UAA 4.5.0 Release Notes

Stories included in release

Breaking Changes

Starting with UAA bosh release v43 the following Default Authorities will be set by default for all new identity zones:

• openid
• password.write
• uaa.user
• approvals.me
• profile
• roles
• user_attributes
• uaa.offline_token

The following Default Authorities will be set by default for the system zone:

• scim.me
• cloud_controller.read
• cloud_controller.write
• cloud_controller_service_permissions.read
• oauth.approvals
• notification_preferences.read
• notification_preferences.write

These values can be changed via the UAA Bosh release manifest or UAA identity zone APIs.

Features

• Make User Default Authorities Zone Specific and allow setting them via API
• Page that documents prop mapping
• Better default for storeCustomAttributes
• Update the API docs for required_user_groups
• JWT Bearer Token Exchange support external OIDC
• Provide the ability to register a client with jwt-bearer grant type
• Support for UAA id_token to be exchanged for Access Token via JWT Bearer
• All password changes should throw audit events
• Validation for Clients of Type jwt-bearer
• JWT token authentication - username allowed to be null and fail
• Refactor DAO objects to always take zone-id parameter
• Fix example for getting token from local UAA on the Github UAA readme
• support id_token exchange for an access token within the same identity zone
• Enable audience check for JWT Bearer Token Exchange
• cloudfoundry/uaa #639: When acting as a SAML SP allow configuration of RequestedAuthnContext

Bug Fixes

• cloudfoundry/uaa #611: Update approvals in profile deletes approvals for other client ids
• Passing in ID token for check token endpoint returns 500 error
• Handle null app launch URL causing NullPointerException on UAA home page
• Race condition on OIDC/Oauth authentication
• Documentation update for /password endpoint
• cloudfoundry/uaa #628: UserInfo endpoint under .well-known/openid-configuration not correct
• idp_discovery not working for OIDC with only discoveryUrl
• password_resets documentation bug
• cloudfoundry/uaa #640: Nullpointer exception in UAA
• Missing documentation for GET /Users
• Client secret can't be set to empty via yml
• UAA incorrectly parses private keys created with openssl req

Other Updates

The following dependencies have been updated:

• Updated hibernate-validator to 4.3.2
• Updated thymeleaf to 3.0.6 and ognl to 3.1.12
• Updated owasp-esapi-java to 2.1.0.1
• Updated spring-security-jwt to 1.0.8
• Updated commons-collections to 3.2.2
• Updated not-yet-commons-ssl to 0.3.17