IdentityServer3 Versions

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana

2.6.3

5 years ago

Fixed a bug where too many signin message cookies could cause high CPU load

2.6.2

5 years ago

2.6.1

6 years ago
  • Bug fix for XSS of AngularJS expression on the authorize response page. An attack could potentially leak data on the authorization response. Releases affected are 2.4 through 2.6. Thanks to Lewis Cornick for reporting.

2.6.0

7 years ago

As part of this release we had 10 commits which resulted in 11 issues being closed.

bug fixes

  • #3260 Claims valueType serialization : Introspection endpoint
  • #2682 SignInId incorrect constant value

enhancements

  • #3458 Include id_token in response from refresh token request
  • #3352 WARN instead of ERROR for bad user credentials
  • #3332 IssueClientToken with given claims
  • #3244 TokenRequestValidator logs every check failure as error
  • #3177 Consider removing cookies where data protection fails
  • #3168 Authorization Endpoint does not support POST
  • #3036 Make access tokens claims available in UserService when being called via UserInfo
  • #3008 Added ShowLoginPageOnErrorResult to PostAuthenticationContext
  • #2906 double exception logging

2.5.3

7 years ago

As part of this release we had 14 commits which resulted in 5 issues being closed.

bug fixes

  • #3182 Null data when reading form post from OwinEnvironmentService
  • #3165 Add token obfuscation to TokenRevokedEvent
  • #3158 bugfix #3157
  • #2821 Custom ICustomRequestValidator LocalizationService ArgumentNullException. Parameter name: name

enhancement

  • #2923 #2865 Added an event for token revocation

2.5.2

7 years ago

As part of this release we had 20 commits which resulted in 6 issues being closed.

bug fixes

  • #3122 Token logged in RaiseSuccessfulIntrospectionEndpointEventAsync event
  • #3059 ASP.NET Core 1.0 Bug (Kestrel)
  • #3053 Making the Event Details public
  • #2994 GetIdentityServerIssuerUri - returns address with trailing '/'
  • #2911 TokenRequestValidator logging causes token Validation to fail
  • #2903 Unexpected character encountered while parsing value: W. Path '', line 0, position 0.

2.5.1

7 years ago

As part of this release we had 4 issues closed.

bug fixes

  • #3037 Fix how audience is built in IssueClientToken.
  • #2971 ErrorDescription isn't returned in response from ICustomGrantValidator
  • #2822 Undocumented JSON formatting change in v2.4

enhancement

2.5.0

8 years ago

As part of this release we had 16 issues closed.

bug fixes

  • #2694 AuthorizeResponse method does not include the model's Custom object property
  • #2678 RenderLoggedOutViewAsync assumes called in context of signing out of client
  • #2638 Set the JWT nbf claim value to the token.CreationTime instead of curr…
  • #2608 Sync HTTP front-channel logout implementation with spec updates
  • #2575 How to get updated_at in the identity token?
  • #2443 ArgumentNullException in FileSystemViewLoader

new features

  • #2752 Add hardening feature for token response type
  • #2636 Proof of Possession Implementation for RS256

enhancements

  • #2757 Invalid CORS paths only emit informational message to log
  • #2635 Validation Endpoint - option to switch errors on/off
  • #2619 IdentityServer as RP needing access token
  • #2613 Support RedirectUri on SignOut for external providers
  • #2611 Add an option to suppress all logging output
  • #2587 Provide a way to get list of the current clients for the browser session
  • #2586 Add defensive check when IdP requested but user services issues different IdP
  • #2520 integration tests for PKCE

2.4.0

8 years ago

As part of this release we had 23 issues closed.

bug fixes

  • #2476 change secret validators and parsers to IList
  • #2473 The redirect after revoking permissions seems not use public origin.
  • #2445 Wrong endpoint name in RevocationEndpointController?
  • #2363 Fix client_assertion_type handling in ClientAssertionSecretParser
  • #2172 Internal CorsPolicyProvider should take publicOrigin in consideration

new features

  • #2504 PKCE for Hybrid Flow
  • #2378 Implement Proof Key for Code Exchange
  • #2071 Always require logout confirmation (even when id token hint was passed)

enhancements

  • #2492 Implement PKCE for Hybrid Flow
  • #2477 Make IdentityServerPrincipal public
  • #2475 PKCE metadata
  • #2474 Allow for response_type values in the authorize request to come in in any order.
  • #2432 Make GetIdentityServerIssuerUri public
  • #2382 Added new service for adding custom entries to a token response
  • #2290 Add hook to allow custom response data for token requests
  • #2234 angular.min.js.map 404 not found
  • #2171 Inject middleware with PluginConfiguration
  • #2166 Add TemplateFolderPath to DefaultViewServiceOptions
  • #2148 Add interface to validate incoming identity
  • #2124 'Submit this form' page customization
  • #2036 How to redirect to login screen with error message from failed two factor authentication
  • #1838 Revalidate client allowed scopes when processing refresh tokens
  • #1145 Add frame-src to CspOptions and include in CSP header

2.3.0

8 years ago

As part of this release we had 2 commits which resulted in 9 issues being closed.

bug fix

  • #2315 TokenRequest should not be honoured if custom grant validator throws

new feature

  • #2233 Add support for "private_key_jwt" client authentication method

enhancements

  • #2310 Refactored secret parsing and validation
  • #2306 Configurable Scope Restriction for Introspection Endpoint
  • #2294 Added options class to configure discovery endpoint output
  • #2276 Introduce signing key service