Technical Advisory — updated webhook request context and OpenID Connect flows

DATE:
AUTHOR: Ory Team

Starting August 1st, 2024, Ory Network is updating the context available in Jsonnet payloads and the parameters required for OpenID Connect Flows.

At a glance, the following is changing:

  • Ory Identities: The allow-list for headers exposed through ctx.request_headers in the webhook request context is being updated; headers not on the list will no longer be forwarded to webhooks.

  • Ory OAuth2: OpenID Connect Flows now always require the redirect_uri parameter.

Please take action if you are affected by these changes. If you rely on data that is pending removal or being changed, please reach out to us via Zendesk, Slack, or support@ory.sh.

Removal of internal information from the webhook request context

Extending the self-service flows (login, registration, settings, etc.) through webhooks is an easy way to forward the user's data to an external service.

To limit the data forwarded to webhooks, all headers in ctx.request_headers of the webhook request context that are not on the following allow-list will be removed. Any header not listed below (including internal or infrastructure headers) will no longer be available to your Jsonnet payloads:

Accept
Accept-Encoding
Accept-Language
Content-Length
Content-Type
Origin
Priority
Referer
Sec-Ch-Ua
Sec-Ch-Ua-Mobile
Sec-Ch-Ua-Platform
Sec-Fetch-Dest
Sec-Fetch-Mode
Sec-Fetch-Site
Sec-Fetch-User
True-Client-Ip
User-Agent

Action Required by August 1st, 2024: Ensure that your Jsonnet webhook payloads only reference headers from ctx.request_headers that appear on the updated allow-list; any other header will be absent from the context after that date.

Please refer to our Webhook documentation for the full list of features, guides and strategies.
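As an added example (not Ory's code), the following Python audit scans a Jsonnet webhook template for references to ctx.request_headers and reports any header that is not on the allow-list above, as well as any header that is on the list but spelled with different casing. The sample template is constructed for the example. The advisory does not say whether header lookup is case-sensitive; because Jsonnet object fields are, and the list is published in canonical casing, the casing check is a conservative assumption.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Allow-list as published in the advisory, in the casing it was published with.
ALLOWED_HEADERS = (
    "Accept", "Accept-Encoding", "Accept-Language", "Content-Length", "Content-Type",
    "Origin", "Priority", "Referer", "Sec-Ch-Ua", "Sec-Ch-Ua-Mobile", "Sec-Ch-Ua-Platform",
    "Sec-Fetch-Dest", "Sec-Fetch-Mode", "Sec-Fetch-Site", "Sec-Fetch-User",
    "True-Client-Ip", "User-Agent",
)
_ALLOWED_BY_LOWER = {h.lower(): h for h in ALLOWED_HEADERS}

# Matches ctx.request_headers["Name"], ctx.request_headers['Name'] and the dotted
# form ctx.request_headers.Name (Jsonnet only allows the dotted form for names without hyphens).
_HEADER_REF = re.compile(
    r"""ctx\.request_headers
        (?:\[\s*(?P<q>['"])(?P<bracket>[^'"\]]+)(?P=q)\s*\]
          |\.(?P<dot>[A-Za-z_][A-Za-z0-9_]*))""",
    re.VERBOSE,
)


class Finding(NamedTuple):
    line: int
    header: str
    problem: str  # "not-allowed": header will be removed; "casing": listed, but spelled differently


def audit_jsonnet(template: str) -> list[Finding]:
    """Report every ctx.request_headers reference that will go missing or mismatch after the change."""
    findings: list[Finding] = []
    for lineno, text in enumerate(template.splitlines(), start=1):
        for match in _HEADER_REF.finditer(text):
            name = match.group("bracket") or match.group("dot")
            canonical = _ALLOWED_BY_LOWER.get(name.lower())
            if canonical is None:
                findings.append(Finding(lineno, name, "not-allowed"))
            elif canonical != name:
                # Assumption: lookups are exact-match on the published casing (Jsonnet object
                # fields are case-sensitive), so "accept-language" would not find "Accept-Language".
                findings.append(Finding(lineno, name, "casing"))
    return findings


# Constructed sample template for the example; not taken from any real deployment.
SAMPLE_TEMPLATE = r"""function(ctx) {
  userId: ctx.identity.id,
  userAgent: ctx.request_headers["User-Agent"],
  language: ctx.request_headers['accept-language'],
  clientIp: ctx.request_headers["X-Forwarded-For"],
  authz: ctx.request_headers["Authorization"],
}
"""

if __name__ == "__main__":
    for f in audit_jsonnet(SAMPLE_TEMPLATE):
        print(f"line {f.line}: {f.header!r} {f.problem}")
```

Forwarding the whole map (for example `headers: ctx.request_headers`) keeps working and is not flagged; it simply carries fewer keys after the change.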

Mandatory redirect_uri for OpenID Connect Flows

This update addresses an issue where Authorize Requests without the redirect_uri parameter were incorrectly accepted. OAuth 2.0 (RFC 6749, section 4.1.1) treats redirect_uri as optional when the client has exactly one registered redirect URI, but OpenID Connect Core 1.0 (section 3.1.2.1) marks it REQUIRED on every Authentication Request. Moving forward we will enforce the inclusion of the redirect_uri parameter.

This change only affects users of Ory OAuth2. If you're not using Ory OAuth2, your OIDC flows will continue to work as before.

Previous behaviour: the redirect_uri parameter could be omitted from an OpenID Connect authorize request, for example:

/oauth2/auth?response_type=code&scope=openid&client_id=1234

New requirement: the redirect_uri parameter must always be included:

/oauth2/auth?response_type=code&scope=openid&client_id=1234&redirect_uri=https://...

Action Required by August 1st, 2024: Update your OpenID Connect flow requests to always include the redirect_uri parameter.
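As an added example (not Ory's code), the following Python pre-flight check reports which parameters that OpenID Connect Core 1.0 requires on an Authentication Request are missing from an authorize URL, and a helper adds the redirect_uri so existing requests can be migrated before the deadline. The host, client_id and callback URL are constructed placeholders, and the check cannot know which redirect URIs are registered for the client, so it only verifies that the value is present and absolute.

```python
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters OpenID Connect Core 1.0 (section 3.1.2.1) marks REQUIRED on an
# authentication request; redirect_uri is the one Ory OAuth2 will now enforce.
REQUIRED_PARAMS = ("response_type", "client_id", "scope", "redirect_uri")


def missing_params(authorize_url: str) -> list[str]:
    """Return the required parameters that are absent or empty in an authorize request URL."""
    query = dict(parse_qsl(urlsplit(authorize_url).query, keep_blank_values=True))
    missing = [name for name in REQUIRED_PARAMS if not query.get(name)]
    if query.get("scope") and "openid" not in query["scope"].split():
        missing.append("scope must include openid")
    return missing


def with_redirect_uri(authorize_url: str, redirect_uri: str) -> str:
    """Return the authorize URL with redirect_uri set, replacing any existing value.

    The redirect URI must be absolute; it should also be one of the URIs registered
    for the client, which this offline check cannot verify.
    """
    target = urlsplit(redirect_uri)
    if not (target.scheme and target.netloc):
        raise ValueError("redirect_uri must be an absolute URL")
    parts = urlsplit(authorize_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "redirect_uri"]
    query.append(("redirect_uri", redirect_uri))
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed example request; the host, client_id and callback URL are placeholders.
OLD_REQUEST = "https://auth.example.com/oauth2/auth?response_type=code&scope=openid&client_id=1234"
NEW_REQUEST = with_redirect_uri(OLD_REQUEST, "https://app.example.com/callback")

if __name__ == "__main__":
    print("before:", missing_params(OLD_REQUEST))  # ['redirect_uri']
    print("after: ", missing_params(NEW_REQUEST))  # []
```

Run it against each authorize URL your integration builds; any request reporting `redirect_uri` in the missing list will be rejected by Ory OAuth2 after the deadline.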
