File rubygem-omniauth-auth0.changes of Package rubygem-omniauth-auth0
-------------------------------------------------------------------
Tue Nov 14 15:19:40 UTC 2023 - Dan Čermák <dan.cermak@posteo.net>
- New upstream release 3.1.1, see bundled CHANGELOG.md
-------------------------------------------------------------------
Thu Jun 24 17:41:44 UTC 2021 - Stephan Kulow <coolo@suse.com>
updated to version 3.0.0
see installed CHANGELOG.md
## [v3.0.0](https://github.com/auth0/omniauth-auth0/tree/v3.0.0) (2021-04-14)
Version 3.0 introduces [Omniauth v2.0](https://github.com/omniauth/omniauth/releases/tag/v2.0.0) which addresses [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284). Omniauth now defaults to only allow `POST` as the allowed request_phase method. This was previously handled through the recommended [mitigation](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) using the `omniauth-rails_csrf_protection v0.x.x` gem to provide CSRF protection.
### Upgrading to omniauth-rails_csrf_protection v1.0.0
If you are using `omniauth-rails_csrf_protection` to provide CSRF protection, you will need to be upgrade to `1.x.x`.
### BREAKING CHANGES
Now that OmniAuth now defaults to only `POST` as the allowed request_phase method, if you aren't already, you will need to convert any login links to use [form helpers](https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for) with the `POST` method.
```html+ruby
# OLD -- GET request
<a href='/auth/auth0'>Login</a>
# NEW Example #1 -- POST request
<%= link_to 'Login', 'auth/auth0', method: :post %>
# NEW Example #2 -- POST request
<%= button_to 'Login', 'auth/auth0', method: :post %>
# NEW Example #3 -- POST request
<%= form_tag('/auth/auth0', method: :post) do %>
<button type='submit'></button>
<% end %>
```
### Allowing GET Requests
In the scenario you absolutely must use GET requests as an allowed request method for authentication, you can override the protection provided with the following config override:
```ruby
# Allowing GET requests will expose you to CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:get, :post]
```
## [v2.6.0](https://github.com/auth0/omniauth-auth0/tree/v2.6.0) (2021-04-01)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.5.0...v2.6.0)
**Added**
- Org Support [SDK-2395] [\#124](https://github.com/auth0/omniauth-auth0/pull/124) ([davidpatrick](https://github.com/davidpatrick))
- Add login_hint to permitted params [\#123](https://github.com/auth0/omniauth-auth0/pull/123) ([Roriz](https://github.com/Roriz))
## [v2.5.0](https://github.com/auth0/omniauth-auth0/tree/v2.5.0) (2021-01-21)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.2...v2.5.0)
**Added**
- Parsing claims from the id_token [\#120](https://github.com/auth0/omniauth-auth0/pull/120) ([davidpatrick](https://github.com/davidpatrick))
**Changed**
- Setup build matrix in CI [\#116](https://github.com/auth0/omniauth-auth0/pull/116) ([dmathieu](https://github.com/dmathieu))
**Fixed**
- Fixes params passed to authorize [\#119](https://github.com/auth0/omniauth-auth0/pull/119) ([davidpatrick](https://github.com/davidpatrick))
-------------------------------------------------------------------
Wed Jan 20 13:01:30 UTC 2021 - Stephan Kulow <coolo@suse.com>
updated to version 2.4.2
see installed CHANGELOG.md
## [v2.4.2](https://github.com/auth0/omniauth-auth0/tree/v2.4.2) (2021-01-19)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.1...v2.4.2)
**Fixed**
- Lock Omniauth to 1.9 in gemspec
## [v2.4.1](https://github.com/auth0/omniauth-auth0/tree/v2.4.1) (2020-10-08)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.4.0...v2.4.1)
**Fixed**
- Verify the JWT Signature [\#109](https://github.com/auth0/omniauth-auth0/pull/109) ([jimmyjames](https://github.com/jimmyjames))
-------------------------------------------------------------------
Fri Sep 25 14:28:57 UTC 2020 - Stephan Kulow <coolo@suse.com>
updated to version 2.4.0
see installed CHANGELOG.md
## [v2.4.0](https://github.com/auth0/omniauth-auth0/tree/v2.4.0) (2020-09-22)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.1...v2.4.0)
**Security**
- Bump rack from 2.2.2 to 2.2.3 [\#107](https://github.com/auth0/omniauth-auth0/pull/107) ([dependabot](https://github.com/dependabot))
- Update dependencies [\#100](https://github.com/auth0/omniauth-auth0/pull/100) ([Albalmaceda](https://github.com/Albalmaceda))
**Added**
- Add support for screen_hint=signup param [\#103](https://github.com/auth0/omniauth-auth0/pull/103) ([bbean86](https://github.com/bbean86))
- Add support for `connection_scope` in params [\#99](https://github.com/auth0/omniauth-auth0/pull/99) ([felixclack](https://github.com/felixclack))
-------------------------------------------------------------------
Thu May 7 21:10:30 UTC 2020 - Stephan Kulow <coolo@suse.com>
- updated to version 2.3.1
see installed CHANGELOG.md
## [v2.3.1](https://github.com/auth0/omniauth-auth0/tree/v2.3.1) (2020-03-27)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.3.0...v2.3.1)
**Fixed bugs:**
- Fixes dependency issue [\#97](https://github.com/auth0/omniauth-auth0/pull/97) ([davidpatrick](https://github.com/davidpatrick))
- Fix "NameError: uninitialized constant OmniAuth::Auth0::TokenValidationError" [\#96](https://github.com/auth0/omniauth-auth0/pull/96) ([stefanwork](https://github.com/stefanwork))
## [v2.3.0](https://github.com/auth0/omniauth-auth0/tree/v2.3.0) (2020-03-06)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.2.0...v2.3.0)
**Added**
- Improved OIDC Compliance [\#92](https://github.com/auth0/omniauth-auth0/pull/92) ([davidpatrick](https://github.com/davidpatrick))
-------------------------------------------------------------------
Sun May 5 09:37:29 UTC 2019 - Stephan Kulow <coolo@suse.com>
- updated to version 2.2.0
see installed CHANGELOG.md
## [v2.2.0](https://github.com/auth0/omniauth-auth0/tree/v2.2.0) (2018-04-18)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.1.0...v2.2.0)
**Closed issues**
- It supports custom domain? [\#71](https://github.com/auth0/omniauth-auth0/issues/71)
- Valid Login, No Details: email=nil image=nil name="github|38257089" nickname=nil [\#70](https://github.com/auth0/omniauth-auth0/issues/70)
**Added**
- Custom issuer [\#77](https://github.com/auth0/omniauth-auth0/pull/77) ([ryan-rosenfeld](https://github.com/ryan-rosenfeld))
- Add telemetry to token endpoint [\#74](https://github.com/auth0/omniauth-auth0/pull/74) ([joshcanhelp](https://github.com/joshcanhelp))
**Changed**
- Remove telemetry from authorize URL [\#75](https://github.com/auth0/omniauth-auth0/pull/75) ([joshcanhelp](https://github.com/joshcanhelp))
-------------------------------------------------------------------
Thu Nov 22 05:24:43 UTC 2018 - Stephan Kulow <coolo@suse.com>
- updated to version 2.1.0
see installed CHANGELOG.md
## [v2.1.0](https://github.com/auth0/omniauth-auth0/tree/v2.1.0) (2018-10-30)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v2.0.0...v2.1.0)
**Closed issues**
- URL should be spelled uppercase outside of code [\#64](https://github.com/auth0/omniauth-auth0/issues/64)
- Add prompt=none authorization param handler [\#58](https://github.com/auth0/omniauth-auth0/issues/58)
- Could not find a valid mapping for path "/auth/oauth2/callback" [\#56](https://github.com/auth0/omniauth-auth0/issues/56)
- I had to downgrade my gems to use this strategy :-( [\#53](https://github.com/auth0/omniauth-auth0/issues/53)
- CSRF detected [\#49](https://github.com/auth0/omniauth-auth0/issues/49)
- /auth/:provider route not registered? [\#47](https://github.com/auth0/omniauth-auth0/issues/47)
**Added**
- Add ID token validation [\#62](https://github.com/auth0/omniauth-auth0/pull/62) ([joshcanhelp](https://github.com/joshcanhelp))
- Silent authentication [\#59](https://github.com/auth0/omniauth-auth0/pull/59) ([batalla3692](https://github.com/batalla3692))
- Pass connection parameter to auth0 [\#54](https://github.com/auth0/omniauth-auth0/pull/54) ([tomgi](https://github.com/tomgi))
**Changed**
- Update to omniauth-oauth2 [\#55](https://github.com/auth0/omniauth-auth0/pull/55) ([chills42](https://github.com/chills42))
**Fixed**
- Fix Rubocop errors [\#66](https://github.com/auth0/omniauth-auth0/pull/66) ([joshcanhelp](https://github.com/joshcanhelp))
- Fix minute bug in README.md [\#63](https://github.com/auth0/omniauth-auth0/pull/63) ([rahuldess](https://github.com/rahuldess))
-------------------------------------------------------------------
Thu Jan 26 05:38:53 UTC 2017 - coolo@suse.com
- updated to version 2.0.0
see installed CHANGELOG.md
## [v2.0.0](https://github.com/auth0/omniauth-auth0/tree/v2.0.0) (2017-01-25)
[Full Changelog](https://github.com/auth0/omniauth-auth0/compare/v1.4.1...v2.0.0)
Updated library to handle OIDC conformant clients and OAuth2 features in Auth0.
This affects how the `credentials` and `info` attributes are populated since the payload of /oauth/token and /userinfo are differnt when using OAuth2/OIDC features.
The `credentials` hash will always have an `access_token` and might have a `refresh_token` (if it's allowed in your API settings in Auth0 dashboard and requested using `offline_access` scope) and an `id_token` (scope `openid` is needed for Auth0 to return it).
The `info` object will use the [OmniAuth schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later) after calling /userinfo:
- name: `name` attribute in userinfo response or `sub` if not available.
- email: `email` attribute in userinfo response.
- nickname: `nickname` attribute in userinfo response.
- image: `picture` attribute in userinfo response.
Also in `extra` will have in `raw_info` the full /userinfo response.
-------------------------------------------------------------------
Sun Oct 9 04:33:36 UTC 2016 - coolo@suse.com
- updated to version 1.4.2
see installed CHANGELOG.md
-------------------------------------------------------------------
Thu Mar 17 00:19:42 UTC 2016 - mrueckert@suse.de
- initial package
