## [1.1.0]
Multi-provider support and hardening. Existing installs behave identically after updating — the provider preset defaults to authentik and every new setting is off/neutral by default.
### Added
### Changed
- Provider presets: authentik (default), Keycloak, and Generic OIDC. Endpoints are resolved via OIDC discovery (
.well-known/openid-configuration, cached 6h), so any spec-compliant IdP works. authentik falls back to its fixed endpoints if discovery is unavailable.- Single Logout (RP-initiated): opt-in, off by default. Ends the IdP session on logout via the discovered
end_session_endpoint.- Profile-name sync: opt-in; refresh first/last name from the provider onlogin. Never touches email or password.
- Debug logging: opt-in verbose
[authentik-sso]logs. By default only warnings/errors are written and emails are masked (m***@example.com). Connection test now runs OIDC discovery and reports the issuer, endpoints found (n/3), a client-credential check, Single-Logout support, and an issuer/host mismatch warning.
### Fixed
- Settings page decluttered: concise one-line descriptions, static hints, no preset-dependent text. Game-panel setup (Pterodactyl/Pelican) moved to the guide (Section 9) instead of a preset + info box.
- "Authentik URL" is now Issuer / Base URL; the button label falls back to the provider name when left empty. Existing saved values are preserved.
- Group restriction is now case-insensitive, with a precise log hint when the
groupsclaim is absent.- Login and test routes are rate-limited.
- Duplicate login button on themes that render the
auth.loginhook (the fallback injector now detects the already-rendered button).- Potential redirect loop in Force mode when the Client Secret was missing.
- Redirect-URI copy button falls back to
execCommandon plain-HTTP panels.- A missing/incomplete configuration now redirects to the login page with a clear message instead of returning HTTP 500.
- The test button reports an expired session (HTTP 419) explicitly.
