Release Notes
The TCG Authorization Server release notes contain important information that you should read before using this product.
What's new for Version 3.1.3
- The routes api/roles, api/users and api/identityproviders are now available for confidential clients with the resource service permission. Querying roles is used for user role assignments, for example on the platform service.
- Support for custom schema names on PostgreSQL, as long as they are lowercase. Also see the Installation Configuration section in the Installation Guide.
- On Oracle, an unsupported transaction isolation level was logged as an error by the Oracle library. The database access code was changed to no longer use that isolation level with Oracle, which removes the logged error. The error did not inhibit functionality.
- The database configuration for SQL Server has been extended to support mandatory and strict SSL connections to the SQL Server. Two new properties have been added to the configuration. For backwards compatibility, if encryption has not been specified, the service defaults to trusting the server's certificate chain and to using encrypted communication only optionally. Note that this default accepts an unvalidated server certificate and permits an unencrypted connection if the server does not require encryption; set the new properties explicitly for production deployments.
- Azure AD (Azure Active Directory) has been renamed to (Microsoft) Entra ID.
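The backwards-compatible default described above (trust the chain, encrypt only optionally) is the weaker of the available settings. The following Python script is an added example and is not part of the release notes or of the product: it audits a Microsoft.Data.SqlClient connection string for that posture using the driver's own keywords (Encrypt=Optional|Mandatory|Strict and TrustServerCertificate) and rewrites it so that TLS is required and the certificate chain is validated. The names of the product's two new configuration properties are not given on this page, so the example works on the connection string itself rather than on appsettings keys; the sample connection string is constructed.

```python
"""Audit and harden the TLS settings of a Microsoft.Data.SqlClient connection string.

Added example (not the product's code).  Keywords follow the SqlClient driver:
  Encrypt = Optional | Mandatory | Strict   (legacy true/false map to Mandatory/Optional)
  TrustServerCertificate = True | False     (True disables chain validation)
Strict (TDS 8.0) needs SQL Server 2022 or Azure SQL; use Mandatory elsewhere.
"""
from __future__ import annotations

# Keyword spellings accepted by the driver, mapped to one canonical name.
_CANONICAL = {
    "encrypt": "encrypt",
    "trustservercertificate": "trustservercertificate",
    "trust server certificate": "trustservercertificate",
}

# Constructed sample: a typical appsettings connection string with the weak setting.
SAMPLE_WEAK = "Server=db.example.test;Database=auth;User Id=auth;Password=secret;TrustServerCertificate=True"


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split 'Key=Value;...' into a dict keyed by lower-cased canonical names.
    Quoted values and escaped semicolons are not handled (rare in appsettings)."""
    settings: dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        settings[_CANONICAL.get(key, key)] = value.strip()
    return settings


def encryption_mode(settings: dict[str, str]) -> str:
    """Return Optional, Mandatory or Strict.  An absent keyword is reported as
    Optional: that is the product's backwards-compatible default described in
    the release notes and the weaker of the two interpretations (SqlClient 4+
    itself defaults to Mandatory), so the finding is visible either way."""
    raw = settings.get("encrypt", "").strip().lower()
    if raw == "strict":
        return "Strict"
    if raw in ("mandatory", "true", "yes"):
        return "Mandatory"
    return "Optional"


def trusts_any_certificate(settings: dict[str, str]) -> bool:
    return settings.get("trustservercertificate", "false").strip().lower() in ("true", "yes")


def audit(conn: str) -> list[str]:
    """Return findings; an empty list means TLS is required and the chain is validated."""
    settings = parse_connection_string(conn)
    findings: list[str] = []
    if encryption_mode(settings) == "Optional":
        findings.append("Encrypt=Optional (or unset): the session is unencrypted unless the server forces TLS")
    if trusts_any_certificate(settings):
        findings.append("TrustServerCertificate=True: any certificate is accepted, so a MITM can terminate the TLS session")
    return findings


def harden(conn: str, strict: bool = False) -> str:
    """Replace the TLS-relevant keywords so encryption is required and the chain is validated."""
    kept: list[str] = []
    for part in conn.split(";"):
        if not part.strip():
            continue
        key = part.split("=", 1)[0].strip().lower()
        if _CANONICAL.get(key, key) in ("encrypt", "trustservercertificate"):
            continue  # dropped here, re-added below with safe values
        kept.append(part.strip())
    kept.append("Encrypt=Strict" if strict else "Encrypt=Mandatory")
    kept.append("TrustServerCertificate=False")
    return ";".join(kept)


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print("FINDING:", finding)
    print("hardened:", harden(SAMPLE_WEAK))
```

Run it against the connection string from your appsettings before and after setting the new properties; an empty finding list is the target. Encrypt=Strict additionally pins the TLS handshake to TDS 8.0 and is only an option for SQL Server 2022 or Azure SQL.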
- Entra ID user discovery receives paginated responses and previously discovered only the first page of at most 100 users. The new implementation fetches all available pages and raises the page size to 999.
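The pagination fix above is easiest to see in code. The following Python script is an added example, not the product's implementation: it follows Microsoft Graph's @odata.nextLink until no further page is returned and requests $top=999, the largest page size Graph allows for /users. The Graph endpoint is replaced by a constructed in-memory fake (with a simplified numeric $skiptoken, which in real Graph is opaque) so the script runs offline; the old single-request behaviour is kept alongside to show why discovery stopped at 100 users.

```python
"""Follow Microsoft Graph pagination when discovering Entra ID users.

Added example (not the product's code).  Graph's /users endpoint returns at
most 100 users per page by default and accepts $top up to 999; further pages
are reached only through '@odata.nextLink'.  Reading a single response, as
the old implementation did, therefore never sees more than 100 users.
"""
from __future__ import annotations
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
GRAPH_DEFAULT_PAGE = 100  # page size when $top is not given
GRAPH_MAX_PAGE = 999      # upper bound for $top on /users


def fake_graph(total_users: int) -> Callable[[str], dict]:
    """Constructed stand-in for an authenticated GET against Graph.
    Real $skiptoken values are opaque; here it is simply the offset."""
    def get(url: str) -> dict:
        query = parse_qs(urlparse(url).query)
        top = int(query.get("$top", [str(GRAPH_DEFAULT_PAGE)])[0])
        skip = int(query.get("$skiptoken", ["0"])[0])
        end = min(skip + top, total_users)
        body = {"value": [{"id": f"user-{i}", "userPrincipalName": f"u{i}@example.test"}
                          for i in range(skip, end)]}
        if end < total_users:
            body["@odata.nextLink"] = f"{GRAPH_USERS}?{urlencode({'$top': top, '$skiptoken': end})}"
        return body
    return get


def discover_first_page_only(get: Callable[[str], dict]) -> list[dict]:
    """Old behaviour: one request without $top, never more than one page."""
    return get(GRAPH_USERS)["value"]


def discover_all_users(get: Callable[[str], dict], page_size: int = GRAPH_MAX_PAGE) -> list[dict]:
    """Fixed behaviour: largest page size, then follow nextLink until it is absent."""
    url: str | None = f"{GRAPH_USERS}?{urlencode({'$top': page_size})}"
    users: list[dict] = []
    seen: set[str] = set()  # refuse to loop forever on a repeating nextLink
    while url and url not in seen:
        seen.add(url)
        body = get(url)
        users.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return users


if __name__ == "__main__":
    graph = fake_graph(2500)
    print("old:", len(discover_first_page_only(graph)), "users")
    print("new:", len(discover_all_users(graph)), "users")
```

The larger page size only reduces the number of round trips; correctness comes from following nextLink until it is absent. An incomplete user list silently breaks role assignment for every user beyond the first page, which is why the fix matters for authorization, not just performance.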
- Software Bills of Material (SBOMs) are now part of the installation. They are found in the installation directory under "SBOM": <install_dir>\SBOM
Updated Vulnerable Dependencies
Notable are:
- System.IdentityModel.Tokens.Jwt 6.24.0 -> 6.35.0 (moderate): Microsoft Security Advisory CVE-2024-21319: .NET Denial of Service Vulnerability
- Microsoft.Data.SqlClient 2.1.4 -> 5.1.4 (high): Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass
What's new for Version 3.1.2
- Add an API endpoint that allows searching for users by username (GET ~/api/users/?name=JohnDoe)
- Add an API endpoint to get the current version (GET ~/api/version)
- Add an API endpoint to get the active identity providers, for example ActiveDirectory and Keycloak (GET ~/api/identityproviders). Administrative permissions are required.
- ID Tokens now contain authority and identity_provider entries to expose how the user was authenticated.
Fixed Third-party Vulnerabilities
- Update Oracle.EntityFrameworkCore to version 6.21.90 due to CVE-2023-21893 in Oracle.EntityFrameworkCore (Component takeover in Oracle Data Provider for .NET): https://github.com/advisories/GHSA-5pm2-9mr2-3frq
- Update System.Security.Cryptography.Pkcs from version 6.0.1 to 6.0.3 due to CVE-2023-29331 (.NET Denial of Service vulnerability): https://github.com/advisories/GHSA-555c-2p6r-68mm
Bugfixes
- The external IDP configuration panel did not allow setting multiple claim mappings, or to delete claim mappings. Disabling the password login box when using an external identity provider is fixed.
- The IIS request filtering limit is set to 10000 KB by default, to prevent issues with large ID tokens. The documentation about the IIS request filtering limitation and about how to configure scopes for rich client application registrations has been extended.
- Provide a more helpful error message when configuring an invalid redirect URI (fragments are not allowed)
- The auth-admin client registration incorrectly received password and authorization code flow permissions. It now only has the client credential authorization flow enabled.
What's new for Version 3.1.1
Version 3.1.1 contains security improvements, better external Identity Provider integration, and several bug fixes.
- Security for the user has been improved:
  - Session cookies allow deleting a session on the server side. After a sign-out, even a copy of the issued cookie no longer logs the user in.
  - Sign-out offers the user the option to delete all tokens that have been issued for this user.
  - Cookie expiration time spans, as well as access and refresh token expiration time spans, can be adjusted. Short time spans provide higher security, longer time spans are more convenient for users.
  - The message during sign-out has been improved to better communicate to the user what is going to happen.
  - SSL usage: redirect to HTTPS is configurable.
  - SSL usage: HSTS with configurable max-age header.
- External Identity Providers are configurable via the Web UI. Entra ID and Keycloak are integrated so that no plugins must be written. Roles of external IDPs are fetched periodically in the background, and are also collected whenever a user authenticates via them.
- Reverse Proxy capabilities have been improved: forwarded headers allow SSL offloading and defining the authority's hostname, so that internal and external applications can use the same instance.
- Available roles/groups are stored in the database, to improve integration of external IDPs.
- A new command line option -ConfigOnly configures the appsettings with an encrypted connection string without touching the database:
  AuthorizationService.exe setup database -c "connection string..." -p PostgreSQL -EncryptionCertificateThumbprint MYTHUMBPRINT -ConfigOnly
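To make the first two points of the security list concrete (a replayed cookie fails after sign-out, and sign-out can revoke everything issued to the user), here is an added Python illustration. It is not the product's implementation: it keeps only a random session id in the cookie and all state server-side, so deleting the server record is enough to defeat a copied cookie, and it enforces the configurable cookie lifetime on the server. The class and method names and the in-memory store are assumptions made for the example.

```python
"""Server-side session revocation: a copied cookie must stop working at sign-out.

Added illustration (not the product's code).  The cookie value is only a random
identifier; user, expiry and the existence of the session live on the server.
Deleting the record therefore invalidates every copy of the cookie at once, which
a purely client-side (signed, stateless) cookie cannot achieve before it expires.
"""
from __future__ import annotations
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    user: str
    expires_at: float  # absolute time, enforced by the server, not by the browser


class SessionStore:
    def __init__(self, cookie_ttl_seconds: float, clock: Callable[[], float] = time.time):
        self.ttl = cookie_ttl_seconds        # the configurable cookie expiration time span
        self.clock = clock                   # injectable so expiry can be tested
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(cookie_value: str) -> str:
        # Store only a hash: a leaked session table cannot be turned back into cookies.
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def sign_in(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self._sessions[self._key(cookie)] = Session(user, self.clock() + self.ttl)
        return cookie

    def authenticate(self, cookie: str) -> Optional[str]:
        """Return the user for a presented cookie, or None if unknown, revoked or expired."""
        key = self._key(cookie)
        session = self._sessions.get(key)
        if session is None:
            return None
        if session.expires_at <= self.clock():
            del self._sessions[key]          # expired: purge so it cannot be extended
            return None
        return session.user

    def sign_out(self, cookie: str, all_sessions_of_user: bool = False) -> int:
        """Delete the presented session; optionally every other session of the same
        user as well (the 'delete all tokens issued for this user' option).
        Returns how many sessions were removed."""
        session = self._sessions.pop(self._key(cookie), None)
        if session is None:
            return 0                          # unknown or already revoked: nothing to do
        removed = 1
        if all_sessions_of_user:
            stale = [k for k, s in self._sessions.items() if s.user == session.user]
            for k in stale:
                del self._sessions[k]
            removed += len(stale)
        return removed


if __name__ == "__main__":
    store = SessionStore(cookie_ttl_seconds=600)
    cookie = store.sign_in("alice")
    copied = cookie                            # an attacker keeps a copy of the cookie
    store.sign_out(cookie)
    print("replay after sign-out ->", store.authenticate(copied))
```

A cookie that carries a signed claim set and nothing else cannot be revoked this way; it stays valid until its expiry. The same holds for refresh tokens: the "delete all tokens issued for this user" option only works if the server keeps a record of what it issued, which is what all_sessions_of_user=True stands for here.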
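The reverse proxy item above (and the breaking change below that load balancing requires X-Forwarded-* headers) has a security caveat the notes do not spell out: the headers must be honoured only when they arrive from the proxy itself, otherwise any client can choose the scheme and hostname that end up as the authority in issued tokens and redirects. The following Python function is an added illustration, not the product's own handling; it follows the same idea as the known-proxies list of the ASP.NET Core forwarded-headers middleware. The header names are the conventional X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-For; the trusted network and the request data are constructed.

```python
"""Derive the public scheme/host behind a reverse proxy, trusting X-Forwarded-*
only from known proxies.

Added illustration (not the product's code).  An authorization server builds its
authority URL, issuer and redirect targets from these values, so they must not be
settable by arbitrary clients: forwarded headers are honoured only when the TCP
peer is one of the configured proxies, otherwise the connection's own values win.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple


@dataclass(frozen=True)
class RequestContext:
    remote_addr: str          # address of the TCP peer (the proxy, or a direct client)
    scheme: str               # scheme this server saw; 'http' when TLS is offloaded
    host: str                 # Host header this server saw
    headers: dict             # request headers, names lower-cased


def resolve_public_origin(req: RequestContext, trusted_proxies: Iterable[str]) -> Tuple[str, str, str]:
    """Return (scheme, host, client_ip) as the original client saw them.

    Only when the peer is inside a trusted network are X-Forwarded-Proto,
    X-Forwarded-Host and X-Forwarded-For believed; values are validated so a
    proxy misconfiguration cannot smuggle an arbitrary string into the authority.
    """
    peer = ip_address(req.remote_addr)
    if not any(peer in ip_network(net) for net in trusted_proxies):
        return req.scheme, req.host, req.remote_addr   # headers from a non-proxy are ignored

    scheme = req.headers.get("x-forwarded-proto", req.scheme).split(",")[0].strip().lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected X-Forwarded-Proto: {scheme!r}")

    host = req.headers.get("x-forwarded-host", req.host).split(",")[0].strip()
    if not host or any(c in host for c in " /\\@#?"):
        raise ValueError(f"invalid X-Forwarded-Host: {host!r}")

    # With one trusted hop, the right-most X-Forwarded-For entry was appended by
    # that hop and is the peer it saw; anything left of it may be client-supplied.
    xff = req.headers.get("x-forwarded-for", "")
    client_ip = xff.split(",")[-1].strip() if xff else req.remote_addr
    return scheme, host, client_ip


def authority_url(req: RequestContext, trusted_proxies: Iterable[str]) -> str:
    """The externally visible base URL, e.g. for the issuer value and redirect URIs."""
    scheme, host, _ = resolve_public_origin(req, trusted_proxies)
    return f"{scheme}://{host}"


if __name__ == "__main__":
    TRUSTED = ["10.0.0.0/8"]     # constructed: the load balancer's network
    forwarded = {"x-forwarded-proto": "https", "x-forwarded-host": "auth.example.test",
                 "x-forwarded-for": "203.0.113.9"}
    via_proxy = RequestContext("10.0.0.5", "http", "auth-internal:8080", forwarded)
    direct = RequestContext("198.51.100.7", "http", "auth-internal:8080", forwarded)
    print(authority_url(via_proxy, TRUSTED))   # https://auth.example.test
    print(authority_url(direct, TRUSTED))      # http://auth-internal:8080
```

When you update the load balancer configuration as the breaking change asks, also make sure the proxy overwrites rather than appends any X-Forwarded-Host and X-Forwarded-Proto it receives from clients, and that the server only trusts the proxy's addresses; the example shows what happens to spoofed headers from a non-proxy peer.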
Breaking Changes
- The NuGet package and the namespaces for the TCG Authorization Server interface DLLs have changed. If you wrote a plugin, you have to adjust and recompile it. This drastic step was taken because we were able to obsolete most reasons for a plugin.
- The configuration setting to load a plugin changed from Service->UserStoreAssemblyPath to Service->PluginAssemblyPath.
- The IClaimsSearcher interface was dropped.
- Claim changes: the user's subject claim ('sub') is now set to a unique identifier instead of the username. The username value is stored in a 'username' claim. The user's display name is stored in the 'name' claim. Applications displaying the user's display name or username in a UI must adjust.
- Load balancing requires X-Forwarded-* headers. Please read the documentation section and update the load balancer or reverse proxy configuration.
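The claim changes above (together with the authority and identity_provider entries added in 3.1.2) change how a relying application reads an ID token. The following Python code is an added example, not the product's code or SDK: it maps the claims named in these notes to an identity object, accepts tokens from before and after 3.1.1, and shows the re-keying an application needs once 'sub' stops being the username. The tokens are constructed and unsigned for the example only; a real consumer verifies the signature against the authority's keys before reading any claim. The AccountDirectory class and its legacy_identity_provider guard are assumptions about the application side, not part of the product.

```python
"""Reading user identity from ID tokens across the 3.1.1 claim change.

Added example (not the product's code).  Claim names 'sub', 'username', 'name',
'authority' and 'identity_provider' are those in the release notes; 'iss' is
standard OIDC.  Before 3.1.1 'sub' held the username; since 3.1.1 it is an
opaque unique id and the username moved to 'username'.
"""
from __future__ import annotations
import base64
import json
from dataclasses import dataclass
from typing import Optional


def decode_payload_unverified(id_token: str) -> dict:
    """Base64url-decode the payload segment.  No signature check: call this only
    on tokens whose signature has already been verified against the authority's keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


@dataclass(frozen=True)
class UserIdentity:
    account_key: str                  # 'sub': the only value to key accounts on
    username: str                     # login name, for display and support lookups
    display_name: str                 # human-readable, display only, not unique
    authority: Optional[str]          # which authorization server authenticated the user
    identity_provider: Optional[str]  # e.g. ActiveDirectory, Keycloak, Entra ID


def identity_from_claims(claims: dict) -> UserIdentity:
    """Accepts both pre- and post-3.1.1 tokens; only the display fields differ."""
    sub = claims["sub"]
    username = claims.get("username", sub)      # pre-3.1.1: sub *is* the username
    return UserIdentity(
        account_key=sub,
        username=username,
        display_name=claims.get("name", username),
        authority=claims.get("authority"),
        identity_provider=claims.get("identity_provider"),
    )


class AccountDirectory:
    """Application-side account table (assumed, not part of the product).

    Rows created before the upgrade were keyed by the old 'sub', i.e. the
    username, so after the upgrade they no longer match the new 'sub'.
    resolve() re-keys such a row once, matched by the 'username' claim.
    With several identity providers configured, restrict the re-keying to
    the provider the legacy rows came from, or a same-named user from
    another provider would be linked to the old account.
    """

    def __init__(self, legacy_accounts: dict, legacy_identity_provider: Optional[str] = None):
        self._by_sub: dict = {}
        self._legacy_by_username = dict(legacy_accounts)
        self._legacy_idp = legacy_identity_provider

    def resolve(self, claims: dict) -> Optional[dict]:
        ident = identity_from_claims(claims)
        account = self._by_sub.get(ident.account_key)
        if account is None:
            if "username" not in claims:
                # pre-3.1.1 token: 'sub' is the username, legacy row matches directly
                account = self._legacy_by_username.get(ident.account_key)
            elif self._legacy_idp is None or ident.identity_provider == self._legacy_idp:
                # post-3.1.1 token: migrate the legacy row to the new stable key
                account = self._legacy_by_username.pop(ident.username, None)
                if account is not None:
                    self._by_sub[ident.account_key] = account
        if account is not None:
            account["display_name"] = ident.display_name  # refresh display-only data
        return account


def constructed_token(payload: dict) -> str:
    """Unsigned token for this example only; alg=none must never be accepted in production."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


if __name__ == "__main__":
    directory = AccountDirectory({"jdoe": {"roles": ["reader"]}})
    new_style = constructed_token({"iss": "https://auth.example.test",
                                   "sub": "3f9a0c1e-7b2d-4e55-9a11-0c2b7f6d8e40",
                                   "username": "jdoe", "name": "John Doe",
                                   "authority": "https://auth.example.test",
                                   "identity_provider": "Keycloak"})
    print(directory.resolve(decode_payload_unverified(new_style)))
```

The rule to take from this: key authorization and account lookup on 'sub' (plus the issuer), use 'username' for what used to be read from 'sub', and treat 'name' as display-only since it is neither unique nor stable. The authority and identity_provider values are useful in audit logs to record how a user was authenticated.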
What's new for Version 3.1
- Primus API 3.1
- New component that allows you to achieve single sign-on (SSO) for Primus and its components and external clients.