Releases: jenkinsci/oic-auth-plugin
4.421.v5422614eb_e0a_
🔒 Security
- Fix SECURITY-3473.
4.418.vccc7061f5b_6d
🚀 New features and improvements
- Use a FIPS compliant version of nimbus-jose-jwt (#440) @fcojfernandez
📝 Documentation updates
- Fix plugin documentation of plugin configuration for endSessionEndpoint (#439) @sstoffregen
4.411.v990b_9d36e74e
🐛 Bug fixes
- Filter missing non-compliant algorithms in FIPS mode (#435) @fcojfernandez
4.409.ve864b_f48b_0f3
🚀 New features and improvements
- JENKINS-73904 - Enable FIPS restrictions in the JWK signing algorithm for Token verification (#428) @fcojfernandez
👻 Maintenance
- JENKINS-73849 - JEP-237 - remove the ability to disable SSL and token validation in FIPS mode (#423) @PereBueno
🚦 Tests
- Switching tests to throw generic Exception (#425) @PereBueno
✍ Other changes
- JENKINS-73892 - un-inline script in config.jelly and fix existing behavior (#427) @shlomomdahan
4.388.v4f73328eb_d2c
💥 Breaking changes
Caution
The plugin now requires that the Issuer is set to enforce security, and there is no option to disable this requirement, as it is mandated in the OpenID Connect specification.
As such, users who do not use automatic configuration via the well-known endpoint must first update to 4.355.v3a_fb_fca_b_96d4 and configure the Issuer before updating to this version.
Failure to do so will result in users being unable to log in, or in Jenkins failing to start.
Caution
If using manual configuration and a JWKS Server URL has not been specified, then either "disable token validation" will need to be enabled or the JWKS Server URL will need to be set before upgrading to this version.
Failure to do so will result in users being unable to log in.
Warning
The option to send the scopes when requesting the access token has been removed (although it is still present in the UI). Users of non-conformant OPs that require this functionality should remain on the previous version until the OpenID Connect Originating Party (often referred to as the IdP) fixes their implementation.
4.371.vc7c0c06e8a_f5
🐛 Bug fixes
- Redirect to login page in case token is expired instead of showing an error page (#395) @eva-mueller-coremedia
📝 Documentation updates
- Update CasC documentation (#417) @fcojfernandez
- Add developer docs (#410) @jtnord
4.355.v3a_fb_fca_b_96d4
4.354.v321ce67a_1de8
🐛 Bug fixes
- Use endSessionUrl instead of endSessionEndpoint for manual configuration in UI (#402) @eva-mueller-coremedia
4.350.v347c3b_8b_9d95
💥 Breaking changes
Important
The configuration format is backwards compatible with previous versions, but the CasC format is not.
Configuration of the provider side has been moved into a serverConfiguration section and split into two different types: wellKnown for configuration via auto-discovery, and manual for manual configuration.
For example, for manual configuration:

```yaml
securityRealm:
  oic:
    serverConfiguration:
      manual:
        authorizationServerUrl: https://url.example.com/authorize
        jwksServerUrl: https://jwks.example.com/jwks
        tokenAuthMethod: client_secret_post
        tokenServerUrl: https://token.example.com/token
        scopes: scopes
```

and for auto configuration:

```yaml
securityRealm:
  oic:
    serverConfiguration:
      wellKnown:
        wellKnownOpenIDConfigurationUrl: https://idp.example.com:/someRealm/.well-known/openid-configuration
```
Caution
It has been reported in #412 that very old configurations may not be migrated correctly.
It is therefore recommended to explicitly save the configuration in ${JENKINS_URL}/manage/configureSecurity/ before upgrading if the configuration has not been changed recently and you are not using Configuration-as-Code to manage the settings.
4.346.v10401f543622
🐛 Bug fixes
- Compare username based on ID strategy on token refresh (#394) @eva-mueller-coremedia