Changes
Upstream Identity Providers
To provide additional compatibility with some upstream providers like Active Directory Federation Services (ADFS), some changes have been applied to Rauthy's behavior.
The first change is that the HTTP client used for upstream logins no longer forces TLS v1.3 but also allows TLS v1.2. Both v1.2 and v1.3 are considered secure by current standards. This is necessary because some OSes, like Windows Server 2019, do not support TLS 1.3.
The second change concerns the way upstream providers are configured. Until now, Rauthy sent the client credentials both as HTTP Basic Authentication in the headers and in the request body, for maximum compatibility. However, some IdPs (like ADFS, for instance) reject this and expect the credentials in exactly one place. To make this configurable, there are 2 new fields in the upstream IdP configuration:
```
client_secret_basic: bool
client_secret_post: bool
```
These are available as switches in the Admin UI for each upstream provider. To avoid introducing a breaking change, all existing configurations will have both options enabled, which matches the behavior up until now. Disable one of them for providers that complain about duplicated credentials; at least one must stay enabled or the token request cannot be authenticated.
Note
Even though this changes the request and response objects on the API, this change is NOT being handled as a breaking change. API clients are forbidden to modify upstream IdPs for security reasons, which means this change should only affect the Rauthy Admin UI.
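To make the two switches concrete, the following is an added example (not Rauthy's code) that builds an authorization_code token request the way the two options imply: `client_secret_basic` puts the credentials into an HTTP Basic header per RFC 6749 section 2.3.1 (form-urlencode the id and the secret, join with `:`, then base64), and `client_secret_post` puts them into the form body. The function names, the sample client id/secret and the `credential_locations` check are this example's own assumptions, not part of Rauthy's API.

```python
import base64
from urllib.parse import quote, unquote, urlencode

# Constructed sample values for an upstream IdP registration (not real credentials)
CLIENT_ID = "rauthy"
CLIENT_SECRET = "s3cr3t"


def build_token_request(code, redirect_uri, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                        client_secret_basic=True, client_secret_post=True):
    """Return (headers, body) for an authorization_code token request to an upstream IdP.

    Hypothetical helper modelling the two new upstream IdP switches, not Rauthy's code.
    Both switches enabled reproduces the old behavior that providers like ADFS reject;
    disabling one of them sends the secret in exactly one place.
    """
    if not (client_secret_basic or client_secret_post):
        raise ValueError("enable at least one of client_secret_basic / client_secret_post")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if client_secret_basic:
        # RFC 6749 2.3.1: id and secret are form-urlencoded before being joined and base64'd,
        # so a ':' or '%' inside the secret cannot corrupt the header.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    if client_secret_post:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    return headers, urlencode(form)


def credential_locations(headers, body):
    """Report where the client secret ends up: the check a strict IdP effectively performs."""
    where = set()
    if headers.get("Authorization", "").startswith("Basic "):
        where.add("header")
    if "client_secret=" in body:
        where.add("body")
    return where


def decode_basic(headers):
    """Reverse the Basic header back to (client_id, client_secret) for inspection."""
    raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
    cid, secret = raw.split(":", 1)
    return unquote(cid), unquote(secret)


if __name__ == "__main__":
    for basic, post in ((True, True), (True, False), (False, True)):
        h, b = build_token_request("code123", "https://rauthy.example/auth/v1/providers/callback",
                                   client_secret_basic=basic, client_secret_post=post)
        print(f"basic={basic} post={post} -> secret sent in {sorted(credential_locations(h, b))}")
```

Running the script shows the three combinations; the `(True, True)` case is the legacy "both places" request, the other two are what you get after flipping one switch off in the Admin UI.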
Github as Upstream IdP
Github is special and does its own, annoying thing that must be handled to make it usable as an upstream IdP. An issue was found when someone tries to log in with an account that has no publicly shown email address. In this worst case, a successful login via Github that retrieves all necessary information (an email address is mandatory for Rauthy) needs 3 different API requests.
This version also makes it possible to log in via the Github IdP with an account that has only private email addresses. A different scope for the login is necessary to make this possible. The template in the UI has been updated, but this will not affect existing Github IdP providers. If you are currently using Github as upstream IdP, please change the scope manually from `read:user` to `user:email`.
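As an added example (not Rauthy's code), the following walks through a Github login for an account whose email is private and shows the one decision that matters for security: only a verified address may be bound to the Rauthy account. The page does not name the three requests; this example assumes the usual sequence of the token exchange at `login/oauth/access_token`, then `GET /user`, then `GET /user/emails` (which is the call that needs the `user:email` scope). The Github responses are constructed test data, and the `fetch` callable is injected so the script runs offline.

```python
from urllib.parse import urlencode

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN = "https://github.com/login/oauth/access_token"
GITHUB_USER = "https://api.github.com/user"
GITHUB_EMAILS = "https://api.github.com/user/emails"


def authorize_url(client_id, redirect_uri, state, scope="user:email"):
    """Authorization redirect using the scope the changelog asks for (user:email, not read:user)."""
    return GITHUB_AUTHORIZE + "?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
    })


def pick_email(emails):
    """Choose the address to bind the account to from the /user/emails list.

    Only verified addresses are acceptable: accepting an unverified one would let a Github
    user claim somebody else's address. Among the verified ones, prefer the primary address.
    """
    verified = [e for e in emails if e.get("verified") is True]
    chosen = [e for e in verified if e.get("primary")] or verified
    if not chosen:
        raise LookupError("Github account has no verified email; login cannot complete")
    return chosen[0]["email"]


def resolve_github_login(fetch, code, client_id, client_secret, redirect_uri):
    """The three requests needed when the profile email is private.

    fetch(method, url, headers, form) -> parsed JSON is injected by the caller (assumption of
    this example) so that the flow can be exercised without network access.
    """
    token = fetch("POST", GITHUB_TOKEN, {"Accept": "application/json"}, {   # request 1
        "client_id": client_id, "client_secret": client_secret,
        "code": code, "redirect_uri": redirect_uri,
    })
    if "access_token" not in token:
        raise PermissionError(f"token exchange failed: {token}")
    hdrs = {"Authorization": f"Bearer {token['access_token']}",
            "Accept": "application/vnd.github+json"}
    user = fetch("GET", GITHUB_USER, hdrs, None)      # request 2: id and login; email may be null
    emails = fetch("GET", GITHUB_EMAILS, hdrs, None)  # request 3: needs the user:email scope
    return {"sub": str(user["id"]), "login": user["login"], "email": pick_email(emails)}


# Constructed Github responses for an account with only private addresses (not captured data).
FAKE_RESPONSES = {
    ("POST", GITHUB_TOKEN): {"access_token": "gho_fake", "token_type": "bearer", "scope": "user:email"},
    ("GET", GITHUB_USER): {"id": 4242, "login": "octocat", "email": None},
    ("GET", GITHUB_EMAILS): [
        {"email": "old@example.org", "primary": False, "verified": False, "visibility": None},
        {"email": "octo@example.org", "primary": True, "verified": True, "visibility": "private"},
    ],
}


def fake_fetch(method, url, headers, form):
    """Stand-in HTTP client returning the constructed responses above."""
    return FAKE_RESPONSES[(method, url)]


def demo():
    return resolve_github_login(fake_fetch, "code123", "cid", "csecret", "https://rauthy.example/cb")


if __name__ == "__main__":
    print(authorize_url("cid", "https://rauthy.example/cb", "state123"))
    print(demo())
```

With the old `read:user` scope the third request is rejected by Github, which is why the profile's `email: null` left the login without a usable address; with `user:email` the list is returned and the verified primary entry is selected.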
Bugfix
- When deleting a custom scope that was mapped only to a client's default scopes but not to its free scopes, the mapping was skipped during the client cleanup and was left over after the deletion, which required a manual cleanup afterward.
#663