CHANGELOG-v3.adoc

3666 lines (1824 loc) · 116 KB

Change Log

AM - 3.18.21 (2023-06-28)

Other

  • Error on ECDSA token exchange #8990

AM - 3.19.14 (2023-06-28)

Other

  • Error on ECDSA token exchange #8990

AM - 3.20.8 (2023-06-27)

Other

  • Error on ECDSA token exchange #8990

AM - 3.21.2 (2023-06-26)

Other

  • Error on ECDSA token exchange #8990

AM - 3.21.1 (2023-06-09)

Gateway

  • [gateway][mfa] Allow OTP factor to handle clock drift issues #9074

  • [gateway][audit] It is impossible to see the user that consented the user consent in the audit log #9049

  • WebAuthn post login flow does not contain webAuthnCredentialId #8918

Other

  • [policies] allow Enrich User Profile policy to accept objects as new claims #9078

  • Column messages in i18n_dictionary_entries table has too few characters #9046

AM - 3.20.7 (2023-06-08)

Gateway

  • [gateway][mfa] Allow OTP factor to handle clock drift issues #9074

  • [gateway][audit] It is impossible to see the user that consented the user consent in the audit log #9049

  • WebAuthn post login flow does not contain webAuthnCredentialId #8918

Other

  • [policies] allow Enrich User Profile policy to accept objects as new claims #9078

  • Column messages in i18n_dictionary_entries table has too few characters #9046

AM - 3.19.13 (2023-06-08)

Gateway

  • [gateway][mfa] Allow OTP factor to handle clock drift issues #9074

  • [gateway][audit] It is impossible to see the user that consented the user consent in the audit log #9049

  • WebAuthn post login flow does not contain webAuthnCredentialId #8918

Other

  • Column messages in i18n_dictionary_entries table has too few characters #9046

AM - 3.18.20 (2023-06-08)

Gateway

  • [gateway][mfa] Allow OTP factor to handle clock drift issues #9074

  • [gateway][audit] It is impossible to see the user that consented the user consent in the audit log #9049

AM - 3.20.6 (2023-05-26)

Management API

  • [jdbc][liquibase] password history character not updated to the correct value

  • Users can’t log in after inline-idp update

AM - 3.19.12 (2023-05-26)

Management API

  • Users can’t log in after inline-idp update

AM - 3.18.19 (2023-05-26)

Management API

  • Users can’t log in after inline-idp update

AM - 3.21.0 (2023-05-25)

What’s new!

  • MFA - manage remember device with external IDP

  • MFA - support Orange Contact Everyone service to send SMS

  • Passwordless - enforce webauthn devices control

  • Passwordless - enforce password usage

  • Manage MFA factors that use username as SEED

  • Management - Change Username

  • CORS configuration on Security Domain level

  • [management-ui] [menu unification] integrate the gio-sub-menu component

Gateway

  • The same DOM element can have a different ID from one template to another #8884

  • AM - POST-login flow not executed when authenticating using WebAuthn #8918

  • SCIM - additionalInformation entries are lost when using PATCH method #8991

Management API

  • Create account with uppercase username #8966

  • [jdbc][liquibase] password history character not updated to the correct value

Console

  • Audit Log sort is broken #8662

Other

  • Mongodb: long running server side queries cause outage #8910

  • AM should audit USER_CREATED when using delegated OIDC authentication #8920

  • MFA: Invalid Factor Preventing User Logon #9019

  • update org.yaml:snakeyaml

  • Upgrade Snakeyaml dependency

  • Merge 3.20.3 to 3.21.x

AM - 3.20.5 (2023-05-02)

Management API

  • Create account with uppercase username #8966

Console

  • Audit Log sort is broken #8662

Other

  • MFA: Invalid Factor Preventing User Logon #9019

AM - 3.19.11 (2023-05-02)

Gateway

  • SCIM - additionalInformation entries are lost when using PATCH method #8991

Management API

  • Create account with uppercase username #8966

Console

  • Audit Log sort is broken #8662

Other

  • MFA: Invalid Factor Preventing User Logon #9019

AM - 3.18.18 (2023-05-02)

Gateway

  • SCIM - additionalInformation entries are lost when using PATCH method #8991

  • Do not display default "Internal Server Error" page #9000

Management API

  • Create account with uppercase username #8966

Console

  • Audit Log sort is broken #8662

Other

  • Mongodb: long running server side queries cause outage #8910

  • MFA: Invalid Factor Preventing User Logon #9019

Bug fixes

General

  • AM - POST-login flow not executed when authenticating using WebAuthn #8918

  • Do not display default "Internal Server Error" page #9000

  • Mongodb - long running server side queries cause outage #8910

  • SCIM - additionalInformation entries are lost when using PATCH method #8991

  • The same DOM element can have a different ID from one template to another #8884

Bug fixes

General

  • AM - POST-login flow not executed when authenticating using WebAuthn #8918

  • Mongodb: long running server side queries cause outage #8910

  • AM should audit USER_CREATED when using delegated OIDC authentication #8920

  • Merge 3.18.7 into 3.19.x #8986

  • The same DOM element can have a different ID from one template to another #8884

Bug fixes

General

  • AM console login fails when 'nbf' claim type is Date #8979

Bug fixes

General

  • Full exception raised as an ERROR in gateway logs when token is expired #8656

  • REST API listIdentityProviders documents mismatch with return JSON object #8881

Mfa

  • [fido2] webAuthnCredentialId is not set in the session #8951

Node

  • License INFO logging arbitrarily enforced #8934

Improvements

General

  • Full exception raised as an ERROR in gateway logs when token is expired #8656

Bug fixes

General

  • Merge 3.19.7 to 3.20.x #8925

  • Merge 3.19.8 to 3.20.x #8950

Bug fixes

General

  • AM - Management - Incorrect locale 'name' displaying in response error message #8943

  • Thymeleaf template engine is ignoring variables #8895

  • AM - Users - User login count reset when we edit the user’s data #8880

Management

  • Shouldn’t be possible to create dictionary with invalid locale #8885

  • Shouldn’t be possible to create two dictionaries with same locale #8886

Bug fixes

General

  • Merge 3.19.7 to 3.20.x #8908

Bug fixes

General

  • Error while selecting users on AM settings #8873

  • Merge 3.18.16 to 3.19.x #8906

  • When using an internal API for AM, no validation of the request payload is performed. #8865

Bug fixes

General

  • Factor State is not accurate #8766

  • FilterCriteriaParser parse can’t handle apostrophes #8679

  • Pre login exit on error message sent to provider instead of callback #8750

Bug fixes

General

  • Merge 3.19.5 into 3.20.1 #8827

  • Merge 3.19.6 into 3.20.1 #8864

Features

Gateway

  • [saml2] Add option to sign assertion #8868

  • [saml2] HTTP-POST Binding #8869

Bug fixes

General

  • Merge 3.18.15 in 3.19.x #8851

Features

General

  • Store original token for Github provider #8852

Bug fixes

AM

  • '#' isn’t URLEncoded when used in an Application or client_id of application when Login Flow URL is called. #8808

General

  • GroupNotFoundException exception is thrown when domain notification service try to notify #8667

  • Merge 3.15.17 into 3.18.x #8850

  • Token Exchange and Elliptic Curve public key #8817

Management

  • [ui] Multifactor Auth section does not keep configuration when saving for the first time #8836

Bug fixes

General

  • A disabled user can trigger reset password and successfully reset the password (Backport #8670) #8712

  • Access Manager email validation regex needs updating #8350

  • Improve WebAuthnSettings validation #8622

  • Recovery email does not work if user has signed into another app prior to clicking on recovery link #8812

  • Template can’t be saved twice #8624

  • 'The access token is invalid' message when actually, the refresh_token is expired #8791

MFA

  • Unable to sign in with new user if the self registration email is sent twice. #8806

Management

  • Unable to update a user linked to removed application #8380

Bug fixes

General

  • LoginCallbackOpenIDConnectFlowHandler throws UnsupportedOperationException #8819

  • The name displayed on the user list is not updated when the first/last name is changed in the user’s profile (self-service account management API) #8755

  • Add missing error logs when external OpenID IdP authentication fails #8818

  • [Self Account Management] improve reset password endpoint #8723

  • Merge AM 3.18.14 into 3.19.x #8826

Policy

  • Send Email policy requires the "From Name" attribute #8778

Bug fixes

Gateway

  • Improve SAMLRequestFailureHandler #8159

General

  • Login_sso_post template broken due to CSP rules #8782

  • Internal server error on FIDO2 factor when attestation set to 'none' #7967

  • Merge AM 3.15.16 into 3.18.x #8780

  • Receiving email to reset password for a username which does not exist #8729

  • State parameter isn’t URLEncoded when redirect_uri is called #8761

  • X-Forward-Port impact the iss claim #8807

AM - 3.20.0 (2023-01-04)

Bug fixes

General

  • Merge AM 3.19.1 into 3.20.x PR#2196

  • Merge AM 3.19.2 into 3.20.x PR#2247

  • Merge AM 3.19.3 into 3.20.x PR#2294

  • Merge AM 3.19.4 into 3.30.x PR#2294

Features

General

  • Password history: prevent end-users from re-using a previous password during password reset. PR#2171 & PR#2216

  • MFA security features:

    • The MFA Rate Limit feature enables you to configure and limit the number of challenges a user is allowed to send within a specific time period. PR#2205

    • The Brute Force Detection feature enables you to configure and limit the number of verification requests a user is allowed to send within a specific time period. PR#2220

  • System Certificates: the certificate rotation feature enables you to generate a new system certificate quickly and easily when the previous one is about to expire. PR#2217 & PR#2222

  • User interface: uniform user interface across products PR#2221

Improvements

  • Enable security headers by default PR#2229

Bug fixes

Gateway

  • Make session information consistent #8777

Bug fixes

General

  • LastPasswordReset value is wrong format while calling rest API #8666

  • Merge AM 3.18.13 into 3.19.x #8788

Features

Gateway

  • [management] add SSL options for httpClient connections #8784

  • [oauth2] add an option to not rotate refresh tokens #8787

Improvements

Management-ui

  • Add missing inputs to set jwks and jwks_uri values for an application #8786

Bug fixes

General

  • Manage X-Forwarded-Port on Gateway #8653

  • Null pointer exception while creating file reporter #8651

  • User authentication may fail to grant access to the user #8741

  • When "Complete User Registration" is enabled forgot password doesn’t work #8725

  • Merge 3.15.15 into 3.18.x #8742

Improvements

General

  • Add requested redirect_uri in error page with code redirect_uri_mismatch #7728

Bug fixes

AM-Groups

  • When a group in AM has more than 25 members, those members do not show/exist #8708

  • When a group in AM has more than 25 members, those members do not show/exist. #8484

Gateway

  • IdentityFirst doesn’t work if BotDetection is enabled #8704

  • Manage time drift on syncManager #8701

General

  • Application name not updated on initial login page when changed within AM console #8706

Features

General

  • Prevent CRUD operation on Mongo and JDBC IDPS #8695

Bug fixes

Gateway

  • [custom-claims] some attributes are missing in the execution context for the current user #8693

  • [scim] impossible to assign custom attributes to the users #8692

  • Provide request parameters to all Thymeleaf templates #8674

  • Propagate parameters after registration #8683

General

  • Merge 3.18.11 & 3.18.2 into 3.19.x #8675

Bug fixes

General

  • A disabled user can trigger reset password and successfully reset the password #8670

Bug fixes

Gateway

  • [self service account] MFA verify method should work with activated factors #8647

  • [self service account] add a MFA sendChallenge method #8648

  • [self service account] factor with moving factor should be updated after the verify step #8650

Bug fixes

Gateway

  • MFA SkipEnrollment should be hidden #8602

General

  • Merge 3.18.10 into 3.19.2 #8597

Bug fixes

Gateway

  • Provide "forgot password" url for IdentityFirstLogin #8608

General

  • IllegalArgumentException seen in logs when using comma in LDAP URL configuration. #8504

  • Merge 3.15.14 into 3.18.x #8596

Improvements

Gateway

  • Provide SocialIDP for register templates #8627

Bug fixes

Gateway

  • Group roles are lost after SCIM update #8584

  • Search all matching user for forgot password #8576

General

  • AM sets alternate MFA factor as primary #8544

  • Expiration time for Registration confirmation email #8560

  • Fix Postman Tests #8603

  • Group roles are lost after SCIM update #8591

  • JDBC UserProvider doesn’t update the email field #8599

  • Kafka reporter: null pointer exception is thrown for unsuccessful user login in app #8609

  • Post logout redirect URI list doesn’t work at Domain level and can allow open redirection #8535

  • Query parameter is not supported in the post_logout_redirect_uri #8610

  • Upgrade dependencies #8594

  • User profile initialization #8572

Improvements

General

  • AM request_uri implementation is vulnerable to Server Side Request Forgery (SSRF) #8532

Bug fixes

General

  • Merge 3.18.9 into 3.19.x #8587

  • Merge AM 3.18.8 into 3.19.x #8586

  • Upgrade apache commons-text #8588

Bug fixes

Gateway

  • Better support OTP factors for the enroll MFA policy #8579

  • Make PAR values accessible #8422

  • [forgot password] filter users search with selected Identity Providers #8577

Management

  • Resources not visible for OTP sender factor #8578

Improvements

Gateway

  • Make PAR values accessible #8422

Bug fixes

General

  • Merge 3.18.6 into master #8476

  • Merge 3.18.7 into 3.19 #8546

  • Merge AM 3.18.1 into 3.19.x #8395

  • Merge AM 3.18.2 into 3.19.x #8396

  • Merge AM 3.18.3 into 3.19.x #8397

  • Merge AM 3.18.4 into 3.19.x #8398

  • Merge AM 3.18.5 into master #8426

  • User locale claim isn’t taken into account #8268

  • Upgrade dependencies #8557

Features

Gateway

  • Implement X-XSS-Protection #8558

  • Provide default languages #8054

  • [emails] internationalization support #8039

  • [emails] use the new default theme #8043

  • [forms] internationalization support #8038

  • [forms] use the new default theme #8042

  • [management] Redesign end user forms and emails #7566

  • [multi-languages] manage languages at domain level #8040

  • [override theme] [forms] theme integration #8125

Management

  • [emails] override default theme #8045

  • [forms] override default theme #8044

  • [multi-languages] UI languages #8289

  • [multi-languages] data structure / API definition #8067

  • [multi-languages] storage at domain level #8071

  • [override theme] CRUD implementation at domain level #8121

  • [override theme] Data model / API Definition #8120

  • [override theme] HTML mode integration #8124

  • [override theme] UI/UX integration at domain level #8122

  • [override theme] [view mode] display default gateway forms if there is no custom ones #8315

  • [override theme] [view mode] forms preview mode #8369

  • [override theme] [view mode] load gateway assets #8316

  • [override theme] view mode integration #8123

Management-api

  • Implement CSP headers #8559

Management-ui

  • [emails] improve Help and Tips section #8051

Features

Management

  • [gateway] add new option for the passwordless login flow #8506

Bug fixes

General

  • Merge 3.15.13 into 3.18 #8542

Bug fixes

Gateway

  • Improve "switch account" behaviour #8236

  • Set focus on password field when login already known #8219

  • SyncManager hang after connection issue #8377

  • Token not retrieved in database (backport GH#8431) #8441

  • [oauth2] basic client authentication failed for some special characters #8501

General

  • Fill the username field in idFirstLogin #8511

Idp

  • [MongoDB] queries are not well parsed for the user management features (Backport #8379) #8383

Management-ui

  • Upgrade nginx base image (backport #8183) #8285

Features

Management

  • [mfa] send same OTP code to multiple devices #8444

Improvements

General

  • Fill the username field in idFirstLogin #8511

Bug fixes

Gateway

  • Authentication issue when multiple results match the query #8443

  • Token not retrieved in database #8431

Features

Gateway

  • Implicit consent for audit logs #8448

Bug fixes

Gateway

  • Missing authorizeUrls variable in the webauthn login page #8404

  • Self account management - missing delete method for the webauthn credentials #8415

Idp

  • [MongoDB] cannot reset password if the AM external_id is not the same as the IdP _id field #8407

Improvements

Gateway

  • Self account management - missing delete method for the webauthn credentials #8415

Bug fixes

Gateway

  • [http-callout] When payload in policy contains accents the payload gets truncated #8235

General

  • Merge AM 3.17.5 into 3.18.x #8392

Idp

  • [MongoDB] queries are not well parsed for the user management features #8379

Bug fixes

Gateway

  • Do not expose data in the forgot password template #8391

Bug fixes

AM-Registration

  • User fails to log in after completing registration via confirmation link #8321

Bug fixes

Management-ui

  • White domain list description is wrong #8311

Improvements

Gateway

  • Inject identity provider in the SPEL context during selection rule process #8312

Bug fixes

Gateway

  • Improve metrics monitoring #8116

  • Unable to initialize Extension Grant plugin #8144

General

Improvements

General

  • Merge SAML IdP 1.4.2 into 1.5.x #8231

Bug fixes

General

  • Merge AM 3.15.11 into 3.17.x #8239

Idp

  • [saml2] handle RequestedAuthnContext optional #7997

Management-ui

  • [policy] Enroll MFA policy allows RecoveryCode #8119

Bug fixes

Gateway

  • Unable to sign in a user with JDBC idp #8171

  • Unable to sign in a user with JDBC idp #8172

General

  • Backport #8112 enroll MFA policy can’t be saved if the application has only one factor activated #8113

  • Improve email template sanitization #8091

Management

  • Limit the size of the AM cookie #8092

Repository

  • AdditionalInformation for SCIM search are limited using RDMS #8085

Bug fixes

Gateway

  • Brute force detection does not work when AM username is not the same as the IdP username #7884

  • Factor can’t be registered if device is already known #7971

  • Flows are not loaded - backport 7964 #7966

  • Redirect to RP after POST login error when SelectionRules are used #7958

  • Unable to connect an end user if the IDP whitelist is enabled #7827

  • [auth] wrong error logged whenever a user tries to authenticate #7984

  • [policy] Enroll MFA doesn’t restrict on active factor #7950

General

Management-ui

  • [policy] Enroll MFA policy can’t be saved if the application has only one factor activated #8112

Policy

  • Email policy requires FROM-NAME field #7933

Bug fixes

Gateway

  • Email aliases interpretation with identifier first login doesn’t work on another AM domain #7889

  • Email sent for MFA doesn’t use "from" field defined by SMTP resource #7833

  • Factor choice not accurate #7928

  • Improve find user during reset password #7912

  • Insert action should not be triggered after a reset password #7911

  • Login attempts should not be based on the username #7916

  • Missing text description for the HTTP factor in the MFA alternatives default template #7878

  • AM does not URL-decode when using Basic Authentication as specified in RFC 6794 #7803

Idp

  • [jdbc] [mongodb] only update password field during reset password #7800

Management

  • Application description ignored during creation #7222

Improvements

Gateway

  • Add option to client to force S256 challenge method for PKCE #7965

  • Update accountNonLocked on successful connection #7831

Bug fixes

AM

  • Assign roles to user list not getting filtered (auto-complete) #7542

Gateway

  • Flows are not loaded #7964

  • More consent check for IP and User agent #7919

  • NullPointer on MFAChallengeFailureHandler #7954

  • Passwordless flow not fully compatible with mobile applications #7158

  • [mfa] error 500 when application has no factor but endUser has one #7872

General

  • Merge 3.17.1 into master #7447

  • Merge 3.17.2 into master #7823

Features

Gateway

  • Self account management manage user consent #7680

  • [adaptive access] Implement IP reputation #7637

  • [adaptive access] Make the risk assessment score a context property #7555

  • [adaptive access] Provide the risk assessment data to the risk assessment service #7657

General

  • Create flow chart for MFA #7563

Management

  • [adaptive access] Add feature to use risk assessment for Adaptive MFA #7556

  • [adaptive access] Implement risk assessment score #7554

  • [mfa] FIDO2 factor #7378

  • [mfa] HTTP factor #7374

Management-ui

  • [adaptive access] Frontend implementation #7689

Mfa

  • [sms] HTTP generic implementation #7373

Improvements

Gateway

  • [webauthn] Allow WebAuthn for Social Idp users #5363

Bug fixes

Gateway

  • Confirmation pages don’t use the App template #7744

  • Decorate with initial parameters when handler is failing #7808

  • Identifier first should not be required when using idp selection rule #7678

  • Inline javascript not properly managed with CSP #7724

  • ResetPassword use the wrong template in case of error #7734

  • [idp][auth] handle login attempt failure when the IDP is configured to accept several username inputs #7797

General

  • Document the breaking change about application update #7623

Idp

  • Include user mappers during reset password #7530

  • [http] display name is not updated when firstName or lastName changes #7531

Management

  • [upgrader] Application identity provider task blocked to ONGOING #7730

Improvements

Gateway

  • [forgot-password] allow forgot password confirmation to display which email the reset password was sent to #7796

Bug fixes

Gateway

  • Adaptive mfa may prevent factor enrollment #7394

General

  • Backport #7542 assign roles to user list not getting filtered (auto-complete) #7757

  • Merge 3.10.19 into 3.15.x #7790

Idp

  • [jdbc] email field is not mapped #7799

Management

  • Not able to update the sharding tags #7759

Features

Gateway

  • [management] automatically enroll user MFA factors #7753

Improvements

Gateway

  • Improve Thymeleaf generateData method #7690

Bug fixes

Gateway

  • Better support for back channel logout with GET method #7679

  • Redirect to RP after POST login error #7708

Bug fixes

Gateway

  • Silent re-authentication flow not followed when user needs consent #7616

Management

  • User activities must use the technical ID of the user instead of the username #7619

Improvements

Plugins

  • Improve sensitive data masking #7482

Bug fixes

Gateway

  • Manage PolicyException on reset password flow #7574

General

  • Merge 3.16.2 into 3.17.x #7446

Improvements

Idp

  • Support SHA-256+MD5 password encoding for JDBC and MongoDB #7404

Management

  • User registration acknowledgment #7470

  • User reset password acknowledgment #7471

Bug fixes

General

  • Merge 3.15.5 into 3.16.x #7445

  • Merge AM 3.15.6 into 3.16.x #7582

  • Merge AM 3.15.7 into 3.16.x #7583

Bug fixes

General

  • Connection leak on mongodb #7599

  • Merge AM 3.10.18 into 3.15.x #7576

Improvements

Gateway

  • Session persistent mode #7526

Bug fixes

Gateway

  • [management] improve session management #7414

Management

  • Make hard coded Jetty configuration configurable #7479

  • Search user in management API may provide duplicates #7439

Oidc

  • [jdbc] NullPointerException when username is not given #7488

Features

Gateway

  • Manage X-Frame-Options headers #7418

Improvements

Gateway

  • Improve OTP token management #7415

  • Provide a legacy mode for the enhanced scopes #7455

Management

  • Improve redirect_uri management #7420

Reporter

  • Improve file reporter input validation #7464

Bug fixes

Gateway

  • Enrich context for adaptive MFA #7393

  • Remove active tokens when a user resets their password #7365

Management

  • Cannot access IdP list if a plugin has been removed #7366

Improvements

Gateway

  • Provide a legacy mode for the openid scope #7413

Management

  • Add the id of the Identity Provider on GET /domains/:domaind/users/:userid #7108

Bug fixes

Management

  • Typo on selection rule modal #7357

Features

Gateway

  • Configure AM as a SAML 2.0 Identity Provider #7011

  • Self account management manage MFA recovery codes #7147

Management

  • Certificates expiration notification - UI notification bar #6881

  • Certificates expiration notification - display certificate expiration date in the UI #7175

  • Certificates expiration notification - notification service #6879

  • Certificates expiration notification - notification timeframe #6882

  • Certificates expiration notification - watcher service #6880

  • Certificates expiration notification #6833

  • Manage identity provider priority #6519

  • [gateway] add RESET_PASSWORD flow #7015

  • [gateway] conditional policies #7016

  • [idp] handle redirection to Identity Provider via Expression language #5167

  • [mfa] Recovery codes #7014

Improvements

Management

  • Improve certificate expiry configuration #7271

Management-ui

  • Improve UX for IdP priority order #7286

Bug fixes

General

Bug fixes

Gateway

  • Enhance scopes should work at least with the openid scope #7290

  • Invalid email with accented characters #7289

General

Bug fixes

Cors

  • Handle allow-credentials CORS configuration #7221

Gateway

  • Invalidate tokens on user logout #7270

General

  • Login with WebAuthn loops when "prompt=login" parameter is present in the login url #7262

Improvements

Cors

  • Handle allow-credentials CORS configuration #7221

Bug fixes

General

  • Execute non regression test on RDBMS backend #7125

  • Merge 3.15.1 #7121

  • Merge 3.15.2 #7122

  • Merge 3.15.3 #7204

Features

Idp

  • [saml] EncryptedAssertion support #6835

Management

  • Password expiration policy #6836

  • [mfa] Skip enrollment options #6188

Bug fixes

General

Plugin

  • [notifier] update notifier plugin version to include "hide sensitive data" feature #7166

Bug fixes

Gateway

  • Assign user login using login_hint #7197

  • Email aliases interpretation after login failure #7200

General

Bug fixes

Gateway

  • User flagged as internal when created by SCIM #7177

Idp

  • Social identity provider with wrong external boolean in payload #7119

  • [oauth2] add client_secret_basic authentication method #7156

Management-ui

  • Logos in social providers aren’t displayed correctly #7124

Reporters

  • [mongodb] index name too long #7136

Bug fixes

Gateway

  • Sub value invalid into user info #7118

Bug fixes

Gateway

  • NPE is raised when TLS is enabled without truststore #7107

General

  • Merge 3.14.5 #7076

  • Merge 3.14.6 #7096

  • [OIDC] retry client initialization #7012

  • [ldap] retry client initialization #6207

Management

  • Manage null or empty configuration for plugins #7056

  • Pagination on role page doesn’t work #7103

Improvements

Management-api

  • Do not expose default identity provider and audit reporter #6782

Bug fixes

General

Bug fixes

Management

  • Request to management API blocked #7080

Plugins

  • onActivated and onDeactivated not called when plugin loaded #6942

Bug fixes

Gateway

  • Email aliases interpretation with identifier first login #7030

  • State not managed with Identifier First login #6975

General

Management

  • Upgrade gravitee-node to 1.20 #7020

Bug fixes

Gateway

  • Missing gateway ready status probe #7045

  • SCIM update and delete may report a false negative in AuditLogs #6970

Management

  • Application settings lost after certificate update #7040

  • Create index for mongo reporter #6986

  • Optimize remove users when deleting a domain #6999

  • UserProviderExists method is not working anymore #7035

Management-ui

  • Async load users page #7021

Improvements

Gateway

  • Missing gateway ready status probe #7045

Management-ui

  • Async load users page #7021

Bug fixes

Gateway

  • Nullpointer when IPFiltering rejects the request #6927

  • Remember device doesn’t expire #6926

  • [webauthn] include device identifier at webauthn login #6871

General

Management

  • Device Identifier permissions are not set #6925

Management-api

  • Do not expose sensitive information from plugins configuration #6734

Policy

  • [groovy] merge 1.14.2 into master #6843

Features

Gateway

  • [oidc] add CIBA flow #5193

Management

  • Password policy - add password dictionary #6520

  • Password policy - add pattern verification option #6521

Improvements

Gateway

  • [idp] add an option to add id_token and access_token from the OP #6549

  • [oidc] scope openid should not be used to get full profile information #6516

Management

  • Split AM roles and IdP roles #6515

Management-api

  • Do not expose sensitive information from audit logs #6783

  • Lock user account via HTTP call #6785

Bug fixes

Am

  • Java mail properties are not set #6928

Gateway

  • Http provider configuration is not respected #6916

Bug fixes

General

Bug fixes

General

Bug fixes

Gateway

  • [mfa] unable to enroll user with Email or SMS factor #6830

  • [mfa] unable to enroll user with OTP #6822

Bug fixes

General

Bug fixes

General

Bug fixes

Gateway

  • Add missing data for email and HTML templates #6718

  • Logout returns an error after user registration #6752

  • [chore] upgrade vertx-auth to 4.1.7.1 #6746

Management

  • [audits] access point info aren’t displayed in organization settings audit logs #6776

Improvements

Management-api

  • Handle metadata when creating an application #6774

Bug fixes

Gateway

  • Manage WebAuthn exception on startup #6744

Bug fixes

Gateway

  • Manage WebAuthn exception on startup #6741

Bug fixes

Gateway

  • Manage WebAuthn exception on startup #6745

Bug fixes

Am

  • Missing parameters after social authentication error #6706

Gateway

  • Inline javascript in default HTML templates should wait for the DOM to load #6714

  • Manage WebAuthn exception on startup #6737

  • Password validation is not triggered if password is set dynamically #6715

Gw

  • Filter technical claims on userinfo endpoint #6725

Management

  • Missing application information for the USER_PASSWORD_RESET audit log #6688

Management-ui

  • Users > Sort by column is broken #6726

Bug fixes

Gateway

  • Manage WebAuthn exception on startup (backport #6737) #6739

Bug fixes

Gateway

  • Remove useless id_token claims #6674

General

Idp

  • [ldap] handle nested groups #6589

Management

  • Update audit logs on reset password email sent #6610

Management

  • Missing last_password_reset field for JDBC repository #6664

  • Missing roles during migration #6648

  • Remove event listeners in management part #6590

Improvements

Gateway

  • Support POST method for the end_session_endpoint #6643

Management-ui

  • Select applications component is not very friendly #6644

Bug fixes

General

Features

Alerts

  • Add environment and organization on alert events #6459

Gateway

  • Self account management reset password endpoint #6398

Management

Improvements

Gateway

  • [oauth2] improve wildcard support for allowed redirect_uris #6397

Bug fixes

Management-ui

  • Some searches on user resources are malformed #6584

Bug fixes

General

Bug fixes

General

Par

  • Unable to authenticate user with new consent #6562

Bug fixes

Gateway

  • Infinite loop with prompt login parameter #6573

  • [webauthn] FaceID/TouchID frame sticks on the screen when the user comes back to their native iOS application #6545

Management

  • Yaml users are not loaded anymore #6513

Bug fixes

Gateway

  • [par] request_uri should be accepted without scope parameter #6464

General

Bug fixes

Am

  • Major error - 3.10.7 distribution is broken #6504

Bug fixes

Gateway

  • Expression language does not support whitespace #6463

  • Handle prompt login parameter to the underlying OIDC IdP #6477

  • [identity provider] Consider the userInfo type when testing a mapping condition #6445

Bug fixes

General

Oidc

  • [DCR] some optional parameters are required #5986

Features

Management

  • [mfa] Behavior detection - risk based rules engine #6194

  • [mfa] Behavior detection #6185

  • [mfa] multi-factors challenge step #6189

  • [mfa] remember device #6186

Improvements

Gateway

  • Improve error message when FAPI is enabled #6420

Management

  • Add preferred language for the users #6351

Oidc

  • Improve request object management #6266

Bug fixes

Management

  • When creating inline user, I get "domainWhitelistmust not be null" #6416

Bug fixes

General

Bug fixes

General

Bug fixes

Am

  • Backport remove test dependencies from distribution (#6262) #6346

Gateway

  • CSRF validation error #6389

  • Error on logout for pre-registered users #6381

  • Sub claim may change according to extension grant configuration #6352

  • [scim] no audit log for user and group provisioning #6348

General

  • Improve user search #6355

  • Unable to validate password on registration confirmation #6382

Management

  • Wrong link on audit logs #6356

Bug fixes

Gateway

  • Login flow may never respond #6328

Improvements

Gateway

  • [identity-provider] enhance mapper #6329

  • [scim] specify identity provider for user provisioning #6322

  • [webauthn] upgrading certificates #6324

Bug fixes

Management

  • Use ApplicationService to migrate scopes #6308

Improvements

Gateway

  • [oidc] get client SSL certificate from HTTP proxy #6296

  • [oidc] override mtls_endpoint_aliases #6297

Bug fixes

Fapi

  • [par] request_object not read from the consent endpoint #6214

General

Features

Fapi

  • Brazil Open Banking implementation #5994

Gateway

  • Self account management add webauthn credentials endpoints #6247

  • Self account management factors endpoint #5853

  • Self account management #5492

Management

  • Redirect to internal/external provider depending on the account/username #5388

Improvements

Management

  • [gateway] add request timeout configuration option on IdP #3505

Bug fixes

General

Bug fixes

Gateway

  • [oauth2] add CORS handler to the authorize endpoint #6236

General

Management

  • Filter disabled identity providers during login #6181

Management-ui

  • Not possible to override the password length in the UI #6212

Improvements

Gateway

  • [oidc] unknown (use) is currently not supported. #6184

Bug fixes

Management

  • [gateway] http proxy host exclusion does not work when url contains invalid characters #6032

Improvements

Gateway

  • [jwt] add type header parameter #6239

Bug fixes

Gateway

  • [oauth2] enforce URL redirects when the authorization request format is invalid #6123

  • [oidc] re-introduce supported_subject_type into the wellknown endpoint #6175

Idp

  • [http] escaped double quotes character #6147

Management

  • Add allowed-redirect-urls for both login and logout endpoints #6121

  • Enforce SCIM parser control #6127

  • Handle request rejected exception #6112

  • We should be able to update the user display name #6098

Mfa

  • Manage http proxy for Twilio provider #5905

Bug fixes

Fapi

  • Keep query params of the redirect_uri #5939

  • Oauth2 redirect_uri query parameters are not returned if error has occurred #4045

  • [JARM] Response parameter missing from some error responses #5967

  • [JARM] the Error page doesn’t use the error coming from the JWT #5976

  • [PAR] issues when client auth uses private_key_jwt #5990

General

Oidc

  • Always provide auth_time in idToken #5956

Features

Fapi

  • Certificate bound access tokens #4028

  • Response_type code restricted in the authorization request #5955

  • [PAR] Implement PAR specification #5969

Identity-provider

  • [http] encode password #5710

Management

  • Create FAPI option #5951

Oidc

  • Plain FAPI support #3708

Improvements

Fapi

  • 'nbf' and 'aud' claims shall be present in request object #5965

  • Certificate bound access tokens client option #5985

  • Manage 'exp' claim in request object #5940

  • Restrict JWS algorithm #5989

  • Scope & response_type are optional in OAuth parameters #5975

  • Shall require that all parameters are present inside the signed request object passed in the request or request_uri parameter #4052

  • [JARM] make response lifetime configurable #5968

  • [PAR] PKCE required #5973

Gateway

  • Manage TLS Cipher Suites #5929

Bug fixes

Am

  • [ee] wrong CAS plugin version for the 3.10 #6074

  • [ee] wrong SAML plugin version for the 3.10 #6076

Gateway

  • Bump org json dependency to fix EE CAS IdP plugin #6078

  • [mfa] Unable to enroll newly created user with email factor #6067

Idp

  • [jdbc] id column name is hard-coded when updating a user #6083

Bug fixes

Management

  • Loss of data when migrating to 3.10.0 for jdbc users #5957

Bug fixes

Gateway

  • Allow enriching authentication context on registration flow #5676

  • Define user source IDP as custom claims #5914

  • Fix mfa channel type #5918

  • Test if user is not null on MFA #5717

  • Unable to register client with DCR and tls_client_auth #5927

General

  • Merge 3.9.1 #5755

  • Merge 3.9.2 #5794

  • Merge 3.9.3 #5898

  • Unable to register a user or reset a password #5675

Jwks

  • The alg field is wrong #5923

Management

  • Unable to remove certificate from application #5922

Management

  • [jdbc] unable to create domain #5759

Userinfo

  • Provide roles granted by groups #5795

Features

Gateway

  • Be able to logout from OIDC provider in addition to AM #5654

  • Handle id_token_hint to sign in users #5840

  • Self account management API configuration #5854

  • [identity-provider] support EL for role mapping #4107

  • [identity-provider] support EL for user mapping #5645

  • [login] be able to skip the login page if client has social/OIDC identity providers #2289

Management

  • Manage organization users #3922

  • [gateway] activate flow condition #5610

  • [gateway] create new flow #5646

Mfa

  • [sms] Infobip implementation #5736

Reporter

  • Kafka implementation #5735

Improvements

Console

  • Add loader on button for long lasting action #5920

Gateway

  • Add more context for the pre-authenticated user flows #5839

Idp

  • [http] use enhanced context to load pre-authenticated user #5935

Management

  • Add resource logo #5770

  • Be able to override default admin username and password during first load #3975

  • Manage default requested scopes for an application #5838

  • User logout should be traced #5799

Management-ui

  • Apply new theme #5605

  • Improve UX for advanced users search #5837

  • Use expression language ui component for EL field #5719

Reporter

  • Do not start AuditReporter if disabled #5813

Bug fixes

Gateway

  • Forgot password - update profile from IdP during forgot password action #5863

  • Forgot password - wrong email sent if the same user email is shared across multiple IdPs and multiple apps #5864

  • Http identity provider is not compatible with the passwordless feature #5889

  • Users are created with brute force detection #5866

General

Bug fixes

General

Bug fixes

Jdbc

  • Define default value for connection pool #5811

Management

  • Properly manage dbname for mongo backend #5836

  • Use mongodb.uri in MongoIDP #5830

Bug fixes

General

Bug fixes

General

Management-ui

  • Page not found when deleting organization user #5772

Bug fixes

Console

  • Search user not working #5788

Gateway

  • [oidc] hybrid flow response types are not well handled #5765

Management

Bug fixes

General

Management

  • Add missing information in the domains resource #5754

Management-ui

  • Cannot collapse custom claims #5750

  • Updating an application changes its type #5749

Bug fixes

Gateway

  • NPE during forgot password if user does not exist in database #5701

General

Management

  • [idp] default idp configuration must handle MongoDB cluster configuration #2528

  • [reporters] default reporter configuration must handle MongoDB cluster configuration #2527

Bug fixes

Gateway

  • User additional information is not available during login flow #5608

Management-ui

  • The username filter (while adding users in group) is not working in Access Management #5612

Bug fixes

Gateway

  • [oauth2] Enhance scopes returns all user scopes even when not requested #3839

General

Reporter

  • Fix interval unit for MariaDB #5596

Features

Gateway

  • Add CAPTCHA feature #5307

  • Allow associating a gateway with specific environments #5499

  • Reset password multiple accounts #5361

  • [idp] support new password encoder #5470

  • [login] secondary login #5306

Management

  • [mfa] selection rule #5168

Improvements

Management

  • Improve scope page #5516

  • Roles resource pagination #5514

  • Scopes pagination #5213

  • Security domains pagination #5212

Bug fixes

Management

  • Missing application field for flows with JDBC #5566

Bug fixes

Gateway

  • Redirect_uri with multiple parameters only keeps the first parameter #5508

General

Reporter

  • Audits are not persisted for domain #5510

Improvements

Gateway

  • Allow configuring the size of form attributes (SAMLResponse) #5506

Bug fixes

General

Bug fixes

Gateway

  • Handle RelayState for POST Binding SAML flow #5447

Features

Management

  • Add proxy exclusion in the system proxy configuration of gravitee.yml #5337

Bug fixes

Management-ui

  • Domain is undefined for organization resources #5465

Bug fixes

General

Management

  • MembershipCommandHandler throws a SinglePrimaryOwnerException #5339

Features

Gateway

  • [mfa] SMS support #4101

  • [mfa] email support #5166

  • [scim] support PATCH method #3936

  • [webauthn] force registration of a new credential #5305

Management

  • [cockpit] Report gateway nodes in commands #5058

  • [cockpit] add healthcheck command #5171

Bug fixes

General

Management

  • Password policy missing and inconsistent validation rules #5335

Bug fixes

Management

  • Failed to resolve jwtGenerator #5454

  • java.lang.IllegalStateException: Search method not implemented for File reporter #5456

Bug fixes

General

  • Reporter initialization may block infinitely #5420

RegTest

  • Update postman test #5437

Bug fixes

Cockpit

  • Backport #5325 (delete installation) #5429

  • Backport #5339 (SinglePrimaryOwnerException) #5428

General

Bug fixes

Gateway

  • Missing POST_REGISTER flow for registration confirmation #5370

Management

  • Flow duplication #5366

  • [JDBC] Domain creation fails on reporter #5350

Oidc

  • Cannot create SPA application through DCR #3934

Features

Gateway

  • [oauth2] form post response mode #5211

Improvements

Gateway

  • Add the ability to customize the user’s fields validation #5262

  • Support for TLS 1.3 #5355

Helm

  • Support jdbc config #5261

Management

  • Dynamic newsletter taglines #5270

Bug fixes

Idp

  • [LDAP] Class not found #5277

Bug fixes

General

Features

Gateway

  • [management] support Kerberos (SPNEGO) #3555

  • [saml] provide SAML SP metadata endpoint #5007

Management

  • Password policy management #5010

  • [certificate] provide PEM format #5005

  • [certificate] set default certificate for application #5006

  • [cockpit] delete installation #5154

  • [gateway] alert engine integration #5004

Bug fixes

General

Management

  • On application delete, we should redirect to the applications page #5226

Policies

  • Remove provided dependencies from policies bundle #5205

Bug fixes

Gateway

  • [login] better support for invalid request exception #5153

  • [logout] Lax id_token_hint parameter #5163

General

Management

  • Can define a context path on "/" in virtual host mode #4966

  • Missing media type for members resources #5108

  • Update administrative user roles when using the role mapping #5087

Bug fixes

Idp

  • HttpClient proxy is never used #5048

  • [saml] add missing saml:AuthnContextClassRef #5142

Improvements

Management

  • [oauth2] add full_profile scope #5107

Bug fixes

General

Management

  • Environment permissions must be added to migration script #4529

  • JS error when trying to add application metadata #5065

  • Social authentication user always attached to DEFAULT organization #4528

  • Unable to assign administrative role using sqlserver #4989

Features

Gateway

  • Enrich UserProfile policy #4882

  • [management] Auth Flows for applications #4764

  • [policy] Enrich Authentication Flow Policy #4883

Identity-provider

  • Add SalesForce identity provider #4730

Management

  • Add application analytics #3290

  • Add user analytics #3291

  • Manage Cockpit installation registration #4765

Reporter

  • [file] Add support for a File reporter #4731

Improvements

Gateway

  • Propagate execution context data to the whole authentication flow #4407

  • [reporter] trace login activity for social IdP #4874

Management

  • Cockpit url must be configurable #4947

  • Handle installation events from cockpit #4942

Management-ui

  • Display Object claim values #4916

  • Manage human readable identifier for environment #4311

Bug fixes

Gateway

  • OIDC provider with id_token or id_token token response type not working anymore #5023

General

Repository

  • [jdbc] vhost override entrypoint is not mapped #5003

  • [mongodb] missing index creation #5021

Bug fixes

Gateway

  • [webauthn] AndroidSafetynetAttestation validation failure #4933

  • [webauthn] Apple Attestation verification failed #4921

Improvements

Gateway

  • [webauthn] collect and store attestation statement #4949

  • [webauthn] select Authenticator Transport #4950

Management

  • Add approved logout URL list #4978

Bug fixes

General

Management-ui

  • Error in console when adding callout policy to flow #4924

  • Identity provider json encoding issue #4980

Improvements

Management

  • Newsletter improvement #4936

Bug fixes

Gateway

  • [webauthn] AndroidSafetynetAttestation validation failure #4880

  • [webauthn] Username Enumeration #4876

  • [webauthn] relying party ID/name issues #4875

General

Bug fixes

Management

  • Self user registration custom expiresAfter is not set #4911

Snyk

  • Security upgrade org.bouncycastle:bcpkix-jdk15on from 1.66 to 1.68 #4869

Improvements

Gateway

  • [management] reduce information contained in the JWT for reset password and registration email #4451

Improvements

Gateway

  • [passwordless] Split the webauthn.js file to be able to override it #4812

Bug fixes

General

Features

Gateway

  • Add new AUTHENTICATION extension point phase #2603

  • Add new REGISTER extension point phase #3284

  • Policy Studio integration #4593

  • [management] JDBC repository support #3293

Identity-provider

  • Add LinkedIn identity provider #4325

Management

  • Create default JDBC identity provider per security domain #4595

  • Create default JDBC reporter per security domain #4594

  • Policy Studio integration #4592

Improvements

Gateway

  • Be able to override OIDC claim values #4729

Management

  • Gravitee.io AM Admin UI automatically enables implicit grant on SPA applications #3962

Oauth2

  • Force a client to use PKCE #3710

Bug fixes

Gateway

  • Handle CSRF in cluster environment #4736

  • [sso] do not kill the current session when reset password #4754

Identity-provider

  • [inline] add encoding mechanism to store password value. #4695

Bug fixes

Gateway

  • Bad passwordless session #4734

  • Invalidate all sessions on password change #4667

Bug fixes

Gateway

  • Exception when extensionGrant is empty #4613

General

Features

Gateway

  • Cookie web sessions #2523

  • [webauthn] Greater control over when the webauthn setup prompt is shown #4497

  • [webauthn] support attestation convey #4625

Identity-provider

  • Add Google identity provider #4323

Management

  • Add logo to Identity Provider #4494

Improvements

Gateway

  • [webauthn] Need to confirm that "user verification — required" is being applied #4496

Management

  • [webauthn] Update to list credentials endpoint to provide more information #4498

Repository

  • [mongodb] manage indexes creation #4568

Bug fixes

General

Bug fixes

General

Bug fixes

Gateway

  • Social login infinite failure handling #4621

Management

  • Cannot delete an organization user #4622

  • Use the same user validator for the username and displayName #4623

Bug fixes

Gateway

  • [webauthn] register flow does not end properly if the step is skipped #4575

Management

  • Delete attached webauthn credentials when deleting a user #4574

Bug fixes

General

Management

  • Cannot list users at organization level #4553

Features

Gateway

  • Make webauthn credential id and MFA factor id available in the login context so that we can use it in extension points #4495

Bug fixes

General

Management

  • Unable to delete user’s MFA #4503

Bug fixes

Gateway

  • Return url is not set when autologin feature is used #4525

General

Management-ui

  • Unable to force tokenEndpointAuthMethod to "Based on incoming request" #4509

Improvements

Identity-provider

  • [ldap] add a retry limit during pool initialization #4531

Bug fixes

General

Features

Gateway

  • [scim] support search feature #3937

Identity-provider

  • Add FranceConnect identity provider #4075

  • Add Twitter identity provider #4324

  • Add JDBC identity provider #4354

Management

  • Add a search engine for users resource #3227

Bug fixes

General

Bug fixes

General

Management

  • Application tokenEndpointAuthMethod is reset sometimes #4427

  • Audit logs of the global settings are not working #4342

  • Domain roles are not well migrated in v3 #4425

  • Invalid application tokenEndpointAuthMethod value during v2 migration #4428

  • User information returned in users resource is invalid #4353

Management-ui

  • Enable custom reset password form even if the SSPR is disabled #4343

Improvements

Identity-provider

  • Add HTTP proxy configuration #4396

Bug fixes

General

Features

Identity-provider

  • Add Azure AD identity provider #4074

  • Add Facebook identity provider #3288

Management

  • [gateway] support passwordless #4073

Improvements

Fapi

  • Ensure request object signature algorithm is not none #4051

Identity-provider

  • Factorize OAuth & Social identity providers #4108

Bug fixes

Gateway

  • [management] JWT token signature verification is not well handled #4209

  • [uma2] missing CORS configuration #4237

General

Management-ui

  • [uma2] missing uma-ticket grant type selection #4238

Improvements

Management-ui

  • Add UMA 2 endpoints #4305

Bug fixes

Gateway

  • Skip external identity provider for authentication with credentials #4263

  • [register] Internal Server Error (500) if a user uses the default Gravitee registration form #4284

General

Management-ui

  • User profile fields should be disabled when insufficient permissions #4298

Bug fixes

Gateway

  • CSRFHandler does not seem to handle proxy context-path #4034

General

Bug fixes

General

Management

  • Delete "external" users #4106

  • Error updating client with metadata #4166

Bug fixes

Gateway

  • [jwt-bearer] sub claim is not mandatory #4135

Management

Bug fixes

General

  • Merge release 3.0.4 #4085

Oidc

  • Prompt login not well handled after consent or MFA steps #4046

Features

Fapi

  • Support ACR claim #4031

  • Support PS256 for the signing algorithm #4029

Gateway

  • Allow empty value for domain path #2921

  • Send an email when the account is blocked #2613

  • Virtual host support #3199

Oauth2

  • Refresh tokens must not be used after user consents revocation #4039

Uma2

  • Access policies #3861

  • Authorization grant #3717

  • Create new type of application #3850

  • Discovery endpoint #3716

Improvements

Fapi

  • Add request_parameter_supported to the OIDC wellknown endpoint #4030

  • Override missing parameters from the request object parameter #4033

Management

  • Add user additionalInformation to the UsersResource #4114

  • Allow users from social provider to subscribe to newsletter #4081

Bug fixes

General

  • Merge release 2.10.16 #4041

  • Merge release 2.10.17 #4071

Management

  • Can’t add OAuth 2.0 extension grant to an application #3969

  • Username should accept '+' character #4032

Bug fixes

General

  • Merge release 2.10.14 #3893

  • Merge release 2.10.15 #3939

Management

  • Application account settings are not saved #3873

  • [migration v3] missing client account settings #3871

Management-ui

  • Brute force options do not activate SAVE button #3872

Oidc

  • Unable to save an application when created through DCR #3932

Bug fixes

Management-ui

  • Login and logout callback URLs are wrong behind a HTTP proxy #3827

Bug fixes

Management

  • Failed to load default admin user #3819

Bug fixes

Gateway

  • Bad HTTP response #3450

  • Mutual TLS configuration not handled properly #3161

  • User on application without active IdP should not benefit from SSO of another application #3549

Management

  • Organization social providers are not updated #3303

Management-ui

  • [Audits] audits search timeout should not block the entire page #2526

Features

AM

  • [Multi-env] Allow access to some domain and organization information from domain and application settings #3388

  • [Multi-env] Assign organization roles the same way we assign domain and application roles #3379

  • [Multi-env] Manage permissions per entity type (org, env, app, domain, …​) #3319

Gateway

  • Add support for OAuth 2.0 Mutual-TLS Client Authentication #3563

  • Add support for client_secret_key client authentication method #3536

  • Support for JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) #3601

  • [management] multi-factor authentication (MFA) #3125

Management

  • Add gateway entry points to organizations #3438

  • Allow users to subscribe to newsletters #3666

  • Application management #1973

  • Provide domain analytics #3077

  • [acl] - Create default owner for a security domain #3023

  • [acl] - Create default owner for an application #3022

  • [acl] - Secure REST API with roles and permissions #1893

Management-ui

  • Display gateway protocols endpoints #3437

  • [acl] - Secure Admin Portal with roles and permissions #3021

Multi-env

  • Replace admin domain with default organization #3200

Oauth2

  • Support OAuth "Public" clients #2090

Oidc

  • Request object endpoint #3707

  • Support for s_hash #3702

Improvements

Identity-provider

  • [ldap] StartTLS not available for LDAP Identity Providers #3782

Management

  • Create application with custom client_id / secret #3181

  • [Gateway] improve input validation #3755

  • Generate client secret which supports at least HS256 #3537

  • [gateway] default password policy #3696

Management-ui

  • Provide links to useful OIDC endpoints #3449

  • UI enhancements #3203

  • [acl] - Move global dashboard #3024

Oauth2

  • Token revocation for Public Client #2189