Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency
The following dependencies have been updated
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency
The following dependencies have been updated
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency
The following dependencies have been updated
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-4468 UAA SQL Injection
Published by sreetummidi over 8 years ago
This is a security release which addresses CVE-2016-4468 UAA SQL Injection
Published by sreetummidi over 8 years ago
This is a security release which addresses CVE-2016-4468 UAA SQL Injection
Published by sreetummidi over 8 years ago
Permanent home for API Docs @ http://docs.cloudfoundry.org/api/uaa/
UAA now supports Identity Provider discovery when multiple SAML or OpenID Connect Identity Providers are enabled for a given Identity Zone. The right identity provider is discovered based on the email domain associated with each provider. The login page has been updated to prompt the user for an email address; the identity provider is discovered from its domain and the user is redirected to that provider.
The discovery flow can also be used for OAuth clients that are associated with more than one allowed provider. The OAuth-enabled application can also send a login hint containing the email domain, so that the right identity provider is discovered without the user having to enter an email address on the login page.
To enable IDP discovery for the default zone, set the property below.
login.idpDiscoveryEnabled:
  description: "IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider"
  default: false
For other identity zones, this property can be updated via the Identity Zone API. The property is config.idpDiscoveryEnabled and the default is false.
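The discovery rule described above, written out as an added example (this is not UAA's code). It indexes each provider's email domains at configuration load, refuses a configuration in which two providers claim the same domain, lets a client-supplied login hint take precedence over the address typed at the prompt, and restricts the result to the providers a client is allowed to use. The 'emailDomain' key in the provider config, the 'uaa' fallback origin for unmatched domains, and the argument names of discover() are this example's assumptions, not UAA's parameter names.

```python
"""Email-domain based identity provider discovery (added example, not UAA code)."""

INTERNAL_ORIGIN = "uaa"  # assumed: an unmatched domain falls back to the internal user store


class DiscoveryTable:
    """Index of lower-cased email domain -> provider origin, built at config load."""

    def __init__(self, providers: dict, enabled: bool = True):
        self.enabled = enabled
        self.by_domain = {}
        for origin, cfg in providers.items():
            for domain in cfg.get("emailDomain", []):   # 'emailDomain' key is assumed
                d = domain.strip().lower()
                owner = self.by_domain.get(d)
                # Two providers claiming one domain would make discovery ambiguous
                # (and let one provider shadow another's users), so refuse the config.
                if owner is not None and owner != origin:
                    raise ValueError(f"email domain {d!r} claimed by both {owner!r} and {origin!r}")
                self.by_domain[d] = origin


def domain_of(email: str) -> str:
    """Return the lower-cased domain of one local@domain address; reject anything else."""
    local, at, domain = email.strip().partition("@")
    if not at or not local or not domain or "@" in domain or any(c.isspace() for c in domain):
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def discover(table: DiscoveryTable, *, email=None, login_hint_domain=None,
             client_allowed_origins=None):
    """Pick the origin to redirect the user to.

    A login hint carrying the domain (sent by the OAuth client) takes precedence over
    the address typed at the prompt. Returns None when discovery is disabled, meaning
    the login page shows the provider links as before.
    """
    if not table.enabled:
        return None
    if login_hint_domain:
        domain = login_hint_domain.strip().lower()
    elif email:
        domain = domain_of(email)
    else:
        raise ValueError("no email or login hint: prompt the user")
    origin = table.by_domain.get(domain, INTERNAL_ORIGIN)
    # A client limited to certain providers must not be redirected to another one.
    if client_allowed_origins is not None and origin not in client_allowed_origins:
        raise PermissionError(f"provider {origin!r} is not allowed for this client")
    return origin


# Constructed provider configuration, in the shape of a uaa.yml providers section.
PROVIDERS = {
    "corp-saml": {"type": "saml", "emailDomain": ["Example.com", "example.co.uk"]},
    "partner-oidc": {"type": "oidc1.0", "emailDomain": ["partner.org"]},
}
TABLE = DiscoveryTable(PROVIDERS, enabled=True)

if __name__ == "__main__":
    print(discover(TABLE, email="Alice@EXAMPLE.COM"))        # corp-saml
    print(discover(TABLE, login_hint_domain="partner.org"))   # partner-oidc
    print(discover(TABLE, email="bob@other.net"))             # uaa
```

The address entered at the discovery prompt is untrusted input: it only selects which provider receives the redirect, and that provider still has to authenticate the user. The trust decision is the administrator's, at the point where a domain is assigned to a provider, which is why the table refuses duplicate claims rather than picking one silently.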
Published by sreetummidi over 8 years ago
This is a security release which addresses CVE-2016-3084 UAA Password Reset Vulnerability
Published by sreetummidi over 8 years ago
UAA now supports federating to an OpenID Connect 1.0 compliant Identity Provider in addition to SAML 2.0 providers.
The OpenID Connect IDP can be bootstrapped from the manifest by setting the properties below. The Identity Provider API can also be used to manage the provider. Please refer to the docs here
login.oauth.providers:
  description: "Contains a hash of OpenID Connect/Oauth Identity Providers, the key will be used as the origin key for that provider, followed by key/value pairs. Presence of the userInfoUrl will mark it as an OpenID provider instead of OAuth."
  example:
    my-oauth-provider:
      type: oidc1.0
      authUrl: <URL to the authorize endpoint of the provider>
      tokenUrl: <URL to the token endpoint of the provider>
      tokenKey: <Token verification key>
      tokenKeyUrl: <URL for token verification. Will be used if tokenKey is not specified.>
      scopes:
        - openid
        - <other scope>
      linkText: My Oauth Provider
      showLinkText: true
      addShadowUserOnLogin: true
      relyingPartyId: <OIDC Client ID>
      relyingPartySecret: <OIDC Client secret>
      skipSslValidation: false
      attributeMappings:
        given_name: <Attribute holding given name in the OIDC ID Token>
        family_name: <Attribute holding family name in the OIDC ID Token>
        user_name: <Attribute holding username in the OIDC ID Token>
        external_groups:
          - <attribute holding roles or group memberships in the OIDC id_token>
          - <other attribute holding roles or group memberships in the OIDC id_token>
        user:
          attribute:
            name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token
            name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token
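To show what the attributeMappings section above does at login time, here is an added example (not UAA code) that applies such a mapping to the claims of an already verified ID token and produces the shadow user record that addShadowUserOnLogin would provision. The mapping and claims are constructed; the shape of the returned record is this example's own, and the assumption that a groups claim may arrive either as a list or as a single string is also the example's.

```python
"""Apply an OIDC attributeMappings section to ID token claims (added example, not UAA code)."""

# Constructed mapping, in the shape of the attributeMappings section above.
MAPPING = {
    "given_name": "given_name",
    "family_name": "family_name",
    "user_name": "preferred_username",          # provider claim that holds the username
    "external_groups": ["groups", "roles"],     # claims that carry group memberships
    "user": {"attribute": {"department": "dept", "cost_center": "cc"}},
}


def _as_list(value):
    """Assumed: a group claim may be a list or a single string."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [str(value)]


def map_id_token(claims: dict, mapping: dict, origin: str) -> dict:
    """Build the shadow user to provision for this login.

    The caller must already have verified the ID token's signature (tokenKey or
    tokenKeyUrl) and its audience before the claims reach this function.
    Raises ValueError when the claim mapped to user_name is absent, because a user
    cannot be created or matched without a username.
    """
    username_claim = mapping.get("user_name", "user_name")
    username = claims.get(username_claim)
    if not username:
        raise ValueError(f"ID token lacks the username claim {username_claim!r}")

    groups = []
    for claim in mapping.get("external_groups", []):
        for group in _as_list(claims.get(claim)):
            if group not in groups:           # keep order, drop duplicates
                groups.append(group)

    custom = {}
    for uaa_name, provider_name in mapping.get("user", {}).get("attribute", {}).items():
        if provider_name in claims:           # unmapped attributes are simply absent
            custom[uaa_name] = claims[provider_name]

    return {
        "origin": origin,                     # the provider key from login.oauth.providers
        "username": username,
        "givenName": claims.get(mapping.get("given_name", "given_name")),
        "familyName": claims.get(mapping.get("family_name", "family_name")),
        "externalGroups": groups,
        "userAttributes": custom,
    }


# Constructed ID token claims, as they would look after signature verification.
SAMPLE_CLAIMS = {
    "sub": "9f1c2d",
    "preferred_username": "alice",
    "given_name": "Alice",
    "family_name": "Liddell",
    "groups": ["dev", "ops"],
    "roles": "admin",
    "dept": "eng",
}

if __name__ == "__main__":
    print(map_id_token(SAMPLE_CLAIMS, MAPPING, "my-oauth-provider"))
```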
UAA now supports revocable tokens. A new token type, opaque, has been added in addition to JWT tokens.
Both JWT and opaque tokens are revocable. Revocability of JWT tokens is configurable per Identity Zone and is turned off by default.
uaa.jwt.revocable:
  default: false
UAA now supports specifying multiple signing and verification keys as part of the Identity Zone configuration, and the Key ID (kid) is now passed in the JWT token header. The token_key endpoint reflects the active signing key and the token_keys endpoint reflects all the verification keys. Please refer to the corresponding APIs here
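The following added example (not UAA code) shows how a verifier uses the kid header against a key set of the kind the token_key/token_keys split above describes, and how a revocable JWT from the preceding note can be rejected by its jti after issuance. It signs with HS256 from the standard library so it runs offline; UAA may also sign with RSA keys, which this example does not cover. The 'revocable' claim and the server-side jti revocation list are this example's assumed design.

```python
"""kid-based key selection, key rotation and jti revocation (added example, not UAA code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeySet:
    """All verification keys by kid; exactly one of them signs new tokens."""

    def __init__(self, keys: dict, active_kid: str):
        if active_kid not in keys:
            raise ValueError("active signing key must be part of the key set")
        self.keys = dict(keys)          # kid -> HMAC secret (bytes)
        self.active_kid = active_kid
        self.revoked_jti = set()        # assumed: server-side list of revoked token ids

    def token_key(self) -> dict:
        """What token_key reflects: the active signing key (secret omitted)."""
        return {"kid": self.active_kid, "alg": "HS256"}

    def token_keys(self) -> list:
        """What token_keys reflects: every key a verifier may need."""
        return [{"kid": kid, "alg": "HS256"} for kid in self.keys]

    def rotate(self, new_kid: str, secret: bytes) -> None:
        """Start signing with a new key; the old key stays so issued tokens still verify."""
        self.keys[new_kid] = secret
        self.active_kid = new_kid


def sign(keyset: KeySet, claims: dict, revocable: bool = False) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": keyset.active_kid}
    body = dict(claims, jti=secrets.token_hex(16), revocable=revocable)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, body)
    )
    mac = hmac.new(keyset.keys[keyset.active_kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def header_of(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[0]))


def verify(keyset: KeySet, token: str, now: float = None) -> dict:
    """Return the claims, or raise ValueError saying why the token is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must not get to choose 'none' or another MAC.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if kid not in keyset.keys:
        raise ValueError(f"unknown kid {kid!r}")   # not in token_keys: reject, never guess
    expected = hmac.new(keyset.keys[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("revocable") and claims.get("jti") in keyset.revoked_jti:
        raise ValueError("revoked")
    return claims


def rejection_reason(keyset: KeySet, token: str, now: float = None):
    """None if the token verifies, otherwise the reason string."""
    try:
        verify(keyset, token, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    ks = KeySet({"key-1": secrets.token_bytes(32)}, "key-1")
    tok = sign(ks, {"sub": "alice", "exp": time.time() + 600}, revocable=True)
    ks.rotate("key-2", secrets.token_bytes(32))
    print(header_of(tok)["kid"], rejection_reason(ks, tok))   # key-1 None
    ks.revoked_jti.add(verify(ks, tok)["jti"])
    print(rejection_reason(ks, tok))                           # revoked
```

Two points the example is built around: a kid that is not in the published verification keys is a hard failure, not a hint to fetch or guess a key, and rotation only changes which key signs, so tokens issued under the previous key keep verifying until they expire or are revoked.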
We have begun the work to migrate the UAA API docs to Spring REST docs. The new documentation can be found here
- uaa.admin should be allowed to manage clients
- uaa.scim.external_groups should support origin key
Published by sreetummidi over 8 years ago
This is a security release which addresses CVE-2016-0781 UAA Persistent XSS Vulnerability
Published by sreetummidi over 8 years ago
autocomplete=false does not work, it needs to be autocomplete=off
Published by sreetummidi over 8 years ago
We have introduced properties for branding the UAA UI Pages. The default branding is Cloud Foundry. We have also updated the Cloud Foundry brand to the latest. All Pivotal specific assets & stylesheets have been removed from the UAA repository.
Below is the branding snippet from UAA.yml for setting the branding properties. These properties can be bootstrapped from UAA.yml & UAA Release Manifest (if using the UAA Bosh Release)
branding:
  companyName: <Company Name>
  productLogo: <Enter base64 Encoded Image>
  squareLogo: <Enter base64 Encoded Image>
  footerLegalText: <This legal text will show up in the footer.>
  footerLinks:
    Terms: /exampleTerms
    Privacy Agreement: privacy_example.html
    Licensing: http://example.com/
This release drops support for the login.tile property, which held a static list of tiles displayed on the "Where To" page.
We have added the ability for the "Where To" Page in UAA to be created dynamically based on OAuth Clients registered with UAA and configured to be displayed on the home page. This serves as a dynamic SSO Dashboard for all Identity Zones.
New endpoints (oauth/clients/meta) have been introduced to set the Launch URL, Display Icon and Show On Home Page properties. These properties can be bootstrapped from the UAA.yml file & UAA Release Manifest (if using the UAA Bosh Release)
# Clients
uaa.clients:
  description: "List of OAuth2 clients that the UAA will be bootstrapped with"
  example:
    login:
      id: <test-client>
      name: <display_name>
      override: true
      secret: some-secret
      authorized-grant-types: authorization_code,client_credentials,refresh_token
      authorities: test_resource.test_action
      scope: test_resource.test_action
      redirect-uri: http://myapp.com/oauth
      app-launch-url: http://myapp.com
      show-on-homepage: true
      app-icon: <Enter base64 encoded image>
We have added support for setting user-friendly display names for SCIM groups & Identity Providers. The APIs have been updated to support this operation. Previously, the description for SCIM groups (aka OAuth scopes) was set in the message.properties file. This can now be bootstrapped from UAA.yml & UAA-Release Manifest (if using the UAA Bosh Release)
Below is a snippet from UAA.yml
scim:
  groups:
    zones.read: Read identity zones
    zones.write: Create and update identity zones
    idps.read: Retrieve identity providers
    idps.write: Create and update identity providers
    clients.admin: Create, modify and delete OAuth clients
    clients.write: Create and modify OAuth clients
    clients.read: Read information about OAuth clients
    clients.secret: Change the password of an OAuth client
Published by sreetummidi over 8 years ago
This release addresses a UAA startup issue for customers using the LDAP user store when they upgrade from UAA 2.X.X to 2.7.4
Published by sreetummidi over 8 years ago
This is a security release which addresses CVE-2016-0732 Privilege Escalation
Published by sreetummidi over 8 years ago
This is a security release which addresses CVE-2016-0732 Privilege Escalation
Published by fhanik over 8 years ago
UAA 3.0.0 introduces breaking changes in the form of a restructuring of the code base, updated dependencies, and new module libraries.
Objects that are payload entities for REST controllers have been moved to the cloudfoundry-identity-model module.
The server side modules have been combined into cloudfoundry-identity-server.
common/src/main/java/org/cloudfoundry/identity/uaa/error/JsonAwareAccessDeniedHandler.java
common/src/main/java/org/cloudfoundry/identity/uaa/error/JsonAwareAuthenticationEntryPoint.java
common/src/main/java/org/cloudfoundry/identity/uaa/login/util/FileLocator.java
common/src/main/java/org/cloudfoundry/identity/uaa/oauth/JitClientDetailsService.java
common/src/main/java/org/cloudfoundry/identity/uaa/oauth/NoSuchTokenException.java
common/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthenticationKeyGenerator.java
common/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaUserTokenConverter.java
common/src/main/java/org/cloudfoundry/identity/uaa/oauth/UserTokenConverter.java
common/src/test/java/org/cloudfoundry/identity/uaa/authentication/login/PromptEditorTests.java
common/src/test/java/org/cloudfoundry/identity/uaa/authentication/login/PromptTests.java
common/src/test/java/org/cloudfoundry/identity/uaa/error/JsonAwareAccessDeniedHandlerTests.java
common/src/test/java/org/cloudfoundry/identity/uaa/error/JsonAwareAuthenticationEntryPointTests.java
common/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaAuthenticationKeyGeneratorTests.java
common/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaUserTokenConverterTests.java
login/src/main/java/org/cloudfoundry/identity/uaa/login/AbstractControllerInfo.java
login/src/main/java/org/cloudfoundry/identity/uaa/login/AnalyticsInterceptor.java
login/src/main/java/org/cloudfoundry/identity/uaa/login/ClientInfoAuthenticationFilter.java
login/src/main/java/org/cloudfoundry/identity/uaa/login/LinkedMaskingMultiValueMap.java
login/src/main/java/org/cloudfoundry/identity/uaa/login/util/IndirectBeanCreator.java
login/src/main/java/org/cloudfoundry/identity/web/Prompt.java
login/src/test/java/org/cloudfoundry/identity/uaa/login/LinkedMaskingMultiValueMapTests.java
login/src/test/java/org/cloudfoundry/identity/web/PromptTest.java
- /Groups end points to manage memberships
- localhost or on hostnames derived from the configuration option zones.internal.hostnames. This made it a bit tricky to get started when trying to access a fresh, unconfigured UAA instance by IP address or another hostname. If zones.internal.hostnames is configured, only those will be used as base hostnames.
- /passcode: previously issued passcodes will be invalidated.
- /Groups endpoint no longer filters groups for the logged in user. More intuitive results when retrieving groups. Supplement story: https://www.pivotaltracker.com/story/show/109107468
Published by paulcwarren almost 9 years ago
This release fixes a backwards incompatibility issue with the allowUnverifiedUsers flag. As part of the previous release, unverified users in any zone other than the default (uaa) zone would not be allowed to log in irrespective of what the flag was set to. This change has now been reverted and allowUnverifiedUsers applies to all zones again.
Published by jlo almost 9 years ago
- password_resets endpoint now takes optional client_id and redirect_uri parameters and returns the user id and verification code in the response.
- allowUnverifiedUsers flag only affects the default zone. Other zones do not allow unverified users and are not affected by the flag.
- /password_change endpoint now returns an autologin code. This code can be used to hit /autologin, which logs the user in and redirects to the saved request (if any).
- uaa.jwt.claims.exclude property that allows excluding claims from the JWT obtained via client credentials.
- X-Identity-Zone-Subdomain header.
- /check_token endpoint now makes sure that the scopes and authorities in the token are still valid.
- requestsSigned and wantAssertionSigned SAML properties exposed per zone in SamlConfig.
- /password_change API endpoint with an invalid/expired code now returns an error message instead of a 500.
- scopes instead of authorities.
- uaa.admin or clients.admin scope must be requested if clients wish to be able to change other clients' secrets.
- /info or /login JSON responses.
- /info endpoint now returns Map<String,String[]> prompt instead of List<Map<String,String[]>>
Published by fhanik almost 9 years ago
Features
- roles scope
Bug Fixes
Misc
Published by sreetummidi about 9 years ago
This release adds support for Client IDs longer than 36 Characters.
UaaTokenStore doesn't support client_ids longer than 36 chars