Highlights

Main changes since 1.2.0:

  • OpenID Connect 2.0
  • OAuth 2
  • User portal with consent management
  • Authorization plugin support
  • Support for adding an instance to the web root
  • Lots of bugfixes

This version requires a schema version bump. For information on upgrading your database, see Upgrading.

Important upgrade notes

  • This version introduces authorization plugins. Please make sure to enable one after upgrading.
  • The infosssd plugin has been changed to use DBus to get user information. Please modify /etc/sssd/sssd.conf to allow the ipsilon uid access.

Detailed Changelog

Dan Theisen (2):

  • Allow attributes to be mapped to URLs
  • Modify infosssd plugin to fetch attributes from dbus

Howard Johnson (26):

  • Add font-face for FontAwesome to font.less (and admin.css and ipsilon.css)
  • Don't try to use SAML error strings as HTTPError codes in a ProviderException
  • String-type config options set to empty string shouldn't turn into None
  • Convert stored Condition config options back to booleans
  • Change subprocess.check_output to subprocess.Popen to support Python 2.6
  • Add help buttons to the login stack page
  • Add missing descriptions to infonss and infosssd plugins
  • Add a plugin-based authorization system for SP user sessions
  • Add authorization to the SAML2 provider
  • Add tests for authz code
  • Add authorization support (and tests) to OpenID provider
  • Add authorization support (and tests) to OpenID Connect provider
  • Update main admin page SVG for authorization plugin stack
  • Add ipsilon.authz package to setup.py
  • Add authz code to contrib spec file
  • Rewrite ipsilon.util.policy.Policy class documentation
  • Add openidc installation templates to setup.py and spec file
  • Retain transaction ID through 401 pages
  • Styled the user consent page for OpenID Connect
  • When saving options, remove options from the db that no longer exist
  • Add consent system
  • Plumb openidc into the consent system
  • Add a user self-service portal for managing consent
  • Add test case for openidc consent
  • Add cli args to ipsilon-upgrade-database to make it nicer to use
  • Don't use cherrypy.url to build the SVG embedded URLs

Marlin Cremers (1):

  • Remove executable bit from fonts

Patrick Uiterwijk (89):

  • Use TLS for test suite
  • Send ProviderException with the correct error code and message
  • install: server-install: abort installation on permission issue
  • Implement WebFinger (RFC7033)
  • Implement OpenID Connect core
  • Add OpenID Connect support to ipsilon-client-install
  • OpenID Connect test suite
  • login: authtest: add unicode character for unicode tests
  • helpers: common: setup postgres server as unicode-capable
  • providers: saml: remove str and unicode conversion
  • Encode session information as unicode
  • Add subpackages for OpenID Connect to the contrib spec file
  • openidc: Use urlencode to generate return URL
  • openidc: Uncomment the autocommit in form response mode
  • Add ssh and gpg key id mappings to authfas
  • Support sending multiple OpenID AX values
  • Error out if requested to send newline via OpenID AX
  • Use class variables for initialization of OpenIDC Extensions
  • Fix naming collisions in OpenIDC token refresh
  • Update location of display_name information
  • Allow OpenIDC extensions to specify additional claims
  • Test for some more dependencies that we also use
  • Use more specific paths to binaries for pre-usrmove compatibility
  • Make apache configs compatible with pre-2.3
  • Use temporary testdir
  • Use new sqlalchemy and jinja2
  • Support mod_auth_kerb
  • Resolve identity problem in ldap test
  • Use version-independent way to pass socket dir to postgres
  • Move the KDC port outside of the privileged range
  • Explicitly default to WSGI Socket Prefix run/wsgi
  • Remove lessc from testdeps
  • Remove references to lesscpy
  • Regenerate css files
  • Bind quickrun to 0.0.0.0
  • openidc: Make it possible to disable dynamic client registration
  • Split OpenID Connect code
  • Fix upgrade-database for configfiles
  • Test upgrade-database with file configuration
  • Bump logging level of dbupgrade process to info
  • Add compatibility with jwcrypto 0.3.0 and higher
  • Fix cleanup type issues with non-sqlite backends
  • Throw new FieldError to indicate which option field is problematic
  • Add Integer configuration field type
  • Disable the cherrypy dispatch method translation for dot and hyphen
  • Implement OpenID Connect Client configuration as ConfigHelper
  • Implement OpenID Connect static clients
  • Test basic OpenIDC administration code
  • Add a test for the SP admin panel when name is a hostname
  • Make sure that openid redirects back to root on no request
  • Make it possible to deploy Ipsilon to the web root
  • Add test case for root bound Ipsilon instance
  • Update quickrun to use root-mounted instance
  • Fix OpenID Connect plugin claims
  • Tell pylint that this is a dictionary rather than a list
  • Make sure that OpenID extensions don't return anything when not requested
  • Log errors when we provide them to OIDC clients
  • Only return an OpenID Connect state when we were asked to provide one
  • Implement cleanup for OpenID Connect tokens and userinfo
  • Fix OpenID Connect client updating
  • Add test helper for general settings updates
  • Test OpenID Connect client updating
  • Store unused OIDC arguments
  • Create an infofas plugin
  • Do not crash if FAS didn't have an SSH key for the user
  • Allow PluginObjects to do something when their configuration is refreshed
  • Let OpenID Connect provider reload its keyset and extensions on reconfigure
  • Update consent revoke test helper to explicitly revoke all consent
  • Do not mark the OpenID submission form as a consent page
  • Plumb the Consent system into OpenID
  • Implement test suite for OpenID consent
  • Use different column types
  • Add Consent table on upgrade from schema 2
  • Get rid of silly error in openidc code
  • Package infofas in contrib spec file
  • Mark lines as noqa to avoid pep8 E126 on EL7
  • Disable mod_auth_openidc with too old Apache versions
  • Add User Portal code to generated packaging material
  • Do not error out if infosssd gets unconfigured without being configured
  • Enable infosssd with the IPA helper
  • Allow either mod_ssl or mod_nss to mark as SSL being used, regardless of enabled module
  • Bump version for 2.0.0 release
  • Optionally ignore certificate validity with OpenIDC on install
  • Require python-requests for client
  • Drop all path information on redirect to HTTPS
  • Cherrypy does not like getting unicode objects and fails terribly
  • Fix UserInfo signing by adding the field to the SP configuration
  • Re-add request_object_signing_alg client metadata
  • Fix indentation on OIDC signed request objects code

Tom Judge (1):

  • Fix handling attributes with multiple values (e.g. groups)