v2.3.4
@kbeaugrand kbeaugrand released this 29 Jun 14:49

What's new?

New options are now present on the portal

  • OIDC__ValidateIssuer

    Validation of the issuer mitigates forwarding attacks that can occur when an IdentityProvider represents multiple tenants and signs tokens with the same keys. It is possible that a token issued for the same audience could be from a different tenant. For example, an application could accept users from contoso.onmicrosoft.com but not fabrikam.onmicrosoft.com, both valid tenants. An application that accepts tokens from fabrikam could forward them to the application that accepts tokens for contoso. This boolean only applies to default issuer validation. If IssuerValidator is set, it will be called regardless of whether this property is true or false. The default is true.

  • OIDC__ValidateAudience

    Validation of the audience mitigates forwarding attacks. For example, a site that receives a token cannot replay it to another site: a forwarded token would still contain the audience of the original site. This boolean only applies to default audience validation. If AudienceValidator is set, it will be called regardless of whether this property is true or false. The default is true.

  • OIDC__ValidateLifetime

    This boolean only applies to default lifetime validation. If LifetimeValidator is set, it will be called regardless of whether this property is true or false. The default is true.

  • OIDC__ValidateIssuerSigningKey

    It is possible for tokens to contain the public key needed to check the signature. For example, X509Data can be hydrated into an X509Certificate, which can be used to validate the signature. In these cases it is important to validate the SigningKey that was used to check the signature, not only the signature itself. This boolean only applies to default signing key validation. If IssuerSigningKeyValidator is set, it will be called regardless of whether this property is true or false. The default is false.

  • OIDC_ValidateActor

    Whether an actor token, if one is detected, should be validated. The default is false.

  • OIDC_ValidateTokenReplay

    This boolean only applies to default token replay validation. If TokenReplayValidator is set, it will be called regardless of whether this property is true or false. The default is false.

  • UseSecurityHeaders

    This boolean adds the following headers to all responses:
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains - only applied to HTTPS responses
    X-Frame-Options: Deny - only applied to text/html responses
    X-XSS-Protection: 1; mode=block - only applied to text/html responses
    Referrer-Policy: strict-origin-when-cross-origin - only applied to text/html responses
    Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'none' - only applied to text/html responses
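To make the forwarding-attack reasoning behind the OIDC__ValidateIssuer, OIDC__ValidateAudience, OIDC__ValidateLifetime and OIDC_ValidateTokenReplay options concrete, here is an added example that is not the portal's own code. The portal is an ASP.NET application and these option descriptions match the TokenValidationParameters properties of the same names in Microsoft.IdentityModel; the Python below is a stand-alone model of those default checks so the effect of each switch can be seen. The issuer URLs, audience strings, shared secret and timestamps are constructed fixtures, and HS256 is used only so the sample runs offline (a production IdP would sign with an asymmetric key).

```python
"""Model of the default JWT checks behind the OIDC__Validate* switches.

Added example: mirrors the semantics of Microsoft.IdentityModel's default
issuer / audience / lifetime / replay validation, not the portal's own code.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures: one identity provider serving two tenants with ONE key.
CONTOSO_ISS = "https://login.example.test/contoso/"
FABRIKAM_ISS = "https://login.example.test/fabrikam/"
PORTAL_AUD = "api://iot-portal"            # audience this app expects
OTHER_AUD = "api://some-other-site"        # audience of a different app
KEY = b"constructed-shared-secret"         # same key signs both tenants' tokens
NOW = 1_700_000_000                        # fixed clock for reproducible checks


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 token (test fixture only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, key: bytes, *, valid_issuers, valid_audience,
                   validate_issuer=True, validate_audience=True,
                   validate_lifetime=True, validate_token_replay=False,
                   seen_jti=None, now=None):
    """Return (accepted, reason). Each keyword mirrors one OIDC__Validate* option."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's alg blindly
        return False, f"unsupported alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now

    # ValidateIssuer: a validly signed token from the wrong tenant is still rejected.
    if validate_issuer and claims.get("iss") not in valid_issuers:
        return False, f"issuer {claims.get('iss')!r} not trusted"
    # ValidateAudience: a token forwarded from another site carries that site's aud.
    if validate_audience:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if valid_audience not in auds:
            return False, f"audience {aud!r} is not this application"
    # ValidateLifetime: exp is required, nbf is honoured when present.
    if validate_lifetime:
        if "exp" not in claims or now >= claims["exp"]:
            return False, "token expired or has no exp"
        if "nbf" in claims and now < claims["nbf"]:
            return False, "token not yet valid"
    # ValidateTokenReplay: each jti may be presented once.
    if validate_token_replay:
        jti = claims.get("jti")
        if jti is None or jti in seen_jti:
            return False, "replayed token or missing jti"
        seen_jti.add(jti)
    return True, "ok"


def portal_checks(token: str, **overrides):
    """Validate as the contoso-only portal would, with optional switch overrides."""
    opts = dict(valid_issuers={CONTOSO_ISS}, valid_audience=PORTAL_AUD, now=NOW)
    opts.update(overrides)
    return validate_token(token, KEY, **opts)


def forwarding_scenarios() -> dict:
    """Run the scenarios described in the release notes and return each verdict."""
    base = {"exp": NOW + 600, "nbf": NOW - 60}
    genuine = make_hs256_token({**base, "iss": CONTOSO_ISS, "aud": PORTAL_AUD, "jti": "t1"}, KEY)
    other_tenant = make_hs256_token({**base, "iss": FABRIKAM_ISS, "aud": PORTAL_AUD, "jti": "t2"}, KEY)
    other_site = make_hs256_token({**base, "iss": CONTOSO_ISS, "aud": OTHER_AUD, "jti": "t3"}, KEY)
    stale = make_hs256_token({"exp": NOW - 1, "iss": CONTOSO_ISS, "aud": PORTAL_AUD, "jti": "t4"}, KEY)
    seen = set()
    return {
        "genuine": portal_checks(genuine),
        "other_tenant": portal_checks(other_tenant),
        "other_tenant_issuer_check_off": portal_checks(other_tenant, validate_issuer=False),
        "other_site": portal_checks(other_site),
        "stale": portal_checks(stale),
        "first_use": portal_checks(genuine, validate_token_replay=True, seen_jti=seen),
        "replay": portal_checks(genuine, validate_token_replay=True, seen_jti=seen),
    }


if __name__ == "__main__":
    for name, (ok, reason) in forwarding_scenarios().items():
        print(f"{name:32} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```

The `other_tenant_issuer_check_off` case is the one the release notes warn about: because the identity provider signs every tenant's tokens with the same key, the signature check passes for a fabrikam token, and only the issuer check keeps it out of the contoso application. Turning OIDC__ValidateIssuer off therefore silently widens who can sign in.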

Fix CSP restrictions

Add OIDC MetadataUrl to authorized frame ancestors.

Full Changelog: v2.3.0...v2.3.4