Release notes
nevisFIDO 8.2411.0.13 - 20.11.2024
Changes and new features
Breaking changes
For non-docker-based setups, run the following SQL script to add the new database table column required for the extended FIDO UAF status service (NEVISFIDO-2145):
ALTER TABLE token_sessions
ADD COLUMN IF NOT EXISTS `dispatch_target_ext_id` VARCHAR(128) NULL;
General Changes
- DEPRECATED: The `ch.nevis.auth.fido.uaf.authenticators` variable written to the nevisAuth notes by the FidoUafAuthState and OutOfBandFidoUafAuthState is deprecated; use the `session` variable instead. (NEVISFIDO-2145)
- DEPRECATED: The `fido-uaf.metadata.polling-period` and `fido-uaf.policy.polling-period` properties are deprecated and will be removed in the 2025 May release, together with the mechanism to reload those configurations at runtime. (NEVISFIDO-2241)
- EXPERIMENTAL: Allow modifying the device ID in the device credential management endpoint. (NEVISFIDO-2140)
- CHANGED: The status service lists the UAF and generic dispatch target credential extIds for successful authentication operations. (NEVISFIDO-2145)
- CHANGED: The FidoUafAuthState and OutOfBandFidoUafAuthState write the UAF and generic dispatch target credential extIds for a successful authentication operation to the current nevisAuth session. (NEVISFIDO-2145)
- NEW: Support of authenticators that can use different authentication algorithms. (NEVISFIDO-2145)
- NEW: Support additional checks for FIDO UAF Full Basic Attestations with Nevis Mobile Authentication SDK Android authenticators. (NEVISFIDO-2212)
- NEW: Authenticating during FIDO UAF with a disabled nevisIDM credential now returns UAF status code 1493. This only works on a server that connects to nevisIDM via its REST API, which requires the `credential-repository.rest-url` property to be set. (NEVISFIDO-2121)
- NEW: nevisFIDO is now capable of supporting both REST and SOAP connections towards nevisIDM at the same time (FIDO2 supports only REST, FIDO UAF supports REST and SOAP). (NEVISFIDO-2206)
- NEW: There is a new configuration property `fido-uaf.idm-connection-type` with the values `soap` and `rest` that defines which connection is used to connect to nevisIDM for FIDO UAF. (NEVISFIDO-2206)
- DEPRECATED: The SOAP connection towards nevisIDM will be removed in a future version, replaced by the REST API client. (NEVISFIDO-2206)
- NEW: Added a configuration option to allow-list certain FIDO2 authenticators via metadata. The allow-listing can be enabled by setting the `fido2.metadata.allow-listing-enabled` property to true. The allowed authenticators are configured via a metadata JSON file supplied in the configuration property `fido2.metadata.path`. (NEVISFIDO-2157)
- NEW: Added HTTP connection configuration options for REST nevisIDM connections in the credential repository. (NEVISFIDO-2056)
- NEW: Added the configuration options `proxy-user` and `proxy-password` for the FCM dispatcher to enable basic proxy authentication. They are used both for sending requests to FCM and for the Google OAuth2 endpoint used to acquire an access token. (NEVISFIDO-2108)
- FIXED: The HTTP client used to connect to the nevisIDM REST service and the Firebase Cloud Messaging service was in some cases incorrectly configured, limiting the maximum allowed connections per route to 5. The intended default of 50 is now properly used. (NEVISFIDO-2103)
- FIXED: Confusing error message when login information status cannot be updated. (NEVISFIDO-2091)
- FIXED: The registration and authentication response endpoints now correctly return UAF status code 1492 Unacceptable Authenticator in case the UAF policy does not allow the authenticator, instead of UAF status code 1498 Unacceptable Content. (NEVISFIDO-1940)
- FIXED: Signature and encryption keys are now compared as JSON in the device endpoints. This fixes a bug that broke the device service for iOS when multiple accounts are defined on a given device. (NEVISFIDO-2198)
- CHANGED: For backwards compatibility, FIDO UAF credentials do not use the key ID attribute (kid) in the comparison of encryption and signature keys, as new versions of the SDK do not provide it. (NEVISFIDO-2237)
- CHANGED: Errors occurring during the final challenge parameter validation in the authentication response service that result in UAF status code 1491 Request Invalid are now logged on ERROR level. This helps to identify configuration problems (such as an incorrect appID in the Facets configuration) more quickly. (NEVISFIDO-2099)
- CHANGED: nevisFIDO now updates the successful or failed login information in the generic dispatch target associated with the UAF credential used during the authentication operation. This makes it easier to find out when a user's "device" was last used for UAF authentication, as not all associated UAF credentials need to be searched. (NEVISFIDO-2088)
- CHANGED: We replaced the SOAP technology stack for nevisIDM connections. (NEVISFIDO-2056)
- REMOVED: The experimental JavaScript Login Application has been removed from the nevisFIDO client RPM. Preferred integration is via the nevisadmin-plugin-mobile-auth nevisAdmin 4 pattern. (NEVISFIDO-2194)
- UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Checker Framework third-party dependency to version 3.47.0. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Google-api-client third-party dependency to version 2.7.0. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Google-auth-library third-party dependency to version 1.25.0. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Guava third-party dependency to version 33.3.0-jre. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Jakarta-validation third-party dependency to version 3.1.0. (NEVISAUTH-2193)
- UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISFIDO-2193)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Nimbus third-party dependency to version 9.40. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.42.0. (NEVISFIDO-2193)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISFIDO-2193)
- UPGRADED: We upgraded the Spring-boot third-party dependency to version 3.3.4. (NEVISFIDO-2222)
- UPGRADED: We upgraded the Spring third-party dependencies to version 6.1.14. (NEVISFIDO-2222)
- UPGRADED: We upgraded the Webauthn4j api third-party dependency to version 0.26.0.RELEASE. (NEVISFIDO-2193)
nevisFIDO 8.2405.3.1 - 30.08.2024
Changes and new features
General Changes
- UPGRADED: We upgraded Apache CXF third-party dependencies to version 4.0.5. (NEVISFIDO-2167)
- UPGRADED: We upgraded Spring-boot third-party dependencies to version 3.2.9. (NEVISFIDO-2167)
nevisFIDO 8.2405.2.1 - 25.07.2024
Changes and new features
Breaking changes
General Changes
- CHANGED: We replaced the SOAP technology stack for nevisIDM connections. (NEVISFIDO-2056)
nevisFIDO 8.2405.1.1 - 26.06.2024
Changes and new features
Breaking changes
General Changes
- FIXED: The registration and authentication response endpoints now correctly return UAF status code 1492 Unacceptable Authenticator in case the UAF policy does not allow the authenticator, instead of UAF status code 1498 Unacceptable Content. (NEVISFIDO-1940)
- CHANGED: Errors occurring during the final challenge parameter validation in the authentication response service that result in UAF status code 1491 Request Invalid are now logged on ERROR level. This helps to identify configuration problems (such as an incorrect appID in the Facets configuration) more quickly. (NEVISFIDO-2099)
- FIXED: The HTTP client used to connect to the nevisIDM REST service and the Firebase Cloud Messaging service was in some cases incorrectly configured, limiting the maximum allowed connections per route to 5. The intended default of 50 is now properly used. (NEVISFIDO-2103)
- FIXED: FIDO2 credentials that were not active in the credential repository were not being excluded during the authentication ceremony. (NEVISFIDO-2110)
nevisFIDO 8.2405.0.2 - 15.05.2024
Changes and new features
- NEW: nevisFIDO supports the Password Authenticator in the metadata and policy files. A new default policy file has been added to allow only the password authenticator to be used. (NEVISFIDO-2040)
Breaking changes
- CHANGED: The `PublicKeyCredentialOptions` stored in the FIDO2 session (webauthn_sessions) changed its format. Because of the serialisation used, it is not backward compatible: ongoing registration or authentication ceremonies (started before upgrading) will fail. (NEVISFIDO-2006)
- REMOVED: RHEL8 Linux is no longer supported; it is superseded by RHEL9. RHEL8 is still supported on 7.2405.x (LTS24). (NEVISAUTH-4667)
- FIXED: The session store incorrectly stored time data in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when one hour disappears from local time. The MariaDB JDBC driver defaulting to the server timezone caused a double conversion from the local timezone to UTC. Normally this does not cause any issue for nevisFIDO, as reads and writes use the same logic. During the daylight saving time switch, however, it causes a validation error at the database, because we try to insert a local time that does not exist. The database connection session now uses the UTC timezone to avoid this. Note that because of this change, existing sessions will expire earlier by the timezone offset. If this is not acceptable, you can fix the data in the DB like this:
UPDATE uaf_sessions SET reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR);
UPDATE token_sessions SET reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated = DATE_ADD(status_updated, INTERVAL 2 HOUR);
UPDATE webauthn_sessions SET reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR), created = DATE_ADD(created, INTERVAL 2 HOUR), status_updated_at = DATE_ADD(status_updated_at, INTERVAL 2 HOUR);
UPDATE jws_requests SET reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
These statements assume Central European Time and that the data was created in summer time (with winter time you have to add only 1 hour). If you get an error like `Unknown or incorrect time zone: 'UTC'` afterwards, your database does not have the time zone database initialized. You have to run `mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p`; to verify the result, run `SELECT * FROM mysql.time_zone_name;`. Note that this only impacts you if you are upgrading from the Java 8 ELS versions or any rolling version >= 2.4.0.7. Upgrading from LTS21 is not impacted, as LTS21 does not have this issue; it was introduced in NEVISFIDO-1817. (NEVISFIDO-2080)
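The double-conversion failure described in this item, modelled as an added Python example (not nevisFIDO's or the MariaDB driver's code): a UTC timestamp whose wall-clock part is re-read as server-local time lands in the spring-forward gap and has no valid local representation, whereas a UTC session timezone stores it unchanged. The Europe/Zurich server timezone, the instants used, and the simplified model of the driver's behaviour are assumptions.

```python
"""DST gap illustration for the MariaDB timezone fix (NEVISFIDO-2080).

Constructed model, not nevisFIDO or MariaDB Connector/J code: nevisFIDO
hands a UTC timestamp to the driver; the driver, defaulting to the server
timezone (assumed Europe/Zurich), re-reads the wall-clock part as local
time and converts it to UTC again. On the spring-forward night the local
hour 02:00-03:00 does not exist, so such a value is rejected by the database.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
from zoneinfo import ZoneInfo

SERVER_TZ = ZoneInfo("Europe/Zurich")  # assumed server timezone


def exists_in_zone(wall: datetime, tz: ZoneInfo) -> bool:
    """True if the naive wall-clock time exists in tz.

    A time inside a DST gap does not survive a local -> UTC -> local round
    trip (Python resolves the gap to the post-transition offset), which is
    how the gap is detected here.
    """
    local = wall.replace(tzinfo=tz)
    round_trip = local.astimezone(timezone.utc).astimezone(tz)
    return round_trip.replace(tzinfo=None) == wall


def buggy_driver_write(utc_instant: datetime, tz: ZoneInfo) -> Optional[datetime]:
    """Model of the old behaviour: the wall clock of a UTC value is re-read as tz-local.

    Returns the UTC value the driver would store (shifted by the zone offset),
    or None when the wall-clock time does not exist in tz, i.e. the insert
    the database rejects during the DST switch.
    """
    wall = utc_instant.replace(tzinfo=None)  # the driver ignores the UTC offset
    if not exists_in_zone(wall, tz):
        return None
    return wall.replace(tzinfo=tz).astimezone(timezone.utc)


def fixed_driver_write(utc_instant: datetime) -> datetime:
    """Model of the new behaviour: session timezone UTC, value stored as is."""
    return utc_instant.astimezone(timezone.utc)


def repair_offset_hours(stored_utc: datetime, tz: ZoneInfo) -> int:
    """Hours the release-note DATE_ADD repair must add for a row written while
    tz was at the given offset (2 in CET summer time, 1 in winter)."""
    offset = stored_utc.astimezone(tz).utcoffset()
    return int(offset / timedelta(hours=1))


def demo() -> dict:
    """Run the constructed scenario and return plain values for checking."""
    # Constructed instants: one inside the 2024 spring-forward gap, one in
    # summer and one in winter.
    in_gap = datetime(2024, 3, 31, 2, 30, tzinfo=timezone.utc)
    summer = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)
    winter = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    old_summer = buggy_driver_write(summer, SERVER_TZ)
    return {
        # the old path cannot store the gap instant at all
        "gap_rejected_by_old_driver": buggy_driver_write(in_gap, SERVER_TZ) is None,
        # the UTC session stores it verbatim
        "gap_stored_with_utc_session": fixed_driver_write(in_gap).isoformat(),
        # the old path shifted stored values by the zone offset, which is why
        # sessions expire earlier after the fix and why DATE_ADD repairs them
        "old_driver_shift_hours": int((summer - old_summer) / timedelta(hours=1)),
        "repair_hours_summer": repair_offset_hours(summer, SERVER_TZ),
        "repair_hours_winter": repair_offset_hours(winter, SERVER_TZ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```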
General Changes
- UPGRADED: We upgraded the Apache Http Client third-party dependencies to version 5.3.1. (NEVISFIDO-2006)
- UPGRADED: We upgraded the Apache Http Core third-party dependencies to version 5.2.4. (NEVISFIDO-2006)
- UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78. (NEVISFIDO-2062)
- UPGRADED: We upgraded the google-api-client third-party dependency to version 2.4.0. (NEVISFIDO-2006)
- UPGRADED: We upgraded the google-auth-library third-party dependency to version 1.23.0. (NEVISFIDO-2006)
- UPGRADED: We upgraded the guava third-party dependency to version 33.1.0-jre. (NEVISFIDO-2006)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISFIDO-2006)
- UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x. (NEVISFIDO-2006)
- UPGRADED: We upgraded the Jakarta servlet api third-party dependency to version 6.0. (NEVISFIDO-2012)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.7. (NEVISFIDO-2012)
- UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1. (NEVISFIDO-2006)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.3. (NEVISFIDO-2006)
- UPGRADED: We upgraded the Opentelemetry api third-party dependency to version 1.37.0. (NEVISFIDO-2006)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.3. (NEVISFIDO-2017)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12. (NEVISFIDO-2006)
- UPGRADED: We upgraded the Spring-boot third-party dependency to version 3.2.4. (NEVISFIDO-2065)
- UPGRADED: We upgraded Spring third-party dependencies to version 6.1.6. (NEVISFIDO-2065)
- UPGRADED: We upgraded the Webauthn4j api third-party dependency to version 0.23.0.RELEASE. (NEVISFIDO-2006)
- UPGRADED: We upgraded the ZXing third-party dependency to version 3.5.3. (NEVISFIDO-2006)
- FIXED: UAF credential login information in nevisIdm was incorrectly updated for all UAF credentials of the user during authentication instead of only the credential used for the current authentication operation. (NEVISFIDO-2047)
nevisFIDO 7.2402.1.2 - 28.03.2024
Changes and new features
- FIXED: The dispatch target and the UAF credential were only linked for the first authenticator registration of a user, but not for additional ones. (NEVISFIDO-2043)
- FIXED: Session update operations did not check if the update was successful. (NEVISFIDO-2050)
- EXPERIMENTAL: The device credential management endpoint returns a WWW-Authenticate header in case of expired device signature. (NEVISFIDO-2028)
nevisFIDO 7.2402.0.3 - 21.02.2024
Breaking changes
- CHANGED: The minimum required nevisIDM Admin Service SOAP interface version was increased to `v1_46`. If a nevisFIDO instance is configured to support FIDO UAF, then the `credential-repository` section of its `nevisfido.yml` has to be updated: `admin-service-version` has to be set to `v1_46`, and in case the `administration-url` config parameter value defines a specific version in the URL, like `/nevisidm/services/v1_42/AdminService`, it has to be updated accordingly to `/nevisidm/services/v1_46/AdminService`. (NEVISFIDO-2000)
Changes and new features
- UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.16. (NEVISFIDO-1991)
- UPGRADED: We upgraded the Bouncy castle third-party dependency to version 1.77. (NEVISFIDO-1991)
- UPGRADED: We upgraded the checker-qual third-party dependency to version 3.42.0. (NEVISFIDO-1991)
- UPGRADED: We upgraded the commons-lang3 third-party dependency to version 3.14.0. (NEVISFIDO-1991)
- UPGRADED: We upgraded the Jackson third-party dependencies to version 2.16.1. (NEVISFIDO-1975)
- UPGRADED: We upgraded the jaxws-rt third-party dependency to version 4.0.2. (NEVISAUTH-4535)
- UPGRADED: We upgraded the Jetty third-party dependencies to version 11.0.19. (NEVISFIDO-1991)
- UPGRADED: We upgraded the google-auth-library third-party dependency to version 1.22.0. (NEVISFIDO-1991)
- UPGRADED: We updated the guava third-party dependency to version 33.0.0-jre. (NEVISFIDO-1991)
- UPGRADED: We upgraded the HikariCP third-party dependency to version 5.1.0. (NEVISFIDO-1991)
- UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.3.2. (NEVISFIDO-1991)
- UPGRADED: We upgraded the nimbus third-party dependency to version 9.37.3. (NEVISFIDO-2014)
- UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.1. (NEVISFIDO-1991)
- UPGRADED: We upgraded the spring-boot third-party dependency to version 3.1.8. (NEVISFIDO-1979)
- UPGRADED: We upgraded the webauthn4j third-party dependency to version 0.22.0.RELEASE. (NEVISFIDO-1975)
- NEW: nevisFIDO now stores the encoded `keyId` values of the authenticators of a successful FIDO UAF authentication in the session and exposes them over its Status service. (NEVISFIDO-1962)
- NEW: In case of successful authentication, both the `FidoUafAuthState` and the `OutOfBandFidoUafAuthState` now provide the FIDO UAF authenticators (`AAID` and `keyId`) to subsequent AuthStates in the `notes` object. (NEVISFIDO-1962)
- NEW: We added OpenTelemetry metrics listing the configured FIDO protocols for analytical purposes. (NEVISFIDO-1964)
- NEW: Supporting PostgreSQL version 15.4. (NEVISFIDO-2009)
- EXPERIMENTAL: We added a device credential management endpoint to nevisFIDO, which the Nevis Mobile Authentication SDK can use to manage dispatch targets and query ongoing out-of-band operations. See Device Service. (NEVISFIDO-1920) For non-docker based setups run the following SQL script to add the new database table columns:
ALTER TABLE token_sessions
ADD COLUMN IF NOT EXISTS `dispatch_target_id` VARCHAR(64) NULL,
ADD COLUMN IF NOT EXISTS `device_id` VARCHAR(128) NULL,
ADD COLUMN IF NOT EXISTS `out_of_band_payload` TEXT NULL,
ADD COLUMN IF NOT EXISTS `additional_information` TEXT NULL,
ADD INDEX IF NOT EXISTS `token_session_device_id_idx` (`device_id`, `status`)
;
nevisFIDO 7.2311.1.8 - 05.12.2023
- FIXED: nevisFIDO no longer sends push notifications to dispatch targets the user had disabled. (NEVISFIDO-1977)
nevisFIDO 7.2311.0.8 - 15.11.2023
Breaking changes
- REMOVED: We removed the jcan-log and jcan-optrace third-party dependencies. OpTrace logging is replaced by OpenTelemetry. (NEVISFIDO-1583)
- CHANGED: We switched the logging implementation from Logback to Log4j2. The logging configuration now must be named `/var/opt/nevisfido/<instance>/conf/logging.yml` (instead of logback.xml) and its content must be in the log4j2 YAML format.
- CHANGED: The new Jetty version used in nevisFIDO performs stricter validation of TLS connections: the SNI is checked against the hostname in the configured certificate. (NEVISFIDO-1921)
- CHANGED: `credential-repository.client-id` is now a mandatory configuration property representing the nevisIDM client. It replaces `credential-repository.client-name`. (NEVISFIDO-483)
- CHANGED: `credential-repository.rest-url` is now a mandatory configuration property for `credential-repository.type: nevisidm`. (NEVISFIDO-483)
Changes and new features
- UPGRADED: We upgraded the auto value third-party dependency to version 1.10.4. (NEVISFIDO-1583)
- UPGRADED: We upgraded the Bouncy castle third-party dependency to version 1.76. (NEVISFIDO-1583)
- UPGRADED: We upgraded the checker-qual third-party dependency to version 3.39.0. (NEVISFIDO-1583)
- UPGRADED: We upgraded the google-api-client third-party dependency to version 2.2.0. (NEVISFIDO-1583)
- UPGRADED: We upgraded the google-auth-library third-party dependency to version 1.20.0. (NEVISFIDO-1583)
- UPGRADED: We upgraded the guava third-party dependency to version 32.1.3-jre. (NEVISFIDO-1583)
- UPGRADED: We upgraded the hibernate-validator third-party dependency to version 8.0.0.Final. (NEVISFIDO-1583)
- UPGRADED: We upgraded the HikariCP third-party dependency to version 5.0.1. (NEVISFIDO-1583)
- UPGRADED: We upgraded the jackson third-party dependencies to version 2.15.3. (NEVISFIDO-1583)
- UPGRADED: We upgraded the jakarta-validation third-party dependency to version 3.0.2. (NEVISAUTH-4089)
- UPGRADED: We upgraded to the new jcan-sectoken version. (NEVISFIDO-1583)
- UPGRADED: We upgraded the jetty third-party dependencies to version 11.0.17. (NEVISFIDO-1921)
- UPGRADED: We upgraded the mariadb-java-client third-party dependency to version 3.2.0. (NEVISFIDO-1583)
- UPGRADED: We upgraded the nimbus third-party dependency to version 9.37. (NEVISFIDO-1583)
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.9. (NEVISFIDO-1583)
- UPGRADED: We upgraded the spring-boot third-party dependency to version 3.1.4. (NEVISFIDO-1583)
- UPGRADED: We upgraded the webauthn4j third-party dependency to version 0.21.7.RELEASE. (NEVISFIDO-1583)
- UPGRADED: We upgraded the xmlbeans third-party dependency to version 5.1.1. (NEVISFIDO-1583)
- UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.3. (NEVISFIDO-1939)
- NEW: nevisFIDO now records in nevisIDM the success or failure of a FIDO2 Authentication ceremony as login information for the used credential. (NEVISFIDO-483)
- NEW: nevisFIDO now records the success or failure of a FIDO UAF Authentication operation as login information for the used credential in nevisIDM. (NEVISFIDO-1930)
- CHANGED: We now set the `java.io.tmpdir` system property by default to `/var/opt/nevisfido/<instance>/tmp`; Jetty requires it at runtime when nevisFIDO is started. Originally the system /tmp folder was used for this purpose; however, in some cases a system cleanup job deletes the Jetty-prefixed directories, which causes nevisFIDO to return errors. (NEVISAUTH-4461)
- NEW: A new configuration property `display-name-source` has been added to the FIDO2 configuration block, so integrators can better influence which property of the user is displayed during ceremonies. (NEVISFIDO-1913)
- NEW: Added RHEL 9 support. (NEVISAUTH-4421)
- NEW: First release of a test client library to support load testing of nevisFIDO UAF ceremonies with Gatling. The related `nevisFIDO-test-client-core` and `nevisFIDO-test-client-gatling` Java artifacts are released as ZIP archives. (NEVISFIDO-1902)
nevisFIDO 2.4.1.1 - 28.08.2023
Changes and new features
- FIXED: We removed an SQL statement from the nevisFIDO code which was incompatible with the older MariaDB version 10.3. Having the script there was a mistake, as the automatic DB schema creation supports setting up the database from scratch. In non-Kubernetes-based setups, any later patches must be applied manually from the release notes here. Note that the ALTER privilege may not have been granted to your schema user so far. In this case, execute `GRANT CREATE, ALTER ON nevisfido.* TO 'schema-user'@'localhost';` (with the appropriate username and host). The release notes of 2.4.0.7 originally did not contain the alter table script for the UAF policy column; it has now been added. For non-Kubernetes-based setups, here is the script if you have not run it yet: (NEVISFIDO-1912)
ALTER TABLE uaf_sessions
ADD COLUMN IF NOT EXISTS `policy` VARCHAR(128) NULL AFTER `user_id`;
nevisFIDO 2.4.0.7 - 16.08.2023
Breaking changes
- FIXED: We fixed the incorrectly stored system default timezone timestamps in the database. After the fix, only UTC timestamps are stored. Existing data can be migrated with the following script if required (in case your nevisFIDO instance was NOT running in UTC, or existing sessions are required to stay consistent). Replace the timezone in the script with the one nevisFIDO was running in! When you check the data, note that mysql or any other client will convert timestamps to the timezone of the session. So in order to see the UTC timestamp values in your SQL client, you have to change your client's session timezone to UTC in the current session: SET @@session.time_zone = '+00:00';. (NEVISFIDO-1817)
UPDATE uaf_sessions SET created = CONVERT_TZ(created, 'Europe/Zurich', 'UTC'), status_updated = CONVERT_TZ(status_updated, 'Europe/Zurich', 'UTC'), reap_timestamp = CONVERT_TZ(reap_timestamp, 'Europe/Zurich', 'UTC');
UPDATE token_sessions SET created = CONVERT_TZ(created, 'Europe/Zurich', 'UTC'), status_updated = CONVERT_TZ(status_updated, 'Europe/Zurich', 'UTC'), reap_timestamp = CONVERT_TZ(reap_timestamp, 'Europe/Zurich', 'UTC');
UPDATE webauthn_sessions SET created = CONVERT_TZ(created, 'Europe/Zurich', 'UTC'), status_updated_at = CONVERT_TZ(status_updated_at, 'Europe/Zurich', 'UTC'), reap_timestamp = CONVERT_TZ(reap_timestamp, 'Europe/Zurich', 'UTC');
- FIXED: Session creation time was incorrectly overwritten during updates because of the MariaDB behaviour defined here. For non-docker-based setups, the following script should be run manually:
ALTER TABLE uaf_sessions MODIFY COLUMN `created` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE uaf_sessions MODIFY COLUMN `status_updated` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE uaf_sessions MODIFY COLUMN `reap_timestamp` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE token_sessions MODIFY COLUMN `created` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE token_sessions MODIFY COLUMN `status_updated` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE token_sessions MODIFY COLUMN `reap_timestamp` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE webauthn_sessions MODIFY COLUMN `created` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE webauthn_sessions MODIFY COLUMN `status_updated_at` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
ALTER TABLE webauthn_sessions MODIFY COLUMN `reap_timestamp` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
- FIXED: An unknown username received across the nevisFIDO APIs is now handled uniformly, returning either `HTTP 403 Forbidden`, UAF statusCode 1403, or, in case of dispatching, the new `dispatchResult` value `userNotFound`. (NEVISFIDO-1889)
- CHANGED: The loginId of the user is now stored in WebAuthn sessions in the database. (NEVISFIDO-1877) For non-docker-based setups, the following script should be run manually:
ALTER TABLE webauthn_sessions
ADD COLUMN login_id VARCHAR(300) NULL;
- CHANGED: The `user_name` column, which holds the loginId from nevisIDM, now supports up to 300 characters. The `error_message` column is changed to a dynamically sized text type, which allows larger error messages to be stored in the session. (NEVISFIDO-1873) For non-docker-based setups, the following script should be run manually:
ALTER TABLE webauthn_sessions
MODIFY COLUMN user_name VARCHAR(300),
MODIFY COLUMN error_message TEXT;
- NEW: The user agent information for the FIDO UAF dispatch targets is now stored in nevisIDM using the custom property `fidouaf_user_agent` upon creation or modification of the dispatch target. This custom property is new; make sure it exists in nevisIDM. The latest nevisIDM migration scripts contain it. (NEVISFIDO-1829)
- FIXED: Unknown object and array properties in incoming JSON payloads are now properly ignored upon parsing. Additionally, the nested properties of unknown JSON objects and arrays are no longer logged. (NEVISFIDO-1908)
- NEW: nevisFIDO supports multiple policies. Refer to the concept guide for additional details. For non-Kubernetes-based setups, the following script should be manually run: (NEVISFIDO-1843)
ALTER TABLE uaf_sessions
ADD COLUMN IF NOT EXISTS `policy` VARCHAR(128) NULL AFTER `user_id`;
Changes and new features
- UPGRADED: We updated the Checker Framework third-party dependency to version 3.36.0. (NEVISFIDO-1871)
- UPGRADED: We updated the commons-io third-party dependency to version 2.13.0. (NEVISFIDO-1871)
- UPGRADED: We updated the Google-auth-library-oauth2-http third-party dependency to version 1.19.0. (NEVISFIDO-1871)
- UPGRADED: We updated the Guava third-party dependency to version 32.1.1-jre. (NEVISFIDO-1871)
- UPGRADED: We updated the Jackson third-party dependency to version 2.15.2. (NEVISFIDO-1871)
- UPGRADED: We updated the Jaxb third-party dependency to version 2.3.6. (NEVISFIDO-1871)
- UPGRADED: We upgraded Spring Boot third-party dependencies to version 2.7.14. (NEVISFIDO-1871)
- FIXED: Special characters (á, é, etc.) in userFriendlyName caused the creation of the FIDO2 credential in nevisIDM to fail. (NEVISFIDO-1865)
- FIXED: Sending push notifications is no longer attempted via FCM when the push notification is disabled. (NEVISFIDO-1879)
- NEW: nevisFIDO supports the Device Passcode Authenticator. (NEVISFIDO-1896)
- EXPERIMENTAL: Introduced support for PostgreSQL 15.0-15.3 databases for the session repository. (NEVISFIDO-1910)
nevisFIDO 2.3.1.0 - 05.06.2023
Changes and new features
- FIXED: Special characters (á, é, etc.) in userFriendlyName caused the creation of the FIDO2 credential in nevisIDM to fail. (NEVISFIDO-1865)
nevisFIDO 2.3.0.8 - 17.05.2023
Breaking changes
- REMOVED: We removed the `vmargs` legacy command from the administrative CLI. Use `nevisfido <instance> config env` to configure the `JAVA_OPTS`. (NEVISAUTH-3134)
- UPGRADED: We upgraded the mariadb-java-client third-party dependency to version 3.1.2. In case you used configuration parameters in the JDBC URL, check the removed options here. Another notable difference is that the driver no longer sets certain properties, including autocommit; check your database configuration and add `?autocommit=true` to your connection URL if needed. The new driver also allows better logging options, see here. This release note was missing from the 2022 August release. (NEVISFIDO-1769)
- CHANGED: We greatly simplified the username mapping in nevisFIDO to avoid integration pitfalls and potential use-case errors. The `credential-repository.username-mapper` configuration block is now replaced by the single property `user-attribute`.
Changes and new features
- FIXED: The `nevisfido-server` CLI did not properly parse multiple options specified in the `JAVA_OPTS`. (NEVISFIDO-1786)
- FIXED: Dispatch token issue with push dispatching in the `OutOfBandFidoUafAuthState`, where the `dispatcher` property was set as an auth state property but the `dispatchTargetId` was not provided. (NEVISFIDO-1855)
- UPGRADED: We updated the Checker Framework third-party dependency to version 3.32.0. (NEVISFIDO-1833)
- UPGRADED: We updated the Jackson third-party dependency to version 2.15.0. (NEVISFIDO-1761)
- UPGRADED: We updated the Google-api-client third-party dependency to version 2.2.0. (NEVISFIDO-1833)
- UPGRADED: We updated the Google-auth-library-oauth2-http third-party dependency to version 1.16.1. (NEVISFIDO-1833)
- UPGRADED: MariaDB jdbc driver third party dependency is updated to version 3.1.3. (NEVISFIDO-1833)
- UPGRADED: We updated the Nimbus-jose-jwt third-party dependency to version 9.31. (NEVISFIDO-1833)
- UPGRADED: We upgraded Snakeyaml third-party dependencies to version 2.0. (NEVISFIDO-1761)
- UPGRADED: We upgraded Spring Boot third-party dependencies to version 2.7.11. (NEVISFIDO-1844)
- UPGRADED: We upgraded Spring third-party dependencies to version 5.3.27. (NEVISFIDO-1833)
- UPGRADED: We updated the Webauthn4j third-party dependency to version 0.21.1.RELEASE. (NEVISFIDO-1833)
- UPGRADED: We updated the Woodstox-core third-party dependency to version 6.5.1. (NEVISFIDO-1844)
- NEW: The Fido2AuthState now supports usernameless authentication. Note, that this is not yet supported in the Admin4 patterns. (NEVISFIDO-1789)
nevisFIDO 2.2.1.0 - 17.05.2023
- FIXED: Dispatch token issue with push dispatching in the `OutOfBandFidoUafAuthState`, where the `dispatcher` property was set as an auth state property but the `dispatchTargetId` was not provided. (NEVISFIDO-1855)
nevisFIDO 2.2.0.8 - 15.02.2023
Breaking changes
- CHANGED: The nevisFIDO AuthStates delivered in the nevisfidocl package use the HttpClient introduced in nevisAuth. This means that the configuration of the key material for the AuthStates has changed.
  - Instead of `trustStoreRef` use `httpclient.tls.trustStoreRef`.
  - Instead of `keyStoreRef` and `keyObjectRef` use `httpclient.tls.keyObjectRef`. If the previous `keyObjectRef` was unique, you can drop the value in `keyStoreRef`. Otherwise, use the value in the new property like the following: `value of keyStoreRef/value of keyObjectRef`
  - Instead of
Changes and new features
- NEW: The OutOfBandFidoUafAuthState now supports the Usernameless Authentication scenario. We recommend configuration of this use case using nevisAdmin4 patterns. (NEVISFIDO-1765)
- FIXED: The session reaper no longer fails with an `ERROR_REAPING_SESSIONS_FROM_SQL_STORAGE` error when FIDO2 is not configured. (NEVISFIDO-1748)
- UPGRADED: We upgraded Apache HttpClient third-party dependencies to version 5.2.1. (NEVISFIDO-1735)
- UPGRADED: We upgraded jcan-sectoken to not use jcan-commons. jcan-commons is no longer shipped. (NEVISAUTH-3861)
- UPGRADED: We upgraded Spring Boot third-party dependencies to version 2.7.7. (NEVISFIDO-1734)
- UPGRADED: We updated the Checker Framework third-party dependency to version 3.29.0. (NEVISFIDO-1734)
- UPGRADED: We updated the Jackson third-party dependency to version 2.14.1. (NEVISFIDO-1734)
- UPGRADED: We updated the Google-autovalue third-party dependency to version 1.10.1. (NEVISFIDO-1734)
- UPGRADED: We updated the Google-api-client third-party dependency to version 2.1.3. (NEVISFIDO-1734)
- UPGRADED: We updated the Google-auth-library-oauth2-http third-party dependency to version 1.14.0. (NEVISFIDO-1734)
- UPGRADED: We updated the Nimbus-jose-jwt third-party dependency to version 9.29. (NEVISFIDO-1734)
- UPGRADED: We updated the SnakeYaml third-party dependency to version 1.33. (NEVISFIDO-1734)
- UPGRADED: We updated the Webauthn4j third-party dependency to version 0.20.7.RELEASE. (NEVISFIDO-1734)
- UPGRADED: We updated the Woodstox-core third-party dependency to version 6.5.0. (NEVISFIDO-1758)
- UPGRADED: We updated the ZXing third-party dependency to version 3.5.1. (NEVISFIDO-1734)
- REMOVED: We removed the internal dependency to nevis-i18n. (NEVISFIDO-1722)
nevisFIDO 2.1.1.2 - 24.11.2022
Changes and new features
- FIXED: The nevisIDM user lookup was broken when using FIDO UAF only in the configuration. This use case connects to nevisIDM using the SOAP interface, where the detail level was incorrectly set to exclude. The detail level is now reset to low to fix the issue. (NEVISFIDO-1742)
nevisFIDO 2.1.0.3 - 16.11.2022
Changes and new features
- UPGRADED: We upgraded Spring Boot third-party dependencies to version 2.7.3. (NEVISFIDO-1707)
- UPGRADED: We updated the Checker Framework third-party dependency to version 3.25.0. (NEVISFIDO-1707)
- UPGRADED: We updated the Jackson third party dependency to version 2.13.4. (NEVISFIDO-1707)
- UPGRADED: We updated the Google-api-client third-party dependency to version 2.0.0. (NEVISFIDO-1687)
- UPGRADED: We updated the Google-auth-library-oauth2-http third-party dependency to version 1.11.0. (NEVISFIDO-1707)
- UPGRADED: We updated the Nimbus-jose-jwt third-party dependency to version 9.25. (NEVISFIDO-1707)
- UPGRADED: We updated the Webauthn4j third-party dependency to version 0.20.3.RELEASE. (NEVISFIDO-1707)
- UPGRADED: We updated the SnakeYaml third party dependency to version 1.32. (NEVISFIDO-1707)
- FIXED: The client-id of the credential-repository is now parsed as a string, instead of as an integer. (NEVISFIDO-1715)
- FIXED: We decreased the detail level of the username lookup query to nevisIDM using `username-mapper`. The fix affects UAF only and provides a performance increase on the nevisIDM side. (NEVISFIDO-1665)
- FIXED: The double query of nevisIDM credentials in case of UAF authentication is now reduced by request-scoped caching. (NEVISFIDO-1673)
- FIXED: The expected position of `extId` inside `username-mapper` in the configuration is now validated at startup time. (NEVISFIDO-1701)
- FIXED: From now on, no REST query is sent to nevisIDM to look up the `extId` if an empty or missing username is received from the client in the JSON request. (NEVISFIDO-1701)
nevisFIDO 2.0.1.6 - 17.08.2022
Changes and new features
Breaking changes
- NEW: FIDO2 is now supported by the component. For more information, see Nevis FIDO2 / WebAuthn Concept and Integration Guide.
- NEW: FIDO2 uses the nevisIDM REST API; configure the `rest-url` property for the credential-repository.
  - FIDO UAF still uses the SOAP endpoint, which requires `administration-url` to be configured.
- CHANGED: Configuring FIDO2 and FIDO UAF leads to the following changes in the nevisFIDO instance configuration YAML file:
  - Both the `fido2` and `fido-uaf` blocks have a Boolean property `enabled`.
    - For backwards compatibility, the change for `fido-uaf` is not mandatory: if the `enabled` property is missing, the deciding factor is whether the `fido-uaf` configuration block is present.
  - The top-level configuration block `authorization` is now present under the `fido-uaf` and `fido2` blocks.
  - The top-level configuration block `dispatchers` is now present under the `fido-uaf` block.
  - Instead of the deprecated top-level configuration block `dispatch-target-repository`, use `credential-repository`.
- UPGRADED: We upgraded the mariadb-java-client third-party dependency to version 3.1.2. In case you used configuration parameters in the JDBC URL, check the removed options here. Another notable difference is that the driver no longer sets certain properties, including autocommit: check your database configuration and add `?autocommit=true` to your connection URL if needed. The new driver also allows better logging options, see here. (NEVISFIDO-1769)
General
- UPGRADED: Jackson third party dependencies are upgraded to version 2.13.3. (NEVISFIDO-1623)
- UPGRADED: Jetty third party dependencies are upgraded to version 9.4.48.v20220622. (NEVISFIDO-1657)
- UPGRADED: Google-api-client third party dependency is updated to version 1.35.2. (NEVISFIDO-1623)
- UPGRADED: Checker framework third party dependency is updated to version 3.22.2. (NEVISFIDO-1623)
- UPGRADED: Nimbus third party dependency is updated to version 9.23. (NEVISFIDO-1623)
- UPGRADED: Google-auth-library-oauth2-http third party dependency is updated to version 1.8.0. (NEVISFIDO-1623)
- UPGRADED: Zxing third party dependency is updated to version 3.5.0. (NEVISFIDO-1623)
- FIXED: The facet configuration property is now not incorrectly logged as unknown. (NEVISFIDO-1631)
- FIXED: The admin CLI now correctly lists instances located in a symlink directory. (NEVISFIDO-1635)
- FIXED: Component version in jar manifest files and logs. (NEVISFIDO-1662)
nevisFIDO 1.18.0.4 - 18.05.2022
Breaking changes
- DEPRECATED: The configuration property dispatch-target-repository is no longer parsed by the server. The configuration of credential-repository is used as the configuration of the dispatch target repository instead. (NEVISFIDO-1444)
We removed the dispatch-target-repository entry because separate configurations for the dispatch and credential repositories provide no added value. You can safely remove the dispatch-target-repository entry in the configuration YAML file completely; the credential-repository configuration block is then used. If you keep the dispatch-target-repository, the configuration is ignored and a warning is logged.
- CHANGED: To address a potential performance bottleneck, we removed the dynamic reloading of the policy JSON configuration file. As a result, a nevisFIDO instance requires restart after changing the policy file. This is classified as a breaking change compared to previous behavior. The feature was not actively used, as nevisAdmin 4 and Kubernetes-based deployments restart the component after a configuration change. (NEVISFIDO-1591)
General
- FIXED: nvluser, nvbuser, and members of the nevisadmin group could not use the nevisAuth Admin CLI commands. The issue is now fixed. (NEVISFIDO-1577)
- UPGRADED: Spring-boot third party dependency is updated to version 2.6.7. (NEVISAUTH-3612)
- UPGRADED: Google-api-client third party dependency is updated to version 1.34.0. (NEVISFIDO-1555)
- UPGRADED: Guava third party dependency is updated to version 31.1-jre. (NEVISFIDO-1567)
- UPGRADED: Jackson third party dependencies are updated to version 2.13.2 and jackson-databind to 2.13.2.2. (NEVISFIDO-1567)
- UPGRADED: Auto-value third party dependency is updated to version 1.9. (NEVISFIDO-1567)
- UPGRADED: Checker framework third party dependency is updated to version 3.21.4. (NEVISFIDO-1567)
- UPGRADED: Reactive streams third party dependency is updated to version 1.0.3. (NEVISFIDO-1567)
- UPGRADED: Rx java third party dependency is updated to version 2.2.21. (NEVISFIDO-1567)
- UPGRADED: Nimbus third party dependency is updated to version 9.22. (NEVISFIDO-1567)
- UPGRADED: Apache http client third party dependency is updated to version 4.5.13. (NEVISFIDO-1567)
- UPGRADED: Bouncy castle third party dependency is updated to version 1.70. (NEVISFIDO-1567)
- UPGRADED: MariaDB jdbc driver third party dependency is updated to version 2.7.5. (NEVISFIDO-1567)
- UPGRADED: Google-auth-library-oauth2-http third party dependency is updated to version 1.6.0. (NEVISFIDO-1567)
- UPGRADED: Zxing third party dependency is updated to version 3.4.1. (NEVISFIDO-1567)
nevisFIDO 1.17.0.1 - 16.02.2022
Changes and new features
- CHANGED: The iOS push notification sent via Firebase explicitly requests the default sound to be played. This fixes an issue where no sound is played on iPhones upon receiving the authentication push message. (NEVISFIDO-1528)
nevisFIDO 1.16.0.8 - 17.11.2021
Changes and new features
- NEW: The default metadata and policy of nevisFIDO now contain the new Android Nevis Access App biometric authenticator, identified with AAID `F1D0#0003`.
nevisFIDO 1.15.0.3 - 18.08.2021
Changes and new features
- NEW: As of this release, jcan.Op logging is available in nevisFIDO. You can use the transaction ID (tID) to correlate log lines between nevisProxy, nevisIDM and nevisFIDO. To enable the jcan.Op logging, add the following snippet to the file `/var/opt/nevisfido/<instance>/conf/logback.xml`:
<logger name="jcan.Op" level="INFO" additivity="false">
<appender-ref ref="STDOUT" />
<appender-ref ref="FILE" />
</logger>
The next code snippet shows an example output:
2021-06-07 10:39:17,362 10170 [qtp1638631856-21] INFO jcan.Op 2 <<<<< rtCtx=defaultPackage/v1.0/defaultServerInstance, pCtx=7f000001/2995/6e4599c0, obj=ch.nevis.jcan.optrace.web.RequestContextFilter, mth=GET /nevisfido/uaf/1.1/facets, tID=01000000-11aaf5-7f0100-179e5a047fb-00000094, pri=<anonymous>, sC=OK, dT=46ms, usedMem=276562808, freeMem=270269576, cR=0, httpSC=200, clID
- CHANGED: From now on, the nevisFIDO API responds with the HTTP error code 405 Method Not Allowed when unsupported HTTP methods such as TRACE, HEAD and OPTIONS are used.
- FIXED: The link dispatcher of nevisFIDO did not properly handle Custom URL Schemes with x-callback-url query parameters in the generated links, such as x-success, x-error and x-cancel. This bug is now fixed.
- DEPRECATED: The Admin CLI command syntax is deprecated. The syntax will be standardized to match nevisAuth and nevisLogrend both in syntax and functionality with the November Rolling Release. For more information, see "Admin CLI and RPM Installation Changes in 11.2021 RR Release" on the NEVISDOC homepage. Note that the linked documentation does not mention the different syntax of nevisFIDO and its limited functionality.
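To show how the tID is used in practice, here is an added Python example (not part of nevisFIDO) that parses jcan.Op lines of the layout shown above into their fields, groups them by tID and flags transactions with a non-OK status, a non-2xx HTTP code or a slow dT, which are the ones worth looking up in the nevisProxy and nevisIDM logs. The sample lines, their tIDs, paths and timings are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed jcan.Op sample lines in the layout of the example output above;
# tIDs, paths, memory and timing values are made up. The last line is not a
# jcan.Op record and must be skipped by the parser.
SAMPLE_LOG = """\
2021-06-07 10:39:17,362 10170 [qtp1638631856-21] INFO jcan.Op 2 <<<<< rtCtx=defaultPackage/v1.0/defaultServerInstance, pCtx=7f000001/2995/6e4599c0, obj=ch.nevis.jcan.optrace.web.RequestContextFilter, mth=GET /nevisfido/uaf/1.1/facets, tID=01000000-11aaf5-7f0100-179e5a047fb-00000094, pri=<anonymous>, sC=OK, dT=46ms, usedMem=276562808, freeMem=270269576, cR=0, httpSC=200, clID=
2021-06-07 10:39:17,410 10170 [qtp1638631856-22] INFO jcan.Op 2 <<<<< rtCtx=defaultPackage/v1.0/defaultServerInstance, pCtx=7f000001/2995/6e4599c1, obj=ch.nevis.jcan.optrace.web.RequestContextFilter, mth=POST /nevisfido/uaf/1.1/constructed-path, tID=01000000-11aaf5-7f0100-179e5a047fb-00000094, pri=<anonymous>, sC=OK, dT=1350ms, usedMem=276562808, freeMem=270269576, cR=0, httpSC=200, clID=
2021-06-07 10:39:18,002 10170 [qtp1638631856-23] INFO jcan.Op 2 <<<<< rtCtx=defaultPackage/v1.0/defaultServerInstance, pCtx=7f000001/2995/6e4599c2, obj=ch.nevis.jcan.optrace.web.RequestContextFilter, mth=GET /nevisfido/uaf/1.1/facets, tID=01000000-11aaf5-7f0100-179e5a047fb-00000095, pri=<anonymous>, sC=ERROR, dT=12ms, usedMem=276562808, freeMem=270269576, cR=0, httpSC=500, clID=
2021-06-07 10:39:18,100 10170 [main] INFO ch.nevis.fido.Server Started nevisFIDO
"""

# timestamp, pid, [thread], level, "jcan.Op", op counter, "<<<<<", key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ \[[^\]]+\] (?P<level>\w+) jcan\.Op \d+ <<<<< (?P<fields>.*)$")


def parse_op_line(line: str):
    """Return the key=value fields of one jcan.Op line as a dict, or None
    if the line is not a jcan.Op record. dT is also exposed as int dT_ms."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "level": m.group("level")}
    for part in m.group("fields").split(", "):
        key, _, value = part.partition("=")
        rec[key] = value
    rec["dT_ms"] = int(rec["dT"].rstrip("ms")) if rec.get("dT") else None
    return rec


def group_by_tid(log_text: str) -> dict:
    """Group all jcan.Op records by transaction ID, in log order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_op_line(line)
        if rec and rec.get("tID"):
            groups[rec["tID"]].append(rec)
    return dict(groups)


def suspicious_tids(log_text: str, max_ms: int = 1000) -> list:
    """tIDs with a call whose sC is not OK, whose httpSC is not 2xx, or
    whose dT exceeds max_ms: the transactions to correlate across components."""
    flagged = set()
    for tid, recs in group_by_tid(log_text).items():
        for r in recs:
            if (r.get("sC") != "OK" or not r.get("httpSC", "").startswith("2")
                    or (r["dT_ms"] or 0) > max_ms):
                flagged.add(tid)
    return sorted(flagged)
```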
nevisFIDO 1.14.0.1 - 05.05.2021
Changes and new features
- NEW: There is a new configuration attribute: `fido-uaf.transaction-confirmation.max-text-length`.
The default value is "200" (characters), as defined in the FIDO specification. "200" is also the minimum value. The maximum value is "2000".
This new feature allows longer transaction confirmation messages than defined in the FIDO specification ("200"), because in some cases 200 characters may not be enough.
However, note that a maximum text length above "200" is beyond the FIDO specifications, which could lead to incompatibility with other systems. So before you set any other value than the default one, we recommend checking the documentation of the other components in the setup for compatibility.
- FIXED: When a user wanted to modify an existing dispatch target, and included the current name of this dispatch target in the modify dispatch target request, the system incorrectly returned an HTTP 422 error response. This bug has now been fixed.
nevisFIDO 1.13.0.1 - 08.02.2021
This is a technical release only.
Changes and new features
There are no changes or new features.