Release notes 10.x versions
10.2.0
Feature
Bug fixes
- Fixed a typo in the OpenID Connect Discovery API for the key id_token_signing_alg_values.
- The openid scope can no longer be edited or deleted via the Admin console.
10.1.1
Improvement
Bug fix
- Fixed a race condition that could occur during the startup of the Admin console.
10.1.0
Features
Improvement
- App to Web SSO uses the new dedicated App to Web action token in Onegini CIM.
Bug fixes
- Fixed compatibility issues with the APNs push library.
- Upgraded third-party libraries with known vulnerabilities.
10.0.1
Improvements
Bug fixes
- Fixed configuration issue with in-memory password authentication after Spring Boot 2 upgrade.
10.0.0
Features
Improvements
- Zip archives loaded into the system are checked against the most common vulnerabilities.
- SAML signature and encryption can be configured with PEM encoded PKCS #8 RSA keys.
- Added support for PEM encoded PKCS #8 RSA keys in the certificate configuration of a SAML Identity provider.
- SAML IdP Metadata URI cache TTL can be configured.
- The Application identifier is added to the response for available authentication options for a user.
- Token Introspection will include updated Person API details if the User Info endpoint is configured.
- Added bulk delete support to the Device API when using a list of device identifiers.
- Templates have been migrated to Thymeleaf 3.0.
- Locale can be passed to Onegini CIM.
- Upgraded to Spring Boot 2.
- Switched to OpenJDK 11 in Docker images.
- UX improvements in the Admin console.
- Application Property changes via the Admin console no longer require the Onegini Token Server(s) to restart for changes to take effect.
- Some of the caches can be cleared from the Admin console.
- Added support for acr_values with OpenID Connect.
Bug fixes
- Specifying an Identity Provider (IdP) in the Authorization flow now works as expected.
- SAML SP will check the IdP's capabilities when choosing the binding protocol.
- Admin/Config API list response is aligned with the documentation.
- Authentication Level is properly passed back in user details when using the ROPC grant type.
- Mobile Auth v4 with push allows for SMS fallback when no device_id is provided.
- API exceptions will no longer return HTML in some situations.
- Minor JavaScript issues have been fixed in the Admin console.
- Refresh Token exchange is more reliable for mobile applications.