Changes to the OA4MP server by version.


  • CIL-352: CILogon previous subject issue. In some cases in CILogon, the country should be US and is not archived this way when updating. This really is just a minor annoyance.
  • CIL-493: Extra scopes that have not been approved for a client are ignored, as per the spec.
  • CIL-503: Creating a new user results in a serial string with the same index.
  • CIL-518: Remove zero length files. This now has a flag to enable/disable this in the configuration. It is only an issue if a server is using file storage. Look at the file store documentation to learn more.
  • CIL-525: Added a file-based claim source in addition to claim sources from LDAP, headers and such. This allows server to manage either all their claims or have a repository for very specific ones.
  • CIL-566: Fire email for admin client registration. NOTE: the reason this failed at one point was because of an upgrade from Java 8 to Java 11. Please see the email configuration documentation for the details of getting this to work. Basically you need to include on more file.
  • CIL-567: Support for RFC 7592, updating and removing client information.
  • CIL-570: Better return codes when creating a transaction fails.
  • CIL-575: List of failure codes from create transaction failure.
  • CIL-576: The CLI should use the same logic as the registration form for callback URLs. This means allowing for calls to http://localhost, e.g.
  • CIL-579: Last modified date added to all clients. When a client is saved, this is updated. Note that this will update database tables autoamtically.
  • CIL-586: return list of scopes if different from what is requested. As per the spec. if a client requests a set of scopes but the server does not honor any of them, a list of what the server will honor is returned.
  • CIL-609: remove blank lines in callback uri list when registering a new client.
  • CIL-612: Limit number of OAuth clients than an admin can register.

Other things to note in this release is the the CLI now supports setting environment variables both in a file (either a Java properties file or a JSON object in a file) and from the command line.


  • Added support for turning on/off OIDC abilities in the configuration file with the OIDCEnabled flag.
  • CIL-467:Eliminate init endpoint (this was very specific to CILogon).
  • CIL-490: Added a check box on the client registration form to allow marking a client as public. Note that this will automatically set the scopes to only "openid".
  • CIL-506: Support for the OAuth dynamic client registration specification is added.
  • CIL-515:demo client will now show the id token and information about it
  • CIL-532: eduPersonEntitlement support. Generally all additional attributes that Shibboleth sends are now returned as claims unless specifically omitted.
  • CIL-535: configuration snippets are now stored and may be accessed generally in other client configurationd. This allows for the practical inheritance of configurations.
  • CIL-545:Accept a wider range of redirects during client registration. Redirect URIs may be to any domain if the scheme is https. If the scheme is http then only redirects to localhost or a reserved private range such as 192.168.x.x are allowed. If the scheme is not http or https, any domain is allowed. This last feature is needed for mobile device support.


  • CIL-476: Allow for setting reply-to header in email notifications
  • CIL-491: Public clients get a trivial ID token when they get an access token. This allows certain services like kubernetes to check the timestamps and the ID token.
  • CIL-499: Check that certain claims are present before returning them. This prevents an unruly script from creating an unsuable claims object.
  • CIL-501: CLI displays multiple attributes when fully listing a client.
  • CIL-505: (in the DB service) Return a better error message if a request times out.
  • CIL-508: CLI should be able to list all clients for a given admin. In the admin module, this is the list_clients command.
  • CIL-512: Support for LIGO Robot DNs added
  • CIL-513: HTTP headers claim source should be configurable to ignore certain returned claims, since in a proxying situation, these may be for the proxy, not for the requesting client.
  • CIL-517: Requests to the service using POST should be refused unless the encoding is only form URL.
  • CIL-519: Client Management should return an uploaded cfg object when querying the client's attributes.


This is a major upgrade and rewrite of the OA4MP system and is the result of a great deal of feedback and experience.

  • CIL-332: Error esponses should be JSON format with HHTP status 400.
  • CIL-365: Setting scope = org.cilogon.userinfo should return an oidc claim if there is one.
  • CIL-408: OAuth 1 command line client should not look for admin client stores on startup.
  • CIL-417: Set subject claim to EPPN in certain cases
  • CIL-422: Restrict access based on group membership.
  • CIL-425: More flexible scope handling
  • CIL-435: Return group number with group information
  • CIL-436: LSST isMemberOf validation endpoint. See the doc here
  • CIL-443: CILogon isMemberOf should parse the NCSA's LDAP information into a standard format
  • CIL-448: Odd claims from surge. This requires checking eppn by domain and restricting access accordingly.
  • CIL-460: Admin service rejects attempts by clients to update themselves.
  • CIL-462: Get acr claim and return in id token
  • CIL-464: Allow for customizing identifier scheme via configuration.
  • CIL-467: Eliminate init endpoint for OIDC version.
  • CIL-477: Set voPersonExternalID. This may be done with server-side scripting now.
  • CIL-479: Issue isMemberOf claim based on IDP and SAML attributes.
  • CIL-494: Allow public clients to access user information endpoint. The response is trivial since they are only allowed the openid scope.
  • CIL-498: After error on cleitn registration page, no scopes displayed.
  • github #10: Allow CLI to edit scopes
  • Support for functors in client configurations.

Many updates, including the introduction of functor-based scripting. There is also a document relating to CIL-436 and a JWT token parsing endpoint. The major change is allowing for a full scripting language to configure client behaviors. This is what effectively solved most of the above issues.

The command line interface (CLI) now supports exporting and importing records from a file with the serialize and deserialize commands. For SQL stores, there is also a new search function that allows for limited but very useful searches. Most of the unit tests have been improved or rewritten.


  • CIL-430: Credentials sent in authorization header are to be URL encoded.


  • Support for public clients.
  • CIL-409: Missing cert request in OIDC getcert call causes empty certificate to be returned.
  • CIL-414: Bug prevented accurately counting number of pending approvals.
  • CIL-426: Send admins an email when there are too many pending approvals.
  • CIL-427: Improve handling of approvals so that unapproved, pending and revoked approvals can be tracked.

Release Notes

Public clients are supported. It is assumed that the identifier is published publicly so that, for instance a user can get a refresh token and then access tokens. No secret is needed to use a public client, however access by a public client is severely restricted, almost exclusively to the openid scope for a user.


  • OAUTH-203: Clients may request supported scopes at registration time.
  • OAUTH-212: PEM encodings broken by change to Apache base 64 codec.
  • OAUTH-213: Make TLS version configurable in the SSL configuration.
  • OAUTH-217: Added discovery, in a server/.well-known/openid_configuration.
  • CIL-339: EPTID mismatch handled as a separate case.
  • CIL-344: Client management API created. Sample scripts created as well.
  • CIL-356: Clients may have individual LDAP configurations.
  • CIL-371: added claim for cert_subject_dn to be returned for the org.cilogon.userinfo scope.
  • CIL-378: Clients with same creation timestamp are not all displayed in CLI.
  • CIL-388: Server wars now include more meta information in the META-INF/MANIFEST.MF file about the build.
  • CIL-396: More client information in email notification at registration for OIDC clients.
  • CIL-404: Errors in the getCert servlet should throw an exception.
  • CIL-405: Default for all new clients at registration is to enable ID token signing.
  • Java object serialization issue: Updated dependencies on Apache commons-collections to 3.2.2.
  • Removed legacy unused Java object serialization from backend file store.

3.4 Release notes

Note that in this release of OA4MP there are two new tables that are required if the server uses SQL -based storage. One for admin clients and another for permissions. If the user (i.e., as defined in the configuration file that accesses the data) has create permission in the database, then the tables will be automatically created. If not, then you must create them manually using one of the scripts found here.

You must also create signing keys for OIDC. This is done with the command line tool

Signing of ID tokens is now the default on the server. However, since older clients may not support this, the default is to disable signing of ID tokens for all clients. Older OA4MP clients will break if signing is enabled and they are at an earlier version (3.3 and before). Also, some installations of the mod_auth_openidc client that cache the .well-known file have been known to break when talking to a 3.4 server. Please upgrade the .well-known file to the latest version on the server.


  • CIL-252: Scope handler which queries LDAP for user attributes.
  • CIL-264: Document examples using the cURL command.
  • CIL-268: Added sample OA4MP OIDC configuration to web documentation.
  • CIL-273: LDAP support for OA4MP.
  • CIL-286: Failed client registration not cleaned up.
  • CIL-299: "Max retries exceeded" message from MariaDB connection pool. This was because the method in question was only partially synchronized.
  • CIL-309: Refresh token fixes and improvements.
  • CIL-312: Null pointer exception when parsing URIs. The built-in parser for URIs is rather stupid in certain cases and would throw an NPE when parsing. This is now being handled better to prevent this.
  • CIL-317: exception setting transaction state if use waits to finish exchange until after initial grant has expired and garbage collected.
  • CIL-319: Indicate in DN if the user is from and InCommon or eduGain IDP.
  • CIL-320: DB Service fix to get information to resolve CIL-319.
  • CIL-324: Attempting to send many email notifications at once causes failures.
  • CIL-359: ID tokens must be signed by the server.
  • OAUTH-189: Invalid nonce causes reloadof authorization page to fail.
  • OAUTH-191: Defer connecting to MyProxy until the getCert call, if possible.
  • OAUTH-194: OIDC token endpoint should return error with status of 400.
  • OAUTH-196: Documentation needs updating after file name change internally.
  • OAUTH-197: Testing from the command line documentation shows sending the secret to the authorization endpoint, which is not in the specification.
  • OAUTH-198: Pass the HTTPServletRequest to the basic scope handler. This allows implementors more flexibility.
  • OAUTH-199: Pass HttpServlet request to custom scope handlers.
  • OAUTH-200: Connection pooling does not clean out stale connections.
  • OAUTH-201: Username incorrectly flagged as the primary key for the asset table, causing and error on updates.
  • OAUTH-202: Tomcat 6 is not supported for this release of OA4MP. You must have at least version 7 or higher.
  • OAUTH-206: Refresh token lifetime limited. A logic bug made the lifetime of refresh tokens decrease on refresh, eventually yielding invalid refresh tokens. All refresh tokens now are valid for the full requested time.
  • OAUTH-208: Remove dependeny on one-jar plug in for building executable jars, since it is no longer supported.
  • OAUTH-209: Remove dependency on Google Code's maven repository.
  • OAUTH-215: default secret key length for new OIDC clients set to 512 bytes.
  • Added new command line client for testing purposes.


  • CIL-101: (reopened with an additional parameter for the overloaded myproxy username)
  • CIL-210: Return CILogon specific claims fromthe getUserInfo endpoint.
  • CIL-211: New attributes for the user, affiliation, display name and organizational unit.
  • CIL-227: Refresh token lifetimes should be ignored if not enabled on the server.
  • CIL-231: EPPN and EPTID no longer omitted from X509v3 extension.
  • CIL-234: Fermi National Lab specific distinguished names, along with a configuration option for the server to disable generation of these.
  • CIL-240: update for items from command line not working.
  • CIL-257: Unwanted serial string changes on user updates
  • CIL-258: Allow OGS CA to omit versio number from certification requests since MyProxy accepts these.
  • CIL-260: Allow for restoring archived users from command line.
  • OAUTH-184:Additional claims returned from the getToken endpoint.
  • OAUTH-192: Enabling use of the remote user header from an external authorization module could allow a user to change their name.
  • OAUTH-193: Empty responses to cert request.


  • OAUTH-181: Updated server walkthrough.
  • OAUTH-183: Update documentation for using remote user.
  • OAUTH-184: Plugin capability for additional IODC claims.
  • OAUTH-185: Support for custom scopes and additional claims.
  • OAUTH-188: Fixed broken links in the getting-started page.
  • CIL-194: Searching for MyProxy servers in CILogon now uses standard OA4MP libraries.
  • CIL-196: ServerDN option in configuration now can be over-ridden in the MyProxy tag.
  • CIL-197: Propagating MyProxy changes to CILogon.
  • Added PKCS 7 encoding support to the certificate utility


  • OAUTH-180: Support OIDC servers that do not use a nonce.
  • CIL-101: Add setTransaction state call.
  • CIL-136: Documenting the OAuth 2.0 authorized servlet.
  • CIL-141: Improve pinging servers
  • CIL-170, CIL-171: Missing log4j properties restored.
  • CIL-172: Multiple LIGO IdPs supported.
  • CIL-173: Fix handling of incorrect password.


  • CIL-194: CILogon server only returns cert from last Myproxy server
  • CIL-196: server DN override in myproxy configuration not read.



  • Java 8 support: Due to internal changes to Java, this release requires Java 8 and will not work with previous versions of Java.
  • OAUTH-164: Support for id_tokens in OAuth 2 module
  • OAUTH-165: Passing the skin parameter in with the initial request.
  • OAUTH-168: Making OA4MP for OAuth 2.0 spec. compliant.
  • OAUTH-169: Removed "error url" from the OAuth 2 registration page
  • OAUTH-170: Typo in online documentation. Examples had tags corrected to <service>
  • OAUTH-171: MyProxy Logon now supports setting the socket timeout.
  • OAUTH-172: Expose MyProxy socket timeout in OA4MP configuration.
  • OAUTH-173: Improved error message on session timeout.
  • OAUTH-174: Error handling in OAuth 2 component.
  • OAUTH-175: Possible concurrency issue with MariaDB connections.
  • OAUTH-176: Specify DN (distinguished name) for MyProxy server(s).
  • OAUTH-177: Documentation for the new server DN option.


  • OAUTH-162: Client secret must be sent on access token request but not on authorization request.
  • OAUTH-163: State must be returned in OAuth 2 component with authorization response callback.


  • OAUTH-127: MyProxyLogon website updated to point to current release.
  • OAUTH-129: Sorting entries with the the CLI ls command. Before there was no sorting, now it is done by client ID or date, where applicable.
  • OAUTH-134: Updating documentation on how to run a monitor.
  • OAUTH-154: Removed possible redundant/conflicting maven dependencies.
  • OAUTH-156: Turn off default logging for MyProxyLogon. This permits use of the MyProxyLogon module as a library without getting logging messages to the console (the previous default).
  • OAUTH-157: Client registration page not saving client secret under OAuth 1.0a protocol.
  • OAUTH-158: Updated links on generic client registration page to current documentation.
  • OAUTH-159: Update documentation for this release.
  • OAUTH-160: Regularize and improve version reporting at component (CLI, client, server) startup.


  • OAUTH-131: Improved client registration for OAuth 2 servers.
  • OAUTH-149: Remove support for MyProxyLogon to use SSL version 3. (This mitigates the POODLE attack.)
  • OAUTH-152: Do not show detailed MyProxy error message if authorization fails.
  • OAUTH-153: Improved logging for MyProxy errors and successes.
  • OAUTH-155: Updated documentation to explain new OAuth 2 client registration process.


  • OAUTH-139: CLI might return an incorrect list of items after several updates.
  • OAUTH-140: MyProxy component didn't quite log completely to the configured log file.
  • OAUTH-141: Improved client/server walkthough. This is documentation that permits an administrator to deploy both a client and server locally with a self-signed cert for testing purposes.
  • OAUTH-143: Enabling the Globus DN option should have had better documentation pointing at the server requirements for JGlobus.
  • OAUTH-144: Jetty version was incorrect, causing certain build issues. This was standardized on version 6.1.26 to ensure consistent builds.
  • OAUTH-147: Potential cleanup thread failure with a filestore. If a filestore is used and one of the files is corrupted (e.g. due to a system crash at the time of writing it) then the cleanup thread would fail to start. Now such corrupted files are simply logged in catalina.out and ignored otherwise.
  • OAUTH-148: Maria DB support added.


  • OAUTH-112: Servlet initialization is injected now, decoupling it more from Tomcat startup.
  • OAUTH-113: MyProxy does not handle PAM challenges. The documentation has been updated with a link to the appropriate page on the MyProxy website where this is discussed.
  • OAUTH-117: Server install walkthrough updated and improved to reflect changes (in particular, it now makes us of the resolution of OAUTH-110).
  • OAUTH-118. Build error in maven caused OAuth2 command line tools to issue an NPE in certain cases.
  • OAUTH-119: Loading objects into the CLI that do not have identifiers caused an NPE. This could only arise really if someone directly edited an entry in a text editor (e.g. if the installation was backed by a filestore). In that case it would not be possible to load any objects from that store into the CLI, preventing editing of them.
  • OAUTH-120: The new -component flag allows an administrator to start the CLI with the named component as an argument. E.g. rather than start the CLI and use the approval component, just issue
    ./oa4mp-cli -component approvals
  • OAUTH-125: "About" and "Overview" links on website were broken.
  • OAUTH-126: Website now lists the version number with the "latest" link.
  • OAUTH-130: Documentation amended to clarify which version of OA4MP (based on OAuth 1.0a or OAuth 2.0) to use.
  • OAUTH-133: Configuration option to convert standard DN to (legacy) Globus identifiers. This is mostly useful for installations that have been using Globus for a very long time.
  • OAUTH-135: Failure in authentication were not displaying the correct message. They should route the user back to the login page for another attempt.


  • OAUTH-105:Added support for file includes to configuration files.
  • OAUTH-105: Added checks to prevent cycles in aliases and files
  • OAUTH-106: Adding fully qualified host name to client approval notifications.


  • OAUTH-47 Now supports building with maven 3.0+ There was an issue with earlier an pom version that prevented this.
  • Support for OAuth 2 protocol. This includes full server and client support as well as various supported stores (mysql, postgres, files) and admin tools.
  • OAUTH-94: Fix for passthrough of Shibboleth attributes. A username transformation interface has been created. This will be invoked immediately before the call to MyProxy. Users that wish to customize this may do so by implementing the interface and setting it in the environment at server startup.
  • OAUTH-96: Check for a bad PKCS10 CSR (missing version number which must be set to 0) created by pyOpenSSL is now in place and an informative message is now issued. Earlier the Bouncy Castle code allowed for this, Sun does not.
  • OAUTH-99: Old documentation at Science Gateway Security site removed. Everything is redirected to this site now.
  • OAUTH-102: No username returned with cert in certain cases. Fixed.


  • Added support to make using log 4j optional. It had been disabled which interfered with some installations.
  • Fixed bug OAUTH-90.
  • Fixed bug OAUTH-94. This adds a configuration option to return the DN of the user's cert as the username.
  • All new command line tools that allow for managing clients and approvals.
  • Changed client index page to be more up to date.
  • Removed all explicit references to Bouncy Castle. This should prevent future jar pollution from incompatible versions. JGlobus still uses this though....
  • Set mysql and postgres jars to be provided rather than included in the release so that projects that need only a single type of storage are not required to install both of these.


  • Version number is now printed to the console whenever the server starts up.
  • Support for authentication using the REMOTE_USER (or any other) header.
  • Improved error handling on the server, especially in cases where the MyProxyLogon client encounters a runtime exception.
  • OAUTH-80: errors resulting from JGlobus broken build will be resolved by their conforming to standard maven practices
  • Fix for OAUTH-83 documentation error in configuring mail addresses
  • OAUTH-84 failure to return a complete certificate chain from MyProxy in a certain case
  • OAUTH-85 failure to configure logging could result in an error. Default is to dump everything into the tomcat logs.
  • Use of new JGlobus release 2.0.5.
  • Bouncy Castle version set to 1.43 to support JGlobus release 2.0.5.
  • Added signatures for the lastest downloadable war.


  • Support for limited proxy generation. Allows the server to generate a public/private keypair and issue a limited proxy. The result is a certificate chain.
  • Deny HTTP header. This sets the HTTP header to "deny" which prevents clickjacking attacks.
  • Added logging support. Standard Java logging is now available and configurable.
  • Default MyProxy server on localhost. If no MyProxy server is specified, one is assumed to be running on localhost.
  • Improved admin tools. In particular, improved the CLI to give more readable messages.
  • Improved SQL install scripts.
  • Links in the documentation to the latest versions of these scripts.
  • More and better documentation.

Last modified 11/20/19.
©2000-2013 Board of Trustees of the University of Illinois.