Releases: indico/flask-multipass

v0.11.2

@github-actions github-actions released this 06 Feb 16:35
v0.11.2
8cd915b
  • Fix an open redirect in the next URL validation

v0.11.1

@github-actions github-actions released this 15 Dec 16:37
v0.11.1
8fd8acb
  • shibboleth: Fix error when cleaning up data from the WSGI environment

v0.11

@github-actions github-actions released this 08 Dec 13:05
v0.11
  • Drop support for Python 3.9 (3.9 is EOL since Oct 2025)
  • Add support for Python 3.14
  • shibboleth: Fix encoding of UTF-8 values incorrectly decoded as Latin-1
  • Fix open redirect caused by browsers accepting certain invalid URLs such as ////example.com and treating them like //example.com

v0.10

@github-actions github-actions released this 17 Mar 17:01
v0.10
e44bab0
  • Allow overriding the message of NoSuchUser and InvalidCredentials, and make its other arguments keyword-only

v0.9

@github-actions github-actions released this 10 Mar 15:54
v0.9
d34007c
  • Include the username in the identifier attribute of the NoSuchUser exception so applications can apply e.g. per-username rate limiting
  • Fail silently when there's no objectSid for an AD-style LDAP group

v0.8

@github-actions github-actions released this 09 Feb 11:59
v0.8
eb623a8
  • Reject next URLs containing linebreaks gracefully
  • Look for logout_uri in top-level authlib provider config instead of the authlib_args dict (the latter is still checked as a fallback)
  • Include id_token_hint in authlib logout URL
  • Add logout_args setting to authlib provider which allows removing some of the query string arguments that are included by default

v0.7

@github-actions github-actions released this 04 Feb 12:23
v0.7
  • Support multiple id fields in SAML identity provider
  • Include client_id in authlib logout URL since some OIDC providers may require this
  • Allow setting timeout for authlib token requests (default: 10 seconds)
  • Add new MULTIPASS_HIDE_NO_SUCH_USER config setting to convert NoSuchUser exceptions to InvalidCredentials to avoid disclosing whether a username is valid
  • Include the username in the identifier attribute of the InvalidCredentials exception so applications can apply e.g. per-username rate limiting
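The v0.7 and v0.9 entries above describe two pieces of the same design: NoSuchUser can be collapsed into InvalidCredentials so a client cannot probe for valid usernames, while the attempted username survives on the exception's identifier attribute so the application can still rate-limit per user. The block below is an added example, not flask-multipass's own code: the exception classes are stand-ins modelled on the names in the release notes, the config flag is passed as a plain boolean instead of being read from Flask config, and the sliding-window limiter (PerUserFailureLimiter) is a hypothetical application-side helper.

```python
import time
from collections import deque


# Stand-ins for the exception types named in the release notes, defined here
# so the example runs offline. They are NOT flask-multipass's own classes.
class AuthenticationFailed(Exception):
    def __init__(self, message=None, *, identifier=None):
        super().__init__(message or type(self).__name__)
        # Username the client attempted, kept for per-user rate limiting.
        self.identifier = identifier


class NoSuchUser(AuthenticationFailed):
    pass


class InvalidCredentials(AuthenticationFailed):
    pass


class PerUserFailureLimiter:
    """Hypothetical sliding-window counter of failed logins keyed by username."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}

    def record(self, identifier, now=None):
        """Record one failure; return True once the user hit the limit inside the window."""
        now = time.monotonic() if now is None else now
        timestamps = self._failures.setdefault(identifier, deque())
        timestamps.append(now)
        # Drop failures that fell out of the window before counting.
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()
        return len(timestamps) >= self.max_failures


def normalize_failure(exc, hide_no_such_user):
    """Mirror the effect of MULTIPASS_HIDE_NO_SUCH_USER (here a plain boolean,
    an assumption of this example): an unknown user produces the same exception
    type and message as a wrong password, but the identifier is preserved."""
    if hide_no_such_user and isinstance(exc, NoSuchUser):
        return InvalidCredentials('Invalid credentials', identifier=exc.identifier)
    return exc


def handle_login_failure(exc, limiter, hide_no_such_user=True, now=None):
    """Return (message shown to the client, whether this username is now blocked)."""
    exc = normalize_failure(exc, hide_no_such_user)
    blocked = False
    if exc.identifier is not None:
        blocked = limiter.record(exc.identifier, now=now)
    return str(exc), blocked


if __name__ == '__main__':
    limiter = PerUserFailureLimiter(max_failures=3, window_seconds=60)
    # Constructed failures: one unknown user, one wrong password.
    unknown = NoSuchUser('No such user: bob', identifier='bob')
    wrong_pw = InvalidCredentials('Invalid credentials', identifier='alice')
    for hide in (False, True):
        print('hide_no_such_user =', hide)
        print('  unknown user  ->', handle_login_failure(unknown, limiter, hide, now=0.0))
        print('  wrong password->', handle_login_failure(wrong_pw, limiter, hide, now=0.0))
```

With hiding enabled the two failures are indistinguishable to the client, yet the limiter still sees 'bob' and 'alice' separately, which is exactly why the identifier has to survive the conversion.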

v0.6

@github-actions github-actions released this 27 Nov 15:48
v0.6
  • Drop support for Python 3.8 (3.8 is EOL since Oct 2024)
  • Remove upper version pins of dependencies
  • Support friendly names for SAML assertions (set 'saml_friendly_names': True in the auth provider settings)
  • Include more verbose authentication data in IdentityRetrievalFailed exception details

v0.5.6

@github-actions github-actions released this 29 Oct 16:44
v0.5.6
9b56208
  • Reject invalid next URLs with backslashes that could be used to trick browsers into redirecting to an otherwise disallowed host when doing client-side redirects

v0.5.5

@github-actions github-actions released this 23 Aug 00:36
v0.5.5
  • Ensure only valid schemes (http and https) can be used when validating the next URL
  • Deprecate the flask_multipass.__version__ attribute
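The next-URL fixes spread across v0.5.5, v0.5.6, v0.8, v0.11 and v0.11.2 each close one way a browser-side redirect could escape the intended host: non-http(s) schemes, backslashes that browsers rewrite to forward slashes, line breaks, and three or more leading slashes that browsers collapse to a protocol-relative URL. The validator below is an added example written for this page, not flask-multipass's implementation; it folds all of those classes into one check, generalizing beyond the individual entries, and the ALLOWED_HOSTS allowlist, the is_safe_next_url name and the constructed sample URLs are assumptions of the example.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to after login. Constructed for the
# example; a real deployment would derive this from its server configuration.
ALLOWED_HOSTS = frozenset({'example.com'})


def is_safe_next_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for an absolute same-origin path or an http(s) URL
    on an allowed host. Each rejection matches a bypass class the release
    notes describe; the check refuses rather than normalises suspicious input."""
    if not isinstance(url, str) or not url:
        return False
    # Leading/trailing whitespace and control characters (CR, LF, TAB, NUL)
    # are stripped or reinterpreted by browsers and HTTP parsers.
    if url != url.strip() or any(ord(ch) < 0x20 or ch == '\x7f' for ch in url):
        return False
    # Browsers rewrite backslashes to forward slashes before resolving, so
    # '/\evil.com' is fetched as '//evil.com' even though urlsplit sees a path.
    if '\\' in url:
        return False
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: http/https only, and only to an explicitly allowed host.
        # .hostname is lowercased and excludes userinfo and port, so
        # 'http://example.com@evil.com/' resolves to 'evil.com' and is refused.
        if parts.scheme.lower() not in ('http', 'https'):
            return False
        return parts.hostname in allowed_hosts
    # No scheme: require a path on the current origin. Two or more leading
    # slashes ('//h', '///h', '////h') are protocol-relative to a browser even
    # though urlsplit reports an empty netloc for three or more.
    if parts.netloc or not url.startswith('/') or url.startswith('//'):
        return False
    return True


if __name__ == '__main__':
    # Constructed sample inputs covering the cases named in the release notes.
    samples = [
        '/dashboard?tab=1',
        'https://example.com:8443/home',
        '//evil.com',
        '////example.com',
        '/\\evil.com',
        'javascript:alert(1)',
        '/home\r\nSet-Cookie: session=x',
        'http://example.com@evil.com/',
    ]
    for sample in samples:
        print(f'{sample!r:40} -> {is_safe_next_url(sample)}')
```

Note that '////example.com' is refused even though example.com is allowed: in the scheme-less branch the only accepted form is a single-slash path, so there is no way for a slash-collapsing browser to turn it into a cross-host redirect. If the application needs to accept its own absolute URLs, they must arrive with an explicit http(s) scheme and pass the host allowlist.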