Releases: indigo-iam/iam

INDIGO Identity and Access Management Service v1.8.2

05 Jun 13:03

1.8.2 (2023-05-31)

Added

  • Introduced new admin scopes in order to access IAM API endpoints #562
    • Note: From this release, an administrator access token is not enough to have full access to IAM API endpoints. The added scopes (iam:admin.read and iam:admin.write) are now needed.
  • Bump Spring-Boot version to 2.6.14 #593

Fixed

  • Fix refresh token lifetime value in case of client credentials or implicit grant types #582
  • Add missing check on challenge code method for PKCE #583
  • Fix lifecycle end-time for suspended account #585
  • Cosmetic Group Manager dashboard fix #587
  • Properly update OAuth scope list in model after scope policies evaluation #588

INDIGO Identity and Access Management Service v1.8.1

02 Mar 15:17

1.8.1 (2023-02-28)

Added

  • Add scope management to IAM dashboard #500
  • Add the groups view for the group managers #536
  • Support for AARC-G069 guideline #553

Fixed

  • Fix /devicecode endpoint in cors endpoint matchers #535
  • Do not raise an exception when a scope policy is incorrect #526
  • Fix bug when updating user fields #512
  • Do not allow IAM to issue RT to users with expired AUP #503
  • Remove orphans from database #547
  • Prevent the VOMS AA from issuing ACs when the AUP has expired #552
  • Do not allow token refresh for disabled users #570
  • Do not allow disabled users to log in with x509 certificate #571
  • Apply the UsernameValidator whenever a username can be updated (e.g. SCIM API) #572
  • Fix unnamed clients and add missing edit button into clients view #573

Changed

  • Remove health endpoints forward #567
  • Disable the MITREid register endpoint for Dynamic Client Registration #567
  • Change default refresh token lifetime from infinity to 30 days #567
  • Add '@' and '.' as allowed characters for a registered username #572

Notes

The /health endpoint and its children have been moved to /actuator/health base path since IAM v1.8.0. Since IAM v1.8.1 the forward to the old endpoints has been removed.

INDIGO Identity and Access Management Service v1.8.0

09 Sep 20:25

1.8.0 (2022-09-09)

Added

  • Spring boot migration to version 2.6.6
  • Upgrade flyway to version 7.15.0
  • New clients management page for administrators on IAM dashboard
  • New clients registration page for users on IAM dashboard
  • Support for JWT-based client-authN
  • New Cache-Control to /jwk endpoint
  • Support for AARC G021 guideline
  • Support for AARC G025 guideline
  • Persistence layer migrations for MFA support
  • Group labels in user home page
  • New consent page

Fixed

  • Fix group names according to AARC G002
  • Fix update button bug
  • Fix tokens page failure following a username update
  • Fix tokens page failure due to a client deletion
  • Fix pagination in tokens component in IAM dashboard
  • Fix scope caching on client update
  • Fix validation for user's image URL
  • Fix support for JWK configuration
  • Fix missing wlcg.groups in userinfo response

Changed

  • The IAM_USE_FORWARDED_HEADERS configuration variable has been deprecated due to the Spring update and replaced by IAM_FORWARD_HEADERS_STRATEGY, which can be set to native or none. The same applies to the Test Client application, where IAM_CLIENT_USE_FORWARDED_HEADERS becomes IAM_CLIENT_FORWARD_HEADERS_STRATEGY.
  • The value of the IAM_CLIENT_SCOPES configuration variable is expressed as a list of space-delimited scopes.
  • The /health endpoint and its children have been moved to the /actuator/health base path. Requests are still forwarded to the old endpoints, but this forwarding will be removed in the next release.
    Email and external connectivity probes have been disabled by default; to enable them, the IAM_HEALTH_MAIL_PROBE_ENABLED and IAM_HEALTH_EXTERNAL_CONNECTIVITY_PROBE_ENABLED environment variables must be set to true.
  • Token exchange is not allowed if the actor and the subject are the same client and offline_access is among the requested scopes
  • Client redirect URIs and pre-registered URIs are compared using exact string matching

Deprecated

  • Manage Clients MitreID page for administrators
  • Self-service Client Registration MitreID page for users

Upgrading

  • If you are upgrading from IAM v1.7.2, please read the Changed section above.
  • If you are upgrading from an IAM version < 1.7.2, you MUST upgrade to v1.7.2 first. Otherwise the upgrade won't work, due to a problem described here.

Other notes

February 15th repackaging

On February 15th we built a new v1.8.0 image, tagged v1.8.0-2, that fixes a vulnerability in the angular-ui-bootstrap library: the library shipped a hidden '.DS_Store' file, which could give an attacker information about the structure and contents of the website.

docker pull indigoiam/iam-login-service:v1.8.0-2

INDIGO Identity and Access Management Service v1.7.2

03 Dec 12:57

1.7.2 (2021-12-03)

This release provides a single dependency change for the IAM login service
application.

Added

  • Upgrade flyway to version 4.2.0. This is needed to enable a smooth transition to
    the flyway version that will come with IAM v1.8.0 (which moves to Spring boot
    2.5.x) (#443)

INDIGO Identity and Access Management Service v1.7.1

11 Sep 13:48

1.7.1 (2021-09-13)

This release provides changes and bug fixes to the IAM test client application.

Added

  • The IAM test client application, in its default configuration, no longer exposes tokens, but only the
    claims contained in tokens. It's possible to revert to the previous behavior by setting the IAM_CLIENT_HIDE_TOKENS=false
    environment variable (#414)

Fixed

  • A problem that prevented the correct behaviour of the IAM test client has
    been fixed (#415)

INDIGO Identity and Access Management Service v1.7.0

31 Aug 16:16

1.7.0 (2021-09-02)

Added

  • IAM now enforces intermediate group membership (#400)

  • Support for X.509 managed proxies (#356)

  • Characters allowed in usernames are now restricted to the valid UNIX username
    characters (#347)

  • Support for including custom HTML content at the bottom of the login page has
    been added (#341)

  • Improved token exchange flexibility (#306)

  • CI has been migrated from Travis CI to GitHub Actions (#340)

  • IAM now allows linking SSH keys to an account (#374)

Fixed

  • A problem that prevented the deletion of dynamically registered clients under
    certain conditions has been fixed (#397)

  • Token exchange is no longer allowed for single-client exchanges that involve
    the offline_access scope (#392)

  • More flexibility in populating registration fields from SAML authentication
    assertion attributes (#371)

  • A problem with the userinfo endpoint disclosing too much information has been
    fixed (#348)

  • A problem that allowed the submission of multiple group requests for the same
    group has been fixed (#351)

  • A problem with the escaping of certificate subjects in the IAM dashboard has
    been fixed (#373)

  • A problem with the refresh of CRLs on the test client application has been
    fixed (#368)

Documentation

  • The IAM website and documentation have been migrated to a site based on
    Google Docsy, including improved documentation for the SCIM, Scope
    policy and Token exchange IAM APIs (#410)

INDIGO Identity and Access Management Service v1.6.0

31 Jul 13:09

Changelog

1.6.0 (2020-07-31)

Added

  • IAM now supports multiple token profiles (#313)

  • IAM now implements basic account lifecycle management (#327)

  • It is now possible to disable local authentication and only rely on brokered
    authentication (#330)

  • The editing of user profile information can now be disabled (#329)

  • IAM can now be configured to require authentication through an external
    identity provider at registration time (#328)

  • IAM now stores and manages a URL pointing to the AUP document instead of
    storing the AUP text in the database (#287)

  • IAM now allows customizing the size of the organization logo shown on the
    login and other pages (#280)

Fixed

  • A race condition that could lead to SAML login being blocked has been fixed
    (#334)

  • The applicant username is now included in the registration confirmation email
    (#325)

  • The "link external account" button is now disabled when no external IdP is
    configured (#323) and the registration page does not mention external IdPs
    when none are configured (#322)

  • A bug in the pagination handling of "Add to group" dialog has been fixed
    (#318)

  • The token management API no longer shows registration tokens (#312)

  • The token management API no longer exposes token values to privileged users
    (#308)

  • IAM no longer requires client authentication for the device code grant (#316)

  • A bug that prevented adding users to an IAM instance from the dashboard when
    registration is disabled has been fixed (#326)

INDIGO Identity and Access Management Service v1.5.0.RELEASE

17 Oct 07:38

1.5.0.RELEASE (2019-10-25)

Added

  • It is now possible to configure multiple external OpenID Connect providers
    (#229)

  • IAM now supports group managers (#231). Group managers can approve group
    membership requests.

  • It is now possible to define validation rules on external SAML and OpenID
    Connect authentications, e.g., to limit access to IAM based on entitlements
    (#297)

  • Real support for login hint on authorization requests: this feature allows a
    relying party to specify a preference on which external SAML IdP should be
    used for authentication (#230)

  • Improved scalability on user and group search APIs (#250)

  • IAM supports serving static local resources (#288); this support can be used,
    for instance, to locally serve custom logo images (#275)

  • Actuator endpoints can now be secured more effectively, by having dedicated
    credentials for IAM service deployers (#244)

  • It is now possible to configure IAM to include the scope claim in issued
    access tokens (#289)

  • Support for custom local SAML metadata configuration (#273)

  • Improved SAML configuration flexibility (#292)

Fixed

  • Stronger validation logic on user-editable account information (#243)

  • EduPersonTargetedID SAML attribute is now correctly resolved (#253)

  • The token management API now supports sorting (#255)

  • Orphaned tokens are now cleaned up from the database (#263)

  • A bug that prevented the deployment of the IAM DB on MySQL 5.7 has been
    resolved (#265)

  • Support for the OAuth Device Code flow is now correctly advertised in the IAM
    OpenID Connect discovery document (#268)

  • The device code default expiration is correctly set for dynamically
    registered clients (#267)

  • The updated_at user info claim is now correctly encoded as an epoch second
    (#272)

  • IAM now defaults to transient NameID in SAML authentication requests (#291)

  • A bug in email validation that prevented the use of certain email addresses
    during registration has been fixed (#302)

INDIGO Identity and Access Management Service v1.4.0

18 May 12:27

1.4.0 (2018-05-18)

Added

  • New paginated user and group search API (#217)

  • Support for login hint on authorization requests: this feature allows a
    relying party to specify a preference on which external SAML IdP should be
    used for authentication (#230)

  • Doc: documentation for the IAM group request API (#228)

Fixed

  • A problem that caused the device code expiration time to be set to 0 seconds
    for dynamically registered clients has been fixed (#236)

  • Dashboard: the tokens management section now shows a loading modal when
    loading information (#234)

  • Notification: a problem that caused a "null" string to be sent instead of
    the IAM URL in notifications has been fixed (#232)

INDIGO Identity and Access Management Service v1.3.0

12 Apr 17:49

1.3.0 (2018-04-12)

Added

  • New group membership requests API: this API allows users to submit requests
    for membership in groups, and provides administrators the ability to
    approve/reject such requests. Support for the API will be included in the IAM
    dashboard in a future release (#200)

  • IAM now includes additional claims in the issued ID token:
    preferred_username, email, organisation_name, groups (#202)

  • IAM now can be configured to include additional claims in the issued access
    tokens: preferred_username, email, organisation_name, groups. This
    behaviour is controlled with the IAM_ACCESS_TOKEN_INCLUDE_AUTHN_INFO
    environment variable (#208)

Fixed

  • Dashboard: a problem that prevented the correct setting of the token exchange grant for
    clients has been fixed (#223)

  • Dashboard: protection against double clicks has been added to approve/reject requests
    buttons (#222)

  • Dashboard: a broken import has been removed from the IAM main page (#215)

  • A problem in the tokens API that prevented the filtering of expired tokens
    has been fixed (#213)

  • Dashboard: token pagination is now correctly leveraged by the IAM dashboard
    in the token management page (#211)

  • Dashboard: the OpenID Connect account management panel is now hidden when Google
    authentication is disabled (#206)

  • Dashboard: the SAML account management panel is now hidden when SAML
    authentication is disabled (#203)