Release notes
nevisMeta 1.20.5.0 - 26.06.2024
Changes and new features
Breaking changes
General
- NEW: We added entity names to export warning messages. (NEVISMETA-2059)
nevisMeta 1.20.4.1 - 14.05.2024
Changes and new features
General
- NEW: We introduced the property expiredDataCleaningTolerance to configure the minimum time needed to delete data after expiration. (NEVISMETA-1976)
- NEW: We introduced the property responseCacheExpiry to configure the cache expiry for the GET Entities endpoint. (NEVISMETA-2009)
- FIXED: We fixed expired data cleanup to remove data in equal intervals defined by expiredDataCleaningInterval, instead of doing it once per day. (NEVISMETA-1976)
- FIXED: We fixed queries using a lot of resources when querying all entities. (NEVISMETA-2009)
- UPGRADED: We upgraded the spring third-party dependency to 5.3.34. (NEVISMETA-2016)
- UPGRADED: We upgraded the postgresql third-party dependency to 42.5.6. (NEVISMETA-2016)
- UPGRADED: We upgraded the jackson third-party dependency to 2.17.0. (NEVISMETA-2021)
nevisMeta 1.20.3.0 - 21.02.2024
This is a technical release.
Changes and new features
There are no changes or new features.
nevisMeta 1.20.2.0 - 11.12.2023
Changes and new features
General
- FIXED: Session cache contains only the mandatory information. (NEVISMETA-1973)
- PERFORMANCE: We introduced 3 new configuration properties (database.query.plan.cache.size, database.query.plan.metadata.size and database.query.clause.parameter.padding) to fine-tune Hibernate Query Cache size if it occupies too much space from the heap. (NEVISMETA-1962)
nevisMeta 1.20.1.0 - 15.11.2023
Changes and new features
Breaking changes
General
- PERFORMANCE: We improved the performance of client deletion. (NEVISMETA-1917)
- FIXED: We fixed the creation of a public client without a secret, with the token endpoint auth method set to NONE. (NEVISMETA-1928)
- REMOVED: We removed netty third-party dependency. (NEVISMETA-1937)
- UPGRADED: We upgraded the jetty third-party dependency to 9.4.53.v20231009. (NEVISMETA-1943)
- UPGRADED: We upgraded the org.json third-party dependency to 20231013. (NEVISMETA-1943)
nevisMeta 1.20.0.3 - 16.08.2023
Changes and new features
Breaking changes
- We removed some database configuration properties:
  - database.connection.host
  - database.connection.port
  - database.type
- We automatically guess the database type from database.connection.url instead of database.type.
General
- FIXED: We modified the CSS in order to display the checkbox properly for Require Pushed Authorization Request in Firefox. (NEVISMETA-1885)
- UPGRADED: We upgraded the guava third-party dependency to 32.0.1. (NEVISMETA-1906)
- UPGRADED: We upgraded the netty third-party dependency to 4.1.94.Final. (NEVISMETA-1906)
- NEW: We introduced new fields for client: Id Token signature algorithm, Id Token encryption algorithm, Id Token encryption method. (NEVISMETA-1903)
- NEW: We introduced new fields for scope in Resource Server: Custom claims mapping. (NEVISMETA-1913)
- EXPERIMENTAL: Introduced support for PostgreSQL 15.0-15.3 databases. (NEVISMETA-1887)
nevisMeta 1.19.1.1 - 05.06.2023
Changes and new features
General
- FIXED: We added back missing library for flyway command. (NEVISMETA-1896)
nevisMeta 1.19.0.1 - 17.05.2023
Changes and new features
General
- UPGRADED: We upgraded the autoValue third-party dependency to 1.10.1. (NEVISMETA-1871)
- UPGRADED: We upgraded the jacksonCore third-party dependency to 2.14.2. (NEVISMETA-1871)
- UPGRADED: We upgraded the guava third-party dependency to 31.1-jre. (NEVISMETA-1871)
- UPGRADED: We upgraded the flyway third-party dependency to 9.16.1. (NEVISMETA-1871)
- UPGRADED: We upgraded the jettison third-party dependency to 1.5.4. (NEVISMETA-1871)
- UPGRADED: We upgraded the spring third-party dependency to 5.3.27. (NEVISMETA-1877)
- UPGRADED: We upgraded the commons-fileupload third-party dependency to version 1.5. (NEVISMETA-1865)
- FIXED: We fixed the issue where nevisMeta sent new fields to the old endpoint response. (NEVISMETA-1875)
- FIXED: We fixed the response of the DCR client creation, now it shows the same client_id as shown on the UI. (NEVISMETA-1847)
- FIXED: We fixed the storing of the contacts field, now it is stored when creating a new client with the DCR endpoint. (NEVISMETA-1848)
- NEW: We introduced new property Require Pushed Authorization Request, RFC 9126. (NEVISMETA-1857)
- NEW: We introduced new field for client: Require Pushed Authorization Request. (NEVISMETA-1857)
- NEW: We added the option client_secret_post for tokenEndpointAuthMethod. (NEVISMETA-1858)
nevisMeta 1.18.1.0 - 18.04.2023
Changes and new features
General
- FIXED: The nevisMeta process can stop properly in case of OutOfMemoryError. (NEVISMETA-1867)
- FIXED: The issue that nevisMeta could not return the metadata entities to nevisAuth when the clients had multiple custom metadata attributes stored. (NEVISMETA-1869)
- FIXED: The issue that nevisMeta could not connect to MariaDB servers when server side certificate verification was enabled. (NEVISMETA-1861)
- CHANGED: To decrease the heap size, numeric parameters are also used as bind variables in Hibernate. This reduces the number of cached query plans. (NEVISMETA-1873)
nevisMeta 1.18.0.7 - 15.02.2023
Changes and new features
Breaking changes
- Response for client creation via REST V2 service is changed. The response now only contains the clientId.
- Property client.rest.creation.response.rfc has been removed.
General
- UPGRADED: We upgraded the Jackson third-party dependency to version 2.14.1. (NEVISMETA-1813)
- UPGRADED: We upgraded the Mariadb-java-client third-party dependency to version 3.1.0. (NEVISMETA-1813)
- UPGRADED: We upgraded the Flyway third-party dependency to version 9.8.3. (NEVISMETA-1813)
- UPGRADED: We upgraded Jettison to 1.5.3. (NEVISMETA-1825)
- UPGRADED: We upgraded Netty to 4.1.86.Final. (NEVISMETA-1825)
- UPGRADED: We upgraded Woodstox to 6.4.0. (NEVISMETA-1825)
- FIXED: We fixed the storing of fields (policy_uri, tos_uri, logo_uri), while doing update/create via REST API in metadata. Now the data can be stored/updated instead of only showing empty values. (NEVISMETA-1831)
- FIXED: We return the client secret only for admin users and for the user who created the client when getting the client information via REST API. (NEVISMETA-1817)
- NEW: We support MariaDB 10.6. (NEVISMETA-1822)
- NEW: We introduced a new REST endpoint for Dynamic Client Registration, RFC 7591 (NEVISMETA-1796)
- NEW: During the startup new Default Setup will be created if the schema does not contain any tables (NEVISMETA-1154)
- REMOVED: We removed the mysql-connector-java third-party dependency. (NEVISMETA-1813)
nevisMeta 1.17.0.1 - 16.11.2022
Changes and new features
General
- UPGRADED: We upgraded moment.js to 2.29.4. (NEVISMETA-1788)
- UPGRADED: We upgraded jackson to 2.13.4. (NEVISMETA-1792)
- UPGRADED: We upgraded jettison to 1.5.1. (NEVISMETA-1799)
- UPGRADED: We upgraded Ninja to 2.1.2.1. (NEVISMETA-1808)
- UPGRADED: We upgraded Primefaces to 12.0.0. (NEVISMETA-1790)
- FIXED: During client creation, jwks_uri is now expected as a URI, not only the prefix of jwks.json. (NEVISMETA-1759)
- NEW: We introduced the client.rest.match-certificate-with-jwks property to make the check between jwks or jwks_uri and the client certificate optional when creating a new client with the REST service. (NEVISMETA-1787)
- NEW: During item creation via REST, the error message of duplicated items gave too much information so it might cause a security issue. We have reduced the error message for duplicated items. (NEVISMETA-1794)
- REMOVED: Some Admin CLI commands are removed. For more information, see Admin CLI and RPM Installation Changes in 11.2021 RR Release. (NEVISMETA-1777)
- REMOVED: xstream is removed. (NEVISMETA-1798)
nevisMeta 1.16.0.1 - 17.08.2022
Changes and new features
Breaking changes
- Response for client creation via REST service is changed for RFC 7591. The response message change includes the following response types:
Notes: This is an experimental release for RFC 7591 - Dynamic Client Registration - compliance.
General
- UPGRADED: Spring is upgraded to 5.3.20. (NEVISMETA-1747)
- UPGRADED: moment.js is upgraded to 2.29.3. (NEVISMETA-1738)
- UPGRADED: handlebars.js is upgraded to 4.7.7. (NEVISMETA-1742)
- UPGRADED: angularjs is upgraded to 1.8.2. (NEVISMETA-1743)
- UPGRADED: Jetty is upgraded to 9.4.48.v20220622. (NEVISMETA-1766)
- UPGRADED: ninja is upgraded to 2.1.1.1. (NEVISMETA-1773)
- NEW: There is a new property available for client authentication in TLS settings: server.tls.client-auth. This property is the successor of the property server.tls.require-client-auth. It provides the options "required", "requested", and "disabled". The old property server.tls.require-client-auth is deprecated but remains backwards compatible. If you use the new property server.tls.client-auth, the system ignores the property server.tls.require-client-auth and logs a warning. (NEVISMETA-1529)
- NEW: We introduced new fields for client: JWKS, JWKS URI, Logo URI, ToS URI, Policy URI, Token Endpoint Auth Method. (NEVISMETA-1722)
- NEW: When exporting a client or resource server with the option Export state at specific date, the dates in the dropdown are sorted. (NEVISMETA-1593)
- NEW: We adapted the REST service response message for client creation for RFC 7591 compliance. (NEVISMETA-1726)
- NEW: We introduced the property client.rest.creation.response.rfc for backward compatibility. (NEVISMETA-1726)
nevisMeta 1.15.0.3 - 17.05.2022
Changes and new features
Breaking changes
- CHANGED: The previous bc and jcan-log logging using log4j1 is replaced by slf4j using log4j2. jcan-log is now only used by the jcan-optrace, which relies on the slf4j implementation of jcan-log (NEVISMETA-1702).
Log4j2 uses a different configuration structure than log4j1, and they are not compatible. If you are not using nevisAdmin4, you have to migrate the logging configuration manually. Check the default template supplied in the RPM.
nevisMeta requires a logging.yml file in the instance config directory. If it is missing, or the file is incorrectly formatted, a default configuration will log into the stdout which can be viewed in the systemd journal.
- REMOVED: NevisSyslogAppender is no longer available. As a replacement we suggest SocketAppender. Reasons and an example can be found in the Logging configuration / Syslog section in the reference guide. (NEVISMETA-1702)
- NEW: The automatic reload of logging configuration is supported by using the monitorInterval property of Log4j2 (https://logging.apache.org/log4j/2.x/manual/configuration.html#ConfigurationSyntax). (NEVISMETA-1702)
General
- CHANGED: Ninja debug logs can be controlled by the tracegroup ch.nevis.ninja. There is no need to set the property server.auth.ninja.log-debug to enable ninja debug mode anymore. (NEVISMETA-1705)
- CHANGED: The location of the default temporary directory changed from /tmp to /var/opt/nevismeta/{instance_name}/tmp. (NEVISMETA-1719)
- UPGRADED: Xstream version is upgraded to 1.4.19.
- UPGRADED: Jackson is upgraded to 2.13.2. (NEVISMETA-1712)
- UPGRADED: Jackson-databind is upgraded to 2.13.2.2. (NEVISMETA-1712)
- UPGRADED: Guava is upgraded to 31.0.1-jre. (NEVISMETA-1714)
- UPGRADED: Jetty is upgraded to 9.4.45.v20220203. (NEVISMETA-1714)
- UPGRADED: Spring is upgraded to 5.3.19. (NEVISMETA-1730)
nevisMeta 1.14.0.0 - 16.02.2022
Changes and new features
Breaking changes
There are no breaking changes in this release.
General
- UPDATE: We improved the performance of client deletion with a huge number of refresh tokens and resource servers. (NEVISMETA-1676)
- CHANGED: We improved the handler and error message when an invalid database type is configured in the nevismeta.property file. (NEVISMETA-1490)
- CHANGED: JSF is upgraded to version 2.3.9. (NEVISMETA-1683)
- UPGRADED: Log4j version is upgraded to 1.2.17. (NEVISMETA-1691)
- REMOVED: The supplied log4j version 1.2.17 is patched to remove vulnerable classes org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class. (NEVISMETA-1691)
nevisMeta 1.13.0.0 - 17.11.2021
Changes and new features
Breaking changes
There are no breaking changes in this release.
General
- NEW: Added validation for redirectURIs of the clients on GUI and REST. Now redirectURIs cannot contain whitespace and fragment. (For more information see Configuration > OAuth 2.0 > Entities.)
nevisMeta 1.12.0.0 - 18.08.2021
Changes and new features
Breaking changes
- Moved an undocumented endpoint for getting a token in REST API V2 to a correct path and adapted the official documentation accordingly. This includes the following changes:
More information
For more information, see the chapter "Resources" in the nevisMeta reference guide.
General
- NEW: This release provides new REST endpoints for deleting refresh tokens. Both a user and an admin can now delete one token or all tokens of a user under one setup. For more information, see the chapter "Resources" in the nevisMeta reference guide.
- FIXED: When deleting a resource server with scopes configured as consent persisted, nevisMeta showed an error message and the resource server could not be deleted. This bug is now fixed.
- FIXED: The GUI did not show the validation for the duplication of the valid_from setting when you edited an entity (setup, resource server, client) with a validity in the future. This feature already existed in the REST API. This bug is now fixed.
nevisMeta 1.11.0.5 - 05.07.2021
Changes and new features
General
- FIXED: The bug that resulted in missing scopes from the client has been fixed. This bug happened when the maximum ID value was used to determine the newest active resource server states. Now the validity date is used instead of the ID.
nevisMeta 1.11.0.3 - 19.05.2021
Changes and new features
Breaking changes
- It is no longer possible to create scopes in a resource server whose name already exists in the same setup. This restriction is enforced during the creation and import of a scope (either via the REST API or the GUI). If the database already contains previously created duplicates, a warning message appears in the log file, allowing you to solve the conflict manually by renaming the duplicates.
General
- NEW: During the startup of a nevisMeta instance, the new Nevis logo is shown as ASCII art in nevismeta.log.
- NEW: When accessing nevisMeta via the REST API, clients can now authenticate with an X509 certificate only; authentication via nevisProxy is no longer necessary. The certificate must include the Role attribute, as nevisMeta requires roles to create/edit/modify certain data.
- FIXED: The shutdown of nevisMeta interrupted ongoing connections. From now on, once the stop command is executed, nevisMeta waits a maximum of 30 seconds until all connections are stopped, and then nevisMeta itself stops.
- FIXED: In case the client secret was empty, nevisMeta stored it as an empty string. From now on, nevisMeta stores an empty client secret as NULL.
- FIXED: When restoring a deleted future state, the default validity option was Valid immediately, which not only reset the state, but changed the date as well. The default is now Keep validity date as is. This change also corrects the behavior of the function Restore overrides future state changes, which erroneously restored past states as well.
- FIXED: Queries for a client via the REST API erroneously also returned inactive/deleted client scope names. This bug is fixed. Now, only the active scope names of a client are returned.
nevisMeta 1.10.0.0 - 17.02.2021
Changes and new features
General
- CHANGED: As of this release, it is possible to create clients with an empty grant_type and response_type via the REST API. Because of this change, the behavior of the REST API is now in line with that of the Web Console when creating a new client.
- FIXED: The bug where a resource server disappeared from its original setup after you exported and reimported the server into another setup.
- FIXED: The bug where responses in the REST API contained the Expires field twice. One of these fields was incorrect (it showed a 1970 expiry date). Now the field appears only once and with the correct value.
- FIXED: The bug where the mapping of roles and userID using the Ninja configuration in the file nevismeta.properties did not work correctly.
- REMOVED: The GlassFish deployment has been removed. Use the standalone deployment instead.
Breaking changes
- As of this release, the REST API no longer returns soft deleted states by default.
nevisMeta 1.9.0.110 - 18.11.2020
Support for standalone deployment only
From this release on, only standalone deployment is supported, as mentioned in the Nevis Product Lifetime and Platform Support Matrix.
Support for MariaDB database only
From this release on, only MariaDB is supported, as mentioned in the Nevis Product Lifetime and Platform Support Matrix.
Changes and new features
General
- FIXED: The bug that caused an incorrect WARN message to appear while starting nevisMeta. The incorrect WARN message has been removed.
Breaking changes
NEW: nevisMeta now enables the usage of the validAt query parameter on the following endpoints:
If you do not provide the validAt query parameter, the system will use the default current time. This means that always only one snapshot will be returned.
To search without checking the state validity, supply the value "any" for the validAt query parameter.
nevisMeta 1.8.0.98 - 19.08.2020
Changes and new features
General
- NEW: nevisMeta now supports enabling hostname verification when client authentication is required in a standalone deployment. See the new verify-hostname attribute in the "Deployment Types" chapter of the reference guide for additional information.
- FIXED: The Cancel button was not working properly when editing the Client / Resource server name on the UI. This issue has now been fixed.
- FIXED: A typo in the configuration property server.auth.ninja.log-debug, server.auth.ninja.log_debug prevented detailed Ninja debug logs even if the appropriate package was set in the log4j.xml. This is now fixed.
- FIXED: The bug that caused the nevismeta status command to write warning messages such as "lsof: WARNING: can't stat() ..." in the standard output (standalone deployment type) has been fixed.
- FIXED: An error message in the log files incorrectly stating certain configuration options to be invalid has been fixed.
- FIXED: We fixed a bug related to spaces inside jvm arguments in JAVA_OPTS (env.conf) for Standalone deployments. It caused an error: "Error: Could not find or load main class" and prevented nevisMeta from starting. New definition syntax as array is introduced for JAVA_OPTS, which now also allows comments to be used between new lines. The old string type definition is still supported, but to fix the previously mentioned error, you will need to change to the array type definition. For more, see the "Deployment Types" chapter of the reference guide.
When directly using the server CLI to start nevisMeta, the manual sourcing of env.conf is no longer necessary. See the section "Example usage of the standalone CLI" in the "Deployment Types" chapter of the reference guide.
- FIXED: Syntax errors while installing nevisMeta RPM (Examples: "invalid format character", "invalid group ID") have been fixed.
Breaking changes
- User can create new nevismeta database with the nevismeta command (see the chapter "Persistence backend"). The old way cannot be used any longer.
nevisMeta 1.7.0.68 - 07.05.2020
Changes and new features
General
- NEW: We now provide support for query parameters when querying the client and resource server identifiers in a given setup. Currently supported for MariaDB only.
- NEW: We now provide support for query parameters when querying the setup identifiers. Currently supported for MariaDB only.
- CHANGED: The web-based tool for migrating to MariaDB has been replaced by a command line tool (see "Migrating from Couchbase to MariaDB"). This tool is experimental.
- CHANGED: For security reasons, the number of TLS protocols and ciphers supported by default by the standalone server has been reduced. See Server Configuration Properties in the nevisMeta Reference Guide for the updated list of supported ciphers and protocols.
This change may break existing deployments. If you use the protocols and ciphers supported by default and your clients do not support them, it is recommended that you update your HTTP clients. If this is not possible:
- FIXED: The concurrency issue that generated unauthorized (401) and forbidden (403) HTTP errors has been fixed.
- FIXED: The misconfiguration issue where the HTTP server in standalone deployments logged a WARNING on startup has been fixed.
- DEPRECATED: The Couchbase Server persistence back end has been deprecated. It will be removed in the November 2020 rolling release. Migrating to MariaDB is recommended.
- DEPRECATED: REST services do not include the identifier links in the response header.
This change may break existing deployments. If you require the identifiers in the response headers, add the attribute response.linkheader.enabled with the value "true" to the nevismeta.properties configuration file. Enabling this property could result in errors when a large number of results is returned by the query request, because the HTTP header size limit may be exceeded.
This backwards compatibility mode may be removed in future releases.
nevisMeta 1.6.0.46 - 10.04.2020
Changes and new features
- FIXED: A concurrency issue that generated unauthorized (401) and forbidden (403) HTTP errors.
nevisMeta 1.6.0.45 - 13.02.2020
Changes and new features
General
- FIXED: The bug where the truststore's passphrase could be left empty in the nevismeta.properties configuration file. (Ticket NEVISMETA-739)
- FIXED: The bug where an exception was thrown at the startup of an application when the TLS connection configuration was missing. (Ticket NEVISMETA-740)
- FIXED: The bug where the user could not re-import an existing setup. (Ticket NEVISMETA-730)
- FIXED: The bug where the Force Reauthentication icon was missing when you created a Client entity based on the Setup's default values. (Ticket NEVISMETA-1142)
- FIXED: The bug where you could create refresh tokens, even though this was not allowed (because the value of the Client attribute Refresh Token Grant was set to "Disallowed"). (Ticket NEVISMETA-1170)
- FIXED: The bug where the client_id attribute was updated unintentionally when you modified a Client entity via the REST facade. (Ticket NEVISMETA-1174)
- FIXED: The bug that caused a wrong error message to appear when you created or edited a Client with an invalid response type for the Authorization Code Grant. (Ticket NEVISMETA-1171)
- FIXED: The bug where restoring a setup with the option Valid immediately resulted in an erroneous future active state of 00:00 on the next day. (Ticket NEVISMETA-1141)
- FIXED: The bug where you could delete an entity's last remaining state via the nevisMeta Web GUI. This bug occurred when the remaining state was a future state, that is, had a future validity date. (Ticket NEVISMETA-1162)
- DEPRECATED: The GlassFish deployment has been deprecated. It will be removed in the next release. We recommend using the standalone deployment instead.
- DEPRECATED: The Couchbase Server persistence backend has been deprecated. It will be removed in a future rolling release. Migrating to MariaDB is recommended.
Upgrading from nevisMeta 1.5.3.x
Couchbase as persistence backend
There are no changes to the data model and configuration properties.
MariaDB as persistence backend
There are no changes to the data model and configuration properties.
nevisMeta 1.5.3.71 - 20.11.2019
Changes and new features
General
- CHANGED: Revocation console improvements. (Tickets NEVISMETA-1108, NEVISMETA-1143)
- CHANGED: Enable OAuth2 public clients with optional client secret. (Ticket NEVISMETA-1139)
- CHANGED: nevisMeta supports PKCE mode from now on. Refer to, section Client Resource, for more details about the new attribute. (Ticket NEVISMETA-1136)
- CHANGED: Implement a mechanism to trigger the database schema update manually (MariaDB only). (Tickets NEVISMETA-1091, NEVISMETA-1146)
- CHANGED: Make Management Probes host configurable by adding a new key "management.server.host" in config file. (Ticket NEVISMETA-1039)
- FIXED: The bug where duplicate error messages are shown when creating "Resource server" without "Entity name". (Ticket NEVISMETA-1019)
- FIXED: The bug where all the scheduled deleted states were restored when the user restored a state. (Ticket NEVISMETA-729)
- FIXED: The bug where the user is not able to restore the scheduled delete state on the same date. (Ticket NEVISMETA-713)
- FIXED: The bug where the icon of "Force Reauthentication" is incorrect when the default value is "Reauthentication enforced". (Ticket NEVISMETA-852)
- FIXED: The bug that prevents the user from restoring a deactivated entity on the same date as delete date. (Ticket NEVISMETA-1121)
- FIXED: The bug where the user can input "zero" values into "TTL" fields when creating or editing an entity. (Ticket NEVISMETA-1125)
- FIXED: Improve Repair tool to remove AuthorizationServer. Refer to: Couchbase inconsistency repair tool for more details about the tool. (Ticket NEVISMETA-1168)
Known bug
- Only on Couchbase, due to its limited functionality: the total results always show the total number of refresh tokens/persisted consents in the database instead of the number of results found.
Upgrading from nevisMeta 1.5.2.1
Couchbase as persistence backend
There are no changes to the data model and configuration properties.
MariaDB as persistence backend
As of this release, 1.5.3.71, nevisMeta supports PKCE, so there is an update in the MariaDB database structure. To migrate to the newest database version, refer to(.