Releases: ory/fosite
Releases · ory/fosite
v0.34.1
fix: make redirect URL checking more strict The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal: 1. Registering a client with allowed redirect URL `https://example.com/callback` 2. Performing OAuth2 flow and requesting redirect URL `https://example.com/callback?bar=foo` 3. Instead of an error, the browser is redirected to `https://example.com/callback?bar=foo` with a potentially successful OAuth2 response. Additionally, matching Redirect URLs used `strings.ToLower` normalization: 1. Registering a client with allowed redirect URL `https://example.com/callback` 2. Performing OAuth2 flow and requesting redirect URL `https://example.com/CALLBACK` 3. Instead of an error, the browser is redirected to `https://example.com/CALLBACK ` with a potentially successful OAuth2 response. This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.
v0.34.0
v0.33.0
v0.32.4
v0.32.3
v0.32.2
v0.32.1
v0.32.0
v0.31.3
feat(pkce): add EnforcePKCEForPublicClients config flag (#431) Alternative proposal for the issue discussed in #389 and #391, where enforcement of PKCE is wanted only for certain clients. Add a new flag EnforcePKCEForPublicClients which enforces PKCE only for public clients. The error hint is slightly different, as it mentions PKCE is enforced for "this client" rather than "clients". (It intentionally does not mention why it's enforced, as I think basing it on public clients is an implementation detail that servers may want to change without adding to the error hints). Closes #389 Closes #391