Flask-multipass

------------

- Allow overriding the message of ``NoSuchUser`` and ``InvalidCredentials``, and
make its other arguments keyword-only

-----------

- Include the username in the ``identifier`` attribute of the ``NoSuchUser``
exception so applications can apply e.g. per-username rate limiting
- Fail silently when there's no ``objectSid`` for an AD-style LDAP group

-----------

- Reject ``next`` URLs containing linebreaks gracefully
- Look for ``logout_uri`` in top-level authlib provider config instead of the
``authlib_args`` dict (the latter is still checked as a fallback)
- Include ``id_token_hint`` in authlib logout URL
- Add ``logout_args`` setting to authlib provider which allows removing some of
the query string arguments that are included by default

-----------

- Support multiple id fields in SAML identity provider
- Include ``client_id`` in authlib logout URL since some OIDC providers may require this
- Allow setting timeout for authlib token requests (default: 10 seconds)
- Add new ``MULTIPASS_HIDE_NO_SUCH_USER`` config setting to convert ``NoSuchUser``
exceptions to ``InvalidCredentials`` to avoid disclosing whether a username is valid
- Include the username in the ``identifier`` attribute of the ``InvalidCredentials``
exception so applications can apply e.g. per-username rate limiting

-----------

- Drop support for Python 3.8 (3.8 is EOL since Oct 2024)
- Remove upper version pins of dependencies
- Support friendly names for SAML assertions (set ``'saml_friendly_names': True``
in the auth provider settings)
- Include more verbose authentication data in ``IdentityRetrievalFailed`` exception details

-------------

- Reject invalid ``next`` URLs with backslashes that could be used to trick browsers into
redirecting to an otherwise disallowed host when doing client-side redirects