...
Some search values, such as <script>alert('I'm testing it')</script>, did not return a validation error instead of an empty result when searched for.
It was possible to add the same linked resource twice if the resource group was different.
...
It’s now possible to decide which claims are issued in which token (id_token or access_token). For that, a new configuration user interface has been created. By default, all claims are assigned to the id_token token, but you can use that new configuration user interface to make any necessary changes.
The AVH / AHV (ZAS) identity validation method now asks the user for explicit consent to store the AHV / SSN number.
The user now has the option to validate and edit his personal data before any validation methods. Additionally, he can validate and edit the data after a failed validation attempt.
A forgot username process has been implemented. If the user can provide a unique communication channel, the username will be sent to that channel.
All JavaScript libraries have been updated to the latest possible versions.
Bug Fixes
In some cases, the ordering of the available Quality of Authentication (QoA) was not calculated correctly.
It was possible to perform ReDoS attacks against a validation endpoint. The issue has been resolved.
...
The handling of dates in the CoreOne API has been unified and improved with regard to filters such as ge and le.
...
When the user selected “Close” on the prolong user session popup, the popup simply reappeared. The button has been renamed to “Logout” and, when selected, initiates the logout.
...
Provisioning of empty values to an OpenLDAP could cause errors, which have been resolved.
Multi-value support in the Entra ID connector has been improved.
...