Release notes: (v4.5)
v4.5.8:
- Only ‘SAML version 2’ in metadata
- Fix
ConcurrentModificationException
inProfileManager.removeOrRenewExpiredProfiles
- Security fix: cannot accept empty OIDC credentials
v4.5.7:
- Security fix on the
logoutUrlPattern
v4.5.6:
- Fix CVE-2022-22965
v4.5.5:
- Fix CVE-2021-44878
v4.5.4:
- Patch log4j v2 (CVE-2021-44228)
v4.5.1:
- Removed the ORCID OAuth client which no longer works. Use the
OidcClient
instead - Fixed PKCE OIDC flow support
v4.5.0:
- SAML2 identity provider metadata resolver can optionally be forced to download the metadata again.
- SAML2 identity provider metadata resolver is given the ability to support
last-modified
attributes for URLs. - Improve JWT parsing for nested attributes
- Avoid NPE with
null
domain for cookies onJEEContext
v4.4.0:
- For SAML IdP metadata defined as files, the metadata are reloaded if the file is changed
v4.3.0:
- Added a
ChainingConverter
for attributes - Fix expired access tokens for the OIDC protocol
v4.2.0:
- Serialize profiles in JSON (instead of using the Java serialization) for the MongoDB, SQL, LDAP and CouchDB
ProfileService
supports
v4.1.0 (see: what’s new in pac4j v4.1?):
- The
RememberMeAuthorizationGenerator
is deprecated and will be removed in the next version (v5) - The OpenID support (
YahooOpenIdClient
) is deprecated and will be removed in the next version (v5) - The
ProfileManagerFactory2
is deprecated and will be removed in the next version (v5) - Removed the
InternalAttributeHandler
- The default matchers/authorizers are
securityHeaders
/none
for web services instead ofcsrfToken,securityHeaders
/csrfCheck
for web applications
v4.0.3:
- Fix the expiration date for the SAML generated certificate
- Added a new
ValueRetriever
interface and its implementationSessionStoreValueRetriever
for the OpenID Connect protocol - Added support for PKCE to the OpenID Connect protocol RFC-7636
- Improved handling of expired tokens in
OidcProfile
v4.0.2:
- Fix the
ClassCastException
when receiving a SAML logout response - Send the access token as a header for the
GithubClient
- CAS front channel logout: fix the 401 error after the logout
- Fix default
CallbackUrlResolver
inCasClient
v4.0.1:
- Type parameters: add the
? extends Credentials
type parameter for theClient
in the return type of the methodfind
of theClientFinder
and add theUserProfile
type parameter for theProfileManager
in the return type of thegetProfileManager
method of theProfileManagerFactoryAware*
- Add setters on
Color
- Pull the
pac4j-saml-opensamlv3
dependency instead of thepac4j-saml
dependency - Remove deprecated behaviors: the retrieval of one
CommonProfile
in request or session via theProfileManager
and the retrieval of aString
as the requested URL - The default client name parameter used for security has a new value (
force_client
) to avoid conflicting with the default client name parameter (client_name
) used on the callback (the old value is still used as a fallback, but will be removed) - Allow
pac4j-saml
to store and generate SAML metadata and keystores using a REST API and provide options for extensibility so custom components can be designed and injected to manage metadata artifacts externally. Resolution of SAML2 identity provider metadata can be controlled/overridden. - Handle a strange use case for the
JEEContext
where therequest.getRequestURI()
returns a path starting by a double slash - Can return a custom profile when the authentication fails or is cancelled (“silent login”)
- Fix the CAS logout URL computation (for central logout without prefix)
- Introduce the
WebContextFactory
concept and theJEEContextFactory
implementation
v4.0.0:
- Improved the profile manager configuration
- Renamed
J2E
components asJEE
- Started updating dependencies via Renovate
- A client can return any kind of profile (using a custom
AuthorizationGenerator
orProfileCreator
) and even a minimal user profile (UserProfile
) - HTTP actions are no longer applied automatically to the web context (the
setResponseStatus
andwriteResponseContent
methods have been removed from theWebContext
interface), anHttpActionAdapter
must be used for that. Multiple HTTP actions (inheriting fromHttpAction
) are created to handle the necessary HTTP actions. TheRedirectAction
is replaced by the new HTTP actions inheriting fromRedirectionAction
. Theredirect
method is renamed asgetRedirectionAction
- By default, the CSRF check applies on the PUT, PATCH and DELETE requests in addition to the POST requests
- Renamed the
SAMLMessageStorage*
classes asSAMLMessageStore*
(based onStore
) - For
Google2Client
, change profile URL fromhttps://www.googleapis.com/plus/v1/people/me
tohttps://www.googleapis.com/oauth2/v3/userinfo
. This change is to prepare for the shutdown of Google plus API. This change will remove thebirthday
andemails
attribute forGoogle2Client
. - For an AJAX request, only generates the redirection URL when requested (
addRedirectionUrlAsHeader
property of theDefaultAjaxRequestResolver
) - Updated the APIs to use
Optional
instead of returningnull
- Use the 303 “See Other” and 307 “Temporary Redirect” HTTP actions after a POST request (
RedirectionActionHelper
) - Handles originally requested URLs with POST method
- Add HTTP POST Simple-Sign protocol implementation
- Properly handle states and nonces for multiple OIDC clients
- A profile can be renewed by its client when it’s expired
- Most web authorizers are now matchers. The default matchers are “securityHeaders,csrfToken” and the default authorizer is “csrfCheck”. Use “none” for no matcher or authorizer
- Use the
FindBest
utility class to find the best adapter, logic… - Support for the OIDC back-channel and front-channel logouts
- Load the profiles in the
ProfileManager
(from the session or not) like in theDefaultSecurityLogic
via thegetLikeDefaultSecurityLogic
andgetAllLikeDefaultSecurityLogic
methods - REVERT: remove the ID token in the
removeLoginData
method (previouslyclearSensitiveData
) - The
pac4j-saml
module is saved as the legacypac4j-saml-opensamlv3
module and upgraded to JDK 11 and OpenSAML v4
v3.9.0:
- Serialize profiles in JSON (instead of using the Java serialization) for the MongoDB, SQL, LDAP and CouchDB
ProfileService
supports
v3.8.3:
- Upgrade the nimbus-jose-jwt library to version 7.9 because of CVE-2019-17195
v3.8.2:
- Add customizable SAML post Logout URL
- QualifiedName must not be included by default in SAML authentication requests
- Added replay protectection to the SAML client.
- Fix SAML signature validation w.r.t. WantAssertionsSigned handling. Signing is now always required, even when WantAssertionsSigned is disabled. WantAssertionsSigned now requires explicit signing of the assertions, not the response.
- Added support for the SAML artifact binding for the authentication response.
- Sign metadata when configured to do so and open up the metadata generation API for customization.
- Never sign AuthnRequests with XMLSig when using REDIRECT binding, signing is done via the Signature query parameter.
- Added support for LinkedIn v2 API
- Added support for FigShare
v3.7.0:
- Fix SAML SP metadata signature
- CAS improvements: better service requests detection, support of the CAS server
method
parameter - Fix the
CasRestProfile
with JWT - Add HTTP POST Simple-Sign protocol implementation
- Add the
get
,post
,put
anddelete
matchers based on theHttpMethodMatcher
when not defined
v3.6.1:
- Fix Google OAuth support
v3.6.0:
- Multiple authn context class refs can be set in the SAML protocol support
- For
Google2Client
, change profile url fromhttps://www.googleapis.com/plus/v1/people/me
tohttps://www.googleapis.com/oauth2/v3/userinfo
. This change is to prepare for the shutdown of Google plus API. This change will make thebirthday
attribute returnnull
andemails
attribute resolve a single email fromemail
attribute forGoogle2Client
. - Clean shutdown of the
SAML2Client
via thedestroy
method - Do not clear the ID Token as a sensitive data in the
OidcProfile
- Improve signature and digest methods for SAML metadata
- Enhance OAuth 2 generic support
- Use the NameID as the fallback of the SessionIndex for the SAML SLO support
v3.5.0:
- Added
UserInfoOidcAuthenticator
to authenticate a user based on an access token received from an OpenID Connect login process - Updated the OpenID Connect/JWT dependencies (v6)
- Added
DirectBearerAuthClient
- Handled the inResponseTo and the RelayState in the logout response (SAML)
- Added
trustedClasses
to theJavaSerializationHelper
v3.4.0:
- Added ability to create a composition of authorizers (conjunction or disjunction)
- SAML SLO support with SOAP (ingoing only), HTTP-POST and HTTP-Redirect bindings
- OpenID Connect improvements: supports multiple JWS algorithms from the identity server, retrieves the Keycloak roles
v3.3.0:
- Improve SAML support: always return a default key which is a private one, add a SingleLogoutService URL in the SP metadata, make local and central logouts work together, allow attributes to be mapped to new names
- Default state generation can be overriden by your own
StateGenerator
for the OAuth, OpenID Connect and SAML protocols - Custom OpenSAML bootstrapping in SAML authentication module
- X509 certificate support
v3.2.0:
- Allow to set the
profileId
for theGenericOAuth20Client
- Fixed the
setConfiguration
method name in the OAuth v2.0 support - Optionally sign or specificy requested attributes in the SAML SP metadata
- Update to Scribejava v5.6.0
- Added support for HiOrg-Server (OAuth)
- Revised OAuth error handling for extracting user profiles. Now, an exception is thrown instead of returning an empty profile
- Fix the
Access-Control-Expose-Headers
name and theAccess-Control-Allow-Credentials
header verification
v3.1.0:
- Added attribute merging capabilities for the user profile: multiple attributes with the same name and value of the collection type can be merged into a single attribute
- Added Weibo, QQ and Wechat (OAuth) supports
v3.0.3:
AzureAdClient
uses thePathParameterCallbackUrlResolver
by default
v3.0.2:
- Properly handles all the HTTP codes in the
setResponseStatus
method of theJ2EContext
- Added the
setExcludedPath
andsetExcludedPattern
methods to thePathMatcher
class (for Shiro)
v3.0.1:
- The
ProfileHelper.flatIntoOneProfile
method returns anAnonymousProfile
(instead of empty) if it’s the only profile
v3.0.0:
- Handle AJAX requests in the OpenID Connect logout
- All session interactions are done via the
SessionStore
(retrieved from theWebContext
) - All exceptions (especially
HttpAction
) are unchecked - Upgraded dependencies
- Added “multi-tenancy” capabilities: you can dynamically define multiple callback URLs for the same client, except for SAML for which you need as many
SAML2Client
as the number of different callback URLs you want - The
CallbackUrlResolver
computes the callback URL (using a query parameter or a path parameter to define the client), based on theUrlResolver
which computes a URL - You can define an error (page) URL at the logics’ level to handle unexpected exceptions
- The SAML Keystore alias can be defined via a property; SAML date comparisons are now UTC-based
- The client name is not set at the credential’s level
- The username of the
AzureAdProfile
is the UPN - The issue time is generated and an expiration date can be used for a JWT
- The OpenID Connect user profile can be expired
- In the
J2EContext
, header names are checked in a case-insensitive way - Supports the
javax.faces.partial.ajax
parameter for AJAX requests - If only one client is defined in the configuration, it is used as a fallback on the security and callback endpoints