Glewlwyd Versions Save

• Security: Fix possible buffer overflow in webauthn registration (CVE-2021-40818)
• Update dependencies versions

• Fix UI bugs
• UI: Improve session expiration error
• Update SQLite3 password management by increasing PBKDF2 iterations and allowing to set iterations value
• IO: Add German translation, thanks to Andy2903
• OIDC: Support more signature and encryption algorithms
• Fix CORS bug
• Implement OAuth 2.0 JWT Secured Authorization Request (JAR) Draft 32
• Allow default properties on client registration
• Allow access tokens use in clent registration to be used only once
• Improve client and client grant management in the profile page

• Fix annoying bug in scheme validation during login
• Fix scheme verification bug
• Fix docker image builder

• Add identify action to authenticate via schemes oauth2 or certificate without giving the username
• Fix change password issue in the admin interface
• Add oidc config restrict-scope-client-property to restrict a client to certain scopes if needed
• Allow to reconnect on session closed

The "Recontainment Release"

• Fix aud property to fit JWT access token spec
• Add support for OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) Draft 01
• Allow multiple passwords for users
• Implement Resource Indicators for OAuth 2.0 for OIDC plugin
• Implement Content-Encoding to compress response bodies using gzip or deflate when relevant
• Implement OAuth 2.0 Rich Authorization Requests Draft 03
• Implement OAuth 2.0 Pushed Authorization Requests Draft 05

The "Second Wave Release"

• Allow user to update its e-mail
• Allow user to reset its credentials
• Handle callback url for registration and reset credentials
• Update certificate scheme management: remove online certiticate generation and add certificate validation via DN
• Implement revoke tokens on code replay for oauth2 and oidc plugins
• Show client_id and redirect_uri on grant scope
• Remove parameters object on *_load() functions result
• Scheme WebAuthn: disable fmt none by default
• Allow to add granted scope list in id_token and /userinfo
• Fix last login refresh without authentication bug
• Add endpoint /mod/reload/ to reload modules lists
• Add Event log messages
• Add parameter Scheme Required to a scope scheme group
• Add API key to use administration APIs via scripts without a cookie session

• Limit scheme available output This is a security release, please upgrade your Glewlwyd version. To mitigate server configuration leaks, I recommend the following actions:
  • If you use the TLS Certificate Scheme with Allow to emit PKCS#12 certificates for the clients enabled, please revoke the issuer certificate and use new ones
  • If you use the Webauthn Scheme, it's reommended to regenerate the Random seed used to mitigate intrusion
  • If you use the Oauth2 Scheme, please change the clients secrets
  • If yout use the Email code scheme and use a SMTP password, please to change this password

• Allow to specify a public JWKS for OIDC plugin
• Fix official docker image builder
• Fix load module files on filesystems that don't fully support readdir(), closes #150
• Fix Small UI bugs
• Add manpage
• Add documentation on reverse proxy with examples for Apache and Nginx

• Upgrade Bootstrap to 4.5
• Replace Font-Awesome 5 with Fork-Awesome
• Fix Mock scheme in profile page

The "Saint-Jean-Baptiste Release"

• Replace libjwt with Rhonabwy
• Allow messages encryption (incoming and outcoming)
• Allow OIDC plugin to use multiple signing or encryption keys via a JWKS
• Add support for CRYPT hash in ldap modules, closes #114
• Add Session Management for OIDC plugin
• Update access token claims to fit JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - draft 05
• Add JWT Response for OAuth Token Introspection
• Adapt client registration redirect_uri check to make Glewlwyd OIDC plugin conform to OAuth 2.0 for Native Apps specification
• Add OAuth 2.0 Device Grant
• Add id_token in response type password when the scope openid is added
• Disable response type password by default for OIDC plugin config
• Scope openid is assumed to be always granted to clients for OIDC plugin
• Add one-time-use refresh token option
• Add OAuth 2.0 Dynamic Client Registration Management Protocol for OIDC plugin
• Breaking change since 2.2: Client Registration input parameters are now conform to OAuth 2.0 Dynamic Client Registration Protocol
• Add OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
• Allow multi-languages e-mails in e-mail scheme and registration plugin
• Multiple bugfixes in UI and API