This minor release introduces a property that allows deployers to change the subject c14n post-login flow list bean. Additionally, it addresses a NullPointerException when the RP processes claims from an OP that contain null values.
This patch aims to add the missing subjectDecorator wiring to the flow descriptor. The decorator is set using the property idp.authn.oidc.rp.subjectDecorator.
This is a patch release aimed at fixing an issue with version 2.1.0. By mistake, the previous version enabled PKCE support by default. Since this is a shared property with the OP, installing RP version 2.1.0 would automatically enable PKCE support on the OP as well.
This version enables, by mistake, PKCE support for both RP and OP when installed. In case you have installed both these plugins and did not intend to enable PKCE support, please ensure that the property "idp.oidc.forcePKCE" is commented out in "authn/oidc-rp.properties".
This release adds the following features to the RP plugin:
PKCE (RFC 7636) support for the authorization code flow. Enabled by setting the OIDC property idp.oidc.forcePKCE = true.
Supports the display authentication request parameter. Set using a relying-party override, e.g. p:display="popup".
Allows arbitrary claims to be sent to the authorization request in the request object. Supported using a custom BiConsumer<ProfileRequestObject, ClaimsSet> claims function defined using a bean named shibboleth.authn.oidc.rp.CustomRequestObjectClaimsStrategy.
Adds a tighter Content-Security-Policy to views, which the RP only uses when making authorization requests using the form_post method.
This latest release addresses a problem where an internal IdP jar file was inadvertently included in the plugin's distribution. This caused conflicts with the IdP's classpath making it difficult for users to upgrade to newer versions of the IdP from version 5.0.0.
This release is compatible with version 5.0.0 of the Shibboleth IdP. There are no new features, but a few important bug fixes (especially around HTTP resource leaks).
This release adds two new features to the RP and addresses some configuration cleanups suggested by early adopters. The two new features are:
Proxying passive authentication requests to the upstream OP by setting the prompt authentication request parameter to none.
Support for the client_secret_jwt and private_key_jwt client authentication methods when authenticating to the Token endpoint (in addition to the already supported client_secret_basic and client_secret_post methods).