This month marks a significant milestone in the IdentityServer3.Neo4j project with the nuget package being downloaded over 500 times. Congratulations to the teams involved and thanks to our customers for giving our technology the opportunity to be at the heart of your digital enterprise.
Elsewhere, Neo4j’s exposure reached new levels this month as the ICIJ released the Panama Papers documentation in Neo4j graph database format. Hopefully this will invite more people to evaluate and adopt this amazing technology.
Due to a critical security bug found in all previous versions, we strongly recommend that you upgrade to v0.2.0 of IdentityServer3.Neo4j immediately.
Version 0.2.0 fixes a bug whereby a user could be authenticated by entering a valid username together with an invalid password; in effect, the password check could be bypassed for any known username.
All previous versions of the nuget package have been removed from nuget.org.
Root Cause Analysis
At Edgecastle we thoroughly review all bugs for root cause analysis, with particular attention paid to security-related issues.
This bug emerged from a refactoring exercise after IdentityServer3 moved the result of each service and store call from the method's return value to the Context object passed in to it (for example, a user service now sets context.AuthenticateResult instead of returning an AuthenticateResult).
When we updated our code to reflect this change in behaviour, the rejection branch for incorrect credentials no longer ended the method: after the failure result had been set on the context, execution fell through into the code path that authenticated the user.
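The bug class described above, as an added C# illustration (this is not IdentityServer3.Neo4j's source). The two small types are simplified stand-ins for IdentityServer3.Core.Models.LocalAuthenticationContext and AuthenticateResult, the user lookup is a constructed in-memory table, and the class and method names are hypothetical; what is real is the shape of the v2-style service, which writes its result onto the context instead of returning it:

```csharp
// Added illustration of the fall-through bug class, not IdentityServer3.Neo4j's
// code. The two types below are simplified stand-ins for the IdentityServer3
// context/result models; FakeUserGraph is a constructed in-memory stand-in for
// the Neo4j user lookup.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

public class AuthenticateResult
{
    public string Subject { get; }
    public string Name { get; }
    public string ErrorMessage { get; }
    public bool IsError => ErrorMessage != null;

    public AuthenticateResult(string errorMessage) { ErrorMessage = errorMessage; }
    public AuthenticateResult(string subject, string name) { Subject = subject; Name = name; }
}

public class LocalAuthenticationContext
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public AuthenticateResult AuthenticateResult { get; set; }
}

// Constructed test data. Plaintext passwords keep the example short; a real
// store verifies a salted, slow hash (PBKDF2/bcrypt) in constant time.
public static class FakeUserGraph
{
    static readonly Dictionary<string, (string Subject, string Password)> Users =
        new Dictionary<string, (string, string)>
        {
            ["alice"] = ("3f2a9c", "correct horse battery staple"),
        };

    public static bool TryFind(string userName, out string subject)
    {
        var found = Users.TryGetValue(userName ?? string.Empty, out var row);
        subject = found ? row.Subject : null;
        return found;
    }

    public static bool PasswordMatches(string userName, string password) =>
        Users.TryGetValue(userName ?? string.Empty, out var row) && row.Password == password;
}

public class VulnerableUserService
{
    // Under the old API "return new AuthenticateResult(error)" ended the method.
    // After moving to context.AuthenticateResult = ..., the bad-password branch
    // no longer returns, so execution continues into the success path.
    public Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        if (!FakeUserGraph.TryFind(context.UserName, out var subject))
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
            return Task.FromResult(0);
        }
        if (!FakeUserGraph.PasswordMatches(context.UserName, context.Password))
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
            // BUG: no "return" here; the assignment below overwrites the failure.
        }
        context.AuthenticateResult = new AuthenticateResult(subject, context.UserName);
        return Task.FromResult(0);
    }
}

public class FixedUserService
{
    // A single success path, reachable only when every check has passed.
    public Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        if (FakeUserGraph.TryFind(context.UserName, out var subject)
            && FakeUserGraph.PasswordMatches(context.UserName, context.Password))
        {
            context.AuthenticateResult = new AuthenticateResult(subject, context.UserName);
        }
        else
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
        }
        return Task.FromResult(0);
    }
}

public static class Program
{
    // Regression check: a valid username with a wrong password must be rejected.
    public static void Main()
    {
        var services = new Dictionary<string, Func<LocalAuthenticationContext, Task>>
        {
            ["vulnerable"] = new VulnerableUserService().AuthenticateLocalAsync,
            ["fixed"] = new FixedUserService().AuthenticateLocalAsync,
        };
        foreach (var entry in services)
        {
            var ctx = new LocalAuthenticationContext { UserName = "alice", Password = "wrong" };
            entry.Value(ctx).Wait();
            Console.WriteLine(entry.Key + ": wrong password -> " +
                              (ctx.AuthenticateResult.IsError ? "rejected" : "AUTHENTICATED"));
        }
    }
}
```

The structural fix is the one in FixedUserService: when a result is communicated through a mutable context rather than a return value, every early-exit `return` from the old code has to be preserved, or, better, the success assignment is placed where it is only reachable once all checks have passed. A unit test of the form shown in Main (valid username, wrong password, expect IsError) is the regression test worth keeping alongside any future refactor of the user service.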
We apologise for any inconvenience caused.
In line with many other popular libraries, we are moving to Semantic Versioning as part of this release.
View source on Github | View package on nuget.org
We understand you may already have a node and relationship labeling convention within your graph. This version introduces configurable node and relationship labels across the entire library, controllable from the application configuration file.
The samples have been updated to show how this can be done in an ASP.NET MVC application.
Configuration settings, and their default values, include:
<add key="UserLabel" value="User"/>
<add key="ClaimLabel" value="Claim"/>
<add key="ExternalLoginLabel" value="ExternalLogin"/>
<add key="RoleLabel" value="Role"/>
<add key="ScopeLabel" value="Scope"/>
<add key="ClientScopeLabel" value="ClientScope"/>
<add key="ClientSecretLabel" value="ClientSecret"/>
<add key="ClientLabel" value="Client"/>
<add key="HasClaimRelName" value="HAS_CLAIM"/>
<add key="HasSecretRelName" value="HAS_SECRET"/>
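One way to consume these settings safely, as an added C# example that is not the library's own code. It uses the same keys and defaults as the list above and assumes two things not stated on the page: that the values are read from `<appSettings>` through `ConfigurationManager`, and that user nodes carry a `UserName` property. The security-relevant point is that Cypher labels and relationship types cannot be passed as query parameters, so a configured name ends up spliced into query text and must be validated before it gets there:

```csharp
// Added example, not IdentityServer3.Neo4j's code. Resolves the configurable
// label and relationship names (keys and defaults as in the post) and validates
// them before they are interpolated into Cypher. Assumed: settings come from
// <appSettings> via ConfigurationManager; user nodes have a "UserName" property.
using System;
using System.Collections.Generic;
using System.Configuration; // reference System.Configuration.dll
using System.Text.RegularExpressions;

public static class GraphNaming
{
    // Key = appSettings key, value = the default from the post.
    static readonly Dictionary<string, string> Defaults = new Dictionary<string, string>
    {
        ["UserLabel"] = "User",
        ["ClaimLabel"] = "Claim",
        ["ExternalLoginLabel"] = "ExternalLogin",
        ["RoleLabel"] = "Role",
        ["ScopeLabel"] = "Scope",
        ["ClientScopeLabel"] = "ClientScope",
        ["ClientSecretLabel"] = "ClientSecret",
        ["ClientLabel"] = "Client",
        ["HasClaimRelName"] = "HAS_CLAIM",
        ["HasSecretRelName"] = "HAS_SECRET",
    };

    // Labels and relationship types are not parameterisable in Cypher, so the
    // configured value becomes part of the query text. Only plain identifiers
    // are accepted; spaces, backticks, braces or quotes are rejected outright.
    static readonly Regex Identifier =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$", RegexOptions.Compiled);

    public static string Get(string key)
    {
        string fallback;
        if (!Defaults.TryGetValue(key, out fallback))
            throw new ArgumentException("Unknown graph naming key: " + key, nameof(key));

        var value = ConfigurationManager.AppSettings[key] ?? fallback;
        if (!Identifier.IsMatch(value))
            throw new ConfigurationErrorsException(
                $"appSettings '{key}' = '{value}' is not a valid Cypher identifier");
        return value;
    }

    // Fail fast: validate every configured name once at application start,
    // rather than on the first query that happens to use a bad one.
    public static void ValidateAll()
    {
        foreach (var key in Defaults.Keys) Get(key);
    }

    // Query for a user and its claims. Names from configuration are validated
    // by Get(); the user-supplied value travels as a real Cypher parameter.
    public static KeyValuePair<string, Dictionary<string, object>> FindUserWithClaims(string userName)
    {
        var cypher =
            "MATCH (u:" + Get("UserLabel") + " { UserName: $userName }) " +
            "OPTIONAL MATCH (u)-[:" + Get("HasClaimRelName") + "]->(c:" + Get("ClaimLabel") + ") " +
            "RETURN u, collect(c) AS claims";
        var parameters = new Dictionary<string, object> { ["userName"] = userName };
        return new KeyValuePair<string, Dictionary<string, object>>(cypher, parameters);
    }
}
```

Call `GraphNaming.ValidateAll()` from `Application_Start` so that a mistyped or hostile label value in web.config fails the deployment instead of being interpolated into every query. The `$userName` parameter syntax is the Neo4j 3.x form; a Neo4j 2.x server expects `{userName}` instead, and either way the username itself must stay a parameter rather than being concatenated like the label.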
Roadmap Update (Updated 21 Feb ’16!)
We appreciate that keeping up with a fast-moving library can be annoying, so we want to share our plans for the next releases so that you can plan around them.
Next: We will shortly be releasing a patch for v0.1.3.x which fixes external login providers (such as Facebook, Google, Twitter, etc.).
Then: After that patch we will continue to fill the holes in our implementation of the different IdentityServer3 services and stores.
Later: We are continually evaluating when to issue a Release Candidate for v1.0.0 (adopting Semantic Versioning, SemVer, in the process). Once v1.0.0 is out we will still jump on bugs and pull requests, but active development will take a hiatus while we migrate the project to run with IdentityServer4 and ASP.NET Core 1.0, and while we put some resource into other tools to help you administer and interact with your graph database.
February 10th saw the 3rd public release of our Neo4j graph database providers for IdentityServer3 (the OpenID Connect and OAuth 2.0 framework by Dominick Baier and Brock Allen).
In this release:
- BUGFIX: Neo4jClientStore now honours the Flow type of the new client passed to the CreateClient() method.
- ENHANCEMENT: Configurable Neo4j node labels extended to include Scope, ClientScope, ClientSecret, Client, and HAS_SECRET relationship. These are not rolled out across the entire codebase yet.
- ENHANCEMENT: Neo4jClientStore.CreateClient() now supports multiple client secrets per client.
- ENHANCEMENT: Neo4jClientStore.FindClientByIdAsync() now also supports returning a collection of client secrets.
- ENHANCEMENT: Neo4jScopeStore now supports multiple scope claims.