76.25.0

What's Changed

• build(deps): bump commons-io:commons-io from 2.14.0 to 2.15.0 by @dependabot in #2579
• build(deps): bump github.com/onsi/gomega from 1.28.1 to 1.29.0 in /k8s by @dependabot in #2578
• build(deps): bump org.apache.commons:commons-text from 1.10.0 to 1.11.0 by @dependabot in #2582
• update dependency middleman to v4.5.1 by @strehle in #2580

Full Changelog: v76.24.0...v76.25.0

76.24.0

What's Changed

Remarks

• The versions 76.22.0 and 76.23.0 contain a regression regarding the empty secret change. If you need to have an empty secret in your clients and you create them later via REST calls, use this version.
• This version was created with Java 17

Regression Fix

• validate secrets only with text by @strehle in #2574

Feature

• feature: add client_auth_method=none into tokens for clients with empty secret by @strehle in #2504

Misc

• fix: java version requirement in README by @peterhaochen47 in #2563
• fix flaky test by @strehle in #2565
• fix: unnecessary method call by @klaus-sap in #2549
• sonar fix by @strehle in #2526
• documentation: update system admin guide by @strehle in #2520
• doc: announcement for private_key_jwt by @strehle in #2551

Dependency Bumps

• Bump: Java version to 17 by @peterhaochen47 in #2562
• build(deps): bump github.com/onsi/gomega from 1.28.0 to 1.28.1 in /k8s by @dependabot in #2568
• build(deps): bump org.apache.directory.server:apacheds-protocol-ldap from 2.0.0.AM26 to 2.0.0.AM27 by @dependabot in #2567

Full Changelog: v76.23.0...v76.24.0

76.23.0

What's Changed

Experimental Feature

Client Authentication with JWT assertions, Howto

Features

• feature: add runtime support for private_key_jwt client authentication by @strehle in #2507
• feature: add change size to pull request by @bruce-ricard in #2546
• feature: enhance well-known and document private_key_jwt parameters in rest API by @strehle in #2509

Fixes

• fix sonar findings by @strehle in #2528
• fix sonar finding: duplicate string literals by @klaus-sap in #2531
• fix sonar issue: Utility classes should not have public constructors by @klaus-sap in #2533
• fix sonar findings by @strehle in #2527
• Bump org.json:json from 20230618 to 20231013 , fixes CVE-2023-5072 by @dependabot in #2544

Misc

• Make it easier to find test failures in CI output by @swalchemist in #2511
• test: Add Client Authentication Integration Tests by @strehle in #2508

Dependency Bumps

• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.35 to 9.36 by @dependabot in #2529
• build(deps): bump versions.guavaVersion from 32.1.2-jre to 32.1.3-jre by @dependabot in #2534
• build(deps): bump org.apache.directory.api:api-ldap-model from 2.1.4 to 2.1.5 by @dependabot in #2536
• build(deps): bump golang.org/x/net from 0.14.0 to 0.17.0 in /k8s by @dependabot in #2538
• build(deps): bump versions.tomcatCargoVersion from 9.0.80 to 9.0.82 by @dependabot in #2540
• Bump jackson version 2.15.2 to 2.15.3, #2541
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.36 to 9.37 by @dependabot in #2548
• build(deps): bump k8s.io/client-go from 0.28.2 to 0.28.3 in /k8s by @dependabot in #2555
• build(deps): bump versions.springBootVersion from 2.7.16 to 2.7.17 by @dependabot in #2553
• build(deps): bump org.apache.santuario:xmlsec from 3.0.2 to 4.0.0 by @dependabot in #2554

Full Changelog: v76.22.0...v76.23.0

76.22.0

What's Changed

Features

• feature: allow setting SameSite on X-Uaa-Csrf cookie by @mikeroda in #2439
• feature: add persistence support for private_key_jwt client authentication by @strehle in #2449

Fixes

• fix: Flaky test by @strehle in #2491
• fix: do not default a missing secret to an empty one by @strehle in #2455
• fix: missing shebang by @bruce-ricard in #2497
• fix: ClientAdminEndpointsValidator should allow authorization_code with empty secret by @strehle in #2461
• fix: json syntax error by @peterhaochen47 in #2521

Misc

• Page object refactoring for two additional tests by @swalchemist in #2490
• Passcode test refactor by @swalchemist in #2501
• test clean-up: switch back to using standard simplesamlPHP server URL by @peterhaochen47 in #2516
• delete unused pom.xml by @swalchemist in #2519
• refactor: use page objects for favicon test by @swalchemist in #2498

Dependency Bumps

• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.32 to 9.34 by @dependabot in #2489
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.34 to 9.35 by @dependabot in #2492
• update module github.com/onsi/ginkgo/v2 to v2.12.1 by @strehle in #2494
• build(deps): bump versions.springBootVersion from 2.7.15 to 2.7.16 by @dependabot in #2495
• build(deps): bump org.passay:passay from 1.6.3 to 1.6.4 by @dependabot in #2499
• build(deps): bump versions.seleniumVersion from 4.12.1 to 4.13.0 by @dependabot in #2502
• build(deps): bump github.com/onsi/gomega from 1.27.10 to 1.28.0 in /k8s by @dependabot in #2510
• build(deps): bump commons-io:commons-io from 2.13.0 to 2.14.0 by @dependabot in #2512
• Upgrade to be compatible with simplesamlphp v2 by @bruce-ricard in #2506
• Bump dependency org.gradle:test-retry-gradle-plugin to v1.5.6 by @strehle in #2518
• build: change sonar runner to java 17 by @strehle in #2513
• build(deps-dev): bump open from 0.0.5 to 6.0.0 in /uaa/slate by @dependabot in #2522
• Bump Gradle to 8.4 by @strehle in #2524
• Bump dependencies in package.json of slate (doc) by @strehle in #2525

Full Changelog: v76.21.0...v76.22.0

76.21.0

What's Changed

Features

• feature: activate PKCE by default in requests to external OIDC providers by @strehle in #2448

Fixes

• Fix: UAA login page breaks when the product logo image is over 100000 characters by @Tallicia in #2453

Misc

• Rearchitect two integration tests to use page objects by @swalchemist in #2468
• Refactor: prepare for private_key_jwt in oauth_client_details by @strehle in #2433
• doc: reason for ignoring library bumps by @swalchemist in #2485
• test: Authorization Grant Flow without Redirect URI by @strehle in #2484

Dependency Bumps

• build(deps): bump versions.springBootVersion from 2.7.14 to 2.7.15 by @dependabot in #2450
• bump activesupport from 6.1.7.3 to 6.1.7.5 in #2451
• build(deps): bump jasmine-core from 5.1.0 to 5.1.1 in /uaa by @dependabot in #2457
• build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1 in /k8s by @dependabot in #2460
• build(deps): bump versions.tomcatCargoVersion from 9.0.79 to 9.0.80 by @dependabot in #2462
• build(deps): bump org.apache.directory.api:api-ldap-model from 2.1.3 to 2.1.4 by @dependabot in #2464
• build(deps): bump versions.seleniumVersion from 4.11.0 to 4.12.0 by @dependabot in #2466
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r by @dependabot in #2469
• build(deps): bump versions.seleniumVersion from 4.12.0 to 4.12.1 by @dependabot in #2471
• build(deps): bump actions/checkout from 3 to 4 by @dependabot in #2473
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.6.1.202309021850-r to 6.7.0.202309050840-r by @dependabot in #2475
• Bump Gradle to 8.3 by @strehle in #2476
• update dependency org.gradle:test-retry-gradle-plugin to v1.5.4 by @strehle in #2479
• Bump mariadb from 2.7.9 to 2.7.10 by @strehle in #2478
• Bump gradle plugins by @strehle in #2480
• Bump SnakeYaml from 2.0 to 2.2 by @strehle in #2481
• update dependency org.gradle:test-retry-gradle-plugin to v1.5.5 by @strehle in #2482
• Go 1.21 by @swalchemist in #2483
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.31 to 9.32 by @dependabot in #2487
• k8s updates, k8s.io 0.28.1 to 0.28.2 by @strehle in #2488

Full Changelog: v76.20.0...v76.21.0

76.20.0

What's Changed

Features

• Added log tracing using B3 headers so transactions between TAS components will use the same trace ID, in #2446. Log file parsers might need to be updated to reflect this addition to the logs. In the example below, - [ebf4f18ff75a4cfc64a70c2de8ff493b,64a70c2de8ff493b] is the part that is added:

[2023-08-16T00:56:46.060135Z] uaa - 13 [https-jsse-nio-8443-exec-1] - [ebf4f18ff75a4cfc64a70c2de8ff493b,64a70c2de8ff493b] .... DEBUG --- UaaMetricsFilter: Successfully matched URI: /oauth/token to a group: /oauth-oidc

In some cases, the trace and span IDs will be blank:

[2023-08-17T01:53:42.790149Z] uaa/uaa - 17490 [main] - [,] .... INFO --- SpringSecurityCoreVersion: You are running with Spring Security Core 5.7.10

Fixes

• Move refresh rotate check to refresh flow in #2437

Full Changelog: v76.19.0...v76.20.0

76.19.0

What's Changed

Dependency Bumps

• build(deps): bump com.google.zxing:javase from 3.5.1 to 3.5.2 by @dependabot in #2426
• build(deps): bump versions.bouncyCastleVersion from 1.75 to 1.76 by @dependabot in #2425
• build(deps): bump versions.guavaVersion from 32.1.1-jre to 32.1.2-jre by @dependabot in #2429
• build(deps): bump versions.seleniumVersion from 4.10.0 to 4.11.0 by @dependabot in #2428
• fix: update k8s to go 1.20 by @Tallicia in #2432
• Bump hsqldb version 2.7.1 to 2.7.2 by @strehle in #2436
• build(deps): bump versions.tomcatCargoVersion from 9.0.78 to 9.0.79 by @dependabot in #2442
• build(deps): bump k8s.io/apimachinery from 0.27.4 to 0.28.0 in /k8s by @dependabot in #2443
• build(deps): bump k8s.io/client-go from 0.27.4 to 0.28.0 in /k8s by @dependabot in #2444

Misc

• integrationTest: Add IT for user_token grant variants by @strehle in #2194
• fix: Dependabot can't authenticate to the private package registry ht… by @hsinn0 in #2434

Full Changelog: v76.18.0...v76.19.0

76.18.0

What's Changed

Fixes

• UAA startup if postgresql is used for session store in #2414
• Expired X509 certificates should be ignored for JWT usage in #2423

Features

• Allow refresh flow for public usages in #2402
• Use custom key in private_key_jwt towards OAuth2/OIDC IdP in #2420

Dependency Bumps

• build(deps): bump jasmine-core from 5.0.1 to 5.1.0 in /uaa by @dependabot in #2418
• build(deps): bump github.com/onsi/gomega from 1.27.8 to 1.27.9 in /k8s by @dependabot in #2419
• build(deps): bump jasmine from 4.6.0 to 5.1.0 in /uaa by @dependabot in #2417
• build(deps): bump github.com/onsi/gomega from 1.27.9 to 1.27.10 in /k8s by @dependabot in #2421
• Gradle to 8.2.1

Misc

• Delete unused script & dockerfile by @peterhaochen47 in #2422
• Change default of refresh token format by @strehle in #2406
• uaa-ci: use RS256 key as default by @strehle in #2405

Full Changelog: v76.17.0...v76.18.0

76.17.0

What's Changed

Fixes

• fix: Skip reset password requests with HEAD method (#2381) by @jbilandzija in #2389
• fix: Handle verify user requests with HEAD method by @jbilandzija in #2392
• fix: make kill more reliable by @swalchemist in #2347

Features

• feature: Store client authentication method in JWT by @strehle in #2385
• feature: Allow sending static key/value pairs to the configured IdP by @strehle in #2397

Dependency Bumps

• build(deps): bump versions.guavaVersion from 32.1.0-jre to 32.1.1-jre by @dependabot in #2393
• Bump Gradle to 8.2 by @strehle in #2396
• build(deps): bump versions.tomcatCargoVersion from 9.0.76 to 9.0.78 by @dependabot in #2400
• build(deps): bump versions.springBootVersion from 2.7.13 to 2.7.14 by @dependabot in #2409
• build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4 in /k8s by @dependabot in #2411

Misc

• Extend test coverage in OauthIDPWrapperFactoryBean by @strehle in #2399
• Add Introspection Claims Test by @strehle in #2404
• internal tests only: define more values in uaa.yml by @strehle in #2403
• Refactor: Add Instant to TimeService interface and use TimeService in UaaTokenStore by @strehle in #2315

New Contributors

• @jbilandzija made their first contribution in #2389

Full Changelog: v76.16.0...v76.17.0

76.16.0

Test ONLY

• No need to consume it but created because of pipeline fixes

Full Changelog: v76.15.0...v76.16.0