Skip to content

Releases: indigo-iam/iam

INDIGO Identity and Access Management Service v1.8.2p1

04 Jul 11:50
Compare
Choose a tag to compare

INDIGO Identity and Access Management Service v1.8.1p1

04 Jul 11:51
Compare
Choose a tag to compare

INDIGO Identity and Access Management Service v1.8.2

05 Jun 13:03
Compare
Choose a tag to compare

1.8.2 (2023-05-31)

Added

  • Introduced new admin scopes in order to access IAM API endpoints #562
    • Note: From this release, an administrator access token is not enough to have full access to IAM API endpoints. The added scopes (iam:admin.read and iam:admin.write) are now needed.
  • Bump Spring-Boot version to 2.6.14 #593

Fixed

  • Fix refresh token lifetime value in case of client credentials or implicit grant types #582
  • Add missing check on challenge code method for PKCE #583
  • Fix lifecycle end-time for suspended account #585
  • Cosmetic Group Manager dashboard fix #587
  • Properly update OAuth scope list in model after scope policies evaluation #588

INDIGO Identity and Access Management Service v1.8.1

02 Mar 15:17
Compare
Choose a tag to compare

1.8.1 (2023-02-28)

Added

  • Add scope management to IAM dashboard #500
  • Add the groups view for the group managers #536
  • Support for AARC-G069 guideline #553

Fixed

  • Fix /devicecode endpoint in cors endpoint matchers #535
  • Do not raise exception when incorrect scope policy #526
  • Fix bug when updating user fields #512
  • Do not allow IAM to issue RT to users with expired AUP #503
  • Remove orphans from database #547
  • Prevent VOMS aa from issuing ACs when AUP has expired #552
  • Do not allow token refresh for disabled users #570
  • Do not allow disabled users to log in with x509 certificate #571
  • Apply the UsernameValidator whenever a username can be updated (e.g. SCIM API) #572
  • Fix unnamed clients and add missing edit button into clients view #573

Changed

  • Remove health endpoints forward #567
  • Disable register MITREid endpoint for Dynamic Client Registration #567
  • Change default refresh token lifetime from infinity to 30 days #567
  • Add '@' and '.' as allowed characters for a registered username #572

Notes

The /health endpoint and its children have been moved to /actuator/health base path since IAM v1.8.0. Since IAM v1.8.1 the forward to the old endpoints has been removed.

INDIGO Identity and Access Management Service v1.8.0

09 Sep 20:25
Compare
Choose a tag to compare

1.8.0 (2022-09-09)

Added

  • Spring boot migration to version 2.6.6
  • Upgrade flyway to version 7.15.0
  • New clients management page for administrators on IAM dashboard
  • New clients registration page for users on IAM dashboard
  • Support for JWT-based client-authN
  • New Cache-Control to /jwk endpoint
  • Support for AARC G021 guideline
  • Support for AARC G025 guideline
  • Persistence layer migrations for MFA support
  • Group labels in user home page
  • New consent page

Fixed

  • Fix group names according to AARC G002
  • Fix update button bug
  • Fix tokens page failure following a username update
  • Fix tokens page failure due to a client deletion
  • Fix pagination in tokens component in IAM dashboard
  • Fix scope caching on client update
  • Fix validation for user's image URL
  • Fix support for JWK configuration
  • Fix missing wlcg.groups in userinfo response

Changed

  • IAM_USE_FORWARDED_HEADERS configuration variable has been deprecated due to the Spring update and replaced by IAM_FORWARD_HEADERS_STRATEGY. It can be set to native or none. The same for the Test Client application, where IAM_CLIENT_USE_FORWARDED_HEADERS becomes IAM_CLIENT_FORWARD_HEADERS_STRATEGY
  • The value of IAM_CLIENT_SCOPES configuration variable is expressed as a list of space-delimited scopes
  • The /health endpoint and its children have been moved to /actuator/health base path. Requests are still forwarded to the old endpoints, but their support will be removed in the next release.
    Email and external connectivity probes have been disabled by default; to enable them the IAM_HEALTH_MAIL_PROBE_ENABLED and IAM_HEALTH_EXTERNAL_CONNECTIVITY_PROBE_ENABLED environment variables must be set to true
  • Token exchange is not allowed if the actor and the subject are the same client and offline_access is among the requested scopes
  • Client redirect URIs and pre-registered URIs are compared using exact string matching

Deprecated

  • Manage Clients MitreID page for administartors
  • Self-service Client Registration MitreID page for users

Upgrading

  • In case you're upgrading from IAM v1.7.2 please read the Changed section above.
  • In case you're upgrading from a IAM version < 1.7.2, you MUST upgrade to v1.7.2 before. Otherwise it won't work due to a problem described here.

Other notes

February 15th repackaging

On February 15th we built a new v1.8.0 image with tag v1.8.0-2 that solves a vulnerability inside the angular-ui-bootstrap library which was including a hidden '.DS_Store' file which could give to an attacker information on the structure and contents of the website.

docker pull indigoiam/iam-login-service:v1.8.0-2

INDIGO Identity and Access Management Service v1.7.2

03 Dec 12:57
Compare
Choose a tag to compare

1.7.2 (2021-12-03)

This release provides a single dependency change for the IAM login service
application.

Added

  • Upgrade flyway to version 4.2.0. This is needed to enable a smooth transition to
    the flyway version that will come with IAM v1.8.0 (which moves to Spring boot
    2.5.x) (#443)

INDIGO Identity and Access Management Service v1.7.1

11 Sep 13:48
Compare
Choose a tag to compare

1.7.1 (2021-09-13)

This release provides changes and bug fixes to the IAM test client application.

Added

  • The IAM test client application, in its default configuration, no longer exposes tokens, but only the
    claims contained in tokens. It's possible to revert to the previous behavior by setting the IAM_CLIENT_HIDE_TOKENS=false
    environment variable (#414)

Fixed

  • A problem that prevented the correct behaviour of the IAM test client has
    been fixed (#415)

INDIGO Identity and Access Management Service v1.7.0

31 Aug 16:16
Compare
Choose a tag to compare

1.7.0 (2021-09-02)

Added

  • IAM now enforces intermediate group membership (#400)

  • Support for X.509 managed proxies (#356)

  • Characters allowed in username are now restricted to the UNIX valid username
    characters (#347)

  • Support for including custom HTML content at the bottom of the login page has
    been added (#341)

  • Improved token exchange flexibility (#306)

  • CI has been migrated from travis to Github actions (#340)

  • IAM now allows to link ssh keys to an account (#374)

Fixed

  • A problem that prevented the deletion of dynamically registered clients under
    certains conditions has been fixed (#397)

  • Token exchange is no longer allowed for single-client exchanges that involve
    the offline_access scope (#392)

  • More flexibility in populating registration fields from SAML authentication
    assertion attributes (#371)

  • A problem with the userinfo endpoint disclosing too much information has been
    fixed (#348)

  • A problem which allowed to submit multiple group requests for the same group
    has been fixed (#351)

  • A problem with the escaping of certificate subjects in the IAM dashboard has
    been fixed (#373)

  • A problem with the refresh of CRLs on the test client application has been
    fixed (#368)

Documentation

  • The IAM website and documentation has been migrated to a site based on
    Google Docsy, including improved documentation for the SCIM, Scope
    policy and Token exchange IAM APIs (#410)

INDIGO Identity and Access Management Service v1.6.0

31 Jul 13:09
Compare
Choose a tag to compare

Changelog

1.6.0 (2020-07-31)

Added

  • IAM now supports multiple token profiles (#313)

  • IAM now implements basic account lifecycle management (#327)

  • It is now possible to disable local authentication and only rely on brokered
    authentication (#330)

  • The editing of user profile information can now be disabled (#329)

  • IAM can now be configured to require authentication through an external
    identity provider at registration time (#328)

  • IAM now stores and manages a URL pointing to the AUP document instead of
    storing the AUP text in the database (#287)

  • IAM now allows to customize the organization logo size presented in login and
    other pages (#280)

Fixed

  • A race condition that could lead to SAML login being blocked has been fixed
    (#334)

  • The applicant username is now included in the registration confirmation email
    (#325)

  • The "link external account" button is now disabled when no external IdP is
    configured (#323) and the registration page does not mention external IdPs
    when none are configured (#322)

  • A bug in the pagination handling of "Add to group" dialog has been fixed
    (#318)

  • The token management API no longer shows registration tokens (#312)

  • The token management API no longer exposes token values to privileged users
    (#308)

  • IAM no longer requires client authentication for the device code grant (#316)

  • A bug that prevented adding users to an IAM instance from the dashboard when
    registration is disabled has been fixed (#326)

INDIGO Identity and Access Management Service v1.5.0.RELEASE

17 Oct 07:38
Compare
Choose a tag to compare

1.5.0.RELEASE (2019-10-25)

Added

  • It is now possible to configure multiple external OpenID Connect providers
    (#229)

  • IAM now supports group managers (#231). Group managers can approve group
    membership requests.

  • It is now possible to define validation rules on external SAML and OpenID
    Connect authentications, e.g., to limit access to IAM based on entitlements
    (#297 )

  • Real support for login hint on authorization requests: this feature allows a
    relying party to specify a preference on which external SAML IdP should be
    used for authentication (#230)

  • Improved scalability on user and group search APIs (#250)

  • IAM supports serving static local resources (#288); this support can be used,
    for instance, to locally serve custom logo images (#275)

  • Actuator endpoints can now be secured more effectively, by having dedicated
    credentials for IAM service deployers (#244)

  • It is now possible to configure IAM to include the scope claim in issued
    access tokens (#289)

  • Support for custom local SAML metadata configuration (#273)

  • Improved SAML configuration flexibility (#292)

Fixed

  • Stronger validation logic on user-editable account information (#243)

  • EduPersonTargetedID SAML attribute is now correctly resolved (#253)

  • The token management API now supports sorting (#255)

  • Orphaned tokens are now cleaned up from the database (#263)

  • A bug that prevented the deployment of the IAM DB on MySQL 5.7 has been
    resolved (#265)

  • Support for the OAuth Device Code flow is now correctly advertised in the IAM
    OpenID Connect discovery document (#268)

  • The device code default expiration is correctly set for dynamically
    registered clients (#267)

  • The updated_at user info claim is now correctly encoded as an epoch second
    (#272)

  • IAM now defaults to transient NameID in SAML authentication requests (#291)

  • A bug in email validation that prevented the use of certain email addresses
    during registration has been fixed (#302)