Release notes
This section contains release notes for OneWelcome Access.
We are releasing OneWelcome Access on a 1-3 weekly basis. A release does not require downtime and will occur during European business hours.
The releases are backward compatible. However, we will extend the API contract (adding new fields to a JSON object). If breaking changes are required in the API, a new API version is created, and the old version will be deprecated. Customers will have six months to migrate to the new API version.
In the release notes we mention new features and bug fixes. If anything is unclear, feel free to contact OneWelcome Support.
Release date 2023-05-10
Improvements
- We now allow HEAD requests to the authorization URL.
Bugs
- Fixed a bug where some cache values did not expire on time.
Release date 2023-05-05
Bugs
- Fixed an issue where a request to a SAML IDP timed out before the web session expired. This can happen when users have to go through a registration process at the IDP.
Release date 2023-05-03
Features
- Performance improvements
- Added experimental support for a new way to connect to the Tulip type of IDP.
Improvements
- Removed support for RSA1_5 and RSA_OAEP as encryption algorithms.
Release date 2023-04-25
Bugs
- Fixed a bug that prevented updating the SAML SP configuration.
Release date 2023-04-18
Bugs
- Fixed a bug where the SAML SP configuration was sometimes resolved incorrectly.
Release date 2023-03-31
Improvement
- We now support the client_id parameter combined with the post-logout-url for the OIDC logout endpoint.
- We improved the error handling for all OAuth and Tulip type IDPs.
Bugs
- Not all claims in the ID token were forwarded for Identity Providers of the type Tulip. This has been fixed.
- We solved an issue where a null value in the Hook response caused an error.
Release date 2023-03-08
Features
- Added support for client_secret_post authentication on calls to the /token endpoint for IDPs of the type Tulip or OAuth.
Improvement
- Mapped user attributes are now also accessible in the Access Token Webhook.
- Improved the caching of the default templates and messages.
Bugs
- When a Web client requests scopes in an authentication request which are not known in the connected IDP of the type Tulip, we now forward the error to the requesting client.
Release date 2023-02-27
Improvement
- Added support for setting AMR when using custom registration
- Requires the Extension Engine 2.5.0 and above.
Release date: 2023-02-21
Improvement
- All available user-related claims are now accessible in the Access Token Webhook
Bugs
- Cloning a mobile app via the Application version API works again
- The User Details Customization hook is no longer cleared when editing a web client configuration in the Admin console UI
Release date: 2023-02-16
Bugs
- Fixed an issue where a user was not always logged out when they had two sessions, one based on Cookie based authentication, and a 'regular' authentication.
Release date: 2023-02-08
Bugs
- Fixed an issue where requests towards a configured SAML IDP (e.g. CIM) failed when a single user-agent initiated multiple authentication requests for the same client.
Release date: 2023-02-06
Features
- Added support for custom parameters in the Customize User Details Web Hook.
- Custom Registration scripts can now also access custom parameters. This makes it possible for the script to execute different logic based on the provided params.
Improvements
- For the IDP type Tulip, we now send all the requested scopes (default, optional, and the scopes in the IDP config) to the IDP in the authentication request.
- We improved the performance of Silent authentication requests (prompt=none) towards an IDP of the type Tulip.
Release date: 2023-01-24
Features
- The end-user is now redirected to a whitelisted post-logout-url after an OIDC logout request, even when the provided ID token has recently expired or there is no active session for that client.
Bugs
- The Device API now returns a timestamp for lastLogin.
- The removeScopes feature in the Customize Access Token Web Hook will now be respected when used together with Custom registration.
Release date: 2023-01-18
Improvements
- For Custom registration events, we now log the Client id to make it easier to correlate the events to a client or mobile device.
Bugs
- While adding a mobile authentication type "SMS", the SMS sender id always returned a validation error in the UI. This is now fixed.
Release date: 2023-01-11
Features
- We introduced a new Tulip Identity Provider Type.
Release date: 2022-12-15
Bug fixes
- Fixed a bug where the introspection endpoint returned a rpSet claim instead of user attributes.
- We now also remove the Mobile push message capabilities for users that remove their last mobile device.
Release date: 2022-12-01
Features
- Next to an instance in the EU, we also released an instance in the US.
Release date: 2022-11-30
Improvements
- We improved the performance and stability of the application.
Release date: 2022-11-11
Improvements
- We improved performance for clients with multiple redirectUris.
- We improved the performance of the Events page for customers with mobile devices.
Release date: 2022-11-01
Bug fixes
- Fixed a bug where Access tokens were not revoked after a logout request if the session was created based on a cookie.
Release date: 2022-10-11
Features
- Added an API to delete all tokens for a specific user per type.
Bug fixes
- Fixed an issue where token introspection showed claims with the value null. These are now hidden.
Release date: 2022-08-29
Features
- Support for custom registration for Web clients.
Improvements
- Reduced the number of calls to our caching database for templates.
Release date: 2022-08-16
Improvements
- We introduced a v2 of the token introspection endpoint to comply with RFC 7662 for the exp attribute.
- We now make a SAML SLO request succeed even without a session, based on SpNameQualifier in the SAML metadata.
Release date: 2022-07-06
Improvement
- Removed support for the deprecated algorithms RSA1_5 and RSA_OAEP.
- The generated Server Public Key is now visible as text on the mobile app's configuration page.
Improvement
- Fixed an issue that caused exceptions when making calls to our caching database.
Release date: 2022-06-29
Features
- It is now possible to add an extra param hook_context_custom_param.* to the authorization endpoint. This param is then available in the Onegini Customize Access Token Web Hook as context.
Release date: 2022-06-09
Features
- In the authentication response, we now indicate which external IDP was used by the end-user to authenticate. E.g. when a user uses Digid, we fill the acr with urn:com:onegini:saml:idp-alias:digid.
Improvement
- It's now impossible to configure an API based custom authenticator with the PKCE grant type.
Bug fixes
- We aligned the exp value in our token introspection endpoint with RFC 7662. It is now an integer timestamp, measured in the number of seconds since January 1 1970 UTC. To use this new value, please switch to the v2 of our token introspection endpoint.
Release date: 2021-09-14
Features
- Added the ability to delete access and refresh tokens when using the End-session endpoint for OpenID Connect. This is enabled by default for clients with the authentication method PKCE. Refer to the OpenID Connect configuration for more information.
- Added the token revocation endpoint to the OpenID Connect discovery endpoint.
- Improved the integrity check for mobile apps. This improved integrity check is required for new mobile apps introduced to the Google Play Store after August 1st, 2021. The existing apps, both running on Android and iOS, will continue to work without any changes. Still, it is recommended to plan an update of the Onegini SDK and use the improved integrity check.
Bug fixes
- The OpenID End-session endpoint did not properly handle encoded parameters when it was called via HTTP POST. This prevented users from being redirected back to the website after logout. This has been fixed.
- Several endpoints for Mobile Authentication returned responses in a different format than documented. These responses have been fixed.
Release date: 2021-05-10
Features
- It is now possible to configure multiple redirect URLs for mobile apps. This makes it possible to change the app scheme of the mobile app in a new version while the existing app installations use the old app scheme.
- Relying Parties (RP) can resolve user attributes from Access by calling the User Info endpoint or by requesting an ID Token. Both means are defined by the OpenID Connect (OIDC) standard. The returned set of identity related claims couldn't be modified, extended or filtered other than by using scopes. The new User Details Customization Web Hook serves these purposes.
- When the user device domain state changes, Access will publish a corresponding event to the event bus notifying all interested parties about the change. Device domain state changes are: a new user device registration, deregistration, user logging in with the device, or mobile authentication enrollment changes.
- The process of registering a new mobile application requires both parties, the device and the server, to have their time/date settings set correctly. Some users explicitly modify their time, which prevents them from successfully finishing the onboarding process. To improve the user experience, Access will handle such situations more gracefully by detecting clock skew and informing the client about the root cause of the rejection.
Improvement
- When Access failed to successfully send a PUSH notification via Apple Push Notification Service (APNS), it returned a generic error to the client. To help diagnose the root cause of the issue, Access will log more detailed information about why the notification got rejected in the corresponding event.
Bug fixes
- The mobile applications that were using the Custom Registration feature had to send an additional request in order to obtain an ID Token. This will no longer be required as the ID Token will be returned to the client along with the Access Token when configured.
- Users who are either members of many Delegated Administration for Business Partners (DABP) groups or have many DABP policies assigned could experience issues when logging out from DABP or Onegini Console applications. The logout request in such scenarios will no longer be rejected.
Release date: 2021-03-09
- First official release of the access components.