Skip to content

Commit

Permalink
Release 7.1.8
Browse files Browse the repository at this point in the history
Signed-off-by: Pierre Belloy <[email protected]>
  • Loading branch information
pbe-axelor committed Oct 17, 2024
1 parent b53fa17 commit d6cdda5
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 17 deletions.
24 changes: 24 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,27 @@
## 7.1.8 (2024-10-17)

#### Security

* Always rely on codes when fetching user from profile

<details>

Any extends of `com.axelor.auth.pac4j.AuthPac4jUserService.getUser` should takes
care to rely on fetch users by code only (instead of fetching by code and email).

In case your application use SSO authentication, a carefully review is needed.
As we now rely on users codes to retrieve users, make sure the users codes match
the user profile username or email provided by the identity provider (we rely on
pac4j user profile mapping for this). For example, OpenID Connect providers commonly
use `preferred_username` claim as username,but for others such as Azure OpenID Connect
provider, it will use the `upn` claim as username. As fallback is will use the `email`
claim as email. In case of existing users codes not matching identity providers username
or email, it will not retrieve them and users will not be able to log in. Manually change
will be needed, by updating users codes with their email for example.

</details>


## 7.1.7 (2024-10-07)

#### Change
Expand Down
17 changes: 0 additions & 17 deletions changelogs/unreleased/fix-wrong-user.yml

This file was deleted.

0 comments on commit d6cdda5

Please sign in to comment.