Add changelog and upgrade readme (#152)

* Add changelog and upgrade readme

Require admin authentication to initiate DB migration

* Add fiew things to the list

Co-authored-by: Marko Ivančić <[email protected]>

Author: pradtke

CHANGELOG.md

@@ -5,7 +5,41 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [2.0.0-rc.1] - 2021-10-08
+### Added
+- Implicit flow support
+- Back-channel logout
+- RP initiated logout
+- Support for 'sid' claim in ID and logout token
+- Support for claim types
+- Allow users with specific entitlements to add clients
+- Support for ACR
+- Support for requesting individual claims
+- Support for allowed CORS origins for public clients
+- Support for 'at_hash' claim in ID token
+- Support for 'max_age' parameter
+- List of supported grant types in OP configuration document
+- List of supported auth methods for token endpoint in OP configuration document
+- Support for 'prompt' parameter, for example using 'prompt=login' to require authentication
+even if user has active SSO session
+- Works with SSP new UI templating enabled
+- Pagination for client list
+- Support for basic authentication processing filters, for example for f-ticks logging, attribute
+manipulation or similar, definable in oidc_config.php
+- Support for 'nonce' claim in ID token
+- Config options to add prefix to private scope claims and to enable multi-valued claims
+### Changed
+- Basic flow is now conformant
+- Admin client configuration path has moved
+- 'token_endpoint' renamed form '.../access_token.php' to '.../token.php' 
+- Requires php > 7.4
+- Auth. source is now optional when defining clients. If auth. source is not set for particular 
+client, a default one from the configuration will be used during authn.
+### Fixed
+- When authorization code is reused corresponding tokens are now immediately revoked
+- Returning or displaying proper error messages is now more in line to specification
+- Expired access tokens are now only deleted if corresponding refresh tokens are also expired
+- JWT header parameter 'kid' is now generated dynamically based on public certificate fingerprint
 
 ## [1.0.0-rc.2] - 2020-05-17
 ### Added

README.md

@@ -19,6 +19,10 @@ Installation can be as easy as executing:
 
 Once you install and configure the module checkout the [FAQ](FAQ.md)
 
+## Upgrading?
+
+If you are upgrading versions checkout the [upgrade guide](UPGRADE.md)
+
 ### Configure the database
 
 Edit your `config/config.php` and check you configured at least the next parameters from the _database_ section:

UPGRADE.md

@@ -0,0 +1,25 @@
+
+# Version 1 to 2
+
+There are numerous DB changes that need to be applied. Perform the migration by logging in as an SSP admin to
+https://server/simplesaml/module.php/oidc/install.php
+
+An SSP admin should now use https://server/simplesaml/module.php/oidc/admin-clients/ to manage clients. 
+The previous `/clients/` path is for authorized users.
+
+Review the changes to `config-templates/module_oidc.php` and apply relevant changes to your configuration. 
+For example claim types are now supported. 
+
+In version 1, in authorization code flow, user claims were always included in ID token, instead of only
+including them if access token was not released, as per specification. Since changing this behavior is a 
+potential breaking change for Relying Parties, in version 2 a config option 'alwaysAddClaimsToIdToken' is 
+introduced to enable OpenID Providers to keep the behavior from version 1 by setting it to 'true'.
+If 'alwaysAddClaimsToIdToken' is set to 'false', user claims will only be added to ID token if access token was
+not released. If access token was released, user claims will have to be fetched from 'userinfo' endpoint.
+Note that this option only applies to authorization code flow since implicit flow was not available in version 1.
+If you are to use the spec compliant behavior, make sure to warn existing Relying Parties about the change.
+
+Token endpoint was renamed from '.../access_token.php' to '.../token.php'. This is a potential breaking change
+for clients that do not fetch OP configuration from the /.well-known/openid-configuration URI dynamically, but
+instead hardcode endpoints in their configuration. You should probably warn existing Relying Parties about this 
+change.

www/install.php

@@ -15,4 +15,4 @@
 use SimpleSAML\Module\oidc\Controller\OpenIdConnectInstallerController;
 use SimpleSAML\Module\oidc\Services\RoutingService;
 
-RoutingService::call(OpenIdConnectInstallerController::class, false);
+RoutingService::call(OpenIdConnectInstallerController::class, true);