Releases: jenkinsci/oic-auth-plugin
4.418.vccc7061f5b_6d
🚀 New features and improvements
- Use a FIPS compliant version of nimbus-jose-jwt (#440) @fcojfernandez
🐛 Bug fixes
📝 Documentation updates
- fix plugin documentation of plugin configuration for
endSessionEndpoint(#439) @sstoffregen
Contributors
Assets 2
4.411.v990b_9d36e74e
🐛 Bug fixes
- Filter missing non-compliant algorithms in FIPS mode (#435) @fcojfernandez
Contributors
Assets 2
4.409.ve864b_f48b_0f3
🚀 New features and improvements
- JENKINS-73904 - Enable FIPS restrictions in the JWK signing algorithm for Token verification (#428) @fcojfernandez
🐛 Bug fixes
👻 Maintenance
- JENKINS-73849 - JEP-237 - remove the ability to disable SSL and token validation in FIPS mode (#423) @PereBueno
🚦 Tests
- Switching tests to throw generic Exception (#425) @PereBueno
✍ Other changes
- JENKINS-73892 - un-inline script in
config.jellyand fix existing behavior (#427) @shlomomdahan
Contributors
Assets 2
4.388.v4f73328eb_d2c
💥 Breaking changes
Caution
The plugin now requires that the Issuer is set to enforce security and there is no option to disable this requirement as it is mandated in the Open ID Connect specification.
As such users who do not use automatic configuration via the well-known endpoint must first update to 4.355.v3a_fb_fca_b_96d4 and configure the Issuer before updating to this version.
Failure to do so will result in users unable to login, or Jenkins failing to start.
Caution
if using manual configuration and a JWKS Server URL has not been specified then either disable token validation will need to be enabled or the JWKS Server URL will need to be set before upgrading to this version.
Failure to do so will result in users unable to login.
Warning
The option to send the scopes when requesting the access token has been removed (although is still present in the UI). Users of non conformant OPs that require this functionality should remain on the previous version until the Open ID Connect Originating Party (often referred to as the iDP) fixes their implementation.
📝 Documentation updates
Contributors
Assets 2
4.371.vc7c0c06e8a_f5
🐛 Bug fixes
- Redirect to login page in case token is expired instead of showing an error page (#395) @eva-mueller-coremedia
📝 Documentation updates
- Update CasC documentation (#417) @fcojfernandez
- Add developer docs (#410) @jtnord
Contributors
Assets 2
4.355.v3a_fb_fca_b_96d4
4.354.v321ce67a_1de8
🐛 Bug fixes
- Use endSessionUrl instead of endSessionEndpoint for manual configuration in UI (#402) @eva-mueller-coremedia
👻 Maintenance
Contributors
Assets 2
4.350.v347c3b_8b_9d95
💥 Breaking changes
Important
The configuration format is backwards compatible with previous versions, but the casc format is not.
configuration of the provider side has been moved into a serverConfiguration section and split to 2 different types wellKnown for configuration via a auto discovery and manual for manual configuration.
e.g.
for manual configuration:
securityRealm:
oic:
serverConfiguration:
manual:
authorizationServerUrl: https://url.example.com/authorize
jwksServerUrl: https://jwks.example.com/jwks
tokenAuthMethod: client_secret_post
tokenServerUrl: https://token.example.com/token
scopes: scopes
and for auto configuration:
securityRealm:
oic:
serverConfiguration:
wellKnown:
wellKnownOpenIDConfigurationUrl: https://idp.example.com:/someRealm/.well-known/openid-configuration
Caution
it has been reported #412 that very old configuration may not be migrated correctly.
it is therefore recommended to explicitly save the configuration in ${JENKINS_URL}/manage/configureSecurity/ before upgrading if the configuration has not been changed recently and you are not using Config-as-Code to manage the settings
✍ Other changes
Contributors
Assets 2
4.346.v10401f543622
🐛 Bug fixes
- Compare username based on ID strategy on token refresh (#394) @eva-mueller-coremedia
Contributors
Assets 2
4.340.ve70636c6590e
🚀 New features and improvements
- Allow access using a Jenkins API token without an OIDC Session (#386) @mikecirioli
