Release Highlights

Trusted Applications module in HomeUI (user profile UI)

The former, very technical modules of the HomeUI, preferences and OAuth tokens, were removed and replaced by a single module with a user-friendly interface: Trusted Applications.

This view shows all applications for which the user has expressed and saved some sort of authorization decision: either the application was allowed offline OAuth access (i.e. the client holds a refresh token) or the user saved an automatic consent approval for it.

For OAuth-based applications, technical details, including tokens, can also be shown. By default the UI speaks in user-friendly terms and allows simple, one-click revocation of access.

SCIM enhancements

  • Previously missing SCIM metadata endpoints were added: /ServiceProviderConfig and /ResourceTypes.
  • Groups exposed over SCIM can now be configured more flexibly: wildcards can be used in the included-groups specification, and a list of excluded groups can be configured as well. Excluded groups are removed from the base list of included groups and may also be specified with wildcards.
  • A new system OAuth scope related to SCIM was added: sys:scim:read_self_group. The holder of this scope can read the contents of the groups in which the issuer is a member.
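The include/exclude semantics described for SCIM groups (include patterns build the base list, exclude patterns then remove groups from it, both accepting wildcards) are modelled below as an added illustration. This is not Unity's code: the real pattern syntax and the configuration keys are not shown on this page, so shell-style globbing from Python's fnmatch stands in for them, and the group tree is a constructed sample.

```python
"""Include/exclude group filtering with wildcards.

Added illustration, not Unity's own code: include patterns select the base
list of groups, exclude patterns then remove groups from it, and both accept
wildcards. Glob matching via fnmatch is an assumption standing in for
Unity's real pattern syntax, which is not described on the page.
"""
from fnmatch import fnmatchcase

# Constructed sample group tree using Unity-style path names.
ALL_GROUPS = [
    "/",
    "/projects",
    "/projects/alpha",
    "/projects/alpha/admins",
    "/projects/beta",
    "/staff",
    "/staff/hr",
    "/staff/it",
]


def _matches_any(group, patterns):
    """Case-sensitive glob match against any pattern. Note that '*' in
    fnmatch also matches '/', so '/projects/*' covers nested subgroups."""
    return any(fnmatchcase(group, p) for p in patterns)


def exposed_groups(all_groups, included, excluded=()):
    """Return the groups a SCIM endpoint would expose.

    included: literal paths or glob patterns selecting the base list.
    excluded: literal paths or glob patterns removed from that base list.
    A group matched by both is hidden: exclusion is applied after inclusion.
    """
    base = [g for g in all_groups if _matches_any(g, included)]
    return [g for g in base if not _matches_any(g, excluded)]


if __name__ == "__main__":
    # Expose everything under /projects, but never any admins subgroup.
    print(exposed_groups(ALL_GROUPS, ["/projects/*"], ["*/admins"]))
```

The practical point to check in any such configuration is the order of evaluation: an exclude pattern must win over an include pattern for the same group, otherwise a broad include such as `*` silently re-exposes groups that were meant to stay hidden.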

OAuth enhancements

  • Support for RFC 8707 was added, which allows an OAuth client to request one or more additional audiences (beyond the client itself) for the generated access token. This change affects consent behaviour: additional audiences must be acknowledged by the user issuing the token.
  • A new type of authentication facility was added: OAuth 2 verifying local tokens. It is a close relative of oauth-rp with verification set to internal, meaning that this authentication facility can validate OAuth tokens issued by the local Unity server. The added value of the new facility is a simpler configuration and an additional feature: clients presenting a token can be required to additionally authenticate themselves (as a client). Note that in the future we plan to make this client authentication optional, at which point the new authentication facility will replace oauth-rp with internal verification completely.
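The RFC 8707 flow from the first bullet, as an added example that is not Unity's code: the client passes extra audiences in the `resource` request parameter, the user has to acknowledge each of them at consent time, and the issued token names the client plus the acknowledged resources in its `aud` claim. The last function shows the check a resource server should perform on every request, refusing tokens whose `aud` does not name it. The claim set is a plain dict standing in for a signed token; the subject, scope, client id and resource URIs are constructed placeholders.

```python
"""RFC 8707 resource indicators: request, consent and audience checking.

Added example, not Unity's code. Request parsing, consent enforcement and
the resource-server audience check are modelled in plain Python; the claim
set is a dict standing in for a signed access token.
"""
from urllib.parse import urlparse


class ConsentRequired(Exception):
    """Raised when requested audiences were not acknowledged by the user."""

    def __init__(self, audiences):
        super().__init__(f"user must acknowledge audiences: {audiences}")
        self.audiences = audiences


def parse_resource_params(query_params):
    """Return the RFC 8707 `resource` values from a token/authorization
    request. Each must be an absolute URI without a fragment; the RFC also
    recommends no query component, so that is rejected here as well."""
    resources = []
    for value in query_params.get("resource", []):
        parsed = urlparse(value)
        if not parsed.scheme or parsed.fragment or parsed.query:
            raise ValueError(f"invalid resource indicator: {value!r}")
        if value not in resources:
            resources.append(value)
    return resources


def issue_access_token(client_id, requested_resources, acknowledged):
    """Build the claims of an access token for `client_id`.

    Every requested extra audience must appear in `acknowledged`, the set of
    audiences the user approved on the consent screen; otherwise issuance is
    refused and the consent screen has to be shown.
    """
    missing = [r for r in requested_resources if r not in acknowledged]
    if missing:
        raise ConsentRequired(missing)
    # The client itself is always an audience; extra resources follow.
    aud = [client_id] + [r for r in requested_resources if r != client_id]
    return {"sub": "user-123", "client_id": client_id, "aud": aud,
            "scope": "profile"}   # constructed placeholder values


def token_is_for(claims, resource_identifier):
    """Resource-server side: accept the token only if `aud` names us.
    Per RFC 7519 `aud` may be a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False
    return resource_identifier in aud


if __name__ == "__main__":
    request = {"resource": ["https://api.example.org/files",
                            "https://calendar.example.org/"]}
    wanted = parse_resource_params(request)
    try:
        issue_access_token("client-app", wanted, acknowledged=set())
    except ConsentRequired as exc:
        print("consent needed for:", exc.audiences)
    claims = issue_access_token("client-app", wanted, acknowledged=set(wanted))
    print(claims["aud"])
    print(token_is_for(claims, "https://api.example.org/files"))   # True
    print(token_is_for(claims, "https://other.example.org/"))      # False
```

The audience check matters because a token that is valid for one API must not be replayable against another: a resource server that only verifies the signature and expiry, but not `aud`, accepts every token the same issuer ever minted.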

SAML enhancements

It is now possible to blacklist SAML entities provided by federation metadata in the SAML authenticator configuration.

Upgrade from 3.9.x

Version 3.10 changes the modules available in the HomeUI endpoint. The former oauthToken and preferencesTab modules are replaced with a single, user-friendly module named trustedApplications. Please check the update manual if you use HomeUI with file configuration.

This version includes a database migration. Taking a DB backup is mandatory before upgrading.