What's Changed
- Allow access to / without authentication and redirect to login by @garaimanoj in #1237
- Add/unset client secret when updating client authn method by @enricovianello in #1248
- Import Scope API, Service, Controller and Repository by @enricovianello in #1246
- Remove web-finger discovery endpoint by @enricovianello in #1247
- Search for the SAML attribute by alias as well by @rmiccoli in #1243
- Enforce client AuthN method validation at token endpoint by @federicaagostini and @enricovianello in #1235
- Minor fix on AarcClaimValueHelper affiliation retrieval by @rmiccoli in #1239
- Add explicit modifying annotation to avoid entity manager errors by @enricovianello in #1254
- Sanitize registration key in error page by @rmiccoli in a97cdc3, thanks to @offset for reporting
- Sanitize PasswordReplacedEvent log message by @rmiccoli in f81a92c, thanks to @offset for reporting
- Strengthen redirect URI validation by @rmiccoli in a910f64, thanks to @offset for reporting
Advisory: https://advisories.egi.eu/Advisory-EGI-SVG-2026-18
Full Changelog: v1.14.0...v1.14.1
Note
Redirect URIs registered for a client MUST satisfy the following requirements:
- The URI scheme MUST be either `http` or `https`, except for `edu.kit.data.oidc-agent:/redirect`, which is allowed for oidc-agent
- `http` redirect URIs MUST use a loopback address, as defined in RFC 8252
- Redirect URIs MUST NOT contain a fragment component
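A validator implementing the three rules above, as an added example rather than IAM's own code: it assumes that only literal loopback IPs (127.0.0.0/8 and ::1, as RFC 8252 section 7.3 describes) count as loopback, so a hostname such as `localhost` is rejected, and it treats the oidc-agent URI as an exact-match exception.

```python
import ipaddress
from urllib.parse import urlsplit

# The one non-http(s) redirect URI the release note allows (exact match only).
OIDC_AGENT_REDIRECT = "edu.kit.data.oidc-agent:/redirect"


def _is_loopback_host(hostname):
    """True only for a literal loopback IP (127.0.0.0/8 or ::1), per RFC 8252 section 7.3."""
    if not hostname:
        return False
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        # Not an IP literal (e.g. "localhost" or "127.0.0.1.example.org").
        # Assumption: only IP literals are accepted as loopback.
        return False


def validate_redirect_uri(uri):
    """Return (ok, reason); ok is True only if every rule in the note holds."""
    if uri == OIDC_AGENT_REDIRECT:
        return True, "oidc-agent exception"
    # Check the raw string rather than urlsplit().fragment: a trailing bare '#'
    # parses to an empty fragment and would otherwise slip through.
    if "#" in uri:
        return False, "fragment component not allowed"
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    # urlsplit strips the brackets from an IPv6 literal, so "[::1]" becomes "::1".
    if parts.scheme == "http" and not _is_loopback_host(parts.hostname):
        return False, "http redirect URIs must use a loopback address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URIs covering each rule.
    for candidate in (
        "https://client.example.org/cb",
        "http://127.0.0.1:8080/cb",
        "http://[::1]:8080/cb",
        "http://client.example.org/cb",
        "https://client.example.org/cb#",
        "myapp://cb",
        "edu.kit.data.oidc-agent:/redirect",
    ):
        print(candidate, "->", validate_redirect_uri(candidate))
```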