Releases: SAP/cloud-security-services-integration-library
Version 3.1.0
❗ IMPORTANT Update ❗
The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.
- [java-api]
  - Token interface is extended with the default method getAppTid(), and the getZoneId() method has been deprecated; use the getAppTid() method instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity-based applications.
  - TokenClaims is extended with SAP_GLOBAL_APP_TID, and SAP_GLOBAL_ZONE_ID is deprecated.
- [token-client]
  - OAuth2TokenKeyService interface has been extended with the retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method.
  - HttpHeaders constants are extended with the X-app_tid and X-client_id headers.
  - JWKs fetch from the Identity service going forward requires the mandatory headers X-app_tid and X-client_id. This has been updated in the default implementations of OAuth2TokenKeyService:
    - DefaultOAuth2TokenKeyService
    - OAuth2TokenKeyServiceWithCache (java-security module)
    - SpringOAuth2TokenKeyService
- [java-security]
  - AbstractToken is serializable, fixes #1209
- [java-security-test]
  - JwtGenerator adds app_tid claims with the default value the-app-tid to the Identity tokens. ❗ Some adaptation might be required when calling the getZoneId() method, as it will now return the app_tid value when default values are used.
Dependency upgrades
- Bump spring.core.version from 6.0.9 to 6.0.11
- Bump spring.boot.version from 3.0.6 to 3.1.2
- Bump spring.security.version from 6.0.3 to 6.1.2
- Bump reactor-core from 3.5.6 to 3.5.8
- Bump btp-environment-variable-access from 0.6.0 to 0.8.0
- Bump json from 20230227 to 20230618
- Bump commons-io from 2.11.0 to 2.13.0
Version 2.14.0
❗ IMPORTANT Update ❗
The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.
- [java-api]
  - Token interface is extended with the default method getAppTid(), and the getZoneId() method has been deprecated; use the getAppTid() method instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity-based applications.
  - TokenClaims is extended with SAP_GLOBAL_APP_TID, and SAP_GLOBAL_ZONE_ID is deprecated.
- [token-client]
  - OAuth2TokenKeyService interface has been extended with the retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method.
  - HttpHeaders constants are extended with the X-app_tid and X-client_id headers.
  - JWKs fetch from the Identity service going forward requires the mandatory headers X-app_tid and X-client_id. This has been updated in the default implementations of OAuth2TokenKeyService:
    - DefaultOAuth2TokenKeyService
    - OAuth2TokenKeyServiceWithCache (java-security module)
    - SpringOAuth2TokenKeyService
- [java-security]
  - AbstractToken is serializable #1207
- [java-security-test]
  - JwtGenerator adds app_tid claims with the default value the-app-tid to the Identity tokens. ❗ Some adaptation might be required when calling the getZoneId() method, as it will now return the app_tid value when default values are used.
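Added example, not part of the release notes or the library's code: a JDK-only (Java 11+) sketch of what the app_tid change in versions 3.1.0 and 2.14.0 means for code that reads the tenant claim itself or fetches JWKs with its own HTTP client. The class name, endpoint URL, client id and the cache-key and conflict-rejection policies are assumptions made for this illustration.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.Map;
import java.util.Objects;

// Added illustration, not code from the SAP library. JDK only (Java 11+).
public final class TenantAwareJwksRequest {
    // Claim and header names as given in the release notes.
    static final String APP_TID = "app_tid";
    static final String ZONE_UUID = "zone_uuid"; // deprecated claim
    static final String H_APP_TID = "X-app_tid";
    static final String H_CLIENT_ID = "X-client_id";
    // Prefer app_tid, fall back to zone_uuid for older tokens. Rejecting
    // tokens whose two claims disagree is a policy choice of this example.
    static String resolveTenantId(Map<String, Object> claims) {
        Object appTid = claims.get(APP_TID);
        Object zone = claims.get(ZONE_UUID);
        if (appTid != null && zone != null && !appTid.equals(zone)) {
            throw new IllegalArgumentException("app_tid and zone_uuid disagree");
        }
        Object tenant = appTid != null ? appTid : zone;
        if (!(tenant instanceof String) || ((String) tenant).isBlank()) {
            throw new IllegalArgumentException("no usable tenant id in token");
        }
        return (String) tenant;
    }
    // JWKS request carrying both mandatory headers; fails fast if one is missing.
    static HttpRequest jwksRequest(URI jwksUri, String tenantId, String clientId) {
        Objects.requireNonNull(tenantId, "tenantId (X-app_tid) is required");
        Objects.requireNonNull(clientId, "clientId (X-client_id) is required");
        return HttpRequest.newBuilder(jwksUri)
                .header(H_APP_TID, tenantId)
                .header(H_CLIENT_ID, clientId)
                .GET().build();
    }
    // Assumption of this example: the key set may differ per tenant and client,
    // so a local JWKS cache is keyed on all three values, not on the URI alone.
    static String cacheKey(URI jwksUri, String tenantId, String clientId) {
        return String.join("|", jwksUri.toString(), tenantId, clientId);
    }
    public static void main(String[] args) {
        // Constructed sample: an older token that still carries only zone_uuid.
        Map<String, Object> claims = Map.of(ZONE_UUID, "the-app-tid");
        String tenant = resolveTenantId(claims);
        URI jwks = URI.create("https://tenant.example.invalid/jwks-placeholder");
        HttpRequest req = jwksRequest(jwks, tenant, "example-client-id");
        System.out.println(req.headers().map());
        System.out.println(cacheKey(jwks, tenant, "example-client-id"));
    }
}
```

Applications that use the library's default OAuth2TokenKeyService implementations do not need this, since the notes above state those already send both headers.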
Dependency upgrades
- Bump spring.core.version from 5.3.27 to 5.3.29
- Bump spring.boot.version from 2.7.10 to 2.7.14
- Bump spring.security.version from 5.8.3 to 5.8.5
- Bump reactor-core from 3.4.24 to 3.4.31
- Bump btp-environment-variable-access from 0.6.0 to 0.8.0
- Bump json from 20230227 to 20230618
- Bump commons-io from 2.11.0 to 2.13.0
Version 3.0.1
[spring-xsuaa]
- fixes incompatible TLS version for DefaultSpringHttpClientFactory
Dependency upgrades
- Bump spring.core.version from 6.0.8 to 6.0.9
- Bump reactor-core from 3.5.5 to 3.5.6
- Bump btp-environment-variable-access from 0.5.2 to 0.6.0
Version 3.0.0
Baseline changes
cloud-security-services-integration-library requires
- Java 17
- Spring Boot 3.0.x
- Spring security 6.0.x
Breaking Changes
- Identity service configurations need to provide domains via String array in JSON key 'identity.credentials.domains'. Providing String values under key 'identity.credentials.domain' is not supported anymore. IAS configurations from service bindings have been generated like this for a long time already. This should only affect old configuration files manually written for testing.
Removed modules
- spring-xsuaa-mock → use java-security-test instead
Removed deprecated classes and interfaces
- [api]
  - XSPrincipal, XSUserInfoException → not needed anymore with new Token interface
- [env]
  - CFEnvironment, K8sEnvironment → use instead ServiceBindingEnvironment
  - CFConstants, K8sConstants → use instead ServiceConstants
- [java-security]
  - XSUserInfo, XSUserInfoAdapter → use instead Token interface and Token#getClaimAsString with TokenClaims.XSUAA constants to access XSUAA-specific claims.
  - SAPOfflineTokenServicesCloud → use instead [spring-security] module
- [spring-xsuaa]
  - XSTokenRequest, TokenBroker, UaaTokenBroker → use instead token-client module to fetch XSUAA tokens via XsuaaTokenFlows
  - TokenBrokerResolver, AuthenticationMethod → No longer provided. See the spring-security-basic-auth sample for how to write your own implementation.
  - IasXsuaaExchangeBroker → Exchange is not supported by XSUAA service anymore.
  - TokenUrlUtils → use instead OAuth2ServiceEndpointsProvider
  - XsuaaServicesParser → use instead Environments#getCurrent or new ServiceBindingEnvironment(new SapVcapServicesServiceBindingAccessor(any -> xsuaaConfigJson))
  - OAuth2AuthenticationConverter → Not supported anymore because deprecated by Spring Security: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
- [token-client]
  - UserTokenFlow → use instead JwtBearerTokenFlow
Removed deprecated methods
- [java-security]
  - OAuth2TokenKeyServiceWithCache#withCacheTime, OAuth2TokenKeyServiceWithCache#withCacheSize → use instead OAuth2TokenKeyServiceWithCache#withCacheConfiguration
  - SAPOfflineTokenServicesCloud#SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration) →
- [java-security-test]
  - SecurityTestRule#getConfigurationBuilderFromFile → use instead SecurityTestRule#getOAuth2ServiceConfigurationBuilderFromFile
  - SecurityTestRule#getWireMockRule → use instead SecurityTestRule#getWireMockServer
- [spring-xsuaa]
  - Token#getExpirationDate → use instead Token#getExpiration
- [spring-xsuaa-test]
  - Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
- [token-client]
  - XsuaaTokenFlows#userTokenFlow → use instead XsuaaTokenFlows#jwtBearerTokenFlow
  - OAuth2TokenService#retrieveAccessTokenViaUserTokenGrant → use instead OAuth2TokenService#retrieveAccessTokenViaJwtBearerTokenGrant
  - OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant(URI, ClientIdentity, String, Map, boolean) → use instead OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant with null for argument subdomain
  - DefaultOAuth2TokenService#DefaultOAuth2TokenService → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient)
  - XsuaaOAuth2TokenService#XsuaaOAuth2TokenService → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient)
  - DefaultOAuth2TokenService#DefaultOAuth2TokenService(TokenCacheConfiguration) → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
  - XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(TokenCacheConfiguration) → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
  - XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(URI), XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String) → use instead XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String, String)
  - OAuth2TokenResponse#getExpiredAtDate → use instead OAuth2TokenResponse#getExpiredAt
  - Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
Removed deprecated fields
- [java-api]
  - GrantType#USER_TOKEN → use instead GrantType#JWT_BEARER
- [token-client]
  - OAuth2TokenServiceConstants#GRANT_TYPE_USER_TOKEN → use instead GrantType#JWT_BEARER
- [spring-xsuaa]
  - Token#GRANTTYPE_CLIENTCREDENTIAL → use instead GrantType#CLIENT_CREDENTIALS
Version 2.13.9
Patches CVE-2023-20863
[env]
- for backward compatibility, domain is also supported along with the domains attribute for Identity service configuration #1153
[token-client]
- warning messages have been removed when using DefaultHttpClientFactory; HTTP client settings have been updated, see README for more information
- UserTokenFlow is deprecated, use jwtBearerTokenFlow instead #1135
Dependency upgrades
- Bump spring.core.version from 5.3.26 to 5.3.27
- Bump log4j2.version from 2.19.0 to 2.20.0
Version 2.13.8
[spring-xsuaa]
- Synchronizes XsuaaJwtDecoder cache configuration with internal NimbusJwtDecoder cache
- Improved logging for XsuaaJwtDecoder fallback key validation
Dependency upgrades
- Bump spring.boot.version from 2.7.9 to 2.7.10
Version 2.13.7
[token-client]
- Fixes regression introduced with logback dependency not having scope test
Dependency upgrades
- Bump org.json from to 20230227
Version 2.13.6
[env]
- CFEnvironment has migrated to use the btp-environment-variable-access library for accessing configuration from VCAP_SERVICES
[java-security]
- XsUserInfoAdapter.getSystemAttribute() supports xs.system.attributes values in the token in string format along with string array
Dependency upgrades
- Bump spring.boot.version from 2.7.8 to 2.7.9
- Bump spring.security.version from 5.8.1 to 5.8.2
Full Changelog: 2.13.5...2.13.6
Version 2.13.5
[spring-xsuaa]
- improved logging for JwtAudienceValidator
[java-security]
- enables token validation without zones
Dependency upgrades
- Bump httpclient from 4.5.13 to 4.5.14
- Bump btp-environment-variable-access java-bom from 0.5.1 to 0.5.2
- Bump spring.boot.version from 2.7.5 to 2.7.8
- Bump spring.core.version from 5.3.23 to 5.3.25
- Bump spring.security.version from 5.7.5 to 5.8.1
- Bump slf4j.api.version from 2.0.3 to 2.0.6
Full Changelog: 2.13.4...2.13.5
Version 2.13.4
[spring-xsuaa][spring-security]
- Patches CVE-2022-31692 vulnerability in spring security dependency.
[java-security-test]
- scim_id added as default attribute for identity token Jwt generator
Dependency upgrades
- Bump spring.security.version from 5.7.3 to 5.7.5
- Bump btp-environment-variable-access java-bom from 0.4.1 to 0.5.1
- Bump spring.boot.version from 2.7.3 to 2.7.5
- Bump reactor-core from 3.4.23 to 3.4.24
- Bump slf4j.api.version from 2.0.0 to 2.0.3
- Bump spring-boot-starter-parent from 2.7.3 to 2.7.5