Omniauth Auth0 Versions Save

Added

• [SDK-4410] Support Organization Name in JWT validation #184 (stevehobbsdev)

Fixed

• fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests #165 (stevehobbsdev)

Security

Misc dependabot package updates and version bumps.

Full Changelog

Added

• Add ui_locales to permitted params #135 (martijn)

Changed

• Store plain Hash in session['authorize_params'] #150 (santry)
• Redesign readme to match new style #148 (stevehobbsdev)

Fixed

• Fix authentication hash link in code sample #153 (ewanharris)

Security

• [Snyk] Fix for 1 vulnerabilities #149 (snyk-bot)
• Bump addressable from 2.7.0 to 2.8.0 #133 (dependabot[bot])
• [Snyk] Security upgrade webmock from 3.12.2 to 3.12.2 #134 (snyk-bot)

Version 3.0 introduces Omniauth v2.0 which addresses CVE-2015-9284. Omniauth now defaults to only allow POST as the allowed request_phase method. This was previously handled through the recommended mitigation using the omniauth-rails_csrf_protection v0.x.x gem to provide CSRF protection.

Upgrading to omniauth-rails_csrf_protection v1.0.0

If you are using omniauth-rails_csrf_protection to provide CSRF protection, you will need to be upgrade to 1.x.x.

BREAKING CHANGES

Now that OmniAuth now defaults to only POST as the allowed request_phase method, if you aren't already, you will need to convert any login links to use form helpers with the POST method.

# OLD -- GET request
<a href='/auth/auth0'>Login</a>

# NEW Example #1 -- POST request
<%= link_to 'Login', 'auth/auth0', method: :post %>

# NEW Example #2 -- POST request
<%= button_to 'Login', 'auth/auth0', method: :post %>

# NEW Example #3 -- POST request
<%= form_tag('/auth/auth0', method: :post) do %>
  <button type='submit'></button>
<% end %>

Allowing GET Requests

In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:

# Allowing GET requests will expose you to CVE-2015-9284 
OmniAuth.config.allowed_request_methods = [:get, :post]

v2.6.0 (2021-04-01)

Full Changelog

Added

• Org Support [SDK-2395] #124 (davidpatrick)
• Add login_hint to permitted params #123 (Roriz)

v2.5.0 (2021-01-21)

Full Changelog

Added

• Parsing claims from the id_token #120 (davidpatrick)

Changed

• Setup build matrix in CI #116 (dmathieu)

Fixed

• Fixes params passed to authorize #119 (davidpatrick)

v2.4.1 (2020-10-08)

Full Changelog

Fixed

• Verify the JWT Signature #109 (jimmyjames)

v2.4.0 (2020-09-22)

Full Changelog

Security

• Bump rack from 2.2.2 to 2.2.3 #107 (dependabot)
• Update dependencies #100 (Albalmaceda)

Added

• Add support for screen_hint=signup param #103 (bbean86)
• Add support for connection_scope in params #99 (felixclack)

Full Changelog

Fixed bugs:

• Fixes dependency issue #97 (davidpatrick)
• Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" #96 (stefanwork)

Full Changelog

Added

• Improved OIDC Compliance #74 (davidpatrick)

Full Changelog

Closed issues

• It supports custom domain? #71
• Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil #70

Added

• Custom issuer #77 (ryan-rosenfeld)
• Add telemetry to token endpoint #74 (joshcanhelp)

Changed

• Remove telemetry from authorize URL #75 (joshcanhelp)