Release Notes

What's New in Version 4.2

oxd 4.2 includes architectural changes as well as various bug fixes and improvements:

Fixes / Enhancements in 4.2.0

  • #503 Add bindhost with default value localhost
  • #499 Passing Request Object by Value and Request Object by Reference in Authorization Request
  • #495 Use WebFinger (RFC7033) and OpenID Provider Issuer Discovery to determine the location of the OpenID Provider
  • #501 Correct security alert in test dependency
  • #57 UMA protection for oauth2 hack
  • #458 Add border around error logs to highlight the errors
  • #486 Improve error message when client_secret is not returned by OP
  • #490 trust_all_certs feature in oxd-server.yml not working
  • #484 Upgrade oxd to log4j version 2
  • #478 Read jedis version from gluu-core-bom
  • #474 Configuration changes for oxd Windows service installer
  • #471 Set default sync_client_from_op and sync_client_period_in_seconds in RP for clients created using oxd version <= 4.1
  • #466 Support different AS for access_token validation (other than the one processing API call)
  • #441 Identify the invalid sub value and reject the UserInfo Response
  • #464 Make Bearer case insensitive in oxd
  • #449 Adding nonce request parameter to explicitly pass nonce value to Authentication Request
  • #453 Verify the c_hash presence in the returned ID token for "code id_token" and "code id_token token" hybrid flow
  • #454 Verify the at_hash presence in the ID_token for "id_token token" (implicit) and "code id_token token" (hybrid) flow
  • #451 Fix client registration request where response_types sent in ["code", "code id_token", "code token"] format instead of ["code", "id_token", "token"]
  • #439 Accept the ID Token after doing ID Token validation when id_token_signed_response_alg is none
  • #438 If iat value is missing from ID_TOKEN then ID_TOKEN should be rejected during validation
  • #440 Identify the missing sub value and reject the ID token
  • #442 If kid is absent in ID_TOKEN header then use the matching key out of the Issuer's published set
  • #374 Use cached mocked objects in OpClientFactoryMockImpl
  • #422 Upgrade oxd to use gluu-core-bom (the same as oxauth)
  • #364 Add support for proxy configuration
  • #430 Add support for JDBC connection to be able to connect to any RDBMS
  • #372 Performance: oxd under high load has problem with state validation
  • #423 Fix oxd after httpsclient upgrade in oxauth
  • #165 UMA : add creation and expiration resource support to oxd
  • #91 UMA 2: add custom redirect parameters to get_claims_gathering_url command
  • #158 change op_host config param to "op_discovery_uri"
  • #195 Migrate to swagger 3.0 once swagger-codegen has stable release
  • #126 Setup script for oxd
  • #128 Windows setup file needed for oxd service
  • #409 Add spontaneous scopes to oxd
  • #400 Check and add to validation missed steps if identified
  • #362 We need scopes explicitly passed into /uma-rs-check-access to have granular access handling
  • #384 Remove ability to set/update Pre-Authorization flag from oxd
  • #363 Introduce new /uma-rs-modify command to be able to modify existing resource
  • #402 Rename site -> rp except persistence
  • #403 Introduce Builder for Validator and remove JwsSignerObject
  • #390 Sync client from OP : Update oxd database by reading client
  • #396 Upgrade Dropwizard dependency from version 1.3.1 to 2.0.0
  • #389 HA: RpService should cache RP object for configurable amount of time (not indefinitely)
  • #388 Make h2 database username/password connection details configurable in yml file
  • #387 StateService keeps state and nonce in-memory which prevents HA of oxd
  • #182 Add tracing metrics to oxd server
  • #381 Refactor /register-site operation code
  • #379 Incorrect scopes are added when client is updated using /update-site command
  • #378 Rhel-7 package of oxd Does not purge the oxd db at /opt/oxd-server/data
  • #50 Provide fallback for all parameters
  • #210 Introduce ability to lock oxd to list of specific IDPs
  • #360 Create stress/load test which should cover all APIs with mocked OP
  • #162 Add description and oxdID to client metadata
  • #65 Return Signed JWT for get_user_info
  • #114 Hybrid flow : add ability to set response_type directly during authorization url request