Release notes older versions

3.17.05

Bug fixes

  • Allow users with the role operator to export application config.

3.17.04

Bug fixes

  • Accept header required on the SMS validation endpoint.
  • Upgrading from a non-tampering-protected version to a tampering-protected version, or vice versa, was not possible.

3.17.03

Bug fixes

  • For MS SQL Server installations the authorization properties fallback cannot be null.

3.17.02

Bug fixes

  • Potential deadlock in MS SQL Server when deleting a device using the end user API.

3.17.01

Bug fixes

  • Issue with loading Oracle DB migration 3.15.01 due to a disallowed conversion from BLOB to CLOB.

3.17.00

Features

  • Out-of-order DB migrations can be applied using Flyway when enabled.
  • Endpoint to list the available mobile authentication profiles for a user.
  • Additional OAuth IdP events logged for several error flows.

Bug fixes

  • SDK user agent strings in events are not parsed.
  • OAuth IdP secret visible in event details.
  • Mobile authentication not disabled when revoking a user from a device with multiple profiles via the device end user API.
  • Profile listing for clients with an anonymous access token contains null.

3.16.00

Features

  • Optional mobile authentication callback whitelist
  • Optional basic authentication on mobile authentication callback
  • Accordion in admin console user view replaced by tabs
  • Possibility to see and revoke mobile authentication for a user in admin panel user view
  • User id in events table links to user view in admin panel

Bug fixes

  • Exception shown in log files when no mobile authentication properties set
  • Mobile authentication initialization fails when the primary authorization properties are not available but the fallback is

3.15.00

Features

  • Added new graph in the analytics section representing the trend in unique enrolled users
  • Added new identity provider type: OAUTH

3.14.00

Features

  • Device end user API extended with mobile authentication, fingerprint and multi-profile support

Bug fixes

  • Callback performed on exceeding the maximum number of attempts for mobile authentication via SMS

3.13.00

Features

  • Multiple profile support
  • PGP key size for mobile authentication increased to 2048 bits

Bug fixes

  • Non-unique issue in MSSQL on the access token table
  • Null pointer in client credential token validation
  • Unable to delete a scope while it is used as a default scope
  • iOS OS validation failure due to an invalid property value format

3.12.00

Features

  • Support for a custom SMS gateway using REST.

Documentation

  • New documentation setup based on topic guides to help administrators execute common tasks (OS based forced upgrade)

3.11.00

Features

  • Client config is merged into the client validation endpoint, so the client receives the config object in the response after successful validation. Usage of the config endpoint is deprecated.
  • Certificate format validation and usage of the real certificate dates when using the certificate store in the admin console.

Bug fixes

  • Internal server error when the client secret has an invalid length and tampering detection is enabled.

Documentation

  • New documentation setup based on topic guides to help administrators execute common tasks
  • Automatically generated list of third-party licenses used in the Token Server project included in the documentation

3.10.00

Features

  • User disconnected on too many wrong PIN attempts via push with PIN.
  • User disconnected on wrong fingerprint refresh token usage via push with fingerprint.
  • Maximum allowed attempts for push with PIN aligned with the maximum allowed PIN attempts at login.
  • Possibility to revoke a fingerprint via the client revoke endpoint.
  • Added maximum allowed PIN attempts and redirect URI to the application version export.

Bug fixes

  • Wrong encoding of the event details JSON in the admin console event overview.
  • Removed the possibility to reset the wrong PIN usage counter via a successful fingerprint login.

3.09.00

Features

  • Certificate repository introduced to manage the certificates used by an application for certificate pinning
  • Web clients are extended with a public base URI
  • A resource gateway can be selected for an application; the resource gateway is one of the available web clients
  • Application delivery lifecycle support added via application config export

Bug fixes

  • Consent cache replication
  • Default consent screen in Chrome

3.08.00

Features

  • API version is introduced, which prevents a client from using deprecated endpoints.
  • The SAML attribute used as user id can be configured.
  • Push with fingerprint support
  • Mobile authentication encryption improvements via a new endpoint
  • Mobile authentication message signing
  • Select the APNs environment for push instead of setting a URL
  • When a usage limit is set on one of the requested scopes, no refresh token is provided
  • Support for non-persistent consent
  • Additional whitelisted user properties can be set via request parameters when using the header authenticator
  • Token validation response is enriched with user attributes

Bug fixes

  • Exception when no APNs endpoint is specified

3.07.02

Bug fixes

  • Changed the keystore location used for encryption in a clustered setup

3.07.01

Bug fixes

  • Adding a static client config fails
  • Make the end user API compatible with multiple refresh tokens

3.07.00

Features

  • Add support for fingerprint authentication.

Bug fixes

  • DCR fails when no OpenID config is created for the used client.
  • Mobile authentication disabled on logout.

3.06.03

Bug fixes

  • Improve the API error codes returned in the payload encryption policy API.

3.06.02

Bug fixes

  • Improve the payload encryption policy API; also return the policy for static (web) clients.

3.06.01

Bug fixes

  • Improve the payload encryption policy API; return the policy regardless of whether the app version is disabled or the access token has expired.

3.06.00

Bug fixes

  • Validate the application signature correctly when updating an application version that has tampering protection enabled.
  • Following the OTP flow when 2WAYOTP is configured caused an Internal Server Error
  • Fixed OpenID Connect configuration
  • Cache-Control and Pragma headers were duplicated

Features

  • Added verification of the mobile client OS version (OS based forced upgrade)
  • Make client validation more efficient with the optional architecture header
  • Extended the Payload Encryption Policy API to look up the policy by access token
  • Extended the push transaction event log with available user and client details

3.05.00

Bug fixes

  • Make a clear distinction between Onegini WNS messages and generic ones sent by others.

Features

  • Improved analytics graphs. Added graphs for: response times and error pages.
  • Improved validation of access and refresh tokens.
  • Added configuration to limit supported OS versions.
  • Improved response for Two Way OTP token validation in case of a missing session.
  • Added development mode to skip all application signature checks. Must not be used in production.

3.04.00

Bug fixes

  • Upgrading from a non-tamper-detected version to a tamper-detected version did not work

Features

  • Support for combined architecture secrets for iOS
  • Ability to categorize HTTP requests

3.03.00

Bug fixes

  • Starting over the two-way OTP did not work correctly

Features

  • Automatically update the database schema using Flyway
  • Add Push authentication support for Windows Phone

3.02.01

Bug fixes

  • Mobile authentication enrollment failed when requests were directed to different nodes in the cluster.
  • 405 Method not found is mapped to a 500 Internal Server Error.
  • Jackson exceptions are returned to the caller.
  • Do not reveal which application server is used in the HTTP response header.

3.02.00

Features

  • HTTP requests are stored for use in reporting.
  • SMS authentication can be enforced as the last step of the enrollment process.
  • An end user can be forced to upgrade their version of the app by marking an application version as disabled.
  • DCR is disabled when an app version is disabled.
  • Support for Dynamic Client Upgrade (DCU) in the Token Server.
  • The application version in use by the dynamic client is now tracked when the /client/validate endpoint is called.
    • Deprecated the /validation/client endpoint in favor of /client/validate.
    • The client validation endpoint is able to detect whether a device is being debugged or is jailbroken, based on information in the request.
  • Application versions can be disabled in the DCR and client validation process, and the application version can be upgraded. A few more events are introduced:
    • DYNAMIC_REG_VERSION_DISABLED: the version has been disabled.
    • DYNAMIC_REG_NEW_REGISTRATIONS_DISABLED: the version no longer accepts new registrations.
    • CLIENT_VALIDATION_INVALID_HEADER: one or more of the headers used in the client validation process are left out or invalid.
    • CLIENT_VALIDATION_VERSION_DISABLED: the version in use has been disabled.
    • CLIENT_VALIDATION_DEBUGGER_DETECTED: client validation failed because a debugger was detected to be attached to the app.
    • CLIENT_VALIDATION_JAILBREAK_DETECTED: client validation failed because the device was detected to be jailbroken/rooted.
    • CLIENT_VALIDATION_ABUSE_DETECTED: client validation failed because general abuse on the device was detected.
    • CLIENT_VALIDATION_UPGRADE_INITIALIZED: the dynamic client upgrade process is initiated after client validation detected that it was required.
    • DYNAMIC_UP_SUCCESS: the client successfully upgraded to a different app version.
    • DYNAMIC_UP_FAILED: the client failed to upgrade to a different app version.

Bug fixes

  • You cannot log into the admin console if the URL does not end with a /.
  • An acceptance of a push message in the iOS demo app is not seen by the Token Server.
  • The required numeric field refreshTokenRetryLimit is not checked in the server-side validator.
  • ETCD properties are not set before JGROUPS/INFINISPAN is initialized.

The following third-party libraries have been updated:

  • assert-j
  • chosen
  • commons-codec
  • commons-lang3
  • commons-validator
  • httpasyncclient
  • httpclient
  • httpcore-nio
  • jackson
  • MySQL driver
  • Spring Framework
  • Spring LDAP
  • Spring Security
  • Twilio

3.00.03

Bug fixes

  • Cookbook version of the tcp.xml is invalid
  • Title of the mobile config is wrong: should be Mobile Config instead of OAuth Config
  • When sending a push message fails, the stack trace should be printed
  • Push secret and certificate are shown unencrypted in the admin event log
  • The POST form on the consent page has an invalid action

3.00.00

Onegini is proud to present version 3.00 of the Token Server. The 3.00 branch is not backwards compatible with 2.04 because support for JBoss has been dropped and the Token Server can only be deployed as a Docker container. This release also requires Java SE 8.

Features

  • Changed from JBoss to Tomcat 8 as the Servlet container
  • Onegini Token Server requires Java 8
  • Created more detailed log files
  • Show the number of remaining attempts for two-way OTP after entering an incorrect code
  • Add a default sound property to the iOS push notification contents
  • Created configuration for an additional authenticator (enrollment step) for an OAuth client
  • Improved the configuration of the SAML certificate and private key for system administrators
  • Basic authentication on OAuth endpoints is now enforced via HTTP headers

2.04.07

Bug fixes

  • Fixed a bug where mobile authentication enrollment failed in cluster mode

2.04.06

Features

  • To improve the UX of the enrollment flow, scope verification is performed before the one-time password is sent
  • Basic authentication is enforced on OAuth endpoints
  • A REST endpoint is added to check whether a user has entered their device code on the login portal
  • Check for the scope verification service in two-way OTP and call it before generating the response code
  • The language of the user can be selected based on a cookie value
  • Added a new optional header authenticator configuration option, header.auth.languageCode.cookieName: the cookie name used to determine the language for the user; if set and the cookie is available, it is preferred over the header value.

Bug fixes

  • iOS: the demo app push message no longer shows the full message
  • Deleting an application sometimes results in an exception
  • In the test environment the user is redirected to http after successful SAML authentication
  • The APNs SSL certificate is overridden during app version edit even when no changes are made
  • NN enrollment token update is not propagated between cluster nodes
  • A client must not be able to use the transaction cookie of another client
  • Enable revoking of devices via the admin console for operators and helpdesk users
  • Push secret and certificate are shown unencrypted in the admin event log
  • The POST form on the consent page has an invalid action
  • The dead-end page uses the correct styling also without the transaction cookie
  • A numeric keyboard is shown when entering a code for two-way OTP

2.04.00

  • displays an Authorization Complete page after finishing the authorization flow on mobile clients
  • adds a unique device id to distinguish user devices
  • adds support for SAML Identity Providers that do not have an accessible metadata URL
  • introduces a default Identity Provider flag
  • adds support for OpenID Connect scopes
  • adds support for OpenID Connect signed id_tokens
  • allows administrators to create custom attribute mappings between the Identity Provider and the id_token
  • introduces a new Identity Provider type (OTP) which requires a One Time Password during the enrollment process
  • creates a relation between authentication apps and user devices
  • increases the security of the mobile authentication callback mechanism
  • enriches the initial authentication response with an "expires_in" property to allow Portal clients with different time/date settings to properly handle the timeout
  • adds a platform property (e.g. android) to the device object returned by the public API
  • allows administrators to remove Identity Providers
  • enables clients to override the default text messages displayed by the Token Server
  • introduces PIN Policies to prevent the usage of a weak PIN
  • push secret and certificate must be hidden in the event log (OAUTH-755)

2.03.06.00

  • Added a new optional header authenticator configuration option: header.auth.languageCode.cookieName

    Property:      header.auth.languageCode.cookieName
    Example value: Language
    Description:   Cookie name used to determine the language for the user; if set and the cookie is available, this is preferred over the header value.

2.03.00

  • allows serving client-specific templates to mobile clients
  • changes the session timeout to 15 minutes
  • allows using the server time during the Dynamic Client Registration process
  • allows administrators to explicitly define the push server endpoint
  • allows helpdesk users to detach devices