Changes to the OA4MP server by version.

3.5

  • Support for public clients.
  • CIL-409: Missing cert request in OIDC getcert call causes empty certificate to be returned.
  • CIL-414: Bug prevented accurately counting number of pending approvals.

Release Notes

Public clients are supported. It is assumed that the identifier is published publicly so that, for instance, a user can get a refresh token and then access tokens. No secret is needed to use a public client; however, access by a public client is severely restricted, almost exclusively to the openid scope for a user.

3.4

  • OAUTH-203: Clients may request supported scopes at registration time.
  • OAUTH-212: PEM encodings broken by change to Apache base 64 codec.
  • OAUTH-213: Make TLS version configurable in the SSL configuration.
  • OAUTH-217: Added discovery, in a server/.well-known/openid_configuration.
  • CIL-339: EPTID mismatch handled as a separate case.
  • CIL-344: Client management API created. Sample scripts created as well.
  • CIL-356: Clients may have individual LDAP configurations.
  • CIL-371: Added claim for cert_subject_dn to be returned for the org.cilogon.userinfo scope.
  • CIL-378: Clients with same creation timestamp are not all displayed in CLI.
  • CIL-388: Server wars now include more meta information in the META-INF/MANIFEST.MF file about the build.
  • CIL-396: More client information in email notification at registration for OIDC clients.
  • CIL-404: Errors in the getCert servlet should throw an exception.
  • CIL-405: Default for all new clients at registration is to enable ID token signing.
  • Java object serialization issue: Updated dependencies on Apache commons-collections to 3.2.2.
  • Removed legacy unused Java object serialization from backend file store.

3.4 Release notes

Note that in this release of OA4MP there are two new tables that are required if the server uses SQL-based storage: one for admin clients and another for permissions. If the user (i.e., as defined in the configuration file that accesses the data) has create permission in the database, then the tables will be automatically created. If not, then you must create them manually using one of the scripts found here.

You must also create signing keys for OIDC. This is done with the command line tool

Signing of ID tokens is now the default on the server. However, since older clients may not support this, the default is to disable signing of ID tokens for all clients. Older OA4MP clients will break if signing is enabled and they are at an earlier version (3.3 and before). Also, some installations of the mod_auth_openidc client that cache the .well-known file have been known to break when talking to a 3.4 server. Please upgrade the .well-known file to the latest version on the server.

3.3

  • CIL-252: Scope handler which queries LDAP for user attributes.
  • CIL-264: Document examples using the cURL command.
  • CIL-268: Added sample OA4MP OIDC configuration to web documentation.
  • CIL-273: LDAP support for OA4MP.
  • CIL-286: Failed client registration not cleaned up.
  • CIL-299: "Max retries exceeded" message from MariaDB connection pool. This was because the method in question was only partially synchronized.
  • CIL-309: Refresh token fixes and improvements.
  • CIL-312: Null pointer exception when parsing URIs. The built-in URI parser mishandles certain inputs and would throw an NPE when parsing. These cases are now handled to prevent this.
  • CIL-317: Exception setting transaction state if the user waits to finish the exchange until after the initial grant has expired and been garbage collected.
  • CIL-319: Indicate in the DN whether the user is from an InCommon or eduGAIN IdP.
  • CIL-320: DB Service fix to get information to resolve CIL-319.
  • CIL-324: Attempting to send many email notifications at once causes failures.
  • CIL-359: ID tokens must be signed by the server.
  • OAUTH-189: Invalid nonce causes reload of authorization page to fail.
  • OAUTH-191: Defer connecting to MyProxy until the getCert call, if possible.
  • OAUTH-194: OIDC token endpoint should return error with status of 400.
  • OAUTH-196: Documentation needs updating after file name change internally.
  • OAUTH-197: Testing from the command line documentation shows sending the secret to the authorization endpoint, which is not in the specification.
  • OAUTH-198: Pass the HTTPServletRequest to the basic scope handler. This allows implementors more flexibility.
  • OAUTH-199: Pass HttpServlet request to custom scope handlers.
  • OAUTH-200: Connection pooling does not clean out stale connections.
  • OAUTH-201: Username incorrectly flagged as the primary key for the asset table, causing an error on updates.
  • OAUTH-202: Tomcat 6 is not supported for this release of OA4MP. You must have version 7 or higher.
  • OAUTH-206: Refresh token lifetime limited. A logic bug made the lifetime of refresh tokens decrease on refresh, eventually yielding invalid refresh tokens. All refresh tokens now are valid for the full requested time.
  • OAUTH-208: Remove dependency on the one-jar plugin for building executable jars, since it is no longer supported.
  • OAUTH-209: Remove dependency on Google Code's maven repository.
  • OAUTH-215: Default secret key length for new OIDC clients set to 512 bytes.
  • Added new command line client for testing purposes.

3.2.1

  • CIL-101: (reopened with an additional parameter for the overloaded MyProxy username)
  • CIL-210: Return CILogon-specific claims from the getUserInfo endpoint.
  • CIL-211: New attributes for the user, affiliation, display name and organizational unit.
  • CIL-227: Refresh token lifetimes should be ignored if not enabled on the server.
  • CIL-231: EPPN and EPTID no longer omitted from X509v3 extension.
  • CIL-234: Fermi National Lab specific distinguished names, along with a configuration option for the server to disable generation of these.
  • CIL-240: Update for items from command line not working.
  • CIL-257: Unwanted serial string changes on user updates.
  • CIL-258: Allow OGS CA to omit version number from certification requests since MyProxy accepts these.
  • CIL-260: Allow for restoring archived users from command line.
  • OAUTH-184: Additional claims returned from the getToken endpoint.
  • OAUTH-192: Enabling use of the remote user header from an external authorization module could allow a user to change their name.
  • OAUTH-193: Empty responses to cert request.

3.2

  • OAUTH-181: Updated server walkthrough.
  • OAUTH-183: Update documentation for using remote user.
  • OAUTH-184: Plugin capability for additional OIDC claims.
  • OAUTH-185: Support for custom scopes and additional claims.
  • OAUTH-188: Fixed broken links in the getting-started page.
  • CIL-194: Searching for MyProxy servers in CILogon now uses standard OA4MP libraries.
  • CIL-196: ServerDN option in configuration can now be overridden in the MyProxy tag.
  • CIL-197: Propagating MyProxy changes to CILogon.
  • Added PKCS 7 encoding support to the certificate utility.

3.1.1

  • OAUTH-180: Support OIDC servers that do not use a nonce.
  • CIL-101: Add setTransaction state call.
  • CIL-136: Documenting the OAuth 2.0 authorized servlet.
  • CIL-141: Improve pinging servers.
  • CIL-170, CIL-171: Missing log4j properties restored.
  • CIL-172: Multiple LIGO IdPs supported.
  • CIL-173: Fix handling of incorrect password.

3.1.0

  • CIL-194: CILogon server only returns cert from last MyProxy server.
  • CIL-196: Server DN override in MyProxy configuration not read.

3.1

3.0

  • Java 8 support: Due to internal changes to Java, this release requires Java 8 and will not work with previous versions of Java.
  • OAUTH-164: Support for id_tokens in OAuth 2 module.
  • OAUTH-165: Passing the skin parameter in with the initial request.
  • OAUTH-168: Making OA4MP for OAuth 2.0 spec. compliant.
  • OAUTH-169: Removed "error url" from the OAuth 2 registration page.
  • OAUTH-170: Typo in online documentation. Tags in the examples were corrected to <service>.
  • OAUTH-171: MyProxy Logon now supports setting the socket timeout.
  • OAUTH-172: Expose MyProxy socket timeout in OA4MP configuration.
  • OAUTH-173: Improved error message on session timeout.
  • OAUTH-174: Error handling in OAuth 2 component.
  • OAUTH-175: Possible concurrency issue with MariaDB connections.
  • OAUTH-176: Specify DN (distinguished name) for MyProxy server(s).
  • OAUTH-177: Documentation for the new server DN option.

1.3

  • OAUTH-162: Client secret must be sent on access token request but not on authorization request.
  • OAUTH-163: State must be returned in OAuth 2 component with authorization response callback.

1.2.1

  • OAUTH-127: MyProxyLogon website updated to point to current release.
  • OAUTH-129: Sorting entries with the CLI ls command. Before there was no sorting; now it is done by client ID or date, where applicable.
  • OAUTH-134: Updating documentation on how to run a monitor.
  • OAUTH-154: Removed possible redundant/conflicting maven dependencies.
  • OAUTH-156: Turn off default logging for MyProxyLogon. This permits use of the MyProxyLogon module as a library without getting logging messages to the console (the previous default).
  • OAUTH-157: Client registration page not saving client secret under OAuth 1.0a protocol.
  • OAUTH-158: Updated links on generic client registration page to current documentation.
  • OAUTH-159: Update documentation for this release.
  • OAUTH-160: Regularize and improve version reporting at component (CLI, client, server) startup.

1.2

  • OAUTH-131: Improved client registration for OAuth 2 servers.
  • OAUTH-149: Remove support for MyProxyLogon to use SSL version 3. (This mitigates the POODLE attack.)
  • OAUTH-152: Do not show detailed MyProxy error message if authorization fails.
  • OAUTH-153: Improved logging for MyProxy errors and successes.
  • OAUTH-155: Updated documentation to explain new OAuth 2 client registration process.

1.1.3

  • OAUTH-139: CLI might return an incorrect list of items after several updates.
  • OAUTH-140: MyProxy component didn't quite log completely to the configured log file.
  • OAUTH-141: Improved client/server walkthrough. This is documentation that permits an administrator to deploy both a client and server locally with a self-signed cert for testing purposes.
  • OAUTH-143: Enabling the Globus DN option should have had better documentation pointing at the server requirements for JGlobus.
  • OAUTH-144: Jetty version was incorrect, causing certain build issues. This was standardized on version 6.1.26 to ensure consistent builds.
  • OAUTH-147: Potential cleanup thread failure with a filestore. If a filestore is used and one of the files is corrupted (e.g. due to a system crash at the time of writing it) then the cleanup thread would fail to start. Now such corrupted files are simply logged in catalina.out and ignored otherwise.
  • OAUTH-148: Maria DB support added.

1.1.2

  • OAUTH-112: Servlet initialization is injected now, decoupling it more from Tomcat startup.
  • OAUTH-113: MyProxy does not handle PAM challenges. The documentation has been updated with a link to the appropriate page on the MyProxy website where this is discussed.
  • OAUTH-117: Server install walkthrough updated and improved to reflect changes (in particular, it now makes use of the resolution of OAUTH-110).
  • OAUTH-118: Build error in Maven caused OAuth 2 command line tools to issue an NPE in certain cases.
  • OAUTH-119: Loading objects into the CLI that do not have identifiers caused an NPE. This could only arise really if someone directly edited an entry in a text editor (e.g. if the installation was backed by a filestore). In that case it would not be possible to load any objects from that store into the CLI, preventing editing of them.
  • OAUTH-120: The new -component flag allows an administrator to start the CLI with the named component as an argument. E.g. rather than start the CLI and use the approval component, just issue
    ./oa4mp-cli -component approvals
  • OAUTH-125: "About" and "Overview" links on website were broken.
  • OAUTH-126: Website now lists the version number with the "latest" link.
  • OAUTH-130: Documentation amended to clarify which version of OA4MP (based on OAuth 1.0a or OAuth 2.0) to use.
  • OAUTH-133: Configuration option to convert standard DN to (legacy) Globus identifiers. This is mostly useful for installations that have been using Globus for a very long time.
  • OAUTH-135: Failures in authentication were not displaying the correct message. They should route the user back to the login page for another attempt.

1.1.1

  • OAUTH-105: Added support for file includes to configuration files.
  • OAUTH-105: Added checks to prevent cycles in aliases and files.
  • OAUTH-106: Adding fully qualified host name to client approval notifications.

1.1

  • OAUTH-47: Now supports building with Maven 3.0+. There was an issue with an earlier pom version that prevented this.
  • Support for OAuth 2 protocol. This includes full server and client support as well as various supported stores (mysql, postgres, files) and admin tools.
  • OAUTH-94: Fix for passthrough of Shibboleth attributes. A username transformation interface has been created. This will be invoked immediately before the call to MyProxy. Users that wish to customize this may do so by implementing the interface and setting it in the environment at server startup.
  • OAUTH-96: A check for a bad PKCS10 CSR (missing version number, which must be set to 0) created by pyOpenSSL is now in place and an informative message is issued. Earlier, the Bouncy Castle code allowed this; Sun's does not.
  • OAUTH-99: Old documentation at Science Gateway Security site removed. Everything is redirected to this site now.
  • OAUTH-102: No username returned with cert in certain cases. Fixed.

1.0.7

  • Added support to make using log4j optional. It had been disabled, which interfered with some installations.
  • Fixed bug OAUTH-90.
  • Fixed bug OAUTH-94. This adds a configuration option to return the DN of the user's cert as the username.
  • All new command line tools that allow for managing clients and approvals.
  • Changed client index page to be more up to date.
  • Removed all explicit references to Bouncy Castle. This should prevent future jar pollution from incompatible versions. JGlobus still uses it, though.
  • Set mysql and postgres jars to be provided rather than included in the release so that projects that need only a single type of storage are not required to install both of these.

1.0.6

  • Version number is now printed to the console whenever the server starts up.
  • Support for authentication using the REMOTE_USER (or any other) header.
  • Improved error handling on the server, especially in cases where the MyProxyLogon client encounters a runtime exception.
  • OAUTH-80: Errors resulting from the broken JGlobus build will be resolved by their conforming to standard Maven practices.
  • OAUTH-83: Fix for documentation error in configuring mail addresses.
  • OAUTH-84: Failure to return a complete certificate chain from MyProxy in a certain case.
  • OAUTH-85: Failure to configure logging could result in an error. The default is to dump everything into the Tomcat logs.
  • Use of new JGlobus release 2.0.5.
  • Bouncy Castle version set to 1.43 to support JGlobus release 2.0.5.
  • Added signatures for the latest downloadable war.

1.0.5

  • Support for limited proxy generation. Allows the server to generate a public/private keypair and issue a limited proxy. The result is a certificate chain.
  • Deny HTTP header. This sets the HTTP header to "deny", which prevents clickjacking attacks.
  • Added logging support. Standard Java logging is now available and configurable.
  • Default MyProxy server on localhost. If no MyProxy server is specified, one is assumed to be running on localhost.
  • Improved admin tools. In particular, improved the CLI to give more readable messages.
  • Improved SQL install scripts.
  • Links in the documentation to the latest versions of these scripts.
  • More and better documentation.

Last modified 10/30/17.
©2000-2013 Board of Trustees of the University of Illinois.