Bot releases are hidden (Show)
Published by wc22222 over 5 years ago
Stories included in release
Engineering Excellence & Bug Fixes
- Enabled unit tests to run in parallel as well as addressing test pollution, which reduced the test execution time by 400+%
- Fixed login_hint not fully functional on login page bug
- Fixed the deep link with inactive identity provider bug
Published by cf-identity almost 6 years ago
Stories included in release
Bug Fixes
- Addressed the redirect_uri issue introduced in 4.25.0
- login_hint example on UAA API doc is encoded twice instead of once
Published by cf-identity almost 6 years ago
Warning
Do not use.
This release introduced a bug in redirect_uri in OAuth2.
Features
Published by cf-identity almost 6 years ago
Bug fixes
JWT header includes parameter cty with null value
Published by cf-identity almost 6 years ago
This is a security release.
Bug fixes
Published by cf-identity almost 6 years ago
Published by cf-identity about 6 years ago
Stories included in release
Features
Bug Fixes
Published by cf-identity about 6 years ago
Stories included in this release are prepared by @wc22222
Features
- Refer to https://www.pivotaltracker.com/story/show/160211643
- cloudfoundry/uaa #843: SCIM Groups Endpoint: only query members if needed
- Default identity provider redirect configuration on identity zone when discovery enabled
- Add JKU header to token header
- ID Token Refresh Grant Flow
- Refer to https://www.pivotaltracker.com/story/show/159375499
- Refer to https://www.pivotaltracker.com/story/show/159090211
- For password grant, if the default provider does not support password grant, treat this as if no default were configured
- OIDC provider password grant flow should take into account
allowed_providersand default configurations - Default identity provider redirect configuration UAA.yml and release
- Default identity provider redirect configuration on identity zone when discovery disabled
- https://www.pivotaltracker.com/story/show/159174812
- Refer to https://www.pivotaltracker.com/story/show/153566482
- Refer to https://www.pivotaltracker.com/story/show/158846330
- Allow configuring the default provider on the identity zone
- Allow provider
passwordGrantEnabledthrough uaa.yml and uaa-release spec - OIDC provider should forward prompts list
- Document config.prompts[] for provider
Bug Fixes
- Unable to get tokens using authorization code grant flow with stored attributes
- Error message for provider being used for password grant flow single allowed provider should be more explicit instead of returning a generic error.
- Error message for provider being used for password grant flow should distinguish between not allowed provider and provider that can't be used for password grant
- Multiple allowed provider with login hint causes nothing to show up on login page if login hint isn't part of allowed providers for authorization code/implicit flows
- cloudfoundry/uaa #809: Authorization code token response (/oauth/token) is not compliant with OpenID connect 1.0 by not including "id_token"
- Account chooser/IDP discovery forces saved accounts with undiscoverable email domains to only login with internal user store
- External Provider KID signature validation is failing
- Access tokens are not being accepted by CATS
- OIDC External Group Mappings should not require ExternalGroupWhitelist set to take effect
- For chained authentication, chained authentication should only try allowed providers
- cloudfoundry-incubator/uaa-cli #7: Upgrade client lib to
0.0.8 - No example in the API docs of what should go into identity zone
config.defaultIdentityProvider - cloudfoundry/uaa #773: cloudfoundry-identity-client-lib should not depend on org.slf4j:slf4j-log4j12
- OIDC API docs don't show examples of config.prompts[] in request/response
- Document Origin parameter for info endpoint as part of API docs
Known issues
- When performing rolling upgrade of UAA from v4.19.0 to v4.20.0, the refresh token may not being respected when doing
refresh_tokengrant type, a 401 error would be expected during the rolling deployment but not after.
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Published by tnwang over 6 years ago
Do-Not-Use
Published by tnwang over 6 years ago
Added CSRF on unauthenticated registration page.
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Additional, added CSRF to unauthenticated registration page.
Published by tnwang over 6 years ago
This is a security release addressing the following issues:
Published by cf-identity over 6 years ago
Stories included in release
Features
- Restrict MFA to the
uaaandldapidentity providers configured for the identity zone - Configure OIDC Provider with Password Grant
- Refactor relying_party_grant_types to allowPasswordGrant boolean
- Configure prompts for OIDC Provider
- Return prompts for OIDC Provider from info endpoints
Documentation
Bug Fixes
- Unknown Identity Zone properties should be ignored during version upgrades
- IdP discovery and account chooser are not skipped when passing in
login_hintforuaaandldaporigins - Updated dependencies
- spring to 4.3.17
- spring security to 4.2.6
- spring security oauth to 2.0.15
- guava to 24.1.1-jre
- thymeleaf to 2.3.0 for groovy
Published by cf-identity over 6 years ago
