v3.2.0 (2023-07-14)
Added
- [SDK-4410] Support Organization Name in JWT validation #184 (stevehobbsdev)
Fixed
- fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests #165 (stevehobbsdev)
v3.1.1 (2023-03-01)
Fixed
- fix: upgrade to Sinatra 3 and use Rack::Session::Cookie in tests #165 (stevehobbsdev)
v3.1.0 (2022-11-04)
Changed
- Store plain Hash in session['authorize_params'] #150 (santry)
- Redesign readme to match new style #148 (stevehobbsdev)
Fixed
- Fix authentication hash link in code sample #153 (ewanharris)
Security
- [Snyk] Fix for 1 vulnerabilities #149 (snyk-bot)
- Bump addressable from 2.7.0 to 2.8.0 #133 (dependabot[bot])
- [Snyk] Security upgrade webmock from 3.12.2 to 3.12.2 #134 (snyk-bot)
v3.0.0 (2021-04-14)
Version 3.0 introduces OmniAuth v2.0, which addresses CVE-2015-9284. OmniAuth now defaults to POST as the only allowed request_phase method. This was previously handled through the recommended mitigation of using the omniauth-rails_csrf_protection v0.x.x gem to provide CSRF protection.
If you are using omniauth-rails_csrf_protection to provide CSRF protection, you will need to upgrade to 1.x.x.
Now that OmniAuth defaults to POST as the only allowed request_phase method, you will need to convert any login links to use form helpers with the POST method, if you aren't already doing so.
# OLD -- GET request (a plain link; any third-party page can trigger it, which is the CVE-2015-9284 login-CSRF vector)
<a href='/auth/auth0'>Login</a>
# NEW Example #1 -- POST request (link_to with method: :post needs rails-ujs to turn the click into a form submit)
<%= link_to 'Login', '/auth/auth0', method: :post %>
# NEW Example #2 -- POST request (button_to renders a small form with the authenticity token)
<%= button_to 'Login', '/auth/auth0', method: :post %>
# NEW Example #3 -- POST request (explicit form; form_tag adds the authenticity token)
<%= form_tag('/auth/auth0', method: :post) do %>
<button type='submit'>Login</button>
<% end %>
If you absolutely must allow GET requests as a request method for authentication, you can override the protection with the following config override:
# Allowing GET requests will expose you to CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:get, :post]
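To make the effect of the POST-only default and of the override concrete, here is an added Ruby model of a request-phase guard. It is example code written for this changelog entry, not code from the omniauth-auth0 gem or from OmniAuth itself: RequestPhaseGuard, csrf_token_for and call are hypothetical names, the Rack-like env hashes are constructed, and the per-session token stands in for what omniauth-rails_csrf_protection supplies in a Rails app. It shows a GET login link being refused by default, a POST form with a valid token proceeding, a POST with a bad token being refused, and the same GET link proceeding with no token check once allowed_request_methods includes :get.

```ruby
# Added example (not omniauth-auth0 or OmniAuth code): a minimal model of the
# OmniAuth 2.x request-phase guard. POST-only by default closes the login-CSRF
# path of CVE-2015-9284; widening allowed_request_methods to GET re-opens it.
# Class and method names are hypothetical; the requests below are constructed.
require 'securerandom'
require 'uri'

class RequestPhaseGuard
  # Plays the role of OmniAuth.config.allowed_request_methods: POST only by default.
  attr_accessor :allowed_request_methods

  def initialize(allowed_request_methods: [:post])
    @allowed_request_methods = allowed_request_methods
  end

  # Issue a per-session CSRF token that the app embeds in its login form
  # (the job omniauth-rails_csrf_protection does in a Rails app).
  def csrf_token_for(session)
    session[:csrf_token] ||= SecureRandom.hex(16)
  end

  # Decide whether a request may start the OAuth request phase.
  # env is a tiny Rack-like hash: REQUEST_METHOD and rack.input (the body as a string).
  # Returns [status, reason]: 302 means "redirect to Auth0", 405/403 mean rejected.
  def call(env, session)
    method = env['REQUEST_METHOD'].downcase.to_sym
    return [405, 'method not allowed'] unless allowed_request_methods.include?(method)

    # A GET gets this far only when the operator opted back in via the override;
    # a link on any other site can trigger it and there is no token to check.
    return [302, 'redirect to /authorize (unprotected GET)'] if method == :get

    params = URI.decode_www_form(env['rack.input'].to_s).to_h
    expected = session[:csrf_token]
    submitted = params['authenticity_token']
    unless expected && submitted && same_token?(expected, submitted)
      return [403, 'csrf token missing or invalid']
    end
    [302, 'redirect to /authorize']
  end

  private

  # Compare every byte instead of stopping at the first mismatch.
  def same_token?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed requests: a bare GET link, a POST form carrying the session's
# token, and a POST carrying a token the session never issued.
def demo
  session = {}
  guard = RequestPhaseGuard.new
  token = guard.csrf_token_for(session)

  get_link  = { 'REQUEST_METHOD' => 'GET', 'rack.input' => '' }
  post_form = { 'REQUEST_METHOD' => 'POST', 'rack.input' => "authenticity_token=#{token}" }
  forged    = { 'REQUEST_METHOD' => 'POST', 'rack.input' => 'authenticity_token=deadbeef' }

  results = {
    default_get:    guard.call(get_link, session).first,  # 405: GET login links stop working
    default_post:   guard.call(post_form, session).first, # 302: form with the session token proceeds
    default_forged: guard.call(forged, session).first     # 403: wrong token is rejected
  }

  # The override from the changelog entry above: GET is accepted again, with no token check.
  guard.allowed_request_methods = [:get, :post]
  results[:override_get] = guard.call(get_link, session).first # 302
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The 405 for the bare GET is the visible symptom a site sees after upgrading without converting its login links, and the 302 under the override is exactly why the comment in the changelog warns that allowing GET exposes you to CVE-2015-9284.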
v2.6.0 (2021-04-01)
Added
- Org Support [SDK-2395] #124 (davidpatrick)
- Add login_hint to permitted params #123 (Roriz)
v2.5.0 (2021-01-21)
Added
- Parsing claims from the id_token #120 (davidpatrick)
Fixed
- Fixes params passed to authorize #119 (davidpatrick)
v2.4.2 (2021-01-19)
Fixed
- Lock Omniauth to 1.9 in gemspec
v2.4.1 (2020-10-08)
Fixed
- Verify the JWT Signature #109 (jimmyjames)
v2.4.0 (2020-09-22)
Security
- Bump rack from 2.2.2 to 2.2.3 #107 (dependabot)
- Update dependencies #100 (Albalmaceda)
Added
- Add support for screen_hint=signup param #103 (bbean86)
- Add support for connection_scope in params #99 (felixclack)
v2.3.1 (2020-03-27)
Fixed bugs:
- Fixes dependency issue #97 (davidpatrick)
- Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" #96 (stefanwork)
v2.3.0 (2020-03-06)
Added
- Improved OIDC Compliance #92 (davidpatrick)
v2.2.0 (2018-04-18)
Closed issues
- It supports custom domain? #71
- Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil #70
Added
- Custom issuer #77 (ryan-rosenfeld)
- Add telemetry to token endpoint #74 (joshcanhelp)
Changed
- Remove telemetry from authorize URL #75 (joshcanhelp)
v2.1.0 (2018-10-30)
Closed issues
- URL should be spelled uppercase outside of code #64
- Add prompt=none authorization param handler #58
- Could not find a valid mapping for path "/auth/oauth2/callback" #56
- I had to downgrade my gems to use this strategy :-( #53
- CSRF detected #49
- /auth/:provider route not registered? #47
Added
- Add ID token validation #62 (joshcanhelp)
- Silent authentication #59 (batalla3692)
- Pass connection parameter to auth0 #54 (tomgi)
Fixed
- Fix Rubocop errors #66 (joshcanhelp)
- Fix minute bug in README.md #63 (rahuldess)
v2.0.0 (2017-01-25)
Updated library to handle OIDC conformant clients and OAuth2 features in Auth0.
This affects how the credentials
and info
attributes are populated since the payload of /oauth/token and /userinfo are different when using OAuth2/OIDC features.
The credentials
hash will always have an access_token
and might have a refresh_token
(if it's allowed in your API settings in Auth0 dashboard and requested using offline_access
scope) and an id_token
(scope openid
is needed for Auth0 to return it).
The info
object will use the OmniAuth schema after calling /userinfo:
- name:
name
attribute in userinfo response orsub
if not available. - email:
email
attribute in userinfo response. - nickname:
nickname
attribute in userinfo response. - image:
picture
attribute in userinfo response.
Also in extra
will have in raw_info
the full /userinfo response.
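As an added illustration of the auth hash shape described above (example code, not the gem's own strategy), the following Ruby builds credentials, info and extra from the two Auth0 responses. build_auth_hash is a hypothetical name, and the two JSON bodies are constructed samples: the token response carries an id_token but no refresh_token, and the userinfo response has no name claim, so the name falls back to sub as the entry says. Using sub as the uid is an assumption of this example, since the entry does not describe uid.

```ruby
# Added example (not omniauth-auth0 code): map the /oauth/token and /userinfo
# responses onto the OmniAuth auth hash described in the v2.0.0 entry.
# build_auth_hash is a hypothetical name; the sample responses are constructed.
require 'json'

# token_json: body of the POST /oauth/token response.
# userinfo_json: body of the GET /userinfo response.
def build_auth_hash(token_json, userinfo_json)
  token = JSON.parse(token_json)
  userinfo = JSON.parse(userinfo_json)

  # credentials: access_token is always present; refresh_token only when the API
  # allows it and offline_access was requested; id_token only with the openid scope.
  credentials = { 'access_token' => token.fetch('access_token') }
  credentials['refresh_token'] = token['refresh_token'] if token['refresh_token']
  credentials['id_token'] = token['id_token'] if token['id_token']

  # info: OmniAuth schema keys filled from userinfo; name falls back to sub.
  # Keys stay present with nil values when the claim is absent.
  info = {
    'name'     => userinfo['name'] || userinfo['sub'],
    'email'    => userinfo['email'],
    'nickname' => userinfo['nickname'],
    'image'    => userinfo['picture']
  }

  {
    'provider'    => 'auth0',
    'uid'         => userinfo.fetch('sub'), # assumption: sub is the stable user id
    'credentials' => credentials,
    'info'        => info,
    'extra'       => { 'raw_info' => userinfo } # the full /userinfo response
  }
end

# Constructed sample responses (no real tokens or users).
TOKEN_RESPONSE = {
  access_token: 'constructed-access-token',
  id_token: 'constructed-id-token',
  token_type: 'Bearer'
}.to_json

USERINFO_RESPONSE = {
  sub: 'auth0|constructed-user-id',
  nickname: 'jdoe',
  email: 'jdoe@example.com',
  picture: 'https://example.com/jdoe.png'
}.to_json

puts JSON.pretty_generate(build_auth_hash(TOKEN_RESPONSE, USERINFO_RESPONSE)) if $PROGRAM_NAME == __FILE__
```

Because the mapping never invents values, an identity provider that returns no email or nickname produces nil for those info keys, which is the behaviour seen in the "email=nil image=nil" report under v2.2.0.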
Fixed
- Use image attribute of omniauth instead of picture #45 (hzalaz)
- Rework strategy to handle OAuth and OIDC #44 (hzalaz)
- lock v10 update, dependencies update #41 (Amialc)
v1.4.2 (2016-06-13)
Added
- Link to OmniAuth site #36 (jghaines)
- add ssl fix to RoR example #31 (Amialc)
- Update LICENSE #17 (aguerere)
Fixed
- Fix setup #38 (deepak)
- Added missing instruction #30 (Annyv2)
- Fixes undefined Auth0Lock issue #28 (Annyv2)
- Update Readme #27 (Annyv2)
v1.4.1 (2015-11-18)
Merged pull requests:
- Updating the strategy to set the refresh token in the credentials #14 (LindseyB)
- Update README.md #13 (Annyv2)
- Update home.js #12 (Annyv2)
- Add nested module in version.rb #9 (l4u)
v1.4.0 (2015-06-01)
Merged pull requests:
- Client headers #8 (benschwarz)
- Web application seed with Lock #5 (sandrinodimattia)
- Create LICENSE.md #4 (pose)
- Update README.md #3 (pose)
- Fix Markdown typo #2 (dentarg)
* This Change Log was automatically generated by github_changelog_generator