From d6cdda584efdbe64d48302a0016270ea9a1a28de Mon Sep 17 00:00:00 2001
From: Pierre Belloy
Date: Thu, 17 Oct 2024 15:22:53 +0200
Subject: [PATCH] Release 7.1.8
Signed-off-by: Pierre Belloy
---
CHANGELOG.md | 24 ++++++++++++++++++++++++
changelogs/unreleased/fix-wrong-user.yml | 17 -----------------
2 files changed, 24 insertions(+), 17 deletions(-)
delete mode 100644 changelogs/unreleased/fix-wrong-user.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 026e8be8d2..b6eef0965d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,27 @@
+## 7.1.8 (2024-10-17)
+
+#### Security
+
+* Always rely on codes when fetching user from profile
+
+
+
+ Any extends of `com.axelor.auth.pac4j.AuthPac4jUserService.getUser` should takes
+ care to rely on fetch users by code only (instead of fetching by code and email).
+
+ In case your application use SSO authentication, a carefully review is needed.
+ As we now rely on users codes to retrieve users, make sure the users codes match
+ the user profile username or email provided by the identity provider (we rely on
+ pac4j user profile mapping for this). For example, OpenID Connect providers commonly
+ use `preferred_username` claim as username,but for others such as Azure OpenID Connect
+ provider, it will use the `upn` claim as username. As fallback is will use the `email`
+ claim as email. In case of existing users codes not matching identity providers username
+ or email, it will not retrieve them and users will not be able to log in. Manually change
+ will be needed, by updating users codes with their email for example.
+
+
+
+
## 7.1.7 (2024-10-07)
#### Change
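Review bot: the new security entry (the lines from `+ Any extends of ...` through `+ will be needed, by updating users codes with their email for example.`) is user-facing text that ships with the release and needs a grammar pass before merging: `Any extends of ... should takes care to rely on fetch users by code only` reads better as `Any override of ... must fetch users by code only`, `a carefully review is needed` as `a careful review is needed`, `As fallback is will use the email claim` as `As a fallback it will use the email claim`, `Manually change will be needed` as `A manual change will be needed`, and `username,but` is missing a space. Two layout points in the same hunk: the explanatory paragraphs are indented by a single space, which in Markdown does not attach them to the `* Always rely on codes when fetching user from profile` bullet (a list-item continuation has to line up with the bullet text, i.e. two spaces), so they will render as a separate top-level paragraph; and the three empty `+` lines after the bullet plus the four before `## 7.1.7` are surplus, one blank line on each side is enough. Finally, the entry tells SSO deployments what to check (that user codes match the `preferred_username`, `upn` or `email` claim mapped by pac4j) but never states what the previous code-or-email lookup allowed; one sentence on the impact of the old behaviour would let operators judge how urgently to upgrade.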
diff --git a/changelogs/unreleased/fix-wrong-user.yml b/changelogs/unreleased/fix-wrong-user.yml
deleted file mode 100644
index ab0d5cad03..0000000000
--- a/changelogs/unreleased/fix-wrong-user.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Always rely on codes when fetching user from profile
-type: security
-description: |
- Any extends of `com.axelor.auth.pac4j.AuthPac4jUserService.getUser` should takes
- care to rely on fetch users by code only (instead of fetching by code and email).
-
- In case your application use SSO authentication, a carefully review is needed.
- As we now rely on users codes to retrieve users, make sure the users codes match
- the user profile username or email provided by the identity provider (we rely on
- pac4j user profile mapping for this). For example, OpenID Connect providers commonly
- use `preferred_username` claim as username,but for others such as Azure OpenID Connect
- provider, it will use the `upn` claim as username. As fallback is will use the `email`
- claim as email. In case of existing users codes not matching identity providers username
- or email, it will not retrieve them and users will not be able to log in. Manually change
- will be needed, by updating users codes with their email for example.
-
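Review bot: folding the fragment into CHANGELOG.md and deleting it is the expected release step, and the `title`, `type: security` and `description` are carried over verbatim into the `#### Security` section of the first hunk, so no content is lost. The wording problems in the description (`should takes`, `a carefully review`, `is will use`, `username,but`) originate here in `fix-wrong-user.yml` and were copied as-is; if they are corrected in CHANGELOG.md, correct them in the same commit on both sides so the released notes and the fragment history agree.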