
release 1.8.3

@zandbelt zandbelt released this 19 Jun 18:15
· 1444 commits to master since this release

2015/06/23: fixed the erroneous upload of Debian Wheezy/Precise backports

Features

  • merge claims from the id_token into those obtained from the user info endpoint for authorization purposes; this allows, for example, using the iss claim in Require claim directives (when it is not returned by the user info endpoint)
  • improve error logging when a non-supported JWT signing/encryption algorithm is encountered
  • allow JSON string values for the "active" claim in access token validation responses (as used by, e.g., the WebSphere Liberty authorization server) (thanks @stevemart)
  • make public keys for encrypted JWT access tokens available in OAuth 2.0 configurations (see issue #74, especially the last comments)
  • remove the exceptions for accounts.google.com now that Google is OpenID Connect compliant

Bugfixes

  • fix at_hash and c_hash comparisons when the input is padded (thanks @steverc, issue #65)
  • perform validation on post-logout URLs to prevent open redirects, response splitting and cache poisoning (thanks @davidbernick, issue #68)
  • fix post-logout URL being set to SSO URL
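The at_hash/c_hash comparison that the first bugfix refers to, as an added example in Python rather than the module's own C code: the hash claim is computed as OpenID Connect Core specifies (left half of the ID token algorithm's hash, base64url without padding) and compared against the received value after both sides are decoded, so a padded value such as "xxxx==" still matches. The sample token value is constructed; the alg-to-hash table is an assumption covering the common JWS algorithms.

```python
import base64
import hashlib
import hmac

# Hash function implied by the ID token's JWS "alg" (RS256 -> SHA-256, etc.);
# assumed table covering the usual RSA/EC/HMAC/PSS algorithms.
_ALG_TO_HASH = {
    "RS256": "sha256", "ES256": "sha256", "HS256": "sha256", "PS256": "sha256",
    "RS384": "sha384", "ES384": "sha384", "HS384": "sha384", "PS384": "sha384",
    "RS512": "sha512", "ES512": "sha512", "HS512": "sha512", "PS512": "sha512",
}


def compute_hash_claim(value: str, id_token_alg: str) -> str:
    """Compute at_hash (for an access token) or c_hash (for an authorization code).

    Result: left-most half of the hash of the value's ASCII octets, base64url
    encoded with the '=' padding stripped, as the spec requires.
    """
    if id_token_alg not in _ALG_TO_HASH:
        raise ValueError("unsupported JWT signing algorithm: " + id_token_alg)
    digest = hashlib.new(_ALG_TO_HASH[id_token_alg], value.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def _normalize_b64url(s: str) -> bytes:
    """Decode base64url regardless of whether the sender appended '=' padding."""
    s = s.rstrip("=")
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)  # raises binascii.Error (a ValueError) if malformed


def hash_claim_matches(value: str, claimed: str, id_token_alg: str) -> bool:
    """Compare a received at_hash/c_hash with the locally computed one.

    Both values are decoded to raw bytes first, so padded and unpadded encodings
    of the same hash compare equal; the byte comparison itself is constant-time.
    """
    try:
        received = _normalize_b64url(claimed)
    except ValueError:
        return False
    expected = _normalize_b64url(compute_hash_claim(value, id_token_alg))
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    token = "constructed-sample-access-token"  # constructed, not a real token
    at_hash = compute_hash_claim(token, "RS256")
    print(at_hash, hash_claim_matches(token, at_hash + "==", "RS256"))
```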

Packaging

  • the *bpo70*.deb packages will work on Debian Wheezy and Ubuntu Precise
  • the regular *.deb packages will work on Debian Jessie, Ubuntu Trusty and Ubuntu Utopic