Release Notes

Version 1.22.5

Released Saturday September 22nd, 2018

Fixed

  • If Setup Password is disabled because email is not configured or no template is selected during a User create that happens as a result of a full User Registration, a 500 will be returned instead of a 400 with the correct error message in the response body.

  • When a user is actioned due to reaching the failed login count threshold and a 409 response code is returned on the Login API, the JSON body was empty. Only subsequent login attempts would contain the JSON body which contained the actions. Now the first time the user reaches this threshold due to a bad password the JSON body will be returned along with the 409 status code.

Version 1.22.4

Released Thursday August 23rd, 2018

Fixed

  • In some circumstances the user.passwordChangeRequired field was not being set to false after a successful password change.

Version 1.22.3

Released Tuesday August 21st, 2018

Enhancements

  • When using more than one tenant some APIs will require a tenantId. This can be provided via an HTTP Header or an API key, when calling an anonymous API an API key is generally not provided and thus you would have to provide the tenantId on an HTTP Header. For consistency and ease of use, you may now optionally provide the tenantId via a locked API key on these APIs.

Version 1.22.2

Released Thursday August 16th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Changed

  • Minimum supported version of MySQL has been changed from 5.6.1 to 5.6.17

New

  • Multi-tenant support. While Passport is still fundamentally a single tenant solution, we now support a multi-tenant configuration within a discrete instance of Passport. This can help satisfy a use case where you wish to use Passport and you have a multi-tenant product and you need to allow multiple accounts with the same email address. Contact us at sales@inversoft.com if you’d like additional information on this feature. See the Tenant APIs and the Tenant tutorial for additional information.

Enhancements

  • The unique Id can now be provided in the UI when creating a User Action reason.

  • The Comment API now returns a JSON body on a successful response.

  • A User’s birthday may now be modified in the Edit User panel in the UI.

Fixed

  • When a User was already actioned and another attempt was taken to Action the User a 500 status code was returned instead of a 400.

  • The message indicating the License had expired was missing from the Login page so it was difficult to identify if login was failing due to a license expiration.

  • Added missing message to indicate a username or email was duplicated by an inactive user during User Create in the UI.

  • When a user does not have an email address defined, do not show the green checkbox in the Manage User panel indicating their email address has been verified.

Version 1.21.5

Released Sunday July 29th, 2018

Fixed

  • Running Passport Search Engine service on Windows may fail. This issue was introduced in version 1.21.3. The following exception will be produced when you encounter this issue.

Exception in thread "main" java.lang.IllegalArgumentException: Could not resolve placeholder 'ELASTICSEARCH_DATA_DIRECTORY'

Version 1.21.4

Released Wednesday July 4th, 2018

Fixed

  • When installing a new instance of Passport that requires you to complete the Setup Wizard, the form submit may fail with a 500 status code. This issue was introduced in version 1.21.3. If you encounter this issue, please upgrade or contact Inversoft Support and we will assist you.

Version 1.21.3

Released Thursday May 31st, 2018

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Fixed

  • Startup scripts can now handle Microsoft Windows line returns on passport.properties. Previously if you were to modify passport.properties on a Windows computer and then attempt to start Passport on a Linux or Unix based system the properties may not be parsed correctly causing Passport to fail during startup.

  • Setting the passport-search-engine.data-directory property in passport.properties may not be honored on Microsoft Windows.

Security

  • Upgraded JWT library to address a potential vulnerability of JWT validation.

Version 1.21.2

Released Monday April 2nd, 2018

Fixed

  • Email templates can now use more complex user data or registration attributes in branching logic.

    • For example accessing an attribute such as user.data.attributes['foo'] will now pass template validation.

Version 1.21.1

Released Thursday March 29th, 2018

New

  • Simplified workflow during create User or createRegistration that requires both a setup password email and a verification email.

    • When creating a new User, and Email Verification is enabled and you also request to have Passport send a Setup Password email as part of the User creation, Passport will now only send a single email instead of two. Only the Setup Password email will be sent to the User, and the User’s email will be implicitly verified when the use the changePasswordId sent in the email to set their initial password.

    • When creating a new Registration, and Registration Verification is enabled for the Application and you also request to have Passport send a Setup Password email as part of the Registration creation, Passport will now only send a single email instead of two. Only the Setup Password email will be sent to the User, and the User’s Registration will be implicitly verified when the use the changePasswordId sent in the email to set their initial password.

    • See Create a User API

    • See Create a Registration for an existing User API

    • See Create a User and Registration API

    • See Change Password API

Version 1.21.0

Released Friday March 23th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Internal

  • Internal changes

Version 1.20.0

Released Thursday March 15th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

New

  • Support offline_access scope during OAuth grant workflow. This scope will return a refresh token.

  • Support refresh_token OAuth grant to obtain a new access token using a refresh token using the Token endpoint.

Enhancements

  • Handle network changes during runtime to better handle development environments.

Version 1.19.2

Released Tuesday March 8th, 2018

Fixed

  • SMTP connection settings for Security type SSL will not function as expected.

Version 1.19.1

Released Tuesday March 6th, 2018

Fixed

  • Accessing Passport Backend using a local port with OAuth login

  • Actioning a User from the UI with a non temporal action such as 'Warn' was failing.

Version 1.19.0

Released Wednesday February 28th, 2018

Please Read

The Passport Frontend package is no longer available. Read the following release notes carefully and contact support@inversoft.com if you have further questions.

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Changed

  • The Passport Frontend webservice is no longer shipped as a separate webservice. All endpoints exposed in this webservice are now available in the Passport Backend webservice. If you were not using the OAuth 2.0 endpoints or other features of the Passport Frontend service, no change is required.

    • If you were previously using the Passport Frontend webservice it will continue to operate. At your earliest convenience update your email templates and other integration points to use these same endpoints in the Passport Backend webservice.

    • All passport-frontend.* properties in passport.properties are now deprecated

  • The Application Authentication Tokens feature added in 1.14.0 will be disabled for the Passport application.

  • The OAuth2 configuration for the Passport Application is now restricted and managed by Passport.

  • Removed SystemConfiguration.passportFrontendURL and SystemConfiguration.useOauthForBackend. The Passport Backend webservice now always uses the OAuth login provided by Passport.

  • Removed deprecated field User.verificationId

  • Soft enforcement of user count

Enhancements

  • The timezone selection during login has been removed to simplify the login workflow. Your timezone will be guessed based upon the location reported by the browser. Once logged into Passport backend you will have the option to edit your preferred locale when you edit your profile. Setting the timezone in your User profile will override the automatically selected value. The timezone is used to display dates and times in the Passport backend user interface.

  • All times displayed in the Passport backend interface will now include a Timezone suffix.

  • Better support for Cross-Origin Resource Sharing. See CORS reference documentation. Prior to this release all endpoints were allowed through the CORS filter.

  • Added Two Factor Trust. During login when the User is prompted for a Two Factor challenge the User may optionally indicate the device is trusted. This allows Passport to bypass the Two Factor challenge for a configured amount of time for this device. This feature is available for use by integrators as well on the Two Factor Login API.

New

  • Added additional configurable password constraint to require a number.

  • New OpenId endpoint /oauth2/userinfo

  • Support openid scope during OAuth grants

  • Additional externalIds used for Two Factor Trust and Authorize Grant timeouts

    • SystemConfiguration.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds

    • SystemConfiguration.externalIdentifierConfiguration.twoFactorTrustIdTimeToLiveInSeconds

  • New Password constraint, require number

    • SystemConfiguration.passwordValidationRules.requireNumber

Security

  • Upgraded JWT library to address a potential vulnerability of JWT validation. CVE-2018-1000125.

Version 1.18.1

Released Thursday January 4th, 2018

Fixed

  • A password validation bug.

Version 1.18.0

Released Tuesday December 19th, 2017

New

  • Add OAuth 2.0 Token Introspection as defined by RFC 7662

Version 1.17.0

Released Wednesday December 13th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

New

Enhancements

  • Usability improvements when enabling Two Factor authentication for a User using the User API.

    • If using TextMessage delivery the Two Factor secret will be automatically generated if not provided

  • Additional validation on User create and Update to enforce a mobile phone when attempting to enable Two Factor delivery with TextMessage as the delivery mode.

  • New database index to enhance the performance of retrieving a recent login report using the Login Report API.

Fixed

  • Testing Twilio configuration properly picks up the Messaging Service Id to ensure the configuration is correct.

  • CleanSpeak username filtering integration.

  • An expired license will still allow the UI to be rendered to display the correct message indicating the license status.

  • A Passport admin user with user_manager role can now properly manage group memberships and application registrations.

Version 1.16.2

Released Monday November 20th, 2017

Enhancements

  • Allow configuration of the time to live for each type of external identifier. See the System Configuration API.

Version 1.16.1

Released Friday November 17th, 2017

Compatibility

  • For backwards compatibility with pre 1.16.0 installations, allow the Retrieve User by Verification Id to work with a Change Password Id.

Version 1.16.0

Released Tuesday November 14th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

New

Enhancements

  • JWT payload now contains a new claim named email. See JSON Web Token Payload.

  • Additional UI actions will add the old and new values to the audit log data when editing the object.

    • Email templates

    • User Actions

    • User Action Reasons

Changed

  • user.verificationId is now deprecated on the Update a User API. If required, prefer using changePasswordId on the Start Forgot Password API.

  • Forgot Password API response now contains changePasswordId instead of verificationId

  • Email templates will no longer utilize the ${user.verificationId}, existing templates have been migrated to use ${verificationId}

  • The Retrieve a User by Email Verification Id is now separated into two separate APIs to remove ambiguity. When using this API to retrieve a User as part of the Change Password or Forgot Password workflow use Retrieve a User by Change Password Id.

Fixed

  • Edit role dialog may not correctly set the state of toggles for Default and Super role.

Version 1.15.0

Released Friday September 15th, 2017

New

  • Added Kafka integration to support sending Webhook events to a Kafka topic.

  • Added id and createInstant fields to all Events. See Events.

Fixed

  • Modifying a Webhook in the UI and changing the Webhook to apply to Applications when Applications are still selected failed to save changes.

  • Passport Frontend (OAuth) default theme style had a broken link to the Inversoft Stylesheet.

Version 1.14.0

Released Thursday August 31st, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

New

Enhancements

  • JWT payload now contains a new claim named authenticationType. See JSON Web Tokens Custom Claims. This new claim identifies how Passport has authenticated the User.

Version 1.13.2

Released Wednesday August 23rd, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Enhancements

  • Added index on user.parentId field to improve re-index performance.

  • User Search in the UI will sort based upon search relevance unless column sort is selected. This will generally provide a more appropriate sort order.

Version 1.13.1

Released Tuesday August 15th, 2017

New

Version 1.13.0

Released Tuesday August 8th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

New

Internal

  • Upgraded Freemarker to 2.3.26

Version 1.12.0

Released Tuesday July 18th, 2017

New

Version 1.11.2

Released Friday July 7th, 2017

  • Support both application/zip and application/octet-stream for import zip upload

Version 1.11.1

Released Friday July 7th, 2017

  • Added password support for encrypted zips during Stormpath import

Version 1.11.0

Released Monday July 3rd, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

New

  • Added Twilio integration to support SMS push notification for two factor challenge

  • Added Integration API

  • Support for Import plugins.

Changes

  • CleanSpeak configuration moved from System Configuration to Integrations in Passport Backend.

  • CleanSpeak configuration removed from the System Configuration API and added to the new Integration API.

Version 1.10.4

Released Thursday June 8th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Search Index Rebuild

A major version upgrade of Elastic Search requires a full rebuild of the user index. This will be done automatically on startup, this may cause additional load on the system until completed.

New

  • New webhook events.

    • jwt.refresh-token.revoke. This event can be used for revoking JWTs before they expire.

    • jwt.public-key.update. This event occurs when the RSA Public Private Keys are modified for a JWT configuration.

  • Support for HMAC SHA-256 Password Encryption Scheme. This is primarily provided for migration support.

  • The Minimum Password age can now be configured to limit brute force attacking and circumventing password re-use.

  • The last N passwords can be remembered to restrict password re-use.

  • Added Retrieve an Audit Log API to retrieve a single Audit Log by Id.

Enhancements

  • Testing the Webhook from the Management Interface allows testing for most user events even when disabled for the webhook.

  • Performance improvements to the Import Users API and the search index operations.

  • Upgraded to Elastic Search 5.3.4 and moved from the native Java Transport Client to the Java REST client. This adds compatibility between Passport and future Elastic Search versions.

  • The Audit Log API can take the old and new value for changes and an optional reason message.

Changes

  • Due to the upgrade of Elastic Search, there are now limitations on sort fields on the Search for Users API. These are enforced and validated on the API request, however it is possible there are fields previously allowed as sort fields that will no longer be supported.

Version 1.9.4

Released Wednesday April 19th, 2017

New

  • New Bulk Delete Users API

  • Command line utility to hash plain text passwords prior to bulk importing users.

  • Default Password Hashing Scheme can be configure in the Passport Backend management interface.

  • Password Hashing Scheme can be modified during next user login to match the configured default.

Enhancements

  • Import Users API allows for existing users in the database

  • Testing the Webhook from the Management Interface remembers previously tested endpoint and will send a test event even when the event type is not globally enabled or enabled for the specific webhook.

Fixed

  • Creating an Application and specifying webhook Ids when the Webhook is already configured now works properly.

Version 1.9.3

Released Monday March 14th, 2017

Enhancements

Version 1.9.2

Released Monday March 13th, 2017

New

  • Added /api/jwt/issue to allow an access token (JWT) to be issued to a new application using an existing access token. (SSO)

Fixed

  • When using Passport Frontend SSO with multiple applications a user authorizing to a second application may still be prompted for credentials.

  • The possibility exists that an expired Refresh Token could be returned by the Login API.

Version 1.9.1

Released Thursday March 9th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

Enhancements

  • Transactional events such as create, update, delete user will return a specific 504 error code instead of 500 when the transaction fails.

  • Authenticate a User Clarified API response codes for Email Verification required (412) and License Exceeded (429).

  • Logout API takes two additional optional parameters. A refresh token may be provided on the request in place of a cookie, and a global parameter to revoke all refresh tokens.

  • Password Change causes all refresh tokens to be revoked.

  • Revoke Refresh Tokens All tokens for a User or Application may be revoked at once with an API key.

Version 1.9.0

Released Tuesday February 28th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Fixed. A user action that prevents login must be temporal.

  • Fixed. Viewing Trusted Devices from the Manage User panel in the UI may fail.

  • Enhancement. Add the refresh token to the HTTP response body in addition to the existing cookie on a successful login.

  • Feature. Added transaction support for user actions and webhook events. You can now manage whether or not webhook endpoints need to successfully respond to events.

  • Feature. Added a webhook endpoint testing system for developers to quickly test webhook event handlers.

  • API. Add [DELETE] /api/jwt/refresh

Version 1.8.2

Released Saturday February 18th, 2017

  • Fixed. Allow the insertInstant for a registration on the Import Users API.

  • Fixed. Passport applied User Actions may cause a rendering failure of the manage user page.

Version 1.8.1

Released Tuesday January 31st, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Fixed. If CleanSpeak integration is enable in System Settings and CleanSpeak is not reachable an error may occur when adding or editing an Application.

  • Enhancement. When no request origins are defined the /oauth2/authorize endpoint will allow any request origin. This essentially allows the request origin enforcement to be disabled.

  • Enhancement. Additional roles for the provided Passport application.

  • API. Add IP Address to the Login Request for the Login API. Previously the X-Forwarded-For was utilized.

  • API. Added isSuperRole to the Application Role.

  • Internal. Added X-Frame-Options: DENY header for all Passport-Frontend HTTP responses.

  • Internal. Upgraded from Apache Tomcat 8.0.12 to 8.5.9.

  • Internal. The version is no longer used in the path name inside of the installation packages for Apache Tomcat and ElasticSearch

Version 1.7.0

Released Thursday January 5th, 2017

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Fixed. Null Pointer Exception logged by UserActionEndNotifier scheduled service.

  • Fixed. If CleanSpeak integration is enable in System Settings it cannot be disabled and may cause an error when adding a new Application.

  • Enhancement. Add insertInstant to the User.

  • Enhancement. User Search can be sorted by insertInstant

  • Enhancement. Display create instant for user and registrations on the Manager User page.

Version 1.6.2

Released Thursday December 29th, 2016

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Feature. JWT Support.

    • New APIs

      • /api/jwt/validate Validate a JWT and return a new JWT with an updated expiration.

      • /api/jwt/refresh Use a refresh token to exchange for a new JWT

      • /api/jwt/public-key Return public keys used for JWT verification

    • Updated APIs

      • /api/login [POST] does not require an API key and the success response returns a JWT

      • /api/user [GET] and [PUT] are allowed using a JWT as an alternative to an API key

      • /oauth2/token The returned Access Token is a JWT, the Password Grant flow is now supported.

  • Feature. Too Many Failed Authentication Attempts Action.

  • Feature. Enhanced User Search. Results are sortable and may be limited by Application registration and Role.

  • Feature. Add X-Frame-Options=DENY header to default Passport Frontend templates.

Version 1.5.2

Released Tuesday October 4th, 2016

Version 1.5.1

Released Monday September 19th, 2016

  • Fixed. Creating a user through the Passport Backend management interface returns an unknown error when attempting to create a duplicate when the existing user is inactive.

  • Fixed. Add validation for Import Users API when providing an existing password encryption scheme.

  • Fixed. Add default value for optional parameter passwordLastUpdateInstant on Import Users API when providing an existing password encryption scheme.

Version 1.5.0

Released Thursday September 8th, 2016

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Fixed. Once the license expired a infinite redirect caused the login page to not be displayed. The user will now see a message indicating the license is expired.

  • Added support a child account without an email to initiate the Forgot Password workflow and utilize the parent’s email address.

  • Usernames are now handled case insensitive.

Version 1.4.1

Released Wednesday August 10th, 2016

  • Fixed. Maintenance mode may fail due to a typo in a template.

  • Enhance mobile support.

Version 1.4.0

Released Friday August 5th, 2016

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Better support for logging in with username or email. See /api/login.

  • Display user data and registration user data from the User Details if available.

  • Global password expiration configuration

Version 1.3.0

Released Tuesday July 26th, 2016

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Add Gravatar support

  • Add additional Password Encryption schemes and add a factor to modify iteration count.

    • PBKDF2

    • Bcrypt

  • Change default password hash to PBKDF2

  • Added a viewable dialog for user data

  • Daily active users analytics available for the current day.

  • Monthly active users analytics available in the current month.

Version 1.2.1

Released Wednesday June 29th, 2016

  • Fixed metric call back.

Version 1.2.0

Released Tuesday June 28th, 2016

  • Moved email configuration from passport.properties to a UI configuration in Passport Backend

  • Improved Totals Report to provide additional explanation of the metrics.

Version 1.1.0

Released Friday May 13th, 2016

Database migration

The database schema has changed and an upgrade is required for this version of Passport. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.

  • Add CodeMirror for Email template editor to provide HTML / JavaScript and CSS highlighting.

  • COPPA support for parent / child account relationship

  • Fixed: Email address mixed case issues. All email addresses are now normalized to lowercase.

Version 1.0.9

Released Monday March 14th, 2016

  • Internal library updates.

Version 1.0.8

Released Friday March 11th, 2016

  • Internal library updates.

Version 1.0.7

Released Tuesday February 10th, 2016

  • Updated Random Number generation strategy for generating two factor secret to reduce wait time on Linux systems.

  • Enable the Status API.

Version 1.0.6

Released Friday January 22nd, 2016

  • Enhanced ability to preview templates when using FreeMarker built-ins.

Version 1.0.5

Released Wednesday January 20th, 2016

  • Bug fixes and other internal improvements.

  • Added feature to allow customers to send logs to Inversoft.

Version 1.0.4

Released Saturday December 26th, 2015

  • Bug fixes and usability improvements.

  • Enhanced maintenance mode provides database configuration options.

  • Add Passport Frontend maintenance mode to accept license and backend connection information.

Version 1.0.3

Released Tuesday November 24th, 2015

  • Bug fixes and usability improvements.

Version 1.0.2

Released Tuesday November 10th, 2015

General availability release.