Airlock IAM 8.3 - Changelog

Airlock IAM 8.3.1

The following table shows the changes from Airlock IAM 8.3.0 to 8.3.1.

Bugfixes and improvements

Bugfix

AI-18418
AI-20026

OAuth 2.0/OIDC now supports redirect_uri using a private-use scheme (containing only one slash after the colon, e.g., com.example.app:/oauth) in the default SPA.

Bugfix

AI-19285
AI-20027

The <loginapp>/rest/public/authentication REST endpoint can now be configured with access restriction. To maintain backward compatibility, access is allowed for unauthenticated sessions by default.

Bugfix

AI-19527
AI-20023

The Set Context Data Step now produces Context Data Changed events.

Bugfix

AI-19765
AI-20172

Invalid role names are now logged correctly, with the control characters masked.

Bugfix

AI-19850
AI-20024

The Airlock 2FA Authentication Data Map now correctly respects the cooldown state of the authentication device.

Bugfix

AI-19897

The authentication timestamp in the one-shot authentication flow is now propagated correctly.

Bugfix

AI-19990

The Use STARTTLS behavior of the SMTP Email Server is now correct: it uses TLS at all times.

Bugfix

AI-19954
AI-20004

The XML File Importer task now handles empty commands correctly.

Bugfix

AI-20053

The Discovery Endpoint lookup in the OAuth 2.0 token exchange is now cached using the same timeout as the JWKS response.

Bugfix

AI-20063

A bug was fixed where the Loginapp UI stopped polling the authentication status. The bug could occur in the case of a network failure or when the Loginapp UI was sent to the background on some mobile phones.

Improvement

AI-20010
AI-20088

Updated the Java JDK, Spring Framework, and UBI images to the latest revision.

Airlock IAM 8.3.0

The following tables show the changes from Airlock IAM 8.2 to 8.3.

Airlock 2FA

New

AI-18462

The Airlock 2FA Delete Devices Step is now also available for protected self-service flows (already available in authentication flows). The step now supports different deletion policies for different use cases. Additionally, the step now produces an Airlock 2FA Device Deleted event that can be subscribed to.

New

AI-18831
AI-18851
AI-18752

IAM now provides the multi-numbered challenge solution, as an additional feature of One-Touch authentication with the Airlock 2FA app. If the new feature is enabled, the user must both approve a push message on the 2FA app and choose the correct number from a number list on the app screen. Upon login, the REST API response includes the new attribute multiNumberedChallenge, which contains the value to be challenged. For all details, see One-Touch with multi-numbered challenge.

New

AI-17834

It is now possible to define a cooldown period for newly registered Airlock 2FA devices. During this period, new devices can only be used for low-risk authentication or action approvals. IAM provides several event notifications that inform the end-user about the cooldown period process, including the new Airlock 2FA Device in Cooldown Used event. Furthermore, the new value provider Airlock 2FA Cooldown Information informs the backend application about the cooldown status of the affected Airlock 2FA device. For all details, see Airlock 2FA cooldown period feature.

New

AI-18845
AI-18844
AI-18843

The Airlock 2FA Trusted Session Binding feature is a security feature that makes token enrollment and app recovery more secure by binding these actions to an IAM authentication flow or a protected self-service flow. For more information, see Airlock 2FA Trusted Session Binding.

New

AI-16865

For the One-Touch option of the Airlock 2FA authentication method, IAM now provides the Push-to-All feature. If an end-user uses several Airlock 2FA devices, the feature pushes messages to all devices simultaneously. This prevents users from having to interactively select a device. The feature can be enabled on several Airlock 2FA authentication and approval steps.

Improvement

AI-19101

The two steps Airlock 2FA Delete Authentication Device Step and Airlock 2FA Delete Old Devices Step are now combined into one: Airlock 2FA Delete Devices Step. This new step also allows deleting all Airlock 2FA devices except the last-registered one.

Authentication and Loginapp

New

AI-16252

There is a new flow step User Identification by Data Step. This step allows the identification of users in authentication and public self-service flows by the user's context data. Which context data to use is configurable on the step.

New

AI-16220

Analogous to the Username Password Authentication Step, it is now possible to define a Custom Step UI to configure additional authentication buttons as well as self-registration and public self-service links, for the following steps: User Identification Step, Password-only Authentication Step, FIDO Passwordless Authentication Step, and Airlock 2FA Usernameless Authentication Step. In the context of this issue, the plugin Username Password Authentication UI has been renamed to Link Configuration Authentication UI.

New

AI-18497
AI-18498

There is a new IAM-wide REST endpoint, which returns all public keys used for signing JWTs in the Loginapp.

This includes public keys from the following plugins:

  • JWT Ticket RSA Signer Settings
  • JWT Ticket EC Signer Settings
  • OAuth 2.0 and OIDC Private Key JWT Client Authentication
  • OAuth 2.0 and OIDC JWT Access Token Private Key Signature
  • OIDC ID Token Private Key Signature

For more details on this new JWKS endpoint, see JWKS endpoint.

New

AI-19309

The FIDO Default AAGUID Mappings plugin provides a pre-defined list of known FIDO authenticators, which maps each AAGUID to a make and model. This list has been updated, based on data from the FIDO Alliance Metadata Service on 4 July 2024.

New

AI-19338

It is now possible to define a list of FIDO transport types that are allowed for authentication. Thus, you can limit the number of FIDO transport types to be used in your setup. Examples of FIDO transport types are Bluetooth, NFC, USB, internal, etc.

Limiting the allowed FIDO transport types is only possible if FIDO is used as second factor in an authentication flow. The feature doesn't work for FIDO passwordless authentication.

To configure the allowed FIDO transport types in the Config Editor, go to MAIN Settings >> Authentication Settings >> FIDO Settings. Specify the list of FIDO transport types in section Authentication Settings, property Authentication Transports.

Improvement

AI-18624

The plugin Cronto Push Notification Sender no longer supports the property Android API Key, as Google removed support for this method in June 2024. For more information, see https://firebase.google.com/docs/cloud-messaging/migrate-v1.

Improvement

AI-19135

The new event Filtered Flow Event allows Loginapp event subscribers to filter events based on flow ID, step ID, or flow type (authentication, public self-service, etc.).

Additionally, events that are emitted during a step with a step ID now always include this step ID in the event source data. This was not always the case in the past. For more information, see Filtered Flow Event. Note that the new event is not available for Adminapp event subscribers.

Bugfix

AI-18396

Instead of being shown an error message, the user will now be redirected to the default login page when a maintenance message is no longer active.

Bugfix

AI-19122

Loginapp: In some audit log messages, wrong Service Container prefixes appeared. These prefixes have been removed.

Bugfix

AI-19149

Word template renderers now render replacements containing the ampersand character ("&") correctly.

Bugfix

AI-19278

The following five new properties have been added to the Microgateway mapping templates:

  • global.path.adminapp
  • global.path.loginapp
  • global.path.transactionApproval
  • global.path.apiPolicyService
  • global.path.serviceContainer

These properties define the paths to the respective IAM modules. Previously, the paths were hardcoded to the format <instanceName>-<module>/, which was incompatible with the options available in the instance.properties file to change the module path (e.g., iam.adminapp.url.path).

Bugfix

AI-19577

When the domain-wide Active Directory Fine Grained Password Policies (FGPP) contained a policy other than the DOMAIN_PASSWORD_COMPLEX policy in the pwdProperties LDAP field, the field was misinterpreted. This issue has been fixed.
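As an added illustration (not Airlock IAM code) of why pwdProperties has to be read as a bit field: the flag constants are Active Directory's own (MS-SAMR DOMAIN_PASSWORD_INFORMATION), while the naive equality check is a constructed example of the bug class, not IAM's actual implementation.

```python
# Added example, not Airlock IAM code: decoding the Active Directory
# pwdProperties attribute. It is a bit field, so DOMAIN_PASSWORD_COMPLEX must
# be tested with a bitwise AND; comparing the whole value for equality fails
# as soon as the domain policy sets any additional flag.

# Flag values from the Microsoft MS-SAMR DOMAIN_PASSWORD_INFORMATION structure.
DOMAIN_PASSWORD_COMPLEX = 0x01
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x02
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
DOMAIN_LOCKOUT_ADMINS = 0x08
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20

FLAG_NAMES = {
    DOMAIN_PASSWORD_COMPLEX: "DOMAIN_PASSWORD_COMPLEX",
    DOMAIN_PASSWORD_NO_ANON_CHANGE: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    DOMAIN_LOCKOUT_ADMINS: "DOMAIN_LOCKOUT_ADMINS",
    DOMAIN_PASSWORD_STORE_CLEARTEXT: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    DOMAIN_REFUSE_PASSWORD_CHANGE: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}


def parse_pwd_properties(raw):
    """Decode the LDAP value (a decimal string) into the set of flag names.
    Unknown bits are reported as UNKNOWN_0x.. instead of being dropped, so an
    unexpected flag shows up in logs rather than being misread silently."""
    value = int(raw)
    names = {name for bit, name in FLAG_NAMES.items() if value & bit}
    remaining = value & ~sum(FLAG_NAMES)
    if remaining:
        names.add("UNKNOWN_0x%X" % remaining)
    return names


def complexity_required_naive(raw):
    """Constructed illustration of the misreading: equality instead of a bit test."""
    return int(raw) == DOMAIN_PASSWORD_COMPLEX


def complexity_required(raw):
    """Correct check: the complexity flag is set regardless of the other bits."""
    return bool(int(raw) & DOMAIN_PASSWORD_COMPLEX)


if __name__ == "__main__":
    # Constructed samples: "9" is DOMAIN_PASSWORD_COMPLEX | DOMAIN_LOCKOUT_ADMINS.
    for raw in ("1", "9", "0"):
        print(raw, sorted(parse_pwd_properties(raw)),
              complexity_required_naive(raw), complexity_required(raw))
```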

Bugfix

AI-19613

Fixed an injection problem after an unsuccessful request authentication in the protected Loginapp self-service flows.

Flows

New

AI-17812

It is now possible to manually determine when the flow continuation token is consumed in the flow. For more information, see Consumption of the Flow Continuation Token. In Continuation flow configuration with manual token consumption, it is explained how to configure the manual token consumption.

Bugfix

AI-19234

The plugin mTAN Registration Number Provider could not be used in flows that support registration of mTAN numbers. This issue has been fixed.

OAuth / OIDC / SAML

New

AI-19190

Client overrides enable client-specific configurations to supersede authorization server defaults. This includes overrides for access and ID token claims to add additional claims or to write client-specific values to existing claims. The use of PKCE, authentication settings, scopes, and flow settings can be configured per client.

New

AI-19146

OAuth 2.0 consent can now be persisted and managed. A self-service management UI allows end-users to grant, deny, and delete OAuth 2.0 consent, while administrators have a UI in the Adminapp to delete consents. Additionally, OAuth 2.0 consent can be filtered to prevent technical scopes from being presented to end-users.

New

AI-18085

PAR (Pushed Authorization Requests) is now supported by the OAuth 2.0/OIDC Authorization Server. For more information, see PAR - Pushed Authorization Request on the AS/OP.

New

AI-17452

private_key_jwt is a new client authentication method supported exclusively for static clients. Public keys can be configured directly in IAM or provided as a JWKS URL.

New

AI-14332

Tags and flow attributes can now be persisted in the database. When enabled, these values are evaluated and stored during ID propagation, allowing them to be used for creating access and ID token claims both initially and during token refresh. Subsequent changes to context data items will not affect the token contents.

Improvement

AI-12106

The OAuth 2.0 Flow Client and the OIDC Discovery Flow Client now both support PKCE.

Bugfix

AI-19221

Fixed an incorrect collation on oauth_session.id with a database migration script.

Bugfix

AI-19209

Fixed an issue where URIs were incorrectly generated when there was no path behind the host part.

This only affects OAuth 2.0/OIDC redirect URIs and 2FA Scheme Overrides in the "Airlock 2FA Mobile Only Authentication Step" and the 2FA Approval Steps in self-services and transaction approval.

Bugfix

AI-19109

The Client Credentials Grant now accepts specifying the charset in the Content Type on the token endpoint.

Adminapp

New

AI-18407

There is a new event User Roles Changed, which is triggered when an administrator changes the user's roles in the Adminapp. The corresponding event subscriber notifies the subscriber each time a role is changed. The event info contains information about the old, new, added, and/or removed roles of the affected user.

New

AI-19667

It is now possible to add admin-role-specific roles to the list of user roles in the Available User Roles plugin. This plugin defines the roles that are available for end-users. It is used for user management in the Adminapp.

Improvement

AI-18805

Each time an end-user, IAM administrator, or IAM tech-client is locked in the Adminapp, the lock reason is now logged. For end-users and administrators, the log reason appears in the helpdesk logs, for tech-clients in the audit logs.

Improvement

AI-17883

The Rich Text Editor (HTML Editor) has been removed from the Maintenance Messages module in the Adminapp. The plain text editor is still available.

Bugfix

AI-18247

A more specific technical error page is shown if the IAM backend is not available (HTTP 503).

Bugfix

AI-17300

Adminapp: The translation text of user.failed-logins.one-shot-radius has been changed from One-Shot/Radius to Non-flow logins (analogous translations for French and German).

Bugfix

AI-19165

User trail log messages that report the creation of a new user now include the internal identity (UserId) of the administrator who created the user. Additionally, helpdesk log messages originating from the Adminapp module now consistently use double quotes instead of a mix of double and single quotes.

Miscellaneous

New

AI-18911

The IAM docker Image is now published on quay.io. Contact support to get access. For more information, see Getting the Docker image.

New

AI-19466
AI-19245
AI-17833
AI-17831

The new Correlation ID feature links incoming HTTP requests with outgoing requests by using the same reference ID in all relevant log files. Within IAM, the correlation ID is currently only logged in the structured log. For this, the new shared attribute corr_id has been introduced. It is also possible to log the correlation ID in the Main log, but this requires a manual configuration. For detailed information, see Correlation ID for better traceability.

New

AI-19450

The correlation ID can now be provided with the HTTP Request Information Map value provider. This allows further use of the correlation ID, e.g., in the Scriptable Step.

New

AI-17761

The Request Header Ticket Adder plugin contains a new property: Content Prefix. This optional property allows adding a prefix, such as "Bearer", to the header. The prefix is placed before the actual header content. For example: X-AUTH-TICKET: Bearer <token content>

New

AI-18232

It is now possible to disable the Config Editor, by setting the iam.config-editor.enabled property in the instance.properties file to "false". In this case, the Config Editor is not started upon startup of the Adminapp, and the Configuration item is not visible in the menu of the Adminapp. By default, the Config Editor is still enabled (iam.config-editor.enabled = true).

New

AI-18618

The plugins JWT Ticket EC Verifier Settings and JWT Ticket RSA Verifier Settings are used to verify EC- or RSA-based JWT signatures, respectively. For the signature verification, the plugins use certificates with public keys that correspond to the private keys used for signing. Up until now, only keystores in p12 and jks format were supported. As of this release, public keys in PEM format are also supported, e.g., public_key.pem.

Improvement

AI-18586

The new property Escape Values in HTML allows escaping all HTML values in an email. It is enabled by default.

The following plugins provide the new property:

  • Flow-based Password Reset,
  • Send Email Link Step,
  • Email Message Provider,
  • Email Notification Step, and
  • Email Identity Verification Step.

The new Transforming Value Map Provider plugin supports the selective escaping of specific HTML values only. Together with the HTML String Escaper plugin, the new plugin applies transformations of HTML strings to all values provided by a configured list of value provider maps.

For more information, see Escaping HTML values in emails.
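An added example (not Airlock IAM code) of the two behaviours this entry describes: escaping every value placed into an HTML email by default, and leaving an explicitly allow-listed key unescaped for the selective case. The template, the value keys and the sample values are constructed.

```python
# Added example, not Airlock IAM code: HTML-escape every value inserted into an
# HTML email template by default, with an allow-list of keys that stay verbatim.
import html
from string import Template

# Constructed template; $name placeholders mark where values are inserted.
EMAIL_TEMPLATE = (
    "<p>Hello $displayName,</p>"
    '<p>Reset your password: <a href="$resetLink">Reset</a></p>'
    "<p>$footerHtml</p>"
)

# Constructed values: displayName is user-controlled (e.g. self-registration)
# and carries injected markup; footerHtml is operator-authored HTML.
SAMPLE_VALUES = {
    "displayName": 'Bob <a href="https://phish.example.invalid">Verify</a>',
    "resetLink": "https://idp.example.invalid/reset?token=abc&lang=en",
    "footerHtml": "<b>Example Corp</b> support",
}


def escape_values(values, unescaped_keys=frozenset()):
    """Copy of the value map with every value HTML-escaped, except allow-listed
    keys. quote=True also escapes quotes, so values are safe inside href=""."""
    return {
        key: value if key in unescaped_keys else html.escape(str(value), quote=True)
        for key, value in values.items()
    }


def render_email(template, values, escape_all=True, unescaped_keys=frozenset()):
    """Render the template. escape_all=False reproduces the unsafe behaviour:
    user-controlled markup lands in the email verbatim."""
    safe_values = escape_values(values, unescaped_keys) if escape_all else values
    return Template(template).safe_substitute(safe_values)


if __name__ == "__main__":
    print(render_email(EMAIL_TEMPLATE, SAMPLE_VALUES, escape_all=False))
    print(render_email(EMAIL_TEMPLATE, SAMPLE_VALUES))
    print(render_email(EMAIL_TEMPLATE, SAMPLE_VALUES, unescaped_keys={"footerHtml"}))
```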

Improvement

AI-19261

The Config Editor can handle large plugins lists (> 1000 elements) more efficiently.

Improvement

AI-17838
AI-17199

Some dependency upgrades:

  • Airlock IAM has been updated to Java 21 (AI-17838)
  • Airlock IAM has been updated to Tomcat version 10.1 (AI-17199)

Bugfix

AI-19077

A reference to test-login-rest-openapi in the mapping templates for the Loginapp has been removed. By default, the OpenAPI specification is not referenced in the protected and public REST mappings and must be configured manually.

Bugfix

AI-19125

The structured Webserver and Access Log console output now writes the log timestamp in a time field, to be consistent with the Module Detail logs. The already existing field timestamp is preserved for backwards-compatibility.

Bugfix

ALIAM-19422

Some values entered in the Config Editor were blocked by Airlock Gateway. This issue has been fixed.

Bugfix

AI-19499

Fixed the configuration migration from 7.7 to 8.0. Now, the OAuth 2.0 Client Credentials Grant configuration is correctly migrated.

Bugfix

AI-19518

The search in the Config Editor could be used to guess values of sensitive properties. This bug has been fixed.