uaa

IMPORTANT BACKWARDS INCOMPATIBLE CHANGES

Starting with this release UAA no longer provides default values for the SAML Service Provider Certificate and JWT Signing Key as a security best practice. These need to be generated explicitly per deployment of UAA and required for proper start-up and functioning of UAA.

These are standard artifacts which can be generated using openssl. Please refer the topic here on how to generate a self signed cert.

The following required SAML Properties need to be set in login.yml

 serviceProviderKey: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
 serviceProviderCertificate: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
serviceProviderKeyPassword:

The following required UAA JWT signing properties need to be set.

Please note that the following properties have been deprecated in UAA. You are advised to use the new format for specifying the JWT Signing key which allows for rotation of keys.

Deprecated format for JWT Signing Key in UAA.yml

jwt:
  token:
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      -----END PUBLIC KEY-----
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----  

New format for JWT Signing Key in UAA.yml

jwt:
  policy:
    activeKeyId: key-id-1
    keys:
      key-id-1:
        signingKey: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----

Running UAA locally

Please note that starting with this this release, UAA can no longer be started with a ./gradlew run.
You need to pass a default profile to set values for the SAML and UAA Signing keys. Please use the new command as a single execution. Make sure your path to the workspace is set properly in the command below

LOGIN_CONFIG_URL=file://$HOME/workspace/uaa/uaa/src/main/resources/required_configuration.yml ./gradlew -Dspring.profiles.active=default,hsqldb run

This release fixes a backwards compatibility issue with Client Authentication to the /token endpoint.
We have the fixed the endpoint to prompt for basic auth header if client credentials are not provided. Many HTTP Clients rely on this trigger mechanism for passing the credentials for authentication. More details can be found here

New Features

• Add support for Azure as an OpenID Connect Identity Provider
• Added client lockout functionality
• Singular: Create Client Side RP Frame Java Script
• Provide the ability to request an access token from the UAA Java Script SDK
• Ensure that bootstrapped saml skipSslValidation flag works per provider

Bug Fixes

• /oauth/token does not accept client parameters
• Missing client authentication should return Basic WWW-Authenticate header
• Remove the dependency on Login Client from UAA
• Document missing fields for Zone API's
• Add Null check during SAML service provider setup
• Singular expects caller to fetch accessToken only onIdentityChange
• Performance problem when accessing group_membership
• Group membership api's possible optimization
• Auth Code Browser flow throws 403 when login page left idle for >30 mins - Issue 445 follow up
• Remove reference to uaa.restricted_ips_regex in uaa.proxy_ips_regex
• UAA doesn't fail fast if DB credentials are wrong
• Fix on UAA startup failure when inactive service providers are in database.
• LDAP users with spaces in their name are unable to log into UAA because the UAA based username validation kicks in
• Return interaction_required as error parameter when approvals needed
• when authorize using prompt=none, place error parameter in fragment if response is delivering a fragment
• Prevent revocable refresh tokens from filling up the UAA db
• user_token grant issues token for the requesting client
• Receiving Current-User cookie header from failed /authorize does not actually delete cookie
• Unable to access /userinfo endpoint when access token does not contain PII
• Update the CSRF Cookie expiry on Login Page to 30 Days

New Features

• Allow customizable SAML XML Dsig algorithms (SHA-256 and SHA-512)
• Implement AMR claim on OpenID tokens
• Users and Clients with zone.{zoneid}.admin should able to call password_resets endpoint
• API Docs for UAA as SAML IDP
• Remove notion of self for /oauth/token/list
• List user tokens API docs
• Don't return JWT value for /oauth/token/list
• New API for listing the Revocable Tokens for a given User Account
• Add support for SAML NameIDPolicy
• Implement ACR claim on OpenID tokens
• UAA as a SAML IDP: Add attribute inResponseTo to the saml2p:Response
• Update the Authorization Code for the Authorization API flow from 7 to 10 Characters
• Introduce a Prompt Parameter on /oauth/authorize
• Propagate ACR claim for External OpenID Connect provider if present
• Clearly document zone ID/subdomain header for endpoints that support it
• Change select statement for active providers
• Support reading LDAP user memberOf attributes
• Endpoint is provided to delete service provider configuration from UAA IdP
• Support LDAP StartTLS
• Create OP Login Iframe for UAA
• Publish OpenID Connect .wellknown endpoint for discovery purposes.
• Add SCIM Patch Method for Users and Groups
• Add support for response_type=id_token for implicit grant
• Change Default for WantSignedAssertion default to true instead of false.
• Provide the ability to rotate client secrets - Add a new Secret
• Provide the ability to rotate client secrets - Delete Old Secret
• Redundant entityId field is required in the payload to add service provider to UAA IdP
• Add account chooser to IDP discovery page
• Modified UaaHttpRequestUtils to build an HTTP client that uses the system proxy settings.

Bug Fixes

• Clients cannot refresh a token that was generated by a JWT signing key that is no longer active
• Fix /autologin to support application/x-www-form-urlencoded again
• Fix YAML array generation
• Token documentation omits id_token details
• Encoding issue in "/token_keys" - JWKS endpoint
• "sub" claim missing in Userinfo Response
• Missing fields in Client return object
• Fix for startup failure when inactive service providers exist in the database
• Adding duplicate service provider to UAA IdP causes 500 Server Error
• Fix array out of bounds exception in case of wrong email format
• Jackson serialization exception
• Check token message is cryptic when token revoked
• UaaTokenServices.getTokenEndpoint can return null in two spots
• Return current_user cookie on /oauth/authorize
• Fix array out of bounds exception in case of bogus email format

Backport support for SHA256 based Assertion Signatures

Please use this security release to patch the following CVEs on top UAA Release 3.6.0

• CVE-2016-6651 Privilege Escalation in UAA
• CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains
• CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals
• CVE-2016-5016 UAA Accepts Expired Certificates

This release fixes a bug with autologin flow in UAA

Fix /autologin to support application/x-www-form-urlencoded again

This is a security release which addresses

• CVE-2016-6651 Privilege Escalation in UAA

This is a security release which addresses CVE-2016-6651 Privilege Escalation in UAA

This is a security release which addresses

• CVE-2016-6651 Privilege Escalation in UAA

This is a security release which addresses

• CVE-2016-6651 Privilege Escalation in UAA

This is a security release which addresses

• CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains
• CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

This is a security release which addresses

• CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains
• CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

This is a security release which addresses

• CVE-2016-6636 UAA Open Redirect Vulnerability for Subdomains
• CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

New Features

• Support token_format=opaque for refresh token
• Log the Audit Events in a separate log
• Add support for unlocking users
• User should be redirected to UAA to authenticate when accessing client app which does not support their origin IdP
• New Metrics for UAA - Auth Stats
• Allow overriding branding properties for each zone

Bug Fixes

• Token Signing Keys are improperly encoded
• UAA locations should always pass the logout redirect whitelist
• Going to UAA login page when already authenticated in UAA returns the 'UAA' home page regardless if the identity zone homeRedirect is configured
• LDAP Invitations failure on accept
• Zone Specific Reset Password and Create Account Links are not reflected in the Login UI

This is a security release which addresses CVE-2016-5016 UAA Accepts Expired Certificates

Please use UAA 2.7.4.6 instead for CVE-2016-5016 UAA Accepts Expired Certificates

This is a security release which addresses CVE-2016-5016 UAA Accepts Expired Certificates

This is a security release which addresses CVE-2016-5016 UAA Accepts Expired Certificates

IMPORTANT: Deprecation Notice

This releases marks the deprecation of the UAA properties listed here
Please make sure that you have update your UAA & LOGIN YAML configurations accordingly.

New Features

• UI Templates utf-8 support
• Add interface UaaTokenEnhancer
• Introduce new refresh token grant type restriction
• Introduce the mechanism for scope-based user approval of refresh token grant
• Allow disabling shadow user creation at the time of authentication for ldap and oauth/oidc
• Bootstrap UAA system scopes in all identity zones by default
• Allow setting of mail.smtp.auth and mail.smtp.starttls.enable props
• Prohibit ScimUsers from entering more than one email address in the API
• Upgrade to Flyway 4.0
• User account locked error is not propagated to CF CLI
• Allow users to be updated without the need to specify a password in the manifest
• Password endpoints should allow uaa.admin to access them

Bug Fixes

• clients.admin can't change client secret
• Fix refresh of service providers for non-default zones.
• Updating user with empty email puts the account in invalid state
• Setting autoapprove to true with the /check_token endpoint doesn't work with autoapprove list
• External login server users should throw error if origin is uaa
• Inconsistent UAA user experience in case of invalid route and wildcard route mapping
• Entity base url always populated by replacing uaa. with login.
• Erbs populating invalid saml metadata
• Ldap properties not there in yaml file after refactor
• scopes with prefix uaa. do not show up on app approvals page
• Test multiple LDAP Servers with UAA
• UAA fails to start up if there are line breaks in the product logo or the square logo
• Invitations endpoint should return an invalid email in the "failed invites" array
• Where to? page not showing applications for Identity Zones
  -External Identity Providers issuer validation issue
• Setting autoapprove to true via client api does not work
• Suppress the Login Prompts in Info endpoint if Internal Auth and LDAP Auth are disabled.
• Setting phoneNumber to null on ScimUser causes deserialization issues
• 500 error for invalid request