v0.11.2

• Support for the /.well-known/change-password endpoint, as defined in
  RFC8615.
• Fixed a bug that could cause the TOTP field to not be rendered, even if it's
  required.
• Fixed a bug where users weren't getting activated using the "Create user"
  form.

v0.11.1

• Last release broke the OAuth2 authorization endpoint.

v0.11.0

• Support for a new user type: 'group'. Groups can contain users and will in a
  future release allow roles to be created with privileges that can be applied
  to entire groups.
• TOTP can now be set to 'required', 'optional' and 'disabled' via a server-
  wide flag.
• OAuth2 access, refresh and authorization code expiry times are now
  configurable.
• Better design for notifications vs. error messages.
• It's now possible for an admin to create new users via an API or form.
• It's now possible to authenticate with the a12nserver via a Bearer token,
  allowing clients to directly call a12nserver APIs.
• The OAuth2 login flow now also shows the lost password and registration
  links, if they were enabled.

v0.10.2

• Fix a small bug in the /introspect endpoint. Successful responses were not
  returning.

v0.10.1

• Fixed a small CSS layout bug on login.
• /introspect endpoint now doesn't require login.

v0.10.0

• Added a 'lost password' feature that uses email for validating using
  accounts.
• The audit log now tracks the 'User agent'.
• Better autocomplete hints on the login and registration form for password
  managers.

0.4.1

• refresh_token can now be used without a client secret.
• authorization_code no longer requires a client secret.
• authorization_code grant now returns a refresh token.
• The token endpoint now returns cors headers.

0.4.0

• Default port is 8531.
• Added a 'Getting started' guide.
• Added all database schemas to set up a new server.
• The password grant type is now supported.
• Refreshing tokens now works.
• The allowed_grant_types is now actively enforced for every client.
• Returning correct OAuth2 error responses for more internal errors.