Releases: jenkinsci/oic-auth-plugin
4.279.vca_c1e2fdd24b_
4.269.va_7526f34f306
🚀 New features and improvements
- Rework security realm config GUI (#312) @michael-doubez
🌐 Localization and translation
- Update french localization (#325) @github-actions
👻 Maintenance
- Add HOWTO on groups configuration (#309) @michael-doubez
4.257.v5360e8489e8b_
Fix issue #304, caused by JWKS parsing. This release disables signature verification when the JWKS cannot be parsed, but the idtoken content is still validated.
If token verification was disabled to work around the previous version, it can be re-enabled so that content verification is performed again. The only side effect is a single warning logged the first time parsing of the JWKS URI fails.
🚀 New features and improvements
- Ensure login doesn't redirect to logout URL (#303) @michael-doubez
🐛 Bug fixes
- Disable JWKS verification if not supported by client library (#308) @michael-doubez
4.250.v5a_d993226437
Improve security by verifying the signature of the provider's idtoken and, if applicable, of the userinfo response. This requires the provider's JWKS endpoint to be configured; it is discovered automatically when auto mode is used. At the same time, the idtoken issue (iat) and expiry (exp) times are verified as required by the OpenID Connect idtoken validation rules.
A new flag can be configured to bypass the new checks.
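The checks introduced here, together with the 4.257 fallback described above (content validation continues even when the JWKS cannot be used), as an added example that is not the plugin's own code. It keeps to the Python standard library, so the JWKS holds a symmetric `oct` key and the token is HS256; real providers publish RSA or EC keys and use RS256/ES256, but the key selection by `kid`, the `alg` check, the signature comparison and the claim checks are the same. The sample JWKS, token and clock value are constructed for the demo, and the `LEEWAY` value and log messages are assumptions.

```python
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("oidc-demo")
LEEWAY = 60  # assumed clock-skew tolerance, in seconds, applied to exp/iat
_jwks_failures_seen = set()  # makes the JWKS fallback warn once, not on every login


class TokenError(Exception):
    """The ID token fails a check and the login must be refused."""


class JwksError(Exception):
    """The JWKS document cannot be used; models the parse failure behind issue #304."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def select_jwk(jwks: dict, header: dict) -> dict:
    """Return the JWK whose 'kid' matches the token header. A matching JWK without
    an 'alg' parameter is reported as a JWKS failure (the shape that broke 4.250)."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == header.get("kid"):
            if "alg" not in jwk:
                raise JwksError(f"JWK {jwk.get('kid')!r} has no 'alg' parameter")
            return jwk
    raise TokenError(f"no JWK matches kid {header.get('kid')!r}")


def verify_id_token(token, jwks, *, issuer, client_id, now, verify_signature=True):
    """Return (claims, signature_checked). The signature is checked against the JWKS
    unless verify_signature is False (the bypass flag) or the JWKS is unusable (4.257
    fallback: warn once, continue). The iss/aud/exp/iat content checks always run."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("token is not a compact JWS") from None
    header = json.loads(b64url_decode(h_b64))
    claims = json.loads(b64url_decode(p_b64))

    signature_checked = False
    if verify_signature:
        try:
            jwk = select_jwk(jwks, header)
        except JwksError as exc:
            if str(exc) not in _jwks_failures_seen:
                _jwks_failures_seen.add(str(exc))
                log.warning("JWKS unusable, signature not verified: %s", exc)
        else:
            # Only HS256 over an 'oct' key is implemented here; anything else,
            # including alg 'none', is refused rather than silently accepted.
            if header.get("alg") != "HS256" or jwk["alg"] != "HS256" or jwk.get("kty") != "oct":
                raise TokenError(f"unsupported alg {header.get('alg')!r}")
            mac = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(mac, b64url_decode(s_b64)):
                raise TokenError("signature mismatch")
            signature_checked = True

    if claims.get("iss") != issuer:
        raise TokenError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        raise TokenError("token not issued for this client")
    if "exp" not in claims or now > claims["exp"] + LEEWAY:
        raise TokenError("token expired")
    if "iat" not in claims or claims["iat"] > now + LEEWAY:
        raise TokenError("token issued in the future")
    return claims, signature_checked


def mint_id_token(claims: dict, jwk: dict) -> str:
    """Provider side of the constructed demo: sign the claims with the JWK (HS256)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    h_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{b64url_encode(mac)}"


# Constructed sample data, not real provider material.
ISSUER = "https://op.example"
CLIENT_ID = "jenkins-demo"
NOW = 1_700_000_000
PROVIDER_JWK = {"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url_encode(b"demo-secret-not-for-production")}
ATTACKER_JWK = {"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url_encode(b"some-other-secret")}
JWKS_OK = {"keys": [PROVIDER_JWK]}
JWKS_NO_ALG = {"keys": [{"kty": "oct", "kid": "k1", "k": PROVIDER_JWK["k"]}]}  # the #304 shape
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": NOW - 10, "exp": NOW + 300}

if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, PROVIDER_JWK)
    print(verify_id_token(token, JWKS_OK, issuer=ISSUER, client_id=CLIENT_ID, now=NOW))
    print(verify_id_token(token, JWKS_NO_ALG, issuer=ISSUER, client_id=CLIENT_ID, now=NOW))
```

Running it against `JWKS_NO_ALG` shows the trade-off the 4.257 notes describe: the login still succeeds with the claims validated, but `signature_checked` is False, so a token minted under a different key would also pass content validation. That is why the fallback logs a warning and why the JWKS should be fixed rather than left in that state.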
🚀 New features and improvements
- Add JWKS parameters for verifying web token signatures (#297) @michael-doubez
🚩 Known issues
- Issue(#304): the JWKS served at the configured URL is expected to contain the `alg` parameter for each key, which breaks login with providers that omit it - workaround: use the new flag to disable token signature verification
👻 Maintenance
- Add open rewrite to pom.xml (#298) @michael-doubez
4.239.v325750a_96f3b_
🚀 New features and improvements
- Gracefully handle missing and invalid idtoken (#292) @michael-doubez
4.238.v0021f710b_b_f4
🌐 Localization and translation
- Add localization of help html files (#294) @michael-doubez
📦 Dependency updates
- Bump mailer from 1.34.2 to 448.v5b_97805e3767 (#293) @michael-doubez
4.236.v4124503b_a_f88
Fix regression (#290) in PKCE code verification. PKCE can be re-enabled in the configuration.
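What "serialize verifier in session" has to achieve, as an added example that is not the plugin's code: the PKCE verifier is created on the first request, must survive the session store's serialisation until the callback, and is then sent to the token endpoint. The session is modelled as a dict round-tripped through JSON; the session key name and the error type are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


class LoginError(Exception):
    """The callback arrived without the state needed to finish the login."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_code_verifier() -> str:
    """RFC 7636 verifier: 32 random bytes, base64url without padding (43 characters)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(session: dict) -> dict:
    """First request: keep the verifier in the session and return the extra authorize
    parameters. It is stored as a plain string so it survives whatever serialisation
    the session store applies (assumed key name 'pkce_verifier')."""
    verifier = new_code_verifier()
    session["pkce_verifier"] = verifier
    return {"code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}


def finish_login(session: dict, token_request: dict) -> dict:
    """Callback request: take the verifier out of the (possibly deserialised) session and
    attach it to the token request. pop() makes it single-use."""
    verifier = session.pop("pkce_verifier", None)
    if verifier is None:
        raise LoginError("no PKCE verifier in session; cannot complete login")
    return dict(token_request, code_verifier=verifier)


def provider_accepts(challenge: str, verifier: str) -> bool:
    """What the provider checks at the token endpoint."""
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)


def run_flow() -> bool:
    """End-to-end demo with the session serialised between the two requests."""
    session = {}
    params = begin_login(session)
    restored = json.loads(json.dumps(session))  # the session store round-trip
    request = finish_login(restored, {"grant_type": "authorization_code", "code": "demo-code"})
    return provider_accepts(params["code_challenge"], request["code_verifier"])


if __name__ == "__main__":
    print("PKCE flow accepted:", run_flow())
```

If the value stored in the session were an object the store could not serialise, `finish_login` would find nothing and the token request would go out without a `code_verifier`, which is the failure mode a regression in this area produces.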
🐛 Bug fixes
- Reimplement PKCE to serialize verifier in session (#291) @michael-doubez
👻 Maintenance
- Improve code cleaning (#289) @michael-doubez
📦 Dependency updates
- Jenkins minimal version to v2.361.4 (#289) @michael-doubez
4.229.vf736b_fec02f4
Fix SECURITY-3168: the escape hatch password was stored in a recoverable format. Instead of relying on system security to protect it, only a hash of the password is now stored on disk.
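The storage change in plain terms, as an added example that is not the plugin's code: a recoverable value in the configuration is replaced by a salted, iterated hash that can only be checked, never turned back into the password. PBKDF2-HMAC-SHA256 is used here because it is in the Python standard library; the plugin's actual hash scheme, the iteration count and the configuration key names are assumptions, and the sample configuration is constructed (the legacy value is modelled as plain text).

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo; tune it to the host


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'scheme$iterations$salt$digest'. A fresh random
    salt per password means two identical passwords do not share a stored value."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def check_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != "pbkdf2-sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def migrate_escape_hatch(config: dict) -> dict:
    """Hypothetical one-shot migration of a loaded configuration: drop the recoverable
    field and store its hash instead. Key names are illustrative, not the plugin's."""
    migrated = dict(config)
    plaintext = migrated.pop("escapeHatchPassword", None)
    if plaintext is not None:
        migrated["escapeHatchPasswordHash"] = hash_password(plaintext)
    return migrated


# Constructed sample: a pre-fix configuration whose password anyone reading the file recovers.
LEGACY_CONFIG = {
    "escapeHatchEnabled": True,
    "escapeHatchUsername": "break-glass",
    "escapeHatchPassword": "correct horse battery staple",
}

if __name__ == "__main__":
    fixed = migrate_escape_hatch(LEGACY_CONFIG)
    print(fixed)
    print(check_password(fixed["escapeHatchPasswordHash"], "correct horse battery staple"))
```

After migration the on-disk record contains the scheme, salt and digest only; an attacker who reads the configuration is left with an offline guessing attack slowed down by the iteration count, which is the whole point of not relying on file-system permissions.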
🐛 Bug fixes
- Hash escape hatch password in configuration - fix CVE-2023-50770 (#287) @michael-doubez
🚩 Known issues
- Regression(#290): PKCE code verification no longer works (must be disabled in config)
4.228.v0c3e8682ff1f
4.227.v36610663f760
Fix regression (#285), introduced in v3.0, where a bug caused the redirect after login to fail when the Jenkins root URL contains a path.
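How a post-login redirect should be computed when the root URL carries a context path, and why the result must never be the logout URL (the #303 item above), as an added example that is not the plugin's code. The requested target is resolved against the root URL and accepted only if it stays on the same origin, under the root path, and off the logout path; anything else falls back to the root URL. The logout path, the function name and the sample URLs are assumptions for the demo.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit, urlunsplit

LOGOUT_PATH = "logout"  # assumed: path of the logout URL relative to the Jenkins root


def safe_post_login_target(root_url: str, requested: Optional[str]) -> str:
    """Return the URL the browser is sent to after login.

    'requested' may be an absolute URL, a root-relative path, or a path relative to
    the root URL. It is honoured only when it resolves to the same scheme and host,
    under the root URL's path, and not to the logout URL; otherwise the root URL."""
    root = urlsplit(root_url)
    root_path = root.path if root.path.endswith("/") else root.path + "/"
    if not requested:
        return root_url
    # Join against a base that ends in '/', so 'job/foo' lands under the context
    # path (/jenkins/job/foo) instead of beside it (/job/foo).
    base = urlunsplit(root._replace(path=root_path, query="", fragment=""))
    target = urlsplit(urljoin(base, requested))  # also resolves '..' and '//host' forms
    if (target.scheme, target.netloc) != (root.scheme, root.netloc):
        return root_url  # would leave this Jenkins instance
    if target.path != root_path.rstrip("/") and not target.path.startswith(root_path):
        return root_url  # same host, but outside the context path
    relative = target.path[len(root_path):] if target.path.startswith(root_path) else ""
    if relative.split("/")[0] == LOGOUT_PATH:
        return root_url  # never land on the logout URL straight after logging in
    return urlunsplit(target)


if __name__ == "__main__":
    for req in ["/jenkins/job/foo/", "job/foo/", "/jenkins/logout", "//evil.example/", "/jenkins/../admin"]:
        print(req, "->", safe_post_login_target("https://ci.example.com/jenkins/", req))
```

The same function with a root URL that has no path reduces to the usual same-origin check, so one code path serves both deployments; the `..` and `//host` cases are handled by resolving the reference first and checking the result, not by pattern-matching the raw input.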
🐛 Bug fixes
- Fix invalid redirect computation (fix #285) (#286) @michael-doubez