Release 2021-11-09

• Improve session handling

• API Add ability to send backchannel logouts to APIs

• Redirect ADFS users to ADFS logout when logging out

• Add AzureAD authentication backend

Backchannel logout, azp&loa claims and several smaller fixes

• Tunnistamo now supports backchannel logout as RP, upstream OPs can now terminate Tunnistamo session
• Tokens now contain "azp"-claim, identifying the client the token was issued to
• Tokens can now contain "loa"-claim, carrying information on how whether user can be traced to national identity
• E-mail address can now be made optional
• backends can now set the global UUID for the user

Release 2020-12-23

• Define default database (local postgres / "tunnistamo") declaratively
• Fix auto-generated API documentation
• Add command to add new client to existing API scope
• Upgrade various dependencies
• Make stagimg deployment from develop (Kuva pipeline)

Add keycloak backend, better logout instructions & fixes

Features:

1. Added a generic OIDC backend. Named 'helusername' as it is targeted towards using Keycloak as an username/password backend.
2. Add support for CSP (Content Security Policy)
3. Add CORS policy support, with dynamic support for post_logout_uris and redirect_uri
4. Add report view for displaying currently configured clients and when they have been used last
5. Additional translations
6. More logging for e-mail matching problems.

Fixes:

1. Verify post logout uri, don't allow arbitrary redirect URIs in logout requests
2. Explicitly specify encryption algorithms as a sanity checks, security
3. Perform some digest comparisons using using specific functions, security
4. Deny frame embeds (X-Frame-Options), security

Maintenance:

1. Several dependencies have been updated
2. Unused ADFS-integration code removed