Announcing the release of IdentityServer3.Neo4j v0.2.0

Due to a critical security bug found in all previous versions we strongly recommend you upgrade to v0.2.0 of IdentityServer3.Neo4j immediately.

Version 0.2.0 fixes a bug whereby a user could be authenticated by entering a valid username but an invalid password.

All previous versions of the nuget package have been removed from nuget.org.

Root Cause Analysis

At Edgecastle we thoroughly review all bugs for root cause analysis, with particular attention paid to security-related issues.

This bug emerged from a refactoring exercise after IdentityServer moved its properties from return object to the Context objects passed in to each service or store.

Updating our code to reflect this change in behaviour allowed execution to fall through from a rejection to incorrect credentials to an authentication of the user.

We apologise for any inconvenience caused.

SemVer

In line with many other popular libraries, we are moving to Semantic Versioning as part of this release.