Version: 7.2505.x.x LTS

Release notes

nevisAuth 7.2505.3.1 - 29.08.2025

Breaking changes

Changes and new features

  • FIXED: Unreleased lock causing threads to hang in scenarios where IdentityProviderState received a logout that contains a session index but does not act as SOAP logout. (NEVISAUTH-4852)
  • FIXED: We release the session lock for IdP when returning an ERROR for SOAP logout. (NEVISAUTH-4928)
  • FIXED: We return error SAML message to the requester, when any error happens during SOAP logout. (NEVISAUTH-4923)
  • FIXED: We now also accept unformatted SAML SOAP logout messages. (NEVISAUTH-4924)

nevisAuth 7.2505.2.3 - 08.08.2025

Breaking changes

Changes and new features

  • CHANGED: The following jar files are removed from the nevisauth.war file as they are already contained on the application classloader level in the rpm: commons-lang3, error_prone_annotations, failureaccess, guava, j2objc-annotations, jackson-annotations, jackson-core, jackson-databind, jspecify, listenablefuture-9999. Having these duplicated caused classloading errors in some cases. (NEVISAUTH-5147)
  • FIXED: Some query parameters were not properly URL-encoded in calls to nevisMeta endpoints. (NEVISAUTH-5161)
  • FIXED: We improved the performance by reducing the introspection endpoint calls for empty token_type_hint. (NEVISAUTH-4899)
  • UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.18.0. (NEVISAUTH-5157)

nevisAuth 7.2505.1.1 - 26.06.2025

Breaking changes

Changes and new features

  • FIXED: nevisAuth now stops on startup when a critical configuration failure happens. (NEVISAUTH-5081)
  • FIXED: Fixed a deadlock in the ThrottleSessionsState when the same user tried to log in concurrently at the exact same time. (NEVISAUTH-5084)
  • FIXED: Remote session store syncPullInitial="true" failing when session indexing was configured. (NEVISAUTH-5124)
  • FIXED: Double resolution of EL expressions on Gui labels parameters. (NEVISAUTH-5121)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.7. (NEVISAUTH-5117)

nevisAuth 7.2505.0.8 - 21.05.2025

Breaking changes

Changes and new features

  • FIXED: The correct error message is displayed when code_challenge is empty but S256 is required for AuthorizationServer. (NEVISAUTH-4800)
  • FIXED: Form encryption no longer logs excessive stacktraces when there is no input to be decrypted. (NEVISAUTH-5018)
  • FIXED: We fixed the logging of Assertion's Subject Confirmation validation. (NEVISAUTH-4946)
  • FIXED: We check for the missing request_uri parameter first when PAR is required for AuthorizationServer. (NEVISAUTH-4754)
  • FIXED: The artifact nevisauth-test-authstateharness-fat containing the wrong version of Slf4j. (NEVISAUTH-5026)
  • FIXED: OpenTelemetry PeriodicMetricReader no longer logs a WARN level message when Metrics export fails during shutdown because the application is already unloaded. (NEVISLOG-547)
  • FIXED: Double resolution of EL expressions on Gui labels. (NEVISAUTH-5068)
  • FIXED: The HttpResponse implementation in the nevisAuth HttpClient incorrectly returned HTTP headers in the header and headerDate methods case sensitively. Headers are now returned case insensitively in these methods. (NEVISAUTH-5080)
  • UPGRADED: We upgraded the Apache EL third-party dependency to version 11.0.4. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.3.0. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.80. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.49.2. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Commons codec third-party dependency to version 1.18.0. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Commons-text third-party dependency to version 1.13.0. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.26. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.4.6-jre. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the HikariCP third-party dependencies to version 6.3.0. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.18.3. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.18. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2505.x. (NEVISAUT
  • UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.2. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Libphonenumber third-party dependency to version 9.0.2. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.3. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.5.3. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.2.0. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Nimbus oidc sdk third-party dependency to version 11.23.1. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Nimbus JWT third-party dependency to version 10.0.2. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.48.0. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.5. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.17. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the XmlSec third-party dependency to version 3.0.5. (NEVISAUTH-5036)
  • UPGRADED: We upgraded the Woodstox third-party dependency to version 7.1.0. (NEVISAUTH-5036)

nevisAuth 7.2411.3.2 - 27.03.2025

Breaking changes

Changes and new features

  • FIXED: We fixed a bug where an empty SessionIndex caused "session not found" in IdentityProviderState. (NEVISAUTH-5004)
  • UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.2.0. (IS-517)

nevisAuth 7.2411.2.1 - 14.02.2024

Breaking changes

Changes and new features

  • NEW: We introduced addKid parameter in AuthorizationServer AuthState to add kid in ID Token and Access Token. (NEVISAUTH-4837)
  • UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.1.1. (NEVISAUTH-4941)
  • NEW: Added the property concurrentLogout.terminateSessionOfSpInitLogout to disable the termination of sessions in SP-initiated Concurrent Logouts. (NEVISAUTH-4975)
  • FIXED: We fixed a bug that allowed OAuth2 requests with invalid client to redirect to a URL. (NEVISAUTH-4978)
  • FIXED: We fixed a bug in the LocalSessionStore session reaper which caused a deadlock when manual session invalidation and LocalSessionStore reaper collided. (NEVISAUTH-4988)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.2. (NEVISAUTH-4984)

nevisAuth 7.2411.1.1 - 30.01.2025

Breaking changes

Changes and new features

  • FIXED: We fixed a bug in the LocalSessionStore session reaper which caused a deadlock when manual session invalidation and LocalSessionStore reaper collided. (NEVISAUTH-4988)
  • UPGRADED: We upgraded the Nevis OpenTelemetry java agent to version 2.0.1.1 (NEVISAUTH-4941)

nevisAuth 7.2411.0.10 - 20.11.2024

Changes and new features

Breaking changes

  • CHANGED: The default value of the connectionMaxPoolSize property of the Remote session store and OOCD is changed to 10 from the previous 20 to align with the defaults recommended by the underlying library. (NEVISAUTH-4819)
  • REMOVED: We removed the validation that acr_values must contain the value of the acr claim. (NEVISAUTH-4854)

General Changes

  • FIXED: SecurityTokenService logging confusing error message SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1 when generating an error response. (NEVISAUTH-4681)
  • FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
  • FIXED: Default logging.yml incorrectly containing jcan.Op instead of OpTrace. (NEVISAUTH-4774)
  • FIXED: WSSHeaderValidation auth state not sanitizing passwords in soap headers in the log. (NEVISAUTH-4826)
  • FIXED: NullPointerException in the ScriptState session variable validation. (NEVISAUTH-4856)
  • FIXED: We fixed AccessTokenConsumer not accepting URLs that contain a space. (NEVISAUTH-4788)
  • FIXED: We removed the limitation of only allowing a certain prefix in the envelope of SOAP logout requests in IdentityProviderState. (NEVISAUTH-4852)
  • FIXED: The session was not terminated after a SAML concurrent logout. (NEVISAUTH-4491)
  • FIXED: We reduced the verbosity of the log entries related to the translation of scope metadata. (NEVISAUTH-4507)
  • NEW: HTTP headers can be referenced in the log pattern with the syntax %X{httpHeader.yourHttpHeader}. The source of the headers differs: authenticate/stepup requests arriving from nevisProxy contain the original HTTP headers of the client in the SOAP request body, and these are made available in the logging context. Other Web and REST services do not have this proprietary mechanism, so for those nevisAuth simply uses the HTTP headers of the current request. (NEVISAUTH-4776)
  • NEW: Configuration option server.tls.verify-sni, which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information when the hostname does not contain a dot. (NEVISAUTH-4624)
  • NEW: connectionMinPoolSize configuration option for the Remote session store and OOCD. Note that by default connectionMinPoolSize takes the value of connectionMaxPoolSize which means that the pool opens all connections on start, which is the recommended way to maximise performance. For cases where you only want to create connections on demand, you can specify a lower connectionMinPoolSize value. (NEVISAUTH-4819)
  • DOWNGRADED: We fixed encrypted SAML message generation with xenc11:MGF tag by downgrading the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4870)
  • UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.1. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.47.0. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Commons-cli third-party dependency to version 1.19.0. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Commons codec third-party dependency to version 1.17.1. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.17.0. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Commons-text third-party dependency to version 1.12.0. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jaxrs-ri third-party dependency to version 3.1.8. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jaxws-rt third-party dependency to version 4.0.3. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.13. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.22. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.3.0-jre. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0 (NEVISAUTH-4836)
  • UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2411.0.x. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.1. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Libphonenumber third-party dependency to version 8.13.45. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Nimbus oidc sdk third-party dependency to version 11.19.1. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Opensaml third-party dependencies to version 4.3.2. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0 (NEVISAUTH-4836)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.7. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Rhino third-party dependency to version 1.7.15. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISAUTH-4836)
  • UPGRADED: We upgraded the Woodstox third-party dependency to version 7.0.0. (NEVISAUTH-4836)

nevisAuth 7.2405.2.0 - 25.07.2024

Changes and new features

Breaking changes

  • FIXED: We changed the SAML Single Logout SOAP implementations of the SP and the IDP to align them more to the specification. Although this is a bugfix, the behavior has changed, so it may break implementations that use them. (NEVISAUTH-4761)

nevisAuth 7.2405.1.1 - 26.06.2024

Changes and new features

Breaking changes

General Changes

  • FIXED: Unreleased lock causing threads to hang in scenarios where several clients are using the same session and this session is killed by multiple nevisProxy instances at the same time. Also some warning messages not requiring operational attention are downgraded to info. (NEVISAUTH-4738)
  • FIXED: We now set the kid field in the JWKS endpoint with the property keyID of the AuthorizationServer, in case the keyID property exists. (NEVISAUTH-4501)
  • FIXED: SecurityTokenService logging confusing error message SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1 when generating an error response. (NEVISAUTH-4681)

nevisAuth 7.2405.0.4 - 15.05.2024

Changes and new features

Breaking changes

  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken; use the value SHA256withRSA instead. (NEVISIDM-9456)
  • REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following 3rd party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng as these can easily cause an unresolvable version clash. (NEVISAUTH-4553)
  • FIXED: The OOCD and Remote session store incorrectly stored time data in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when 1 hour disappears from the clock. Because the MariaDB JDBC driver defaults to the server time zone, timestamps were converted from the local time zone to UTC twice. Normally this does not cause any issue for nevisAuth, as reads and writes use the same logic. During the daylight saving time switch, however, it causes a validation error in the database because nevisAuth tries to insert a time that does not exist. The database connection session now uses the UTC time zone to avoid this. Note that because of this change, OOCD entries and sessions will expire earlier by the time zone offset. If this is not acceptable, you can fix the data in the database like this:

        update nevisauth_out_of_context_data_service set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
        update TNSSA_AUTH_SESSION_CACHE set ABSTO = DATE_ADD(ABSTO, INTERVAL 2 HOUR);

    These statements assume Central European Time and that the data was created in summer time. (With winter time you have to add only 1 hour.) If you afterwards get an error like Unknown or incorrect time zone: 'UTC', your database did not have the time zone database initialized. In that case, run:

        mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p

    To verify the result, you can run SELECT * FROM mysql.time_zone_name;. Note that this only impacts you if you are upgrading from the java8 els versions or any rolling version >= 4.40.0.10. Upgrading from LTS21 is not impacted, as LTS21 does not have this issue yet; it was introduced in NEVISAUTH-4265. (NEVISAUTH-4650)
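A simplified model of the double conversion described in NEVISAUTH-4650, added here as an example that is not nevisAuth code. It assumes the old write path treated an already-UTC value as Central European local time and converted it to UTC again, and shows why summer rows lag by 2 hours, winter rows by 1 hour, and why a value inside the spring switch hour cannot be stored. Function names and sample instants are constructed for illustration.

```python
from datetime import datetime, timedelta

def last_sunday(year, month):
    """Last Sunday of March or October (both months have 31 days)."""
    day = datetime(year, month, 31)
    return day - timedelta(days=(day.weekday() + 1) % 7)

def cet_offset(utc):
    """UTC offset of Central European Time at a UTC instant (EU rule: switch at 01:00 UTC)."""
    start = last_sunday(utc.year, 3) + timedelta(hours=1)
    end = last_sunday(utc.year, 10) + timedelta(hours=1)
    return timedelta(hours=2 if start <= utc < end else 1)

def local_to_utc(wall_clock):
    """Read a naive value as Central European local time; None if that time never exists."""
    for hours in (1, 2):
        candidate = wall_clock - timedelta(hours=hours)
        if cet_offset(candidate) == timedelta(hours=hours):
            return candidate
    return None

def stored_before_fix(instant_utc):
    """Assumed old write path: the UTC value is taken as server-local time and converted again."""
    return local_to_utc(instant_utc)

def stored_after_fix(instant_utc):
    """With a UTC session time zone the value is stored unchanged."""
    return instant_utc

def hours_to_add(instant_utc):
    """Hours an old row lags once it is read with a UTC session; None if the old write failed."""
    old = stored_before_fix(instant_utc)
    if old is None:
        return None
    return int((stored_after_fix(instant_utc) - old).total_seconds() // 3600)

# Constructed sample expiry instants (UTC), not taken from a real database.
SAMPLES = {
    "summer": datetime(2024, 7, 1, 12, 0),
    "winter": datetime(2024, 1, 15, 12, 0),
    "spring switch": datetime(2024, 3, 31, 2, 30),
}

if __name__ == "__main__":
    for label, instant in SAMPLES.items():
        print(f"{label}: {instant} -> add {hours_to_add(instant)} hour(s)")
```
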

General Changes

  • FIXED: OAuth2 now only returns an error redirect when a valid redirect_uri is provided. (NEVISAUTH-4627)
  • FIXED: We made the encryption of the AccessToken work also for OAuth2. (NEVISAUTH-4630)
  • FIXED: We fixed corrupted SecToken generated by JWT Bearer Grant Authentication flow. (NEVISAUTH-4631)
  • FIXED: Getting BadConfigurationException when setting nevismeta.httpclient.authorization.basic.* properties. (NEVISAUTH-4520)
  • FIXED: The actorCert was not extracted from the HTTP request. (NEVISAUTH-4649)
  • FIXED: A public client without a client secret threw an exception during the token request. (NEVISAUTH-4691)
  • NEW: We support EC keys for JWKS. (NEVISAUTH-4515)
  • EXPERIMENTAL: We introduced the property openid.promptParameterSupported for using the prompt parameter in AuthorizationServer. (NEVISAUTH-4526)
  • UPGRADED: We upgraded the Angus activation third-party dependencies to version 2.0.2. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Angus mail third-party dependencies to version 2.0.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78. (NEVISAUTH-4641)
  • UPGRADED: We upgraded the Commons codec third-party dependency to version 1.16.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.21. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Guava third-party dependencies to version 33.1.0-jre. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0 (NEVISAUTH-4585)
  • UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 7.2405.0.x. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4585)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 7.0.0. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.34. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the nimbus oidc sdk third-party dependency to version 11.10.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0 (NEVISAUTH-4546)
  • UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.6. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the woodstox third-party dependency to version 6.6.2. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.4. (NEVISAUTH-4553)
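The check order behind the OAuth2 fixes NEVISAUTH-4627 above and NEVISAUTH-4978 in 7.2411.2.1, added here as an example that is not nevisAuth code: an error is sent by redirect only after both the client and its redirect_uri have been validated, otherwise it is shown locally so the endpoint cannot be used as an open redirector. The client registry, function names and return tuples are assumptions; the invalid_request value for a missing code_challenge follows RFC 7636.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed client registry; the client id and URI are placeholders.
CLIENTS = {
    "portal": {
        "redirect_uris": {"https://portal.example.test/cb"},
        "require_s256": True,
    },
}

def error_redirect(redirect_uri, error, state=None):
    """Append error (and state, if present) to an already validated redirect_uri."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("error", error)]
    if state is not None:
        query.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(query)))

def handle_authorization_request(params):
    """Return (action, detail); action is 'display', 'redirect' or 'continue'."""
    # 1. Unknown client: nothing in the request can be trusted, never redirect.
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        return ("display", "invalid client")

    # 2. The redirect_uri must exactly match a registered value before any redirect.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        return ("display", "invalid redirect_uri")

    # 3. Only now may protocol errors be reported to the client by redirect.
    state = params.get("state")
    if client["require_s256"]:
        if not params.get("code_challenge"):
            return ("redirect", error_redirect(redirect_uri, "invalid_request", state))
        if params.get("code_challenge_method") != "S256":
            return ("redirect", error_redirect(redirect_uri, "invalid_request", state))

    return ("continue", redirect_uri)

if __name__ == "__main__":
    # Constructed requests: unknown client, unregistered redirect_uri, empty code_challenge.
    for request in (
        {"client_id": "unknown", "redirect_uri": "https://other.example.test/"},
        {"client_id": "portal", "redirect_uri": "https://other.example.test/"},
        {"client_id": "portal", "redirect_uri": "https://portal.example.test/cb",
         "code_challenge": "", "state": "xyz"},
    ):
        print(handle_authorization_request(request))
```
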