From d6cdda584efdbe64d48302a0016270ea9a1a28de Mon Sep 17 00:00:00 2001 From: Pierre Belloy Date: Thu, 17 Oct 2024 15:22:53 +0200 Subject: [PATCH] Release 7.1.8 Signed-off-by: Pierre Belloy --- CHANGELOG.md | 24 ++++++++++++++++++++++++ changelogs/unreleased/fix-wrong-user.yml | 17 ----------------- 2 files changed, 24 insertions(+), 17 deletions(-) delete mode 100644 changelogs/unreleased/fix-wrong-user.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 026e8be8d2..b6eef0965d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,27 @@ +## 7.1.8 (2024-10-17) + +#### Security + +* Always rely on codes when fetching user from profile + +
+ + Any extends of `com.axelor.auth.pac4j.AuthPac4jUserService.getUser` should takes + care to rely on fetch users by code only (instead of fetching by code and email). + + In case your application use SSO authentication, a carefully review is needed. + As we now rely on users codes to retrieve users, make sure the users codes match + the user profile username or email provided by the identity provider (we rely on + pac4j user profile mapping for this). For example, OpenID Connect providers commonly + use `preferred_username` claim as username,but for others such as Azure OpenID Connect + provider, it will use the `upn` claim as username. As fallback is will use the `email` + claim as email. In case of existing users codes not matching identity providers username + or email, it will not retrieve them and users will not be able to log in. Manually change + will be needed, by updating users codes with their email for example. + +
+ + ## 7.1.7 (2024-10-07) #### Change diff --git a/changelogs/unreleased/fix-wrong-user.yml b/changelogs/unreleased/fix-wrong-user.yml deleted file mode 100644 index ab0d5cad03..0000000000 --- a/changelogs/unreleased/fix-wrong-user.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Always rely on codes when fetching user from profile -type: security -description: | - Any extends of `com.axelor.auth.pac4j.AuthPac4jUserService.getUser` should takes - care to rely on fetch users by code only (instead of fetching by code and email). - - In case your application use SSO authentication, a carefully review is needed. - As we now rely on users codes to retrieve users, make sure the users codes match - the user profile username or email provided by the identity provider (we rely on - pac4j user profile mapping for this). For example, OpenID Connect providers commonly - use `preferred_username` claim as username,but for others such as Azure OpenID Connect - provider, it will use the `upn` claim as username. As fallback is will use the `email` - claim as email. In case of existing users codes not matching identity providers username - or email, it will not retrieve them and users will not be able to log in. Manually change - will be needed, by updating users codes with their email for example. -
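Review bot: the new `## 7.1.8` entry in the CHANGELOG.md hunk explains the fix (users are now fetched by code only, no longer by code or email) and the upgrade risk, but it never states what the previous behaviour allowed; the deleted file name `fix-wrong-user.yml` suggests the old code-or-email lookup could resolve a profile to a different `User`, and SSO operators need that stated plainly to judge urgency, so suggest a sentence along the lines of "Previously a profile could be matched to another user through its email; the lookup now uses the user code only." The same text is also shipped verbatim with the grammar slips it had in the YAML: `should takes care to rely on fetch users by code only` should read `should take care to fetch users by code only`, `a carefully review is needed` should read `a careful review is needed`, and `As fallback is will use the `email` claim` should read `As a fallback it will use the `email` claim`. Since existing users whose code matches neither the identity provider username nor email will no longer be able to log in, the entry should also tell operators to compare user codes against the provider's `preferred_username`/`upn`/`email` values before upgrading, not only after login failures appear; the comparison itself is already described, so a one-line "before upgrading" instruction is enough.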