4.229.vf736b_fec02f4

Fix security SECURITY-3168 regarding escape hatch password stored in a recoverable format. Instead of relying on system security, only a hash of the password is stored on disk.

🐛 Bug fixes

• Hash escape hatch password in configuration - fix CVE-2023-50770 (#287) @michael-doubez

🚩 Known issues

• Regression(#290): PKCE code verification no longer works (must be disabled in config)

4.228.v0c3e8682ff1f

🚀 New features and improvements

• Compatibility with Jenkins clustered setup (#288) @Vlatombe

🚩 Known issues

• Regression(#290): PKCE code verification no longer works (must be disabled in config)

4.227.v36610663f760

Fix regression(#285), introduced in v3.0, where a bug causes failure of redirect after login when Jenkins root url contains a path.

🐛 Bug fixes

• Fix invalid redirect computation (fix #285) (#286) @michael-doubez

4.225.v03326773b_44b_

💥 Breaking changes

• Use JMESPath for extracting idtoken and userinfo fields (#281). This introduces a break of configuration in the case a field name contains a character outside the alphanumeric range or underscore (regex [A-Za-z_0-9]); in this case, the name of the field must quoted in the configuration. In particular for the dot character: in the previous implementation, a field.name would be found, with JMES Path, the configuration of the field must be "field.name".

🚀 New features and improvements

• Use JMESPath for extracting idtoken and userinfo fields (#281) @michael-doubez

🚩 Known issues

• Regression(#285): wrong redirect after login when jenkins base url contains path

4.224.v62720cfa_026e

Fix regression(#236) introduced in v2.6 where group configuration is not taken into account.

🐛 Bug fixes

• Fix 2.6 regression on group field and deprecate Jackson parser (fix #236) (#280) @michael-doubez

🚩 Known issues

• Regression(#285): wrong redirect after login when jenkins base url contains path

4.223.v503b_9a_75a_8a_f

First release using continuous delivery of plugin.

🌐 Localization and translation

• Update localization (#262) @github-actions

✍ Other changes

• Setup fully automated versioning CD (#276) @michael-doubez

🚩 Known issues

• Regression(#285): wrong redirect after login when jenkins base url contains path
• Regression(#236): group configuration not taken into account (see workaround in issue)

📦 Dependency updates

• Bump actions/checkout from 3 to 4 (#279) @dependabot
• Bump actions/setup-java from 3 to 4 (#278) @dependabot
• Bump codecov/codecov-action from 3 to 4 (#277) @dependabot

oic-auth-3.0

What's Changed

• Fix for SECURITY-2979 / CVE-2023-50771 by @tumbl3w33d in #261
• Align POM with minimal requirements and fix tests by @michael-doubez in #274

🚩 Known issues

• Regression(#285): wrong redirect after login when jenkins base url contains path
• Regression(#236): group configuration not taken into account (see workaround in issue)

📦 Dependency updates

• Bump google-http-client from 1.43.2 to 1.43.3 by @dependabot in #239
• Bump maven-release-plugin from 2.5.3 to 3.0.1 by @dependabot in #234
• Bump git-changelist-maven-extension from 1.6 to 1.7 by @dependabot in #242

New Contributors

• @tumbl3w33d made their first contribution in #261

Full Changelog: oic-auth-2.6...oic-auth-3.0

oic-auth-2.6

Various security enhancements and updating dependencies.

What's Changed

• Add config option to enable PKCE by @michael-doubez in #191
• Use a nonce by @jglick in #110
• Make nonce verification optional by @michael-doubez in #192
• Allow data containing groups from SSO server to be a List of Maps in addition to a List of Strings. by @bsmoyers in #198
• Reload wellknown configuration at regular interval by @michael-doubez in #194
• expires can be 0 so manage this case (easily for now) by @olamy in #212

📦 Dependency updates

• Bump maven-checkstyle-plugin from 3.2.0 to 3.2.1 by @dependabot in #195
• Bump git-changelist-maven-extension from 1.4 to 1.5 by @dependabot in #201
• Bump git-changelist-maven-extension from 1.5 to 1.6 by @dependabot in #204
• Bump google-http-client from 1.42.3 to 1.43.0 by @dependabot in #207
• Bump google-http-client-jackson2 from 1.42.3 to 1.43.0 by @dependabot in #208
• Bump google-http-client-jackson2 from 1.43.0 to 1.43.1 by @dependabot in #211
• Bump google-http-client from 1.43.0 to 1.43.1 by @dependabot in #209
• Bump maven-checkstyle-plugin from 3.2.2 to 3.3.0 by @dependabot in #231
• Bump google-http-client from 1.43.1 to 1.43.2 by @dependabot in #226
• Bump maven-checkstyle-plugin from 3.2.1 to 3.2.2 by @dependabot in #224

🚩 Known issues

• Regression(#236): group configuration not taken into account (see workaround in issue)

New Contributors

• @jglick made their first contribution in #110
• @bsmoyers made their first contribution in #198
• @olamy made their first contribution in #212

Full Changelog: oic-auth-2.5...oic-auth-2.6

oic-auth-2.5

Fixing session fixation vulnerability SECURITY-2978.

What's Changed

• Recreate Jenkins session during login by @michael-doubez

Full Changelog: oic-auth-2.4...oic-auth-2.5

oic-auth-2.4

What's Changed

• Use google library response parsing instead or reimplementing it by @michael-doubez in #178
• Support application/jwt when invoking userinfo by @michael-doubez in #162
• Bump httpclient from 4.5.13 to 4.5.14 by @dependabot in #181
• Use own token for generic OIDConnect by @michael-doubez in #184
• Override wellknown parameters by @michael-doubez in #187
• Add configuration flag to send scopes in token request by @michael-doubez in #188
• Post logout URL configurable in GUI even in automatic mode by @michael-doubez in #189
• Lookup user fields in IdToken when not present in userinfo endpoint by @michael-doubez in #190

Full Changelog: oic-auth-2.3...oic-auth-2.4