4.3.0

@devondragon devondragon released this 12 Mar 18:36
· 45 commits to main since this release

What's New

RegistrationGuard SPI

A new Service Provider Interface for gating user registration across all registration paths (form, passwordless, OAuth2, OIDC). Implement RegistrationGuard to add custom pre-registration logic like invite-only access, domain whitelisting, or rate limiting.

  • RegistrationGuard interface with @FunctionalInterface support for lambda implementations
  • RegistrationContext record providing email, source, and provider name
  • RegistrationDecision record with allow() / deny(reason) factory methods
  • Default permit-all guard auto-configured via @ConditionalOnMissingBean
  • Full documentation in REGISTRATION-GUARD.md
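
As an added illustration (not code from the project), here is a domain-allowlist guard in the shape the list above describes, applying the same trim().toLowerCase(Locale.ROOT) normalization this release uses for OIDC email lookup. The three framework types are re-declared as local stand-ins so the block compiles alone; the method name `evaluate`, the record accessor names, the source strings, the provider names and the allowlist are assumptions, so check REGISTRATION-GUARD.md for the real signatures.

```java
import java.util.Locale;
import java.util.Set;

public class DomainAllowlistGuardExample {
    // Local stand-ins for the framework types named in the release notes.
    // Method and accessor names are assumptions, not the project's API.
    record RegistrationContext(String email, String source, String providerName) {}
    record RegistrationDecision(boolean allowed, String reason) {
        static RegistrationDecision allow() { return new RegistrationDecision(true, null); }
        static RegistrationDecision deny(String reason) { return new RegistrationDecision(false, reason); }
    }
    @FunctionalInterface
    interface RegistrationGuard {
        RegistrationDecision evaluate(RegistrationContext context); // assumed method name
    }

    // Constructed allowlist for the example.
    static final Set<String> ALLOWED_DOMAINS = Set.of("example.com", "example.org");

    static final RegistrationGuard DOMAIN_GUARD = ctx -> {
        if (ctx.email() == null) {
            return RegistrationDecision.deny("Email is required");
        }
        // Locale.ROOT keeps lowercasing stable: under a Turkish default locale,
        // "I" lowercases to a dotless i and "EXAMPLE.COM" would never match.
        String email = ctx.email().trim().toLowerCase(Locale.ROOT);
        int at = email.lastIndexOf('@');
        if (at < 1 || at == email.length() - 1) {
            return RegistrationDecision.deny("Malformed email address");
        }
        // Exact match on the domain; a contains() or startsWith() check on the
        // whole address would accept "example.com.attacker.test".
        String domain = email.substring(at + 1);
        return ALLOWED_DOMAINS.contains(domain)
                ? RegistrationDecision.allow()
                : RegistrationDecision.deny("Domain not permitted: " + domain);
    };

    public static void main(String[] args) {
        // Constructed sample inputs, one per registration path named above.
        RegistrationContext[] samples = {
            new RegistrationContext("  Alice@EXAMPLE.com ", "FORM", null),
            new RegistrationContext("bob@other.test", "OAUTH2", "google"),
            new RegistrationContext("carol@example.com.attacker.test", "OIDC", "keycloak"),
            new RegistrationContext("no-at-sign", "PASSWORDLESS", null),
        };
        for (RegistrationContext c : samples) {
            System.out.println(c.source() + " -> " + DOMAIN_GUARD.evaluate(c));
        }
    }
}
```

Only the first sample is allowed; the other three are denied with a reason string.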

OIDC Service Alignment

Fixed four inconsistencies in DSOidcUserService to match DSOAuth2UserService behavior:

  • Email normalization: Email lookup now uses trim().toLowerCase(Locale.ROOT) before findByEmail(), preventing case-sensitive and locale-dependent mismatches
  • Audit events: New OIDC user registration now publishes an "OIDC Registration Success" audit event
  • Transactional boundaries: Added @Transactional at class level for proper database operation handling
  • Login helper integration: loadUser() now routes through LoginHelperService.userLoginHelper() to update lastActivityDate and run lockout checks

Additional Improvements

  • DSUserDetails remains immutable — OIDC tokens are set via a new LoginHelperService overload rather than mutable setters
  • OAuth2Error now includes the denial reason in the error description field for programmatic access by AuthenticationFailureHandler implementations
  • Audit events are published after save() to prevent false-positive audit records if persistence fails
  • RegistrationDecision.deny() uses String.isBlank() (Java 17+) and a named DEFAULT_DENIAL_REASON constant

Full Changelog

4.2.2...4.3.0