- DATE:
- AUTHOR: Ory Team
Technical Advisory — updated webhook request context and OpenID Connect flows
Starting August 1st, 2024, Ory Network is updating the context available in Jsonnet payloads and the parameters required for OpenID Connect Flows.
At a glance, the following is changing:
- Ory Identities: The allow-list for headers from `ctx.request_headers` of the webhook request context is being updated.
- Ory OAuth2: OpenID Connect Flows now always require the `redirect_uri` parameter.
Please take action if you are affected by these changes. If you rely on data that is pending removal or being changed, please reach out to us via Zendesk, Slack, or support@ory.sh.
Removal of internal information from the webhook request context
Extending the self-service flows (login, registration, settings, etc.) through webhooks is an easy way to forward the user's data to an external service.
To streamline the data within webhooks and stop forwarding internal or sensitive request headers to third parties, we will remove all headers from `ctx.request_headers` of the webhook request context that do not match the following allow-list (header names are matched case-insensitively, as usual for HTTP):
- Accept
- Accept-Encoding
- Accept-Language
- Content-Length
- Content-Type
- Origin
- Priority
- Referer
- Sec-Ch-Ua
- Sec-Ch-Ua-Mobile
- Sec-Ch-Ua-Platform
- Sec-Fetch-Dest
- Sec-Fetch-Mode
- Sec-Fetch-Site
- Sec-Fetch-User
- True-Client-Ip
- User-Agent
Action Required by August 1st, 2024: Audit every Jsonnet webhook template that reads from `ctx.request_headers` and make sure it only references headers on the updated allow-list. Any other header (for example `Cookie`, `Authorization` or `X-Forwarded-For`) will no longer be present in the payload after the change.
Please refer to our Webhook documentation for the full list of features, guides and strategies.
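The following is an added example, not code from Ory or from the advisory: a small audit script that scans a Jsonnet webhook template for `ctx.request_headers[...]` and `std.get(ctx.request_headers, ...)` lookups and reports the header names the new allow-list will drop, plus a helper that simulates the filtered header map. The sample template and the header map are constructed for the example; the shape of the header values (a list of strings per header name) is an assumption, and only the header names are checked.

```python
import re

# Allow-list as published in the advisory. Compared case-insensitively,
# because HTTP header names are case-insensitive.
ALLOWED_REQUEST_HEADERS = frozenset(h.lower() for h in [
    "Accept", "Accept-Encoding", "Accept-Language", "Content-Length",
    "Content-Type", "Origin", "Priority", "Referer", "Sec-Ch-Ua",
    "Sec-Ch-Ua-Mobile", "Sec-Ch-Ua-Platform", "Sec-Fetch-Dest",
    "Sec-Fetch-Mode", "Sec-Fetch-Site", "Sec-Fetch-User",
    "True-Client-Ip", "User-Agent",
])

# Two ways a Jsonnet template typically reads a request header:
#   ctx.request_headers["X-Foo"]          (index lookup)
#   std.get(ctx.request_headers, "X-Foo") (lookup with default)
_HEADER_REF = re.compile(
    r"""ctx\.request_headers\s*\[\s*(?P<q1>['"])(?P<bracket>[^'"]+)(?P=q1)\s*\]"""
    r"""|std\.get\(\s*ctx\.request_headers\s*,\s*(?P<q2>['"])(?P<get>[^'"]+)(?P=q2)"""
)


def header_references(template: str) -> list[str]:
    """Header names a Jsonnet template reads from ctx.request_headers, in source order."""
    return [m.group("bracket") or m.group("get") for m in _HEADER_REF.finditer(template)]


def disallowed_references(template: str) -> list[str]:
    """Referenced header names that will no longer be delivered after the change."""
    return sorted({h for h in header_references(template)
                   if h.lower() not in ALLOWED_REQUEST_HEADERS})


def filter_headers(headers: dict) -> dict:
    """Simulate the webhook request context after the allow-list is applied."""
    return {name: value for name, value in headers.items()
            if name.lower() in ALLOWED_REQUEST_HEADERS}


# Constructed sample template (hypothetical; not from any real deployment).
SAMPLE_TEMPLATE = r'''
function(ctx) {
  user_id: ctx.identity.id,
  user_agent: ctx.request_headers["User-Agent"],
  client_ip: ctx.request_headers["True-Client-Ip"],
  forwarded_for: ctx.request_headers["X-Forwarded-For"],
  session_cookie: std.get(ctx.request_headers, "Cookie", null),
}
'''

# Constructed sample header map (hypothetical values).
SAMPLE_HEADERS = {
    "User-Agent": ["curl/8.0"],
    "content-type": ["application/json"],
    "Cookie": ["ory_kratos_session=..."],
    "X-Forwarded-For": ["203.0.113.7"],
}

if __name__ == "__main__":
    for name in disallowed_references(SAMPLE_TEMPLATE):
        print(f"WARNING: template reads header {name!r}, which is not on the allow-list")
    print("headers delivered after the change:", filter_headers(SAMPLE_HEADERS))
```

Run it against each of your webhook templates before the cut-over date; a non-empty warning list means the template depends on data that will be removed and needs to be sourced differently (for instance from the identity or flow objects rather than from raw request headers).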
Mandatory `redirect_uri` for OpenID Connect Flows
This update addresses an issue where Authorize Requests without the `redirect_uri` parameter were incorrectly allowed, contrary to the OpenID Connect 1.0 specification, which lists `redirect_uri` as a required parameter of the authentication request. Moving forward we will enforce the inclusion of the `redirect_uri` parameter. The supplied value must exactly match one of the redirect URIs registered for the client; that comparison is what prevents an authorization code or token from being delivered to a location the client never registered.
This change only affects users of Ory OAuth2. If you're not using Ory OAuth2, your OIDC flows will continue to work as before.
Previous behaviour: you were able to omit the `redirect_uri` parameter from OpenID Connect flows (request abbreviated; only the parameters relevant to this change are shown):
/oauth2/auth?scope=openid&client_id=1234
New requirement: You must always include the `redirect_uri` parameter:
/oauth2/auth?scope=openid&client_id=1234&redirect_uri=https://...
Action Required by August 1st, 2024: Update your OpenID Connect flow requests to always include the `redirect_uri` parameter.
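As an added example (not Ory's code and not the advisory's), the block below builds an authorization request that always carries `redirect_uri` and runs a client-side pre-flight check that mirrors the rules an OpenID Connect 1.0 / OAuth 2.0 authorization server enforces: `redirect_uri` present exactly once, free of a fragment, and an exact string match against the client's registered redirect URIs. The issuer host, client ID and redirect URIs are constructed for the example; the check is a generic implementation of the specification rules, not a reproduction of Ory OAuth2's internal validation.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str, scope: str = "openid",
                        response_type: str = "code") -> str:
    """Build an OpenID Connect authorization request URL with redirect_uri always set."""
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # binds the ID token to this request
    }
    return issuer.rstrip("/") + "/oauth2/auth?" + urlencode(params)


def check_authorize_request(url: str, registered_redirect_uris: list[str]) -> list[str]:
    """Pre-flight check of an authorization request URL.

    Returns the list of problems found; an empty list means the request
    carries the parameters the server will insist on.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for required in ("response_type", "client_id"):
        if required not in query:
            problems.append(f"missing {required}")
    if "openid" not in query.get("scope", [""])[0].split():
        problems.append("scope does not contain openid")
    values = query.get("redirect_uri")
    if not values:
        # This is the case the advisory is about: previously tolerated, now rejected.
        problems.append("missing redirect_uri")
        return problems
    if len(values) != 1:
        problems.append("redirect_uri must appear exactly once")
    redirect_uri = values[0]
    if "#" in redirect_uri:
        problems.append("redirect_uri must not contain a fragment")
    # Exact string comparison, as the specifications require; no prefix or
    # wildcard matching, which is where open-redirect style code leaks come from.
    if redirect_uri not in registered_redirect_uris:
        problems.append("redirect_uri is not a registered redirect URI of this client")
    return problems


# Constructed sample values (hypothetical issuer, client and callback).
ISSUER = "https://auth.example.com"
REGISTERED = ["https://app.example.com/callback"]
LEGACY_REQUEST = ISSUER + "/oauth2/auth?response_type=code&client_id=1234&scope=openid"
NEW_REQUEST = build_authorize_url(ISSUER, "1234", REGISTERED[0], state="s1", nonce="n1")

if __name__ == "__main__":
    print("legacy request:", check_authorize_request(LEGACY_REQUEST, REGISTERED) or "ok")
    print("new request:   ", check_authorize_request(NEW_REQUEST, REGISTERED) or "ok")
```

Point `check_authorize_request` at the URLs your application actually generates (for example by logging them in a test environment) and treat any non-empty result as a request that will start failing after the cut-over.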