309 lines
10 KiB
Markdown
309 lines
10 KiB
Markdown
# Change Log
|
|
All notable changes to this project will be documented in this file.
|
|
|
|
## 3.6.1 - 2023-12-21
|
|
- better support for older node versions
|
|
|
|
## 3.6.0 - 2023-11-24
|
|
- adapt optimized IAS server API
|
|
|
|
## 3.5.0 - 2023-11-14
|
|
- update dependencies (e.g. axios 0 -> 1)
|
|
|
|
## 3.4.0 - 2023-10-23
|
|
- add optional x5t validation (RFC 8705) for IAS tokens
|
|
- Restore support for disableCache flag for JWKS retrieval
|
|
- Bugfix for requests to XSUAA with array values inside form
|
|
|
|
## 3.3.5 - 2023-09-28
|
|
- Support for app2service and app2app for IAS
|
|
|
|
## 3.3.4 - 2023-09-06
|
|
- Fix IAS token exchange with X509 binding
|
|
|
|
## 3.3.3 - 2023-08-08
|
|
- Send either both x-app_tid & x-client_id headers or none of them to IAS /certs endpoint to prevent bad request
|
|
|
|
## 3.3.2 - 2023-07-28
|
|
- restore backward-compatibility feature: use cleanUpPemKey function on verification keys to support PEM with missing line breaks-
|
|
- restore backward-compatible behaviour: use verificationKey as fallback if KID is not found in JWKS but throw error about missing KID if it fails
|
|
- fix error handling for cert endpoint
|
|
|
|
## 3.3.0 - 2023-07-24
|
|
- add app_tid to formular for token exchanges
|
|
- support for "x-app_tid" and "x-client-id" header for IAS cert endpoint
|
|
- bugfix for unknown variable in new cache implementation
|
|
|
|
## 3.2.18 - 2023-07-13
|
|
- Replaced keycache implementation with new JwksReplica implementation: When a JWKS is used for validation, it is now checked if the cached replica will expire soon (default refresh period: 15min before expiration). If so, it will be refreshed in the background and the cached replica will still be used for validation until it has expired completely (default expiration time: 30min since last refresh). Validation of incoming requests will only be blocked by an expired JWKS if it could not be refreshed during the refresh period. Only one call at a time will be performed to refresh the JWKS.
|
|
- Addd support for resource-attribute for token flow/token exchange calls
|
|
|
|
## 3.2.17 - 2023-01-09
|
|
- obfuscate credentials in debug output, when xssec:request debug variable is set
|
|
|
|
## 3.2.15 - 2023-01-09
|
|
- hotfix: upgrade to newest jsonwebtoken version ^9.0.0 because of security issue complainings. But the library was never affected
|
|
|
|
## 3.2.14 - 2022-10-11
|
|
- allow IAS issuer without https protocol prefix
|
|
- fix for additionalAttributes
|
|
- allow setting timeout without having credentials object provided
|
|
|
|
## 3.2.13 - 2022-02-15
|
|
- hofix in keycache implementation if you turn off to use the cache
|
|
- upgrade to newer axios library
|
|
|
|
## 3.2.12 - 2022-01-19
|
|
- add support for UAA system plan
|
|
- upgrade to newer axios library
|
|
|
|
## 3.2.11 - 2021-11-30
|
|
- add support for timeout setting for all requests-calls
|
|
- support for password token flow in requests module
|
|
- support for setting scopes for all requests to XSUAA
|
|
## 3.2.10 - 2021-11-02
|
|
- fix correlationID header names to "x-vcap-request-id" or "x-correlationid"
|
|
|
|
## 3.2.9 - 2021-10-22
|
|
- custom domain support for IAS
|
|
- support for "x-correlation-id" header to be set for createSecurityContext and tokenexchange-calls
|
|
- support to turn off the internal cache for a createSecurityContext call
|
|
|
|
## 3.2.8 - 2021-10-18
|
|
- add additional getter for user properties on XSUAA context
|
|
- remove deed and unneeded code for IAS context
|
|
- fix token flows in requests if subdomain is provided using certificate
|
|
|
|
## 3.2.7 - 2021-09-15
|
|
- replace got with axios library because of a bug in got lib during https get
|
|
|
|
## 3.2.5 - 2021-09-07
|
|
- fix to be backward-compatible for tokenFlow-APIs
|
|
|
|
## 3.2.4 - 2021-09-03
|
|
- fix an issue with IAS multitenancy support
|
|
- remove the deprecated request library with got library
|
|
|
|
## 3.2.3 - 2021-08-23
|
|
- add checkFollowingInstanceScope to SecurityContext to retrieve instance specific scope without need to build scope string on your own
|
|
- fix a reference error in key verification
|
|
- support for multitenance IAS applications using 'x-zone_uuid' Header in jwks call
|
|
|
|
## 3.2.2 - 2021-06-16
|
|
- Support for tokenexchanges with X.509 certificates managed by XSUAA
|
|
- Support for tokenexchanges with manually managed X.509 certificates
|
|
- support for configuration objects that does not provide a clientsecret (but a certificate)
|
|
|
|
## 3.2.1 - 2021-06-01
|
|
- Add some more error and tracing information
|
|
|
|
## 3.2.0 - 2021-04-20
|
|
- Support for IAS token validation. ([more details](doc/IAS.md))
|
|
|
|
## 3.1.2 - 2021-03-01
|
|
- Feature: Support for IAS to XSUAA token exchange ([more details](doc/IAStoXSUAA.md))
|
|
- Feature: Support for ZoneID enabled token flows ([more details](doc/TokenFlows.md))
|
|
|
|
|
|
## 3.1.1 - 2021-02-11
|
|
- Bugfix: Tokenexchange with additional attributes may result in a wrong formatted url
|
|
- Feature: The passport middleware allows to provide scopes to be validated at authentication time. Details [here](http://www.passportjs.org/docs/oauth/#scope)
|
|
|
|
## 3.1.0 - 2021-02-10
|
|
- Support for multiple configurations for one security context ([more details here](doc/MultiConfiguration.md))
|
|
- Bugfix: support for additional attributes in token exchange
|
|
- Bugfix: authorization now in payload for better XSUAA support
|
|
- correct support for azp (clientid) in token payload
|
|
- method to identify an XSUAA token
|
|
|
|
## 3.0.10 - 2021-10-01
|
|
- The requests to the XSUAA are now available using the requests module also if you do not have a securityContext
|
|
|
|
## 3.0.9 - 2020-08-06
|
|
- Set request library to version 2.88.2 because of security vulnerability
|
|
|
|
## 3.0.8 - 2020-08-06
|
|
- Increase timeout for jwt-bearer token flow to reduce of timeouts with very big tokens.
|
|
|
|
## 3.0.7 - 2020-07-24
|
|
- Move the token to the request body for jwt-bearer token flow, because of problems with very big tokens
|
|
|
|
## 3.0.6 - 2020-07-01
|
|
- Audience Validation validates to true when the derived client_id of broker-clone token matches the trusted client. This is relevant to support tokens of grant type user_token that contains no scopes.
|
|
|
|
## 3.0.5 - 2020-06-26
|
|
- Audience Validation accepts tokens of grant type user_token that does not provide aud claim. In that case the audience is derived from the audiences from the scopes.
|
|
- Audience Validation is skipped when cid of token matches the trusted client.
|
|
- Use getSubaccountId() method only to fetch the subaccount id, e.g. for calling the metering API for user-based pricing.
|
|
- In case you are interested in the customers tenant GUID make use of getZoneId method instead!
|
|
- A new [TokenInfo](/doc/TokenInfo.md) class is introduced for better logging capabilities.
|
|
|
|
## 3.0.3 - 2020-05-25
|
|
|
|
- Fix jwt-bearer flow to take the right token as uri parameter.
|
|
|
|
## 3.0.2 - 2020-05-20
|
|
|
|
- Fix get verification key from keycache.
|
|
|
|
## 3.0.1 - 2020-05-19
|
|
|
|
- HotFix missing debugTrace in verification key
|
|
- Fix RetryStrategy
|
|
|
|
## 3.0.0 - 2020-05-15
|
|
|
|
- Replace grant type user_token in method requestToken (TYPE_USER_TOKEN) in favor of urn:ietf:params:oauth:grant-type:jwt-bearer
|
|
- Remove obsolete method getToken (use getHdbToken or getAppToken))
|
|
- Remove obsolete method requestTokenForClient (use requestToken)
|
|
- Remove obsolete method getIdentityZone (use getZoneId() instead, or getSubaccountId() for metering purposes)
|
|
- Support for audience validation in token
|
|
- remove of SAP_JWT_TRUST_ACL environment variable support (functionality now comes with audience validation); see also [here](https://jam4.sapjam.com/blogs/show/oEdyQO183plBoQdrvcPw2w).
|
|
- remove depencency to node-jwt (ALPINE support)
|
|
- restructure internal code for better maintainability
|
|
|
|
## 2.2.5 - 2020-02-28
|
|
|
|
- Update to node-jwt version 1.6.6
|
|
|
|
## 2.2.4 - 2019-08-14
|
|
|
|
- Support for API methods getUserName and getUniquePrincipalName
|
|
|
|
## 2.2.3 - 2019-08-07
|
|
|
|
- Add retry for recieving keys
|
|
|
|
## 2.2.2 - 2019-06-24
|
|
|
|
- Use verification key from binding as backup if online key retrieval fails
|
|
|
|
## 2.2.1 - 2019-06-17
|
|
|
|
- Fix uaaDomain comparison in key cache
|
|
|
|
## 2.2.0 - 2019-06-17
|
|
|
|
- Align key cache implementation with other container security libraries
|
|
|
|
## 2.1.17 - 2019-05-17
|
|
|
|
- Introduce http timeout of two seconds
|
|
- Update version of module debug, lru-cache and @sap/xsenv
|
|
- Fix token verification for broker master instance subscriptions
|
|
|
|
## 2.1.16 - 2019-01-28
|
|
|
|
- Fix token parser: switch ASCII to Utf8 decode
|
|
|
|
## 2.1.15 - 2018-08-13
|
|
|
|
- Update version of module request
|
|
|
|
## 2.1.14 - 2018-07-24
|
|
|
|
- Evaluate SAP_JWT_TRUST_ACL if trustedclientidsuffix is present but not matching
|
|
|
|
## 2.1.13 - 2018-07-18
|
|
|
|
- Update version of module request
|
|
|
|
## 2.1.12 - 2018-06-01
|
|
|
|
- Support for API methods getSubaccountId and getOrigin
|
|
- Mark API method getIdentityZone as deprecated
|
|
|
|
## 2.1.11 - 2018-05-18
|
|
|
|
- Update version of module request
|
|
|
|
## 2.1.10 - 2018-04-20
|
|
|
|
- Fixes for keycache
|
|
|
|
## 2.1.9 - 2018-04-18
|
|
|
|
- Update version of module @sap/node-jwt (1.4.8)
|
|
- Fixes for keycache
|
|
- Update version of module request
|
|
|
|
## 2.1.8 - 2018-03-14
|
|
|
|
- Support for API method getAppToken
|
|
|
|
## 2.1.7 - 2018-03-05
|
|
|
|
- Support for API method requestToken
|
|
|
|
## 2.1.6 - 2018-02-19
|
|
|
|
- Update version of module @sap/node-jwt
|
|
|
|
## 2.1.5 - 2018-02-07
|
|
|
|
- Update version of module request
|
|
|
|
## 2.1.4 - 2017-12-04
|
|
|
|
- Support new JWT structure (attribute location ext_cxt)
|
|
- First implementation for keycache
|
|
|
|
## 2.1.3 - 2017-11-29
|
|
|
|
- Support for API method getClientId
|
|
|
|
## 2.1.2 - 2017-10-23
|
|
|
|
- Support for API method getSubdomain
|
|
|
|
## 2.1.1 - 2017-10-09
|
|
|
|
- Update version of modules @sap/node-jwt, @sap/xsenv and debug
|
|
|
|
## 2.1.0 - 2017-07-06
|
|
|
|
- Support of API method requestTokenForClient
|
|
- Update version of module @sap/node-jwt
|
|
|
|
## 2.0.0 - 2017-06-26
|
|
|
|
- Removal of deprecated constructor method createSecurityContextCc
|
|
- Removal of API method method getUserInfo
|
|
|
|
## 1.3.0 - 2017-06-23
|
|
|
|
- Revert removal of API method method getUserInfo
|
|
|
|
## 1.2.0 - 2017-06-22
|
|
|
|
- Support for API methods getLogonName, getGivenName, getFamilyName, getEmail
|
|
- Removal of API method method getUserInfo
|
|
- Fix identity zone validation (only relevant for tenants created with SAP Cloud Cockpit)
|
|
|
|
## 1.1.1 - 2017-05-30
|
|
- Update version of dependent modules
|
|
|
|
## 1.1.0 - 2017-05-22
|
|
- Mark API method createSecurityContextCC as deprecated
|
|
|
|
## 1.0.4 - 2017-05-17
|
|
|
|
- Support for validation of XSUAA broker plan tokens
|
|
- Support for API methods getCloneServiceInstanceId and getAdditionalAuthAttribute
|
|
- Support for validation of XSUAA application plan tokens in arbitrary identity zones
|
|
|
|
## 1.0.3 - 2017-03-29
|
|
|
|
- Update version of dependent modules
|
|
|
|
## 1.0.2 - 2017-02-22
|
|
|
|
- Support for validation of SAML Bearer tokens
|
|
|
|
## 1.0.1 - 2017-02-02
|
|
|
|
- Support for client credentials tokens in JWT strategy
|
|
|
|
## 1.0.0 - 2017-01-25
|
|
|
|
- Introduction of scopeing, module name changed to @sap/xssec
|