This section contains release notes for OneWelcome Access.
We are releasing OneWelcome Access on a 1-3 weekly basis. A release does not require downtime and will occur during European business hours.
The releases are backward compatible. However, we will extend the API contract (adding new fields to a JSON object). If breaking changes are required in the API, a new API version is created, and the old version will be deprecated. Customers will have six months to migrate to the new API version.
In the release notes, we mention new features and bug fixes. If anything is unclear, feel free to contact OneWelcome Support.
Release date 2023-11-22
- We added an API to view all active sessions for a user. User Sessions API
- We adjusted the communication resiliency properties for Access to better handle issues with the external services.
- The version of the backend for the mobile app config was fixed.
- Standard ID Token claims are now filtered from the custom registration user object.
- We ensured that the tenant context is always set when handling OneEx events.
Release date 2023-11-03
- We enabled Custom Registration scripts to return user attributes in the ID Token and UserInfo Endpoint response.
- We have introduced a feature that allows for the removal of a user's Access Tokens and grants whenever they change their password. This enhancement ensures that a user's security and access control are maintained by revoking their existing access privileges and requiring them to reauthenticate with their new password.
Release date 2023-10-30
- We now support more acr_values; these are also exposed in the Discovery Endpoint.
- We added configuration to configure the SSO Session on a tenant level. This allows customers to set the default length and the maximum length of an SSO session.
- The user details cache (used for the ID Token and the userinfo endpoint) can now be cleared automatically if the connected IdP sends Events.
- Extended the token revocation events with a
- Improved error logging in web hooks
- Ensure the acr value is not lost when a specific attribute mapping is configured for an IdP.
- Removed some details from specific events.
Release date 2023-10-09
- We added a new configuration item to Web clients. Specifying the Refresh Token validity from when the token is issued is now possible. We also clarified that the old config referred to the max lifetime, calculated from when the first access token was issued. Now, both validities can be configured.
- If an account gets blocked or deleted from an IdP of the type CIM, we now clear all active tokens and remove all registered devices.
Release date 2023-09-28
- The new Map assertion attributes feature for SAML IDPs now also maps the attributes in the SAML assertion from the external IDP to claims in the UserInfo endpoint.
Release date 2023-09-27
- We added a new experimental feature to connect to a new IDP type: ID Broker. This is a new component that supports federated authentication towards external identity schemes.
- We added a new Map assertion attributes feature for SAML IDPs. This feature enables mapping all attributes in the SAML assertion from the external IDP to claims in the ID Token. Via Attribute mapping, you can limit this mapping to only include specific claims. If you have enabled the User Info integration, the assertion attributes will be overwritten if they have the same name.
- We improved the mapping of "expected error responses" from OAuth/OIDC IdP types, e.g. the login_required error is now mapped to the event AUTHN REQUEST LOGIN REQUIRED and no longer to IDP OAUTH RECEIVED ERROR.
- We improved our production roll-out process.
- We now also support a '.' character in the name of a scope.
- The length was limited to 20 characters when managing scopes via the API. We now aligned this to 255, which was already possible via the UI.
- We now support the new urn:onewelcome:oauth2:grant_type:stateless_authentication grant during the registration of a Mobile device.
Release date 2023-09-13
- token_endpoint_auth_methods_supported is now included in the Discovery URL.
- Added a new event type, TOKEN REQUEST EXPIRED REFRESH TOKEN, which replaces the TOKEN REQUEST INVALID REFRESH TOKEN event when a refresh token is expired.
- Added a new event type, TOKEN REQUEST FINGER PRINT EXPIRED REFRESH TOKEN, which replaces the TOKEN REQUEST FINGER PRINT INVALID REFRESH TOKEN event when a refresh token is expired.
- We started logging the length of a refresh token in the details of the TOKEN REQUEST INVALID REFRESH TOKEN event.
Release date 2023-09-08
- We added a new attribute: baseUrl to the modelmap of the
- Resolved an issue where the auth_time was not updated after re-authentication based on the
Release date 2023-09-05
- Resolved an issue where clearing caches via the Admin UI did not work.
- Resolved an issue where message keys were always cleared after 5 minutes. The TTL now follows the configured duration for static resources.
Release date 2023-08-31
- The Respond to silent authentication requests based on current session state feature now redirects to the upstream IDP in case additional scopes are requested, a specific acr_value is requested, or when max_age indicates that the auth_time needs to be refreshed.
- Resolved an issue where a Logout request failed if the id_token_hint contained a token with multiple audiences.
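The redirect rule for session-based silent authentication described above, written out as an added illustrative model (this is not OneWelcome's code; the Session and SilentRequest shapes, and treating each of the three triggers as independently sufficient, are assumptions):

```python
"""Model of when a prompt=none request is served from the current SSO
session and when it is forwarded to the upstream IdP (illustrative; the
data shapes and the "any trigger is sufficient" rule are assumptions)."""
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    auth_time: int                      # epoch seconds of last user authentication
    scopes: frozenset = frozenset()     # scopes the session already covers


@dataclass
class SilentRequest:
    scopes: frozenset                   # requested "scope" values
    acr_values: Tuple[str, ...] = ()    # requested "acr_values", if any
    max_age: Optional[int] = None       # requested "max_age" in seconds, if any

    @classmethod
    def from_query(cls, params: dict) -> "SilentRequest":
        """Build a request from OIDC query parameters (space-separated lists)."""
        max_age = params.get("max_age")
        return cls(
            scopes=frozenset(params.get("scope", "").split()),
            acr_values=tuple(params.get("acr_values", "").split()),
            max_age=int(max_age) if max_age is not None else None,
        )


def needs_upstream_redirect(req: SilentRequest, session: Session,
                            now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (redirect_to_idp, reason) for a prompt=none request."""
    now = int(time.time()) if now is None else now
    extra = req.scopes - session.scopes
    if extra:                           # trigger 1: additional scopes requested
        return True, "additional scopes requested: %s" % sorted(extra)
    if req.acr_values:                  # trigger 2: a specific acr_value requested
        return True, "acr_values requested: %s" % list(req.acr_values)
    if req.max_age is not None and now - session.auth_time > req.max_age:
        return True, "max_age exceeded; auth_time must be refreshed"  # trigger 3
    return False, "served from current session"


if __name__ == "__main__":
    # Constructed sample: session authenticated 100 s ago with openid+profile.
    sess = Session(auth_time=int(time.time()) - 100, scopes=frozenset({"openid", "profile"}))
    for q in ({"scope": "openid", "prompt": "none"},
              {"scope": "openid email", "prompt": "none"},
              {"scope": "openid", "max_age": "60", "prompt": "none"}):
        print(q, "->", needs_upstream_redirect(SilentRequest.from_query(q), sess))
```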
Release date 2023-08-07
- We have optimized how we handle our Single sign-on (SSO) experience when multiple clients use the same IdP. We decided to use the existing OneWelcome session when new clients initiate an authentication request with the Respond to silent authentication requests based on current session state feature enabled for that client. Before, the request was forwarded to the configured IdP for that web client.
Release date 2023-08-03
- We added an additional setting for the App2Web integration for the Tulip type idp that allows setting the "Used authentication methods". This is required for setups where 2FA is required on the Tulip side.
Release date 2023-08-02
- We resolved another bug in the SLO request towards a Tulip type idp.
Release date 2023-07-27
- It is now possible to remove Identity Providers via API.
- We resolved a bug in the SLO request towards a Tulip type idp.
- We resolved a bug where missing templates uploaded via self-styling caused the app to fail.
- A PATCH call to the Web Client API resulted in the session_based_silent_auth value being overwritten with
Release date 2023-07-14
- We simplified the App2Web integration between Access and Tulip.
Release date 2023-07-11
- We extended the ConfigAPI with the option to create IDPs of the type
- We introduced caching for Tulip's JWKS endpoint, so the certificates are no longer fetched during every authentication.
- Fixed a bug that caused calls to the ConfigAPI to fail when the Authentication Method was set to PrivateKeyJWT.
Release date: 2023-06-30
- We fixed the support for key rotation for clients authenticating with PrivateKeyJWT.
Release date: 2023-06-29
- We have expanded the details of the log events published by Access when handling OIDC/OAuth callbacks fails.
Release date 2023-06-22
- We now support forwarding a logout request, initiated in Onewelcome Access, towards an IDP of the type Tulip.
- We fixed an issue where the admin panel showed different values for a configured client for a limited time after an update of the configuration
- We added the sub claim to the Token Introspection response for Client Credentials grants to become compliant with RFC7523.
Release date 2023-06-05
- We now filter disabled external IDPs when the mobile SDK requests the client configuration.
Release date 2023-06-02
- We now allow a scope name to be 255 characters.
- We introduced a new configuration to set the minimum time frame for allowing multiple Access Tokens for a given user and client to coexist.
Release date 2023-05-30
- Added support for privateKeyJWT client authentication for the
- Added support for the App2Web feature for the
Release date 2023-05-18
- We now also support colons ':' in the name of scopes.
Release date 2023-05-10
- We now allow HEAD requests to the authorization URL.
- Fixed a bug where some cache values did not expire on time.
Release date 2023-05-05
- Fixed an issue where a request to a SAML IDP timed out before the web session expired. This can happen when users have to go through a registration process at the IDP.
Release date 2023-05-03
- Performance improvements
- Added experimental support for a new way to connect to the Tulip type of IDP.
- Removed support for RSA_OAEP as encryption algorithm.
Release date 2023-04-25
- Fixed a bug that prevented updating the SAML SP configuration.
Release date 2023-04-18
- Fixed a bug where the SAML SP configuration was sometimes resolved incorrectly.
Release date 2023-03-31
- We now support the client_id parameter combined with the post-logout-url for the OIDC logout endpoint.
- We improved the error handling for all
- Not all claims in the ID token were forwarded for Identity Providers of the type Tulip. This has been fixed.
- We solved an issue where a null value in the Hook response caused an error.
Release date 2023-03-08
- Added support for client_secret_post authentication on calls to the /token endpoint for IDPs of the type Tulip or OAuth.
- Mapped user attributes are now also accessible in the Access Token Webhook.
- Improved the caching of the default templates and messages.
- When a Web client requests scopes in an authentication request which are not known in the connected IDP of the type Tulip, we now forward the error to the requesting client.
Release date 2023-02-27
- Added support for setting AMR when using custom registration
  - Requires the Extension Engine
Release date: 2023-02-21
- All available user-related claims are now accessible in the Access Token Webhook
- Cloning a mobile app via the Application version API works again
- The User Details Customization hook is no longer cleared when editing a web client configuration in the Admin console UI
Release date: 2023-02-16
- Fixed an issue where a user was not always logged out when they had two sessions, one based on Cookie based authentication, and a 'regular' authentication.
Release date: 2023-02-08
- Fixed an issue where requests towards a configured SAML IDP (e.g. CIM) failed when a single user-agent initiated multiple authentication requests for the same client.
Release date: 2023-02-06
- Added support for custom parameters in the Customize User Details Web Hook.
- Custom Registration scripts now can also access custom parameters, this makes it possible for the script to execute different logic based on the provided params.
- For the IDP type Tulip, we now send all the requested scopes (default, optional, and the scopes in the IDP config) to the IDP in the authentication request.
- We improved the performance of Silent authentication requests (prompt=none) towards an IDP of the type
Release date: 2023-01-24
- The end-user is now redirected to a whitelisted post-logout-url after an OIDC logout request, even when the provided ID token is recently expired or there is no active session for that client.
- The Device API now returns a timestamp for
- The removeScopes feature in the Customize Access Token Web Hook will now be respected when used together with Custom registration.
Release date: 2023-01-18
- For Custom registration events, we now log the Client id to make it easier to correlate the events to a client or mobile device.
- While adding a mobile authentication type "SMS", the SMS sender id always returned a validation error in the UI. This is now fixed.
Release date: 2023-01-11
- We introduced a new Tulip Identity Provider Type.
Release date: 2022-12-15
- Fixed a bug where the introspection endpoint returned an rpSet claim instead of user attributes.
- We now also remove the Mobile push message capabilities for users that remove their last mobile device.
Release date: 2022-12-01
- Next to an instance in the EU, we also released an instance in the US.
Release date: 2022-11-30
- We improved the performance and stability of the application.
Release date: 2022-11-11
- We fixed a performance issue caused by clients with multiple redirectUris.
- We improved the performance of the Events page for customers with mobile devices.
Release date: 2022-11-01
- Fixed a bug where Access tokens were not revoked after a logout request if the session was created based on a cookie.
Release date: 2022-10-11
- Added an API to delete all tokens for a specific user per type.
- Fixed an issue where token introspection showed claims with the value null. These are now hidden.
Release date: 2022-08-29
- Support for custom registration for Web clients.
- Reduced the number of calls to our caching database for templates.
Release date: 2022-08-16
- We introduced a v2 of the token introspection endpoint to comply with RFC 7662 for the
- We now make a SAML SLO request succeed even without a session, based on SpNameQualifier in the SAML metadata.
Release date: 2022-07-06
- Removed support for the deprecated algorithms
- The generated Server Public Key is now visible as text on the mobile app's configuration page.
- Fixed an issue that caused exceptions when making calls to our caching database.
Release date: 2022-06-29
- It is now possible to add an extra param hook_context_custom_param.* to the authorization endpoint. This param is then available in the Onegini Customize Access Token Web Hook as context.
Release date: 2022-06-09
- In the authentication response, we now indicate which external IDP was used by the end-user to authenticate. E.g. when a user uses Digid, we fill the
- It's now impossible to configure an API based custom authenticator with the PKCE grant type.
- We aligned the exp value in our token introspection endpoint with RFC 7662. It now is an integer timestamp, measured in the number of seconds since January 1 1970 UTC. To use this new value, please switch to the v2 of our token introspection endpoint.
Release date: 2021-09-14
- Added the ability to delete access and refresh tokens when using the End-session endpoint for OpenID Connect. This is enabled by default for clients with the authentication method PKCE. Refer to the OpenID Connect configuration for more information.
- Added the token revocation endpoint to the OpenID Connect discovery endpoint.
- Improved the integrity check for mobile apps. This improved integrity check is required for new mobile apps introduced to the Google Play Store after August 1st, 2021. The existing apps, both running on Android and iOS, will continue to work without any changes. Still, it is recommended to plan an update of the Onegini SDK and use the improved integrity check.
- The OpenID End-session endpoint did not properly handle encoded parameters when it was called via HTTP POST. This prevented users from being redirected back to the website after logout. This has been fixed.
- Several endpoints for Mobile Authentication returned responses in a different format than documented. These responses have been fixed.
Release date: 2021-05-10
- It is now possible to configure multiple redirect URLs for mobile apps. This makes it possible to change the app scheme of the mobile app in a new version while the existing app installations use the old app scheme.
- Relying Parties (RP) can resolve user attributes from Access by calling the User Info endpoint or by requesting an ID Token. Both means are defined by the OpenID Connect (OIDC) standard. The returned set of identity related claims couldn't be modified, extended or filtered other than by using scopes. The new User Details Customization Web Hook serves these purposes.
- When the user device domain state changes, Access will publish a corresponding event to the event bus notifying all interested parties about the change. Device domain state changes are: a new user device registration, deregistration, user logging in with the device, or mobile authentication enrollment changes.
- The process of registering a new mobile application requires both parties, the device, and the server, to have their time/date settings set correctly. Some users are explicitly modifying their time which prevents them from successfully finishing the onboarding process. To improve the user experience Access will handle such situations more gracefully by detecting clock skew and informing the client about the root cause of the rejection.
- When Access failed to successfully send a PUSH notification via Apple Push Notification Service (APNS), it returned a generic error to the client. To help diagnose the root cause of the issue, Access will log more detailed information about why the notification got rejected in the corresponding event.
- The mobile applications that were using the Custom Registration feature had to send an additional request in order to obtain an ID Token. This will no longer be required as the ID Token will be returned to the client along with the Access Token when configured.
- Users who are either members of many Delegated Administration for Business Partners (DABP) groups or have many DABP policies assigned could experience issues when logging out from DABP or Onegini Console applications. The logout request in such scenarios will no longer be rejected.
Release date: 2021-03-09
- First official release of the access components.