UAA 2.7.2

Features

• The password_resets endpoint now takes optional client_id and redirect_uri parameters and returns the user id and verification code in the response.
• SAML authentication failures now show error messages instead of losing all context.
• UAA SAML Auth now supports NameIDs other than email.
• LDAP role/group memberships exposed in OpenID Connect JWT.
  • attributeMappings (map UAA scopes to LDAP roles) and externalGroupsWhitelist (external groups allowed to populate token) properties added
• allowUnverifiedUsers flag only affects default zone. Other zones do not allow unverified users and are not affected by the flag.
• Retain client context when user clicks on "Reset password", as long as their browser session remains intact.
• /password_change endpoint now returns an autologin code. This code can be used to hit /autologin which logs the user in and redirects to the saved request (if any).
• Introduced a uaa.jwt.claims.exclude property that allows excluding claims from the JWT obtained via client credentials.
• Users in the default zone can manage other zones using the subdomain, using the X-Identity-Zone-Subdomain header.
• The /check_token endpoint now makes sure that the scopes and authorities in the token are still valid.
• Add support for inviting users whose username is not the same as their email in an external user store.
  • SAML
  • LDAP
• UAA doesn't require SAML cert and key if SAML is not being used.
• Access token and refresh token expiry configurable globally per zone.
  • will be used if client does not have these properties set
• requestsSigned and wantAssertionSigned SAML properties exposed per zone in SamlConfig.

Bug Fixes

• Hitting the /password_change API endpoint with an invalid/expired code now returns an error message instead of a 500.
• If an unverified user tries to log in and unverified users are not allowed, a verification email is not resent. Instead, users are expected to create a new account or reset their password.
• Token permissions are now validated by checking the scopes instead of authorities.
  • Note: uaa.admin or clients.admin scope must be requested if clients wish to be able to change other client's secrets.

Backwards Incompatible

• Disabling self-service links doesn't remove links from /info or /login JSON responses.
  • /info endpoint now returns Map<String,String[]> prompt instead of List<Map<String,String[]>>