Release Notes#

Notice#

This document, also known as the Gluu Release Note, relates to the Gluu Server Release versioned 4.2. The work is licensed under “The MIT License”, which permits use, copying, modification, merging, publishing, distribution, sub-licensing and sale without limitation or liability. This document extends only to the release version named in the heading.

UNLESS IT HAS BEEN EXPRESSLY AGREED UPON BY ANY WRITTEN AGREEMENT BEFOREHAND, THE WORK/RELEASE IS PROVIDED “AS IS”, WITHOUT ANY WARRANTY OR GUARANTEE OF ANY KIND EXPRESS OR IMPLIED. UNDER NO CIRCUMSTANCE, THE AUTHOR, OR GLUU SHALL BE LIABLE FOR ANY CLAIMS OR DAMAGES CAUSED DIRECTLY OR INDIRECTLY TO ANY PROPERTY OR LIFE WHILE INSTALLING OR USING THE RELEASE.

Lifecycle#

Status: In Development

Released: July 2020
Community EOL: December 2021
Enterprise EOL: December 2022

Purpose#

This document is released with Version 4.2 of the Gluu Software. Its purpose is to list the changes made and new features included in this release. The list is not exhaustive and minor issues may be omitted, but the noteworthy features, enhancements and fixes are covered.

Background#

The Gluu Server is a free open source identity and access management (IAM) platform. The Gluu Server is a container distribution composed of software written by Gluu and incorporated from other open source projects.

The most common use cases for the Gluu Server include single sign-on (SSO), mobile authentication, API access management, two-factor authentication, customer identity and access management (CIAM) and identity federation.

Documentation#

Please visit the Gluu Documentation Page for the complete documentation and administrative guide.

Available components in Gluu Server 4.2#

  • oxAuth, oxTrust, oxCore v4.2
  • Gluu OpenDJ v3.0.1
  • Shibboleth v3.4.4
  • Passport v4.1
  • Java v1.8.0_112
  • Node.js v9.9.0
  • Jetty-distribution-9.4.12.v20180830
  • Jython v2.7.2a
  • Weld 3.0.0
  • FluentD 3.5
  • Redis

New features#

Fixes / Enhancements#

GluuFederation/oxAuth#

  • #1410 Failed to start redisProvider

  • #1408 BUG: Introspection script is not identified by the client that was used to obtain the access_token

  • #1406 oxAuth slows down 4 times when CIBA is turned on.

  • #1397 Add 'RPT Claims' script to add/modify RPT claims.

  • #1396 Add support to use any client authentication for revoke token endpoint (currently it works only with basic client authentication)

  • #1391 oxAuth fail to prepare JMS

  • #1385 Check and possibly remove oxInvolvedClients attribute from session

  • #1379 Correct security alert in test dependency

  • #1373 Fido to Fido2 enrollment migration

  • #1371 Add property to allow keep authenticator parameters on ACR change

  • #1370 Control visibility of OAuth Scopes in configuration endpoint

  • #1362 NotImplementedError in oxauth_script.log for person authentication scripts

  • #1361 CIBA: Return an expired_token error when the auth_req_id has expired

  • #1358 Security: Block "none" and not signed tokens

  • #1356 Instead of redirect from authorize.htm to login.htm render login.htm page

  • #1354 Associate consent script with client.

  • #1353 Session : interception script should be informed about state change and when session ended by expiration

  • #1350 OPENID Connect : Request for Permission page only shown on second login attempt after 40s interval.

  • #1344 We should not return the reason field in error response because it exposes too much information

  • #1342 CIBA: QA doc

  • #1341 Front channel logout fails to logout all session participants after a re-authentication

  • #1335 AuthenticationService.authenticate(String, String) throws exception if password is wrong

  • #1327 CIBA: Securely store configuration keys.

  • #1326 Add support to store session in htmlLocalStorage as an alternative to cookies

  • #1325 Remove sub from Userinfo response for password grant clients

  • #1319 CIBA: Load FCM config values from database configuration

  • #1316 CIBA: Conformance Testing for FAPI-CIBA

  • #1315 CIBA: Interception script for User Notification

  • #1311 end_session : return error in post_logout_redirect_uri (configurable)

  • #1309 Authorization header: "Bearer" should not be case sensitive

  • #1308 Add oxAuth JSON properties to set logging format

  • #1306 Mitigate replay of modified JWT from Passport-JS

  • #1302 Blocker for RP conformance test : response_types during registration must be array of space separated string

  • #1300 Use exp instead of oxAuthExpiration all over the code

  • #1299 keyRegenerationInterval does not work if value is more than 595 (due to type overflow?)

  • #1298 Fido2: Add option to not fail on device attestation which does not have registered metadata

  • #1297 Password-less authentication with Fido2

  • #1296 Client tests stop working due to bootfaces removal

  • #1292 Add JSON Configuration properties to control JWKS endpoint algorithms

  • #1291 Logout : conformance suite fails because it can't find sid claim in id_token.

  • #1290 Support OpenID Connect prompt=select_account Authn request

  • #1289 Introduce swagger spec file to oxauth

  • #1288 Remove i18n oxauth_en.properties

  • #1286 Logout : conformance tests expect successful page if session was ended but post_logout_redirect_uri not provided

  • #1280 Client authentication : handle Bearer prefix when authenticating by access_token

  • #1279 Logout Test - RP Initiated should validate id_token_hint is present

  • #1278 Use browser locale if there is no AuthZ ui_locales parameter

  • #1277 UMA : resource registration endpoint doesn't use the passed resource's iat, exp

  • #1275 Use ui_locales_supported from configuration instead of JSF locales list

  • #1274 Logout test - RP-Initiated - Unexpected error

  • #1272 Logout test observed because we don't show success logout message to the user

  • #1271 Write SCIM Changelog for social login and password update

  • #1270 FIDO2 : Support username-less authentication workflow

  • #1269 We got redundant keys references in persistence oxAuthConfWebKeys

  • #1268 CIBA: Super Gluu Integration

  • #1265 Error 404 when calling to the FCM: unsubscribe endpoint

  • #1261 OpenID Connect Client: Add client claim to specify introspection scripts to execute

  • #1260 FAPI test (private key jwt) is failing because we don't consider client_assertion and client_assertion_type params

  • #1256 FAPI test fails because conformance suite is sending a list of auds

  • #1255 FAPI test fails because we don't check aud field correctly

  • #1253 Change behavior of default scope

  • #1252 Dynamic registration: do not add fallback response_type or grant_type.

  • #1250 FAPI test fails because we are using state query param but we shouldn't

  • #1249 FAPI test is not passing because refresh token issued to a client can be used with another client

  • #1248 FAPI : swap clients - test fails because we are sending an unexpected kind of error

  • #1247 Gather geolocation data from client instead of server side

  • #1244 FAPI tests fail because we are not validating that exp and scope must be present in the request.

  • #1242 Change session_id after user authentication

  • #1241 FAPI complains that oxauth does not return error in fragment only and that the state in error response does not match

  • #1240 samesite cookie handling in upcoming Chrome 80

  • #1239 FAPI : during test we noticed that c_hash and s_hash is not always present in id_token

  • #1238 FAPI test fails because we are including headers that shouldn't be sent

  • #1230 FAPI : acr requested claim is not returned in id_token

  • #1228 FAPI test fails because oxAuth should reject when response_type is only code

  • #1227 FAPI : one of FAPI tests fails because oxauth does not handle request as JWT correctly.

  • #1226 Test automation

  • #1224 fido2 authentication not working in chrome

  • #1220 Write script to facilitate multiple test email address against one valid address

  • #1219 Introduce separate server-side session lifetime configuration property

  • #1213 Pass Logout Conformance Tests

  • #1212 Persist sessions in persistence layer

  • #1211 Key expiration messages should be logged only if auto re-new is not enabled or re-generation interval is too big for key lifetime

  • #1202 oxAuth should auto-configure tokens clean size based on server load

  • #1198 Add JSON configuration property to control removal of offline access refresh tokens

  • #1197 Support "prompt=consent" parameter

  • #1196 Session cookies should support domain parameter

  • #1195 Authorization endpoint should not use session_id unless the admin allows it

  • #1191 Super Gluu should support communication with web application on desktop

  • #1187 Don't allow issuing openid scope in password grant unless admin approves this

  • #1186 Make password grant type configurable for dynamic clients

  • #1182 Don't issue openid scope without authorization

  • #1181 Set session state to unauthenticated if application session script prohibits its creation

  • #1178 Invalidate access tokens after refresh token revocation

  • #1175 Parameterize OCs that passport scripts can use for user profile manipulation

  • #1174 Add method to Person Authn Script to send context to proposed Post-Authn Interception Script

  • #1172 Implement OpenID Connect offline access

  • #1171 Support custom parameters in request object

  • #1166 refresh_token is automatically added to registered client in CE using oxd

  • #1157 Make active scripts more visible on "Manage custom scripts" page

  • #1150 oxauth code should use new cacheService.getWithPut() method

  • #1149 Review Fido2 implementation to conform to latest spec and conformance tools

  • #1136 Make front-channel logout page customizable

  • #1134 Make it easy to support new locale without unpacking oxauth war

  • #1133 Support Spontaneous Scopes for UMA 2

  • #1130 Restrict scopes in dynamic registration request for clients with password grant

  • #1129 Add Interception Script: Post-Authn Authorize

  • #1125 CIBA: End-User Device Registration and Authentication

  • #1113 Add OpenID Connect front channel logout custom interception script

  • #1104 Allow 'passcode' along with QR code in OTP script

  • #1102 Introspection interception script: add to ExternalIntrospectionContext user and grant object

  • #1079 Discovery - Use jackson on both server and client side (and oxd) for consistency during json construction instead of manual parsing (OpenIdConfigurationResponse)

  • #1073 Move tokens, RPT, (authorization grants) to ou=client_token (outside client entry)

  • #1062 Configure Supported algorithms

  • #1060 Prevent OTP replay attack

  • #1053 Do not return client_secret on client read

  • #1038 Userinfo response is not as expected as described in spec

  • #1036 Introduce oxauth-persistence-model maven module to be re-used by oxTrust API

  • #1032 Add new property for BasicLockAccount authentication script

  • #1024 On session expiration show "Login" button on OP page directly which should re-initiate login process (instead of "Go back" button)

  • #1019 CIBA: Polling protection by interval

  • #1018 CIBA: Signed Authentication Request

  • #1017 CIBA: Push Mode with Pairwise Identifiers

  • #1016 CIBA: Poll and Ping Modes with Pairwise Identifiers

  • #1015 CIBA: Authentication result for Push Mode

  • #1014 CIBA: Update Token Endpoint for request with Poll Mode

  • #1013 CIBA: Update Token Endpoint for request with Ping Mode

  • #1012 CIBA: Obtain End-User Consent/Authorization

  • #1011 CIBA: Authentication Request with user code

  • #1010 CIBA: Authentication Request with binding message

  • #1009 CIBA: Implement Backchannel Authentication Endpoint

  • #1008 CIBA: Update Dynamic Client Registration

  • #1007 CIBA: Update Discovery Metadata

  • #1003 Allow refreshing ID Token with grant_type refresh_token

  • #961 FAPI Conformance Suite

  • #958 More flexibility to set audience on a per client basis

  • #936 FIDO 2: Add support for multi facet app IDs for impl

  • #935 Improve error page for Super Gluu denied authentication

  • #931 Return client_name in response of dynamic client registration

  • #928 Allow users to edit list of released scopes on the fly on the authorization page

  • #922 Encrypt oxAuth login information which are showing in HAR file

  • #921 Session Revocation

  • #895 Values for javax.faces.converter.XXX strings in messages.properties not overriding default messages

  • #861 Request objects should have iat and expiration

  • #853 CAS logout with oxAuth-session script ( application_session )

  • #839 Support for spontaneous scopes

  • #823 Authenticator should not use "@!" to distinguish user/client credentials.

  • #800 Userinfo can't be contacted with access_token issued during resource owner creds grant flow if redirect_uri is not specified for the client

  • #795 Allow setting the pairwiseIdType (algorithmic/persistent) on a client basis

  • #789 Add support for id token upon token refresh

  • #782 Import clients with existing client_ids

  • #759 Scopes from request object get compared to reduced list of scopes during authorization

  • #751 Update Saml script to allow sign request

  • #750 Add CIBA support to oxAuth

  • #719 Allow updating oxDisabled attribute using Dynamic Client Registration endpoint

  • #697 Performance : ~40% of time is blocked by weld synchronization during high load (>800 threads).

  • #694 Support redis failover in standalone

  • #667 Custom interception authorization script for Connect.

  • #657 Synchronize CAS logout with OpenID Connect logout

  • #637 Create reusable login template

  • #586 UMA 2 : Add Selenium user emulation for Claims-Gathering test pages (country.xhtml and city.xhtml)

  • #535 Provide customization of front-channel generated html from /end_session

  • #498 Strip querystring from logout redirect URI comparison

  • #469 Extend Session Endpoint

  • #460 Performance : go over oxAuth thread blocks that appear after 140 req/s

  • #447 Federation: Publish metadata_statement_uris

  • #446 Federation: add signed_jwks_uri

  • #445 Federation: add signing_keys_uri

  • #437 Implement better HTTP Header Security

  • #393 Collect performance stats in oxAuth

  • #302 Client Registration: Validate user-facing values

  • #233 New iFrame implicit flow

  • #223 Add postLogin method for authentication script

  • #218 Implement U2F attestation certificate validation

  • #208 New .well-known endpoint to publish acr configuration

  • #160 U2F: Add TLS Channel ID Binding

  • #89 Support for Software Statement Protected Client Registration

  • #70 Back-Channel Logout

  • #68 Add metric to store CPU/memory usage

  • #9 oxAuth client should support HTTP proxy

GluuFederation/oxTrust#

  • #1991 Add ability to add RPT Claims script to client

  • #1987 Gluu 4.1.1 and 4.2: getting same Pairwise ID ( first generated one ) for rest of the users

  • #1973 Can u2f and fido2 dates be shown using the same format?

  • #1967 Use JSON Property to allow extra attributes for person status

  • #1959 Issue when securely storing CIBA configuration keys

  • #1958 CIBA configuration UI

  • #1946 Custom script not reloading when properties change and script location is file

  • #1930 Break out SCIM into a separate service

  • #1927 SAML TR / "Attributes Published" column buggy

  • #1924 FAPI compatibility

  • #1923 Fix error form too large for custom scripts page

  • #1922 Use ui_locales_supported from configuration instead of JSF locales list

  • #1907 Enhanced management for redirect_uri lists

  • #1891 Re-visit differences between single-SP and federation types of SAML TR

  • #1890 Add spontaneous scope script to UI

  • #1889 Add oxAttributes JSON value support to Scopes (UI and API)

  • #1886 Always show "Edit Type" and "View Type" in attribute form

  • #1873 Deactivate "default acr" field in oxTrust OIDC client

  • #1868 Add note on top of Cache Provider Configuration that oxauth restart is required if cache connection settings are changed.

  • #1867 Log viewing from the UI allows display of any sensitive file

  • #1865 Configuration / Add Script: Pre-populate class and method according to interface

  • #1862 Do we still need web UI representation of nameids?

  • #1861 Optimize Cache Refresh to better handle really huge userbases

  • #1808 Allow administrator to add libraries and plugins to oxAuth via GUI

  • #1750 Detect OS security updates and allow running upgrades

  • #1749 Show notification about released upgrades

  • #1682 Improve Error Reporting In oxTrust API

  • #1663 Allow special char "underscore" in attribute name

  • #1641 Contact Email field validation in Config > Org Config

  • #1636 Performance degrade for /person/view, person/viewProfile.htm (potentially other pages)

  • #1626 Configure supported algorithms

  • #1602 Remove the finishlogout page

  • #1583 Invalid Birthdate Format

  • #1551 Disallow the use of a user's username in their password