Skip to content

1.8.0 Release Notes

Compare
Choose a tag to compare
@fhanik fhanik released this 29 Jul 13:58
· 7421 commits to master since this release

Scope wildcards
In UAA we now support client scopes to have a wildcard. Imagine this scenario

Client Scopes

  • cloud_controller.*

User Joe

  • cloud_controller.read
  • cloud_controller.write

User Mary

  • cloud_controller.read
  • cloud_controller.write
  • cloud_controller.admin

When respective user requests a token, Joe will receive cloud_controller.read/write and Mary will receive cloud_controller.read/write/admin scopes.

To receive these scopes, the token/authorize request

  • may not contain any scopes to receive the default intersection of scopes between client and user
  • can include a wild card scope, cloud_controller.*, but it has to match the scope of the client
  • can include a specific scope, cloud_controller.read, that matches a user assigned scope

The wildcard matching is very simple. An asterisks, *, character represents a wild card. The wild card will never reach beyond a dot, ., that is considered a scope delimiting character.

For matching examples, take a look at the following tests

Limitations

User scopes may not contain wild cards. In a user scope, a wildcard will not be treated as a special character.

Extract Mail Attribute from LDAP user
A very simple feature has been implemented to extract the LDAP mail attribute from a user's record when a user is authenticated against LDAP
This feature simply looks at the LDAP record, extracts the 'mail' field and picks the first address on file. Currently we have not implemented a more advanced feature to select a specific email address if multiple exist. However, from the authentication, we do get all the email addresses and populate them into the Ldap User Details object.
When the user gets converted to a UAA record, it selects the first email address on file.

Ldap Documentation
Read it now

Gradle

UAA now builds with gradle instead of maven. This simplifies the build process, as one can now build from scratch, and run the uaa, app, and api apps with a simple

./gradlew run

Unit tests can be run with ./gradlew test, and integration tests with ./gradlew integrationTest

War and Jar files can be built with ./gradlew assemble

Tigthen security around /token endpoints
We have tightened security in the /oauth/token endpoint. Previously a token with a scope of oauth.<anything>, essentially having audience=oauth, was allowed to issue tokens without requiring user password or client secrets. We believe this scope is too broad to be allowed. Currently the login-server uses a scope of oauth.login for trusted endpoints, and even then, client_secret is required to issue a password grant token.

Stories Completed
Features
Allow client scopes/authorities to have wildcards
Expand oauth_client_details scope and authorities columns
Extract mail attribute from an LDAP user when user stored in UAA
Group memberships are tracked by origin
Email address is updated each time an LDAP user authenticates
Security tightened around token endpoints
External group map endpoint