76.21.0

What's Changed

Features

• feature: activate PKCE by default in requests to external OIDC providers by @strehle in #2448

Fixes

• Fix: UAA login page breaks when the product logo image is over 100000 characters by @Tallicia in #2453

Misc

• Rearchitect two integration tests to use page objects by @swalchemist in #2468
• Refactor: prepare for private_key_jwt in oauth_client_details by @strehle in #2433
• doc: reason for ignoring library bumps by @swalchemist in #2485
• test: Authorization Grant Flow without Redirect URI by @strehle in #2484

Dependency Bumps

• build(deps): bump versions.springBootVersion from 2.7.14 to 2.7.15 by @dependabot in #2450
• bump activesupport from 6.1.7.3 to 6.1.7.5 in #2451
• build(deps): bump jasmine-core from 5.1.0 to 5.1.1 in /uaa by @dependabot in #2457
• build(deps): bump k8s.io/client-go from 0.28.0 to 0.28.1 in /k8s by @dependabot in #2460
• build(deps): bump versions.tomcatCargoVersion from 9.0.79 to 9.0.80 by @dependabot in #2462
• build(deps): bump org.apache.directory.api:api-ldap-model from 2.1.3 to 2.1.4 by @dependabot in #2464
• build(deps): bump versions.seleniumVersion from 4.11.0 to 4.12.0 by @dependabot in #2466
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.6.0.202305301015-r to 6.6.1.202309021850-r by @dependabot in #2469
• build(deps): bump versions.seleniumVersion from 4.12.0 to 4.12.1 by @dependabot in #2471
• build(deps): bump actions/checkout from 3 to 4 by @dependabot in #2473
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.6.1.202309021850-r to 6.7.0.202309050840-r by @dependabot in #2475
• Bump Gradle to 8.3 by @strehle in #2476
• update dependency org.gradle:test-retry-gradle-plugin to v1.5.4 by @strehle in #2479
• Bump mariadb from 2.7.9 to 2.7.10 by @strehle in #2478
• Bump gradle plugins by @strehle in #2480
• Bump SnakeYaml from 2.0 to 2.2 by @strehle in #2481
• update dependency org.gradle:test-retry-gradle-plugin to v1.5.5 by @strehle in #2482
• Go 1.21 by @swalchemist in #2483
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.31 to 9.32 by @dependabot in #2487
• k8s updates, k8s.io 0.28.1 to 0.28.2 by @strehle in #2488

Full Changelog: v76.20.0...v76.21.0

76.20.0

What's Changed

Features

• Added log tracing using B3 headers so transactions between TAS components will use the same trace ID, in #2446. Log file parsers might need to be updated to reflect this addition to the logs. In the example below, - [ebf4f18ff75a4cfc64a70c2de8ff493b,64a70c2de8ff493b] is the part that is added:

[2023-08-16T00:56:46.060135Z] uaa - 13 [https-jsse-nio-8443-exec-1] - [ebf4f18ff75a4cfc64a70c2de8ff493b,64a70c2de8ff493b] .... DEBUG --- UaaMetricsFilter: Successfully matched URI: /oauth/token to a group: /oauth-oidc

In some cases, the trace and span IDs will be blank:

[2023-08-17T01:53:42.790149Z] uaa/uaa - 17490 [main] - [,] .... INFO --- SpringSecurityCoreVersion: You are running with Spring Security Core 5.7.10

Fixes

• Move refresh rotate check to refresh flow in #2437

Full Changelog: v76.19.0...v76.20.0

76.19.0

What's Changed

Dependency Bumps

• build(deps): bump com.google.zxing:javase from 3.5.1 to 3.5.2 by @dependabot in #2426
• build(deps): bump versions.bouncyCastleVersion from 1.75 to 1.76 by @dependabot in #2425
• build(deps): bump versions.guavaVersion from 32.1.1-jre to 32.1.2-jre by @dependabot in #2429
• build(deps): bump versions.seleniumVersion from 4.10.0 to 4.11.0 by @dependabot in #2428
• fix: update k8s to go 1.20 by @Tallicia in #2432
• Bump hsqldb version 2.7.1 to 2.7.2 by @strehle in #2436
• build(deps): bump versions.tomcatCargoVersion from 9.0.78 to 9.0.79 by @dependabot in #2442
• build(deps): bump k8s.io/apimachinery from 0.27.4 to 0.28.0 in /k8s by @dependabot in #2443
• build(deps): bump k8s.io/client-go from 0.27.4 to 0.28.0 in /k8s by @dependabot in #2444

Misc

• integrationTest: Add IT for user_token grant variants by @strehle in #2194
• fix: Dependabot can't authenticate to the private package registry ht… by @hsinn0 in #2434

Full Changelog: v76.18.0...v76.19.0

76.18.0

What's Changed

Fixes

• UAA startup if postgresql is used for session store in #2414
• Expired X509 certificates should be ignored for JWT usage in #2423

Features

• Allow refresh flow for public usages in #2402
• Use custom key in private_key_jwt towards OAuth2/OIDC IdP in #2420

Dependency Bumps

• build(deps): bump jasmine-core from 5.0.1 to 5.1.0 in /uaa by @dependabot in #2418
• build(deps): bump github.com/onsi/gomega from 1.27.8 to 1.27.9 in /k8s by @dependabot in #2419
• build(deps): bump jasmine from 4.6.0 to 5.1.0 in /uaa by @dependabot in #2417
• build(deps): bump github.com/onsi/gomega from 1.27.9 to 1.27.10 in /k8s by @dependabot in #2421
• Gradle to 8.2.1

Misc

• Delete unused script & dockerfile by @peterhaochen47 in #2422
• Change default of refresh token format by @strehle in #2406
• uaa-ci: use RS256 key as default by @strehle in #2405

Full Changelog: v76.17.0...v76.18.0

76.17.0

What's Changed

Fixes

• fix: Skip reset password requests with HEAD method (#2381) by @jbilandzija in #2389
• fix: Handle verify user requests with HEAD method by @jbilandzija in #2392
• fix: make kill more reliable by @swalchemist in #2347

Features

• feature: Store client authentication method in JWT by @strehle in #2385
• feature: Allow sending static key/value pairs to the configured IdP by @strehle in #2397

Dependency Bumps

• build(deps): bump versions.guavaVersion from 32.1.0-jre to 32.1.1-jre by @dependabot in #2393
• Bump Gradle to 8.2 by @strehle in #2396
• build(deps): bump versions.tomcatCargoVersion from 9.0.76 to 9.0.78 by @dependabot in #2400
• build(deps): bump versions.springBootVersion from 2.7.13 to 2.7.14 by @dependabot in #2409
• build(deps): bump k8s.io/client-go from 0.27.3 to 0.27.4 in /k8s by @dependabot in #2411

Misc

• Extend test coverage in OauthIDPWrapperFactoryBean by @strehle in #2399
• Add Introspection Claims Test by @strehle in #2404
• internal tests only: define more values in uaa.yml by @strehle in #2403
• Refactor: Add Instant to TimeService interface and use TimeService in UaaTokenStore by @strehle in #2315

New Contributors

• @jbilandzija made their first contribution in #2389

Full Changelog: v76.16.0...v76.17.0

76.16.0

Test ONLY

• No need to consume it but created because of pipeline fixes

Full Changelog: v76.15.0...v76.16.0

76.15.0

What's Changed

Fixes

• Fixes from version bump versions.bouncyCastleVersion from 1.73 to 1.75 by @dependabot in #2374 and #2382
• Fixes from version bump versions.springBootVersion from 2.7.12 to 2.7.13 by @dependabot in #2383
• Delete all user group members if user is deleted by @strehle in #2372

Features

• Credential Rotation: Support json key set in tokenKey by @strehle in #2343

Dependency Bumps

• build(deps): bump github.com/onsi/gomega from 1.27.7 to 1.27.8 in /k8s by @dependabot in #2350
• build(deps): bump commons-io:commons-io from 2.12.0 to 2.13.0 by @dependabot in #2352
• build(deps): bump versions.guavaVersion from 32.0.0-jre to 32.0.1-jre by @dependabot in #2357
• Upgrade Tomcat cargo version 9.0.76 by @strehle in #2361
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.5.0.202303070854-r to 6.6.0.202305301015-r by @dependabot in #2369
• build(deps): bump versions.seleniumVersion from 4.9.1 to 4.10.0 by @dependabot in #2351
• build(deps): bump jasmine-core from 5.0.0 to 5.0.1 in /uaa by @dependabot in #2365
• build(deps): bump k8s.io/client-go from 0.27.2 to 0.27.3 in /k8s by @dependabot in #2373
• Bump jackson version 2.14.3 to 2.15.2 in #2377
• build(deps): bump org.json:json from 20230227 to 20230618 by @dependabot in #2379

Misc

• Dependency refactoring by @strehle in #2362
• Remove deprecated code for performance logs by @strehle in #2363

Full Changelog: v76.14.0...v76.15.0

76.14.0

What's Changed

• build(deps): bump versions.guavaVersion from 31.1-jre to 32.0.0-jre by @dependabot in #2345

Full Changelog: v76.13.0...v76.14.0

76.13.0

What's Changed

Fixes

• Fix regression from 76.12.0 in #2340
• Exclude unsupported response types in exception by @mikeroda in #2329
• CVE-2023-20883: Spring-Boot bump from 2.7.11 to 2.7.12 by @dependabot in #2332

Dependency Bumps

• build(deps): bump commons-io:commons-io from 2.11.0 to 2.12.0 by @dependabot in #2327
• build(deps): bump k8s.io/apimachinery from 0.27.1 to 0.27.2 in /k8s by @dependabot in #2330
• build(deps): bump k8s.io/api from 0.27.1 to 0.27.2 in /k8s by @dependabot in #2331
• build(deps): bump k8s.io/client-go from 0.27.1 to 0.27.2 in /k8s by @dependabot in #2333
• build(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 in /k8s by @dependabot in #2337
• Bump jackson 2.14.2 to 2.14.3 by @strehle in #2336

Misc

• Rrefactor while condition by @bruce-ricard in #2341

Full Changelog: v76.12.0...v76.13.0

DO NOT USE 76.12.0

DO NOT USE

Contains a regression with regards to OIDC IdPs. A fix has been included in release 76.13.0

What's Changed

Fixes

• KeyInfo fixes by @strehle in #2284
• fix: mysql 5 to mysql 8 back-and-restore by aligning collation shared in both mysql 5 and 8. by @Tallicia in #2326

Dependency Bumps

• build(deps): bump versions.seleniumVersion from 4.9.0 to 4.9.1 by @dependabot in #2319
• Upgrade Tomcat cargo version 9.0.75 by @strehle in #2321
• build(deps): bump jasmine-core from 4.6.0 to 5.0.0 in /uaa by @dependabot in #2323

Misc

• Fix flaky test by @strehle in #2314

Full Changelog: v76.11.0...v76.12.0