77.10.0

What's Changed

Fix

• fix: allow to change or delete a relyingPartySecret on IdP by @strehle in #2896
• fix: always rotate refresh tokens for public clients by @mikeroda in #2846
• fix: /info docs test expectation by @peterhaochen47 in #2884

Misc

• Misc dev script improvements by @peterhaochen47 in #2876
• refactor: avoid indirect dep from EOL lib spring-security-saml2-core by @peterhaochen47 in #2879
• Sonar refactoring - AbstractUaaEvent class by @strehle in #2891

Dependency Bumps

• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.37.3 to 9.38 by @dependabot in #2877
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.38 to 9.39 by @dependabot in #2881
• build(deps): bump nokogiri from 1.16.4 to 1.16.5 in /uaa/slate by @dependabot in #2886
• build(deps): bump k8s.io/client-go from 0.30.0 to 0.30.1 in /k8s by @dependabot in #2893
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 9.39 to 9.39.1 by @dependabot in #2892
• build(deps): bump versions.springFrameworkVersion from 5.3.34 to 5.3.35 by @dependabot in #2897
• build(deps): bump versions.springFrameworkVersion from 5.3.35 to 5.3.36 by @dependabot in #2901

Full Changelog: v77.9.0...v77.10.0

77.9.0

What's Changed

• Move OAuth2 Core Server Classes to UAA namespace by @strehle in #2813
• test-refactoring: remove forked class in tests by @strehle in #2845
• build(deps): bump versions.guavaVersion from 33.1.0-jre to 33.2.0-jre by @dependabot in #2865
• build(deps): bump versions.jacksonVersion from 2.17.0 to 2.17.1 by @dependabot in #2869
• Refactoring: testable code in JdbcScimUserProvisioning by @strehle in #2863
• Refactoring: use namedJdbcTemplate bean instead of internal new object by @strehle in #2864
• Update tool chain by @strehle in #2873
• build(deps): bump versions.tomcatCargoVersion from 9.0.88 to 9.0.89 by @dependabot in #2872

Full Changelog: v77.8.0...v77.9.0

77.8.0

What's Changed

• build(deps): bump github.com/onsi/gomega from 1.33.0 to 1.33.1 in /k8s by @dependabot in #2858
• fix: MySQL Performance Issues in "/ids/Users" Endpoint by @adrianhoelzl-sap in #2859

Full Changelog: v77.7.0...v77.8.0

77.7.0

What's Changed

This release addresses a serious performance issue that can affect installations using a MySQL database for UAA and has a large number of users (10,000+).

Fix

• Fix: performance issue in MySQL -- revert #2704 by @bruce-ricard in #2857

Full Changelog: v77.6.0...v77.7.0

77.6.0

What's Changed

Security

• The bc-fips bump addresses CVE-2024-29857.

Fix

• fix: load static resources from default zone if zone not found by @tack-sap in #2828

Misc

• Remove direct usage of commons-httpclient 3.1 by @strehle in #2826
• Refactor tests for EntityAliasHandler.ensureConsistencyOfAliasEntity by @adrianhoelzl-sap in #2824

Dependency Bumps

• build(deps): bump versions.springSecurityVersion from 5.8.11 to 5.8.12 by @dependabot in #2829
• build(deps): bump versions.tomcatCargoVersion from 9.0.87 to 9.0.88 by @dependabot in #2832
• build(deps): bump k8s.io/client-go from 0.29.3 to 0.29.4 in /k8s by @dependabot in #2835
• build(deps): bump org.apache.commons:commons-text from 1.11.0 to 1.12.0 by @dependabot in #2833
• build(deps): bump k8s.io/client-go from 0.29.4 to 0.30.0 in /k8s by @dependabot in #2839
• build(deps): bump github.com/onsi/gomega from 1.32.0 to 1.33.0 in /k8s by @dependabot in #2842
• build(deps): bump org.gradle:test-retry-gradle-plugin from 1.5.8 to 1.5.9 by @dependabot in #2852
• build(deps): bump org.bouncycastle:bc-fips from 1.0.2.4 to 1.0.2.5 by @dependabot in #2853

Full Changelog: v77.5.0...v77.6.0

77.5.0

What's Changed

Security Fix

• Spring Framework update from 5.3.33 to 5.3.34 by @dependabot in #2822, solves https://spring.io/security/cve-2024-22262

Misc

• Fix flaky test in ScimUserEndpointsMockMvcTests by @adrianhoelzl-sap in #2804
• Further Integration Tests for Alias Identity Providers Feature by @adrianhoelzl-sap in #2722
• Set default SAML signatureAlgorithm value to SHA256 by @hsinn0 in #2807
• Misc API docs improvements by @peterhaochen47 in #2795
• fix: gradle test might give false green by @peterhaochen47 in #2801
• backfill tests: SAML SP metadata by @peterhaochen47 in #2794
• Prevent Update and Delete of Entities with Alias if Alias Feature is disabled by @adrianhoelzl-sap in #2803
• Sonar fix by @strehle in #2816
• Move OAuth2 classes BaseClientDetails to UaaClientDetails by @strehle in #2806

Dependency Bumps

• build(deps): bump commons-io:commons-io from 2.15.1 to 2.16.0 by @dependabot in #2811
• build(deps): bump commons-io:commons-io from 2.16.0 to 2.16.1 by @dependabot in #2819
• build(deps): bump versions.braveVersion from 6.0.2 to 6.0.3 by @dependabot in #2823
• update dependency nokogiri to v1.16.4 by @strehle in #2827

Full Changelog: v77.4.0...v77.5.0

77.4.0

What's Changed

• Add 'aliasId' and 'aliasZid' Fields to ScimUser by @adrianhoelzl-sap in #2765
• Cleanup from PR 2765 by @strehle in #2797
• Bump Gradle to 8.7 by @strehle in #2798
• Support own key and cert for jwtClientAuthentication by @strehle in #2771
• build(deps): bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 4.4.1.3373 to 5.0.0.4638 by @dependabot in #2800

Full Changelog: v77.3.0...v77.4.0

77.3.0

What's Changed

• Load jwtClientAuthentication in uaa.yml by @strehle in #2758
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 6.8.0.202311291450-r to 6.9.0.202403050737-r by @dependabot in #2772
• Update rack in Gemfile.lock by @strehle in #2773
• Optimize "/ids/Users" endpoint by @adrianhoelzl-sap in #2704
• feat: Use Database availability as indicator for /healthz response by @tack-sap in #2763
• build(deps): bump versions.jacksonVersion from 2.16.1 to 2.16.2 by @dependabot in #2774
• Fix sonar by @strehle in #2770
• build(deps): bump versions.springFrameworkVersion from 5.3.32 to 5.3.33 by @dependabot in #2777
• build(deps): bump versions.guavaVersion from 33.0.0-jre to 33.1.0-jre by @dependabot in #2778
• build(deps): bump org.postgresql:postgresql from 42.7.2 to 42.7.3 by @dependabot in #2781
• build(deps): bump versions.tomcatCargoVersion from 9.0.86 to 9.0.87 by @dependabot in #2780
• build(deps): bump versions.jacksonVersion from 2.16.2 to 2.17.0 by @dependabot in #2776
• build(deps): bump k8s.io/client-go from 0.29.2 to 0.29.3 in /k8s by @dependabot in #2786
• update dependency nokogiri to v1.16.3 by @strehle in #2787
• build(deps): bump versions.springSecurityVersion from 5.8.10 to 5.8.11 by @dependabot in #2788
• Fix uaa start. Prevent exception if encryption section missing by @strehle in #2767
• build(deps): bump github.com/onsi/gomega from 1.31.1 to 1.32.0 in /k8s by @dependabot in #2791
• fix: saml signatureAlgorithm in AuthnRequest by @swalchemist in #2792

Full Changelog: v77.2.0...v77.3.0

77.2.0

What's Changed

Fixes

• Fix audience type by @strehle in #2757
• avoid NPE by @klaus-sap in #2747
• Sonar fixes by @strehle in #2760
• Solve sonar bug by @strehle in #2768
• more methods for sanitized logging by @klaus-sap in #2764

Misc

• refactor: Remove a use of a constant from opensaml library by @hsinn0 in #2743
• Move IdP Alias Handling to separate Class by @adrianhoelzl-sap in #2737
• remove more IdP tests by @swalchemist in #2742
• doc: clarify token revocation by @peterhaochen47 in #2749

Dependency Bumps

• build(deps): bump org.apache.santuario:xmlsec from 4.0.1 to 4.0.2 by @dependabot in #2746
• build(deps): bump versions.braveVersion from 6.0.1 to 6.0.2 by @dependabot in #2748
• update dependency org.seleniumhq.selenium:selenium-java to v4.18.1 by @strehle in #2744
• build(deps): bump org.json:json from 20240205 to 20240303 by @dependabot in #2761

Known Issues

• During the upgrade to this version from UAA v76 or below with canary deployment (where briefly both new and old UAA servers could be running), UAA delete user endpoint might respond with an error even though the user deletion is successful. Mitigation: Delete users after the canary deployment finishes. But if you do run into this issue, you can ignore the error and check whether the user has been successfully deleted after the canary deployment finishes.

Full Changelog: v77.1.0...v77.2.0

77.1.0

What's Changed

Fixes

• Fix invalid identity zone by @klaus-sap in #2711
• Fix filter check in ids/Users endpoint by @adrianhoelzl-sap in #2702
• Revert "Ignore failing integration test" by @peterhaochen47 in #2731

Misc

• refactor: split test by @swalchemist in #2725
• Misc SAML tests refactors by @peterhaochen47 in #2727
• Maintain tomcat version by @strehle in #2721
• refactor: use non-deprecated saml configs in uaa.yml by @peterhaochen47 in #2732

Dependency Bumps

• build(deps): bump versions.springFrameworkVersion from 5.3.31 to 5.3.32 by @dependabot in #2733
• build(deps): bump versions.springSecurityVersion from 5.8.9 to 5.8.10 by @dependabot in #2734
• build(deps): bump versions.tomcatCargoVersion from 9.0.85 to 9.0.86 by @dependabot in #2736
• renovate: update dependency org.mariadb.jdbc:mariadb-java-client to v2.7.12 by @strehle in #2740
• build(deps): bump org.postgresql:postgresql from 42.7.1 to 42.7.2 by @dependabot in #2739
• build(deps): bump jasmine-core from 5.1.1 to 5.1.2 in /uaa by @dependabot in #2720
• build(deps): bump versions.braveVersion from 6.0.0 to 6.0.1 by @dependabot in #2726
• build(deps): bump k8s.io/api from 0.29.1 to 0.29.2 in /k8s by @dependabot in #2728
• build(deps): bump k8s.io/client-go from 0.29.1 to 0.29.2 in /k8s by @dependabot in #2730

Known Issues

• During the upgrade to this version from UAA v76 or below with canary deployment (where briefly both new and old UAA servers could be running), UAA delete user endpoint might respond with an error even though the user deletion is successful. Mitigation: Delete users after the canary deployment finishes. But if you do run into this issue, you can ignore the error and check whether the user has been successfully deleted after the canary deployment finishes.

Full Changelog: v77.0.0...v77.1.0