This is a patch release that
- Hardens the default configuration of the sensitive values filters and
- Fixes mTLS binding so that port numbers can be used as part of
Sensitive Values Filter Defaults
This release hardens the default configuration that controls the redaction, in logs, of parameters passed to the Pushed Authorization Request (PAR) and Authorize endpoints, ensuring that client secrets and client assertions are not logged by default.
In particular, the default values of AuthorizeRequestSensitiveValuesFilter and PushedAuthorizationSensitiveValuesFilter have both been changed to ["client_secret", "client_assertion", "id_token_hint"].
PAR requests are sometimes handled by the same code path as authorize requests, so both filters now have the same default.
mTLS port number
The MtlsOptions.DomainName can now include a port number.
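The following is an added example, not code from this release or from Duende, covering both changes above: it pins the hardened filter values explicitly (useful where a custom override exists, or on a version that predates these defaults), sets an mTLS domain name that carries a port, and runs a small helper with the same filter semantics over a constructed PAR request. The `options.Logging` and `options.MutualTls` property paths, the hostname and the parameter values are assumptions; `RedactForLog` is an illustrative helper, not IdentityServer's own logging code.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Duende.IdentityServer.Configuration;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// The hardened default list from the 7.2.2 release notes.
string[] sensitiveParams = { "client_secret", "client_assertion", "id_token_hint" };

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddIdentityServer(options =>
{
    // PAR and authorize requests can share a code path, so keep both filters identical.
    // (Assumes the filters live under options.Logging and accept an ICollection<string>.)
    options.Logging.AuthorizeRequestSensitiveValuesFilter = new HashSet<string>(sensitiveParams);
    options.Logging.PushedAuthorizationSensitiveValuesFilter = new HashSet<string>(sensitiveParams);

    // Since 7.2.2 the mTLS domain name may include a port; the hostname is a placeholder.
    options.MutualTls.Enabled = true;
    options.MutualTls.DomainName = "mtls.example.test:8443";
});

// Constructed PAR request body as a parameter map; all values are placeholders.
var parRequest = new Dictionary<string, string>
{
    ["client_id"] = "example-client",
    ["client_secret"] = "PLACEHOLDER-SECRET",
    ["client_assertion"] = "PLACEHOLDER-JWT",
    ["redirect_uri"] = "https://app.example.test/callback",
    ["scope"] = "openid profile",
};

foreach (var (name, value) in RedactForLog(parRequest, sensitiveParams))
    Console.WriteLine($"{name}={value}");
// client_secret and client_assertion print as [redacted]; the other parameters are unchanged.

// Illustrative helper mirroring the filter semantics the release describes: any parameter
// whose name is in the filter list is replaced before the request is written to a log sink.
static IDictionary<string, string> RedactForLog(
    IDictionary<string, string> parameters, IEnumerable<string> filter)
{
    var sensitive = new HashSet<string>(filter, StringComparer.Ordinal);
    return parameters.ToDictionary(
        p => p.Key,
        p => sensitive.Contains(p.Key) ? "[redacted]" : p.Value);
}
```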
Detailed Changelog
- Harden default logging filters for PAR and Authorize endpoints (7.2) by @josephdecock in #1978
- Respect port number in mTLS configuration by @josephdecock in #1990
Full Changelog: is-7.2.1...is-7.2.2