
Release notes 12.x versions

12.20.8

Bug fixes

  • The cascade events removal migration introduced in version 12.20.4 has been retracted because of its long execution time.

12.20.7

Improvement

  • We added the optional azp claim to the ID Token.

12.20.6

Bug fixes

  • Log levels were not being respected by configuration. This is now fixed.
  • Removed some details from specific events.

12.20.5

Improvement

  • Updated refresh token validity labels in the Admin UI.

Bug fix

  • Starting in version 12.20.4, authentication requests that specified prompt=none (also used by the mobile SDK) did not succeed. This is now fixed.

12.20.4

Improvements

  • Removed internal task scheduler.
  • Allow cascade events removal.

Bug fix

  • Resolved an issue where the auth_time was not updated after re-authentication based on the max_age parameter.
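The relying-party side of the two claims mentioned in these notes, the optional azp claim (12.20.7) and auth_time against max_age (12.20.4), as an added example that is not Onegini code. The rules follow OpenID Connect Core 1.0 (ID Token validation); function names and the sample claim set are this example's own. A server that did not refresh auth_time after re-authentication, the bug fixed here, is exactly what the max_age check below would reject.

```python
"""Relying-party checks on ID Token claims: azp and auth_time/max_age.
Added example (not Onegini code); rules from OpenID Connect Core 1.0."""
import time


class IdTokenError(ValueError):
    """Raised when the ID Token must be rejected."""


def check_azp(claims, client_id):
    """aud must contain our client_id. With multiple audiences azp is
    required, and whenever azp is present it must equal our client_id."""
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError("aud does not contain our client_id")
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        raise IdTokenError("multiple audiences but no azp claim")
    if azp is not None and azp != client_id:
        raise IdTokenError("azp does not match our client_id")


def check_auth_time(claims, max_age=None, now=None):
    """When the request carried max_age, auth_time is required and the
    authentication must be no older than max_age seconds."""
    if max_age is None:
        return
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int):
        raise IdTokenError("max_age requested but auth_time missing")
    if now - auth_time > max_age:
        raise IdTokenError("authentication older than max_age; re-authenticate")


def validate_id_token_claims(claims, client_id, max_age=None, now=None):
    """True when both checks pass; raises IdTokenError otherwise."""
    check_azp(claims, client_id)
    check_auth_time(claims, max_age, now)
    return True


# Constructed sample: two audiences, authenticated at a fixed epoch second.
SAMPLE = {"iss": "https://op.example", "sub": "u1", "aud": ["rp-a", "rp-b"],
          "azp": "rp-a", "auth_time": 1_700_000_000, "exp": 1_700_003_600}
```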

12.20.3

Bug fix

  • We have fixed a periodic connectivity issue that was causing the SAML ECP binding to fail.

12.20.2

Bug fix

  • We have fixed a regression issue in the Mobile Authentication functionality for iOS devices.

12.20.1

Improvement

  • Extended application logging around UserInfo API endpoint.

12.20.0

Improvements

  • Removed support for the deprecated algorithms RSA1_5 and RSA_OAEP.
  • We introduced a v2 of the token introspection endpoint to comply with RFC 7662 for the exp attribute.
  • We introduced a new event type TOKEN REQUEST INVALID PKCE VERIFIER that is triggered if the PKCE validation fails.
  • The client_id is now added to all Custom registration events.

Bug fixes

  • The UI blocked the combination of private key JWT authentication with the client_credentials grant type for clients. This bug has been fixed.
  • Mobile push message capabilities will now be removed when a user removes their last mobile device.

12.19.3

Bug fix

  • We fixed an issue where the Token Server accepted a DCR response without a challenge response.

12.19.2

Bug fix

  • Token Server failed to start on Redis Sentinel due to missing configuration.

12.19.1

Bug fix

  • The Token Server test client failed to execute requests because of some missing dependencies.

12.19.0

Improvements

  • Added a new database index on the clients table. Please refer to the upgrade instructions for more information.
  • Improved the caching performance of the application_properties table.

12.18.2

Improvement

  • The admin panel can now filter events on the activity tab down to seconds instead of minutes.

12.18.1

Bug fix

  • Respect the specified clock skew of 5 minutes when parsing the software statement given by the client.

12.18.0

Improvement

  • Upgraded to the newest version of the crypto-js library, which is used in the check-session.html template. See the upgrade instructions for more information.

Bug fix

  • The Onegini Token Server will gracefully handle client requests attempting to execute the migration flow multiple times.

12.17.7

Improvement

  • We added the possibility to set the X-Frame-Options header in the response with the property token.server.engine.security.xFrameOptions or the environment variable TOKEN_SERVER_ENGINE_SECURITY_X_FRAME_OPTIONS. More information can be found in the documentation.

Bug fix

  • We have fixed a crash that occurred when the application read non-existent data from Redis.

12.17.6

Bug fixes

  • The application version shown in the admin panel now corresponds to the current version of the application.
  • We have fixed the JWT Access Token consumption in the KeyEnrollment v3 and PushEnrollment v3 APIs. In some situations, an access token of type JWT was treated as invalid.

12.17.5

Improvements

  • Improved the performance of loading the data for the Activity tab.
  • Made the integration with Redis cache more resilient.

Bug fixes

  • The Onegini Token Server read the connection timeouts for the API client incorrectly, which caused an unexpected resource drain.
  • When performing API calls towards /api/v1/configuration/applications/{app_id}/platforms/{platform}/versions using the GET or PATCH methods, a trailing "/" at the end of the URL is no longer required.

12.17.4

Bug fix

  • We have fixed the issue with updating a signature of the mobile application platform via the Rest API endpoint.

12.17.3

Bug fix

  • We have fixed the issue with updating a signature to the mobile application platform via the Rest API endpoint.

12.17.2

Security Issue Fix

  • Fixed CVE-2021-44228 by removing Log4J in favour of default Logback.

12.17.1

Improvements

  • Some of the properties related to communication resiliency have been renamed. See the upgrade instructions for more information.
  • Improved resiliency of the APNs client.

12.17.0

Improvement

  • Extended the supported Redis Cache integrations.

Bug fix

  • Fixed an issue preventing the OPENID_TOKEN_ENCRYPTION_BAD_JWKS_URI event from being sent when the JWKS URI configuration was invalid.

12.16.4

Bug fix

  • Mobile applications that use Payload Encryption could not update to a newer version. This has been fixed.

12.16.1

Feature

  • Improved the integrity check for mobile apps. This improved integrity check is required for new mobile apps introduced to the Google Play Store after August 1st, 2021. The existing apps, both running on Android and iOS, will continue to work without any changes. Still, it is recommended to plan an update of the Onegini SDK and use the improved integrity check.

12.15.0

Feature

12.14.1

Bug fix

  • Some users could face an issue in the first phase of the authorization process related to how the state was preserved on the client-side (cookies). The problem is fixed. For more information, please refer to the upgrade instructions.

12.13.0

Feature

Improvement

  • The process of registering a new mobile application requires both parties, the device and the server, to have their time/date settings set correctly. Some users explicitly modify their device time, which prevents them from successfully finishing the onboarding process. To improve the user experience, the Onegini Token Server now handles such situations more gracefully by detecting clock skew and informing the client about the root cause of the rejection.

12.12.1

Bug fixes

  • API client configurations could not be saved in a Microsoft SQL Server database. This has been fixed.
  • When Cross-Origin Resource Sharing (CORS) was enabled without specifying allowed origins, requests were rejected by some browsers. This has been fixed.

12.12.0

Improvement

  • When sending a push message to an iOS device fails, the underlying cause is now logged with events.

Bug fixes

  • Mobile apps could not upgrade from Security Controls v1 to v2 when tampering protection was enabled for the old version. This has been fixed.
  • After passing custom registration, no ID Token was issued to OpenID Connect clients. This has been fixed.

12.11.0

Features

  • Mobile applications can now configure additional redirect URLs.
  • The Onegini Token Server now includes more information about the reason for rejecting an Access Token.

12.10.0

Features

  • OpenID Connect session management has been updated to be compliant with draft version 30 of its specification.
  • The events API now returns the name of the Application or Web client with new events.
  • Cordova apps on Android that use cordova-plugin-push to receive push notifications require the push message in a specific format. The Onegini Token Server will now send push notifications in this format when the app version configuration indicates that the app is built with Cordova.

12.9.0

Feature

  • Within Onegini CIM the user data can be stored in different partitions. When the Onegini Token Server requests user data, it can pass the specific partition with the request.

Bug fix

  • When incorrect credentials were provided with the Resource Owner Password Credentials flow, the Onegini Token Server returned an incorrect error response with internal_server_error. This has been fixed to return an error response with invalid_grant.

12.8.0

Feature

  • Relying Parties can now request the Identity Assurance Level (IAL) from the Onegini Token Server when initiating the authorization. The IAL conveys the degree of confidence (Assurance) that the user's claimed identity is their real identity.
  • Until now, the Payload Encryption functionality could only be set during the Application Version configuration phase (prior to any actual mobile application registrations). The Onegini Token Server now allows administrators to change this property value at any time, provided that the mobile applications referring to it use the private key JWT client authentication method.

Bug fix

  • The Onegini Token Server was incorrectly attempting to decrypt the incoming SAML Assertion in case the encryption credentials were available, but the Assertion was not actually encrypted.

12.7.0

Feature

Bug fix

  • JSON Web Keys API calls made by the Onegini Token Server could cause the Onegini Token Server to become less responsive when the endpoints are unavailable or take a long time to respond. These API calls are made when using private key JWT authentication. This has been fixed by adding read and connection timeouts.

12.6.0

Bug fixes

  • The nonce value was being lost when the consent page was shown during OpenID Connect flows. It should now be returned in the id_token as expected. Please review the upgrade instructions related to the changes in templates.
  • Users using separate clients will no longer be logged out from all Identity Providers in the session when logging out from one.

Improvement

12.5.0

Bug fixes

  • Push messages for mobile authentication could not be sent to iOS devices. This has been fixed. Android devices were not affected.
  • Mobile app version configurations could not be saved when using an Oracle database. This has been fixed.

Improvements

  • Private key JWT has been added as an authentication method for OAuth and API endpoints.
  • A new version of the Device API returns more information about the devices of an end-user. The response now contains the model of the device and its version of the operating system.

12.4.1

Bug fix

  • The event log in the admin console now shows data only on a need-to-know basis. The existing configuration has been updated so that previously shown data can no longer be used.

12.4.0

Improvements

  • It is now possible to configure an alphanumeric SMS Sender ID when sending SMS messages during mobile authentication. Not all countries support alphanumeric sender IDs: for example, Belgium does not support them, but the Netherlands does. You can now configure the Token Server in such a way that Belgian customers get an SMS from a Belgian phone number while your Dutch customers get an SMS message with an alphanumeric sender ID, e.g. "Onegini".
  • The documentation now explains how you can lower the risk your end-users get phished while entering an SMS code on your website and improve the usability at the same time.

Bug fixes

  • The Onegini Security Proxy blocked requests to some Onegini Token Server endpoints because the Payload Encryption policy status could not be resolved for all clients. The OIDC User info endpoint was one of the affected endpoints.

12.3.0

Features

  • Onegini CIM can store custom attributes and return them in the Person API or as part of SAML claims. The Onegini Token Server is consuming these custom attributes and returning them in the ID token and token introspection response. This release adds support for custom attributes with type object. Previously, a custom attribute could only contain a single string value. Now, a custom attribute can contain a multivalue attribute in JSON. This is helpful when you want to have a (simple) group setup or a collection of values.

Improvements

  • Extended the OIDC session management documentation by documenting the restrictions.

Bug fixes

  • If you wanted to use the “staat der Nederlanden Root CA-G3” TLS certificate, you had to make it work by creating a custom keystore. We are now basing our Docker images on the official library/openjdk images, which do include this root CA in the default truststore. So, there is no need to create the custom keystore anymore.

12.2.0

Features

  • Introduced a new Security Controls protocol. This makes client registration and authentication for mobile applications that use the Onegini SDK faster, easier and more secure. It also improves the Payload Encryption mechanism by using the latest technologies. The new Security Controls will be used after upgrading to the latest mobile SDK, which will be available soon!

Improvements

  • Added support for the Azure AD IdP using the SAML protocol.

Bug fixes

  • When an exception occurred in the SAML login flow, and the user was redirected back to the client with an error, the exception was not logged.
  • Loading the error template caused a Hibernate lazy initialization exception in some cases.

12.1.2

Improvements

  • The Onegini Token Server sets cookies for the authorization flow when it redirects to a SAML or OAuth identity provider to sign in. Some browsers do not store these cookies during the redirect. Without cookies the customer cannot sign in. The Onegini Token Server can now show a page to set the cookies. This page will send the customer automatically to the login page, but it can and probably will be visible for a short period. This step was introduced to ensure that the cookies for the Onegini Token Server will be set correctly. This page is optional and is disabled by default. Enable this page with the environment variable AUTHENTICATION_FLOW_RENDER_PAGE_BEFORE_REDIRECT_TO_IDP=true.
  • With some SAML identity providers, login could fail because there was no support for the element NameIDPolicy. This has been improved. From now on, the optional element NameIDPolicy will be included in authentication requests towards SAML identity providers depending on conditions in the SAML identity provider configuration.

Bug fixes

  • Logout could fail when multiple SAML identity providers were configured in the Onegini Token Server. This has been fixed.

12.1.0

Features

  • In Onegini Token Server version 11.0.0, the support for Microsoft SQL Server and Oracle databases had been removed. This support has been restored: the Onegini Token Server can use Microsoft SQL Server or Oracle for storage again. Refer to the upgrade instructions.

Bug fixes

  • The Onegini Token Server could return an error. This has been fixed and may require an upgrade of Redis. The error occurred under the following conditions:
    1. a mobile app had obtained an access token via a previously issued refresh token
    2. the mobile app fetched data via multiple calls to its resource gateway within a very short time frame
    3. the resource gateway requested token introspection for each of these calls, again within a very short time frame
  • In authentication requests towards SAML identity providers, the element NameIDPolicy contained an attribute SPNameQualifier. Login failed with some SAML identity providers because this attribute should not be present for requests from the Onegini Token Server. This problem has been solved: the attribute SPNameQualifier is no longer sent with SAML authentication requests.
  • When the authentication failed at a SAML identity provider, the Onegini Token Server did not return the underlying error cause to the OAuth client. This has been solved: the underlying error cause is now returned to the client.
  • When Bearer authentication was used with an invalid or expired token, the response header WWW-Authenticate did not contain error information as specified in RFC 6750, section 3. This has been fixed by adding the error information to the WWW-Authenticate header.
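The WWW-Authenticate behaviour described in the last item, as an added example that is not Onegini code: one function emits the RFC 6750 section 3 challenge a resource server should return for a rejected bearer token, and another checks whether a 401 response already carries the error attribute (the shape before and after this fix). Function names, the realm value and the sample headers are this example's own.

```python
"""RFC 6750 section 3 Bearer challenges: build one, parse one, check one.
Added example (not Onegini code)."""
import re

# auth-param as  name="quoted-string"  (backslash escapes allowed inside)
_AUTH_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_ERROR_CODES = {"invalid_request", "invalid_token", "insufficient_scope"}


def build_bearer_challenge(error, description=None, realm="api", scope=None):
    """Header value for a request that presented a bad token. RFC 6750 §3.1
    defines exactly three error codes; all attribute values are quoted."""
    if error not in _ERROR_CODES:
        raise ValueError("unknown RFC 6750 error code: " + error)
    parts = ['realm="%s"' % realm, 'error="%s"' % error]
    if description:
        escaped = description.replace("\\", "\\\\").replace('"', '\\"')
        parts.append('error_description="%s"' % escaped)
    if scope:
        parts.append('scope="%s"' % scope)
    return "Bearer " + ", ".join(parts)


def parse_bearer_challenge(header):
    """Dict of auth-params from a Bearer challenge, or None if it is not one."""
    if not header or not header.startswith("Bearer"):
        return None
    body = header[len("Bearer"):]
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _AUTH_PARAM.findall(body)}


def check_bearer_challenge(status, header):
    """True when a 401 for a rejected token explains why (error attribute),
    which RFC 6750 §3 requires once a token was actually presented."""
    params = parse_bearer_challenge(header)
    return status == 401 and params is not None and "error" in params


# Constructed headers: the pre-fix shape (no error info) and the fixed shape.
BEFORE_FIX = 'Bearer realm="api"'
AFTER_FIX = build_bearer_challenge("invalid_token", "The access token expired")
```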

12.0.0

Improvements

  • Added backwards compatibility support for the browsers that are not handling the SameSite cookies (e.g. Safari running on iOS 12). Refer to the upgrade instructions for the OpenID Connect session iframe.
  • Users get an improved single sign on experience when multiple OpenID Connect Relying Parties connect to a single Onegini CIM or other kind of SAML identity provider via the Onegini Token Server.
  • The test client now fetches resources directly via the browser. This is a more realistic test scenario for single page apps.

Bug fixes

  • When the person API of Onegini CIM was called and it returned an attribute without a value, the Onegini Token Server would throw an error. This has been fixed.
  • The test client could expose arbitrary endpoints of an internal network to the outside world. The test client is now restricted to access preconfigured endpoints only.
  • When an OpenID Connect relying party performed an authentication request with prompt=none, the Onegini Token Server did not always comply to the OpenID Connect specification. This has been fixed. Refer to the upgrade instructions for the impact on error handling.