Overview
Request 831365 accepted
- Update to version 2.4.4
* Security
- prevent XSS and open redirect on OIDC session management OP iframe,
introducing generic OIDCRedirectURLsAllowed primitive; thanks Andrew Brady
- add OIDCStateCookiePrefix primitive for the state cookie prefix to anonymise the state cookie name
* Bugfixes
- fix double Set-Cookie behaviour when using OIDCSessionType client-cookie,
calling the session info hook and writing out a session update (twice); thanks @deisser
- reverse order of creating HTML response and writing the (client-type)
session cookie in the session info hook so the session data is actually saved; thanks @deisser
- delete state cookie when it cannot be decoded/decrypted
- avoid an Apache authorisation error and HTTP 500 when logout is triggered by a different RP
* Features
- add conditional expression to OIDCUnAuthAction to override auto-detection of
non-browser requests; see #479; thanks @raro42 and @marcstern
* Other
- fixes for various compiler warnings/issues (older and newer versions of GCC)
- add grant_types to dynamic client registration request [OIDC conformance test suite]
- don't send access_token in user info request when method is set to POST
[OIDC conformance test suite]
- add recommended cache headers on backchannel logout response
https://openid.net/specs/openid-connect-backchannel-1_0.html#rfc.section.2.8 [OIDC conformance test suite]
- allow Content-Type check on backchannel logout to have postfixes (utf-8 etc.) [OIDC conformance test suite] (forwarded request 831329 from stroeder)
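The first Security item above, the XSS and open-redirect fix that introduced the generic OIDCRedirectURLsAllowed allow-list, turns on one idea: a caller-supplied redirect target must match an anchored allow-list, not merely contain a trusted domain name. The following Python is an added illustration written for this page, not mod_auth_openidc's own C code; the pattern list, the `naive_is_allowed` / `is_redirect_allowed` functions and the candidate URLs are all constructed assumptions meant to show why substring matching fails and what the allow-list must refuse.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of anchored regular expressions, in the spirit of an
# OIDCRedirectURLsAllowed setting. The patterns and matching rules here are this
# example's own assumptions, not the module's implementation.
ALLOWED_REDIRECT_PATTERNS = [
    r"https://app\.example\.com(/.*)?",
    r"https://[a-z0-9-]+\.example\.com/logout",
]

# Characters that must never reach a Location header or an HTML/JS sink.
_FORBIDDEN = set("\r\n\t <>\"'\\")


def naive_is_allowed(url: str) -> bool:
    """The weak check an open redirect typically slips past: a substring test
    for the trusted domain anywhere in the URL."""
    return "example.com" in url


def is_redirect_allowed(url: str, patterns=ALLOWED_REDIRECT_PATTERNS) -> bool:
    """Allow-list check for a caller-supplied redirect target.

    Rejects anything that is not an absolute https URL whose entire text
    matches one of the anchored patterns. Scheme-relative (//host),
    javascript: and data: targets never match; header/HTML injection
    characters are refused before parsing, because urlsplit() silently
    strips some of them.
    """
    if not url or any(c in _FORBIDDEN for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return any(re.fullmatch(p, url) for p in patterns)


def classify(url: str) -> dict:
    """Run both checks on one candidate for a before/after comparison."""
    return {"url": url,
            "naive": naive_is_allowed(url),
            "strict": is_redirect_allowed(url)}


if __name__ == "__main__":
    # Constructed candidates: one legitimate target, then open-redirect and
    # XSS/header-injection probes that the substring check waves through.
    for candidate in [
        "https://app.example.com/dashboard",
        "https://app.example.com.evil.net/",
        "https://app.example.com@evil.net/",
        "https://evil.net/?next=https://app.example.com",
        "//evil.net/?example.com",
        "javascript:alert(document.domain)//example.com",
        "https://app.example.com/\r\nSet-Cookie: sid=x",
    ]:
        print(classify(candidate))
```

The anchored `re.fullmatch` is the important part: a pattern such as `https://app\.example\.com` used with `re.match` or `startswith` would still accept `https://app.example.com.evil.net/` and `https://app.example.com@evil.net/`.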
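The last two items above concern the RP side of OpenID Connect Back-Channel Logout: the response should carry the no-cache headers recommended in section 2.8 of the spec, and the Content-Type check on the incoming request must accept parameters such as `; charset=utf-8` rather than demanding an exact string. The Python below is an added example for this page, not mod_auth_openidc code; it contrasts the brittle exact comparison with a media-type comparison, and performs only the structural logout-token checks from section 2.6 of the spec (iss, aud, iat, events, sub/sid, no nonce). The JWT signature check is deliberately not implemented and is assumed to happen in a separate JWT library before these checks; the handler, issuer, client_id and sample token are constructed assumptions.

```python
import base64
import json
from urllib.parse import parse_qs

EXPECTED_MEDIA_TYPE = "application/x-www-form-urlencoded"
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Cache headers recommended for the RP's back-channel logout response
# (OpenID Connect Back-Channel Logout 1.0, section 2.8).
NO_CACHE_HEADERS = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}


def content_type_matches_exact(header):
    """The brittle check: byte-for-byte equality. An OP that sends
    'application/x-www-form-urlencoded; charset=utf-8' is wrongly rejected."""
    return header == EXPECTED_MEDIA_TYPE


def content_type_matches(header):
    """Compare only the media type: drop parameters such as charset and
    ignore surrounding whitespace and case (RFC 7231, section 3.1.1.1)."""
    if not header:
        return False
    return header.split(";", 1)[0].strip().lower() == EXPECTED_MEDIA_TYPE


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def logout_token_claims(token, issuer, client_id):
    """Structural checks from Back-Channel Logout section 2.6. Assumption: the
    JWS signature was already verified against the OP's keys by a JWT library;
    an unverified token must never be trusted on these checks alone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if "iat" not in claims:
        raise ValueError("iat missing")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events claim lacks the backchannel-logout member")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid present")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    return claims


def handle_backchannel_logout(headers, body, issuer, client_id):
    """Constructed RP endpoint. headers: dict with lower-case names.
    Returns (status, response_headers, reason)."""
    if not content_type_matches(headers.get("content-type")):
        return 400, NO_CACHE_HEADERS, "unsupported Content-Type"
    tokens = parse_qs(body).get("logout_token", [])
    if len(tokens) != 1:
        return 400, NO_CACHE_HEADERS, "missing or duplicate logout_token"
    try:
        claims = logout_token_claims(tokens[0], issuer, client_id)
    except ValueError as exc:
        return 400, NO_CACHE_HEADERS, f"invalid logout_token: {exc}"
    # A real RP now terminates the session(s) matching claims["sid"] / claims["sub"].
    return 200, NO_CACHE_HEADERS, f"logged out sid={claims.get('sid')}"


def make_unsigned_sample_token(claims):
    """Constructed sample token (alg none, empty signature) for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    token = make_unsigned_sample_token({
        "iss": "https://op.example.com", "aud": "rp-client", "iat": 1600000000,
        "jti": "evt-1", "sid": "sess-42",
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    })
    print(handle_backchannel_logout(
        {"content-type": "application/x-www-form-urlencoded; charset=utf-8"},
        "logout_token=" + token, "https://op.example.com", "rp-client"))
```

Note that the response headers are returned on the error paths too: the 400 responses should be just as uncacheable as the 200.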
Request History
pgajdos created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
dimstar_suse added as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:9"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:adi:9"
dimstar accepted review
dimstar_suse accepted review
Staging Project openSUSE:Factory:Staging:adi:9 got accepted.
dimstar_suse approved review
Staging Project openSUSE:Factory:Staging:adi:9 got accepted.
dimstar_suse accepted request
Staging Project openSUSE:Factory:Staging:adi:9 got accepted.