Security Versions

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore

2.0.1

6 years ago

Bugs Fixed

  • Port SignInScheme fix to 2.0.x (#1435)

1.0.5

6 years ago

rel/2.0.0

6 years ago

Features

  • Provide a way to prevent AuthenticationSchemeProvider from picking a specific scheme handler (#1287)
  • Remove top level methods on IServiceCollection that configure authentication (#1269)
  • Revisit SchemeBuilder/AddScheme (#1186)
  • Auth 2.0 Cleanup: Revisit cleanup events/context (#1181)
  • Changing name of correlation and nonce cookie in OpenID Connect middleware (#1033)

Bugs Fixed

  • AuthZ Regression: PolicyEvaluator always passes HttpContext for resource (#1329)
  • DisplayName in new AuthN Plumbing? (#1319)
  • Should auth options be using IOptionsMonitor? (#1282)
  • Passing in an AuthorizationPolicy allocates an array every time (#1274)
  • Authentication failures are not properly logged (#1265)
  • Make it easier to specify a default scheme (#1264)
  • OnRedirectToIdentityProvider - improve /// comments (#1200)
  • Consider limiting the cookies we use for nonce and correlationId to the paths that we use them on (#1133)
  • Consider revisiting OpenIdConnectOptions.PostLogoutRedirectUri in 2.0.0 (#1089)

rel/2.0.0-preview2

6 years ago

Features

  • Bind shared Default schemes to config (#1245)
  • Auth 2.0 Part II: Revenge of AuthZ (#1190)
  • Add IAuthorizationHandlerProvider interface (#1176)
  • Support for Cookie "SameSite" Flag (#908)
  • AuthZ 2.0 Improve failure scenarios + [401 vs 403?] (#901)

Bugs Fixed

  • OAuth authentication broken due to SameSite cookie policy (#1231)
  • How can you 'configure' OpenIdConnectOptions CallbackPath? (#1230)
  • Consider dropping Active in AuthorizeAttribute.ActiveAuthenticationSchemes (#1199)

rel/2.0.0-preview1

6 years ago

Features

  • The Grand Auth Redesign of 2017 (#1179)
  • Google handler should include claim for profile image url (#969)

Bugs Fixed

  • Two consecutive calls to SystemClock can result in smaller values. (#1110)
  • Provide an easy way to disable telemetry in the OpenID Connect middleware (#1035)
  • Reduce claims in ClaimsIdentity after completing OIDC protocol legs (#1024)

rel/1.1.1

7 years ago

Features

  • Update IdentityModel dependencies to 5.1.2 (#1082)

Bugs Fixed

rel/1.1.0

7 years ago

Bugs Fixed

  • [Breaking change] Parameter was renamed on OpenIdConnectHandler.HandleSignOutAsync (#1030)
  • Improper JWT used in token validation for hybrid "code id_token token" OpenId Connect flow (#1007)
  • Ensuring the generated redirect URL is valid (#903)
  • Can't perform custom error handling using OpenIdConnect OnAuthenticationFailed event (#884)

rel/1.1.0-preview1

7 years ago

Features

  • AuthZ: Add option for Fail fast (#945)
  • AuthenticationTokenExtensions should have an UpdateToken (#916)
  • AuthorizationHandlerContext responsibility split up & thread safety (#879)

Bugs Fixed

  • How to use AuthorizationEndpoint which contains query string parameters with OAuth. (#988)
  • OIDC handler bug in user info response handling for multiple claims of same type (#976)
  • CookieAuthenticationHandler, in case using SessionStore, cookieOptions.Expire is not set on renewal (#973)
  • Google middleware authorization should use prompt instead of approval_prompt (#971)
  • Microsoft.AspNetCore.Authentication.Twitter's package description is incorrect (#962)
  • CookieAuthenticationEvents.OnValidatePrincipal can result in a NullReferenceException (#949)
  • Returning true from HandleUnauthorizedAsync doesn't prevent the other automatic handlers from being invoked (#930)
  • Minor comment cleanup. (#891)
  • OpenIdConnect with AAD does not return error_description (#883)
  • Authorize(Github) may return a Facebook user (#859)
  • Cookie ExpireTimeSpan not honoured using Azure AD OpenIDConnect authentication (#855)
  • Update CookieAuthenticationHandler.ApplyHeaders to honor AuthenticationProperties.RedirectUri (#800)
  • Google: Need better way to discover when google+ api not enabled (#53)

1.0.0

7 years ago

Features

  • JwtBearer does not return any useful info when failing to validate/accept a token (#776)
  • Get the user's e-mail address from Twitter (#765)
  • Support distributed sign-out (#423)

Bugs Fixed

  • AuthorizationHandler<TRequirement> design questions (#849)
  • Authorize policy attribute not compatible with dynamic policy provider (#841)
  • CookiePolicy middleware can't affect CookieAuthentication middleware (#814)
  • Removed space from file name (#807)
  • Clash of AuthorizationContext naming with aspnetcirelease bits rc2-* (#806)
  • Authorize GitHub causes infinite redirects or Correlation failed (#801)
  • OIDC argument validation (#795)
  • CookieAuthenticationHandler IsPersistent with UTC dates (#780)
  • Flow for authenticated but unauthorized users with OIDC is broken (infinite redirect) (#667)
  • Need to do a doc pass for new AuthZ/AuthN changes (#190)

1.0.0-rc2

7 years ago

Features

  • How can you inject a service into an implementation of IClaimsTransformer? (#718)
  • Authorization infrastructure does not handle "per action permissions" use case well (#670)
  • Consider adding Async version for AddAssertion sugar (#657)
  • SaveTokenAsClaim for JwtBearer (#639)
  • [Authorization] Consider base class to make building custom policies/requirements easier (#575)
  • Implement the hybrid flow, unify code and authorization flows (#456)
  • Populate returnURL on Forbidden mapping for cookie auth (#335)
  • [AuthZ] Investigate if we can turn policyName overloads into extension methods (#266)

Bugs Fixed

  • Update OIDC package version to be 1.0.0-rc2 (#808)
  • Exception thrown when 'Microsoft.AspNetCore.Authentication.JwtBearer' tries to log a message (#794)
  • AuthenticationHandler.InitializeAsync chokes when HandleAuthenticateAsync returns null (#760)
  • DefaultAuthorizationService call to _logger.UserAuthorizationSucceeded always has a null user (#755)
  • What should be the defaults for ResponseType for OIDC (#744)
  • Auth handlers should unregister themselves after Next (#704)
  • Clean up OIDC events (#690)
  • Return givenname and surname claims from Facebook provider by default. (#688)
  • Can't find working example of getting first_name claim using Facebook rc2 (#654)
  • Consider moving GenerateCorrelationId and ValidateCorrelationId to RemoteAuthenticationHandler (#647)
  • TwitterHandler doesn't save all tokens as claims when SaveTokensAsClaims is true (#632)
  • AuthorizationHandler: where TResource : class requirement (#630)
  • Authentication cookie is badly renewed when the security stamp has been validated (#628)
  • The values of Roles property in AuthorizeAttribute aren't trimmed (#627)
  • Discussion for Scope being a list and not a string? (#614)
  • Split Microsoft.Owin.Security.Cookies.Interop into 2 packages (#611)
  • Update Twitter AuthenticationEndpoint (#600)
  • JwtBearer projects targets dnx451 and dnxcore50 (#590)
  • The dependency Microsoft.AspNet.Authentication.OpenIdConnect 1.0.0-rc2-16009 does not support framework .NETPlatform,Version=v5.4 (#576)
  • Consider making AutomaticAuthenticate true by default for Cookies (#569)
  • Update Google API endpoints (#566)
  • Update facebook provider to v2.5 APIs (#565)
  • Stop using AuthenticateResult.Success(ticket: null) (#555)
  • AuthenticationProperties is not available from OpenIdConnectAuthenticationNotifications.RedirectToIdentityProvider (#546)
  • SaveTokensAsClaims defaults (#526)
  • Update the OAuth2 handler to log error_description and error_uri when receiving an error (#512)
  • Can't get email claim from Facebook (#435)
  • Revisit the OIDC/OAuth2 bearer middleware to stop re-throwing exceptions for invalid tokens (#411)