UAA Release 2.7.0.2

Backwards Compatibility for ID_Token Response

During the invocation of the /oauth/authorize URL, the normal process is to specify response_type=code
Some libraries have been specifying response_type=code+id_token
This is a OpenID Connect extension. Previously the UAA ignored the id_token response_type, but now we have added support. This changes the response of the /oauth/authorize. The main change is that the Location header will have a Fragment (#) and not a Query String (?)

This is a hot-fix release which addresses the backwards compatibility issue with handling of id_token in response.
The properties is exposed in the UAA YML:
oauth:
id_token:
disable:

UAA 2.7.0 Release Notes

Features

• Support for OpenID hybrid flow code + id_token response type
• Add the ability to disable authenticating against internal user store
• Filter the user results from the ids/users endpoint based on active identity providers
• Expose Logout Redirect URI per client

Bug Fixes

• CORS filter blocks same origin requests

UAA 2.6.2 Release Notes

Non-Browser Authorization Code Flow Support

Authorize endpoint now supports token based authentication in addition to the regular web based authentication flow. API Details can be found here

UAA 2.6.1 Release Notes

Features

• Moved UAA to Java 8 only support
• Work in Progress - Support for Allowed Domains on Identity Providers to enable discovery
  • Associate an Identity Provider with One or More allowed domains via YML/Manifest
  • Allow one or more email domains to be associated with an Identity provider via API
• Enable log rotation for UAA Logs via Bosh
• Respect nonce authorization
• Added origin in JWT token and refresh token.
• New "token_keys" endpoint (JWKS Set Format)

Bug Fixes

• Users who haven't modified their password see the sad cloud page after login.
• Inviting an existing user causes "Uh oh Something went amiss"
• Zone users can't see the groups they create
• Reject duplicate entityID when creating SAML providers
• Migration logic to zonefied groups

UAA 2.5.1 Release Notes

Features

• Added multi-tenant support for scim groups, group memberships and external group mappings
  • SCIM Groups should be zone aware
• Enable scopes for finer grained administration of Identity Providers, Users, Groups & Clients in an Identity Zone
  • Expose new scope for reading identity providers in a zone
  • Add finer grained scope for reading a single identity zone
  • Extend /Groups/zones endpoint to allow zone management scopes
  • Add an endpoint for deleting members from zone management groups.
• Support for email notifications to be sent out via the notification service for user creation, password management & account management for users in an identity zone.
  • Use the emails endpoint for sending all UAA email notifications
• Modified CORS filter so that allowed headers for XHR requests is configurable

Bug Fixes

• When creating a Zone specific User Account, Pivotal ID Branding is being displayed
• Email for Zone Specific Create Account shows Pivotal ID wording and branding
• Invitations flow requires a user to be logged in when accepting invite

UAA 2.4.1 Release Notes

Features

• Update the Identity Provider End Point to save and retrieve Lockout policy per zone
• Show relevant message after user lockout
• Updated SAML identity provider configuration to accept an addShadowUser property to govern shadow account creating during SAML Authentication
• Expose Managing /Users & /Groups to a Zone Admin
• New Scope for Creating Clients in a Zone
• Allow to build uaa with Java 8

Bug Fixes

• UAADB Housekeeping: Clean up unused/expired oauth_codes and one time passcodes
• Querying users with pagination will return duplicate users
• Serialization/deserialization issues of Java Objects stored in UAADB

UAA 2.4.0 Release Notes

Features

• Bootstrap password policy under default UAA Zone
• Enforce password policy for default zone on a reset password and change password request
• Expire User password after X months
• Expose Managing (Add/Update/Read) password policy for the Identity Zone
• Revert default password policies to lenient for UAA Zone and other Identity Zones
• Password History: New Password should not be the same as Old Password
• Adjust cf-release password policy config

Bug Fixes

• Restarting the UAA invalidates all tokens
• New Account created for an exiting user logging in via Passcode into CF CLI
• Create Account (both default and identity zone)not functional when Require_HTPS is turned on
• uaac client is not able to set "autoapprove true" for client ids
• Remove Pivotal references from OSS login server style
• uaac target results "invalid status response: 404"
• Turning on password validation breaks shadow user creation
• Zone Specific Self Service Links not functional if custom create account /reset password link is specified in the YML file
• Leading & Trailing Whitespace Characters in Group DN should be truncated during mapping/unmapping of Groups()
• SAML SP metadata generation produces incorrect ID attribute in multi-tenant scenarios
• Missing indexes for lower(id) on users table on postgresql

Hotfix

2.3.1 added in the ability to revoke a token if a client secret changed, or a user password changed.
When the UAA restarts, it was regenerating the hash to bootstrapped (defined in uaa.yml) users and clients, thus a restart automatically revoked tokens. This has been fixed.

UAA 2.3.1 Release Notes

Features

• Added CSRF checks for form submits in UAA eb40d76
• Improved unit testing speed for MockMvc tests a6109f1
• Added DB index to users.email and not using LOWER function for MySQL (introduced the database.caseinsensitive variable) 781fba0
• Updated README to include information on how to run UAA standalone as a CF app 32955a1
• Implement a revokable, stateless token strategies. Token can be manually revoked for a client or a user, and are automatically revoked if user's email,username or password changes. Tokens for a client are automatically revoked if the client's secret changes. 7b58aac
• Upgraded to MariaDB 1.1.8 JDBC driver 574eae0
• Sample SAML Sign key has 10 year expiry 7c7a82c

Bug Fixes

• uaa doesn't update the correct client ee06e1e

UAA 2.3.0 Release Notes

Features

• Updated Spring Versions:
  Spring 4.1.6.RELEASE,
  Spring Security 4.0.1.RELEASE,
  Spring Security OAuth 2.0.7.RELEASE,
  Apache Tomcat tomcat-jdbc artifact 7.0.61
• Both LDAP and internal user store authentication should be allowed to be set in an enabled state in an Identity Zone
• Hide Create Account and Reset Password link if client is not associated with internal user store authentication