Version 6.2.3

Changelog

• #202 - Updated getting started pages for client and server.
• #214 - Added issuer identifier (RFC 9207) to mitigate mixup attacks.
• #234 - Update discovery page that the request parameter is not supported
• #247 - Device Flow consent page no longer skipped if using header authentication.
• #248 - OA4MP logos show up consistently on webpages
• #249 - Old functor engine removed from code base and no longer supported.
• #250 - Verifier class removed. Artifact from OAuth 1.0a that still had the unused code.
• #251 - Remove use of Apache command line utilities
• #252 - Client management endpoint return ersatz clients
• #253 - CLI: issuing update on an unknown key causes entire prompting for entire object.
• #254 - MyProxy code moved to separate module.
• #255 - CLC:, CLI: Update boostrap of CLI, CLC to reflect changes in the NCSA Security Library.
• #256 - JWK Util not setting default ID
• #257 - Setup scripts for Pelican. These are also example of how to do this.
• #260 - remove old TRX record tests. XML library changes break these, but they are testing an archaic serialization format that has not been supported since 2022.
• #261 - Port DBService to OA4MP
• #262 - Remove errant clean from maven build
• #263 - Document various the various authentication modes in OA4MP.
• #264 - Start upload to Maven central.
• #265 - Migrate away from Apache configuration
• #267 - NCSA LDAP claim source removed extra claim in ID token
• #268 - refreshed refresh token can access UserInfo endpoint.
• #269 - Return correct Content-Type of UTF-8 in client management servlet
• #270 - Bug causes "response object has been recycled" error in Tomcat
• #271 - When getting VI for a client, only raise error if client is in more than one VI
• #272 - CLI: help not initialized right because of NCSA Sec Lib parsing issue.
• #273 - CLI: Support for specifying indices with QDL syntax broke
• #274 - Wrong skin referenced for building website
• #275 - Java mail being added to wars as transitive maven dependency
• #276 - Store original request line for reference in QDL
• #278 - Missing column name in Derby SQL creation srcipt.
• #279 - Derby cannot compare CLOBs to text. Have to change column definition.

See also: QDL changes in https://github.com/ncsa/qdl/releases/tag/v1.6.2.2 and NCSA Security library changes at https://github.com/ncsa/security-lib/releases/tag/v6.2.2

Full Changelog: v5.6...v6.2.3

Version 6.2.2

Changelog

• #202 - Updated getting started pages for client and server.
• #214 - Added issuer identifier (RFC 9207) to mitigate mixup attacks.
• #234 - Update discovery page that the request parameter is not supported
• #247 - Device Flow consent page no longer skipped if using header authentication.
• #248 - OA4MP logos show up consistently on webpages
• #249 - Old functor engine removed from code base and no longer supported.
• #250 - Verifier class removed. Artifact from OAuth 1.0a that still had the unused code.
• #251 - Remove use of Apache command line utilities
• #252 - Client management endpoint return ersatz clients
• #253 - CLI: issuing update on an unknown key causes entire prompting for entire object.
• #254 - MyProxy code moved to separate module.
• #255 - CLC:, CLI: Update boostrap of CLI, CLC to reflect changes in the NCSA Security Library.
• #256 - JWK Util not setting default ID
• #257 - Setup scripts for Pelican. These are also example of how to do this.
• #260 - remove old TRX record tests. XML library changes break these, but they are testing an archaic serialization format that has not been supported since 2022.
• #261 - Port DBService to OA4MP
• #262 - Remove errant clean from maven build
• #263 - Document various the various authentication modes in OA4MP.
• #264 - Start upload to Maven central.
• #265 - Migrate away from Apache configuration
• #267 - NCSA LDAP claim source removed extra claim in ID token
• #268 - refreshed refresh token can access UserInfo endpoint.
• #269 - Return correct Content-Type of UTF-8 in client management servlet
• #270 - Bug causes "response object has been recycled" error in Tomcat
• #271 - When getting VI for a client, only raise error if client is in more than one VI
• #272 - CLI: help not initialized right because of NCSA Sec Lib parsing issue.
• #273 - CLI: Support for specifying indices with QDL syntax broke
• #274 - Wrong skin referenced for building website
• #275 - Java mail being added to wars as transitive maven dependency

See also: QDL changes in https://github.com/ncsa/qdl/releases/tag/v1.6.2.2 and NCSA Security library changes at https://github.com/ncsa/security-lib/releases/tag/v6.2.2

Full Changelog: v5.2.4...v6.2.2

version 6.2.1

Changelog

• #234 - Update discovery page that the request parameter is not supported
• #255 - update boostrap of CLI, CLC to reflect changes in the NCSA Security Library.
• #256 - JWK Util not setting default ID
• #257 - Setup scripts for Pelican. These are also example of how to do this.
• #260 - remove old TRX record tests. XML library changes break these, but they are testing an archaic serialization format that has been supported since 2022.
• #261 - Port DBService to OA4MP
• #262 - Remove errant clean from maven build
• #263 - Document various the various authentication modes in OA4MP.
• #264 - Start upload to Maven central.
• #267 - NCSA LDAP claim source removed extra claim in ID token
• #268 - refreshed refresh token can access UserInfo endpoint.
• #269 - Return correct Content-Type of UTF-8 in client management servlet

See also: QDL changes in https://github.com/ncsa/qdl/releases/tag/v1.6.2.1 and NCSA Security library changes at https://github.com/ncsa/security-lib/releases/tag/v6.2.1

Full Changelog: v5.2.4...v6.2.1

version 6.2.0

Changelog

• #234 - Update discovery page that the request parameter is not supported
• #255 - update boostrap of CLI, CLC to reflect changes in the NCSA Security Library.
• #256 - JWK Util not setting default ID
• #257 - Setup scripts for Pelican. These are also example of how to do this.
• #260 - remove old TRX record tests. XML library changes break these, but they are testing an archaic serialization format that has been supported since 2022.

See also: QDL changes in https://github.com/ncsa/qdl/releases/tag/v1.6.2.0 and NCSA Security library changes at https://github.com/ncsa/security-lib/releases/tag/v6.2.0

What's Changed

• Document retrieving all clients using the cmd tools by @GeorgianaElena in #43
• Do not assume an anonymous client is public. by @bbockelm in #81
• Bring up javadoc up to Java 11 standards by @bbockelm in #82

New Contributors

• @GeorgianaElena made their first contribution in #43
• @bbockelm made their first contribution in #81

Full Changelog: v5.2.4...v6.2.0

v6.1.0

Full Changelog: v6.0.3...v6.1.0

• #175 - support standard for well-known pages
• #181 - Scopes
• #203 - won't fix internal issue with JSP
• #220 - add sub as a parameter for client credential flow
• #232 - CLI: improve result set processing
• #238 - check if a string is null before casting
• #241 - set initial resource request in QDL runtime environment
• #242 - put back missing OA4MP index.html page that seems to be missing
• #243 - update ability to change client id. Make stores smart about related object (e.g. changing an id on a client whould update its approvals and permissions, not just leave the database littered with orphans)
• #244 - CLI: make client store status_search order by creation date, not id
• #245 - make set_id call aware of result sets
• #246 - LDAP errors not propagating back when invoked from QDL

version 6.0.3

Issues addressed

• #116 - link/unlink help in CLI updated
• #136 - NPE in logger on load in certain cases
• #181 - Device code flow does not apply header claim source rules
• #200 -- JWT utility online examples improved
• #201 - CLI throws ugly stack trace if server not running. This can still be seen if you use the -v switch at startup, but is otherwise suppressed.
• #202 - Rewrite getting started pages for client and server to point to the snazzy new installers
• #204 - Maven poms de-crufted substantially during package rename
• #205 - Rename packages for OA4MP to start with org.oa4mp
• #206 - callbacks no longer required on registration page. This supports device flow only clients
• #207 - Add in library entries for OA4MP directly, not in configuration file. These should be available everywhere so user's never have to see another Java class path
• #208 - internal class name migrator for 5.6 --> 6.0
• #209 - Support for the client credentials flow
• #210 - QDL CLC should resolve all reference when loading a configuration from an ini file
• #211 - Ersatz clients should be able to fork from any refresh token, not just the very first one.
• #212 - Post migration, the QDL ACL module was not completely initialized.
• #213 - The QDL runtime engine needs to completely initialize its state object before attempting to deserialize stored state.
• #214 - Support for RFC 9207
• #215 - inconsistent linking in documentation to downloads
• #216 - Rename "virtual organization" to "virtual issuer" since it is more descriptive.
• #217 - Audit documentation to refer to "virtual issuers"
• #218 - introspection endpoint assert incorrect exp claim
• #219 - client credentials flow no longer requires a subject.
• #221 - revise how ersatz clients are linked to provisioner in client management endpoint
• #222 - refresh of ersatz client not initialized correctly
• #224 - added service_client command to CLI
• #225 - add rm_by_client_id and stats commands to CLI
• #226 - only assert cert subject DN if the useris requesting a cert.
• #227 - MySQL vulnerability addressed
• #228 - QDL modules added coördinates of errors
• #229 - added index page for all PDFs

Full Changelog: v5.6...v6.0.3

v5.6

OA4MP Version 5.6

• #93 upkeep for unused clients.
• #117 - vet bad admin requests in the client management API
• #179 - wrong type name in documentation
• #186 - documentation of scopes was antiquated
• #187 - using Tomcat as the authz server was broken
• #192 -- added documentation for using RFC 7523 with OA4MP
• #193 - new installer created
• #194 -- jwt command line util documentation added.
• #195 - jwt command line tools now allows for setting a default key id when creating keys
• #196 - The OA4MP QDL distribution can now read a server configuration and pull out its QDL configuration, allowing you to run the exact same configuration locally.
• #197 -- RFC 7523 error handling much improved
• #198 - NCSA sec-lib changes required some updates in OA4MP
• #199 -- added ability to echo HTTP requests and response in CLC.

Full Changelog: v5.5...v5.6

v5.5

Full Changelog: v5.4.3...v5.5-rc2

• #141 - NPE during device code flow
• #149 - VO table asserts last_modified timestamp is a BigInt but tried to process it as a timestamp
• #150 - Client configuration improvements for CLC
• #151 - Update client management web page
• #152 - Default Refresh Token lifetime not being read from server config
• #153 - Get issuer from well-known page in command line client
• #154 - Add query facility for client management servlet
• #155 - Do not send original scopes as refresh/exchange scopes unless they are explicitly sent in the request
• #156 - Unused client cleanup deleting in-use clients
• #157 - Client should not check if an ID token was returned for pure OAuth clients on refresh
• #158 - Audit user id token claims in restrictive cases
• #161 - Improve test suite with introspection
• #163 - CLI remove client should remove the permissions
• #164 - RFC 7636 support for RFC 8628
• #165 - Template resolution for access token scopes should use originally returned scopes if none specified
• #166 - Refresh endpoint must check for required refresh token
• #167 - Track last login for clients
• #168 - approval_ts in client approval store not accurate
• #169 - Remove old client management tests
• #170 - Update testing harness to use in-memory and file store from Derby
• #171 - Retool unit tests for clients
• #174 - Cannot remove unmanaged clients in the CLI
• #176 - CM RT lifetime policy on create and update.
• #177 - CM assumes every admin client is in a VO.
• #178 - CM should assert expires_in for token exchange.
• #184 - NPE getting ersatz chain.

5.4.3

v5.4.3

5.4.3 release. Fix for https://github.com/ncsa/oa4mp/issues/155.

5.4.2

Fixes:

• #106
• #108
• #119
• #120
• #121
• #122
• #123
• #124
• #125
• #126
• #127
• #128
• #129
• #130
• #131
• #132
• #133

(The qdl.jar is for people that want to update their local install manually. Generally you should use the qdl-installer for a new install or even its update mode, which also updates all the documentation in the distribution too.)

NOTE: This version of OA4MP requires that the java mail file be upgraded to 1.6.7. Get the jar at https://repo1.maven.org/maven2/com/sun/mail/jakarta.mail/1.6.7/jakarta.mail-1.6.7.jar and follow the standard instructions at https://oa4mp.org/server/configuration/server-email.html