This month marks a significant milestone in the IdentityServer3.Neo4j project with the nuget package being downloaded over 500 times. Congratulations to the teams involved and thanks to our customers for giving our technology the opportunity to be at the heart of your digital enterprise.
Elsewhere, Neo4j’s exposure reached new levels this month as the ICIJ released the Panama Papers documentation in Neo4j graph database format. Hopefully this will invite more people to evaluate and adopt this amazing technology.
Due to a critical security bug found in all previous versions we strongly recommend you upgrade to v0.2.0 of IdentityServer3.Neo4j immediately.
Version 0.2.0 fixes a bug whereby a user could be authenticated by entering a valid username but an invalid password.
All previous versions of the nuget package have been removed from nuget.org.
Root Cause Analysis
At Edgecastle we thoroughly review all bugs for root cause analysis, with particular attention paid to security-related issues.
This bug emerged from a refactoring exercise after IdentityServer moved its properties from the return object to the Context objects passed in to each service or store.
Updating our code to reflect this change in behaviour allowed execution to fall through from the rejection of incorrect credentials to the authentication of the user.
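As an added illustration of the regression shape described above (example code, not the IdentityServer3.Neo4j source): with the IdentityServer3 `IUserService.AuthenticateLocalAsync(LocalAuthenticationContext)` signature, an early-return rejection that is turned into an assignment on the context keeps executing into the success path unless the method also returns. `UserRecord`, `FindUser` and `PasswordMatches` are hypothetical stand-ins for the store lookup and hash check.

```csharp
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

// Hypothetical user record returned by the store lookup.
public class UserRecord
{
    public string Subject { get; set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }
}

// Shared shape; the two lookups are abstract so the example compiles without a store.
public abstract class StoreBackedUserService : UserServiceBase
{
    protected abstract UserRecord FindUser(string userName);               // hypothetical
    protected abstract bool PasswordMatches(UserRecord user, string pwd);  // hypothetical
}

// Regressed form: a bad password writes a rejection to the context but does
// not return, so the success assignment below overwrites it.
public abstract class FallThroughUserService : StoreBackedUserService
{
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var user = FindUser(context.UserName);
        if (user == null)
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid credentials");
            return Task.FromResult(0);
        }
        if (!PasswordMatches(user, context.Password))
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid credentials");
            // Missing return: execution falls through to the success path.
        }
        context.AuthenticateResult = new AuthenticateResult(user.Subject, user.UserName);
        return Task.FromResult(0);
    }
}

// Corrected form: the success result is only assigned when both checks pass.
public abstract class FixedUserService : StoreBackedUserService
{
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var user = FindUser(context.UserName);
        if (user != null && PasswordMatches(user, context.Password))
            context.AuthenticateResult = new AuthenticateResult(user.Subject, user.UserName);
        else
            context.AuthenticateResult = new AuthenticateResult("Invalid credentials");
        return Task.FromResult(0);
    }
}
```

A unit test that asserts `AuthenticateResult.IsError` for a known user with a wrong password catches this class of fall-through before release.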
We apologise for any inconvenience caused.
In line with many other popular libraries, we are moving to Semantic Versioning as part of this release.
February 10th saw the 3rd public release of our Neo4j graph database providers for IdentityServer3 by Dominick Baier and Brock Allen.
In this release:
- BUGFIX: Neo4jClientStore now honours the Flow type of the new client passed to the CreateClient() method.
- ENHANCEMENT: Configurable Neo4j node labels extended to include Scope, ClientScope, ClientSecret, Client, and HAS_SECRET relationship. These are not rolled out across the entire codebase yet.
- ENHANCEMENT: Neo4jClientStore.CreateClient() now supports multiple client secrets per client.
- ENHANCEMENT: Neo4jClientStore.FindClientByIdAsync now also supports returning a collection of client secrets.
- ENHANCEMENT: Neo4jScopeStore now supports multiple scope claims.