Gluu 4.4.1 Release Notes

Updates for stability, the introduction of an allowlist and blocklist for redirect_uris (which enhances security if this optional parameter is used), and more secure email handling for MFA (and other email services).

request_uri blocklist and allowlist implemented to enhance security

The request_uri Authorization Request parameter enables OpenID Connect requests to be passed by reference, rather than by value (see the spec). However, when implemented as written in the spec, the request_uri could be used to launch an SSRF (Server-Side Request Forgery) attack against the IDP. To mitigate this risk, we’ve implemented both a request_uri blocklist and a request_uri allowlist that are configurable in the Gluu Server OpenID Provider JSON configuration.
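As an added illustration of the mitigation described above (this is example code, not Gluu's own implementation, and the configuration key names are assumed placeholders rather than Gluu's real JSON properties), the check below validates a request_uri against a blocklist and an allowlist, and additionally refuses literal non-public IP addresses, before the OP would dereference it:

```python
# Added example (not Gluu's code): vetting an OpenID Connect request_uri before the
# OP fetches it, so the OP cannot be steered into fetching internal resources (SSRF).
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed configuration. Key names are placeholders, not Gluu's actual settings.
CONFIG = {
    "requestUriBlockList": ["*.internal.example", "metadata.google.internal"],
    "requestUriAllowList": ["rp.example.com", "*.partners.example.org"],
}


def _host_matches(host, patterns):
    # Simple glob matching on the host part only (no scheme, port or path).
    return any(fnmatch(host, p) for p in patterns)


def _is_non_public_ip(host):
    # True only for a literal IP that is loopback, link-local, private or otherwise
    # not globally routable. Hostnames return False here; a hostname can still resolve
    # to an internal address, so the fetcher should re-check the resolved address too.
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def check_request_uri(uri, config=CONFIG):
    """Return (allowed, reason). Only dereference the URI when allowed is True."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or not host:
        return False, "request_uri must be an absolute https URL"
    # Literal internal addresses are rejected regardless of either list.
    if _is_non_public_ip(host):
        return False, "request_uri host is a non-public address"
    if _host_matches(host, config.get("requestUriBlockList", [])):
        return False, "request_uri host is blocklisted"
    allow = config.get("requestUriAllowList", [])
    # An empty allowlist means "no allowlist configured"; a non-empty one is strict.
    if allow and not _host_matches(host, allow):
        return False, "request_uri host is not on the allowlist"
    return True, "ok"
```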