Releases: SAP/cloud-security-services-integration-library

Version 2.14.0

24 Jul 13:27

❗ IMPORTANT Update ❗

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity-based applications.
    • TokenClaims is extended with the SAP_GLOBAL_APP_TID and SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with X-app_tid and X-client_id headers
    • Fetching JWKs from the Identity service now requires the mandatory headers X-app_tid and X-client_id. This has been updated in the default implementations of the OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is serializable #1207
  • [java-security-test] JwtGenerator adds the app_tid claim with the default value the-app-tid to Identity tokens. ❗ Some adaptation might be required when calling the getZoneId() method, as it now returns the app_tid value when default values are used.
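
How a consumer of Identity service tokens can follow this claim change, as an added Python example that is not part of the library or of these release notes: it prefers app_tid and falls back to the deprecated zone_uuid. Assumptions: the token was already validated upstream, rejecting tokens whose two claims disagree is a policy choice of this example, and the helper names and sample tenant values are constructed.

```python
import base64
import json

APP_TID = "app_tid"      # current tenant claim, per this release note
ZONE_UUID = "zone_uuid"  # deprecated predecessor claim


class TenantClaimError(ValueError):
    """The tenant could not be determined unambiguously."""


def decode_payload(jwt: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying it.

    Assumption: signature, issuer and audience were checked upstream.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise TenantClaimError("not a compact JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(segment))
    if not isinstance(claims, dict):
        raise TenantClaimError("payload is not a JSON object")
    return claims


def resolve_tenant(claims: dict) -> str:
    """Return the tenant id: app_tid first, zone_uuid only as fallback."""
    for name in (APP_TID, ZONE_UUID):
        value = claims.get(name)
        if name in claims and (not isinstance(value, str) or not value.strip()):
            raise TenantClaimError(f"{name} must be a non-empty string")
    new, old = claims.get(APP_TID), claims.get(ZONE_UUID)
    if new and old and new != old:
        # Example policy (assumption): never guess between two tenants.
        raise TenantClaimError("app_tid and zone_uuid disagree")
    tenant = new or old
    if tenant is None:
        raise TenantClaimError("token carries no tenant claim")
    return tenant


def constructed_jwt(claims: dict) -> str:
    """Build an unsigned sample token; the signature is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"
```
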

Dependency upgrades

  • Bump spring.core.version from 5.3.27 to 5.3.29
  • Bump spring.boot.version from 2.7.10 to 2.7.14
  • Bump spring.security.version from 5.8.3 to 5.8.5
  • Bump reactor-core from 3.4.24 to 3.4.31
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0

Version 3.0.1

16 May 08:01
df97ff2

[spring-xsuaa]

  • fixes incompatible TLS version for DefaultSpringHttpClientFactory

Dependency upgrades

  • Bump spring.core.version from 6.0.8 to 6.0.9
  • Bump reactor-core from 3.5.5 to 3.5.6
  • Bump btp-environment-variable-access from 0.5.2 to 0.6.0

Version 3.0.0

24 Apr 07:56
67672cd

Baseline changes

cloud-security-services-integration-library requires

  • Java 17
  • Spring Boot 3.0.x
  • Spring security 6.0.x

Breaking Changes

  • Identity service configurations need to provide domains via String array in JSON key 'identity.credentials.domains'. Providing String values under key 'identity.credentials.domain' is not supported anymore. IAS configurations from service bindings have been generated like this for a long time already. This should only affect old configuration files manually written for testing.

Removed modules

Removed deprecated classes and interfaces

  • [api]
    • XSPrincipal, XSUserInfoException → not needed anymore with new Token interface
  • [env]
    • CFEnvironment, K8sEnvironment → use instead ServiceBindingEnvironment
    • CFConstants, K8sConstants → use instead ServiceConstants
  • [java-security]
    • XSUserInfo, XSUserInfoAdapter → use instead Token interface and Token#getClaimAsString with TokenClaims.XSUAA constants to access XSUAA-specific claims.
    • SAPOfflineTokenServicesCloud → use instead [spring-security] module
  • [spring-xsuaa]
    • XSTokenRequest, TokenBroker, UaaTokenBroker → use instead token-client module to fetch XSUAA tokens via XsuaaTokenFlows
    • TokenBrokerResolver, AuthenticationMethod → No longer provided. See the spring-security-basic-auth sample for how to write your own implementation.
    • IasXsuaaExchangeBroker → Exchange is not supported by XSUAA service anymore.
    • TokenUrlUtils → use instead OAuth2ServiceEndpointsProvider
    • XsuaaServicesParser → use instead Environments#getCurrent or new ServiceBindingEnvironment(new SapVcapServicesServiceBindingAccessor(any -> xsuaaConfigJson))
    • OAuth2AuthenticationConverter → Not supported anymore because deprecated by Spring Security: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide
  • [token-client]
    • UserTokenFlow → use instead JwtBearerTokenFlow

Removed deprecated methods

  • [java-security]
    • OAuth2TokenKeyServiceWithCache#withCacheTime, OAuth2TokenKeyServiceWithCache#withCacheSize → use instead OAuth2TokenKeyServiceWithCache#withCacheConfiguration
    • SAPOfflineTokenServicesCloud#SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration)
  • [java-security-test]
    • SecurityTestRule#getConfigurationBuilderFromFile → use instead SecurityTestRule#getOAuth2ServiceConfigurationBuilderFromFile
    • SecurityTestRule#getWireMockRule → use instead SecurityTestRule#getWireMockServer
  • [spring-xsuaa]
    • Token#getExpirationDate → use instead Token#getExpiration
  • [spring-xsuaa-test]
    • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance
  • [token-client]
    • XsuaaTokenFlows#userTokenFlow → use instead XsuaaTokenFlows#jwtBearerTokenFlow
    • OAuth2TokenService#retrieveAccessTokenViaUserTokenGrant → use instead OAuth2TokenService#retrieveAccessTokenViaJwtBearerTokenGrant
    • OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant(URI, ClientIdentity, String, Map, boolean) → use instead OAuth2TokenService#retrieveAccessTokenViaClientCredentialsGrant with null for argument subdomain
    • DefaultOAuth2TokenService#DefaultOAuth2TokenService → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient)
    • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient)
    • DefaultOAuth2TokenService#DefaultOAuth2TokenService(TokenCacheConfiguration) → use instead DefaultOAuth2TokenService#DefaultOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
    • XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(TokenCacheConfiguration) → use instead XsuaaOAuth2TokenService#XsuaaOAuth2TokenService(CloseableHttpClient, TokenCacheConfiguration)
    • XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(URI), XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String) → use instead XsuaaDefaultEndpoints#XsuaaDefaultEndpoints(String, String)
    • OAuth2TokenResponse#getExpiredAtDate → use instead OAuth2TokenResponse#getExpiredAt
    • Base64JwtDecoder#Base64JwtDecoder → use instead Base64JwtDecoder#getInstance

Removed deprecated fields

  • [java-api]
    • GrantType#USER_TOKEN → use instead GrantType#JWT_BEARER
  • [token-client]
    • OAuth2TokenServiceConstants#GRANT_TYPE_USER_TOKEN → use instead GrantType#JWT_BEARER
  • [spring-xsuaa]
    • Token#GRANTTYPE_CLIENTCREDENTIAL → use instead GrantType#CLIENT_CREDENTIALS

Version 2.13.9

18 Apr 07:35

Patches CVE-2023-20863

[env]

  • For backward compatibility, the domain attribute is also supported along with the domains attribute for Identity service configuration #1153

[token-client]

  • Warning messages have been removed when using DefaultHttpClientFactory; HTTP client settings have been updated, see README for more information
  • UserTokenFlow is deprecated, use jwtBearerTokenFlow instead #1135

Dependency upgrades

  • Bump spring.core.version from 5.3.26 to 5.3.27
  • Bump log4j2.version from 2.19.0 to 2.20.0

Version 2.13.8

29 Mar 07:32
e6c4211

[spring-xsuaa]

  • Synchronizes XsuaaJwtDecoder cache configuration with internal NimbusJwtDecoder cache
  • Improved logging for XsuaaJwtDecoder fallback key validation

Dependency upgrades

  • Bump spring.boot.version from 2.7.9 to 2.7.10

Version 2.13.7

06 Mar 08:37
2a8dedf

[token-client]

  • Fixes regression introduced with logback dependency not having scope test

Dependency upgrades

  • Bump org.json from to 20230227

Version 2.13.6

27 Feb 08:23
a8080ec

[env]

  • CFEnvironment has migrated to use btp-environment-variable-access library for accessing configuration from VCAP_SERVICES

[java-security]

  • XsUserInfoAdapter.getSystemAttribute() supports xs.system.attributes token values in string format as well as string array

‼️ slf4j API version has been reverted back to 1.7.x to be in line with spring-boot 2.x supported slf4j API version

Dependency upgrades

  • Bump spring.boot.version from 2.7.8 to 2.7.9
  • Bump spring.security.version from 5.8.1 to 5.8.2

Full Changelog: 2.13.5...2.13.6

Version 2.13.5

30 Jan 08:54
7003f89

[spring-xsuaa]

  • improved logging for JwtAudienceValidator

[java-security]

  • enables token validation without zones

Dependency upgrades

  • Bump httpclient from 4.5.13 to 4.5.14
  • Bump btp-environment-variable-access java-bom from 0.5.1 to 0.5.2
  • Bump spring.boot.version from 2.7.5 to 2.7.8
  • Bump spring.core.version from 5.3.23 to 5.3.25
  • Bump spring.security.version from 5.7.5 to 5.8.1
  • Bump slf4j.api.version from 2.0.3 to 2.0.6

Full Changelog: 2.13.4...2.13.5

Version 2.13.4

04 Nov 08:32
ab971c3

[spring-xsuaa][spring-security]

[java-security-test]

  • scim_id added as default attribute for identity token Jwt generator

Dependency upgrades

  • Bump spring.security.version from 5.7.3 to 5.7.5
  • Bump btp-environment-variable-access java-bom from 0.4.1 to 0.5.1
  • Bump spring.boot.version from 2.7.3 to 2.7.5
  • Bump reactor-core from 3.4.23 to 3.4.24
  • Bump slf4j.api.version from 2.0.0 to 2.0.3
  • Bump spring-boot-starter-parent from 2.7.3 to 2.7.5

Version 2.13.3

09 Sep 06:34
4565f49

[spring-xsuaa-starter]

  • Patches the CVE-2022-25857 vulnerability in a transitive dependency of the Spring Boot starter.

Dependency upgrades

  • Bump spring-boot-starter-parent from 2.7.1 to 2.7.3
  • Bump slf4j.api.version from 1.7.36 to 2.0.0