Version: 2026.1

Upgrade Notes

2026.1.0

Removed all ExtJS/Admin Classic UI related implementations.
PimcoreOpenIdConnectBundle no longer implements PimcoreBundleAdminClassicInterface and no longer uses BundleAdminClassicTrait. The getJsPaths() and getCssPaths() methods have been removed.
Removed the ContentSecurityPolicyUrlsPass compiler pass (DependencyInjection\Compiler\ContentSecurityPolicyUrlsPass) and the related build() method from PimcoreOpenIdConnectBundle.
Removed ExtJS controllers: Controller\AuthController, Controller\ButtonInjectionController, Controller\ConfigController.
Removed ExtJS-based event listeners: EventListener\LoginRedirectListener, EventListener\LostPasswordListener.
Removed Session\Configurator (legacy AdminSessionBagListener wrapper).
Removed Routing\StudioRouteLoader — studio routes are now loaded unconditionally.
Removed ExtJS JavaScript assets (pimcore/startup.js, pimcore/configPanel.js, ext_extensions.js) and CSS assets (login.css, admin.css).
Removed legacy services_legacy.yml service definitions (Pimcore ≤ 10 compatibility).
Removed legacy Pimcore version checks (Version::getMajorVersion()) throughout the bundle.

Migrated legacy admin controllers to the Studio backend architecture (PR #138).
New Studio backend controllers added under Controller\Studio\:
- Auth\DebugController, Auth\EndpointController, Auth\LoginController, Auth\ScriptController
- Config\GetController, Config\UpdateController
New interfaces introduced (all marked @internal):
- Hydrator\ConfigurationHydratorInterface
- Service\Studio\Auth\EndpointServiceInterface
- Service\Studio\Auth\LoginServiceInterface
- Service\Studio\Auth\RenderServiceInterface
- Service\Studio\Configuration\ServiceInterface
New schemas added: Schema\Configuration, Schema\EndpointParameters, Schema\ScriptParameters, Schema\SuccessResponse, Schema\UpdateConfigurationParameters.
New Studio frontend module added for OpenID Connect configuration and login buttons (assets/studio/).
Added OidcPublicAuthorizationVoter (Security\Voter\OidcPublicAuthorizationVoter) to authorize public OIDC routes within the Studio firewall.
Added AppConfig\OidcAppConfigProvider to supply provider names to the Studio UI app config.
Added Webpack\WebpackEntryPointProvider to register the Studio frontend build entry point.
Studio Backend and Studio UI YAML configurations are now always loaded unconditionally.
Studio backend routes are now loaded unconditionally (replacing the conditional StudioRouteLoader).

OpenIdConnectAuthenticator now extends AbstractAuthenticator (Symfony) directly instead of AdminAbstractAuthenticator (Pimcore Admin bundle). Custom code extending or decorating this class must be updated accordingly.
Removed dependency on Pimcore\Bundle\AdminBundle\Security\Authenticator\AdminAbstractAuthenticator.

Added rate limiter configuration for public OIDC endpoints via a new Resources/config/prepend/rate_limiter.yaml.
- oidc_endpoint: fixed-window, 30 requests per 5 minutes (allows ~10 OAuth2 login attempts).
- oidc_script: fixed-window, 50 requests per 5 minutes (for login-page JavaScript asset).

[General] Dropped support of Pimcore 10, bumped minimum requirement of pimcore/pimcore to ^11.2. Replaced all $request->get() with their explicit input source.
[Composer] Replaced the abandoned jwt related required packages with jwt-library
[Composer] Bumped minimum required PHP version to 8.1 and added support to 8.2 and 8.3

[Plugins] Replaced plugins backend UI with JS event listener.
[Session] Replaced SessionConfigurator with OpenSessionBagListener and added related deprecation triggers.
[Session] Deprecated Configurator::SESSION_BAG_NAME, use OpenSessionBagListener::SESSION_BAG_NAME instead.
[Session] Replaced usage of deprecated Symfony\Component\HttpFoundation\Session\Attribute\NamespacedAttributeBag in favor of AttributeBag
If you are upgrading to pimcore 11, then please install the pimcore/admin-ui-classic-bundle bundle.