Releases: indigo-iam/iam
INDIGO Identity and Access Management Service v1.8.2p1
Fixes
This release fixes an XSS vulnerability in 1.8.2. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-20.
INDIGO Identity and Access Management Service v1.8.1p1
Fixes
This release fixes an XSS vulnerability in 1.8.1. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-20.
INDIGO Identity and Access Management Service v1.8.2
1.8.2 (2023-05-31)
Added
- Introduced new admin scopes in order to access IAM API endpoints #562
- Note: From this release, an administrator access token is not enough to have full access to IAM API endpoints. The added scopes (iam:admin.read and iam:admin.write) are now needed.
- Bump Spring-Boot version to 2.6.14 #593
Fixed
- Fix refresh token lifetime value in case of client credentials or implicit grant types #582
- Add missing check on challenge code method for PKCE #583
- Fix lifecycle end-time for suspended account #585
- Cosmetic Group Manager dashboard fix #587
- Properly update OAuth scope list in model after scope policies evaluation #588
INDIGO Identity and Access Management Service v1.8.1
1.8.1 (2023-02-28)
Added
- Add scope management to IAM dashboard #500
- Add the groups view for the group managers #536
- Support for AARC-G069 guideline #553
Fixed
- Fix /devicecode endpoint in cors endpoint matchers #535
- Do not raise exception when incorrect scope policy #526
- Fix bug when updating user fields #512
- Do not allow IAM to issue RT to users with expired AUP #503
- Remove orphans from database #547
- Prevent the VOMS AA from issuing ACs when AUP has expired #552
- Do not allow token refresh for disabled users #570
- Do not allow disabled users to log in with x509 certificate #571
- Apply the UsernameValidator whenever a username can be updated (e.g. SCIM API) #572
- Fix unnamed clients and add missing edit button into clients view #573
Changed
- Remove health endpoints forward #567
- Disable register MITREid endpoint for Dynamic Client Registration #567
- Change default refresh token lifetime from infinity to 30 days #567
- Add '@' and '.' as allowed characters for a registered username #572
Notes
The /health endpoint and its children have been moved to the /actuator/health base path since IAM v1.8.0. Since IAM v1.8.1 the forward to the old endpoints has been removed.
INDIGO Identity and Access Management Service v1.8.0
1.8.0 (2022-09-09)
Added
- Spring boot migration to version 2.6.6
- Upgrade flyway to version 7.15.0
- New clients management page for administrators on IAM dashboard
- New clients registration page for users on IAM dashboard
- Support for JWT-based client-authN
- New Cache-Control to /jwk endpoint
- Support for AARC G021 guideline
- Support for AARC G025 guideline
- Persistence layer migrations for MFA support
- Group labels in user home page
- New consent page
Fixed
- Fix group names according to AARC G002
- Fix update button bug
- Fix tokens page failure following a username update
- Fix tokens page failure due to a client deletion
- Fix pagination in tokens component in IAM dashboard
- Fix scope caching on client update
- Fix validation for user's image URL
- Fix support for JWK configuration
- Fix missing wlcg.groups in userinfo response
Changed
- IAM_USE_FORWARDED_HEADERS configuration variable has been deprecated due to the Spring update and replaced by IAM_FORWARD_HEADERS_STRATEGY. It can be set to native or none. The same for the Test Client application, where IAM_CLIENT_USE_FORWARDED_HEADERS becomes IAM_CLIENT_FORWARD_HEADERS_STRATEGY
- The value of IAM_CLIENT_SCOPES configuration variable is expressed as a list of space-delimited scopes
- The /health endpoint and its children have been moved to the /actuator/health base path. Requests are still forwarded to the old endpoints, but their support will be removed in the next release. Email and external connectivity probes have been disabled by default; to enable them the IAM_HEALTH_MAIL_PROBE_ENABLED and IAM_HEALTH_EXTERNAL_CONNECTIVITY_PROBE_ENABLED environment variables must be set to true
- Token exchange is not allowed if the actor and the subject are the same client and offline_access is among the requested scopes
- Client redirect URIs and pre-registered URIs are compared using exact string matching
Deprecated
- Manage Clients MitreID page for administrators
- Self-service Client Registration MitreID page for users
Upgrading
- In case you're upgrading from IAM v1.7.2 please read the Changed section above.
- In case you're upgrading from an IAM version < 1.7.2, you MUST upgrade to v1.7.2 first. Otherwise it won't work due to a problem described here.
Other notes
February 15th repackaging
On February 15th we built a new v1.8.0 image with tag v1.8.0-2 that fixes a vulnerability in the angular-ui-bootstrap library, which included a hidden '.DS_Store' file that could give an attacker information about the structure and contents of the website.
docker pull indigoiam/iam-login-service:v1.8.0-2
INDIGO Identity and Access Management Service v1.7.2
1.7.2 (2021-12-03)
This release provides a single dependency change for the IAM login service
application.
Added
- Upgrade flyway to version 4.2.0. This is needed to enable a smooth transition to
the flyway version that will come with IAM v1.8.0 (which moves to Spring boot
2.5.x) (#443)
INDIGO Identity and Access Management Service v1.7.1
1.7.1 (2021-09-13)
This release provides changes and bug fixes to the IAM test client application.
Added
- The IAM test client application, in its default configuration, no longer exposes tokens, but only the
claims contained in tokens. It's possible to revert to the previous behavior by setting the IAM_CLIENT_HIDE_TOKENS=false
environment variable (#414)
Fixed
- A problem that prevented the correct behaviour of the IAM test client has
been fixed (#415)
INDIGO Identity and Access Management Service v1.7.0
1.7.0 (2021-09-02)
Added
- IAM now enforces intermediate group membership (#400)
- Support for X.509 managed proxies (#356)
- Characters allowed in username are now restricted to the UNIX valid username characters (#347)
- Support for including custom HTML content at the bottom of the login page has been added (#341)
- Improved token exchange flexibility (#306)
- CI has been migrated from Travis to GitHub Actions (#340)
- IAM now allows linking SSH keys to an account (#374)
Fixed
- A problem that prevented the deletion of dynamically registered clients under certain conditions has been fixed (#397)
- Token exchange is no longer allowed for single-client exchanges that involve the offline_access scope (#392)
- More flexibility in populating registration fields from SAML authentication assertion attributes (#371)
- A problem with the userinfo endpoint disclosing too much information has been fixed (#348)
- A problem which allowed submitting multiple group requests for the same group has been fixed (#351)
- A problem with the escaping of certificate subjects in the IAM dashboard has been fixed (#373)
- A problem with the refresh of CRLs on the test client application has been fixed (#368)
Documentation
- The IAM website and documentation have been migrated to a site based on
Google Docsy, including improved documentation for the SCIM, Scope
policy and Token exchange IAM APIs (#410)
INDIGO Identity and Access Management Service v1.6.0
Changelog
1.6.0 (2020-07-31)
Added
- IAM now supports multiple token profiles (#313)
- IAM now implements basic account lifecycle management (#327)
- It is now possible to disable local authentication and only rely on brokered authentication (#330)
- The editing of user profile information can now be disabled (#329)
- IAM can now be configured to require authentication through an external identity provider at registration time (#328)
- IAM now stores and manages a URL pointing to the AUP document instead of storing the AUP text in the database (#287)
- IAM now allows customizing the organization logo size presented in login and other pages (#280)
Fixed
- A race condition that could lead to SAML login being blocked has been fixed (#334)
- The applicant username is now included in the registration confirmation email (#325)
- The "link external account" button is now disabled when no external IdP is configured (#323) and the registration page does not mention external IdPs when none are configured (#322)
- A bug in the pagination handling of the "Add to group" dialog has been fixed (#318)
- The token management API no longer shows registration tokens (#312)
- The token management API no longer exposes token values to privileged users (#308)
- IAM no longer requires client authentication for the device code grant (#316)
- A bug that prevented adding users to an IAM instance from the dashboard when registration is disabled has been fixed (#326)
INDIGO Identity and Access Management Service v1.5.0.RELEASE
1.5.0.RELEASE (2019-10-25)
Added
- It is now possible to configure multiple external OpenID Connect providers (#229)
- IAM now supports group managers (#231). Group managers can approve group membership requests.
- It is now possible to define validation rules on external SAML and OpenID Connect authentications, e.g., to limit access to IAM based on entitlements (#297)
- Real support for login hint on authorization requests: this feature allows a relying party to specify a preference on which external SAML IdP should be used for authentication (#230)
- Improved scalability on user and group search APIs (#250)
- IAM supports serving static local resources (#288); this support can be used, for instance, to locally serve custom logo images (#275)
- Actuator endpoints can now be secured more effectively, by having dedicated credentials for IAM service deployers (#244)
- It is now possible to configure IAM to include the scope claim in issued access tokens (#289)
- Support for custom local SAML metadata configuration (#273)
- Improved SAML configuration flexibility (#292)
Fixed
- Stronger validation logic on user-editable account information (#243)
- EduPersonTargetedID SAML attribute is now correctly resolved (#253)
- The token management API now supports sorting (#255)
- Orphaned tokens are now cleaned up from the database (#263)
- A bug that prevented the deployment of the IAM DB on MySQL 5.7 has been resolved (#265)
- Support for the OAuth Device Code flow is now correctly advertised in the IAM OpenID Connect discovery document (#268)
- The device code default expiration is correctly set for dynamically registered clients (#267)
- The updated_at user info claim is now correctly encoded as an epoch second (#272)
- IAM now defaults to transient NameID in SAML authentication requests (#291)
- A bug in email validation that prevented the use of certain email addresses during registration has been fixed (#302)