uaa

CloudFoundry User Account and Authentication (UAA) Server

APACHE-2.0 License

Stars
1.5K
Committers
208
View Code on GitHub
Ecosystems: Java

Bot releases are visible (Hide)

uaa - UAA Release 2.7.0.2

Published by sreetummidi about 9 years ago

Backwards Compatibility for ID_Token Response

During the invocation of the /oauth/authorize URL, the normal process is to specify response_type=code
Some libraries have been specifying response_type=code+id_token
This is a OpenID Connect extension. Previously the UAA ignored the id_token response_type, but now we have added support. This changes the response of the /oauth/authorize. The main change is that the Location header will have a Fragment (#) and not a Query String (?)

This is a hot-fix release which addresses the backwards compatibility issue with handling of id_token in response.
The properties is exposed in the UAA YML:
oauth:
id_token:
disable:

uaa - UAA 2.6.2 Release Notes

Published by sreetummidi about 9 years ago

Non-Browser Authorization Code Flow Support

Authorize endpoint now supports token based authentication in addition to the regular web based authentication flow. API Details can be found here

uaa - UAA 2.5.1 Release Notes

Published by sreetummidi about 9 years ago

Features

Bug Fixes

uaa - Hotfix

Published by fhanik over 9 years ago

2.3.1 added in the ability to revoke a token if a client secret changed, or a user password changed.
When the UAA restarts, it was regenerating the hash to bootstrapped (defined in uaa.yml) users and clients, thus a restart automatically revoked tokens. This has been fixed.

uaa - UAA 2.3.1 Release Notes

Published by sreetummidi over 9 years ago

Features

  • Added CSRF checks for form submits in UAA eb40d76d104289cb48931214ace407f722ecc44d
  • Improved unit testing speed for MockMvc tests a6109f14bf945486d38b2c65b956b90da871a881
  • Added DB index to users.email and not using LOWER function for MySQL (introduced the database.caseinsensitive variable) 781fba0fb749617f4354b8a84e48b18a745474b4
  • Updated README to include information on how to run UAA standalone as a CF app 32955a10f2e1bfaa4eade6f09daa3fea79697c7b
  • Implement a revokable, stateless token strategies. Token can be manually revoked for a client or a user, and are automatically revoked if user's email,username or password changes. Tokens for a client are automatically revoked if the client's secret changes. 7b58aacc6e8ffd689f1b894d25fabc23c8ab1a92
  • Upgraded to MariaDB 1.1.8 JDBC driver 574eae09a8de234e90067d8035c888d7b9f2ffdb
  • Sample SAML Sign key has 10 year expiry 7c7a82cfd3b4b164b5d5178aa25492037db63908

Bug Fixes

uaa - UAA 2.3.0 Release Notes

Published by sreetummidi over 9 years ago

Features

uaa - UAA 2.2.5 Release Notes

Published by sreetummidi over 9 years ago

Features

Bug Fixes

uaa - UAA 2.1.0 Release Notes

Published by sreetummidi over 9 years ago

Multi-tenant UAA
This release adds the much awaited support for UAA Multi-tenancy. A Tenant in your System could map to an entire Organization, Business unit or Geographical Location, Employees or Consumers, Development or Production Environments. In UAA multi-tenancy is achieved via the concept of Identity Zones. Each Identity Zone is representative of a Tenant and is accessible via an unique sub-domain.

Multi-Tenancy allows for segregation of User Store, Identity Providers, OAuth Clients etc. Existing UAA End Points for SCIM, OAuth Client Management can now be accessed in a multi-tenant fashion by using the right Identity Zone subdomain as part of the access URI.

This release is fully backwards compatible. All of the bootstrapped configuration from login.yml and uaa.yml becomes part of the Default UAA Zone. Accessing the UAA URL without any subdomain connects to the default UAA Identity Zone.

Documentation
New API end point for managing Identity Zones
Adding Limited Clients in an Identity Zone
New API end point for managing Identity Providers

uaa - UAA 2.0 Release Notes

Published by sreetummidi almost 10 years ago

Login Server and UAA Merger
This release introduces the merger of Login Server and UAA into a single project. The main benefits and impact of this merger are explained below:

Benefits
Simplified Development
The main driver behind the merger is development. The cost of maintaining two separate projects and the HTTP APIs between these two is too high. For each Login Server feature there is usually development required in both projects, implying that a careful version dependency has to be maintained between the two projects.

Flexibility with Test Frameworks
The Spring Framework provides an incredible powerful unit test framework called MockMvc. Allowing a full Spring bean context to be loaded without the need of a Servlet engine. The Login Server is today not enjoying such ability of testing because of its separation from the UAA. The Login Server has to be tested in a running servlet engine in order for HTTP requests to properly propagate. If the login server became a module in the UAA project, MockMvc would become a powerful test driven development tool for the projects team members.

Additional levels of redundancy
In a deployed CF environment, the UAA would enjoy additional levels of redundancy by running the same process in 4 VMs instead of a 2+2 configuration as it is today. For a minimal high availability, we could remove two VMs from the equation thus reducing the footprint of a CF deployment.

Impact
All UAA endpoints (including the endpoints for external login-servers) remain intact.
For time being, the idea is that the UAA would serve both uaa. and login. hostnames to maintain backwards compatibility.

uaa - 1.10 Release Notes

Published by mbhave almost 10 years ago

OpenID Connect Updates
We have improved our OpenID Connect support in this release. This includes support for:

  • Response type id_token
  • Signature verification for id_token

User Sign Up Updates
The user sign up flow (Create Account) has been updated to collect the user's password upfront rather than after the user email verification. This greatly simplifies the user sign up flow. Now post email verification the users are automatically logged in.

Invitations
End users who are authenticated to UAA can now invite others users via email. Invited users are sent an email. After accepting the invitation in the email, the users are allowed to set their password followed by automatically being logged in. This is an optional feature and can be turned on via the invitationsEnabled flag in login.yml

User Verification
The UAA now checks the verified flag when authenticating users if the allowUnverifiedUsers flag is set to false in the uaa.yml. Unverified users are allowed to authenticate successfully by default.

Externalization of Scope Descriptions
The Cloud Foundry specific scope messages can now be controlled via CLOUD_FOUNDRY_CONFIG_PATH/messages in addition to loading them from message.properties of Login Server

uaa - Release Notes

Published by rdgallagher almost 10 years ago

This is a hotfix-only release. It adds a flag to the configuration to let OAuth clients that are not allowed the "implicit" grant type to continue to use the hybrid code+id_token OpenID flow from the Authorization endpoint without receiving an error response. This way they can still receive the authorization code and continue with the authorization_code grant flow.

The flag is called fallbackToAuthcode and defaults to false, meaning clients that do not have the ability to do implicit grants will get an unauthorized exception for the whole request.

This release is necessary to provide a workaround to a breaking change in UAA 1.10, which added the provision of the OpenId id_token but locked out clients without the implicit grant in the process.

uaa - 1.8.3 Release Notes

Published by mbhave about 10 years ago

/ids/Users endpoint protected by a scope

Previously, any valid token was allowed access to translate a username to a id or vice versa. It is now protected by the scim.userids scope. Security is further tightened by checking the scope as well limiting filtering possibilities.

Externalize default scopes

Non UAA scopes, were previously defined in the oauth-endpoints.xml. Client scopes can now be configured in the uaa.yml instead of relying on our XML file.

Refactor /Groups/External APIs

Endpoints that are more RESTful have been added for listing, updating and deleting external group mappings.

Stories Completed
Features
Externalize default scopes
Protect /ids/Users by scope
Refactor API

uaa - 1.8.0 Release Notes

Published by fhanik about 10 years ago

Scope wildcards
In UAA we now support client scopes to have a wildcard. Imagine this scenario

Client Scopes

  • cloud_controller.*

User Joe

  • cloud_controller.read
  • cloud_controller.write

User Mary

  • cloud_controller.read
  • cloud_controller.write
  • cloud_controller.admin

When respective user requests a token, Joe will receive cloud_controller.read/write and Mary will receive cloud_controller.read/write/admin scopes.

To receive these scopes, the token/authorize request

  • may not contain any scopes to receive the default intersection of scopes between client and user
  • can include a wild card scope, cloud_controller.*, but it has to match the scope of the client
  • can include a specific scope, cloud_controller.read, that matches a user assigned scope

The wildcard matching is very simple. An asterisks, *, character represents a wild card. The wild card will never reach beyond a dot, ., that is considered a scope delimiting character.

For matching examples, take a look at the following tests

Limitations

User scopes may not contain wild cards. In a user scope, a wildcard will not be treated as a special character.

Extract Mail Attribute from LDAP user
A very simple feature has been implemented to extract the LDAP mail attribute from a user's record when a user is authenticated against LDAP
This feature simply looks at the LDAP record, extracts the 'mail' field and picks the first address on file. Currently we have not implemented a more advanced feature to select a specific email address if multiple exist. However, from the authentication, we do get all the email addresses and populate them into the Ldap User Details object.
When the user gets converted to a UAA record, it selects the first email address on file.

Ldap Documentation
Read it now

Gradle

UAA now builds with gradle instead of maven. This simplifies the build process, as one can now build from scratch, and run the uaa, app, and api apps with a simple

./gradlew run

Unit tests can be run with ./gradlew test, and integration tests with ./gradlew integrationTest

War and Jar files can be built with ./gradlew assemble

Tigthen security around /token endpoints
We have tightened security in the /oauth/token endpoint. Previously a token with a scope of oauth.<anything>, essentially having audience=oauth, was allowed to issue tokens without requiring user password or client secrets. We believe this scope is too broad to be allowed. Currently the login-server uses a scope of oauth.login for trusted endpoints, and even then, client_secret is required to issue a password grant token.

Stories Completed
Features
Allow client scopes/authorities to have wildcards
Expand oauth_client_details scope and authorities columns
Extract mail attribute from an LDAP user when user stored in UAA
Group memberships are tracked by origin
Email address is updated each time an LDAP user authenticates
Security tightened around token endpoints
External group map endpoint

uaa - UAA 1.7.2 Release - Chained Authentication

Published by fhanik over 10 years ago

Move all LDAP Authentication to UAA
https://github.com/cloudfoundry/uaa/commit/1c400c2eaadb1fb3be54f412ff4a9399feb6a770

Make the UAA multi tenant
Two columns have been added to the UAA.users table

  • origin - the source of the users
  • external_id - if the user has a unique ID in the other repository, like LDAP DN

This means that the user_id should be used as the identifier for a user, not the username
https://github.com/cloudfoundry/uaa/commit/1a63add4b36f9967d7d7cffe0d2f5fd24be402c7

Implement correct SCIM filtering according to the spec
http://www.simplecloud.info/specs/draft-scim-api-01.html#query-resources
https://github.com/cloudfoundry/uaa/commit/af4860a771eb93cfb1ce53f216e504ea31c8f9b1
Backwards compatibility for filters surrounded with single quotes "userName eq 'marissa'" have been retained

Support for LDAP groups
LDAP Groups can be mapped to scopes as

  • group name is the scope name
  • group DN maps to a scope(group_id) in the external_group mapping

Nested LDAP groups are supported
https://github.com/cloudfoundry/uaa/commit/e5345127021ccc5d691ba602b14883dc47cc8258

Stories Completed
Bugs
Remove test classes from src/main/java
SCIM Filter should be backwards compatible, support single quote
Change password link should only be available if the user origin=UAA
Username should not be case sensitive
Fix pagination of the SCIM user endpoint
Proper SCIM parsing to support single quotes

Features
Keystone authentication support
LDAP Authentication in CF is part of the UAA job
Move external authentication is part of the UAA instead of Login server
Support multi tenancy for users

Package Rankings
Top 4.5% on Proxy.golang.org
Top 9.82% on Repo1.maven.org
Badges
Extracted from project README
Quality Gate Status
Related Projects
microtrader

A fictitious stock trading microtrader application

08 Nov 2016 65
spring-boot-web-application-sample

Real World Spring Boot Web Application Example with tons of ready to use features

12 May 2019 291
piggymetrics_K8s

27 Sep 2019 0
kubernetes-for-java-developers

A Day in Java Developer’s Life, with a taste of Kubernetes

21 May 2018 582
jhipster-oidc-example

Example of doing OIDC Login with Keycloak and Okta

08 Sep 2017 5
jh-issue-10610

13 Oct 2019 0
jetty-runtime

Google Cloud Platform Jetty Docker image

18 Aug 2016 44
jhipster-sample-app

This is a sample application created with JHipster

09 Nov 2013 1,339
sun-rise

Sun Rise - The budgeting service system

22 Aug 2024 1