glewlwyd

• Minor bugfixes and improvements
• Improve e-mail scheme security model by adding a mutex lock when generating codes, and adding a code prefix sent in the trigger method to mitigate stolen codes
• Update cmake script for a cleaner build
• Add config values user_backend_api_run_enabled, user_middleware_backend_api_run_enabled, client_backend_api_run_enabled, scheme_api_run_enabled to list authorized backend or schemes for a Glewlwyd instance
• Add config value originating_ip_header to specify the header value containg the originating IP address, if any
• Add config values response_body_limit and max_header to limit download sizes when relevant
• Rework Docker files to build from source instead of downloading packages from github
• cmake: split package build options in 3 (tar.gz, deb and rpm), and set all packages build to off by default
• Security: Fix possible buffer overflow in webauthn attestation

• Build with flag -Wconversion

• Minor bugfixes

This release contains a security fix in the library rhonabwy. If you allow encrypted tokens using RSA-OAEP algorithms, please upgrade your Glewlwyd version.

• Enforce client public key verification on registration
• Add config value login_api_enabled to enable/disable authentication APIs
• Add config value plugin_api_run_enabled to list authorized plugins for a Glewlwyd instance
• Minor bugfixes

• Improve security verification
• Add config value response_allowed_compression to enable/disable API response compression
• Breaking: Add config value admin_session_authentication to enable/disable admin API authentication methods, API key is disabled by default
• Add config value profile_session_authentication to enable/disable user profile API authentication methods
• Add config value allow_multiple_user_per_session to enable/disable multiple users per session

• Allow to disable static files server
• Allow to send an e-mail on password change or scheme registration
• Add additional CORS related header configuration
• Add config values cookie_same_site and max_post_size
• Add additional-parameters to access tokens for client authorization
• Improve resource parameter in OIDC plugin, remove resource change allowed option
• If enc algorithms is restricted, show only allowed algorithms in discovery endpoint, and forbid to use these algorithms in client registration
• Security: Fix deprecated glewlwyd_resource.c bug with token verification

The "Third dose Release"

• Bugfixes
• Fix delegation session
• Add SMTP configuration template
• Allow to send an e-mail to an account when a new connection occurs
• Allow to fetch a geolocation API to improve the issued_for records
• Fix oidc plugin bug: allow to add the username as claim in the access token
• Improve OIDC DPoP implementation to Draft 07
• Front-end: Remove polyfill build script
• Fix Rich Authorization Requests and update its implementation to Draft 11
• Allow Import/Export users/clients/modules/plugins in the UI
• UI Improvements
• Security: Fix directory traversal bug (CVE-2022-29967)

This is a security release, if you use the webauthn scheme, please upgrade your Glewlwyd version.

• Security: Fix possible buffer overflow in webauthn assertion (CVE-2022-27240)

This is a security release, please upgrade your Glewlwyd version.

• Fix bug in OTP registration
• Fix several UI bugs
• Improve user registration UI and OTP scheme registration
• Add callback function plugin_user_revoke in plugins
• Add config file option add_x_frame_option_header_deny to allow removing header X-Frame-Options: deny
• Security: Fix escalation bug (CVE-2021-45379)

The "Green Zone Release"

• Add option to forbid a scheme to be registered in the profile and/or the reset credentials pages
• Add prometheus metrics endpoint
• Improve security when updating modules
• Allow to force PKCE all the time or when use specified scopes
• Implement Client-Initiated Backchannel Authentication Flow
• Implement OAuth 2.0 Authorization Server Issuer Identification
• Improve IETF strict option in OIDC plugin by handling signatures and encryption properties
• User registration: suggest a new username when a username exists
• Allow to remove all sessions and/or revoke all tokens
• Implement OpenID Connect Front-Channel Logout 1.0 - draft 04
• Implement OpenID Connect Back-Channel Logout 1.0 - draft 06
• Upgrade DPoP implementation to draft 4.0

• Security: Fix possible buffer overflow in webauthn registration (CVE-2021-40818)
• Update dependencies versions

• Fix UI bugs
• UI: Improve session expiration error
• Update SQLite3 password management by increasing PBKDF2 iterations and allowing to set iterations value
• IO: Add German translation, thanks to Andy2903
• OIDC: Support more signature and encryption algorithms
• Fix CORS bug
• Implement OAuth 2.0 JWT Secured Authorization Request (JAR) Draft 32
• Allow default properties on client registration
• Allow access tokens use in clent registration to be used only once
• Improve client and client grant management in the profile page

• Fix annoying bug in scheme validation during login
• Fix scheme verification bug
• Fix docker image builder

• Add identify action to authenticate via schemes oauth2 or certificate without giving the username
• Fix change password issue in the admin interface
• Add oidc config restrict-scope-client-property to restrict a client to certain scopes if needed
• Allow to reconnect on session closed

The "Recontainment Release"

• Fix aud property to fit JWT access token spec
• Add support for OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) Draft 01
• Allow multiple passwords for users
• Implement Resource Indicators for OAuth 2.0 for OIDC plugin
• Implement Content-Encoding to compress response bodies using gzip or deflate when relevant
• Implement OAuth 2.0 Rich Authorization Requests Draft 03
• Implement OAuth 2.0 Pushed Authorization Requests Draft 05

The "Second Wave Release"

• Allow user to update its e-mail
• Allow user to reset its credentials
• Handle callback url for registration and reset credentials
• Update certificate scheme management: remove online certiticate generation and add certificate validation via DN
• Implement revoke tokens on code replay for oauth2 and oidc plugins
• Show client_id and redirect_uri on grant scope
• Remove parameters object on *_load() functions result
• Scheme WebAuthn: disable fmt none by default
• Allow to add granted scope list in id_token and /userinfo
• Fix last login refresh without authentication bug
• Add endpoint /mod/reload/ to reload modules lists
• Add Event log messages
• Add parameter Scheme Required to a scope scheme group
• Add API key to use administration APIs via scripts without a cookie session

• Limit scheme available output
  This is a security release, please upgrade your Glewlwyd version.
  To mitigate server configuration leaks, I recommend the following actions:
  • If you use the TLS Certificate Scheme with Allow to emit PKCS#12 certificates for the clients enabled, please revoke the issuer certificate and use new ones
  • If you use the Webauthn Scheme, it's reommended to regenerate the Random seed used to mitigate intrusion
  • If you use the Oauth2 Scheme, please change the clients secrets
  • If yout use the Email code scheme and use a SMTP password, please to change this password

• Allow to specify a public JWKS for OIDC plugin
• Fix official docker image builder
• Fix load module files on filesystems that don't fully support readdir(), closes #150
• Fix Small UI bugs
• Add manpage
• Add documentation on reverse proxy with examples for Apache and Nginx

• Upgrade Bootstrap to 4.5
• Replace Font-Awesome 5 with Fork-Awesome
• Fix Mock scheme in profile page

The "Saint-Jean-Baptiste Release"

• Replace libjwt with Rhonabwy
• Allow messages encryption (incoming and outcoming)
• Allow OIDC plugin to use multiple signing or encryption keys via a JWKS
• Add support for CRYPT hash in ldap modules, closes #114
• Add Session Management for OIDC plugin
• Update access token claims to fit JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - draft 05
• Add JWT Response for OAuth Token Introspection
• Adapt client registration redirect_uri check to make Glewlwyd OIDC plugin conform to OAuth 2.0 for Native Apps specification
• Add OAuth 2.0 Device Grant
• Add id_token in response type password when the scope openid is added
• Disable response type password by default for OIDC plugin config
• Scope openid is assumed to be always granted to clients for OIDC plugin
• Add one-time-use refresh token option
• Add OAuth 2.0 Dynamic Client Registration Management Protocol for OIDC plugin
• Breaking change since 2.2: Client Registration input parameters are now conform to OAuth 2.0 Dynamic Client Registration Protocol
• Add OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
• Allow multi-languages e-mails in e-mail scheme and registration plugin
• Multiple bugfixes in UI and API