2.1.1 (12th April 2024)

Getting issues...

This is a patch release aimed at fixing an issue with version 2.1.0. By mistake, the previous version enabled PKCE support by default. Since this is a shared property with the OP, installing RP version 2.1.0 would automatically enable PKCE support on the OP as well.

2.1.0 (11th April 2024)

This version enables, by mistake, PKCE support for both RP and OP when installed. In case you have installed both these plugins and did not intend to enable PKCE support, please ensure that the property "idp.oidc.forcePKCE" is commented out in "authn/oidc-rp.properties".

Getting issues...

This release adds the following features to the RP plugin:

  1. PCKE (RFC 7636) support for the authorization code flow. Enabled by setting the OIDC property idp.oidc.forcePKCE = true.

  2. Supports the display authentication request parameter. Set using a relying-party override e.g. p:display="popup".

  3. Allows arbitrary claims to be sent to the authorization request in the request object. Supported using a custom BiConsumer<ProfileRequestObject, ClaimsSet> claims function defined using a bean named shibboleth.authn.oidc.rp.CustomRequestObjectClaimsStrategy.

  4. Adds a tighter Content-Security-Policy to views.

    1. Which the RP only uses when making authorization requests using the form_post method.

2.0.1 (19th March 2024)

Getting issues...

This latest release addresses a problem where an internal IdP jar file was inadvertently included in the plugin's distribution. This caused conflicts with the IdP's classpath making it difficult for users to upgrade to newer versions of the IdP from version 5.0.0.

2.0.0 (14th Sept 2023)

Getting issues...

This release is compatible with version 5.0.0 of the Shibboleth IdP. There are no new features, but a few important bug fixes (especially around HTTP resource leaks).

1.1.0 (27th June 2023)

Getting issues...

This release adds two new features to the RP and addresses some configuration cleanups suggested by early adopters. The two new features are:

  1. Proxying passive authentication requests to the upstream OP by setting the prompt authentication request parameter to none.

  2. Support for the client_secret_jwt and private_key_jwt client authentication methods when authenticating to the Token endpoint (in addition to the already supported client_secret_basic and client_secret_post methods).