* Docs: Improve documentation for /validate/check-enrollment (3507)
* Docs: Improve policy mangle documentation (3565)
* Docs: Add a detailed plugin guide how to write fully functional plugins (3650)
* Docs: Fix description of preferred_client_mode (3661)
* Docs: Update documentation (3728, 3712, 3728)
* Update translations
* Infrastructure: Add Bandit and GraphQL runs for pull requests

Fixes:
* Fix /auth endpoint in case no password is available (3438)
* Return all images as data:image, so that they can be used by the
client plugins (3450)
* Fix typo in policy definition to fix revoke permission (3608)
* Add missing thread ID to audit log in case of /validate/check
(3578)
* Fix pi-manage backup with non-default SQL port (3570)
* Fix SQLAlchemy warnings (3547)
* Fix problems with naming object "." or ".." (3409)
* Use more secure secrets module instead of urandom (3623)
* UI: More explicit description for entering PIN or password (3370)
* Fetch error when decoding JWT (3028)
* UI: Fetch error when user does not exist (3672)
* Ensure subprocess calls are secure (3625)
* TOTP code cleanup: Use time2counter wherever necessary (3664)
* Fix totp.get_otp test function (3660)
* Fix typos (3661)
* Update docs about TOTP apps that have limited capabilities (3634)
* Enhance schemas for urlopen (3622)
* Add timeout to requests calls (3621)
* Avoid exception if the provided password is shorter than the
OTP length (3467)
* Ignore PIN policy during token rollover and verify to avoid
wrong error (2886)
* Fixing response data of /auth endpoint to make the handling
more consistent (3436)
* Fix parameter error in Webhook event handler (3676)
* Fix calculation of TOTP values (3734)
* Correct ID and help-text for Daypassword (3742, 3744)

3.8.1

Not secure
Fixes:
* Update diag tool (3146)
* Fix tokengroup error in WebUI (3441)
* Fix dependencies when deleting tokengroups (3423)
* Fix wrong QR code in enroll-via-validate (3427)
* Add missing preferred client mode in validate-check-enrollment (3429)
* Add missing enrollment parameters with challenge-response-enrollment (3478)
* Fix password problem with special chars -
Disable unquoting of LDAP-Proxy and simpleSAMLphp (3337)
* Remove false error message when user assigns a token (3499)
* Fix tags in email tokens (3330)
* Fix LDAP NTLM Authentication (3482)
* Add missing Webhook Eventhandler in UI (3475)
* Remove redundant id in SQL resolver (3454)
* Fix ca-parameter policy during enrollment (3479)
* Fix removing node from a policy (3500)

3.8

Not secure
Features:
* Drop support for Python 3.5. Support for 2.7 will be dropped
in privacyIDEA 3.9 (3263)
* Add MS CA connector to issue certificates from a Microsoft CA
(3233, 3232, 2966, 2158)
* Add enrollment of HOTP, TOTP, SMS, Email or PUSH token during
authentication via Multi-Challenge (2993)
* Add webhook event handler (3178, 2938)
* Allow Kerberos Authentication for LDAP resolvers (770)
* Add token groups in preparation for SSH key and Offline-Token
management (3299)

Enhancements:
* Avoid double registration of webauthn tokens per user (3207)
* Add WebAuthn attestation format "packed" (3150)
* Support Windows Hello as WebAuthn token (3142)
* Add preferred client mode to define the authentication behaviour of
plugins (3373)
* Display multiple serials in auditlog in case of C/R (3285)
* Add PI_LOGOUT_REDIRECT_URL for using a SAML logout link from the WebUI (3257)
* Add passthru policy to audit log, even if password was wrong (3212)
* Improve the description for appimageurl (3133)
* Allow to choose padding for default security module (3115)
* Make available languages configurable in pi.cfg (3076)
* Add translation for admin error messages (3066)
* Allow HTTPSMSProvider to send data as JSON (3056)
* Rename pi-manage createdb to create-tables (2996)
* Add ed25519-sk/ecdsa-sk for SSH tokens (2792)
* Avoid spamming with SMS or Email by allowing to increase failcounter
during challenge-response (933)
* Add thread ID to audit log (3381)
* Configure Email address in the subject of a certificate request (3327)
* Be more relaxed about subscription checking of plugins (3296)
UI
* Add policy for audit_page_size (3167)
* Add search highlighting in event handler conditions (3062)
* Link online documentation in WebUI (2952)
* Search and filter for actions in configured policies (2788)
Documentation
* Add a glossary (2783)

Fixes:
* Automatically delete MachineTokenOptions when a MachineToken is deleted (3165)
* Fixing int-str conversion with Python 3.10 (3303)
* Remove pillow dependency (3268)
* Fix default AD attributes to (ObjectCategory=person) (3218)
* Fix WebAuthn trust anchor directory (3216)
* Fix enrolling SSH keys with an empty comment (3198)
* Avoid fails in case of content-type header mismatch (3194)
* Fix App device in certain cases as WebAuthn token (3136)
* Fix ImportException to be subclass of privacyIDEAError (3131)
* Fix URL encoding in TiQR URL (3121)
* Add index for timestamp in DB (3120)
* AES module also encrypts empty strings (2899)
* Fix Push_Wait if user presses decline on smartphone (2865)
* Fix fetching SSH keys under certain circumstances (3375)
* Add missing sequences for certain database tables (3356)
* Remove user fields from token API (3343)
* Add SMPP encoding check (3321)
WebUI:
* Disable realm button in case of resolverread (UI) (3149)
* Add missing translation for PSKC import (3129)
