Release notes older versions

5.8.0

Improvements

  • Change from HTTP-POST binding to HTTP-Redirect binding in SAML Authentication requests.
  • Update MariaDB driver from 1.5.9 to 2.0.3.

5.7.4

Improvements

  • Security improvements

5.7.3

Improvements

  • Security improvements

5.7.2

Bug fixes

  • Fixed building redirect uri when only the X-Forwarded-Proto header is set in the request

5.7.1

Bug fixes

  • Fingerprint authentication was allowed even though the functionality was disabled in the admin. Only affected users that had fingerprint authentication enabled.

5.7.0

Improvements

  • Added ability to set scope verification service settings via environment variables.
  • Moved "API" tab to the "Systems" page in the admin console.
  • Improved UX for the admin console events table by moving details to an expandable view.
  • Test client now supports the new mobile authentication enrollment flows.
  • Restructured and cleaned up the end user API documentation.
  • Removed support for Windows devices.
  • Added Device API V3 to distinguish between mobile auth and mobile auth with push enrollments.

Bug fixes

  • Several bugfixes in the admin events log.
  • Fix labels on app installations page.
  • Set admin cookies to secure.
  • Fixed base64 parsing bug in the key enrollment endpoint.
  • Disable AJAX request caching in two-way OTP template.
  • Added application/xml content type to SAML metadata endpoint.
  • Fixed device API bug that did not distinguish between mobile auth and mobile auth with push (breaking change, requires new V3 API).
  • Fixed bug where user was not completely deregistered in some scenarios.

5.6.0

Improvements

  • Improve OAuth client configuration in admin panel.
  • Move cache TTL values from etcd to be configurable via the admin panel.

Bug fixes

  • Added database migration to remove lingering OTP IdPs (support was discontinued in 5.01.00).
  • Fixed bug in mobile authentication API when checking availability for a user, when the user had multiple devices enrolled.
  • Restrict admin mobile authentication request TTL to be equal to or smaller than the cache TTL.
  • Fixed default etcd property generation bug.

5.5.2

Bug fixes

  • Fixed SAML response validation for SSO responses

5.5.1

Improvements

  • Shortened the OTP, which makes the QR code easier to scan.
  • Hide the Mobile authentication section when configuring an app version and the mobile authentication feature is disabled.

Bug fixes

  • Fixed the Oracle database migration for version 5.5.0.

5.5.0

Features

  • Added OTP authentication as a new mobile authentication method, in addition to push and SMS.
  • The test client UI now works on mobile devices.

Improvements

  • Restructured and improved the mobile authentication documentation.
  • Improved admin console user experience for the mobile platform version configuration.
  • Added link to documentation in admin console.
  • Updated the MariaDB driver from 1.4.6 to 1.5.9.

Bug fixes

  • Fixed bug when being redirected back from the IdP in certain cases.

5.4.0

Features

  • Added support for IdP-initiated SAML Single Logout.
  • Display a numeric keyboard for Android users in the default templates when entering the code for 2WAYOTP or SMS.

Bug fixes

  • Fixed bug where an unnecessary thread was created for every SAML login.

5.3.0

Note: from this version we removed the leading zeros from our versioning scheme.

Features

  • API client support for the two-way OTP, payload encryption and end user APIs.
  • Transaction signing support for mobile authentication with push.

Bug fixes

Please refer to 4.04.10

5.02.00

Features

  • CORS support can be enabled for a set of configurable endpoints and domains.

5.01.00

Features

  • Added experimental Custom Authenticator support using the Onegini Extension Engine.
  • Proxy support for Google Cloud Messaging with and without preemptive authentication.

Bug fixes

  • Event details stored in client id field in client validation.
  • Some redirects performed by some of the supported IdPs redirect from https to http.
  • Invalid attempts for SMS are not properly counted in a stateless cluster setup.

Changes

  • Discontinued support for the OTP IdP.

5.00.00

Features

  • Authentication method and attempt count included in mobile authentication result.
  • Optional single user default admin login.

Bug fixes

4.05.00

Improvements

  • Change from HTTP-POST binding to HTTP-Redirect binding in SAML Authentication requests.

4.04.17

Improvements

  • Security improvements

4.04.16

Improvements

  • Security improvements

4.04.15

Bug fixes

  • Fixed building redirect uri when only the X-Forwarded-Proto header is set in the request

4.04.14

Bug fixes

  • Fixed SAML response validation for SSO responses

4.04.13

Bug fixes

  • Fixed persisting redirect bugs for specific scenarios

4.04.12

Bug fixes

  • Removed duplicated context root in request url for some scenarios

4.04.11

Bug fixes

  • Removed double context path in redirects for some scenarios

4.04.10

Bug fixes

  • UTF-8 BOM stripped from template files to prevent database storage issues.
  • Correct client id set for client credential events.
  • PGP invalid signature length error resolved.
  • Https to http redirect issues in IdP communication resolved.
  • Only allow mobile authentication message data to be fetched once.
  • Properly remove all data related to an application for a user when using the application end user api.

4.04.09

Improvements

  • Added preemptive authentication support for the external REST services proxy configuration

4.04.08

Improvements

  • Switched to Docker Compose variables for configuration instead of ETCD properties.
  • Added proxy support for GCM.

Bug fixes

  • Remove FIDO user authenticators on delete consent.
  • Invalid attempts during SMS abuse now properly stored in cache.
  • FIDO deregistration now only deregisters one authenticator instead of all of them.

4.04.07

Bug fixes

  • Improved FIDO error handling.

4.04.06

Bug fixes

  • Unique constraint issue with multiple IdP attribute mappings on Oracle and MSSQL.
  • Display max resend value for Mobile authentication via SMS in read only view.

4.04.05

Bug fixes

  • Use of semicolon as user DN separator instead of space.
  • Mobile authentication via SMS exception in stateless cluster setup.

4.04.04

Improvements

  • Dummy user IdP shows a page to provide a userId if no userId was provided as request parameter.

Bug fixes

  • Mobile authentication transaction marked as unanswered when result fetched before callback is answered in stateless cluster setup.
  • Acknowledged mobile authentication transactions resent in stateless cluster setup.

4.04.03

Improvements

  • Integrated custom implementation of two way OTP authentication into core code base, transparent change.

4.04.02

Bug fixes

  • Send the callback asynchronously after a mobile authentication answer.
  • Make REST communication with other services stateless.
  • Don't fully rely on FIDO server to validate registration during authentication.
  • Validate that the user identifier in the SAML response is not empty.
  • Mobile authentication is disabled when a device is disconnected via the Token end user API.

4.04.01

Bug fixes

  • Users with operator role not able to download app config and template set exports.
  • Unable to find user details when clicking on user id in events overview for case sensitive user identifiers.
  • Performance improvements for user search in the admin console.

4.04.00

Features

  • Allow fallback on PIN for mobile authentication via FIDO.
  • More detailed events for FIDO success and failure responses.
  • SSL/TLS ciphers are made configurable.

Bug fixes

  • Mobile authentication via FIDO fixes.
  • Add check for duplicate name for Mobile authentication types.
  • No longer allow sending a mobile authentication answer multiple times until the callback is handled by the portal.
  • Potential concurrent modification exception during push resend for iOS.

4.03.00

Features

  • FIDO moved from experimental feature to supported feature
  • FIDO configuration via admin console
  • Mobile authentication via FIDO
  • Use of sha256 in RSA keys for mobile authentication

Bug fixes

  • Database exception on iOS push resend

4.02.02

Bug fixes

  • OAuth identity provider endpoints return page not found

4.02.01

Bug fixes

  • Mobile authentication initialization doesn't work with email address as user id.
  • Non UTF-8 characters in device name can't be stored in MySQL.
  • Scope verification rest api json does not use snake case parameters.
  • Event list in admin console does not perform well in MySQL.
  • Error for missing Log4j2.xml printed at application startup.
  • Switching default identity provider in admin console raises exception.
  • Event filter date fields in admin console ignored.
  • Menu items admin console renamed.
  • Identity provider and pin policy of application config can not be unset.
  • Adding API client doesn't work on Oracle.
  • Renamed authorization properties to mobile authentication types.
  • Updating mobile authentication types in Oracle can lead to exception.
  • FIDO integration fails to initiate due to class not found exception.
  • Spaces and special characters no longer allowed in certificate names.

4.02.00

Features

  • Updated logging framework
  • Option to exclude token validation events via event log filter in admin console.
  • Application secret renamed to application signature in the admin console.
  • Import and export functionality for translations in the admin console.
  • Statistics dashboard is the homepage for admin console users with the role admin or operator.
  • User section is the homepage for admin console users with role helpdesk.
  • All configuration in admin console is moved to a configuration tab.
  • Copy paste functionality in admin console without flash requirement.
  • Removed event statistics from statistics dashboard.

Bug fixes

  • Disabled logging of SAML metadata reloading by default.
  • Unable to handle email address as user id in mobile authentication init request.

4.01.01

Bug fixes

  • Removal of mapping table from db template entities.
  • MSSQL migrations needing the db user to be Onegini.
  • Invalid redirect uri used during authorization for custom app schemas when consent and authorization complete page disabled.
  • Profile picture not loaded by test resource gateway.
  • DCU fails when upgrading from a non-tampering-protected version to a tampering-protected version or the other way around.
  • Database migration for push message configuration fails on MariaDB.

4.01.00

Features

  • Resending of non handled iOS push messages on client validation.
  • Statistics:
    • Trend in unique user logins.
    • A summary of used OS versions.
    • Total of unique users enrolled.
    • Total of application installations per platform.
    • Overview between failed and passed login attempts per login method.
  • Possibility to explicitly disable the consent notification service.
  • Rest/JSON extension point for scope validation service.
  • Custom i18n message translations can be managed via the Admin panel.
  • Custom templates sets can be uploaded and managed via the Admin panel.
  • Mobile authentication API protected with the use of API clients.
  • Redesign admin panel user interface.
  • Separate dockers for Admin, Engine and Test client.
  • Push message config can be reused for multiple mobile application versions.
  • Configurable pin length.
  • SMS code used for mobile authentication can be resent.
  • Optionally allow enrollment of mobile authentication on a different device.
  • Improved error handling for json and html responses.
  • Discontinue the support for custom platforms.
  • New white label templates using Thymeleaf layout dialect.

Bug fixes

  • Improve the performance of the user event search for MySQL.
  • Remove oauth client when last user is disconnected via the admin panel.
  • Exception when client not found when using FIDO.

3.17.05

Bug fixes

  • Allow users with the role operator to export application config.

3.17.04

Bug fixes

  • Accept header required on SMS validation endpoint.
  • Upgrading from non tampering protected version to tampering protected version or vice versa not possible.

3.17.03

Bug fixes

  • For MS SQL server installations the authorization properties fallback can not be null.

3.17.02

Bug fixes

  • Potential deadlock in MS SQL server when deleting a device using the end user api.

3.17.01

Bug fixes

  • Issue with loading Oracle DB migration 3.15.01 due to not allowed conversion from BLOB to CLOB.

3.17.00

Features

  • Out of order DB migrations can be applied using flyway when enabled.
  • Endpoint to list the available mobile authentication profiles for a user.
  • Additional Oauth IdP events logged for several error flows.

Bug fixes

  • SDK user agent strings in events are not parsed.
  • Oauth IdP secret visible in event details.
  • Mobile authentication not disabled when revoking user from device with multiple profiles via device end user api.
  • Profile listing for clients with an anonymous access token contains null.

3.16.00

Features

  • Optional mobile authentication callback whitelist
  • Optional basic authentication on mobile authentication callback
  • Accordion in admin console user view replaced by tabs
  • Possibility to see and revoke mobile authentication for a user in admin panel user view
  • User id in events table links to user view in admin panel

Bug fixes

  • Exception shown in log files when no mobile authentication properties set
  • Mobile authentication initialization fails when primary authorization properties not available but fallback is

3.15.00

Features

  • Added new graph representing a trend in unique users enrolled in analytics section
  • Added new identity provider type: OAUTH

3.14.00

Features

  • Device end user api extended with mobile authentication, fingerprint and multi profile support

Bugs

  • Callback performed on exceeding max attempts on mobile authentication via SMS

3.13.00

Features

  • Multiple profile support
  • PGP keys mobile authentication size increased to 2048

Bugs

  • Non unique issue MSSQL on access token table
  • Nullpointer in client credential token validation
  • Unable to delete scope when used as default scope
  • iOS OS validation failure due to invalid property value format

3.12.00

Features

  • Support of custom SMS gateway using REST.

Documentation

  • New documentation setup based on topic guides to help administrators executing common tasks (OS based forced upgrade)

3.11.00

Features

  • Merge client config in client validation endpoint so client will receive config object in the response after successful validation. Usage of the config endpoint is deprecated.
  • Certificate format validation and usage of real certificate date when using certificate store in the admin console.

Bug fixes

  • Internal server error when the client secret has an invalid length and tampering detection is enabled.

Documentation

  • New documentation setup based on topic guides to help administrators executing common tasks
  • Automatically generated list of third-party licenses used in Token Server Project included in documentation

3.10.00

Features

  • User disconnected on too many wrong PIN attempts via push with PIN.
  • User disconnected on wrong fingerprint refresh token usage via push with fingerprint.
  • Max allowed attempts of push with PIN aligned with max allowed PIN attempts at login.
  • Possibility to revoke fingerprint via client revoke endpoint.
  • Added max allowed PIN attempts and redirect uri to application version export.

Bug fixes

  • Wrong encoding of event details json in event overview admin console.
  • Removed possibility to reset wrong PIN usage counter via successful fingerprint login.

3.09.00

Features

  • Certificate repository introduced to manage certificates used by an application for certificate pinning
  • Web clients are extended with a public base URI
  • A resource gateway can be selected for an application; the resource gateway is one of the available web clients
  • Application delivery lifecycle support added via application config export

Bug fixes

  • Consent cache replication
  • Default consent screen in Chrome

3.08.00

Features

  • Api version is introduced which prevents a client from using deprecated endpoints.
  • SAML attribute used as user id can be configured.
  • Push with fingerprint support
  • Mobile authentication encryption improvements via new endpoint
  • Mobile authentication message signing
  • Select APNs environment for push instead of setting url
  • When a usage limit is set on one of the requested scopes, no refresh token is provided
  • Support for non persistent consent
  • Additional whitelisted user properties can be set via request params when using the header authenticator
  • Token validation response is enriched with user attributes

Bug fixes

  • Exception when no APNs endpoint is specified

3.07.02

Bug fixes

  • Change keystore location used for encryption in a clustered setup

3.07.01

Bug fixes

  • Adding static client config fails
  • Make end user API compatible with multiple refresh tokens

3.07.00

Features

  • Add support for fingerprint authentication.

Bug fixes

  • DCR fails when no openId config is created for used client.
  • Mobile authentication disabled on logout.

3.06.03

Bug fixes

  • Improve the API error codes returned in the payload encryption policy API.

3.06.02

Bug fixes

  • Improve the payload encryption policy API; return the policy also for static aka web clients.

3.06.01

Bug fixes

  • Improve the payload encryption policy API; return the policy regardless of the app version being disabled or access token being expired.

3.06.00

Bug fixes

  • Validate the application signature correctly when updating an application version that has tampering protection enabled.
  • Following the OTP flow when 2WAYOTP is configured caused an Internal Server Error
  • Fixed OpenID Connect configuration
  • Cache-Control and Pragma headers were duplicated

Features

  • Added verification of mobile client OS version. (OS based forced upgrade)
  • Make the client validation more efficient with the optional architecture header
  • Extended the API for Payload Encryption Policy to lookup the policy by access token
  • Extended push transaction event log with available user and client details

3.05.00

Bug fixes

  • Make a clear distinction between Onegini WNS messages and generic ones sent by others.

Features

  • Improved analytics graphs. Added graphs for: response times and error pages.
  • Improved validation of access and refresh tokens.
  • Added configuration to limit supported OS versions.
  • Improved response for Two Way OTP token validation in case of a missing session.
  • Added development mode to skip all application signature checks. Must not be used in production.

3.04.00

Bug fixes

  • Upgrading from a non tamper detected version to a tamper detected version didn't work

Features

  • Support for combined architecture secrets for iOS
  • Ability to categorize http requests

3.03.00

Bug fixes

  • Starting over the 2-way OTP did not work correctly

Features

  • Automatically update the database schema using Flyway
  • Add Push authentication support for Windows Phone

3.02.01

Bug fixes

  • Mobile Authentication Enrollment failed when requests are directed to different nodes in cluster.
  • 405 Method not found is mapped to a 500 internal server error.
  • Jackson exceptions are returned to the caller.
  • Do not show which application server we use in the Http response header.

3.02.00

Features

  • HTTP requests are stored for use in reporting.
  • SMS authentication can be enforced as the last step of the enrollment process.
  • An end user can be forced to upgrade their version of the app, by marking an application as disabled.
  • DCR is disabled when an App version is disabled.
  • Support for Dynamic Client Upgrade (DCU) in the Token Server.
  • We now keep track of the application version in use by the dynamic client when the /client/validate endpoint is being called.
    • Deprecated the /validation/client endpoint in favor of /client/validate.
    • The client validation endpoint is able to detect if a device is debugged or jailbroken based on information in the request.
  • Application versions can be disabled in the DCR and Client Validation process, and the application version can be upgraded. A few more events are introduced:
    • DYNAMIC_REG_VERSION_DISABLED: when the version has been disabled.
    • DYNAMIC_REG_NEW_REGISTRATIONS_DISABLED: when the version is no longer allowed to accept new registrations.
    • CLIENT_VALIDATION_INVALID_HEADER: when one or more of the headers used in the client validation process are left out or invalid.
    • CLIENT_VALIDATION_VERSION_DISABLED: when the version used has been disabled.
    • CLIENT_VALIDATION_DEBUGGER_DETECTED: client validation failed because it was detected a debugger was attached to the app.
    • CLIENT_VALIDATION_JAILBREAK_DETECTED: client validation failed because it was detected the device was jailbroken/rooted.
    • CLIENT_VALIDATION_ABUSE_DETECTED: client validation failed because general abuse on the device was detected.
    • CLIENT_VALIDATION_UPGRADE_INITIALIZED: the dynamic client upgrade process is initiated after client validation detected it was required.
    • DYNAMIC_UP_SUCCESS: the client successfully upgraded to a different App version.
    • DYNAMIC_UP_FAILED: the client failed to upgrade to a different App version.

Bug fixes

  • You cannot log into the admin console if you do not put a / at the end of the URL.
  • An acceptance of a push message in the iOS demo app is not seen by the Token Server.
  • Required numeric field refreshTokenRetryLimit is not checked in the server side validator.
  • ETCD properties are not set before JGROUPS/INFINISPAN is initialized.

The following 3rd party libraries have been updated:

  • assert-j
  • chosen
  • commons-codec
  • commons-lang3
  • commons-validator
  • httpasyncclient
  • httpclient
  • httpcore-nio
  • jackson
  • MySQL driver
  • Spring Framework
  • Spring LDAP
  • Spring Security
  • Twilio

3.00.03

Bug fixes

  • Cookbook version of the tcp.xml is invalid
  • Title of mobile config is wrong: should be Mobile Config instead of Oauth Config
  • When sending push message fails the stacktrace should be printed
  • Push secret and certificate are shown unencrypted in event log of admin
  • The post form on the consent page has an invalid action

3.00.00

Onegini is proud to present the 3.00 version of the Token Server. This 3.00 branch is not backwards compatible with 2.04 because the support for JBoss has been dropped and it is only possible to deploy the Token Server using a Docker container. This release also requires Java SE 8.

Features

  • Changed from JBoss to Tomcat 8 as Servlet container
  • Onegini Token Server requires Java 8
  • Created more detailed log files
  • Show number of remaining attempts for Two Way OTP after entering an incorrect code
  • Add default sound property to iOS push notification contents
  • Created configuration for an additional authenticator (enrollment step) for an OAuth client
  • Improved the configuration of the SAML certificate and private key for system administrators
  • Basic Authentication on OAuth endpoints is now enforced via HTTP headers

2.04.07

Bug fixes

  • Fixed bug where the mobile authentication enrollment failed in cluster mode

2.04.06

Features

  • To improve the UX of the enrollment flow, scope verification is added before the one time password is sent
  • Basic authentication is enforced on OAuth endpoints
  • A REST endpoint is added to check if a user has entered his device code on the login portal
  • Check for scope verification service in two way OTP and call scope verification service before generating the response code
  • The language of the user can be selected based on a Cookie value
  • Added a new optional header authenticator configuration option: header.auth.languageCode.cookieName. Cookie name used to determine the language for the user; if set and the cookie is available, this is preferred over the header value.

Bug fixes

  • iOS: Demo App Push message no longer shows the full message
  • Deleting an application sometimes results in an exception
  • In test env user redirected to http after successful saml auth
  • APNs SSL certificate is being overridden during App version edit when no changes are being done
  • NN Enrollment Token update is not propagated between cluster nodes
  • As a client I should not be able to use the transaction cookie of another client
  • As Harry I want to enable revoking of devices via admin for operators and helpdesk
  • Push secret and certificate are shown unencrypted in event log of admin
  • The post form on the consent page has an invalid action
  • As Johan I want the dead-end page to use the correct styling also without the transaction cookie
  • As Lisa I want a numeric keyboard when entering a code for two way OTP

2.04.00

  • displays Authorization Complete page after finishing authorization flow on mobile clients
  • adds unique device id to distinguish user devices
  • adds support for SAML Identity Providers which don't have an accessible metadata URL
  • introduces default Identity Provider flag
  • adds support for OpenID Connect scopes
  • adds support for OpenId Connect signed id_tokens
  • allows administrators to create custom attribute mappings between Identity Provider and id_token
  • introduces new Identity Provider type (OTP) which requires One Time Password during enrollment process
  • creates a relation between authentication apps and user devices
  • increases security of mobile authentication callback mechanism
  • enriches initial authentication response with "expires_in" property to allow Portal clients with different time/date settings to properly handle timeout
  • adds platform property (ex. android) to device object returned by the public API
  • allows administrators to remove Identity Providers
  • enables clients to override default text messages displayed by the Token Server
  • introduces PIN Policies to prevent the usage of a weak PIN
  • push secret and certificate must be hidden in event log (OAUTH-755)

2.03.06.00

  • Added a new optional header authenticator configuration option: header.auth.languageCode.cookieName

    Property:      header.auth.languageCode.cookieName
    Example value: Language
    Description:   Cookie name used to determine the language for the user; if set and the cookie is available, this is preferred over the header value.

2.03.00

  • allows serving client specific templates to mobile clients
  • changes the session timeout to 15 minutes
  • allows using the server time during the Dynamic Client Registration process
  • allows administrators to explicitly define push server endpoint
  • allows helpdesk users to detach devices