v7.1.8

@axeloradmin axeloradmin released this 17 Oct 13:43
d6cdda5

7.1.8 (2024-10-17)

Security

  • Always rely on codes when fetching the user from the profile

    Any override of com.axelor.auth.pac4j.AuthPac4jUserService.getUser should take
    care to fetch users by code only (instead of fetching by code and email).

    If your application uses SSO authentication, a careful review is needed.
    Since users are now retrieved by their code, make sure each user's code matches
    the username or email that the identity provider supplies in the user profile
    (we rely on the pac4j user profile mapping for this). For example, OpenID Connect
    providers commonly use the preferred_username claim as the username, but others,
    such as the Azure OpenID Connect provider, use the upn claim as the username. As a
    fallback, the email claim is used as the email. Existing users whose codes match
    neither the identity provider's username nor its email will not be retrieved and
    will not be able to log in. A manual change will be needed in that case, for
    example by updating those users' codes to their email.
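The review described above can be scripted against an export of local users and the claims the identity provider returns. The following is an added example, not code from the Axelor release or the pac4j library: it models the claim-to-username precedence the notes describe (preferred_username, then upn, then email as fallback), contrasts the code-only lookup with the old code-or-email lookup, and lists the users whose code would no longer resolve together with a proposed code update. The function names, the LocalUser record and the sample users and claims are constructed for this example and are not Axelor or pac4j APIs.

```python
"""Pre-upgrade audit for "fetch users by code only" (added example, not Axelor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LocalUser:
    """Constructed stand-in for an application user: login code plus email."""
    code: str
    email: str


# Claim precedence as described in the release notes; the ordering is an
# assumption of this example, not a reading of pac4j's actual mapping code.
USERNAME_CLAIMS = ("preferred_username", "upn", "email")


def profile_username(claims: Dict[str, str]) -> Optional[str]:
    """Return the username the identity provider's profile would carry.

    preferred_username wins, then upn (Azure OIDC), then the email claim
    as a fallback. None when no usable claim is present.
    """
    for claim in USERNAME_CLAIMS:
        value = claims.get(claim)
        if value:
            return value
    return None


def fetch_by_code(users: List[LocalUser], code: str) -> Optional[LocalUser]:
    """Post-7.1.8 behaviour: a profile resolves a local user by code only."""
    return next((u for u in users if u.code == code), None)


def fetch_by_code_or_email(users: List[LocalUser], code: str,
                           email: Optional[str]) -> Optional[LocalUser]:
    """Pre-7.1.8 behaviour, shown for contrast only.

    Any account whose email equals the profile email is accepted even when the
    username does not match its code, which is the wider match the release
    removed.
    """
    return next((u for u in users if u.code == code
                 or (email is not None and u.email == email)), None)


def audit(users: List[LocalUser],
          profiles: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Report the mismatch both ways.

    orphaned_users: local codes no profile username maps to (cannot log in).
    unresolved_profiles: profile usernames that match no local code.
    """
    usernames = {u for u in (profile_username(p) for p in profiles) if u}
    codes = {u.code for u in users}
    return {
        "orphaned_users": sorted(codes - usernames),
        "unresolved_profiles": sorted(usernames - codes),
    }


def propose_code_updates(users: List[LocalUser],
                         profiles: List[Dict[str, str]]) -> Dict[str, str]:
    """Suggest code -> new code for orphaned users whose email is what the
    identity provider sends as username (the remediation the notes suggest)."""
    usernames = {u for u in (profile_username(p) for p in profiles) if u}
    return {u.code: u.email for u in users
            if u.code not in usernames and u.email in usernames}


# Constructed sample data: three local users and the claims their IdP returns.
SAMPLE_USERS = [
    LocalUser("alice", "alice@example.com"),
    LocalUser("bob.smith", "bob@example.com"),
    LocalUser("carol", "carol@example.com"),
]
SAMPLE_PROFILES = [
    {"preferred_username": "alice", "email": "alice@example.com"},  # code matches
    {"upn": "bob@example.com", "email": "bob@example.com"},         # Azure-style upn
    {"email": "carol@example.com"},                                 # email fallback
]

if __name__ == "__main__":
    print(audit(SAMPLE_USERS, SAMPLE_PROFILES))
    print(propose_code_updates(SAMPLE_USERS, SAMPLE_PROFILES))
```

Run it against the real user export and claim samples from the identity provider before upgrading; every code listed under orphaned_users needs a manual update (or a matching change on the identity provider side) or that user will be locked out once only the code is consulted.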