OIDCRelyingPartyAuthnConfigurationReleaseNotes

2.3.0 (23rd June, 2025)

This minor release requires version 3 of the OIDCConfig plugin. It fixes a bug in the RP's attribute decoding function that could cause aliased IdP attributes to be lost. It also introduces options that help mitigate the risk of an audience injection attack. Although the RP is not directly affected by this issue, enabling these options gives a stronger security posture going forward, provided the upstream OP supports them. See the section below for details.

JWT client authentication configuration

An Audience Injection Attack against private_key_jwt client authentication (among other mechanisms) is discussed in a research paper. The paper outlines a mitigation that sets the audience (aud) claim of the JWT assertion to the issuer identifier of the OP rather than the token (or target) endpoint URL. The same approach is described in the draft revision of RFC 7523.

While we keep the existing default configuration intact for compatibility, we provide new profile configuration options to enforce the suggested changes:

  • useTargetedEndpointAsJWTAudience: A flag to enable use of the token endpoint URL as the JWT client authentication audience (defaults to true to maintain backwards compatibility). Setting this to false gives the new, more secure behaviour of using the issuer identifier of the OP.

  • clientAuthenticationJWTType: Value for the typ header used within JWT authentication (defaults to JWT for backwards compatibility, but should be client-authentication+jwt).
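
The effect of the two options, as an added stand-alone example that is not the plugin's own code: a client_secret_jwt assertion is built either the legacy way (aud = token endpoint, typ = JWT) or the recommended way (aud = issuer identifier, typ = client-authentication+jwt), and an OP-side check shows which assertions a strict verifier accepts. The OP issuer, token endpoint, client id and secret are constructed sample values; the signing is plain HS256 over stdlib primitives, assumed for self-containment.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample deployment (not from the release notes): one OP, one RP client.
OP_ISSUER = "https://op.example.org"
OP_TOKEN_ENDPOINT = "https://op.example.org/oidc/token"
CLIENT_ID = "rp.example.org"
CLIENT_SECRET = b"constructed-client-secret-for-client_secret_jwt-demo"
STRICT_TYP = "client-authentication+jwt"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_assertion(use_targeted_endpoint_as_audience=True, typ="JWT", lifetime=60):
    """RP side: build a client_secret_jwt assertion (HS256). The two keyword arguments
    mirror the useTargetedEndpointAsJWTAudience and clientAuthenticationJWTType options."""
    aud = OP_TOKEN_ENDPOINT if use_targeted_endpoint_as_audience else OP_ISSUER
    now = int(time.time())
    header = {"alg": "HS256", "typ": typ}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": aud,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_hex(16)}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def op_verify_client_assertion(assertion, strict_audience=False):
    """OP side: return the claims if the assertion is acceptable, else None.
    strict_audience=True accepts only aud == issuer identifier plus the explicit typ;
    the lenient mode also accepts the token endpoint URL for compatibility.
    Only a single string aud is handled here (a JSON array is also legal in JWTs)."""
    try:
        h, c, s = assertion.split(".")
    except ValueError:
        return None
    expected = hmac.new(CLIENT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # signature does not verify under the client's secret
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    if header.get("alg") != "HS256" or claims.get("exp", 0) < time.time():
        return None
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        return None
    allowed_aud = {OP_ISSUER} if strict_audience else {OP_ISSUER, OP_TOKEN_ENDPOINT}
    if claims.get("aud") not in allowed_aud:
        return None
    if strict_audience and header.get("typ") != STRICT_TYP:
        return None
    return claims
```

A legacy assertion (defaults) passes the lenient OP check but is rejected by the strict one; the hardened assertion passes both.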

2.2.0 (27th March, 2025)

This minor release introduces a property that allows deployers to change the subject c14n post-login flow list bean. Additionally, it addresses a NullPointerException when the RP processes claims from an OP that contain null values.

2.1.2 (15th July, 2024)

This patch release adds the missing subjectDecorator wiring to the flow descriptor; it is set using the property idp.authn.oidc.rp.subjectDecorator.

2.1.1 (12th April 2024)

This is a patch release aimed at fixing an issue with version 2.1.0. By mistake, the previous version enabled PKCE support by default. Since this is a shared property with the OP, installing RP version 2.1.0 would automatically enable PKCE support on the OP as well.

2.1.0 (11th April 2024)

This version enables, by mistake, PKCE support for both the RP and the OP when installed. If you have installed both plugins and did not intend to enable PKCE support, ensure that the property "idp.oidc.forcePKCE" is commented out in "authn/oidc-rp.properties".

This release adds the following features to the RP plugin:

  1. PKCE (RFC 7636) support for the authorization code flow. Enabled by setting the OIDC property idp.oidc.forcePKCE = true.

  2. Supports the display authentication request parameter. Set using a relying-party override e.g. p:display="popup".

  3. Allows arbitrary claims to be sent to the authorization request in the request object. Supported using a custom BiConsumer<ProfileRequestObject, ClaimsSet> claims function defined using a bean named shibboleth.authn.oidc.rp.CustomRequestObjectClaimsStrategy.

  4. Adds a tighter Content-Security-Policy to the views, which the RP only uses when making authorization requests with the form_post method.

2.0.1 (19th March 2024)

This release addresses a problem where an internal IdP jar file was inadvertently included in the plugin's distribution. This caused conflicts with the IdP's classpath, making it difficult for users to upgrade from IdP version 5.0.0 to newer versions.

2.0.0 (14th Sept 2023)

This release is compatible with version 5.0.0 of the Shibboleth IdP. There are no new features, but a few important bug fixes (especially around HTTP resource leaks).

1.1.0 (27th June 2023)

This release adds two new features to the RP and addresses some configuration cleanups suggested by early adopters. The two new features are:

  1. Proxying passive authentication requests to the upstream OP by setting the prompt authentication request parameter to none.

  2. Support for the client_secret_jwt and private_key_jwt client authentication methods when authenticating to the Token endpoint (in addition to the already supported client_secret_basic and client_secret_post methods).