All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Use `version_compare` and `IConfig::getSystemValueString` instead of `$OC_Version` @julien-nc #1425
- Add debug log when storing state in PHP session during code flow @julien-nc #1412
- Optimize user counting @CarlSchwan @solracsf #1418
- Modernize user backend @CarlSchwan @solracsf #1419
- Harden UserBackend::provisionUser and UserBackend::checkFirstLogin @CarlSchwan @solracsf #1420
- Only redirect to login flow when request comes from a navigation context, add support for storing multiple states and clean up flow session values on failure @julien-nc #1410
- Use new IAlternativeLoginProvider interface when available for alternative login methods @CarlSchwan @julien-nc #1413
- Optimize LDAP user deleted check to avoid unnecessary LDAP lookups @CarlSchwan #1414
- Remove ServerVersion usage @CarlSchwan #1407
- Trigger UserFirstTimeLoggedInEvent on first login @CarlSchwan #1401
- Refresh stored login tokens during active user sessions so IdP SSO sessions stay alive while users keep working @solracsf #1391
- Move time handling to `ITimeFactory` across token, discovery, login, ID4ME, and backend flows to align with newer platform APIs @solracsf #1392
- Add explicit return types to provider management `occ` commands for cleaner command API compatibility @CarlSchwan #1400
- Remove the duplicate legacy API controller and keep the OCS API controller as the single implementation for provisioning endpoints @julien-nc #1403
- Add Microsoft Graph support and an `occ` option to resolve Entra ID group GUIDs to group names @small1 @julien-nc #1379
- Hide provider secrets by default in `occ providers` output @julien-nc #1385
- Replace deprecated backend APIs and adjust Psalm coverage for newer Nextcloud methods @CarlSchwan @julien-nc #1372
- Update tests for PHPUnit deprecations and refresh composer dependencies @julien-nc #1382
- Avoid validating non-Bearer `Authorization` header values in the user backend @julien-nc #1386
- Stop logging sensitive data during OIDC processing @julien-nc #1380
- Set the user session after successful bearer token validation so injected user IDs stay available @hangerrits @solracsf #1376
- Improve single logout JWT decode error reporting for too-short GSS secrets @nfebe #1374
- Support dotted claim names when resolving nested OIDC claims @strobelpierre #1375
- Stop using removed `OC\Server::getAppManager()` accessors and update related logout tests @julien-nc #1371
- Fix UserCreatedEvent dispatch crashing when user is null (disable_account_creation is enabled) @solracsf #1367
- Emit UserCreatedEvent when creating a user in our backend @julien-nc #1353
- Add appconfig setting to allow login over unencrypted HTTP @mejo- #1347
- Add group whitelist check when authenticating with bearer token @julien-nc #1359
- More debug logs when enriching the id token with the userinfo endpoint @julien-nc #1346
- Allow disabling the userinfo claim @carlottostromstedt #1348
- Make the settings controller an OCS one @julien-nc #1356
- feat(upsert): new options to read client secret from env var or file @julien-nc #1324
- Add documentation for the different types of group claims @s3n-w6i #1339
- Handle string Content-Type headers during avatar provisioning @mod242 #1302
- fix(discovery): do not cache the discovery response if it can't be decoded @julien-nc #1304
- fix(jwks): filter unsupported key types to prevent Firebase JWT crash @strobelpierre #1333
- canonicalize locale string @alejo7797 #1336
- fix(id4me): use mozart to move id4me/id4me-rp in lib/Vendor and adjust its namespace so it is not imported by other files in Nextcloud @julien-nc #1337
- fix(ldap-service): in LdapService::isLdapDeletedUser, make an early return to false if the user_ldap app is NOT enabled @julien-nc #1340
- Add UI warning explaining the consequence of disabling unique user IDs @julien-nc #1284
- Make db entity attribute names camel case, use OCP\DB\Types constants @julien-nc #1278
- Implement locking for token refresh @solracsf #1277
- Validate signature of id4me login tokens @julien-nc #1285
- More checks when getting an avatar from a URL @julien-nc #1286
- Avoid using methods that went from private to public in the last release @julien-nc
- Remove classmap-authoritative that produces an upgrade bug @julien-nc
- Add EdDSA to the algorithm mapping in DiscoveryService @solracsf #1236
- Add key strength validation for cryptographic keys @solracsf @julien-nc #1237 #1272
- Command to list all providers and their configuration @julien-nc #1271
- Use lazy loading for all config values @julien-nc #1262
- Use controller method attributes instead of doc annotations
- Modernize settings @julien-nc #1266
- Use IAccountManager constants in provisioning service @julien-nc #1269
- Reduce log level of non-critical messages in TokenInvalidatedListener @julien-nc #1270
- Improve check on redirect URL @julien-nc #1273
- Stricter typing in query builder method calls @julien-nc #1251
- Update EdDSA mapping to OKP in DiscoveryService @joshtrichards #1254
- Add locale mapping @julien-nc #1213
- Explain jwks cache invalidation in the README @julien-nc #1225
- Add more debug log when a group does not match the whitelist regex @julien-nc #1228
- Handle missing KID in JWT token @solracsf #1220
- Handle AppConfigTypeConflictException when getting/setting allow_multiple_user_backends @julien-nc #1209
- Add pronouns and birthdate mapping, factorize simple mapping attributes handling when provisioning @julien-nc #1102
- Add optional provider-specific post_logout_uri setting, pass it as a GET param to the end_session_endpoint @julien-nc #1120
- Add support for Nextcloud 33
- Allow setting the default token endpoint auth method in config.php (if `token_endpoint_auth_methods_supported` is not set in the discovery payload) @julien-nc #1199
- Adjust testing matrix for Nextcloud 32 on main @nickvergessen #1196
- Drop support for Nextcloud 28, remove deprecated IConfig::setAppValue usages @julien-nc #1200
⚠️ Use client_secret_basic as token endpoint auth by default, use client_secret_post if supported @julien-nc #1199
- React to a user session being revoked, end the IdP session @julien-nc #1181
- Only check oidc login token if logged in via user_oidc @julien-nc #1162
- fix(backchannel-logout): handle those logout token cases: sid, sid+sub, sub. If only sub is set: kill all sessions for this sub @julien-nc #1184
- fix(bearer-validation): fix mistake in soft auto provisioning logic, same as #1170 @julien-nc #1192
- fix(backend-registration): use OC_User::useBackend before 32 @julien-nc #1193
- Update dependencies, adjust GH actions, adjust tests to phpunit 10 @julien-nc #1177
- Use OCP InvalidTokenException instead of the OC one @julien-nc #1179
- Replace deprecated OC_User::useBackend with OCP\IUserManager::registerBackend @julien-nc #1168
- Only use the prompt param for the authorization and token endpoints if defined in NC config, drop 'consent' as the default @julien-nc #1176
- Fix broken soft-auto-provisioning @julien-nc @jonas2515 #1170
- Call userinfo on login to enrich the login ID token @julien-nc #1041
- feat(settings): ask for a confirmation before deleting a provider @julien-nc #1144
- Allow nested claim mapping for groups @andreblanke #1149
- Optionally allow self-signed SSL verification and support for oidc prompt @elyerr #1151
- chore(tests): Cleanup bootstrap.php to be forward-compatible @come-nc #1122
- Use Psalm 6.7 @julien-nc #1131
- Improve the NC error page when the IdP auth fails @julien-nc #1138
- Migrate to vue 3, nc/vue 9, stick with webpack @julien-nc #1141
- Use outlined icons @julien-nc #1146
- Add warning log with more data when there is a code state mismatch @julien-nc #1157
- Use custom error/403 template that includes a 'back to nextcloud' button @julien-nc #1156
- Add debug logs including the session ID when setting and getting the login token @julien-nc #1134
- Add debug logs when getting the JWKs @julien-nc #1135
- fix(gss): set the gss session data in the controller rather than in the service @julien-nc #1123
- In single-logout, if the provider is not found and we are in SSO mode, use the one and only provider to make sure we logout in the IdP and avoid being immediately logged in NC again @julien-nc #1155
- Provider-specific setting to enable support for nested claims and fallback attribute mapping @dragonpil #1103
- Allow requesting scopes when using ExchangedTokenRequestedEvent event @saw-jan #1099
- Allow requesting scopes when using InternalTokenRequestedEvent event @saw-jan #1098
- Make settings form footer sticky @julien-nc #1107
- Fix serialization of requested claims to avoid empty arrays resulting in JSON arrays instead of objects @julien-nc #1093
- Fix grammar @rakekniven #1104
- Clarify token request events @julien-nc #1082
- Add ability to set a custom login button label @julien-nc #1070
- Add support for bearer token validation and generation by the OIDC Identity Provider app via events @julien-nc #1040
- Prepare for transifex sync @julien-nc #1071
- Remove AZP check when validating a bearer ID token @julien-nc #1039
- Bump min NC version to 28 to make sure we have `OCP\Authentication\Token\IToken` @julien-nc #1061
- Properly avoid password confirmation with user_oidc by adding the SCOPE_SKIP_PASSWORD_VALIDATION scope to the session tokens @julien-nc #1061
- Fix scope for the role account property @julien-nc #1069
- Add missing group-provisioning options in upsert command @bjalbor #1063
- Dispatch prelogin event before login event @ArtificialOwl #1065
- Support NC 32 @nickvergessen #1029
- Map the user language @julien-nc #1046
- Adjustment for GSS @julien-nc #1053
- Replace broken jumpstart docs link @joshtrichards #1045
- Fetch default privacy scopes and set properties appropriately @bjalbor #1048
- Backchannel logout token may not contain "sub" @prigaux #1049
- Fix '"kid" invalid, unable to lookup correct key' when keys are rotated @Adphi #1035
- Fix(ProvisioningService): Handle `InvalidArgumentException` when updating account @susnux #1058
- Fix crash when storing a token without refresh_expires_in or refresh_token @julien-nc #1025
- Disable token exchange mechanism by default @julien-nc #1025
- Support for Global Scale (globalsiteselector app) @julien-nc #1011
- Add whitelist regular expression for group provisioning @bergerar #884
- Optionally restrict login to users matching a certain group @bergerar #884
- Token exchange mechanism for other apps @julien-nc #974
- Password confirmation in admin settings @janepie #991
- Add option to configure bearer provisioning via occ @janepie #1003
- Add config value to make the email match optional when searching for a user or a display name @julien-nc #1014
- Make the app Reuse compliant @AndyScherzinger #975
- Add support for comma-separated groups in group mapping attribute @julien-nc #1006
- Update cache when discovery endpoint is changed @janepie #1002
- Set fallback redirect URL for login if already logged in @janepie #1001
- Fix redirect URI when Nextcloud is accessed at a sub path @bdovaz #990
- Handle redirect URL containing a ':' @artonge #1008
- Avoid slow queries in scenarios where we do not need a search @juliusknorr #1019
- Adjust provisioning service to correctly update the display name on login @julien-nc #979
- Fix state token missing while trying to login using Nextcloud Desktop (login flow) @joselameira #971
- Ensure providerClientId is declared when validating bearer tokens @artonge #969
- feat(provisioning): New system config flag to disable user creation in soft auto provisioning @julien-nc #954
- feat(ApiController): Add endpoint to de-provision user @edward-ly #960
- Add an OCS API controller for pre-provisioning and de-provisioning @julien-nc #963
- Make aud and azp checks optional when logging in or validating a bearer token @julien-nc #921
- Bump max NC version to 31
- Fix provisioning mistake when setting role @julien-nc #930
- Fix LoginController: revert default `token_endpoint_auth_method` value @edward-ly #946
- Fix integration tests sometimes not finding docker-compose but 'docker compose' @julien-nc #953
- Backchannel logout endpoint should only return 200 or 400 @julien-nc #955
- Use correct userId when getting user folder in provisioning endpoint if unique-uid is enabled @julien-nc #958
- Re-enable PKCE by default (if supported by the IdP) @edward-ly #956
- Prevent redirecting to an absolute URL after login @julien-nc #961
- Fix provisioning: If address attr is an object but can't be parsed to an array, give null to the 'attr mapped' event @julien-nc #948
- Many fixes in ProvisioningService @julien-nc #905
- Update npm pkgs
- Use nextcloud/vue 8.15.0
- Support more token endpoint authentication methods @xataxxx #897
- Set avatar on login @julien-nc #838
- Fix small accessibility issue with NcModal @julien-nc
- Support search by email in the user backend @tcoupin #815
- Improve the stub so it's not confusing IDEs @nickvergessen @julien-nc #862 #863
- Set group displayname when provisioning @towo @julien-nc #880
- Add issuer, audience and azp checks in bearer token validator @julien-nc #864
- Allow to disable default quota, displayName, groups and email claims @julien-nc #883
- Fix, improve and refactor the upsert occ command @julien-nc #860
- Fix biography attr being used to set the account gender @julien-nc #888
- Update npm packages
- Stop using missing OC::->getEventDispatcher method (dropped in NC 28) @julien-nc #818
- Soft auto-provisioning @julien-nc #730
- Prevent using ID4ME routes if ID4ME is disabled @julien-nc
- Fix(login): user get null check @skjnldsv #789
- Customizable end session endpoint @nc-fkl #724
- Implement ICountUsersBackend to give a user count in 'occ user:report' @julien-nc #733
- Many additional user attribute mappings @nc-fkl #729
- Psalm checks @julien-nc #765
- Ensure the discovery endpoint result is valid @nc-fkl #750
- Bump max NC version to 29 @julien-nc #717
- Bump min NC version to 25 @julien-nc #765
- Increased database column length for client id and secret @nc-fkl #711
- Make PKCE optional @julien-nc #740
- Update nextcloud/vue to v8 @julien-nc #763
- Avoid a lot of error log on token validation failure @aro-lew #721
- Avoid editing the identifier when editing a provider @nc-fkl #714
- PKCE support #697 @rullzer @nc-fkl
- improve id4me token validation #715 @julien-nc
- fix potentially missing alg in jwks #713 @julien-nc
- Disable password confirmation for SSO @juliushaertl #668
- Add issuer and azp validation, improve audience validation @julien-nc #642
- Encrypt stored oidc provider client secrets and id4me client secrets @julien-nc #636
- fix Oracle database support by avoiding empty strings that are replaced with null @julien-nc #563
- use more recent Ubuntu image for PhpUnit tests as the old ones are not picked up by runners @julien-nc #619
- better error handling and throttling in Id4Me and login controllers @julien-nc #615 #618
- show redirect URI to help configuring the client on the provider side @julien-nc #598
- add Nextcloud 27 support @julien-nc #616
- fix id4me/id4me-rp imports @julien-nc #585
- don't include .nextcloudignore in app releases @julien-nc #595
- avoid using IUserManager::getDisplayName that was introduced in NC 25 @julien-nc #594
- Group provisioning @MarvinOehlerkingCap #502
- Group mapping @MarvinOehlerkingCap #502
- Prefix user ID with provider ID @MarvinOehlerkingCap #502
- User provisioning on API requests authenticated with a Bearer token @MarvinOehlerkingCap #502
- DiscoveryService tests @julien-nc #518
- Expected code being exposed when the received one does not match @julien-nc #580
- Non-unique database indexes @julien-nc #541
- User display name change propagation @julien-nc #530
- Fix discovery URL generation with GET parameters @julien-nc #518
- Safer user sync with LDAP user provisioning @julien-nc #535
- Support for Nextcloud 26 @nickvergessen #504
- Support backchannel logout @julien-nc #464
- New endpoint to pre-provision users @julien-nc #450
- Create and populate user storage if necessary on bearer token validation @julien-nc #443
- Fix crash on bearer token validation before first login @julien-nc #498
- Potential XSS with Safari @julien-nc #496
- Fix single logout when using Keycloak >= 18 @ubipo #493
- Enforce HTTPS @julien-nc #495
- Check if user was deleted in LDAP if necessary @julien-nc #451
- Perform a user search before login to make sure LDAP users are synced @julien-nc #436
- Make sure the user avatar is generated on login @julien-nc #437
- Fix upsert command resetting the scope if none provided @julien-nc #433
- Fix upsert command not printing the provider when no parameter given @julien-nc #431
- Fix single logout with non-auto provisioned users @julien-nc #429
- Modernize settings frontend (use `@nextcloud/vue`, bump js libs...) @julien-nc #497
- Fix and polish upsert and delete commands @eneiluj #338
- Remove redundant and time consuming userinfo validation @eneiluj #334
- Cache provider public keys @eneiluj #337
- Move to IBootstrap @juliushaertl #385
- New system config to disable SelfEncodedValidator bearer token validator @eneiluj #372
- Dispatch new event when a bearer token is validated @eneiluj #381
- Add new provider setting to request extra claims @eneiluj #407
- Implement single logout @eneiluj #373
- Avoid claiming 'sub', display code response error @eneiluj #329
- Optionally keep userinfo validator for api calls only, use all providers @eneiluj #335
- Let .nextcloudignore skip defined paths only in root @juliushaertl #353
- Avoid empty session on certain redirect situations in Safari @juliushaertl #358
- Cache discovery endpoint results @juliushaertl #367
- Fix a small php 8 compatibility issue @CarlSchwan #406
- Cache user object when checking existence @CarlSchwan #412
- Ensure that a remember me cookie is created @juliushaertl #425
- #304 Allow to disable other login methods
- #306 Add integration tests with keycloak
- #317 Claim handling and complex mapping rules @tsdicloud
- #320 Bearer token validation
- #303 Properly handle redirect after login
- #319 Fix typo in quota attribute @rgfernandes
- #316 Fix provider editing
- #314 Fix header/column label mismatch @alerque
- Dependency updates
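Several entries above concern post-login redirect handling (#961 "prevent redirecting to an absolute URL after login", #1273 "improve check on redirect URL", #1008 "handle redirect URL containing a ':'", #1001 fallback redirect). The following is an added illustration of that class of check, written for this page in Python; it is not the app's PHP code, and the `safe_redirect_target` function and its fallback path are assumptions. It shows why a naive "reject anything containing ':'" test is wrong (query strings legitimately contain colons) and which shapes an open-redirect check must still refuse.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_FALLBACK = "/apps/files/"  # assumed fallback, not the app's real default


def safe_redirect_target(redirect_url, fallback=DEFAULT_FALLBACK):
    """Return a root-relative local path to redirect to after login, or `fallback`.

    Refuses anything that a browser would treat as off-site: URLs with a scheme
    (https://, javascript:), network-path references (//evil.example), and the
    backslash variants browsers normalise to slashes. Query strings and fragments
    are kept, so a value such as '/apps/files/?dir=/a:b' survives intact.
    """
    if not isinstance(redirect_url, str):
        return fallback
    candidate = redirect_url.strip().replace("\\", "/")  # browsers treat '\' as '/'
    if not candidate:
        return fallback
    if candidate.startswith("//"):
        return fallback  # network-path reference: host-relative, not site-relative
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback  # absolute URL or anything urlsplit resolves to a host
    if not parts.path.startswith("/"):
        return fallback  # only root-relative paths are accepted
    # Rebuild from the parsed pieces so no scheme/netloc can sneak back in.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

Note that the colon case is handled by parsing rather than by string search: `urlsplit` only treats text before the first ':' as a scheme when every character in it is scheme-legal, so `/apps/calendar/?date=12:00` keeps its query while `javascript:alert(1)` is rejected.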
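Many entries above touch bearer token validation: only `Bearer` values of the `Authorization` header are considered (#1386), issuer/audience/azp checks (#864, #642) that can be made optional (#921), a missing `kid` (#1220), `kid` lookup failures after key rotation (#1035), and JWKS entries of key types the Firebase JWT library cannot parse (#1333). The block below is an added, self-contained Python illustration of those checks written for this page; it is not the app's code. It deliberately stops short of signature verification (left to a JWT library) and shows only header parsing, key selection from a JWKS and the claim checks. Function names, the constructed JWKS documents and the sample token are assumptions.

```python
import base64
import json
import re
import time

# Key types a JWKS-consuming JWT library can turn into verification keys; other
# entries (e.g. 'oct', vendor-specific types) are skipped instead of crashing.
SUPPORTED_KTY = {"RSA", "EC", "OKP"}

_BEARER_RE = re.compile(r"\s*[Bb][Ee][Aa][Rr][Ee][Rr]\s+([A-Za-z0-9\-._~+/]+=*)\s*")


def extract_bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None for any
    other scheme (Basic, app passwords...) so those stay with other backends."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    match = _BEARER_RE.fullmatch(value)
    return match.group(1) if match else None


def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def unverified_parts(token):
    """Split a compact JWS into (header, payload) WITHOUT verifying the signature."""
    try:
        header, payload, _signature = token.split(".")
        return _b64url_json(header), _b64url_json(payload)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed JWT") from exc


def select_jwk(jwks, header, refetch=None):
    """Pick the verification key for `header` from a JWKS document.
    - unsupported key types are filtered out first
    - a missing 'kid' is tolerated when exactly one usable key remains
    - an unknown 'kid' triggers one refetch (key rotation) if `refetch` is given
    """
    keys = [k for k in jwks.get("keys", []) if k.get("kty") in SUPPORTED_KTY]
    kid, alg = header.get("kid"), header.get("alg")
    if kid is None:
        candidates = [k for k in keys if k.get("alg") in (None, alg)]
        if len(candidates) == 1:
            return candidates[0]
        raise ValueError("no kid in header and no unique candidate key")
    for key in keys:
        if key.get("kid") == kid:
            return key
    if refetch is not None:
        return select_jwk(refetch(), header)  # fresh JWKS, no second refetch
    raise ValueError('"kid" invalid, unable to lookup correct key')


def check_bearer_claims(claims, issuer, client_id, check_aud=True, check_azp=True, now=None):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else ([aud] if aud else [])
    if check_aud and client_id not in aud_list:
        problems.append("aud does not contain client_id")
    azp = claims.get("azp")
    if check_azp:
        if azp is not None and azp != client_id:
            problems.append("azp mismatch")
        if azp is None and len(aud_list) > 1:
            problems.append("azp required when aud has several values")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("missing or expired exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        problems.append("token not yet valid (nbf)")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems


# --- constructed sample data (not real keys or a real IdP) ---------------------
def _encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

SAMPLE_JWKS = {"keys": [
    {"kty": "oct", "kid": "hmac", "k": "c2VjcmV0"},                       # unsupported, filtered
    {"kty": "RSA", "kid": "rsa-2024", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
]}
ROTATED_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-2025", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
]}
SAMPLE_TOKEN = ".".join([
    _encode({"alg": "RS256", "kid": "rsa-2025"}),
    _encode({"iss": "https://idp.example/realms/nc", "sub": "alice",
             "aud": ["nextcloud", "account"], "azp": "nextcloud", "exp": 4102444800}),
    "c2lnbmF0dXJl",  # placeholder signature, never verified here
])
```

The `refetch` hook is what turns a `kid` miss into a cache refresh rather than a hard failure, which is the behaviour #1035 describes; the `check_aud`/`check_azp` flags mirror the optional checks of #921.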
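Group handling is spread over several entries: nested group claims (#1149), dotted claim names (#1375), comma-separated group values (#1006), the group whitelist regex (#884, #1228) and the login restriction to a given group (#884, #1359). The block below is an added Python illustration written for this page, not the app's implementation; the `realm_access.roles` shape, the object form with `gid`/`displayName`, full-match regex semantics and the sample claims are assumptions, and the app's exact matching rules are documented in its README rather than here.

```python
import re


def resolve_claim(claims, name):
    """Resolve a possibly dotted claim name against a nested claims dict.
    An exact top-level key wins over nesting, so an IdP emitting a literal
    'urn:example.groups' key is not mistaken for the path urn:example -> groups."""
    if name in claims:
        return claims[name]
    node = claims
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def normalise_groups(value):
    """Turn the raw group claim into a list of {'gid', 'displayName'} dicts.
    Accepts a JSON array of strings, a comma-separated string, or an array of
    objects carrying 'gid' (and optionally 'displayName'); duplicates are dropped."""
    if value is None:
        return []
    if isinstance(value, str):
        items = [v.strip() for v in value.split(",")]
    elif isinstance(value, list):
        items = value
    else:
        return []
    seen, groups = set(), []
    for item in items:
        if isinstance(item, dict):
            gid, name = item.get("gid"), item.get("displayName")
        else:
            gid, name = item, None
        if not isinstance(gid, str) or not gid.strip() or gid in seen:
            continue  # empty entries from ', ,' and repeats are ignored
        seen.add(gid)
        groups.append({"gid": gid, "displayName": name or gid})
    return groups


def filter_groups(groups, whitelist_regex=None):
    """Keep only groups whose gid fully matches the whitelist regex, if configured.
    Returns (kept, rejected) so the caller can log the rejections at debug level."""
    if not whitelist_regex:
        return groups, []
    pattern = re.compile(whitelist_regex)
    kept = [g for g in groups if pattern.fullmatch(g["gid"])]
    rejected = [g for g in groups if not pattern.fullmatch(g["gid"])]
    return kept, rejected


def groups_for_login(claims, claim_name, whitelist_regex=None, required_group=None):
    """Return the groups to provision, or None when `required_group` is set and
    the user is not a member of it (login must then be refused)."""
    groups = normalise_groups(resolve_claim(claims, claim_name))
    if required_group is not None and not any(g["gid"] == required_group for g in groups):
        return None
    kept, _rejected = filter_groups(groups, whitelist_regex)
    return kept


# Constructed ID-token claims for illustration only.
SAMPLE_CLAIMS = {
    "sub": "alice",
    "realm_access": {"roles": ["nc-admin", "offline_access", "nc-admin"]},
    "groups": "staff, nc-users ,,",
    "urn:example.groups": [{"gid": "ext", "displayName": "External"}],
}
```

The membership check in `groups_for_login` runs on the unfiltered list on purpose: a whitelist regex decides which groups are provisioned in Nextcloud, not which IdP groups count as evidence that the user may log in.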
v1.0.0 (2021-08-03)
Implemented enhancements:
- Add provider admin commands #292 (tsdicloud)
- Move to npm7 and update actions #286 (skjnldsv)
- Custom attribute mappings #268 (juliushaertl)
- Implement missing user backend methods #267 (juliushaertl)
- Update webpack config and add settings icon #259 (skjnldsv)
Fixed bugs:
- Move mozart out of regular dependencies #296 (juliushaertl)
- Make column explicitly nullable
- NC 21 support
- Installing on NC20
- Basic implementation of OIDC client
- Experimental support for ID4ME