
Releases: TeskaLabs/seacat-auth

v23.18-beta

05 May 15:04
99edc6e

CHANGELOG

Breaking changes

  • In the resource list, the include_deleted and exclude_global_only params are replaced by the exclude param (#196, PLUM Sprint 230421)
  • Cookie authorize requests require that cookie_entry_uri be configured (#188, PLUM Sprint 230421)
  • The state-redirect mechanism in cookie flow has been removed (#188, PLUM Sprint 230421)

Fix

  • Fix provisioning initialization (#195, PLUM Sprint 230412)
  • Fix request access control attributes and methods (#197, PLUM Sprint 230421)
  • Reintroduce metrics (#198, PLUM Sprint 230421)
  • Allow batman to be configured without basic auth (#199, PLUM Sprint 230421)
  • Include client cookie name in client detail (#200, PLUM Sprint 230421)
  • Fix cookie entrypoint when no webhook is configured (#201, PLUM Sprint 230421)

Features

  • Filter resource list by resource type using the exclude query parameter (#196, PLUM Sprint 230421)
  • Cookie entrypoint webhook for setting custom response headers (#188, PLUM Sprint 230421)

Refactoring

  • Each client has its own unique cookie name (#188, PLUM Sprint 230421)

v23.16-beta1

21 Apr 10:26

Patches

  • Fix provisioning initialization (#195, PLUM Sprint 230412)

v23.16-beta

19 Apr 15:26

Compatibility

Tested with

This release introduces granular resource control to all Admin API endpoints (#183). In the web UI app, this was implemented in TeskaLabs/seacat-admin-webui#28.

CHANGELOG

Breaking changes

  • Introspection requests require client_id in the query (#156, PLUM Sprint 230324)
  • Every cookie introspection should be paired with a cookie entrypoint (#156, PLUM Sprint 230324)
  • Bouncer module replaced by cookie entrypoint (#156, PLUM Sprint 230324)
  • Dropped support for custom cookie domains in the configuration (#156, PLUM Sprint 230324)
  • External login status messages changed (#185, PLUM Sprint 230324)
  • Bulk-unassign tenants using "UNASSIGN-TENANT" (#189, PLUM Sprint 230324)
  • Resource "authz:tenant:admin" is deprecated and replaced by several resources (#183, PLUM Sprint 230412)
  • Viewing and browsing all tenants requires superuser privileges (#183, PLUM Sprint 230412)
  • Seacat Admin built-in resources are not editable (#183, PLUM Sprint 230412)
  • Mock mode option of SMSbrana.cz provider changed (#191, PLUM Sprint 230412)

Fix

  • Improve last login search performance (#173, PLUM Sprint 230324)
  • M2M session now has access to all the M2M credentials' assigned tenants (#186, PLUM Sprint 230324)
  • Fix tenant check in role assignment (#187, PLUM Sprint 230324)
  • Fix credential service lookup (#192, PLUM Sprint 230412)
  • Fix pymongo import error (#193, PLUM Sprint 230412)
  • Fix client initialization in provisioning (#194, PLUM Sprint 230412)

Features

  • Per-client configurable authorization, login and cookies (#156, PLUM Sprint 230324)
  • External login ident stored (#185, PLUM Sprint 230324)
  • Granular access control for Admin API (#183, PLUM Sprint 230412)
  • SMTP provider mock mode (#191, PLUM Sprint 230412)

Refactoring

  • OpenAPI docs updated (#181, PLUM Sprint 230324)
  • Bulk-unassign tenants using "UNASSIGN-TENANT" (#189, PLUM Sprint 230324)

v23.13-beta

27 Mar 10:28

Compatibility

Major breaking changes

  • This version introduces validation of the Redirect URI parameter in the OAuth authorize request. An invalid Redirect URI will cause a warning in the application log. See #157 for details and how to fix it.

Changelog

Breaking changes

  • Renamed the Code Challenge Method client feature (#168, PLUM Sprint 230224)
  • Code Challenge Method is now enforced if set (#168, PLUM Sprint 230224)
  • Invalid OAuth redirect URIs raise a warning (#157, PLUM Sprint 230310)

Fix

  • Removed required fields from client update (#144, PLUM Sprint 230113)
  • Store client cookie domain (#147, PLUM Sprint 230113)
  • Efficient count in MongoDB credential provider (#150, PLUM Sprint 230127)
  • Fix sync method in Batman module (3c68cb8, PLUM Sprint 230210)
  • Fix cookie client session flow (#155, PLUM Sprint 230210)
  • Renaming resources without description (#158, PLUM Sprint 230210)
  • Batman does not add nonexistent roles to Kibana users (#159, PLUM Sprint 230210)
  • Fixed empty string check in client registration (#168, PLUM Sprint 230224)

Features

  • Allow unsetting some client features (#148, PLUM Sprint 230113)
  • OAuth 2.0 PKCE challenge (RFC7636) (#152, PLUM Sprint 230127)
  • Session tracking ID introduced (#135, PLUM Sprint 230210)
  • Clients can register a custom login_uri and login_key (#151, PLUM Sprint 230210)
  • Authorize request adds client_id to login URL query (#151, PLUM Sprint 230210)
  • Upgrade Docker image OS to Alpine 3.17 (#166, PLUM Sprint 230224)
  • Assign roles and tenants to multiple credentials at once (#146, PLUM Sprint 230113)
  • Allow OAuth authorize requests with anonymous sessions (#165, PLUM Sprint 230224)
  • Allow extra login parameters to be supplied in login prologue body (#169, PLUM Sprint 230310)
  • Assign roles and tenants to multiple credentials at once (#167, PLUM Sprint 230310)
  • Introduce event type descriptors (#172, PLUM Sprint 230310)
  • OAuth redirect URI validation options (#157, #175, PLUM Sprint 230310)
  • TOTP secrets moved to dedicated collection (#176, PLUM Sprint 230310)

Refactoring

  • Regex validation of cookie_domain client attribute (#144, PLUM Sprint 230113)
  • Swagger doc page uses the same auth rules as ASAB API (#164, PLUM Sprint 230224)
  • Renamed the Code Challenge Method client feature (#168, PLUM Sprint 230224)
  • Code Challenge Method is now enforced if set (#168, PLUM Sprint 230224)

v23.08.01-alpha

06 Mar 14:06

CHANGELOG

since v23.08-alpha

Fix

  • Locked ASAB version to commit bf1918b

since v23.03

Fix

  • Removed required fields from client update (#144, PLUM Sprint 230113)
  • Store client cookie domain (#147, PLUM Sprint 230113)
  • Efficient count in MongoDB credential provider (#150, PLUM Sprint 230127)
  • Fix sync method in Batman module (3c68cb8, PLUM Sprint 230210)
  • Fix cookie client session flow (#155, PLUM Sprint 230210)
  • Renaming resources without description (#158, PLUM Sprint 230210)
  • Batman does not add nonexistent roles to Kibana users (#159, PLUM Sprint 230210)

Features

  • Allow unsetting some client features (#148, PLUM Sprint 230113)
  • OAuth 2.0 PKCE challenge (RFC7636) (#152, PLUM Sprint 230127)
  • Session tracking ID introduced (#135, PLUM Sprint 230210)
  • Clients can register a custom login_uri and login_key (#151, PLUM Sprint 230210)
  • Authorize request adds client_id to login URL query (#151, PLUM Sprint 230210)

Refactoring

  • Regex validation of cookie_domain client attribute (#144, PLUM Sprint 230113)

v23.08-alpha

24 Feb 16:14
c453b3a

CHANGELOG

since v23.03

Fix

  • Removed required fields from client update (#144, PLUM Sprint 230113)
  • Store client cookie domain (#147, PLUM Sprint 230113)
  • Efficient count in MongoDB credential provider (#150, PLUM Sprint 230127)
  • Fix sync method in Batman module (3c68cb8, PLUM Sprint 230210)
  • Fix cookie client session flow (#155, PLUM Sprint 230210)
  • Renaming resources without description (#158, PLUM Sprint 230210)
  • Batman does not add nonexistent roles to Kibana users (#159, PLUM Sprint 230210)

Features

  • Allow unsetting some client features (#148, PLUM Sprint 230113)
  • OAuth 2.0 PKCE challenge (RFC7636) (#152, PLUM Sprint 230127)
  • Session tracking ID introduced (#135, PLUM Sprint 230210)
  • Clients can register a custom login_uri and login_key (#151, PLUM Sprint 230210)
  • Authorize request adds client_id to login URL query (#151, PLUM Sprint 230210)

Refactoring

  • Regex validation of cookie_domain client attribute (#144, PLUM Sprint 230113)

v23.03.01

14 Feb 11:31

CHANGELOG

v23.03.01

Fix

  • Fix sync method in Batman module (PLUM Sprint 230210)

v23.03

Breaking changes

  • Authorize endpoint no longer authorizes unregistered clients (#137, PLUM Sprint 230113)
  • Introspecting a cookie-based client session requires client_id in query (#137, PLUM Sprint 230113)

Fix

  • Remove set_cookie from authorize response (#125, PLUM Sprint 221202)
  • Attempts to access a nonexistent tenant result in 403 (#133, #138, PLUM Sprint 221216)
  • Fixed default registration expiration (#142, PLUM Sprint 230113)

Features

  • Client registration allows custom client ID (#128, PLUM Sprint 221202)
  • Login with external OAuth2 (Facebook) (#129, PLUM Sprint 221216)
  • Cookie-based client sessions can now authorize for a specific scope and tenant (#137, PLUM Sprint 230113)
  • Standardized error codes in authorize response (#137, PLUM Sprint 230113)
  • OIDC-standardized scope values (#143, PLUM Sprint 230113)
  • M2M sessions are now authorized for all the assigned tenants (#141, PLUM Sprint 230113)

Refactoring

  • Cookie introspection for anonymous access is moved to a separate endpoint (#124, PLUM Sprint 221216)

v23.3

18 Jan 17:46

CHANGELOG

v23.3

Breaking changes

  • Authorize endpoint no longer authorizes unregistered clients (#137, PLUM Sprint 230113)
  • Introspecting a cookie-based client session requires client_id in query (#137, PLUM Sprint 230113)

Fix

  • Remove set_cookie from authorize response (#125, PLUM Sprint 221202)
  • Attempts to access a nonexistent tenant result in 403 (#133, #138, PLUM Sprint 221216)
  • Fixed default registration expiration (#142, PLUM Sprint 230113)

Features

  • Client registration allows custom client ID (#128, PLUM Sprint 221202)
  • Login with external OAuth2 (Facebook) (#129, PLUM Sprint 221216)
  • Cookie-based client sessions can now authorize for a specific scope and tenant (#137, PLUM Sprint 230113)
  • Standardized error codes in authorize response (#137, PLUM Sprint 230113)
  • OIDC-standardized scope values (#143, PLUM Sprint 230113)
  • M2M sessions are now authorized for all the assigned tenants (#141, PLUM Sprint 230113)

Refactoring

  • Cookie introspection for anonymous access is moved to a separate endpoint (#124, PLUM Sprint 221216)

v22.48

01 Dec 09:26
850d5cd

Compatibility

ASAB UI v22.48 or newer
SeaCat Admin UI v22.48 or newer

⚠️ Due to breaking changes in the OpenID Connect module, tenant authorization will not work with older versions of ASAB-UI-based apps.

Changelog

v22.48

Breaking changes

  • Access to tenants must be requested in authorization scope (#92, PLUM Sprint 221118)

Features

  • Anonymous sessions for unauthenticated user access (#120, PLUM Sprint 221118)
  • Display blocked LDAP credentials as suspended (#123, PLUM Sprint 221118)
  • Access to tenants must be requested in authorization scope (#92, PLUM Sprint 221118)
  • Resource authz:tenant:access grants access to any tenant (#92, PLUM Sprint 221118)

Refactoring

  • MySQL and XMongoDB inherit from read-only provider class (#122, PLUM Sprint 221118)
  • Userinfo fields preferred_username and phone_number have been renamed (#92, PLUM Sprint 221118)

v22.46

16 Nov 10:38
3ca39e6

CHANGELOG

v22.46

Breaking changes

  • Endpoint for updating custom tenant data changed (#98, PLUM Sprint 221104)
  • Unset credential phone/email by setting it to null instead of empty string (#117, PLUM Sprint 221104)

Fix

  • Logout with ID token (#116, PLUM Sprint 221104)
  • Disable registration service when no credential provider supports registration (#118, PLUM Sprint 221104)

Features

  • Roles have an optional "description" field (#103, PLUM Sprint 221021)
  • User registration (invitation only) (#86, PLUM Sprint 221021)
  • Delete and rename resources (#113, PLUM Sprint 221104)
  • List roles that contain a specific resource (#113, PLUM Sprint 221104)
  • Include session ID and parent session ID in ID token (#116, PLUM Sprint 221104)

Refactoring

  • Keep superuser role after provisioning (#102, PLUM Sprint 221021)
  • Endpoint for updating custom tenant data changed (#98, PLUM Sprint 221104)
  • Unset credential phone/email by setting it to null instead of empty string (#117, PLUM Sprint 221104)