From c08cc3039b14ca3756846329c3de6744c515ef37 Mon Sep 17 00:00:00 2001
From: mposolda <mposolda@gmail.com>
Date: Wed, 13 Jun 2018 09:29:16 +0200
Subject: [PATCH] 4.0.0 release notes - added Client Scopes and Certificate
 Bound Access Tokens

---
 release_notes/topics/4_0_0_final.adoc | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/release_notes/topics/4_0_0_final.adoc b/release_notes/topics/4_0_0_final.adoc
index b587896aa9..d5bcdc470e 100644
--- a/release_notes/topics/4_0_0_final.adoc
+++ b/release_notes/topics/4_0_0_final.adoc
@@ -1,3 +1,20 @@
-= Test Feature
+= Client Scopes and support for OAuth 2 scope parameter
 
-Some test feature.
\ No newline at end of file
+We added support for Client Scopes, which replaces Client Templates. Client Scopes are a more flexible approach and also provides
+better support for the OAuth `scope` parameter.
+
+There are changes related to Client Scopes to the consent screen. The list on the consent screen is now linked to client scopes
+instead of protocol mappers and roles.
+
+See the documentation and migration guide for more details.
+
+= OAuth 2 Certificate Bound Access Tokens
+
+We now have a partial implementation of the specification
+https://tools.ietf.org/html/draft-ietf-oauth-mtls-08[OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens] .
+More accurately we have support for the Certificate Bound Access Tokens. If your confidential client is able to use 2-way SSL,
+{project_name} will be able to add the hash of the client certificate into the tokens issued for the client. At this moment,
+it's just  the {project_name} itself, which verifies the token hashes (for example during `refresh token` requests).
+We plan to add support to adapters as well. We also plan to add support for Mutual TLS Client Authentication.
+
+Thanks to https://github.com/tnorimat[tnorimat] for the contribution.
\ No newline at end of file