Release notes 3.x versions

3.17.05

Bug fixes

  • Allow users with the operator role to export the application config.

3.17.04

Bug fixes

  • Accept header is required on the SMS validation endpoint.
  • Upgrading from a non-tampering-protected version to a tampering-protected version, or vice versa, was not possible.

3.17.03

Bug fixes

  • For MS SQL Server installations the authorization properties fallback cannot be null.

3.17.02

Bug fixes

  • Potential deadlock in MS SQL Server when deleting a device via the end user API.

3.17.01

Bug fixes

  • Issue with loading Oracle DB migration 3.15.01 due to a disallowed conversion from BLOB to CLOB.

3.17.00

Features

  • Out-of-order DB migrations can be applied using Flyway when this is enabled.
  • Endpoint to list the available mobile authentication profiles for a user.
  • Additional OAuth IdP events logged for several error flows.

Bug fixes

  • SDK user agent strings in events were not parsed.
  • OAuth IdP secret was visible in event details.
  • Mobile authentication not disabled when revoking a user from a device with multiple profiles via the device end user API.
  • Profile listing for clients with an anonymous access token contained null.

3.16.00

Features

  • Optional mobile authentication callback whitelist
  • Optional basic authentication on mobile authentication callback
  • Accordion in admin console user view replaced by tabs
  • Possibility to see and revoke mobile authentication for a user in admin panel user view
  • User id in events table links to user view in admin panel
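The two callback hardening options above (a whitelist of allowed callback URLs and optional Basic authentication on the callback) are described only by name in these release notes. The following is an added example, not code from the Onegini Token Server, showing the two checks a practitioner would want on each side: a URL allowlist check that rejects non-HTTPS targets, embedded credentials and look-alike hosts, and a receiver-side Basic auth verification using a constant-time comparison. The whitelist entries, credentials and header format are constructed for the example; the Token Server's actual configuration format is not defined on this page.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed values: illustrative only, not the Token Server's configuration.
CALLBACK_WHITELIST = ("https://callbacks.example.com/", "https://mobile-auth.example.org/push/")
CALLBACK_USER = "tokenserver"
CALLBACK_PASSWORD = "s3cret-callback-password"  # constructed; load from a secret store in practice


def callback_url_allowed(url, whitelist=CALLBACK_WHITELIST):
    """True only if url is https, carries no userinfo, and sits under a whitelisted base URL.

    Matching is done on parsed host, port and path (at a path boundary), never on a raw
    string prefix, so 'callbacks.example.com.evil.net' and 'user@evil.net' tricks fail."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password or not parts.hostname:
        return False
    for base in whitelist:
        b = urlsplit(base)
        if parts.hostname != b.hostname or (parts.port or 443) != (b.port or 443):
            continue
        base_dir = b.path if b.path.endswith("/") else b.path + "/"
        if parts.path == b.path.rstrip("/") or parts.path.startswith(base_dir):
            return True
    return False


def build_basic_header(user, password):
    """Build the Authorization header value the caller would send (RFC 7617 'Basic')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def basic_auth_ok(authorization_header, user=CALLBACK_USER, password=CALLBACK_PASSWORD):
    """Verify an incoming 'Authorization: Basic ...' header on the callback receiver.

    Rejects missing/other schemes and malformed base64; compares user:password with
    hmac.compare_digest so the check does not leak timing information."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_pw = decoded.partition(":")
    if not sep:
        return False
    expected = f"{user}:{password}".encode("utf-8")
    return hmac.compare_digest(f"{got_user}:{got_pw}".encode("utf-8"), expected)


if __name__ == "__main__":
    for candidate in ("https://callbacks.example.com/notify",
                      "https://callbacks.example.com.evil.net/notify",
                      "https://callbacks.example.com@evil.net/notify"):
        print(candidate, "->", callback_url_allowed(candidate))
    print(basic_auth_ok(build_basic_header(CALLBACK_USER, CALLBACK_PASSWORD)))
```

The allowlist check belongs wherever the callback target is configured or dispatched; the Basic auth check belongs in the customer's callback receiver, which should return 401 (not a detailed error) when it fails.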

Bug fixes

  • Exception shown in log files when no mobile authentication properties are set
  • Mobile authentication initialization fails when the primary authorization properties are not available but the fallback is

3.15.00

Features

  • Added a new graph to the analytics section showing the trend in unique enrolled users
  • Added new identity provider type: OAUTH

3.14.00

Features

  • Device end user api extended with mobile authentication, fingerprint and multi profile support

Bug fixes

  • Callback performed on exceeding max attempts on mobile authentication via SMS

3.13.00

Features

  • Multiple profile support
  • PGP key size for mobile authentication increased to 2048 bits

Bug fixes

  • Non-unique issue on the access token table in MSSQL
  • NullPointerException in client credential token validation
  • Unable to delete a scope while it is used as default scope
  • iOS OS version validation failure due to invalid property value format

3.12.00

Features

  • Support of custom SMS gateway using REST.

Documentation

  • New documentation setup based on topic guides to help administrators execute common tasks (e.g. OS based forced upgrade)

3.11.00

Features

  • Client config is merged into the client validation endpoint, so the client receives the config object in the response after successful validation. Usage of the config endpoint is deprecated.
  • Certificate format validation and use of the real certificate dates when using the certificate store in the admin console.

Bug fixes

  • Internal server error when the client secret has an invalid length and tampering detection is enabled.

Documentation

  • New documentation setup based on topic guides to help administrators execute common tasks
  • Automatically generated list of third-party licenses used in Token Server Project included in documentation

3.10.00

Features

  • User disconnected on too many wrong PIN attempts via push with PIN.
  • User disconnected on wrong fingerprint refresh token usage via push with fingerprint.
  • Max allowed attempts of push with PIN aligned with max allowed PIN attempts at login.
  • Possibility to revoke fingerprint via client revoke endpoint.
  • Added max allowed PIN attempts and redirect URI to the application version export.

Bug fixes

  • Wrong encoding of event details JSON in the event overview of the admin console.
  • Removed possibility to reset wrong PIN usage counter via successful fingerprint login.

3.09.00

Features

  • Certificate repository introduced to manage the certificates used by an application for certificate pinning
  • Web clients are extended with a public base URI
  • A resource gateway can be selected for an application; the resource gateway is one of the available web clients
  • Application delivery lifecycle support added via application config export

Bug fixes

  • Consent cache replication
  • Default consent screen in Chrome

3.08.00

Features

  • API version is introduced, which prevents a client from using deprecated endpoints.
  • The SAML attribute used as user ID can be configured.
  • Push with fingerprint support
  • Mobile authentication encryption improvements via a new endpoint
  • Mobile authentication message signing
  • Select the APNS environment for push instead of setting a URL
  • When a usage limit is set on one of the requested scopes, no refresh token is provided
  • Support for non-persistent consent
  • Additional whitelisted user properties can be set via request params when using the header authenticator
  • Token validation response is enriched with user attributes

Bug fixes

  • Exception when no APNS endpoint is specified

3.07.02

Bug fixes

  • Change keystore location used for encryption in a clustered setup

3.07.01

Bug fixes

  • Adding static client config fails
  • Make end user API compatible with multiple refresh tokens

3.07.00

Features

  • Add support for fingerprint authentication.

Bug fixes

  • DCR fails when no OpenID config is created for the used client.
  • Mobile authentication disabled on logout.

3.06.03

Bug fixes

  • Improve the API error codes returned in the payload encryption policy API.

3.06.02

Bug fixes

  • Improve the payload encryption policy API; return the policy also for static (web) clients.

3.06.01

Bug fixes

  • Improve the payload encryption policy API; return the policy regardless of the app version being disabled or access token being expired.

3.06.00

Bug fixes

  • Validate the application signature correctly when updating an application version that has tampering protection enabled.
  • Following the OTP flow when 2WAYOTP is configured caused an Internal Server Error
  • Fixed OpenID Connect configuration
  • Cache-Control and Pragma headers were duplicated

Features

  • Added verification of mobile client OS version. (OS based forced upgrade)
  • Make client validation more efficient with the optional architecture header
  • Extended the API for Payload Encryption Policy to lookup the policy by access token
  • Extended push transaction event log with available user and client details

3.05.00

Bug fixes

  • Make a clear distinction between Onegini WNS messages and generic ones sent by others.

Features

  • Improved analytics graphs. Added graphs for: response times and error pages.
  • Improved validation of access and refresh tokens.
  • Added configuration to limit supported OS versions.
  • Improved response for Two Way OTP token validation in case of a missing session.
  • Added development mode to skip all application signature checks. Must not be used in production.

3.04.00

Bug fixes

  • Upgrading from a non-tamper-detected version to a tamper-detected version did not work

Features

  • Support for combined architecture secrets for iOS
  • Ability to categorize http requests

3.03.00

Bug fixes

  • Starting over the 2-way OTP did not work correctly

Features

  • Automatically update the database schema using Flyway
  • Add Push authentication support for Windows Phone

3.02.01

Bug fixes

  • Mobile Authentication Enrollment failed when requests were directed to different nodes in the cluster.
  • 405 Method Not Allowed was mapped to a 500 Internal Server Error.
  • Jackson exceptions were returned to the caller.
  • Do not reveal which application server is used in the HTTP response headers.

3.02.00

Features

  • HTTP requests are stored for use in reporting.
  • SMS authentication can be enforced as the last step of the enrollment process.
  • An end user can be forced to upgrade their version of the app by marking an application version as disabled.
  • DCR is disabled when a mobile platform version is disabled.
  • Support for Dynamic Client Upgrade (DCU) in the Token Server.
  • The application version in use by the dynamic client is now tracked when the /client/validate endpoint is called.
    • Deprecated the /validation/client endpoint in favor of /client/validate.
    • The client validation endpoint is able to detect whether a device is being debugged or is jailbroken, based on information in the request.
  • Application versions can be disabled in the DCR and client validation process, and the application version can be upgraded. The following events are introduced:
    • DYNAMIC_REG_VERSION_DISABLED: the version has been disabled.
    • DYNAMIC_REG_NEW_REGISTRATIONS_DISABLED: the version no longer accepts new registrations.
    • CLIENT_VALIDATION_INVALID_HEADER: one or more of the headers used in the client validation process were left out or are invalid.
    • CLIENT_VALIDATION_VERSION_DISABLED: the version in use has been disabled.
    • CLIENT_VALIDATION_DEBUGGER_DETECTED: client validation failed because a debugger was detected attached to the app.
    • CLIENT_VALIDATION_JAILBREAK_DETECTED: client validation failed because the device was detected as jailbroken/rooted.
    • CLIENT_VALIDATION_ABUSE_DETECTED: client validation failed because general abuse on the device was detected.
    • CLIENT_VALIDATION_UPGRADE_INITIALIZED: the dynamic client upgrade process was initiated after client validation detected it was required.
    • DYNAMIC_UP_SUCCESS: the client successfully upgraded to a different mobile platform version.
    • DYNAMIC_UP_FAILED: the client failed to upgrade to a different mobile platform version.
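The client validation and dynamic upgrade events listed above are the signals a security operations team would want to watch, since debugger, jailbreak and abuse detections point at tampered or instrumented clients. The following is an added example, not code from the Onegini Token Server, that triages a constructed event feed using only the event names from this release: it counts integrity failures, disabled-version hits and failed upgrades per client, skips malformed lines, and returns the clients that should be escalated. The record layout (JSON lines with "timestamp", "event" and "client_id" fields) is an assumption for the example; the Token Server's actual event format is not described on this page.

```python
import json
from collections import defaultdict

# Event names taken from the 3.02.00 release notes.
INTEGRITY_EVENTS = {
    "CLIENT_VALIDATION_DEBUGGER_DETECTED",
    "CLIENT_VALIDATION_JAILBREAK_DETECTED",
    "CLIENT_VALIDATION_ABUSE_DETECTED",
}
VERSION_EVENTS = {
    "CLIENT_VALIDATION_VERSION_DISABLED",
    "DYNAMIC_REG_VERSION_DISABLED",
    "DYNAMIC_REG_NEW_REGISTRATIONS_DISABLED",
}
UPGRADE_FAILURE = "DYNAMIC_UP_FAILED"

# Constructed sample feed. The JSON-lines layout and field names are an
# assumption for this example, not the Token Server's event format.
SAMPLE_EVENTS = """\
{"timestamp": "2016-03-01T10:00:00Z", "event": "CLIENT_VALIDATION_VERSION_DISABLED", "client_id": "app-1.0-ios"}
{"timestamp": "2016-03-01T10:00:01Z", "event": "CLIENT_VALIDATION_UPGRADE_INITIALIZED", "client_id": "app-1.0-ios"}
{"timestamp": "2016-03-01T10:00:05Z", "event": "DYNAMIC_UP_SUCCESS", "client_id": "app-1.0-ios"}
{"timestamp": "2016-03-01T10:02:00Z", "event": "CLIENT_VALIDATION_JAILBREAK_DETECTED", "client_id": "app-1.1-android"}
{"timestamp": "2016-03-01T10:02:30Z", "event": "CLIENT_VALIDATION_DEBUGGER_DETECTED", "client_id": "app-1.1-android"}
{"timestamp": "2016-03-01T10:03:00Z", "event": "CLIENT_VALIDATION_INVALID_HEADER", "client_id": "app-1.1-android"}
{"timestamp": "2016-03-01T10:04:00Z", "event": "DYNAMIC_UP_FAILED", "client_id": "app-0.9-ios"}
not a json line
"""


def parse_events(text):
    """Return a list of (timestamp, event, client_id) tuples; malformed or incomplete lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not JSON: log-shipper noise, keep going
        if not isinstance(rec, dict) or "event" not in rec or "client_id" not in rec:
            continue
        records.append((rec.get("timestamp", ""), rec["event"], rec["client_id"]))
    return records


def triage(text):
    """Per-client summary: integrity failures seen, disabled-version hits, failed upgrades, total events."""
    summary = defaultdict(lambda: {"integrity": [], "version": 0, "upgrade_failed": 0, "total": 0})
    for _ts, event, client in parse_events(text):
        entry = summary[client]
        entry["total"] += 1
        if event in INTEGRITY_EVENTS:
            entry["integrity"].append(event)
        elif event in VERSION_EVENTS:
            entry["version"] += 1
        elif event == UPGRADE_FAILURE:
            entry["upgrade_failed"] += 1
    return dict(summary)


def flagged_clients(text):
    """Clients with at least one debugger, jailbreak or abuse detection, sorted for stable output."""
    return sorted(client for client, entry in triage(text).items() if entry["integrity"])


if __name__ == "__main__":
    for client, entry in sorted(triage(SAMPLE_EVENTS).items()):
        print(client, entry)
    print("escalate:", flagged_clients(SAMPLE_EVENTS))
```

Version-disabled and upgrade-failed counts are kept separate from integrity failures on purpose: a wave of CLIENT_VALIDATION_VERSION_DISABLED after a forced upgrade is expected operational noise, whereas a single CLIENT_VALIDATION_JAILBREAK_DETECTED on a client is worth a look.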

Bug fixes

  • You cannot log into the admin console if you do not put a / at the end of the URL.
  • An acceptance of a push message in the iOS demo app was not seen by the Token Server.
  • Required numeric field refreshTokenRetryLimit is not checked in the server side validator.
  • ETCD properties were not set before JGroups/Infinispan was initialized.

The following 3rd party libraries have been updated:

  • assert-j
  • chosen
  • commons-codec
  • commons-lang3
  • commons-validator
  • httpasyncclient
  • httpclient
  • httpcore-nio
  • jackson
  • MySQL driver
  • Spring Framework
  • Spring LDAP
  • Spring Security
  • Twilio

3.00.03

Bug fixes

  • Cookbook version of the tcp.xml is invalid
  • Title of mobile config is wrong: should be Mobile Config instead of Oauth Config
  • When sending push message fails the stacktrace should be printed
  • Push secret and certificate are shown unencrypted in event log of admin
  • The post form on the consent page has an invalid action

3.00.00

Onegini is proud to present the 3.00 version of the Token Server. This 3.00 branch is not backwards compatible with 2.04 because the support for JBoss has been dropped and it is only possible to deploy the Token Server using a Docker container. This release also requires Java SE 8.

Features

  • Changed from JBoss to Tomcat 8 as Servlet container
  • Onegini Token Server requires Java 8
  • Created more detailed log files
  • Show number of remaining attempts for Two Way OTP after entering an incorrect code
  • Add default sound property to iOS push notification contents
  • Created configuration for an additional authenticator (enrollment step) for an OAuth client
  • Improved the configuration of the SAML certificate and private key for system administrators
  • Basic Authentication on OAuth endpoints is now enforced via HTTP headers