This release fixes a security issue in the h2 crate: RUSTSEC-2024-0003. Portier Broker is affected by this primarily in outgoing Webfinger requests or OpenID Connect discovery requests, which may use HTTP/2 connecting to untrusted hosts. Upgrading is recommended.
Various changes were made to improve compliance with the OpenID Connect specification. These are expected to be non-breaking.
state is now also returned with error responses.
The prompt parameter is now supported. For addresses that require email loop authentication, prompt=none will now always return an interaction_required error. For addresses that are forwarded to another OIDC provider (like Google), the prompt parameter is forwarded.
The auth_time claim was added to ID tokens.
nonce is now optional for the authorization code flow. (Portier clients typically use implicit flow, in which case nonce is still required.)
An invalid authorization code now properly returns the invalid_grant error.
OIDC "request objects" are now properly rejected. (These are the request and request_uri query parameters, not often used by clients.)
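The request-side rules listed above, sketched as a single validation function. This is an added example, not code from Portier Broker: `Outcome`, `validate` and `needs_email_loop` are hypothetical names, and the `request_not_supported`, `request_uri_not_supported` and `invalid_request` codes are the ones the OpenID Connect and OAuth 2.0 specifications define, assumed here because the release notes do not say which codes the broker returns.

```rust
use std::collections::HashMap;

// Hypothetical result type for this sketch; not a type from Portier Broker.
#[derive(Debug, PartialEq)]
enum Outcome {
    Proceed,
    Error { code: &'static str, state: Option<String> },
}

// `needs_email_loop` is an assumed input: true when the address can only be
// verified by emailing the user, so silent authentication is impossible.
fn validate(params: &HashMap<&str, &str>, needs_email_loop: bool) -> Outcome {
    // Every error echoes `state`, so the client can tie it to its own session.
    let state = params.get("state").map(|s| s.to_string());
    let err = |code: &'static str| Outcome::Error { code, state: state.clone() };

    // Request objects are refused rather than silently ignored.
    // Error codes are those defined by OpenID Connect Core (assumed here).
    if params.contains_key("request") {
        return err("request_not_supported");
    }
    if params.contains_key("request_uri") {
        return err("request_uri_not_supported");
    }
    // `nonce` is mandatory for implicit flow, optional for the code flow.
    let response_type = params.get("response_type").copied().unwrap_or("");
    if response_type == "id_token" && !params.contains_key("nonce") {
        return err("invalid_request");
    }
    // prompt=none forbids user interaction, which an email loop always needs.
    let prompt = params.get("prompt").copied().unwrap_or("");
    if needs_email_loop && prompt.split_whitespace().any(|p| p == "none") {
        return err("interaction_required");
    }
    Outcome::Proceed // for a forwarded address, `prompt` is passed upstream
}

fn main() {
    // Constructed sample request.
    let req = HashMap::from([
        ("response_type", "id_token"), ("nonce", "n-1"),
        ("state", "s-1"), ("prompt", "none"),
    ]);
    println!("{:?}", validate(&req, true));
}
```

On the client side, the echoed `state` should be compared with the value stored in the user's session before the error is acted on.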