Releases: indigo-iam/iam
INDIGO Identity and Access Management v1.11.0
Added
- Add POST endpoint for registration requests confirmation by @enricovianello in #881
- (Experimental [1]) Implement MFA by @sam-glendenning, @rmiccoli, @garaimanoj, @Sae126V in #733
- Add explanation message on the user code page by @rmiccoli in 53100d1
- Add confirmation before rotate client secret by @SteDev2 in #875
- Redirect to login page when signing AUP without being authenticated by @federicaagostini in 5acde91
Fixed
- Fix account mapping in VOMS AA by @rmiccoli in #872
- Fix CERN lifecycle handler by @enricovianello in #871, #896
- Client-credentials flow won't create a refresh token by @rmiccoli in indigo-iam/OpenID-Connect-Java-Spring-Server#22
- Fix missing update of matchingPolicy by @garaimanoj in f15ef57
- Fix account research API by checking both certificate subject and issuer in VOMS AA by @rmiccoli in #897
- Prevent the issue of broken SAML login flow by @DonaldChung-HK in #885
- Fix the list of user's group membership requests from the admin's perspective by @enricovianello in 571d12c
- Fix missing creation of an approved site during device code flow by @federicaagostini in 1e9c200
- Combine all scope filtering logic into one ScopeFilter by @enricovianello in a0c771b
- Fix authorization on some me endpoints by @enricovianello in 5273df7
What's Changed
- Exclude IAM optional groups from VOMS AC by @rmiccoli in #894
- Grant admin scopes to admin-approved clients only by @rmiccoli in 6bbaccd [2]
- Restrict access to SCIM scopes to admins only by @enricovianello in 5f20592 [2]
The MFA experimental feature
Here is the summary of this experimental enhancement:
- Each authenticated user can enable/disable MFA through a button on his homepage.
- Users must install and use an authenticator app (usually on a mobile device) as it is required to generate the time-based one-time passwords (TOTPs) necessary for authentication.
- At any time an IAM administrator can disable MFA for a user
- The second factor authentication is currently supported for local authentication only
- Integration with X.509 certificate and external provider logins is not yet supported
- Encryption and decryption of MFA secrets
Configuration
The mfa Spring JVM profile is used to enable the MFA functionality. It is not part of the active profiles by default, so MFA stays disabled for all users until the profile is explicitly added to the list of active ones.
Notes
[1] This initial release featuring Multi-Factor Authentication is experimental and will be enhanced and expanded with new features in future releases, based also on user feedback.
[2] The privileged admin (iam:admin.read, iam:admin.write) and SCIM (scim:read, scim:write) scopes can still be assigned by admins to specific clients. The constraint added by this release concerns non-privileged users who request a token through these privileged clients: even if the client is allowed to obtain those scopes, they are filtered out of the granted ones whenever a user without sufficient privileges is involved. The client_credentials flow, which involves no user, is therefore not affected. These clients obtain access tokens carrying these privileged/restricted scopes if and only if the requestor is an admin.
INDIGO Identity and Access Management Service v1.10.2
What's Changed
- Add devcontainer configuration by @darcato in #835
- Track refresh tokens in access token AUDIT logs by @rmiccoli in #838
- Combine CERN HR logic with internal life-cycle by @enricovianello in #844
- Fix expected password min length to 8 chars by @SteDev2 in #849
- AUP signature PATCH endpoint accepts signature time as input by @enricovianello in #853
INDIGO Identity and Access Management Service v1.10.1
What's Fixed
- Fix repeated suspensions by @enricovianello in #831
- Fix typo in AUDIT log for suspended accounts by @federicaagostini in #832
- Upgrade AngularJS version by @SteDev2 in #820
- Fix AUP signature validity by @rmiccoli in #834
INDIGO Identity and Access Management Service v1.10.0
What's Changed
- Send an email when client status changes by @rmiccoli in #802
- Add a statistical anonymous endpoint by @rmiccoli in #790
- PATCH to change AUP signature time works also for client credentials by @rmiccoli in #804
- Add AUP and user's lifecycle missing email notifications by @rmiccoli in #787
- Add groups enrollment logic to be applied after users registration by @garaimanoj in #793
- Add the organization name in all email notifications subjects by @rmiccoli in #810
- Improve password quality check by @SteDev2 in #719
- Allow to totally disable cache by @federicaagostini in #778
Bug Fixes
- Refresh token flow not allowed for suspended clients by @rmiccoli in #814
- Update angular-jwt script link by @SteDev2 in #822
- Fix error 500 on old mitreId user interface by @SteDev2 in #808
Configuration Fixes
- Prefix all necessary env variables with IAM_ by @federicaagostini in #807
- As described in #807, the environment variables DEFAULT_ACCESS_TOKEN_VALIDITY_SECONDS, DEFAULT_DEVICE_CODE_VALIDITY_SECONDS, DEFAULT_ID_TOKEN_VALIDITY_SECONDS and DEFAULT_REFRESH_TOKEN_VALIDITY_SECONDS have been renamed with the IAM_ prefix.
- Fix client track-last-used setting location in .yaml by @enricovianello in #795
- The client's "last-used" tracking is now disabled by default. You can turn it on by setting IAM_CLIENT_TRACK_LAST_USED to true. This feature allows administrators to see how many days have passed since the last token was issued for each client.
- The redis-cache.enabled property has been moved to cache.redis.enabled. This property is still set by the same environment variable, IAM_REDIS_CACHE_ENABLED, so configurations that rely on this variable are not affected.
Documentation Fixes
INDIGO Identity and Access Management Service v1.9.0
What's Changed
- Show unrestricted scopes into well-known endpoint by @federicaagostini in #628
- Fix account lifecycle workflow by @rmiccoli in #746
- Administrators can disable a client by @garaimanoj in #747
- Change VOMS warning message when requesting a too long proxy by @federicaagostini in #756
- VO members can re-sign the AUP at any time by @garaimanoj in #757
- Add delete signature and sign on behalf by @enricovianello in #777
- Increase SAML response skew from 60 to 300 secs by @enricovianello in #780
- Multiplatform docker by @jacogasp in #761
- (Experimental*) Fix audit log for issued access tokens and add refresh token event by @federicaagostini in #774
- Fix authorization on SCIM me endpoint by @enricovianello in #764
- (Experimental*) Add attributes and managed groups to the SCIM user by @enricovianello in #764
- (Experimental*) Add authorities list to SCIM user by @enricovianello in #788
- Add last used property to clients by @darcato in #675
- Display how much time is left to AUP expiry by @garaimanoj in #783
- Allow to add nickname as attribute during a registration request by @federicaagostini in #789
* The introduced AUDIT messages and the additional SCIM user info must be considered experimental and may be changed in the next RCs/releases in a backward-incompatible way
New Contributors
- @garaimanoj made his first contribution in #757
- @jacogasp made his first contribution in #761
Notes
SCIM users response can now be extended in order to list also:
- user's attributes
- user's authorities
- user's managed groups
In order to include authorities and/or managed groups in the SCIM user details you need to enable them through the following properties:
scim:
  include_authorities: true
  include_managed_groups: true
or through the environment variables:
IAM_SCIM_INCLUDE_AUTHORITIES=true
IAM_SCIM_INCLUDE_MANAGED_GROUPS=true
Attributes can be included in the SCIM user response in the same way labels are:
scim.include_attributes[0].name=attribute-name
scim.include_attributes[1].name=another-attribute-name
Full Changelog: v1.8.4...v1.9.0
INDIGO Identity and Access Management Service v1.8.4
v1.8.4 (2024-03-25)
Added
- Add property to show SQL queries (default to false) #702
- Add refresh token value index on database #722
- Add support for admin to customize login layout #668
Fixed
- Encode/decode token value hash with Charset UTF-8 to match the MySQL algorithm #694
- Update the email address/username without needs to refresh the web UI #686
- Allow Chinese characters to be shown on user's info column #701
- Update login form display strategy #669
Changed
INDIGO Identity and Access Management Service v1.8.3
Recommendations
It is strongly recommended to make a backup of your database before upgrading to v1.8.3, because several migrations are planned. Also, remember that for updates from versions prior to v1.7.2 you must first upgrade to v1.7.2.
The migration to v1.8.3 will take time proportional to the number of currently active access tokens. This means that if you are deploying IAM with some kind of liveness and readiness probes, it is probably better to switch them off before upgrading, as the migration may take a long time.
Changed
- Save access token value as a hash in order to use lighter DB indexes and avoid conflicts by @rmiccoli in #613
- Avoid upper case characters into VO names by @SteDev2 in #616
- Enable Redis scope matchers and well-known endpoint caching by @federicaagostini in #633
- Consider scope matcher based on string equality for custom scopes by @rmiccoli in #642
Added
- Add SCIM endpoint entry to well-known endpoint by @federicaagostini in #631
- Update account AUP signature time via API by @rmiccoli in #608
- Add new JWT profile that renames the 'groups' claim to 'roles' by @enricovianello in #637
- Add support for displaying specific language name in federation Metadata by @Sae126V in #640
- Add missing "Reuse refresh token" box within client management page by @rmiccoli in #650
- Add missing foreign keys to the database by @enricovianello, @rmiccoli in #632, #659
- Add OpenID Connect standard claims in ATs for WLCG JWT profile by @rmiccoli in #651
Fixed
- Allow to add certificates with the same subject DN by @rmiccoli in #624
- Delete unsupported response types by @rmiccoli in #610
- Fix management of tokens lifetime following RFC9068 by @federicaagostini in #620
- Fix CERN Restore workflow by @hannahshort in #645
- Fix authz code flow with PKCE for IAM test client application by @rmiccoli in #653
- Fix authorization on IAM APIs such to avoid cases where access is granted to already approved scopes instead of effective token scopes by @enricovianello in #664
New Contributors
- @SteDev2 made his first contribution in #616
- @federicaagostini made her first contributions in #620, #631 and #633
- @Sae126V made his first contribution in #640
- @hannahshort made her first contributions in #645
INDIGO Identity and Access Management Service v1.8.2p2
This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53.
INDIGO Identity and Access Management Service v1.8.1p2
This release fixes a privilege escalation present in all previous IAM releases. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-53.
INDIGO Identity and Access Management Service v1.8.2p1
Fixes
This release fixes an XSS vulnerability in 1.8.2. See https://advisories.egi.eu/Advisory-EGI-SVG-2023-20.