4.257.v5360e8489e8b_

Fix issue(#304) caused by JWKS parsing. This release disables the signature verification if parsing failes but idtoken content is still validated.

If token verification was disabled due to previous version, it can re-activated to perform content verification. Side effect will be a unique warning at the first failure of JWKS URI parsing.

🚀 New features and improvements

• Ensure login doesn't redirect to logout URL (#303) @michael-doubez

🐛 Bug fixes

• Disable JWKS verification if not supported by client library (#308) @michael-doubez

4.250.v5a_d993226437

Improve security by verifying signature of provider's idtoken and, if applicable, userinfo. This requires the configuration of the JWKS endpoint of the provider; this is automatic if auto mode is used. At the same time, the idtoken generation and expiry times are verified as per idtoken token verification specs.

A new flag can be configured for bypassing the new checks.

🚀 New features and improvements

• Add JWKS parameters for verifying web token signatures (#297) @michael-doubez

🚩 Known issues

• Issue(#304): JWKS server URL is expected to contain alg parameter which breaks login - workaround: use new flag to disable token signature verification

👻 Maintenance

• Add open rewrite to pom.xml (#298) @michael-doubez

4.239.v325750a_96f3b_

🚀 New features and improvements

• Gracefully handle missing and invalid idtoken (#292) @michael-doubez

4.238.v0021f710b_b_f4

🌐 Localization and translation

• Add localization of help html files (#294) @michael-doubez

📦 Dependency updates

• Bump mailer from 1.34.2 to 448.v5b_97805e3767 (#293) @michael-doubez

4.236.v4124503b_a_f88

Fix regression(#290) on PKCE code verification. PKCE can be re-enabled in configuration.

🐛 Bug fixes

• Reimplement PKCE to serialize verifier in session (#291) @michael-doubez

👻 Maintenance

• Improve code cleaning (#289) @michael-doubez

📦 Dependency updates

• Jenkins minimal version to v2.361.4 (#289) @michael-doubez

4.229.vf736b_fec02f4

Fix security SECURITY-3168 regarding escape hatch password stored in a recoverable format. Instead of relying on system security, only a hash of the password is stored on disk.

🐛 Bug fixes

• Hash escape hatch password in configuration - fix CVE-2023-50770 (#287) @michael-doubez

🚩 Known issues

• Regression(#290): PKCE code verification no longer works (must be disabled in config)

4.228.v0c3e8682ff1f

🚀 New features and improvements

• Compatibility with Jenkins clustered setup (#288) @Vlatombe

🚩 Known issues

• Regression(#290): PKCE code verification no longer works (must be disabled in config)

4.227.v36610663f760

Fix regression(#285), introduced in v3.0, where a bug causes failure of redirect after login when Jenkins root url contains a path.

🐛 Bug fixes

• Fix invalid redirect computation (fix #285) (#286) @michael-doubez

4.225.v03326773b_44b_

💥 Breaking changes

• Use JMESPath for extracting idtoken and userinfo fields (#281). This introduces a break of configuration in the case a field name contains a character outside the alphanumeric range or underscore (regex [A-Za-z_0-9]); in this case, the name of the field must quoted in the configuration. In particular for the dot character: in the previous implementation, a field.name would be found, with JMES Path, the configuration of the field must be "field.name".

🚀 New features and improvements

• Use JMESPath for extracting idtoken and userinfo fields (#281) @michael-doubez

🚩 Known issues

• Regression(#285): wrong redirect after login when jenkins base url contains path

4.224.v62720cfa_026e

Fix regression(#236) introduced in v2.6 where group configuration is not taken into account.

🐛 Bug fixes

• Fix 2.6 regression on group field and deprecate Jackson parser (fix #236) (#280) @michael-doubez

🚩 Known issues

• Regression(#285): wrong redirect after login when jenkins base url contains path