Release notes
nevisAuth 7.2505.3.1 - 29.08.2025
Breaking changes
Changes and new features
- FIXED: Unreleased lock causing threads to hang in scenarios where `IdentityProviderState` received a logout that contains a session index but does not act as SOAP logout. (NEVISAUTH-4852)
- FIXED: We release the session lock for IdP when returning an ERROR for SOAP logout. (NEVISAUTH-4928)
- FIXED: We return an error SAML message to the requester when any error happens during SOAP logout. (NEVISAUTH-4923)
- FIXED: We also accept unformatted SAML SOAP logout messages. (NEVISAUTH-4924)
nevisAuth 7.2505.2.3 - 08.08.2025
Breaking changes
Changes and new features
- CHANGED: The following jar files are removed from the nevisauth.war file as they are already contained on the application classloader level in the rpm: commons-lang3, error_prone_annotations, failureaccess, guava, j2objc-annotations, jackson-annotations, jackson-core, jackson-databind, jspecify, listenablefuture-9999. Having these duplicated caused classloading errors in some cases. (NEVISAUTH-5147)
- FIXED: Some query parameters were not properly URL-encoded in calls to nevisMeta endpoints. (NEVISAUTH-5161)
- FIXED: We improved the performance by reducing the introspection endpoint calls for empty `token_type_hint`. (NEVISAUTH-4899)
- UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.18.0. (NEVISAUTH-5157)
nevisAuth 7.2505.1.1 - 26.06.2025
Breaking changes
Changes and new features
- FIXED: nevisAuth now stops on startup when a critical configuration failure happens. (NEVISAUTH-5081)
- FIXED: Fixed a deadlock in the `ThrottleSessionsState` when the same user tried to log in concurrently at the exact same time. (NEVISAUTH-5084)
- FIXED: Remote session store `syncPullInitial="true"` failing when session indexing was configured. (NEVISAUTH-5124)
- FIXED: Double resolution of EL expressions on Gui labels parameters. (NEVISAUTH-5121)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.7. (NEVISAUTH-5117)
nevisAuth 7.2505.0.8 - 21.05.2025
Breaking changes
Changes and new features
- FIXED: The correct error message is displayed when code_challenge is empty but S256 is required for AuthorizationServer. (NEVISAUTH-4800)
- FIXED: Form encryption no longer logs excessive stacktraces when there is no input to be decrypted. (NEVISAUTH-5018)
- FIXED: We fixed the logging of Assertion's Subject Confirmation validation. (NEVISAUTH-4946)
- FIXED: We check for the missing `request_uri` parameter first when PAR is required for `AuthorizationServer`. (NEVISAUTH-4754)
- FIXED: The artifact `nevisauth-test-authstateharness-fat` containing the wrong version of Slf4j. (NEVISAUTH-5026)
- FIXED: OpenTelemetry PeriodicMetricReader no longer logs a WARN level message when Metrics export fails during shutdown because the application is already unloaded. (NEVISLOG-547)
- FIXED: Double resolution of EL expressions on Gui labels. (NEVISAUTH-5068)
- FIXED: The `HttpResponse` implementation in the nevisAuth `HttpClient` incorrectly returned HTTP headers in the `header` and `headerDate` methods case sensitively. Headers are now returned case insensitively in these methods. (NEVISAUTH-5080)
- UPGRADED: We upgraded the Apache EL third-party dependency to version 11.0.4. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.3.0. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.80. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.49.2. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Commons codec third-party dependency to version 1.18.0. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Commons-text third-party dependency to version 1.13.0. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.26. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Guava third-party dependencies to version 33.4.6-jre. (NEVISAUTH-5036)
- UPGRADED: We upgraded the HikariCP third-party dependencies to version 6.3.0. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.18.3. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.18. (NEVISAUTH-5036)
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2505.x. (NEVISAUT
- UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.2. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Libphonenumber third-party dependency to version 9.0.2. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.3. (NEVISAUTH-5036)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.5.3. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.2.0 (NEVISAUTH-5036)
- UPGRADED: We upgraded the Nimbus oidc sdk third-party dependency to version 11.23.1. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Nimbus JWT third-party dependency to version 10.0.2. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.48.0 (NEVISAUTH-5036)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.5. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.17. (NEVISAUTH-5036)
- UPGRADED: We upgraded the XmlSec third-party dependency to version 3.0.5. (NEVISAUTH-5036)
- UPGRADED: We upgraded the Woodstox third-party dependency to version 7.1.0. (NEVISAUTH-5036)
nevisAuth 7.2411.3.2 - 27.03.2025
Breaking changes
Changes and new features
- FIXED: We fixed a bug where an empty SessionIndex caused the session not to be found in IdentityProviderState. (NEVISAUTH-5004)
- UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.2.0 (IS-517)
nevisAuth 7.2411.2.1 - 14.02.2024
Breaking changes
Changes and new features
- NEW: We introduced the `addKid` parameter in the `AuthorizationServer` AuthState to add `kid` in `ID Token` and `Access Token`. (NEVISAUTH-4837)
- UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.1.1 (NEVISAUTH-4941)
- NEW: Added the property `concurrentLogout.terminateSessionOfSpInitLogout` to disable the termination of sessions in SP-initiated Concurrent Logouts. (NEVISAUTH-4975)
- FIXED: We fixed a bug that allowed OAuth2 requests with invalid client to redirect to a URL. (NEVISAUTH-4978)
- FIXED: We fixed a bug in the LocalSessionStore session reaper which caused a deadlock when manual session invalidation and LocalSessionStore reaper collided. (NEVISAUTH-4988)
- UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.2. (NEVISAUTH-4984)
nevisAuth 7.2411.1.1 - 30.01.2025
Breaking changes
Changes and new features
- FIXED: We fixed a bug in the LocalSessionStore session reaper which caused a deadlock when manual session invalidation and LocalSessionStore reaper collided. (NEVISAUTH-4988)
- UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.1.1 (NEVISAUTH-4941)
nevisAuth 7.2411.0.10 - 20.11.2024
Changes and new features
Breaking changes
- CHANGED: The default value of the `connectionMaxPoolSize` property of the Remote session store and OOCD is changed to 10 from the previous 20 to align with the underlying library's recommended defaults. (NEVISAUTH-4819)
- REMOVED: We removed the validation that `acr_values` must contain the value of the `acr` claim. (NEVISAUTH-4854)
General Changes
- FIXED: SecurityTokenService logging confusing error message `SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1` when generating an error response. (NEVISAUTH-4681)
- FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also, some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
- FIXED: Default logging.yml incorrectly containing `jcan.Op` instead of `OpTrace`. (NEVISAUTH-4774)
- FIXED: WSSHeaderValidation auth state not sanitizing passwords in soap headers in the log. (NEVISAUTH-4826)
- FIXED: NullPointerException in the ScriptState session variable validation. (NEVISAUTH-4856)
- FIXED: We fixed `AccessTokenConsumer` not accepting URLs that contain a space. (NEVISAUTH-4788)
- FIXED: We removed the limitation of only allowing a certain prefix in the envelope of SOAP logout requests in `IdentityProviderState`. (NEVISAUTH-4852)
- FIXED: The session was not terminated after a SAML concurrent logout. (NEVISAUTH-4491)
- FIXED: We reduced the verbosity of the log entries related to the translation of scope metadata. (NEVISAUTH-4507)
- NEW: HTTP headers can be referred to in the log pattern with the syntax `%X{httpHeader.yourHttpHeader}`. Differences in source: authenticate/stepup requests arriving from nevisProxy contain the original HTTP headers of the client in the SOAP request body, and these are made available in the logging context. Other Web and Rest services do not have this proprietary mechanism, so for those nevisAuth simply uses the HTTP headers of the current request. (NEVISAUTH-4776)
- NEW: Configuration option `server.tls.verify-sni` which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information when the hostname does not contain a dot. (NEVISAUTH-4624)
- NEW: `connectionMinPoolSize` configuration option for the Remote session store and OOCD. Note that by default `connectionMinPoolSize` takes the value of `connectionMaxPoolSize`, which means that the pool opens all connections on start, which is the recommended way to maximise performance. For cases where you only want to create connections on demand, you can specify a lower `connectionMinPoolSize` value. (NEVISAUTH-4819)
- DOWNGRADED: We fixed encrypted SAML message generation with the `xenc11:MGF` tag by downgrading the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4870)
- UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.47.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons-cli third-party dependency to version 1.19.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons codec third-party dependency to version 1.17.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.17.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Commons-text third-party dependency to version 1.12.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jaxrs-ri third-party dependency to version 3.1.8. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jaxws-rt third-party dependency to version 4.0.3. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.13. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.22. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Guava third-party dependencies to version 33.3.0-jre. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0 (NEVISAUTH-4836)
- UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4836)
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4836)
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2411.0.x. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Libphonenumber third-party dependency to version 8.13.45. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISAUTH-4836)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Nimbus oidc sdk third-party dependency to version 11.19.1. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Opensaml third-party dependencies to version 4.3.2. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0 (NEVISAUTH-4836)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.7. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Rhino third-party dependency to version 1.7.15. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISAUTH-4836)
- UPGRADED: We upgraded the Woodstox third-party dependency to version 7.0.0. (NEVISAUTH-4836)
nevisAuth 7.2405.2.0 - 25.07.2024
Changes and new features
Breaking changes
- FIXED: We changed the SAML Single Logout SOAP implementations of the SP and the IDP to align them more to the specification. Although this is a bugfix, the behavior has changed, so it may break implementations that use them. (NEVISAUTH-4761)
nevisAuth 7.2405.1.1 - 26.06.2024
Changes and new features
Breaking changes
General Changes
- FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also, some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
- FIXED: We now set the `kid` field in the JWKS endpoint with the property `keyID` of the AuthorizationServer, in case the `keyID` property exists. (NEVISAUTH-4501)
- FIXED: SecurityTokenService logging confusing error message `SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1` when generating an error response. (NEVISAUTH-4681)
nevisAuth 7.2405.0.4 - 15.05.2024
Changes and new features
Breaking changes
- REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken, use the value `SHA256withRSA` instead. (NEVISIDM-9456)
- REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following 3rd party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng as these can easily cause an unresolvable version clash. (NEVISAUTH-4553)
- FIXED: The OOCD and Remote session store incorrectly storing time data in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when 1 hour disappears from the clock. The MariaDB JDBC driver defaulting to the server timezone caused a double conversion from the local timezone to UTC. Normally this does not cause any issue for nevisAuth, as reads and writes use the same logic. During the daylight saving time switch, however, it causes a validation error in the database because we try to insert a non-existent (valid) time. The database connection session now uses the UTC timezone to avoid this. Note that because of this change, OOCD entries and Sessions will expire earlier by the timezone offset. If this is not acceptable, you can fix the data in the DB like this:

```sql
update nevisauth_out_of_context_data_service set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
update TNSSA_AUTH_SESSION_CACHE set ABSTO = DATE_ADD(ABSTO, INTERVAL 2 HOUR);
```

  These statements assume Central European Time and that the data was created in summer time. (With winter time you have to add only 1 hour.) If you get an error like `Unknown or incorrect time zone: 'UTC'` afterwards, your database did not have the timezone database initialized. You have to run `mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p`. To verify the result, you can run `SELECT * FROM mysql.time_zone_name;`. Note that this will only impact you if you are upgrading from the java8 els versions or any rolling version >= 4.40.0.10. Upgrading from LTS21 is not impacted, as LTS21 does not have this issue yet; it was introduced in NEVISAUTH-4265. (NEVISAUTH-4650)
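The daylight saving failure described above can be reproduced outside the database. The following is an added example, not Nevis code: it finds the wall-clock values that do not exist when a UTC value is read as server-local time, and derives the 2 hour (summer) or 1 hour (winter) correction used in the statements above. The timezone `Europe/Zurich` and all function names are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumption: the database server runs in a Central European timezone.
SERVER_TZ = ZoneInfo("Europe/Zurich")


def exists_as_local(wall: datetime, tz: ZoneInfo = SERVER_TZ) -> bool:
    """True if the naive wall-clock value is a real local time in tz.

    A value inside the spring-forward gap does not survive a round trip
    through UTC: it comes back shifted by the skipped hour.
    """
    roundtrip = wall.replace(tzinfo=tz).astimezone(timezone.utc).astimezone(tz)
    return roundtrip.replace(tzinfo=None) == wall


def rejected_values(day: datetime, tz: ZoneInfo = SERVER_TZ, step_minutes: int = 30):
    """Wall-clock values on `day` that are valid in UTC but do not exist when
    the same digits are interpreted as local time in tz."""
    start = day.replace(hour=0, minute=0, second=0, microsecond=0)
    candidates = [start + timedelta(minutes=m)
                  for m in range(0, 24 * 60, step_minutes)]
    return [v for v in candidates if not exists_as_local(v, tz)]


def correction_hours(created: datetime, tz: ZoneInfo = SERVER_TZ) -> int:
    """UTC offset of tz (in whole hours) at the local time the row was created:
    the INTERVAL to add to rows written before the UTC session change."""
    offset = created.replace(tzinfo=tz).utcoffset()
    return int(offset / timedelta(hours=1))


if __name__ == "__main__":
    # Constructed sample dates: the 2024 switch days and one day per season.
    for day in (datetime(2024, 3, 31), datetime(2024, 10, 27)):
        gaps = [v.strftime("%H:%M") for v in rejected_values(day)]
        print(day.date(), "non-existent local values:", gaps or "none")
    print("summer correction:", correction_hours(datetime(2024, 7, 1, 12)), "h")
    print("winter correction:", correction_hours(datetime(2024, 1, 15, 12)), "h")
```
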
General Changes
- FIXED: OAuth2 only returns an error redirect when a valid redirect_uri is provided. (NEVISAUTH-4627)
- FIXED: We made the encryption of the AccessToken work also for OAuth2. (NEVISAUTH-4630)
- FIXED: We fixed corrupted SecToken generated by JWT Bearer Grant Authentication flow. (NEVISAUTH-4631)
- FIXED: Getting BadConfigurationException when setting `nevismeta.httpclient.authorization.basic.*` properties. (NEVISAUTH-4520)
- FIXED: The actorCert not extracted from HTTP Request. (NEVISAUTH-4649)
- FIXED: The public client without a client secret throwing an exception during the token request. (NEVISAUTH-4691)
- NEW: We support EC key for JWKS. (NEVISAUTH-4515)
- EXPERIMENTAL: We introduced the property `openid.promptParameterSupported` for using the `prompt` parameter in `AuthorizationServer`. (NEVISAUTH-4526)
- UPGRADED: We upgraded the Angus activation third-party dependencies to version 2.0.2. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Angus mail third-party dependencies to version 2.0.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78. (NEVISAUTH-4641)
- UPGRADED: We upgraded the Commons codec third-party dependency to version 1.16.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.21. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Guava third-party dependencies to version 33.1.0-jre. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0 (NEVISAUTH-4585)
- UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4553)
- UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4553)
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 7.2405.0.x. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4585)
- UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 7.0.0. (NEVISAUTH-4553)
- UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.34. (NEVISAUTH-4553)
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the nimbus oidc sdk third-party dependency to version 11.10.1. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0 (NEVISAUTH-4546)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.6. (NEVISAUTH-4553)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12. (NEVISAUTH-4553)
- UPGRADED: We upgraded the woodstox third-party dependency to version 6.6.2. (NEVISAUTH-4553)
- UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.3. (NEVISAUTH-4553)
- UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.4. (NEVISAUTH-4553)