v2.0.0

@mrts mrts released this 21 Jan 14:17

v2.0.0 is a major backwards incompatible release.

In version 1, the generated challenge nonces were stored in a JSR107-compatible cache. However, if the website had a CSRF vulnerability, this made the solution vulnerable to forged login attacks. In version 2, a session-backed challenge nonce store must be used instead to mitigate this attack.

The Web eID authentication token format changed in version 2. In version 1, the authentication token used the OpenID X509 ID Token (JWT) format in order to be compatible with the standard OpenID Connect ID Token specification. The JWT format was found to be undesirable, as it implies that the claims presented in the Web eID authentication token can be trusted and processed, while they actually cannot be trusted. Therefore, a custom JSON-based format was adopted for the Web eID authentication token in version 2.

Detailed overview of the changes and upgrade instructions are available here.

Changes

See the list of changes in the v2.0.0 milestone.

Backwards incompatible changes

  • the Maven group ID and package namespace changed from org.webeid to eu.webeid,
  • a session-backed challenge nonce store that implements the ChallengeNonceStore interface is required instead of a JSR107 cache,
  • usages of the withNonceCache() method should be removed,
  • the authentication token validation method signature has changed,
  • CertUtil is renamed to CertificateData.

See upgrade instructions for details.
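The following is an added illustration of the session-backed challenge nonce store that this release requires; it is not code from the web-eid-authtoken-validation-java project or the Web eID team. It assumes that ChallengeNonce and ChallengeNonceStore live in the eu.webeid.security.challenge package, that the interface's abstract methods are put(ChallengeNonce) and getAndRemoveImpl() (with a default getAndRemove() that handles a null result and expiry), and that a servlet container supplies the HttpServletRequest; the session attribute key is a constructed name. The point it shows is why the change closes the forged-login issue: the nonce is bound to the browser session that requested it, so a nonce issued in one session is never accepted from another, whereas a shared cache accepted any issued nonce regardless of session.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Assumed package layout for the v2 library (namespace eu.webeid per the release notes).
import eu.webeid.security.challenge.ChallengeNonce;
import eu.webeid.security.challenge.ChallengeNonceStore;

/**
 * Session-backed nonce store (added example, not the library's own implementation).
 *
 * Storing the nonce as an attribute of the HttpSession that requested it means the
 * nonce can only be consumed by a request carrying that same session cookie. The
 * version 1 JSR107 cache was shared across all clients, so any issued nonce was
 * valid for any session; combined with a CSRF weakness on the site, that allowed a
 * login to be forged into a victim's session. Per-session binding removes that path.
 */
public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {

    // Constructed attribute name; any application-unique key works.
    private static final String CHALLENGE_NONCE_KEY = "web-eid-challenge-nonce";

    private final HttpServletRequest request;

    public SessionBackedChallengeNonceStore(HttpServletRequest request) {
        this.request = request;
    }

    @Override
    public void put(ChallengeNonce challengeNonce) {
        // Create the session if needed: the nonce must be tied to a session from the start.
        request.getSession(true).setAttribute(CHALLENGE_NONCE_KEY, challengeNonce);
    }

    @Override
    public ChallengeNonce getAndRemoveImpl() {
        // Never create a session here: a request without one cannot own a nonce.
        final HttpSession session = request.getSession(false);
        if (session == null) {
            // Assumed: the interface's default getAndRemove() treats null as "nonce not found".
            return null;
        }
        final ChallengeNonce challengeNonce =
            (ChallengeNonce) session.getAttribute(CHALLENGE_NONCE_KEY);
        // Single use: remove before returning so a replayed token cannot match again.
        session.removeAttribute(CHALLENGE_NONCE_KEY);
        return challengeNonce;
    }
}
```

When wiring this into the validator, construct the store per request (or inject a request-scoped bean) so that put() during challenge generation and getAndRemoveImpl() during token validation both resolve to the caller's own session; a store that reads from a static or shared map reintroduces the version 1 behaviour.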

Packages

The v2.0.0 Maven package is available in the GitLab Package Repository.