Security
- LoginRadius backend now validates callback state to prevent login CSRF.
- Odnoklassniki app backend now ignores untrusted callback API hosts and validates returned user details.
- Partial pipeline resume now requires session ownership or explicit external resume confirmation to prevent login CSRF.
- SAML responses are now validated against the original AuthnRequest when possible.
- Twilio backend now preserves HTTPS callback URLs and validates callback state to prevent login CSRF.
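Several of the entries above share one defence: the OAuth callback is only accepted when its `state` parameter matches a value bound to the session that started the login, which stops an attacker from completing a login in a victim's browser with the attacker's own authorization code. The following is an added illustration of that check, not code from the project; the session dict, the `STATE_KEY` name and the parameter layout are assumptions made for the example.

```python
import hmac
import secrets

# Hypothetical session key used only in this example.
STATE_KEY = "oauth_state"


def begin_login(session):
    """Start an OAuth login: create an unguessable state value, bind it to the
    caller's session and return it so it can be sent in the authorization
    redirect."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    return state


def validate_callback(session, params):
    """Validate the provider callback against the state stored at login start.

    The stored value is removed before comparison so a callback can only be
    completed once, and the comparison is constant-time so the check does not
    leak information through timing. Returns True only when the callback
    belongs to this session."""
    expected = session.pop(STATE_KEY, None)
    received = params.get("state")
    if not expected or not received:
        # Either the session never started a login (the login-CSRF case: the
        # callback was initiated elsewhere) or the provider omitted state.
        return False
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate flow and a forged callback.
    victim_session = {}
    state = begin_login(victim_session)
    print("legitimate callback accepted:",
          validate_callback(victim_session, {"state": state, "code": "c1"}))

    # The callback was consumed; a replay with the same state is rejected.
    print("replayed callback accepted:",
          validate_callback(victim_session, {"state": state, "code": "c1"}))

    # A browser that never started a login receives an attacker-crafted
    # callback: there is no bound state, so it is rejected.
    print("forged callback accepted:",
          validate_callback({}, {"state": state, "code": "c2"}))
```

The important properties are that the state is generated server-side per login attempt, stored where only that session can read it, consumed on first use, and compared with `hmac.compare_digest` rather than `==`.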
Fixed
- Auth0 OpenID Connect configuration now uses the correct base URLs.
- Authentication now handles invalid email addresses without crashing.
- Vend OAuth user IDs are now scoped by shop.
- VK app authentication now requires an auth key.
Removed
- Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef, Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.
- Discontinued Google+ Sign-In backend (google-plus/GooglePlusAuth).