
v2.29.0

@jeremad jeremad released this 20 Apr 09:13
167 commits to master since this release

OpenID Connect

Identity verification using OIDC has been reworked to improve security and the isolation between Tanker's servers and an application server that uses Tanker:

  • A new mandatory nonce, created with createOidcNonce(), must be used in the OIDC authorization code flow. It allows:
    • the application server to deny any request that presents an IdToken it has already seen, which prevents Tanker from impersonating end-users;
    • Tanker to perform an additional challenge with end-users before accepting an IdToken, which prevents an application server from impersonating end-users.
  • OIDC can no longer be used for provisional identity verification.

The OIDC verification guide has been updated accordingly.