Releases · spring-projects/spring-authorization-server
0.2.3
⭐ New Features
- Apply default settings for public client type #656
 - Decompose OAuth2ClientAuthenticationProvider #655
 - Optimize InMemoryOAuth2AuthorizationService #654
 - Federated Identity sample #641
 - Use OAuth2TokenGenerator for OAuth2AuthorizationCode #639
 - Add OAuth2TokenGenerator implementation for OAuth2RefreshToken #638
 - Allow Token Introspection to be customized #630
 - Introduce OAuth2TokenGenerator #628
 - Add Assert.notNull() for AuthenticationProvider additions #530
 - Support opaque access tokens #500
 - Allow Token Introspection to be customized #493
 - Separate JWT Token generation #414
 - Add a login with Google Authorization Server Sample #106
 
🪲 Bug Fixes
- Dynamic client registration should not generate client_secret for private_key_jwt #657
 - /.well-known/openid-configuration endpoint Expected @Transient Authentication #632
 
🔨 Dependency Upgrades
- Update to Reactor 2020.0.16 #661
 - Update to Spring Security 5.5.5 #660
 - Update to Spring Framework 5.3.16 #659
 - Update to Spring Boot 2.5.10 #658
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.2
⭐ New Features
- Improve support for large data columns in JdbcOAuth2AuthorizationService #604
 - Deprecate OAuth2TokenIntrospectionClaimAccessor #597
 - Deprecate JwtEncoder and associated classes #596
 - JdbcOAuth2AuthorizationService supports clob and text datatype for token columns #491
 - Allow Token Revocation to be customized #490
 - Adds userinfo_endpoint to authorization server metadata #489
 - Authorization server metadata is missing userinfo_endpoint #488
 - JdbcOAuth2AuthorizationService should support clob and text datatype for token columns #480
 - Support resolving issuer from current request #479
 - Allow Token Revocation to be customized #476
 - Client authentication with JWT assertion #293
 - Support JWT Bearer Client Authentication #59
 
🪲 Bug Fixes
- Missing state in initial request + deny consent results in failure #595
 - Throw invalid_grant when invalid token request with PKCE #581
 - Default schema exceeds mysql row limits #550
 - OAuth2ClientAuthenticationToken should not be persisted across requests #482
 
🔨 Dependency Upgrades
- Update to Jackson 2.12.6 #609
 - Update to Spring Boot 2.5.9 #608
 - Update to Reactor 2020.0.15 #607
 - Update to Spring Security 5.5.4 #606
 - Update to Spring Framework 5.3.15 #605
 - Upgrade io.spring.ge.conventions to 0.0.9 #578
 - Update gradle enterprise to 3.8 to address CVE-2021-45105. #547
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.1
⭐ New Features
- Allow subclassing OAuth2AuthenticationContext #492
 - Restructure samples #485
 - Update README.adoc #471
 - Customize OAuth2AuthorizationConsent prior to saving #470
 - Make OAuth2ClientAuthenticationToken @Transient #450
 - authenticationDetailsSource of OAuth2TokenEndpointFilter should be customizable #448
 - Implement User Info Endpoint #441
 - Make OAuth2AuthorizationConsent customizable #436
 - authenticationDetailsSource of OAuth2TokenEndpointFilter should be customizable #431
 - Implement Client Configuration Endpoint #427
 - Removed an empty statement #421
 - Implement Client Configuration Endpoint #355
 - Implement UserInfo Endpoint #176
 
🪲 Bug Fixes
- Missing state parameter in Authorization Consent request throws 500 #503
 - Fix registration access token cannot be deserialized #497
 - Registration access token cannot be de-serialized when calling Client Configuration Endpoint #495
 - Documentation links in README.adoc to Spring Security are broken #494
 - Require code_verifier if code_challenge provided #465
 - JdbcOAuth2AuthorizationService now uses LobCreator in findBy method #464
 - Add support for deserializing LinkedHashSet #460
 - Jackson throws IllegalArgumentException when loading OAuth2Authorization from JdbcOAuth2AuthorizationService #457
 - JdbcOAuth2AuthorizationService.findBy should use LobCreatorArgumentPreparedStatementSetter #455
 - Require code_verifier if code_challenge provided #453
 - Update RegisteredClient.Builder to use getters #451
 - OAuth2 token introspection assuming issuer claim is present #438
 - Client secret double encoding issue when updating an existing registered client #433
 - Refreshed access token is inactive after token revocation #432
 - Fix cancel consent functionality on default consent page #411
 - Cancel consent button does not submit form #393
 - Client secret double encoding issue when updating an existing registered client #389
 
🔨 Dependency Upgrades
- Update to jackson-bom 2.12.5 #517
 - Update to Spring Boot 2.5.7 #516
 - Update Reactor to 2020.0.13 #515
 - Update to Spring Security 5.5.3 #514
 - Update to Spring Framework 5.3.13 #513
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.2.0
⭐ New Features
- Use OAuth2AuthenticationException(String errorCode) #402
 - Replace stream usage with for loops #401
 - Polish loopback address validation in DefaultRedirectUriOAuth2AuthenticationValidator #396
 - Validate redirect_uri on dynamic client registration #392
 - JdbcRegisteredClientRepository hashes client secret on save #381
 - Provide capability for customizing client authentication #380
 - Hash RegisteredClient client_secret on save #378
 - Provide configuration for refresh token generator #377
 - Provide configuration for authorization code generator #376
 - Introduce OAuth2AuthenticationValidator #374
 - Add post processor to register ProviderSettings @Bean #373
 - Add update support in JdbcRegisteredClientRepository #365
 - Add update support in JdbcRegisteredClientRepository #356
 
🪲 Bug Fixes
- Authorization failure should not clear current Authentication #409
 - The JDBC-based sample code does not work properly #385
 - Do not issue refresh token to public client #379
 - Remove use of deprecated ClientAuthenticationMethod's #350
 - Cannot request access token for client with CLIENT_SECRET_BASIC #346
 - OAuth2AuthorizationCodeAuthenticationProvider should not issue refresh token to public client #296
 
🔨 Dependency Upgrades
- Update to nimbus-jose-jwt 9.10.1 #408
 - Update to jackson-bom 2.12.4 #407
 - Update to Spring Boot 2.5.3 #406
 - Update Reactor to 2020.0.10 #405
 - Update to Spring Security 5.5.2 #404
 - Update to Spring Framework 5.3.9 #403
 
⏪ Non-passive
- Disable Oidc client registration by default #398
 - Move OAuth2AuthorizationCode #395
 - Polish JwtEncoder APIs #391
 - OAuth2ClientAuthenticationToken should support any type of credentials #382
 - Remove Context.of() #375
 - Extract constants from Settings implementations #369
 - Remove OAuth2ErrorCodes2 #368
 - Remove OAuth2RefreshToken2 #367
 - Make Settings implementations immutable #366
 - Use OAuth2Token in OAuth2Authorization #364
 - Rename ClientSettings.requireUserConsent() to requireAuthorizationConsent() #363
 - Remove deprecated code #362
 - Remove OAuth2ParameterNames2 #361
 - Make AuthenticationProvider implementations final #360
 - Make Filter implementations final #359
 - Reduce visibility of default endpoint URI constants #358
 - Move AuthenticationConverter's to web.authentication package #357
 - Rename OAuth2TokenIntrospectionClaimAccessor.getScope() to getScopes() #354
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.1.2
⭐ New Features
- Provide capability for customizing the authorization endpoint #342
 - Update authorization server sample to use jdbc #337
 - Provide sample based on JDBC #329
 - Include WebAuthenticationDetails in token requests #322
 - Provide capability for customizing the token endpoint #319
 - Refresh token grant may issue ID token #318
 - Provide JDBC implementation of OAuth2AuthorizationConsentService #314
 - Provide JDBC implementation of OAuth2AuthorizationConsentService #313
 - Provide JDBC implementation of OAuth2AuthorizationService #304
 - JDBC implementation of RegisteredClientRepository #291
 - Refresh token grant may issue ID token #287
 - Provide configuration for custom Authorization Consent page #283
 - Remember user consent and make consent page configurable #280
 - Introduce integration tests for the sample oauth server #277
 - Provide JDBC implementation of RegisteredClientRepository #265
 - Provide JDBC implementation of OAuth2AuthorizationService #245
 
🪲 Bug Fixes
- Add jackson module for authorization server #331
 - Attributes column of the authorization table is too small #328
 - Fix NPE saving public client #327
 - JdbcRegisteredClientRepository throws NPE when saving public client #326
 - OAuth2AuthorizationCodeAuthenticationProvider does not properly deserialize OAuth2Authorization object attributes #324
 - Temporarily fix expires_in for access token response #321
 - Fix authorization code expired check #299
 - OAuth2AuthorizationCodeAuthenticationProvider should check if the code has expired #290
 - Oauth2 Client expects "expires_in" to be a number #281
 
🔨 Dependency Upgrades
- Update dependencies for 0.1.2 release #344
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.1.1
⭐ New Features
- master->main #284
 - Use PasswordEncoder in OAuth2ClientAuthenticationProvider #272
 - Use PasswordEncoder to verify client credentials #271
 - Redirect URI validation for loopback address #244
 - Redirect URI validation for loopback address #243
 - Implement OpenID client registration endpoint #189
 - Implement OAuth 2.0 Server Metadata (RFC 8414) #167
 - Implement Token Introspection Endpoint #161
 - Implement OpenID Connect 1.0 Client Registration Endpoint #57
 - Implement OAuth 2.0 Authorization Server Metadata #54
 - Implement Token Introspection Endpoint #52
 
🪲 Bug Fixes
- Sample auth server doesn't work #273
 - Login page should not be configured in OAuth2AuthorizationServerConfigurer #267
 - Scope "openid" should be in access token scopes #252
 
🔨 Dependency Upgrades
- Use nimbus-jose-jwt and oauth2-oidc-sdk versions from spring-security #257
 - Align dependencies with the version of Spring Security being used #256
 - Bump Jacoco to 0.8.6 #246
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.1.0
⭐ New Features
- Propagate additional token request parameters #226
 - openid scope should not require user consent #225
 - Set iss claim in Jwt using configured issuer #223
 - Add OAuth2Authorization.id #220
 - Introduce base Authentication for authorization grant #216
 - Add JoseHeader.builder() #215
 - Use configuration from ProviderSettings in OAuth2AuthorizationServerConfigurer #201
 - Use ProviderSettings in OAuth2AuthorizationServerConfigurer #182
 - Allow customizing Jwt claims and headers #173
 - Register SecurityFilterChain instead of WebSecurityConfigurerAdapter #163
 - Implement OpenID Provider Configuration endpoint #143
 - Add client secret POST authentication method support #140
 - Support client authentication method POST #134
 - Implement OpenID Provider Configuration endpoint #55
 - Implement OpenID Connect 1.0 Authorization Code Flow #53
 
🪲 Bug Fixes
- OAuth2AccessToken.scopes includes authorized or requested scopes #224
 - InMemoryOAuth2AuthorizationService.save() should support insert and update #222
 - JwkSet endpoint returns empty keys #198
 - token_type_hint should be used as a hint only #188
 - token_type_hint should be used as a hint only #175
 - Unknown token_type_hint should be ignored #174
 - Configured TokenSettings.accessTokenTimeToLive() not used #172
 - Ensure refresh token is not revoked #169
 - Refresh token should not be issued if client is not configured with refresh_token grant type#155 #168
 - Ensure refresh token is not revoked #158
 - Refresh token should not be issued if client is not configured with refresh_token grant type #155
 - Sample not working with Spring Boot 2.4.0 #154
 - Building the project fails #153
 
🔨 Dependency Upgrades
- Update to json-path 2.4.0 #239
 - Update to okhttp3:okhttp 3.14.9 #238
 - Update to okhttp3:mockwebserver 3.14.9 #237
 - Update to mockito-core 3.6.28 #236
 - Update to assertj-core 3.18.1 #235
 - Update to junit 4.13.1 #234
 - Update to javax.servlet-api 4.0.1 #233
 - Update to nimbus-jose-jwt 9.1.3 #232
 - Update to oauth2-oidc-sdk 8.23.1 #231
 - Update to Reactor 2020.0.3 #230
 - Update to Spring Security 5.4.2 #229
 - Update to Spring Framework 5.3.3 #228
 - Update to Spring Boot 2.4.2 #227
 
⏪ Non-passive
- Improve naming of KeyManager and ManagedKey #105
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.0.3
⭐ New Features
- Reuse client authentication assertion #144
 - Enforce one-time use for authorization code #138
 - Introduce OAuth2Tokens #137
 - Add Refresh Token grant support #128
 - Implement Token Revocation Endpoint #84
 - Implement Token Revocation Endpoint #83
 - Add Refresh Token Grant #50
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.0.2
⭐ New Features
- Provide client configuration settings #117
 - Allow CORS requests to JWK Set endpoint #110
 - Add docs skeleton to the project #107
 - Add PKCE support #93
 - Add support for Proof Key for Code Exchange (PKCE) #45
 - Add Authorization (User) Consent page #42
 
🪲 Bug Fixes
- Oauth 2.0 Integration Sample: java.lang.NoSuchMethodError: com.nimbusds.jose.Header.toJSONObject() #122
 - Constrain version for com.nimbusds:nimbus-jose-jwt #113
 - WebSecurityConfigurer @Order(100) is broken when Actuator is also present #103
 
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
0.0.1
⭐ New Features
- InMemoryOAuth2AuthorizationService should uniquely identify an OAuth2Authorization #98
 - Add OAuth2AuthorizationServerConfigurer.getEndpointMatchers() #97
 - Introduce JwtEncoder with JWS implementation #96
 - Align modules with Spring Security #95
 - Add @Configuration providing default security configuration #91
 - Add integration tests for Authorization Code Grant #89
 - Add client_credentials grant type support #88
 - Copy SpringTestRule #86
 - Add OAuth2AuthorizationServerConfigurer #85
 - Implement JWK Set Endpoint #82
 - Add JwtEncoder to support JWT/JWS #81
 - Added token endpoint implementation #79
 - Add client credentials authentication filter #78
 - Authorization Endpoint filter for Authorization Code flow #77
 - Implement Client Credentials Authentication #72
 - Add in-memory implementation for OAuth2AuthorizationService #71
 - Add support for Client Registration Model and InMemory Client Repository #70
 - Implement authorization_code AuthenticationProvider #68
 - Implement Token Endpoint #67
 - Implement Authorization Endpoint #66
 - Stub out authorization_code grant implementation #65
 - Add support for Client Credentials Grant #51
 - Epic: JWT / JWS / JWK #46
 - Implement Authorization Model / Service #43
 - Epic: Client Authorization Model #41
 - Implement Client Registration Model / Repository #40
 - Implement Client Authentication #39
 - Epic: Access Token Request Exchange #38
 - Epic: Authorization Request Exchange #36
 - JWK endpoint as filter #31
 - Add Resource Server Sample #30
 - Add Authorization Code Grant sample #25
 - Spring Boot sample #23
 - Integrate Gradle Enterprise plugin #20
 - Add a Client Credentials Authentication Filter #5
 - Add Resource Server Sample #4
 - Add JWK Set Endpoint #2
 - Add Empty Spring Boot Sample #1
 
❤️ Contributors
We'd like to thank all the contributors who worked on this release!