Release notes 11.x versions



  • Onegini Token Server integrates with Onegini Delegated Administration for Business Partners. OAuth clients can give users more fine grained access based on the group memberships and roles from Onegini Delegated Administration for Business Partners.
  • Onegini Token Server can export security events to OneSee. These events can be used by Security Information and Event Management (SIEM) systems.
  • Cookies now have the attribute SameSite=None by default. This prevents modern browsers from blocking essential cookies when the user returns from the identity provider.

Bug fixes

  • Onegini Token Server could not handle SAML metadata from an identity provider without a validUntil attribute. This problem has been solved.



  • Public OAuth clients can now use the OAuth authorization code flow with Proof Key Code Exchange (PKCE). These clients no longer require a client secret to refresh or revoke tokens. For single page apps this flow is recommended over the implicit flow.
  • Refresh tokens did not have an expiration time and were valid until a user had revoked them. It is now possible to set an expiration time on refresh tokens. When the refresh token has expired, the user must register again. Setting this expiration time is recommended for single page apps that use the authorization code flow with PKCE.
  • The SAML authentication context can now be configured for a SAML identity provider (IdP). From now on it is also possible to configure whether the used authentication context must be exactly the same as the requested authentication context.


  • The timeout settings for communication with the Twilio SMS gateway have been changed. This makes the Token Server more resilient in case there are issues with this connection.


Some features are no longer supported. Refer to the upgrade instructions.