SECURITY NOTICE:
As a fork of louketo-proxy, we inherited an IMPERSONATION type security vulnerability. There are 2 levels of impact: 1. Unaffected 2. Affected (High Risk)
- Unaffected - if you use at least one of these options, you are not susceptible to this attack:
--enable-encrypted-token=true
--store-url=<redis-url>
--enable-idp-session-check=true
- High Risk - if you don't use any of the above options
Quick mitigation: Enable at least one of the above-mentioned options
Recommended mitigation: Upgrade to the latest version 2.9.3 and enable at least one of the above options (--enable-idp-session-check=true is enabled by default in 2.9.3)
Short description of vulnerability: an existing user in your userbase might impersonate another user in your userbase
A detailed description will be provided in 1-2 months (for security reasons)
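As an added example (not part of the gatekeeper project or of this notice), a small POSIX shell check that classifies a gatekeeper command line against the three mitigating options listed above, so an operator can audit existing service definitions before upgrading. It assumes flags are passed either as --flag=value or as --flag value (urfave/cli, which the changelog mentions, accepts both) and that a bare boolean flag means true; the discovery URL, client id and Redis address in the usage lines are placeholders, not real endpoints.

```shell
#!/bin/sh
# Added example, not gatekeeper's own code.
# gatekeeper_mitigated ARGS...  -> exit 0 if at least one of
#   --enable-encrypted-token=true, --store-url=<redis-url>,
#   --enable-idp-session-check=true
# is present on the command line, exit 1 otherwise.
# Assumption: flags come as "--flag=value" or "--flag value"; a bare
# boolean flag counts as true, "--flag=false" does not mitigate.
gatekeeper_mitigated() {
    mitigated=1
    while [ $# -gt 0 ]; do
        case "$1" in
            --enable-encrypted-token|--enable-idp-session-check)
                # bare form ("--flag") or separated form ("--flag true")
                case "${2:-}" in
                    true|false) [ "$2" = true ] && mitigated=0; shift ;;
                    *) mitigated=0 ;;
                esac ;;
            --enable-encrypted-token=true|--enable-idp-session-check=true)
                mitigated=0 ;;
            --store-url)
                # separated form; an empty or missing URL does not count
                [ -n "${2:-}" ] && mitigated=0 && shift ;;
            --store-url=?*)
                mitigated=0 ;;
        esac
        shift
    done
    return $mitigated
}

# gatekeeper_risk ARGS... -> prints the impact level used in the notice
gatekeeper_risk() {
    if gatekeeper_mitigated "$@"; then
        echo "Unaffected"
    else
        echo "High Risk"
    fi
}

# Constructed usage (placeholder values): the weak invocation beside the
# same invocation with one of the mitigating options added.
weak="--discovery-url=https://idp.example/realms/demo --client-id=app --listen=:3000"
gatekeeper_risk $weak                                              # High Risk
gatekeeper_risk $weak --enable-idp-session-check=true              # Unaffected
gatekeeper_risk $weak --store-url=redis://redis.example:6379       # Unaffected
```

Point the function at the argument list from your systemd unit, Kubernetes container args or Docker command; anything reported as "High Risk" needs one of the three options added, and after upgrading to 2.9.3 the default --enable-idp-session-check=true covers it unless the deployment explicitly sets it to false.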
What's Changed
- Update HMAC description docu by @p53
- Refactor handlers by @p53, Pierre Bogossian bogossian@mail.com, Nikifor Georgiev
- Generate UMA ticket when invalid UMA token but valid resource accessed by @p53
- Enable to use openid-provider-proxy settings in all requests to keycloak by @p53
- Update docu for 2.9.1 by @p53
- Turn off issuer, client id check for refresh token by @p53
- Turn off tok verif refresh by @p53
- Update docu for 2.9.2 by @p53
- Remove refresh token validation, add e2e tests by @p53
- Add tests for skipopenidtlsverify by @p53
- Fix resources-stringslice parsing after urfavecli to v2 upgrade by @p53
- Update docs 2.9.3 by @p53