Glewlwyd Versions

Experimental Single Sign-On server: OAuth2, OpenID Connect, multi-factor authentication with HOTP/TOTP, FIDO2, TLS certificates, etc., extensible via plugins

v2.7.6

6 months ago
  • Minor bugfixes and improvements
  • Improve the e-mail scheme security model: take a mutex lock when generating codes, and add a code prefix, returned by the trigger call, to mitigate stolen codes
  • Update cmake script for a cleaner build
  • Add config values user_backend_api_run_enabled, user_middleware_backend_api_run_enabled, client_backend_api_run_enabled, scheme_api_run_enabled to list the backends or schemes authorized for a Glewlwyd instance
  • Add config value originating_ip_header to specify the header containing the originating IP address, if any
  • Add config values response_body_limit and max_header to limit download sizes where relevant
  • Rework Docker files to build from source instead of downloading packages from GitHub
  • cmake: split package build options in 3 (tar.gz, deb and rpm), and set all packages build to off by default
  • Security: Fix possible buffer overflow in webauthn attestation
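
The e-mail scheme change in v2.7.6 above combines two mitigations: a lock around code generation, so that concurrent trigger calls cannot leave the stored code half-updated, and a prefix that the trigger call returns to the browser rather than mailing it, so that a code lifted from a mailbox is not enough on its own. The changelog does not spell out exactly how Glewlwyd binds the prefix to the code, so the following is an added example of one way to realize that design in C, not Glewlwyd's own implementation. The entropy source (/dev/urandom), the 4-letter prefix, the 6-digit code, the TTL and the attempt budget are assumptions chosen for illustration, and the "mail" is written into a buffer standing in for the SMTP send.

```c
/* Added example, not Glewlwyd's code: an e-mail one-time code scheme whose
 * trigger step returns a prefix for the UI, with all state changes serialized
 * by a mutex so concurrent triggers cannot interleave. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PREFIX_LEN 4
#define CODE_LEN 6
#define CODE_TTL_SECONDS 600
#define MAX_ATTEMPTS 3
#define MAIL_BUF_LEN (PREFIX_LEN + 1 + CODE_LEN + 1)   /* "ABCD-123456" + NUL */

typedef struct {
    pthread_mutex_t lock;
    char prefix[PREFIX_LEN + 1]; /* returned by trigger and displayed in the browser */
    char code[CODE_LEN + 1];     /* sent in the e-mail body */
    time_t expires_at;
    int attempts_left;
    bool pending;
} email_code_state;

#define EMAIL_CODE_STATE_INIT { PTHREAD_MUTEX_INITIALIZER, "", "", 0, 0, false }

/* len characters drawn uniformly from alphabet via /dev/urandom (assumed
 * entropy source); rejection sampling avoids the modulo bias of `byte % n`. */
static bool random_string(char *buf, size_t len, const char *alphabet) {
    size_t n = strlen(alphabet);
    if (n == 0 || n > 256) return false;
    unsigned limit = 256u - (256u % (unsigned)n);
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return false;
    for (size_t i = 0; i < len;) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return false; }
        if (b >= limit) continue;
        buf[i++] = alphabet[b % n];
    }
    fclose(f);
    buf[len] = '\0';
    return true;
}

/* Constant-time comparison of two fixed-length strings. */
static bool ct_equal(const char *a, const char *b, size_t len) {
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Trigger: generate a fresh prefix/code pair under the lock, "send" the mail
 * (written to mail_out, standing in for the SMTP call) and return the prefix
 * for display. Any earlier pair is invalidated first. */
bool email_code_trigger(email_code_state *st, char prefix_out[PREFIX_LEN + 1],
                        char mail_out[MAIL_BUF_LEN]) {
    bool ok = false;
    pthread_mutex_lock(&st->lock);
    st->pending = false;
    if (random_string(st->prefix, PREFIX_LEN, "ABCDEFGHJKLMNPQRSTUVWXYZ") &&
        random_string(st->code, CODE_LEN, "0123456789")) {
        st->expires_at = time(NULL) + CODE_TTL_SECONDS;
        st->attempts_left = MAX_ATTEMPTS;
        st->pending = true;
        memcpy(prefix_out, st->prefix, PREFIX_LEN + 1);
        snprintf(mail_out, MAIL_BUF_LEN, "%s-%s", st->prefix, st->code);
        ok = true;
    }
    pthread_mutex_unlock(&st->lock);
    return ok;
}

/* Validate: the prefix from the trigger response and the code from the mail
 * must both match within the TTL and attempt budget; success consumes the
 * pair. A mailed code without the prefix the victim's browser showed fails. */
bool email_code_validate(email_code_state *st, const char *prefix, const char *code) {
    bool ok = false;
    pthread_mutex_lock(&st->lock);
    if (st->pending && prefix != NULL && code != NULL && time(NULL) <= st->expires_at &&
        st->attempts_left > 0 && strlen(prefix) == PREFIX_LEN && strlen(code) == CODE_LEN) {
        bool p = ct_equal(prefix, st->prefix, PREFIX_LEN); /* both compared, no early exit */
        bool c = ct_equal(code, st->code, CODE_LEN);
        ok = p && c;
        if (ok || --st->attempts_left == 0) st->pending = false;
    }
    pthread_mutex_unlock(&st->lock);
    return ok;
}

int main(void) {
    email_code_state st = EMAIL_CODE_STATE_INIT;
    char prefix[PREFIX_LEN + 1], mail[MAIL_BUF_LEN];
    if (!email_code_trigger(&st, prefix, mail)) return 1;
    printf("UI shows %s, mail says %s, valid=%d\n", prefix, mail,
           email_code_validate(&st, prefix, mail + PREFIX_LEN + 1));
    return 0;
}
```

The attempt budget matters because a 6-digit code is brute-forceable online; the lock is held across the whole read-compare-update sequence in validate as well, so two parallel guesses cannot both pass the attempt check before either decrements it.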

v2.7.5

1 year ago
  • Build with flag -Wconversion

v2.7.4

1 year ago
  • Minor bugfixes

v2.7.3

1 year ago

This release contains a security fix in the library rhonabwy. If you allow encrypted tokens using RSA-OAEP algorithms, please upgrade your Glewlwyd version.

  • Enforce client public key verification on registration
  • Add config value login_api_enabled to enable/disable authentication APIs
  • Add config value plugin_api_run_enabled to list authorized plugins for a Glewlwyd instance
  • Minor bugfixes

v2.7.2

1 year ago
  • Improve security verification
  • Add config value response_allowed_compression to enable/disable API response compression
  • Breaking: Add config value admin_session_authentication to enable/disable admin API authentication methods, API key is disabled by default
  • Add config value profile_session_authentication to enable/disable user profile API authentication methods
  • Add config value allow_multiple_user_per_session to enable/disable multiple users per session

v2.7.1

1 year ago
  • Allow disabling the static file server
  • Allow sending an e-mail on password change or scheme registration
  • Add additional CORS related header configuration
  • Add config values cookie_same_site and max_post_size
  • Add additional-parameters to access tokens for client authorization
  • Improve the resource parameter in the OIDC plugin, remove the "resource change allowed" option
  • If encryption algorithms are restricted, show only the allowed algorithms in the discovery endpoint, and forbid the use of other algorithms in client registration
  • Security: Fix a token verification bug in the deprecated glewlwyd_resource.c

v2.7.0

2 years ago

The "Third dose Release"

  • Bugfixes
  • Fix delegation session
  • Add SMTP configuration template
  • Allow sending an e-mail to an account when a new connection occurs
  • Allow fetching a geolocation API to enrich the issued_for records
  • Fix OIDC plugin bug: allow adding the username as a claim in the access token
  • Improve OIDC DPoP implementation to Draft 07
  • Front-end: Remove polyfill build script
  • Fix Rich Authorization Requests and update its implementation to Draft 11
  • Allow importing/exporting users, clients, modules and plugins in the UI
  • UI Improvements
  • Security: Fix directory traversal bug (CVE-2022-29967)

v2.6.2

2 years ago

This is a security release, if you use the webauthn scheme, please upgrade your Glewlwyd version.

  • Security: Fix possible buffer overflow in webauthn assertion (CVE-2022-27240)
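
Both webauthn overflow fixes on this page (v2.6.2 assertion, above under CVE-2022-27240, and v2.7.6 attestation) sit in the parsing of authenticator data, where lengths chosen by the authenticator, or by whoever forges the request, drive copies into fixed buffers. As an added example, not Glewlwyd's code and not the actual patches, here is a bounds-checked parser in C for the WebAuthn authenticator data layout (rpIdHash, flags, signCount, optional attested credential data): every length is checked against the bytes remaining before it is used, and the credential id copy refuses rather than truncates. The test vector builder is constructed for illustration; its COSE key is a placeholder CBOR map that the parser does not decode.

```c
/* Added example, not Glewlwyd's code: bounds-checked parsing of WebAuthn
 * authenticator data (rpIdHash | flags | signCount | [attestedCredentialData]). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RP_ID_HASH_LEN 32
#define AAGUID_LEN 16
#define AUTHDATA_FIXED_LEN (RP_ID_HASH_LEN + 1 + 4)
#define FLAG_UP 0x01u
#define FLAG_AT 0x40u
#define FLAG_ED 0x80u
#define MAX_CREDENTIAL_ID_LEN 1023 /* WebAuthn caps credential ids at 1023 bytes */

typedef struct {
    const uint8_t *rp_id_hash;     /* 32 bytes, points into the input */
    uint8_t flags;
    uint32_t sign_count;
    bool has_attested_cred;
    const uint8_t *aaguid;         /* 16 bytes, only if has_attested_cred */
    uint16_t cred_id_len;
    const uint8_t *cred_id;
    const uint8_t *cred_pubkey;    /* COSE_Key CBOR (plus extensions if ED), not decoded here */
    size_t cred_pubkey_len;
} authdata_t;

/* Returns 0 on success or a negative code; never reads past data + len. */
int parse_authdata(const uint8_t *data, size_t len, authdata_t *out) {
    if (data == NULL || out == NULL) return -1;
    memset(out, 0, sizeof *out);
    if (len < AUTHDATA_FIXED_LEN) return -2;             /* truncated header */
    size_t off = 0;
    out->rp_id_hash = data;           off += RP_ID_HASH_LEN;
    out->flags = data[off++];
    out->sign_count = ((uint32_t)data[off] << 24) | ((uint32_t)data[off + 1] << 16) |
                      ((uint32_t)data[off + 2] << 8) | (uint32_t)data[off + 3];
    off += 4;
    if (out->flags & FLAG_AT) {
        if (len - off < AAGUID_LEN + 2) return -3;       /* no room for aaguid + length */
        out->aaguid = data + off;     off += AAGUID_LEN;
        out->cred_id_len = (uint16_t)(((uint16_t)data[off] << 8) | data[off + 1]);
        off += 2;
        if (out->cred_id_len == 0 || out->cred_id_len > MAX_CREDENTIAL_ID_LEN) return -4;
        /* The attacker-influenced length is checked against what is actually
         * left BEFORE any pointer arithmetic or copy uses it. */
        if (out->cred_id_len > len - off) return -5;
        out->cred_id = data + off;    off += out->cred_id_len;
        if (off >= len) return -6;                        /* COSE key must follow */
        out->cred_pubkey = data + off;
        out->cred_pubkey_len = len - off;
        out->has_attested_cred = true;
    } else if (off != len && !(out->flags & FLAG_ED)) {
        return -7;                                        /* trailing bytes without AT or ED */
    }
    return 0;
}

/* Copy the credential id into a caller buffer; refuses (instead of truncating
 * or overrunning) when it does not fit. */
bool copy_credential_id(const authdata_t *ad, uint8_t *dst, size_t dst_len, size_t *out_len) {
    if (!ad->has_attested_cred || ad->cred_id_len > dst_len) return false;
    memcpy(dst, ad->cred_id, ad->cred_id_len);
    *out_len = ad->cred_id_len;
    return true;
}

/* Constructed test vector, not a real authenticator capture: declared_len is
 * what the length field claims, actual_len how many id bytes really follow. */
size_t build_attested_authdata(uint8_t *buf, size_t cap, uint16_t declared_len, size_t actual_len) {
    size_t need = AUTHDATA_FIXED_LEN + AAGUID_LEN + 2 + actual_len + 3;
    if (need > cap) return 0;
    size_t off = 0;
    memset(buf, 0x11, RP_ID_HASH_LEN);           off += RP_ID_HASH_LEN;
    buf[off++] = FLAG_UP | FLAG_AT;
    buf[off++] = 0; buf[off++] = 0; buf[off++] = 0; buf[off++] = 5;   /* signCount = 5 */
    memset(buf + off, 0, AAGUID_LEN);             off += AAGUID_LEN;
    buf[off++] = (uint8_t)(declared_len >> 8);
    buf[off++] = (uint8_t)(declared_len & 0xff);
    memset(buf + off, 0xAA, actual_len);          off += actual_len;
    buf[off++] = 0xA1; buf[off++] = 0x01; buf[off++] = 0x02;          /* placeholder CBOR map {1: 2} */
    return off;
}

int main(void) {
    uint8_t buf[128];
    authdata_t ad;
    size_t n = build_attested_authdata(buf, sizeof buf, 64, 4);   /* claims 64 bytes, carries 4 */
    printf("parse_authdata -> %d (expected -5: declared length exceeds input)\n",
           parse_authdata(buf, n, &ad));
    return 0;
}
```

The parser keeps pointers into the caller's buffer rather than copying, so the only copy in the whole path is copy_credential_id, which is the one place a destination size has to be compared with an attacker-influenced length; that is the check a fuzzing harness for assertion and attestation inputs should exercise with declared lengths far larger than the payload.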

v2.6.1

2 years ago

This is a security release, please upgrade your Glewlwyd version.

  • Fix bug in OTP registration
  • Fix several UI bugs
  • Improve user registration UI and OTP scheme registration
  • Add callback function plugin_user_revoke in plugins
  • Add config file option add_x_frame_option_header_deny to allow removing the header X-Frame-Options: deny
  • Security: Fix escalation bug (CVE-2021-45379)

v2.6.0

2 years ago

The "Green Zone Release"