Skip to main content
Version: 7.2402.x.x RR

Release notes

nevisAuth 7.2402.1.2 - 28.03.2024

Changes and new features

General Changes

  • FIXED: OAuth2 JWT Bearer Authorization Grant and JWT Client authentication not working correctly. (NEVISAUTH-4596)

nevisAuth 7.2402.0.6 - 21.02.2024

Changes and new features

Breaking changes

  • CHANGED: The transferId initiated by nevisProxy is replaced by the traceparent which consists of the trace_id and span_id. (OpenTelemetry terminology) In nevisAuth interfaces the TransferId is renamed to TraceId, in log patterns you can reference it via %X{trace_id}. The jcan.Op logging category is replaced by OpTrace - INFO for regular tracing, DEBUG for more detailed information. See OpenTelemetry monitoring setup (NEVISAUTH-4508)
  • CHANGED: Change the way nevisAuth communicate to nevisMeta for Persisted Consent and Refresh Token from XML to JSON. (NEVISAUTH-4555)
  • CHANGED: The scope in request parameter for OAuth 2.0/OpenID Connect can only separate by space " ". This is directly related to a breaking change in the Nimbus 3rd party library and you are only affected if you combine scopes manually with a "," separator. (NEVISAUTH-4535)

General Changes

  • FIXED: A deadlock occurring in scenarios where several clients are using the same session attempt to authenticate at the same time. (NEVISAUTH-4525)
  • FIXED: We fixed the error response for missing response type in Authorization requests. (NEVISAUTH-4494)
  • UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.16. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the Bouncy castle third-party dependency to version 1.77. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the checker-qual third-party dependency to version 3.42.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the commons-cli third-party dependency to version 1.16.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the commons-lang3 third-party dependency to version 3.14.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the commons-text third-party dependency to version 1.11.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the jackson third-party dependencies to version 2.16.1. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.5. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the jaxws-rt third-party dependency to version 4.0.2. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the jetty third-party dependencies to version 11.0.19. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the HikarCP third-party dependency to version 5.1.0. (NEVISAUTH-4535)
  • UPGRADED: We updated the Groovy third-party dependency to version 4.0.17. (NEVISAUTH-4535)
  • UPGRADED: We updated the Guava third-party dependency to version 33.0.0-jre. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.27. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the kerb4j third-party dependency to version 0.2.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.2. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the nimbus oicd sdk third-party dependency to version 11.9. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the ldap-unboudid third-party dependency to version 6.0.11. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.1. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the xmlbeans third-party dependency to version 5.2.0. (NEVISAUTH-4535)
  • UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.2. (NEVISAUTH-4535)
  • FIXED: The JWTToken and AccessTokenConsumer auth states now support private keys with elliptic curve algorithm when using PKCS11 integration. (Typically this is HSM) Note that in this case the keycurve parameter must be specified as the algorithm cannot be exctracted from the key itself. (NEVISAUTH-4449)
  • FIXED: Initialization failure when using key material from HSM via PKCS11. (NEVISAUTH-4085)
  • NEW: The X509Login auth state has a new configuration option loadFileSystemFirst, which allows to switch the load order of the key material when the cryptoMaterialSupplier is configured to ldapwithfilesystem. By default, LDAP is loaded first and the filesystem afterwards, configuring loadFileSystemFirst=true will first load the key material from the file system. (NEVISAUTH-4439)
  • NEW: We added OpenTelemetry metrics listing the configured auth state classes for analytical purposes. (NEVISAUTH-4503)
  • NEW: Supporting PostgreSQL version 15.4. (NEVISAUTH-4564)
  • NEW: We added support for using JWT Bearer Token for Client Authentication in Authorization Server. (NEVISAUTH-4397)
  • NEW: We added support for JWT Bearer Grant. (NEVISAUTH-4512)
  • NEW: We introduced the property relayState.transformation to disable automatic RelayState encoding for ServiceProviderState. (NEVISAUTH-3972)

nevisAuth 7.2311.0.6 - 15.11.2023

Changes and new features

Breaking changes

  • REMOVED: The FileSystemOOCDService is removed. For testing purposes use the LocalOutOfContextDataStore configuration (in-memory). For production purposes use the RemoteOutOfContextDataStore configuration (SQL-based). By default there is no OOCD configured as it is only required for certain use-cases. In case the use of OOCD is attempted when not configured it will throw an error at runtime. SAML and OAuth2 / OIDC flows both require OOCD. Also in any case if you used the OOCD in your esauth4.xml EL expressions or ScriptStates or custom java AuthStates. Visit Appendix K for additional information. (NEVISAUTH-4329)
  • REMOVED: The El expression variables AuthDateUtils, DateFormatUtils, DateUtils, DateTimeZone, DateTime are removed. Use the following java.time classes instead: Duration, DateTimeFormatter, Instant, LocalDate, LocalDateTime, ZonedDateTime, ZoneOffset, ZoneId, ChronoUnit. Visit Appendix J For more see: tutorial and specification. (NEVISAUTH-4128)
  • REMOVED: We removed the deprecated SapTicketValidator auth state. (NEVISAUTH-4126)
  • REMOVED: We removed the deprecated FrontendKerberosAuthState and BackendKerberosAuthState auth states. The replacement for the FrontendKerberosAuthState is the KerberosLoginAuthState. The BackendKerberosAuthState has no replacement. (NEVISAUTH-3823)
  • REMOVED: We removed the deprecated auth states ch.nevis.esauth.auth.states.standard.Dispatcher and ch.nevis.esauth.auth.states.jndi.DomainDispatcher. For dispatching purposes use the ConditionalDispatcherState instead. (NEVISAUTH-4131)
  • REMOVED: We removed the deprecated demo auth states ClientCertInfo and ClientCertFingerprint. (NEVISAUTH-4213)
  • REMOVED: We removed the deprecated AuthHandoverState. (NEVISAUTH-4214)
  • REMOVED: We removed the undocumented AuthDispatcher auth state. (NEVISAUTH-4445)
  • REMOVED: We removed the deprecated aspsmssoap chanel in the Tan auth state, use the http channel instead. (NEVISAUTH-4135)
  • REMOVED: We removed the third-party dependencies commons-collections, commons-lang, commons-digester, commons-beanutils which are optional dependencies of Jradius. In case if those would be required for your use-case, add those manually to the AuthState classpath. (NEVISAUTH-4164)
  • REMOVED: We removed the joda-time third-party dependency. (NEVISAUTH-4128)
  • REMOVED: We removed the commons-io third-party dependency. (NEVISAUTH-3887)
  • REMOVED: We removed the bcprov-jdk15on and bcpkix-jdk15on third-party dependencies (replaced by jdk18on). (NEVISAUTH-4115)
  • REMOVED: We removed the jcan-log and jcan-optrace third-party dependencies. OpTrace logging is replaced by OpenTelemetry. (NEVISAUTH-4089)
  • REMOVED: We removed the backwards compatibility system property ch.nevis.esauth.wstrust.SecurityTokenService.SecTokenHackURI. (NEVISAUTH-2098)
  • REMOVED: We removed the deprecated configuration option crlExpirationTolerance in the X509Login auth state, use the replacement revocationCheckExpirationTolerance instead. (NEVISAUTH-3931)
  • REMOVED: Breaking changes in nevisAuth API and internal classes. Visit Appendix L (NEVISAUTH-3931)
  • REMOVED: The configuration option connectionMaxRetry of the remote session store was removed, no longer used with the new HikariCP based connection pooling. (NEVISAUTH-4097)
  • REMOVED: The configuration and notes property smtpHost and smtpPort of the SendMail and the Tan auth states are removed. Use mail.smtp.host and mail.smtp.port instead. (NEVISAUTH-4201)
  • REMOVED: The deprecated http://www.adnovum.ch/schema/nevis_sectoken.xsd TokenType in the RequestSecurityToken object for the SecurityTokenService is removed, use http://nevis.ch/nevisauth/xsd/secToken#CSSO-1.0 instead. We no longer guess a default TokenType if none specified, clients must send the TokenType. (NEVISAUTH-4239)
  • REMOVED: jcan-saml is now streamlined to it's sole purpose: verify SAML Assertions. Generation, signing and command line utilities are removed and jcan-saml-tools is discontinued. (NEVISAUTH-4134)
  • REMOVED: Deprecated methods and command line utilities in jcan-sectoken are removed. (NEVISAUTH-3856)
  • REMOVED: Custom SessionId generation by configuring your custom class using "file://..." in the sessionIdRandomBytes is removed. (NEVISAUTH-4381)
  • REMOVED: The deprecated securityLevel attribute of the esauth-server element in the esauth4.xml is removed. (NEVISAUTH-4387)
  • REMOVED: The syncDelay, syncRefreshInterval attributes of the RemoteSessionStore are removed. (NEVISAUTH-4387)
  • REMOVED: The session option of the service.binding configuration option was removed. The session bound web service client was not saved in the database therefore rendering the option useless in most setups. This option could be configured in the SecurityTokenServiceClient, RadiusAuthState, MobileSignatureState. The default value remains thread. (NEVISAUTH-4424)
  • REMOVED: The legacyjdbc provider option for the RemoteSessionStore is removed. (NEVISAUTH-4279)
  • REMOVED: JavaScript support for the ScriptState is removed. Use groovy scripts instead. (NEVISAUTH-4369)
  • CHANGED: OOCD, Session and SecToken related interfaces are changed to use Instant and Duration types instead of Date and long. The useGmt configuration option is removed from the TokenSpec in the TokenAssembler (default was useGmt=true). Note that in case you used useGmt=false in the TokenAssembler the system will be switched to use UTC and all currently valid sectokens in your system will become invalid as the issue date is part of the signature. (NEVISAUTH-4173)
  • CHANGED: We now set the java.io.tmpdir system property by default to /var/opt/nevisauth/<instance>/tmp. When nevisAuth is started, Jetty unpacks the nevisauth .war file there and requires it at runtime. Originally the system /tmp folder was used for this purpose, however at some cases it can happen that a system cleanup job deletes the Jetty prefixed directories which causes nevisAuth to return errors. (NEVISAUTH-4461)
  • CHANGED: The default mail.transport.protocol is now stmps. In case you didn't specify this, properties defined as mail.smtp will not work anymore. Change those to mail.smtps. (NEVISAUTH-4201)
  • CHANGED: The nevisAuth session API only accepts String attribute values. Previously it was possible to add any value. If it was not a String, a warning was logged and it was not saved to the database. This change can be tricky with ScriptStates as groovy does not do type-safe checks for the session Map used in the scripts. It is possible to add and retrieve a non String value inside the script, but a java.lang.ClassCastException happens in Java, to make finding errors easier nevisAuth will actively check for such cases after the execution of the script and throw an error detailing what is wrong. In your scripts you might have to change the behaviour to store a String value, by either changing your logic, or serialising your object to a String. (NEVISAUTH-4424)
  • CHANGED: New Jetty version used in nevisAuth performs more strict validation for TLS connections. The SNI will be checked for matching the hostname in the configured certificate. (NEVISAUTH-4089)
  • CHANGED: The SQL based OOCD and remote session store user and password configuration fallback for the attributes are also applied if they are set to be empty. Schema user password now falls back together with the schema user, not independently. An empty user or password for the data user is no longer accepted. (NEVISAUTH-4480)
  • UPGRADED: We upgraded the groovy third-party dependencies to version 4.0.15. See groovy 4 release notes for changes. (NEVISAUTH-4252)
  • UPGRADED: We upgraded from EL-API 2.0 to EL-API 5.0. You should check your existing EL statements used for compatibility. (NEVISAUTH-4109)
  • UPGRADED: We upgraded Servlet API to version 5. Migration from javax.servlet packages to jakarta.servlet. (NEVISAUTH-4089)
  • NEW: ScriptStates now automatically imports the following three nevisAuth classes: HttpClient, Http and HttpClients HttpClients is made available via binding, see the new way to create and use http clients below. Additionally, some of the most common classes from the java.time API. In case this causes a problem, this behaviour can be disabled by setting the addAutoImports configuration property to false.
  • NEW: ScriptStates can create an HTTP client using the new HttpClients.create() method which will take the configuration properties automatically from the ScriptState configuration. Note that this method will cache the HTTP Client per ScriptState instance (So each ScriptState have it's own HTTP Client), therefore it will not be recreated at every request. (In case this is not desired, you can resort to the previously available creation methods.) This feature is only available for the ScriptStates and it is not available in other places. For the same reason, you should not import HttpClients when using the new method. (That will result in a groovy exception that this method is not found.)
  • FIXED: We fixed the incorrect issue_date for refresh token. (NEVISAUTH-4469)

General Changes

  • FIXED: We fixed NPE when Authorization Request to Authorization Server without client_id. (NEVISAUTH-4403)
  • FIXED: Content Type header (cty) with value JWT is added for Access Tokens and ID Tokens that contain JWT tokens in the payload. (NEVISAUTH-4426).
  • FIXED: Type header (typ) with value JWT is added for the nested tokens within the payload of Access Tokens and ID Tokens. (NEVISAUTH-4426).
  • FIXED: auth_time claim is added to ID Tokens. (NEVISAUTH-4436).
  • FIXED: OAuth2 authorization request doesn't throw error from OOCD, the maximum length of the Client ID is limited to 500 characters. (NEVISAUTH-4401)
  • FIXED: The SessionCoordinator accidentally releasing the writelock on the session when calling getSession in case the session was already writelocked from the same thread. This should only concern you if you directly use the SessionCoordinator in a custom auth state. Or if in a unit test you acquired the session for asserting some properties, in case the session was not released these test will possibly fail now (depending on what they are doing exactly). (NEVISAUTH-4442)
  • FIXED: The session object sometimes incorrectly returns the creation and last access time. This should only concern you if you built any logic on those fields. (NEVISAUTH-4382)
  • FIXED: The JWTToken and AccessTokenConsumer auth states now support private keys with elliptic curve algorithm when using PKCS11 integration. (Typically this is HSM) Note that in this case the keycurve parameter must be specified as the algorithm cannot be exctracted from the key itself. (NEVISAUTH-4449)
  • FIXED: The killSessions method of SessionCoordinator stopped killing sessions when an invalid session was found in the list of sessions to be killed. (NEVISAUTH-4382)
  • CHANGED: Sessions are now actively removed from the local session store on invalidation. Previous fix allowing the session reaper to remove invalid sessions remains in place as a safety mechanism. Session invalidation is issued by ThottleSessionState and SAML logout (via the logout nevisAuth operation). (NEVISAUTH-4405).
  • CHANGED: The MobileSignatureState is now using the CMS implementation from BouncyCastle instead of PKCS7. (NEVISAUTH-3814)
  • CHANGED: The SapTicketIssuer is now using the CMS implementation from BouncyCastle instead of PKCS7. The auth state is no longer deprecated. (NEVISAUTH-4376)
  • CHANGED: Method lookup in the EL expressions in esauth4.xml changed to prefer method matches with exact arguments than varargs. Previously the result of an expression could become unpredictable in case of using a method which also had a vararg variant. The result was randomly changing based on the order the methods were returned by reflection. Example expression method call susceptible to this error: StringUtils.join. (NEVISAUTH-4180)
  • CHANGED: The deprecated Java X509Certificate.getSubjectDN() and X509Certificate.getIssuerDN() method calls were replaced in the nevisAuth codebase. nevisAuth used the non standard Java formatting getSubjectDN().getName() for getting the String DN representation. To remain backwards compatible we use X509Certificate.getSubjectX500Principal().toString() which executes the same formatting as the old one. Note that X509Certificate.getSubjectX500Principal().getName() will use RFC-2253 formatting, which is different than the non standard format - in case if you have to change this in custom auth states. The following auth states are affected: X509Login, MobileSignatureState, WSSHeaderValidation, SAML. Additionally certificate handling in general and the SecurityTokenService. Furthermore non standard RDN attribute separator / is no longer supported in the X509Login. (NEVISAUTH-4132)
  • CHANGED: We now set the java.io.tmpdir system property by default to /var/opt/nevisauth/<instance>/tmp. When nevisAuth is started Jetty unpacks the nevisauth .war file there and requires it at runtime. Originally the system /tmp folder was used for this purpose, however at some cases it can happen that a system cleanup job deletes the Jetty prefixed directories which causes nevisAuth to return errors. (NEVISAUTH-4461)
  • CHANGED: Added back the connectionMaxLifeTime for the remote session store and default value is now 1800000 (30 minutes). (NEVISAUTH-4473)
  • NEW: Added RHEL 9 support. (NEVISAUTH-4421)
  • UPGRADED: We upgraded the Bouncy castle third-party dependency to version 1.76. (NEVISAUTH-4115)
  • UPGRADED: We upgraded the checker-qual third-party dependency to version 3.39.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the commons-lang3 third-party dependency to version 3.13.0. (NEVISAUTH-4420)
  • UPGRADED: We upgraded the jhlabs filters third-party dependency used in the CaptchaState to version 2.0.235-1. (NEVISAUTH-4124)
  • UPGRADED: We upgraded the FastInfoset third-party dependency to version 2.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jackson third-party dependencies to version 2.15.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta-activation-api, jakarta-annotation-api, jakarta-inject, jakarta-json-api third-party dependencies to version 2.1.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta-json-bind third-party dependency to version 3.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta-validation third-party dependency to version 3.0.2. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta.ws.rs.api third-party dependency to version 3.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta.xml.bind-api, jakarta.xml.ws-api third-party dependency to version 4.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta.xml.soap-api third-party dependencies to version 3.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the javassist third-party dependency to version 3.29.0-GA. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jaxws-rt third-party dependency to version 4.0.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jersey third-party dependencies to version 3.1.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jetty third-party dependencies to version 11.0.17. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.10. (NEVISAUTH-4163)
  • UPGRADED: We upgraded the HikarCP third-party dependency to version 5.0.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the hk2-api third-party dependency to version 3.0.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the hk2-locator third-party dependency to version 3.0.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the hk2-utils third-party dependency to version 3.0.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the guava third-party dependency to version 32.1.3-jre. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.23. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the log4j third-party dependencies to version 2.20.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.2.0. (NEVISAUTH-4420)
  • UPGRADED: We upgraded the mimepull third-party dependency to version 1.10.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the nimbus oicd sdk third-party dependency to version 11.2. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the ldap-unboudid third-party dependency to version 6.0.10. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the opensaml third-party dependencies to version 4.3.0. (NEVISAUTH-4075)
  • UPGRADED: We upgraded the org.eclipse.persistence.asm third-party dependency to version 9.4.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the org.eclipse.persistence.core, org.eclipse.persistence.moxy third-party dependencies to version 4.0.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the saaj-impl third-party dependency to version 3.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.9. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the stax-ex third-party dependency to version 2.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the streambuffer third-party dependency to version 2.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the xmlbeans third-party dependency to version 5.1.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the yasson third-party dependency to version 3.0.2. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.0. (NEVISAUTH-4075)
  • UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4393)
  • DEPRECATED: Third party library commons-codec is deprecated, now only used as a transitive dependency while it is needed. (NEVISAUTH-4169)

nevisAuth 4.40.3.0 - 06.10.2023

Changes and new features

General Changes

  • FIXED: SAML SP-initiated SOAP logout doesn't fail with a NullPointerException anymore. (NEVISAUTH-4444)
  • FIXED: Access tokens are now signed with ES256 algorithm instead of RS256 in case using Elliptic Curve keys. (NEVISAUTH-4427)

nevisAuth 4.40.2.2 - 25.09.2023

Changes and new features

General Changes

  • FIXED: We fixed parallel requests producing a StaleSessionException when using the same nevisAuth session. The issue happened in the case when one of them killed the session. (NEVISAUTH-4422).
  • FIXED: The local session reaper now removes invalid sessions from memory to avoid filling it up. The issue can raise when using ThottleSessionState or SAML logout (via the logout nevisAuth operation). (NEVISAUTH-4405).
  • FIXED: We fixed an error in the state handling of the session which caused the initial session state information to be lost when synchronizing to the database. This could cause that the pre genereated session id was not used despite printing the warning "Keeping existing session to honor sessionIdPreGenerate". The fix is only applicable to new sessions, existing sessions cannot be fixed. (NEVISAUTH-4017)
  • FIXED: Content Type header (cty) with value JWT is added for Access Tokens and ID Tokens that contain JWT tokens in the payload. (NEVISAUTH-4426).
  • FIXED: Type header (typ) with value JWT is added for the nested tokens within the payload of Access Tokens and ID Tokens. (NEVISAUTH-4426).
  • FIXED: auth_time claim is added to ID Tokens. (NEVISAUTH-4436).
  • FIXED: The incorrect default file path was corrected to "/opt/nevisauth/plugin" which was producing the error Skipping unreadable file or directory on classPath: /opt/nevisauth/plugin/lib. This happens in the case when the auth state classPath is set together with a classLoadStrategy="PARENT_LAST". In this case the path "/opt/nevisauth/plugin" is automatically added to the auth state classPath as the last entry. (NEVISAUTH-4433).

nevisAuth 4.40.1.0 - 30.08.2023

Changes and new features

General Changes

  • FIXED: We have removed the validation between client_id in the token and client_id in AuthorizationHeader for token introspection endpoint. (NEVISAUTH-4402).

nevisAuth 4.40.0.10 - 16.08.2023

Changes and new features

Manual DB patching required for OOCD

This release requires manually patching the SQL-based OOCD - if it is in use. Refer to the breaking changes section below.

Breaking changes

  • FIXED: The SQL OOCD incorrectly storing system default timezone timestamps in the reap_timestamp column. (The remote session store is not affected) After the fix always UTC timestamps will be stored. Existing data can be migrated with the following script if required. (in case your nevisFIDO instance was NOT running in UTC, or existing sessions are required to keep consistent) UPDATE nevisauth_out_of_context_data_service SET reap_timestamp = CONVERT_TZ(reap_timestamp, 'Europe/Zurich', 'UTC'); Replace the proper timezone information in the script where nevisAuth was running! When you check the data, note that mysql or any other client will convert timestamps to the timezone of the session. So in order to see the UTC timestamp values in your sql client you have to change your client's session timezone to UTC in the current session: SET @@session.time_zone = '+00:00';. (NEVISAUTH-4265)
  • CHANGED: The default remote session connector is replaced with a HikariCP based implementation which is now matching the OOCD implementation. The old behaviour is available via configuring provider="legacyjdbc". This fallback option will be removed in the November release. The new implementation also brings new properties: connectionSchemaUser, connectionSchemaPassword which are used when connectionAutomaticDbSchemaSetup is enabled (by default it is) to create the tables. In case of existing setups you might have to create a schema user or set the connectionAutomaticDbSchemaSetup to false. (if no schema user is provided nevisAuth will fall back on the regular connection user and if that has no table creation priviledges it will fail) Other new property is the connectionTimeout. Also note that since the MySQL support was removed in the May release this new implementation will throw an error if a MySQL jdbc url is configured. (The old implementation did not forbid that) (NEVISAUTH-4279)
  • CHANGED: Align default timestamp behaviour on database level to avoid having the MariaDB behaviour defined here for update operations. nevisAuth at this point is not affected. For non docker based setups the following script should be manually run. (NEVISAUTH-4285)
ALTER TABLE `TNSSA_AUTH_SESSION_CACHE` MODIFY COLUMN `ABSTO` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE `nevisauth_out_of_context_data_service` MODIFY COLUMN `reap_timestamp` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);

General Changes

  • FIXED: There is no NullPointerException printed into the log when an unauthenticated request calls the PAR endpoint. (NEVISAUTH-4248)
  • FIXED: We added a validation for Token Revocation service between client_id of the token and client_id that belong to authenticated call. (NEVISAUTH-3997)
  • FIXED: The RelyingPartyState is now correctly using the nevisAuth HttpClient and adheres to the httpclient.* configuration options. It was using the HttpUrlConnection to access jwks_uri. (NEVISAUTH-4295)
  • FIXED: Excessive stacktraces printing java.lang.NoSuchMethodException on DEBUG level in EL expression evaluations is removed. (NEVISAUTH-4298)
  • FIXED: The getHttpHeader method in the request object is now also properly accessible from EL expressions in the esauth4.xml. (NEVISAUTH-4331)
  • FIXED: The SwissPhone TAN channel incorrectly sent UTF-8 encoded payload to the SMS provider. We now use ISO-8859-1 as stated by the provider specification. This fixes weird characters showing instead of umlauts in the text message for example. (NEVISAUTH-4321)
  • FIXED: The AuthorizationServer transition with invalid-redirect-uri now displays an error message on the UI instead of redirecting to the invalid uri. (NEVISAUTH-4362)
  • NEW: The AuthorizationServer and AccessTokenConsumer auth states now support Elliptic Curve (EC) keys besides RSA keys for Access Tokens. (NEVISAUTH-4358)
  • NEW: The AuthorizationServer auth state now supports ID Token encryption using keys from JWKS. You can either configure this inline, or in nevisMeta using the following properties for clients: jwks, jwksUri, idTokenEncryptedResponseAlg, idTokenEncryptedResponseEnc. As per specification, the encryption will be done when the idTokenEncryptedResponseAlg property is set and the keys will be taken from the jwks / jwksUri. Additionally we also added the property idTokenSignedResponseAlg which allows you to configure the ID Token signature algorithm. Further new properties are the openid.jwks.httpclient.* which will be used when downloading keys from the jwksUri. The changes above have no effect on the Access Token encryption / signing. (NEVISAUTH-4269)
  • NEW: The AuthorizationServer auth state now supports Refresh Token rotation. It can be enabled by setting the rotateRefreshToken property to true. (NEVISAUTH-4320)
  • NEW: We added support for the acr claim in the ID Token. To achieve this, we added a new property openid.acr_values_supported to the AuthorizationServer and acr_values to the RelyingPartyState. DiscoveryService returns the supported acr values in the acr_values_supported property. (NEVISAUTH-4341)
  • NEW: The AuthorizationServer auth state now supports mapping between custom scope(s) and custom claim(s). (NEVISAUTH-4352)
  • UPGRADED: We updated the checker-qual third-party dependency to version 3.36.0. (NEVISAUTH-4324)
  • UPGRADED: We updated the commons-codec third-party dependency to version 1.16.0. (NEVISAUTH-4324)
  • UPGRADED: We updated the commons-fileupload third-party dependency to version 1.5. (NEVISAUTH-4324)
  • UPGRADED: We updated the commons-io third-party dependency to version 2.13.0. (NEVISAUTH-4324)
  • UPGRADED: We updated the eclipse moxy third-party dependency to version 2.7.12. (NEVISAUTH-4280)
  • UPGRADED: We updated the Groovy third-party dependency to version 3.0.18. (NEVISAUTH-4324)
  • UPGRADED: We updated the Guava third-party dependency to version 32.1.1-jre. (NEVISAUTH-4324)
  • UPGRADED: We updated the Jackson third-party dependency to version 2.15.2. (NEVISAUTH-4280)
  • UPGRADED: We updated the Jaxb & Jaxws-rt third-party dependency to version 2.3.6. (NEVISAUTH-4280)
  • UPGRADED: We updated the Jaxrs third-party dependency to version 2.39.1. (NEVISAUTH-4280)
  • UPGRADED: We updated the Jetty third-party dependency to version 9.4.51.v20230217. (NEVISAUTH-4280)
  • UPGRADED: We updated the Joda time third-party dependency to version 2.12.5. (NEVISAUTH-4280)
  • UPGRADED: We updated the json-smart third-party dependency to version 2.5.0. (NEVISAUTH-4280)
  • UPGRADED: We updated the libphonenumber third-party dependency to version 8.13.17. (NEVISAUTH-4324)
  • UPGRADED: We updated the ldap unboundid third-party dependency to version 6.0.9. (NEVISAUTH-4324)
  • UPGRADED: We updated the log4j third-party dependency to version 2.20.0. (NEVISAUTH-4324)
  • UPGRADED: We updated the Nimbus OAut2 SDK third-party dependency to version 10.11. (NEVISAUTH-4324)
  • UPGRADED: We updated the MariaDB jdbc driver third-party dependency to version 3.1.4. (NEVISAUTH-4324)
  • UPGRADED: We updated the slf4j third-party dependency to version 2.0.7. (NEVISAUTH-4324)
  • UPGRADED: We updated the woodstock third-party dependency to version 6.5.1. (NEVISAUTH-4324)
  • DEPRECATED: The remote session store property connectionMaxRetry is deprecated and will be removed without a replacement as it belongs to the old connector implementation. Similar behaviour can be controlled by the new connectionTimeout property. (NEVISAUTH-4279)
  • NEW: A new experimental KerberosLoginAuthState is now available and will replace the functionality of the deprecated FrontendKerberosAuthState in the November 2023 release. For further details see the updated Kerberos Integration chapter and the description of the KerberosLoginAuthState. (NEVISAUTH-4193)
  • DEPRECATED: JavaScript support for the ScriptState is deprecated and will be removed in the November 2023 rolling release. (NEVISAUTH-4369)
  • DEPRECATED: Custom SessionId generation by configuring your custom class using "file://..." in the sessionIdRandomBytes is deprecated and will be removed in the November 2023 release. (NEVISAUTH-4381)
  • DEPRECATED: The securityLevel attribute of the esauth-server element in the esauth4.xml is deprecated and will be removed in the November 2023 release. (NEVISAUTH-4387)
  • EXPERIMENTAL: Introduced support for PostgreSQL 15.0-15.3 databases for the Remote Session Store and the OutOfContextDataService. (NEVISAUTH-4390)
  • NEW: The Http Clients supplied by nevisAuth can now be configured programatically. (NEVISAUTH-4350)

nevisAuth 4.39.3.1 - 07.08.2023

Changes and new features

  • FIXED: We fixed nevisAuth cannot understand some data from nevisMeta. (NEVISAUTH-4291)

nevisAuth 4.39.2.0 - 10.07.2023

Changes and new features

  • FIXED: We fixed NPE for IdentityProviderState when SP is not configured. (NEVISAUTH-4304)
  • FIXED: We fixed the expired SecToken causing HTTP 500 error when trying to acquire the sessionId. This case is handled the same if the session is not found, or if it is already removed. (NEVISAUTH-4297)
  • FIXED: We fixed the concurrency issue where that SAML message sign and signature verification threads sometimes used wrong keys in case HSM was configured. (NEVISAUTH-3952)

nevisAuth 4.39.1.0 - 05.06.2023

Changes and new features

  • FIXED: We fixed the incorrect calculation of the absolute timeout (absto), when the reaperTimeoutTolerance was not set. It's default value, 10% of the sessionMaxLifetime, was improperly calculated. This bug was introduced in the 2023 February release. (NEVISAUTH-4272)
  • FIXED: We fixed a concurrency issue in the DocumentProcessor and ConditionalDocumentProcessor auth states, which caused errors when the documents were refreshed. These errors occurred, because the document object was constructed using lazy initialization. This is no longer the case, which might increase memory usage when dealing with big xml documents. In case you experience a problem with this change, you can use the parser.lazyLoading backwards compatibility flag to restore the old behaviour. (NEVISAUTH-4268)

nevisAuth 4.39.0.6 - 17.05.2023

Changes and new features

Breaking changes

  • CHANGED: The nevisauth-test-authstateharness testing framework and the nevisAuth SDK examples now use JUnit 5. (NEVISAUTH-3865)
  • CHANGED: We simplified the JSON event logging in nevisAuth. The nevisevents-1.1.6.2.jar has been removed, the system property -Dch.nevis.events.config is no longer used and nevisevents.xml is not used. To enable the JSON event logging configure the ch.nevis.esauth.events logging category in the logging.yml to INFO. To disable it configure the ch.nevis.esauth.events logging category to FATAL. The previous logging category nevis.events is no longer effective, replace that with ch.nevis.esauth.events. Note that previously this logging category did not exists, therefore the logging level of the root logger will be applied to older nevisAuth instances. (NEVISAUTH-3937)
  • CHANGED: We added a validation for the token endpoint request. From now on the AuthorizationServer will not accept requests of a confidential client using an authentication method that doesn't match the one specified in the configuration of this client. If the authentication method for a confidential client is not set in the configuration, it's assumed to be client_secret_basic, as the standard mandates. (NEVISMETA-1859)
  • REMOVED: We removed the nevis-common-commons-1.0.10.0.jar library from nevisAuth, what was required from those for nevisAuth are now part of the nevisAuth code. (NEVISAUTH-3937)
  • REMOVED: We removed the UsernameToken auth state. Use the WSSHeaderValidation instead with the transition untoken. (NEVISAUTH-4056)
  • REMOVED: We removed the custom database driver setting mechanism using Class.forName() for the remote session store. In kubernetes environments this sporadically caused nevisAuth to hang on startup, which was caused by a static intializer block deadlock between java.sql.DriverManager and org.mariadb.jdbc.Driver. Now the determination of which database driver should be used is entirely decided by the JDBC drivers on the classpath based on the supplied JDBC url. In case you use MySql, the database driver is determined by the implementation details of the driver. (NEVISAUTH-4076)
  • REMOVED: Deprecated sectoken formats 0.9, 1.0, ASN1-1.0 are removed. Recommended format is CSSO-1.0. (NEVISAUTH-4011)
  • REMOVED: We removed the vmargs legacy command in administrative cli. Use the nevisauth <instance> config env to configure the JAVA_OPTS. (NEVISAUTH-3134)
  • REMOVED: We removed the deprecated MySQL support in the remote session store. (NEVISAUTH-4078)

General Changes

  • UPGRADED: We updated the Jackson third-party dependency to version 2.15.0. (NEVISAUTH-3964)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.10. (NEVISAUTH-4163)
  • UPGRADED: We upgraded Snakeyaml third-party dependencies to version 2.0. (NEVISAUTH-3964)
  • NEW: AuthRequest now have a method getHttpHeader(String headerFieldName) to allow getting HTTP headers case insensitively in the esauth4.xml, custom auth states and groovy script states. (NEVISAUTH-4059)
  • NEW: We introduced Force Pushed Authorization Requests configuration for Authorization Server. (NEVISMETA-1857)
  • NEW: We added setting for Force Pushed Authorization Requests Endpoint configuration for OAuth2 Server Metadata/OIDC Discovery endpoint. (NEVISMETA-1857)
  • NEW: We added REST service for Force Pushed Authorization Requests Endpoint. (NEVISMETA-1857)
  • NEW: We added option client_secret_post for tokenEndpointAuthMethod in AuthorizationServer. (NEVISMETA-1858)
  • CHANGED: ConsentState now creates HttpClient per auth state, not per request. (NEVISAUTH-3596)
  • CHANGED: The excessive warning message renderElement evaluated to 'null' is now only logged on debug level. (NEVISAUTH-4096)
  • CHANGED: Logging of the OAuth2 metadata that was newly fetched from nevisMeta is moved to DEBUG from INFO in OAuth2 logger. (NEVISAUTH-4185)
  • CHANGED: The excessive warning message AuthState '<AuthState>' did not specify a GUI descriptor for GUI 'null'. HINT: if this AuthState displays a GUI, check the configuration is now only logged on debug level. (NEVISAUTH-3757)
  • CHANGED: Some startup related log messages from EsAuthSv and AuthEngine are moved to EsAuthStart. (NEVISAUTH-4225)
  • FIXED: The httpclient.connection.timeout was handled incorrectly causing the value set to be ignored and defaulting to a 3minute timeout. This property now properly commands the connection & socket timeout together. New default value is a more reasonable 30 seconds. (NEVISAUTH-4063)
  • FIXED: We fixed the issue where special characters in the input validation triggered an error: org.mozilla.javascript.EvaluatorException: missing ; before statement. (NEVISAUTH-3222)
  • FIXED: We removed the excessive stacktrace printing on DEBUG log level in case of the message No resource found for. (NEVISAUTH-4111)
  • FIXED: We fixed the incorrectly calculated x5t#S256 value by the JWTToken auth state. (NEVISAUTH-4198)
  • FIXED: We fixed the issue that the OAuth 2.0 Authorization Server Metadata endpoint sometimes showed outdated information. (NEVISAUTH-4242)
  • FIXED: We fixed the error handling of the StaleSessionException, which incorrectly caused authentication call failure. Normally some events should be only logged on info level. (NEVISAUTH-4256)
  • DEPRECATED: The SAPTicketIssuer and SAPTicketValidator auth states are deprecated, they will be removed in one of the the upcoming releases. (NEVISAUTH-4126)
  • DEPRECATED: Previously deprecated auth states ch.nevis.esauth.auth.states.standard.Dispatcher and ch.nevis.esauth.auth.states.jndi.DomainDispatcher will be removed in the upcoming releases. For dispatching purposes use the ConditionalDispatcherState instead. (NEVISAUTH-4131)
  • DEPRECATED: The method getHttpHeaderFromRequest in the AuthState base class is deprecated and will be removed in one of the upcoming releases. Use the new request.getHttpHeader instead. (NEVISAUTH-4059)
  • DEPRECATED: The verifySignature, verifyTrust, ignoreDataEncryption, ignoreKeyEncryption, extractX509SignerCertOnly and allowNamespaceQualifiedPasswordTypes configuration options in the WSSHeaderValidation auth state are deprecated and planned to be removed without replacement. (NEVISAUTH-3522)
  • DEPRECATED: The configuration and notes property smtpHost and smtpPort of the SendMail and the Tan auth states are deprecated and will be removed in one of the upcoming releases. Use mail.smtp.host and mail.smtp.port (or mail.smtps.host and mail.smtps.port if you defined smtps, more about smtps here) instead. (NEVISAUTH-4201)
  • DEPRECATED: The demo auth states ClientCertInfo and ClientCertFingerprint are deprecated and will be removed in one of the upcoming releases. (NEVISAUTH-4213)
  • DEPRECATED: The locale property of the SecurityTokenServiceClient is deprecated and will be removed without a replacement in one of the upcoming releases. By deault UTC is used. (NEVISAUTH-4173)
  • DEPRECATED: The useGmt property of the TokenSpec configuration in the esauth4.xml is deprecated and will be removed without a replacement in the future. The default value is true. (NEVISAUTH-4173)
  • DEPRECATED: In the ScriptStates the oocd has been deprecated before and we described that it will be replaced by the dataPersistenceService. We realized this might be not ideal, therefore we going to keep the oocd and remove the dataPersistenceService in the 2023 November release. Note that deprecated methods in the oocd will be removed. (NEVISAUTH-4150)
  • DEPRECATED: The default file based OOCD is deprecated and will be removed in the 2023 November release. For production setups SQL based implementation is recommended. For testing purposes an in memory replacement will be introduced. (NEVISAUTH-4150)
  • DEPRECATED: All deprecated nevisAuth API will be consolidated in the 2023 November release. Most of these will be removed and migration to recommended alternatives will be required. Some will be un-deprecated. (NEVISAUTH-4150)

nevisAuth 4.38.4.0 - 18.04.2023

Changes and new features

  • FIXED: We fixed the incorrectly calculated x5t#S256 value by the JWTToken auth state. (NEVISAUTH-4198)
  • FIXED: We fixed the issue that in some cases nevisAuth could not parse the OAuth2 metadata fetched from nevisMeta. (NEVISAUTH-4210)
  • FIXED: We added missing required property id_token_signing_alg_values_supported of OpenID Connect Discovery service. (NEVISAUTH-4238)

nevisAuth 4.38.3.0 - 27.03.2023

Changes and new features

  • CHANGED: To protect better against XML Signature Wrapping Attacks, we count the number of Response and Assertion elements in SAML responses. (NEVISAUTH-4152)

nevisAuth 4.38.0.12 - 15.02.2023

Changes and new features

Breaking changes

  • CHANGED: All HTTP client implementations of nevisAuth and the corresponding auth states have been replaced with a new implementation, visit Appendix H for more details. (NEVISAUTH-3513)
  • CHANGED: We did a major cleanup in the session handling, which has 2 implications for custom AuthStates: the LocalSession type was merged into the Session type, the SessionCoordinator interface now contains all operations accessed by AuthStates therefore the LocalSessionCoordinator was deleted. (NEVISAUTH-3902)
  • CHANGED: Breaking changes in the session configuration. The SessionCache element is removed, configuration attributes are redistributed to the SessionCoordinator, SessionIndexing, LocalSessionStore and RemoteSessionStore elements. Most of the default values changed. Documented in more details in the migration guide. (NEVISAUTH-3902)
  • REMOVED: We renamed the Store logging category to LocalSessionStore and Syncer to RemoteSessionStore. (NEVISAUTH-3902)
  • REMOVED: We removed the name, mode, proxyTarget, proxyProvider, sessionCheckAccessOnly, sessionEstablishedAccessOnly, joinPolicy attributes and the AccessController, HandoverPolicy, Monitor child elements from the SessionCoordinator section of the esauth4.xml. (NEVISAUTH-3902)
  • REMOVED: We removed the name, notifierThreads attributes and the StaticSessionMember child element from the SessionCache section of the esauth4.xml. (NEVISAUTH-3902)
  • REMOVED: We removed the AccessController child element from the AuthEngine section of the esauth4.xml. (NEVISAUTH-3902)
  • REMOVED: The deprecated AdfsTokenRequester auth state has been removed without replacement. (NEVISAUTH-3654)
  • REMOVED: The deprecated SwissPhoneXml TAN channel has been removed, use the SwissPhone TAN channel instead. (NEVISAUTH-3645)
  • REMOVED: The deprecated EMI/UCP TAN channel is removed without a replacement. (NEVISAUTH-3472)
  • REMOVED: The ch.nevis.esauth.auth.states.saml.AuthnRequestProvider is removed without a replacement. (NEVISAUTH-3945)
  • REMOVED: The ch.nevis.esauth.auth.states.saml.ProviderCommon is removed without a replacement. (NEVISAUTH-3945)
  • REMOVED: The ch.nevis.esauth.auth.states.saml.SAMLProtocolDispatcher is removed without a replacement. (NEVISAUTH-3945)
  • REMOVED: The deprecated AssembleInArgs, CreateSessionState, SetIntoSession, AddEncodedOutArgs, AddSecurityRole, OutArgsToSession auth states are removed and superseeded by the TransformAttributes. Note that the TransformAttributes does not keep the order of the property elements in the esauth4.xml, so do not rely on the order of how the variables are defined. Additionally, the syntax =~ is no longer supported in the condition of the property name. (NEVISAUTH-3971)
  • REMOVED: The http support in DocumentProcessor and ConditionalDocumentProcessor AuthStates property parser.schema is removed. (NEVISAUTH-3658)
  • REMOVED: The dependency jcan-sec is removed. In case you used packages ch.nevis.jcan.sec.tools.* in your AuthState, you can replace that functionality with standard Java features or Bouncy Castle. (NEVISAUTH-3862)
  • REMOVED: Configuration file esauth4.management.xml used only for v1 and v2 nevisAdmin is removed. (NEVISAUTH-2520)
  • REMOVED: The backwards compatibility flag useStaticIv is removed. You can no longer enable insecure encryption in ReadFromCacheState, ConditionalDocumentProcessor, and TransformAttributes. (NEVISAUTH-2695)
  • REMOVED: We removed the Groovy test libraries groovy-test, groovy-test-junit5, groovy-testng and their dependencies from /opt/nevisauth/plugin/. As Groovy is used in ScriptStates, it cannot use test classes in production code. (NEVISAUTH-3938)
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.6, which has a breaking change in custom AuthStates testing setups. Instead of log4j-slf4j-impl, use the new log4j implementation log4j-slf4j2-impl. (NEVISAUTH-3956)
  • UPGRADED: We upgraded the mariadb-java-client third-party dependency to version 3.1.2. In case you used configuration parameters in the JDBC url check the removed options here. Other notable difference is that the driver no longer sets certain properties including the autocommit check your database configuration and add the ?autocommit=true to your connection url if needed. The new driver also allows better logging options, see here. (NEVISAUTH-3977)

General Changes

  • NEW: AuthorizationServer now supports response_mode=form_post for the authorization code flow. (NEVISAUTH-3596)
  • NEW: AuthorizationServer with dataSource=nevismeta can now skip for a while the metadata updates triggered by an unknown client. (NEVISAUTH-3918)
  • NEW: acsUrlWhitelist.uris in IdentityProviderState supports Asterisk wildcard at the beginning and end of the URIs. (NEVISAUTH-3949)
  • NEW: Experimental feature: Configure acsUrlWhitelist.uris.refresh.period in IdentityProviderState to automatically refresh the value of acsUrlWhitelist.uris. The feature works with classic VM deployments only. (NEVISAUTH-3949)
  • NEW: For the JWTToken auth state, you can now configure the Key Identifier kid header parameter. (NEVISAUTH-3839)
  • NEW: The JWTToken auth state now automatically generates the X.509 certificate SHA-256 thumbprint header parameter x5t#S256 when a private key is supplied as part of the auth state configuration. (NEVISAUTH-3839)
  • NEW: Gui element labels now support the usage of expression language (EL), for example: <Gui name="account" label="#{something == 'someting' ? 'title.no_account' : 'title.account'}"> (NEVISAUTH-3675)
  • NEW: Gui element has an additional optional attribute renderElement with expression language (EL) support. This attribute defines whether the gui element will be sent to nevisLogRend to be rendered. (NEVISAUTH-3675)
  • NEW: AuthorizationServer now supports response_mode=form_post for the authorization code flow. (NEVISAUTH-3596)
  • CHANGED: StringUtils, StringEscapeUtils, DateFormatUtils, DateUtils used in esauth4.xml expressions now uses commons-lang3, which is backwards compatible. (NEVISAUTH-1864)
  • CHANGED: HttpClients in AuthStates are now created at AuthState initialization and not per request processing. Connection pooling can be properly configured now. (NEVISAUTH-4010)
  • CHANGED: Communication between nevisAuth and nevisMeta configured in the AuthorizationServer uses the ETag and the If-None-Match headers. You have to upgrade nevisMeta to 1.18.x.y before upgrading nevisAuth to 4.38.x.y. (NEVISAUTH-3918)
  • FIXED: RadiusFacade was filling up the memory with diagnostic messages in ThreadLocal of the worker thread. The issue is now fixed. (NEVISAUTH-3891)
  • FIXED: Java Util Logging messages were incorrectly logged in /var/log/messages due to previous log4j2 upgrade causing the JUL bridging to not work correctly. The proper configuration is now added automatically at runtime. In case you relied on checking the message "JAX-WS servlet initializing" to see if nevisAuth is started, you have to enable com.sun.xml.ws on INFO level to still see this message. (NEVISAUTH-3826)
  • FIXED: Too long errorDetail triggering IOException in OperationFailedEvent and OperationOngoingEvent. The errorDetail is now trimmed in case if it is exceeding the limit. (NEVISAUTH-3933)
  • FIXED: Access token generated by refresh token and client credential grant missing issuer. We now added issuer to the access token. (NEVISAUTH-3922)
  • FIXED: AuthorizationServer initiated excessive requests towards nevisMeta when multiple requests arrived having client was not found. We introduced several improvements in this area. (NEVISAUTH-3840)
  • FIXED: Invalid negative Token TTL values are set to 0 (zero). If this occurs, a debug message is generated Session already expired because notAfter has passed. Setting ttl=0". (NEVISAUTH-3999)
  • FIXED: Fixed a locking failure in the process of upgrading sessions to the authenticated state when idPreGenerate is enabled and the session has been already authenticated once. A warning is also introduced telling that this state is a likely missconfiguration in the system. (NEVISAUTH-4014)
  • FIXED: Fixed failure to create SecTokens using Securosys HSM key material. Sideaffect of NEVISAUTH-3838 introduced in the November release. (NEVISAUTH-4018)
  • NEW: AuthorizationServer now supports response_mode=form_post for the authorization code flow. (NEVISAUTH-3596)
  • UPGRADED: We upgraded the checker-qual third-party dependency to version 3.29.0. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the eclipse moxy third-party dependency to version 2.7.11. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the Groovy third-party dependency to version 3.0.14. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the jackson third-party dependency to version 2.14.1. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the Jaxen third-party dependency to version 2.0.0. (NEVISAUTH-4021)
  • UPGRADED: We upgraded the Jetty third-party dependency to version 9.4.50.v20221201. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the joda-time third-party dependency to version 2.12.2. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.5. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.6. (NEVISAUTH-3953)
  • UPGRADED: We upgraded the snakeyaml third-party dependency to version 1.33. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the ldap unboundid third-party dependency to version 6.0.7. (NEVISAUTH-3953)
  • UPGRADED: We upgraded the woodstox-core third-party dependency to version 6.5.0. (NEVISAUTH-3953)
  • DEPRECATED: commons-lang version 2 is replaced with commons-lang3 in the nevisAuth codebase. We recommend to replace commons-lang version 2 in your custom AuthState. Version 2 is planned to be removed once it is not required by third-party dependencies. (NEVISAUTH-1864)
  • DEPRECATED: In the future, nevisAuth will upgrade the internal jcan-sectoken library to version 2.x. This will remove support for ASN1 tokens. This step is necessary from a maintenance and security aspect as the ASN1 token support relies on proprietary libraries Nevis has no control over. (NEVISAUTH-3984)
  • DEPRECATED: The syncDelay, syncRefreshInterval and syncThreads attributes of the RemoteSessionStore are deprecated. (NEVISAUTH-3936)
  • DEPRECATED: The AuthHandoverState auth state is deprecated. (NEVISAUTH-3934)
  • DEPRECATED: The UsernameToken auth state is deprecated, use the WSSHeaderValidation instead. (NEVISAUTH-3940)

nevisAuth 4.37.1.1 - 30.11.2022

Changes and new features

General Changes

  • FIXED: AuthorizationServer initiated excessive requests towards nevisMeta when multiple requests arrived having client was not found. We introduced several improvements in this area. (NEVISAUTH-3840)
  • FIXED: Too long errorDetail triggering IOException in OperationFailedEvent and OperationOngoingEvent. The errorDetail is now trimmed in case if it is exceeding the limit. (NEVISAUTH-3933)
  • FIXED: RadiusFacade was filling up the memory with diagnostic messages in ThreadLocal of the worker thread. The issue is now fixed. (NEVISAUTH-3891)
  • NEW: AuthorizationServer AuthState now uses pooled connections towards nevisMeta. Maximum size of the connection pool can be configured via nevismeta.http.connection-manager.max-total. (NEVISAUTH-3840)

nevisAuth 4.37.0.2 - 16.11.2022

Changes and new features

Breaking changes

  • REMOVED: The deprecated ch.nevis.esauth.auth.states.jndi.ConditionalDispatcherState is removed, use the ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState instead. Package rename only. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.mtan.MTANMailAuthState is removed, use the ch.nevis.esauth.auth.states.tan.TANState instead. AuthState rename only. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.sectoken.SecTokenAssembler is removed, use the ch.nevis.esauth.auth.states.sectoken.TokenAssemblerState instead. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.standard.AuthCheckSingleSession is removed, use the ch.nevis.esauth.auth.states.standard.ThrottleSessionsState instead. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.standard.SOAPDispatcher is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.standard.SendMailis removed, use the ch.nevis.esauth.auth.states.mail.SendMail instead. Package rename only. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.saml.Consumeris removed, use the ch.nevis.esauth.auth.states.saml.ServiceProviderState instead. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.saml.Provider is removed, use the ch.nevis.esauth.auth.states.saml.IdentityProviderState instead. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.saml.RequestProcessor is removed, use the ch.nevis.esauth.auth.states.saml.IdentityProviderState instead. (NEVISAUTH-3822)
  • REMOVED: The deprecated SAML 1.1 ch.nevis.esauth.auth.states.saml.SAMLAssertion is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: The deprecated SAML 1.1 ch.nevis.esauth.auth.states.saml.SAMLResponse is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: The deprecated SAML 1.1 ch.nevis.esauth.auth.states.saml.SAMLResponse_WLS is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.wsTrustClient.WsTrustClientState is removed, use the ch.nevis.esauth.auth.states.wstrust.SecurityTokenServiceClient instead. (NEVISAUTH-3822)
  • REMOVED: The deprecated ch.nevis.esauth.auth.states.xml.SecTokenSecuredUrlDomProvider is removed, use the ch.nevis.esauth.auth.states.xml.DynamicIntervalUrlDomProvider instead. This is a utility class. (NEVISAUTH-3822)

General Changes

  • DEPRECATED: The ch.nevis.esauth.auth.states.saml.AuthnRequestProvider is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3822)
  • DEPRECATED: The ch.nevis.esauth.auth.states.saml.ProviderCommon is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3822)
  • DEPRECATED: The ch.nevis.esauth.auth.states.saml.SAMLProtocolDispatcher is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3822)
  • DEPRECATED: The Kerberos AuthStates are deprecated and is planned to be replaced with a new implementation in a future release. (NEVISAUTH-3823)
  • DEPRECATED: The http support in DocumentProcessor and ConditionalDocumentProcessor AuthStates property parser.schema is deprecated. (NEVISAUTH-3658)
  • DEPRECATED: The AdfsTokenRequester auth state is deprecated without replacement, is planned to be removed in the next release. (NEVISAUTH-3654)
  • DEPRECATED: The old SwissPhoneXml TAN channel is deprecated, use the SwissPhone TAN channel instead. (NEVISAUTH-3645)
  • DEPRECATED: Resource pools are deprecated and is planned to be removed without a replacement in a future release. (NEVISAUTH-3657)
  • DEPRECATED: Configuration section Monitor in the esauth4.xml is deprecated. (NEVISAUTH-2700)
  • DEPRECATED: Configuration file esauth4.management.xml is deprecated, and used only for v1 and v2 nevisAdmin. (NEVISAUTH-2520)
  • DEPRECATED: The EMI/UCP channel in the TANState AuthState is deprecated. (NEVISAUTH-3472)
  • DEPRECATED: Supplying custom SessionCoordinator implementation via the system property ch.nevis.esauth.sess.SessionCoordinator is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3902)
  • DEPRECATED: SessionCoordinator attribute mode is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3902)
  • DEPRECATED: SessionCoordinator property AccessController mode is deprecated and is planned to be removed without a replacement in the next release. (NEVISAUTH-3902)
  • CHANGED: Discovery endpoint shows subject_type_support when AuthorizationServer set openid.support to true. (NEVISAUTH-3779)
  • CHANGED: JWKs Service or JWKs URI must set when AuthorizationServer set openid.support to true. (NEVISAUTH-3779)
  • CHANGED: We now validate upon nevisAuth startup that the SecToken signer privateKey and certificate are matching key material pairs. (NEVISAUTH-3838)
  • FIXED: Fixed a png string comparison issue in the CaptchaState. (NEVISAUTH-3765)
  • FIXED: Fixed a session flag string comparison issue in the MobileSignatureState. (NEVISAUTH-3765)
  • FIXED: Fixed locking related performance issue in the session cache which caused general response time spikes when the session reaper run and the EnablePollTerminatedCalls was set to true in the esauth4Connector in nevisProxy. (NEVISAUTH-3781)
  • FIXED: Improved exception handling of invalid sessions to reduce the number of error logs and stacktraces in scenarios where this is to be expected. (NEVISAUTH-3727)
  • FIXED: Inconsistent remote and local session cache leading to a StackOverflowError. (NEVISAUTH-3726)
  • FIXED: All certificates are now correctly parsed from KeyObjects into SecToken trust. (NEVISAUTH-3291)
  • UPGRADED: jetty third party dependency is upgraded to version 9.4.49.v20220914. (NEVISAUTH-3804)
  • UPGRADED: checker-qual third party dependency is upgraded to version 3.25.0. (NEVISAUTH-3804)
  • UPGRADED: groovy-all third party dependency is upgraded to version 3.0.13. (NEVISAUTH-3804)
  • UPGRADED: jackson third party dependency is upgraded to version 2.13.4. (NEVISAUTH-3804)
  • UPGRADED: joda-time third party dependency is upgraded to version 2.11.1. (NEVISAUTH-3804)
  • UPGRADED: libphonenumber third party dependency is upgraded to version 8.12.55. (NEVISAUTH-3804)
  • UPGRADED: log4j2 third party dependency is upgraded to version 2.19.0. (NEVISAUTH-3804)
  • UPGRADED: snakeyaml third party dependency is upgraded to version 1.32. (NEVISAUTH-3788)
  • UPGRADED: unboundid-ldapsdk third party dependency is upgraded to version 6.0.6. (NEVISAUTH-3804)
  • UPGRADED: oauth2-oidc-sdk third party dependency is upgraded to version 9.43.1. (NEVISAUTH-3805)
  • NEW: client.[clientId].secret in AuthorizationServer supports resolving configuration value from external variables. See chapter Passwords in the configuration in the reference guide for more details. (NEVISAUTH-3791)
  • NEW: clientSecret in RelyingPartyState supports resolving configuration value from external variables. See chapter Passwords in the configuration in the reference guide for more details. (NEVISAUTH-3791)
  • NEW: We introduced the property out.post.relayStateEncoding for encode post binding RelayState for IdentityProviderState. (NEVISAUTH-3800)

nevisAuth 4.36.1.1 - 31.08.2022

Changes and new features

General Changes

  • FIXED: After upgrading oauth2-oidc-sdk library, the client_id in Access Token was wrapped wrongly as { "value": "<client_id>" }. Now the wrapping is fixed. (NEVISAUTH-3766)

nevisAuth 4.36.0.4 - 17.08.2022

Changes and new features

Breaking changes

  • REMOVED: The deprecated HttpAuthState is removed. Refer to the ScriptState [documentation] for replacement options.

General Changes

  • FIXED: We fixed the bug where the Long Access token TTL resulted in incorrect backlisting time. (NEVISAUTH-3627)
  • FIXED: SAML AuthStates are now able to handle AuthNRequests without issuer. (NEVISAUTH-3635)
  • FIXED: We fixed the duplicated key index definition in SqlOOCDService implementation. The change affects the automatic table creation in the nevisAuth component. No automatic migration is provided. The side-effect of the current behaviour is increased disk space usage, as the key index values are stored twice. (NEVISAUTH-3626)

To fix or migrate existing systems, delete the duplicate index, assuming that the table definition from the reference guide or by the nevisAuth component are used:

DROP INDEX IF EXISTS key_idx ON nevisauth_out_of_context_data_service;

If a custom SQL script was used to create the database table, or it is not clear which index should be deleted, the following statement can be used to list indexes:

SHOW indexes FROM nevisauth_out_of_context_data_service;

If docker-based DB images are used, no changes are required.

  • FIXED: OIDC Introspection now uses proper URI for refresh tokens stored in nevisMeta. (NEVISAUTH-3688)
  • FIXED: We fixed the java.lang.NoSuchMethodException: com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl in the WS-Trust 1.4 SecurityTokenService. (NEVISAUTH-3699)
  • FIXED: The admin CLI now correctly lists instances located in a symlink directory. (NEVISAUTH-3718)
  • FIXED: We fixed the exception "Could not initialize SSL context: TLSV1_2 SSLContext not available" in AuthStates using the AuthHttpClient when specifying SslContextType TLSV1.2. (NEVISAUTH-3740)
  • NEW: We introduced the property nevismeta.http.protocol.content-charset for AuthorizationServer to understand UTF-8 response body from nevisMeta. (NEVISAUTH-3630)
  • NEW: OAuth 2 server metadata/OIDC discovery endpoint can now be set to userinfo endpoint. (NEVISMETA-1744)
  • NEW: TANState configuration option autoRegenerate now allows the automatic regeneration of a new TAN to be disabled, if the maximum number of retries is exhausted. (NEVISAUTH-3420)
  • NEW: AuthorizationServer can now be set to Terms of Service, Policy, jwks and token_endpoint_auth_method for each client. (NEVISMETA-1749)
  • NEW: OAuth 2 server metadata/OIDC discovery endpoint now shows the correct token_endpoint_auth_method by combining data from clients. (NEVISMETA-1744)
  • NEW: SELinux policy templates are now available at /opt/nevisauth/selinux. (NEVISAPPLIANCE-567)
  • CHANGED: OAuth Token Introspection Endpoint always returns Bearer as the token_type in the response. (NEVISAUTH-3674)
  • UPGRADED: oauth2-oidc-sdk third-party dependency is upgraded to version 9.37.2. (NEVISAUTH-3669)
  • UPGRADED: Jackson third party dependencies are upgraded to version 2.13.3 (NEVISAUTH-3738).
  • UPGRADED: Jetty third party dependencies are upgraded to version 9.4.48.v20220622 (NEVISAUTH-3738)
  • UPGRADED: Log4j third party dependencies are upgraded to version 2.18.0 (NEVISAUTH-3738)
  • UPGRADED: Groovy-all third party dependency is upgraded to 3.0.11 (NEVISAUTH-3738)
  • UPGRADED: Checker-qual third-party dependency is upgraded to version 3.22.2. (NEVISAUTH-3738)
  • UPGRADED: Libphonenumber third-party dependency is upgraded to version 8.12.51. (NEVISAUTH-3738)
  • UPGRADED: Unboundid-ldapsdk third-party dependency is upgraded to version 6.0.5. (NEVISAUTH-3738)

nevisAuth 4.35.1.1 - 07.05.2022

Changes and new features

General

  • FIXED: We fixed the inappropriate handling for DeferredResponse in SAMLContext. (NEVISAUTH-3697)
  • FIXED: java.lang.NoSuchMethodException: com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl in the WS-Trust 1.4 SecurityTokenService. (NEVISAUTH-3699)
  • FIXED: OIDC Introspection uses proper URI for refresh tokens stored in nevisMeta. (NEVISAUTH-3688)

nevisAuth 4.35.0.8 - 18.05.2022

Changes and new features

Breaking changes

  • CHANGED: The previous bc and jcan-log logging using log4j1 is replaced by slf4j using log4j2. Jcan-log is now only used by the jcan-optrace, which relies on the slf4j implementation of jcan-log (NEVISAUTH-3519)

Log4j1 / Log4j2 incompatibility

Log4j2 uses different a configuration structure than log4j1, and they are not compatible. If you are not using nevisAdmin4, you have to migrate the logging configuration manually. Check the default template supplied in the RPM: /opt/nevisauth/template/conf/logging.yml.

NevisAuth requires a logging.yml file in the instance config directory. If it is missing, or the file is incorrectly formatted, a default configuration logs into the stdout which can be viewed in the systemd journal.

nevisAuth now uses log4j2 via Slf4j. In case of custom-developed Java AuthStates, delivering the Slf4j jar together with your custom AuthState can cause issues. The general recommendation is to define every dependency with a scope that is already provided by nevisAuth.

  • CHANGED: The logging interface from bc is changed to slf4j in Java AuthStates and ScriptStates. IF you use any of the methods marked with red, your AuthState breaks, as these methods are not available in slf4j. Note that this only covers regular logging methods, not the exotic utility methods available in the bc interface.
bcslf4j
enter(Object self, String method)enter(Object self, String method, Object params)Possible replacement: trace(String msg)trace(String format, Object arg)
leave()leave(Object result)Possible replacement: trace(String msg)trace(String format, Object arg)
error(String text)error(String text, Throwable exc)error(Throwable exc)error(String msg)error(String format, Object arg)…
warning(String text)warn(String msg)warn(String format, Object arg)…
info(String text)info(String msg)info(String format, Object arg)…
debug_low(String text)debug_med(String text)debug_high(String text)debug(String text)debug(String msg)debug(String format, Object arg)trace(String msg)trace(String format, Object arg)…
emergency(String text)alert(String text)critical(String text)msg(Severity severity, String text)msg(Severity severity, String text, Throwable exc)notice(String text)
  • CHANGED: The automatic reload of logging configuration is supported by using the monitorInterval property of log4j2. The previous configuration option ch.nevis.tracing.refresh is removed. (NEVISAUTH-3519)
  • CHANGED: When processing an empty key, such as the default value of a GUI label, against the LitDict, an exception is no longer thrown, but an empty result is generated instead. (NEVISAUTH-3536)
  • CHANGED: There is a minor change in the RPM structure. The content of the server directory is now in lib. The original lib directory contained duplicated entries compared to the WAR file. Sub-folders under the plugin directory are exploded, all sub-directories are removed. This only has an effect if you extract internal artifacts (not recommended) from the RPM for third-party AuthState development. (NEVISAUTH-3546)
  • CHANGED: The path attribute of the JWKs REST service has changed its meaning and its default value. The parameter is now the whole path of the service instead of only the base part. This means that we do not add anything automatically to the value of the parameter for building the path of the service. We also changed its default value according to this new approach. (NEVISAUTH-3453)
  • REMOVED: The NevisSyslogAppenderis no longer available. As a replacement we suggest SocketAppender. You can find the reasons and an example in the Logging configuration / Syslog section in the reference guide. (NEVISAUTH-3519)
  • REMOVED: The Oracle JDBC and MSSQL JDBC jar are no longer bundled into the application, download them manually from Oracle and Microsoft. This only affects the JDBCAuthState. See the updated description on how to add the manually downloaded jars. (NEVISAUTH-3086)
  • REMOVED: The eCH SAML extensions called eCH-0113 is no longer supported. The ch.glue.suisseid:sdk:1.1.0 dependency is removed to improve security, as it is no longer in active use. (NEVISAUTH-3598)
  • UPGRADED: Jradius third-party dependency is upgraded to version 1.1.5. It is now downloaded from maven central as net.jradius:jradius-coreinstead of the previous org.coova.jradius:jradius-core. Additionally, net.jradius:jradius-extended is no longer shipped as it is not required for the SecuridAuthenticateState.Note that some third-party extensions in the protocol might still require the library, and that can cause issues in your setup. In such a case, open a support ticket. (NEVISAUTH-3546)
  • REMOVED: The deprecated server [TLS configuration property] require-client-auth is removed. Use the successor client-auth instead. (NEVISAUTH-3610)
  • UPGRADED: Groovy-all dependency is upgraded to 3.0.10. This can break ScriptStates if you use any syntax that changed between version 2.4.21 and 3.0.10. See the following sections in the Groovy release notes for breaking changes: Split package changes (from beta-2), Other breaking changes. Note, that the groovy-all artifact is now a "meta" artifact, which depends on all other groovy artifacts. The groovy-all-<version>.jar no longer exists, there is a separate jar for each artifact. (NEVISAUTH-3576)
  • UPGRADED: Jdom third-party dependency is upgraded to version 2.0.6.1. Note that this can break custom Java and Groovy AuthStates, if you use the package org.jdom. Version 2.x provides org.jdom2 package naming, so org.jdom no longer works. (NEVISAUTH-3473)

General

  • NEW: We introduce the Oauth2 Authorization Server Metadata/OIDC discovery endpoint. Now nevisAuth returns the metadata of the AuthorizationServer AuthStates specified in the configuration. For more information, see [REST service implementations]
  • NEW: We introduce integration testing support for Custom Java and Groovy AuthState development through existing artifacts. The AuthStateHarness is now part of nevisAuth SDK, containing examples for both Java and Groovy AuthState testing. Note, that this is a medium term solution only. The long term solution is under discussion. For more details, see the new testing chapter in the SDK documentation shipped as part of the SDK in the nevisAuth RPM, or separately on the [documentation home]
  • NEW: We introduce an Experimental REST endpoint to manage sessions. It supports terminating multiple sessions belonging to the same user. For more information, see the [REST service implementations section] in the Reference guide. (NEVISAUTH-3558)
  • FIXED: We fixed the inappropriate separator handling for DeferredResponse in SAMLContext. (NEVISAUTH-3426)
  • FIXED: We fixed the bug where nvluser, nvbuser and members of the nevisadmin group could not use the nevisAuth Admin CLI commands. (NEVISAUTH-3560)
  • FIXED: You can now verify ArtifactResponse by setting in.verify with ArtifactResponse. (NEVISAUTH-3530)
  • CHANGED: The AuthState#getHttpHeaderFromRequest() method visibility is upgraded to public. This allows custom auth states to obtain HTTP headers case-insensitively. (NEVISAUTH-3587)
  • CHANGED: The TransformAttributes auth state now supports AES encryption additionally with the modes CBC and GCM. (NEVISAUTH-3597)
  • UPGRADED: Auto-value third-party dependency is upgraded to version 1.9. (NEVISAUTH-3568)
  • UPGRADED: Checker-qual third-party dependency is upgraded to version 3.21.3. (NEVISAUTH-3568)
  • UPGRADED: Commons-cli third-party dependency is upgraded to version 1.5.0. (NEVISAUTH-3568)
  • UPGRADED: Commons-io third-party dependency tis upgraded o version 2.11. (NEVISAUTH-3470)
  • UPGRADED: Commons-lang3 third-party dependency is upgraded to version 3.12.0. (NEVISAUTH-3568)
  • UPGRADED: Commons-pool third-party dependency is upgraded to version 1.6. (NEVISAUTH-3568)
  • UPGRADED: Jackson third-party dependencies are upgraded to version 2.13.2. and jackson-dababind to 2.13.2.2 (NEVISAUTH-3568)
  • UPGRADED: Jaxb third-party dependency is upgraded to version 2.3.6. (NEVISAUTH-3568)
  • UPGRADED: Jaxrs-ri third-party dependency is upgraded to version 2.3.5. (NEVISAUTH-3471)
  • UPGRADED: Jetty third-party dependency is upgraded to version 9.4.45.v20220203. (NEVISAUTH-3568)
  • UPGRADED: Joda-time third-party dependency is upgraded to version 2.10.1. (NEVISAUTH-3568)
  • UPGRADED: Json-smart third-party dependency is upgraded to version 2.4.8. (NEVISAUTH-3468)
  • UPGRADED: Guava third-party dependency is upgraded to version 31.1-jre. (NEVISAUTH-3568)
  • UPGRADED: HikariCP third-party dependency is upgraded to version 4.0.3. (NEVISAUTH-3568)
  • UPGRADED: Libphonenumber third-party dependency is upgraded to version 8.12.45. (NEVISAUTH-3568)
  • UPGRADED: Mariadb-java-client third-party dependency is upgraded to version 2.7.5. (NEVISAUTH-3568)
  • UPGRADED: Rhino third-party dependency is upgraded to version 1.7.14. (NEVISAUTH-3568)
  • UPGRADED: Tinyradius third-party dependency is upgraded to version 1.1.3. (NEVISAUTH-3568)
  • UPGRADED: Unboundid-ldapsdk third-party dependency is upgraded to version 6.0.4. (NEVISAUTH-3568)
  • REMOVED: We removed default heapdump and GC settings from default env.conf configuration template. (NEVISAUTH-3600)

nevisAuth 4.34.0.4 - 16.02.2022

Changes and new features

Breaking changes

  • NEW: Introduced a new parameter nestedJWSAccessTokenfor AuthorizationServer to define how JWS Access Token is generated (nested or not). By default, the JWS Access Token is generated in a non-nested form. (NEVISAUTH-3464)
  • CHANGED: LitDict files are loaded as UTF-8 character encoded files by default, instead of ISO-8859-1. There is no automatic migration for existing LitDict files. The configuration option to control the character encoding during LitDict file loading still exists but was deprecated. For more information, see Language support. (NEVISAUTH-3477)

General

  • NEW: Introduced singleLogoutURL configuration properties in the IdentityProviderState to use endpoints for logout different to the assertion consumer service endpoints of the ServiceProvider. For more information, see IdentityProviderState. (NEVISAUTH-3230)
  • NEW: Introduced Token Revocation REST Endpoint to revoke access token and refresh token. For more information, see REST service implementations. (NEVISAUTH-3434)
  • UPDATE: Token Introspection Service now checks whether the requested token was revoked in advance. (NEVISAUTH-3433)
  • UPDATE: New property introspectionService for AccessTokenConsumer to call to TokenIntrospection Endpoint and check the token still active or not before continue validation. For more information, see AccessTokenConsumer. (NEVISAUTH-3433)
  • NEW: RelyingPartyState and OAuth2ClientState now support variable substitution in the property clientSecret. (NEVISAUTH-3411)
  • NEW: Introduced in.max_issue_age for [ServiceProviderState] to verify IssueInstant issued time. It allows to verify max age of AuthnInstant and IssueInstant separately. (NEVISAUTH-3315)
  • NEW: Introduced the JSON Web Key Set (JWKS) endpoint. Now nevisAuth returns the key set of the AuthorizationServer AuthStates specified in the configuration. For more information, see REST service implementations. (NEVISAUTH-3371)
  • NEW: Token Introspection Service and AccessTokenConsumer AuthState now can validate against JWS access token. (NEVISAUTH-3451)
  • NEW: Encode original URL of RelayState in ServiceProviderState before sent to IdentityProviderState. For more information, see ServiceProviderState. (NEVISAUTH-3341)
  • FIXED: nevisAuth did not start up when the truststore configuration was not provided for disabled client-auth. The issue is now fixed. (NEVISAUTH-3460)
  • FIXED: The ScriptStates could not access the actor certificate in the request due to a NullPointerException. The issue is now fixed. (NEVISAUTH-3505)
  • FIXED: Incorrect absolute timeout of unauthentic sessions (authentication flows not yet reached AUTH_DONE) synchronized into the Remote session cache. The incorrect behavior also caused excessive warning messages before. (NEVISAUTH-3033)

So far the absolute timeout for the Remote session cache was always 24h + syncRemoteSessionAbsToTolerance. From now on, the absolute timeout for unauthentic sessions is properly set based on the initialMaxLifetime configuration option. Therefore you might have to set a different value for the initialMaxLifetime to experience the same behavior as before.

Your setup is involved if the syncUnauthenticSessions SessionCache property is set to true in the esauth4.xml. By default, it is false, and it is a not documented flag intended to be used in Kubernetes setups. It is officially not supported in on-premise installations.

  • NEW: Added database index to the documentation for the Remote session cache. It can help with response time spikes when caused by a slower remote session store reaper (therefore blocking other database operations). There is no automatic database migration. (NEVISAUTH-3416)
ALTER TABLE TNSSA_AUTH_SESSION_CACHE ADD INDEX (ABSTO);
  • DEPRECATED: The system property ch.nevis.esauth.litdict.charset.encoding to control the character encoding during LitDict file loading was deprecated. For more information, see Language support. (NEVISAUTH-3477)
  • REMOVED: The supplied log4j version 1.2.17 is patched to remove vulnerable classes org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class. (NEVISAUTH-3491)
  • REMOVED: The previously deprecated Couchbase support of the out-of-context data service is removed completely. (NEVISAUTH-3466)

nevisAuth 4.33.0.8 - 17.11.2021

Changes and new features

Using the update installation option of package managers corrupts the installed files under /opt/nevisauth. To fix this issue, do the following:

  1. Uninstall the nevisAuth package.
  2. Reinstall the nevisAuth package.

This issue is caused by the package manager update running the post-uninstall script in the old package after the installation of the new package. The post-uninstall script assumes a different directory structure under /opt/nevisauth from what the new package has, which causes it to remove files from the new installation. Manually uninstalling and reinstalling the package solves this issue.

  • UPGRADED: javax.mail:mail 1.4.7 to com.sun.mail:jakarta.mail 2.0.1

  • NEW: We introduced the new property allowRedirect for the RelyingPartyState and OAuth2ClientState AuthStates. Using this attribute, you can enable or disable redirecting to the original request link after authentication by the OpenID Connect identity provider. For more information see RelyingPartyState or OAuth2ClientState.

  • NEW: We introduced SAML Single Logout Flow with SOAP binding as an option for IdentityProviderState and ServiceProviderState. For more information see IdentityProviderState or ServiceProviderState.

  • NEW: A TokenIntrospectionService configured with only one AuthorizationServer AuthState can now be accessed without the AuthorizationServer AuthState name. For more information see REST service implementations.

  • NEW: We introduced the new encryptAccessToken property for AuthorizationServer that allows returning an AccessToken in JWS format. For more information see AuthorizationServer.

  • NEW: We introduced the new property nevismeta.updateMetadataWhenClientNotFound for AuthorizationServer that can control the cache update mechanism of nevisAuth from nevisMeta if a client is not found in its current cache.

  • NEW: The TokenIntrospectionService can now be protected with Basic Authentication. For more information see REST service implementations.

  • NEW: IdentityProviderState is now able to handle assertionConsumerServiceIndex in AuthnRequest. For more information see IdentityProviderState

  • NEW: We introduced the syncRemoteSessionIndexFormat property in session synchronization to control the format of the session index value used in the remote session cache. For more information, see "Session synchronization" in "Session management".

  • NEW: We introduced a new logger, DbPerformance. On INFO level, it logs the response time of the queries to the Remote session store and the Out of context data store. On DEBUG, it also logs the SQL statement and the parameters.

  • CHANGED: TokenIntrospectionService now returns all the claims that are available in the token.

  • FIXED: We fixed an issue that caused TokenIntrospectionService to crash with the error message "java.lang.IllegalStateException: The output stream has already been closed". The issue occurred with an incorrect AuthorizationServer name request parameter.

  • FIXED: RelyingPartyState can now understand the callback from IdP without a query string while using ResponseMode="form_post".

  • FIXED: We fixed a possible JDBC error which could break the retry mechanism of Session synchronization.

  • FIXED: We fixed the unknown login application issue when using compatLevel="none". The issue was caused by a missing domain attribute in the GuiDescriptor sent to nevisLogRend**.

  • REMOVED: Some Admin CLI commands are deprecated and will be removed with the November Rolling Release. For more information, see Appendix I - Admin CLI and RPM installation changes introduced with 4.33.0.8.

    • AUTH_SIGNER_TRUSTSTORE and AUTH_SIGNER_KEYSTORE were mixed up in the default esauth4.xml configuration template in the KeyStore section, switch the values for these if you use them.
    • AUTH_SIGNER_PKCS11_TOKENLABEL is no longer supported
    • The encSecret command is removed, use the pipe:// syntax instead in the esauth4.xml.

nevisAuth 4.32.1.1 - 25.10.2021

Changes and new features

  • NEW: Introduced a new logger DbPerformance. On INFO level, it logs response the time of the queries to the Remote session store and the Out of context data store. On DEBUG level, it also logs the SQL statements and the parameters.
  • FIXED: The retry mechanism of Session synchronization was broken because of a possible JDBC error. The issue is now fixed.
  • NEW: Introduced a new property syncRemoteSessionIndexFormat in session synchronization, to control the format of the session index value used in the remote session cache. For more information, see "Session synchronization" in "Session management".

nevisAuth 4.32.0.3 - 05.08.2021

Changes and new features

  • NEW: The Access Token now includes the iss field when OpenID Support is enabled. The value of the field is extracted from the configuration property openid.issuerId. For more information, see the section "Configuration of the AuthorizationServer" in the chapter "AuthorizationServer" of the nevisAuth reference guide.
  • NEW: nevisAuth now includes a new AuthState: OAuth2ClientState. This new AuthState acts as a client for authorization requests with an OAuth2 identity provider. For more information, see the chapter "OAuth2ClientState" in the nevisAuth reference guide.
  • FIXED: The error message Unknown variable source 'litdict' erroneously appeared when you configured useLiteralDictionary="false" in the AuthEngine. This bug is fixed.
  • FIXED: No truststore information was returned in the case of SAML truststore validation errors. This bug is fixed.
  • FIXED: The hostname verification in a TLS server setting triggered misleading warning messages. Additionally, the description of the relevant hostname verification property server.tls.verify-hostname in the nevisAuth Reference Guide was incorrect. These issues are now fixed.
  • FIXED: When the AuthorizationServer received a token, it also checked for a secret even if the public client did not have a secret. This bug is fixed. From now on, the AuthorizationServer no longer checks for a secret if the public client does not have a secret.
  • UPGRADED: The following vulnerable dependencies have been upgraded: Jetty, Jackson, XMLBeans, Guava, and Groovy.

Groovy is upgraded from version 2.4.12 to 2.4.21. This can affect Groovy scripts used in ScriptStates. If this upgrade poses a problem that you cannot fix in the Groovy scripts, supply the desired Groovy version as described in the section "Installing a specific Groovy version" of the chapter "Writing scripts in Groovy" in the nevisAuth reference guide.

For more information on the available Groovy versions, see http://mvnrepository.com/artifact/org.codehaus.groovy/groovy-all.

  • DEPRECATED: Some Admin CLI commands are deprecated and will be removed with the November Rolling Release. For more information, see Admin CLI and RPM Installation Changes in 11.2021 RR Release.

nevisAuth 4.31.1.0 - 19.07.2021

Changes and new features

  • FIXED: The RelyingPartyState can handle the errors during the cancellation of the authentication process.

nevisAuth 4.31.0.1 - 05.05.2021

Changes and new features

  • NEW: All the data under the SCOPE field of SAML AuthnRequest is now propagated to notes.
  • NEW: The RelyingPartyState now has two more configuration properties for responseMode and clientAuthMethod.
  • FIXED: OAuth public client previously needed a client secret for login. OAuth public client now can log in without a client secret.
  • FIXED: The bug regarding URLs with commas has been fixed. It is now possible to store URLs that include commas in the SAMLContext.
  • FIXED: The RelyingPartyState can now use metadata from `http://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration for the providerConfiguration.
  • FIXED: Excessive warning logs in case the translation of LitDict messages were turned off in nevisAuth. The messages have been moved to the debug logging category.

nevisAuth 4.30.0.2 - 17.02.2021

Changes and new features

  • NEW: All data in the SCOPE field of a SAML AuthnRequest is now propagated to notes.
  • NEW: The AuthState TANState contains the following new configuration properties for the Swissphone channel:

For further details, see the chapter "TAN authentication plug-ins" of the nevisAuth Reference Guide.NEW: The debug logs can now list the sessions that will be removed by the remote session reaper. To enable this new feature, set the logging categorySyncer* to "DEBUG".

  • FIXED: The issue regarding the nevisMeta clients with the client resource attribute pkce_mode set to "s256-required". These clients are now enforced with code challenge.
  • FIXED: The bug regarding URLs with commas has been fixed. It is now possible to store URLs that include commas in the SAMLContext.
  • UPDATED: The HTTP client library used by the AuthState TANState (Swissphone channel) is updated.

nevisAuth 4.29.0.249 - 18.11.2020

Support for standalone deployment only

From this release on, only standalone deployment is supported, as mentioned in the "Nevis Product Lifetime and Platform Support Matrix".### Changes and new features

  • NEW: There is a new property available for client authentication in TLS settings: server.tls.client-auth. This property is the successor of the property server.tls.require-client-auth. It provides the options "required", "requested", and "disabled". The "old" property server.tls.require-client-auth is deprecated but remains backwards compatible. If you use the new property server.tls.client-auth, the system will ignore the property server.tls.require-client-auth and logs a warning.
  • FIXED: The bug where shutting down a nevisAuth standalone deployment caused interruptions of ongoing connections. When you now execute a stop command, nevisAuth waits with shutting down until all connections have finished, or until 30 seconds have passed (what comes first).
  • FIXED: The bug where the property delegateMode of the AttributeDelegater AuthState was not working properly.
  • UPDATED: The standalone container/HTTP server.
  • UPDATED: Log4j, to the latest minor version.

nevisAuth 4.28.0.230 - 24.07.2020

Changes and new features

  • NEW: nevisAuth now supports variable resolution for the arbitraryAuthRequestParam property of the RelyingPartyState. For more information see the description of the RelyingPartyStateAuthState.
  • NEW: The kid JOSE header value of the issued access and ID tokens can be configured by the new keyID property of the AuthorizationServer AuthState.
  • FIXED: The incorrect handling of "?" in the redirect URI of the AuthorizationServer AuthState has been fixed. The bug was fixed in the Nimbus oauth2-oidc-sdk library, which in certain cases incorrectly created "??" in the URI on redirect.

The content of /opt/nevisauth/plugin/thirdparty/oauth/ is changed due to the library upgrade. If you use the contents of that library in custom AuthStates, you may need to change the classPath setting of that specific AuthState and include the old libraries.

nevisAuth 4.27.0.210 - 20.05.2020

Changes and new features

  • NEW: nevisAuth now supports enabling hostname verification when client authentication is required in a standalone deployment. See the new verify-hostname attribute in the [Deployment Types]( section of the reference guide for additional information.
  • CHANGED: For security reasons, the [IdentityProviderState] now requires the property acsUrlWhitelist.urisand refuses to start without it. This breaking change was introduced to prevent opening the infrastructure to XSS attacks.
  • CHANGED: Form encryption is enforced in the server if it is configured in the GUI descriptor. In this case, nevisAuth does not accept non-encrypted information sent by the client and the authentication fails. This makes it easier for administrators to spot misconfiguration or potential manipulation attempts. Previous releases accepted unencrypted information in form encryption scenarios. For more information, see Form encryption.
  • FIXED: The bug where spaces inside JVM arguments in JAVA_OPTS environment variables in the env.conf configuration file for standalone deployments caused the following error: "Error: Could not find or load main class". This prevented nevisAuth from starting. As a solution, a new definition syntax as array has been introduced for JAVA_OPTS. Now it also allows comments to be used between new lines. The old string type definition is still supported, but to fix the previously mentioned error, you need to change the definition to the array type. For more information, see the section "Standalone" in the chapter "Deployment Types".

When directly using the server CLI to start nevisAuth, the manual sourcing of the env.conf configuration file is no longer necessary. See the example in the section "Example usage of the standalone CLI" in the chapter "Deployment Types".

nevisAuth 4.26.0.192 - 30.01.2020

Changes and new features

  • NEW: nevisAuth now supports variable resolution for the ttl attribute of the SubjectConfirmationExtender. For more information on the SubjectConfirmationExtender, see the description of the out.extension property of the [IdentityProviderState] AuthState.
  • NEW: The [CaptchaState]( AuthState contains the new property userInputCaptcha. This property specifies how the user input is provided.
  • CHANGED: nevisAuth now provides the SQL out-of-context data service [SqlOOCDService]( Couchbase-based out-of-context data service CouchbaseOOCDService.
  • CHANGED: SHA256 is now the default and recommended sign algorithm for SAML AuthStates.

There is an unlikely possibility that this change breaks existing environments. This may happen if no sign algorithm has been defined in the AuthState.

In the rare event that the upgrade to SHA256 does break your environment, downgrading back to SHA1 is not recommended. Rather, investigate how you can upgrade your environment to support SHA256.

  • FIXED: The bug that caused the nevisauth status command to write warning messages of type "lsof: WARNING: can't stat() ..." in the standard output (standalone deployment type).
  • FIXED: The SAML logout issue that occurred in a setup with multiple nevisAuth instances using a remote SQL session DB.
  • FIXED: The problem with the session binding returned by the [ScriptState](when the session was not defined.
  • DEPRECATED: The SessionCoordinator has been deprecated. There is no guarantee that custom AuthStates or ScriptStates using it will work in future releases.
  • DEPRECATED: The JBoss and WildFly deployments have been deprecated. They will be removed in the planned November 2020 release. It is recommended using standalone deployment instead.

nevisAuth 4.25.0.2 - 05.11.2019

Changes and new features

  • NEW: Variable expression resolution is now available for

  • NEW: nevisAuth now provides the [SQL out-of-context data service](.

  • NEW: It is now possible to configure the maximum HTTP header size in standalone mode. See Server Configuration Properties in the nevisAuth Reference Guide.

  • NEW: You can now specify that an OAuth 2.0 client requires the use of PKCE (to provide a code challenge) in the authorization flow. For more information, see PKCE: https://tools.ietf.org/html/rfc7636#section-4.4.1.

  • NEW: nevisAuth now offers support for OAuth 2.0 token introspection as defined in the RFC 7662 with nevisMeta. For more information, see [OAuth 2.0 Token Introspection](.

  • NEW: EL expression support is now available for the following properties:

    - out.ttl- in.audience.checkrequired- limitSessionLifetime**- out.sign.hashAlgorithm

  • CHANGED: nevisAuth does not require the OAuth 2.0 client to provide the client secret if the client is public. If you want to enforce the client to provide the secret, define the client as confidential.

  • CHANGED: For security reasons, the number of TLS protocols and ciphers supported by default by the standalone server has been reduced. See Server Configuration Properties in the nevisAuth Reference Guide for the updated list of supported ciphers and protocols.

This change might break existing deployments. If you use the protocols and ciphers supported by default and your clients do not support them, it is recommended updating your HTTP clients. If this is not possible, then:

  • CHANGED: For security reasons, nevisAuth will now use SHA256withRSA as a signing algorithm in case no algorithm is specified in the DynCert AuthState configuration.

In the unlikely case where this change will break your deployment, it is recommended upgrading the consumers of the certificate to support SHA256withRSA. If this is not possible, specify the use of SHA1withRSA in the configuration of the DynCert AuthState. For more information about the DynCert AuthState, see Dynamic Certificate Generation AuthState.

  • CHANGED: For security reasons, nevisAuth will now use SHA256withRSA to sign the SecTokens in case no algorithm is specified in the token assembler configuration.

In the unlikely case where this change will break your deployment, it is recommended upgrading the consumers of the SecToken to support SHA256withRSA. If this is not possible, specify the use of SHA1withRSA in the configuration of the token assembler. For more information about the token assembler configuration, see Token assembler.

  • CHANGED: When obtaining bearer tokens from the Token Endpoint in case of OAuth2 Authorization Code Grant or OpenID Connent Hybrid Flow, nevisAuth now calculates the issue and expiration time of the tokens based on the Token Request time. Previously, these calculations were based on the Authorization Request time.

The OAuth2 authorization codes issued with a previous version of nevisAuth cannot be exchanged after upgrading nevisAuth to this version. As a consequence, ongoing OAuth2 authentications might be interrupted after the upgrade.

  • FIXED: The issue regarding the default value of the validityPeriod attribute in the DynCertAuthState.
  • FIXED: The contention issue regarding the TANService when using the Swissphone channel.
  • FIXED: The issue regarding the use of initialization vectors *AuthState. Now, the use of randomly generated initialization vectors, instead of static initialization vectors, is recommended.

This change might break existing deployments for external clients relying on the encrypted content of the [TransformAttributes] AuthState.

Running in "Backwards Compatibility Mode"

It is recommended updating the external clients that are impacted by this change - see chapter TransformAttributes]* AuthState to "true". This will generate static initialization vectors as used in previous nevisAuth versions. Note that this backwards compatibility mode might be removed in future releases.

  • REMOVED: The backwards compatibility system property flag ch.nevis.session.jdbc.connector.store.absTo has been removed. This flag was introduced in nevisAuth 4.15.1.0.

This removal can break old setups where the ABSTO column is not available in the remote session cache database table TNSSA_AUTH_SESSION_CACHE.

In these cases, manually patch the database with the following SQL command:

ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD ABSTO TIMESTAMP NOT NULL;

If the ABSTOcolumn is not available, most probably the SESSION_INDEX column is missing as well. The column SESSION_INDEXwas introduced in nevisAuth 4.19.0.0. In the case of a missing SESSION_INDEX column, you can manually patch the database with the following SQL commands:

ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD SESSION_INDEX VARCHAR(255);
ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD INDEX (SESSION_INDEX);
  • REMOVED (breaking change): The binary /opt/nevisauth/bin/keystorepwget is no longer part of nevisAuth. In case this binary is used in configuration files, use the binary provided with nevisKeybox instead: /opt/neviskeybox/bin/keystorepwget.
  • REMOVED (breaking change): The undocumented system property ch.nevis.esauth.defaultpassphrasegetters.enable has been removed. This property is related to the removed binary /opt/nevisauth/bin/keystorepwget.
  • DEPRECATED: The CouchBase out-of-context data service has been deprecated. For more information about this service, see CouchBase out-of-context data service.