Changelogs

4.19.0

Date: 19.10.2023

Keycloak Core Version - 19.0.3

Added

  • Added a component named IDP Scheduler, through which IDP events are streamlined for the auditing process and the performance of the Scheduler is improved.

Fixed

  • In the KOBIL Cookie authenticator, the user's AST ClientId is now validated along with the token.

  • Fixed the performance issues and Infinispan timeout problems that occurred when clicking the "Consents" tab.

4.18.1

Date: 29.09.2023

Keycloak Core Version - 19.0.3

Added

  • Masked UUID has been added to the log of OTP Brute force info for KOBIL Email Verification, KOBIL Phone Verification and KOBIL Verify User Identity.

Changed

  • Usernames and email addresses are now masked in the logs of OTP Brute Force Information for the KOBIL Email Verification, KOBIL Phone Verification, and KOBIL Verify User Identity authenticators.

Fixed

  • In the KOBIL Verify authenticator for the kobil-v2 theme, when the pooler is down, a "Service unavailable. Please try again later!" error message is displayed instead of polling infinitely.

  • On the "Login with Email" page, when a user enters an invalid email ID, the app displays the 'Invalid Email address' popup in the KOBIL AST TMS authenticator.

  • In the KOBIL PAM authenticator, when a user is restricted from logging in with an email ID shared by several users, a "multiple users with same email" error message is displayed.

  • In the Account - KOBIL Change Password authenticator, after completing the change password flow, the user is redirected to the URL configured in the Login Url configuration.


4.18.0

Date: 01.09.2023

Keycloak Core Version - 19.0.3

Added

  • Implemented two authenticators named KOBIL KeyPass Login and KOBIL KeyPass Registration. These authenticators utilize an NFC tag for user registration and login flow.

Changed

  • On the TMS popup page, time format has been changed in the KOBIL AST TMS authenticator.

Fixed

  • In the KOBIL AST TMS authenticator, the title on the TMS popup page did not match the design. This has been fixed.

4.17.0

Date: 21.08.2023

Keycloak Core Version - 19.0.3

Added

  • Added an authenticator called KOBIL AST Client Properties to update the device details in AST.

  • Added the following configurations in KOBIL AST TMS authenticator.

    • Display Stale Device Cleaner Popup, which notifies the user of a device name that has already been registered in the AST.

    • Enable Update MLoA, which decides whether device authentication levels are updated or not.

  • Display Remaining Attempts has been added to the KOBIL Username Password Form authenticator. It shows the remaining credential input attempts before the user is locked out by Brute Force protection.

  • A mask_character key has been added in General Settings for masking the phone number.

  • Added kobil v3 support for the Consent Screen.

Fixed

  • In the KOBIL AST TMS authenticator, an unlinked device was still listed in the TMS transaction even after being deleted from the AST.

  • In the KOBIL Magic Link authenticator for the headless-v2 theme, users were restricted from resending the Magic Link.

  • In the KOBIL AST TMS authenticator, an invalid error message was displayed when users were locked or tried to log in with unlinked devices.


4.16.0

Date: 10.08.2023

Keycloak Core Version - 19.0.3

Added

  • Huawei platform support has been implemented in the "Get app setting" and "Update app setting" APIs.

  • Technical Workspace User role and QR flow are included in the Partial Import.

  • Infinispan cache eviction and expiration policy can be configured via charts.

Default Configuration:

      dist:
        lifespan: "259200000"
        volume: "300000"
        strategy: LRU
      sess:
        volume:
          offlineUser: "300000"
          offlineCli: "300000"
        lifespan:
          offlineUser: "259200000"
          offlineCli: "259200000"

Fixed

  • Fixed the following issues in the Login with QR/Email page:

    • The error message shown when an invalid email is entered in 'Sign in with email' has been updated.

    • The user was able to zoom in and zoom out of the screen.

    • When the screen was minimized, text overlapped at the bottom of the webpage.

    • The website screen was not properly optimized for viewing in a mobile browser.


4.15.3

Date: 03.08.2023

Keycloak Core Version - 19.0.3

Added

  • Added an API named Update App Settings which is used to update the app settings details which are configured in the realm settings.

  • Clear user sessions configuration is added in KOBIL Configure Password. This option is used to decide whether users will be automatically logged out or not after changing their password.

  • In the Realm Settings, the skipLogout key is introduced to retain the ongoing user session for specific client IDs after a password change; all other sessions are cleared.

  • Added OTP BRUTE FORCE feature in the Magic Link authenticator, which is used to restrict the resend email option after reaching the maximum limit of sending emails.

Fixed

  • The ENTER button functionality has been enabled to execute page actions in the Kobil V2 theme for Username Password Form authenticator.

  • In the KOBIL Magic Link authenticator, only the last received email will be valid.

Removed

  • Client name configuration has been removed from the KOBIL Magic Link authenticator.

4.15.2

Date: 21.07.2023

Keycloak Core Version - 19.0.3

Added

  • In the KOBIL AST TMS authenticator, added a configuration called Reset flow if user aborts. When the TMS flow is cancelled, it redirects the user to the Username Password request page. It is supported for the kobil v2 theme.

  • IS_SHIFT_LITE environment variable is added to stop the system from calling the SCP service providers and SCP connector.

  • Headless V2 theme support and Client name configuration is implemented in KOBIL Magic Link authenticator. Client name is used to perform necessary actions using different themes.

Changed

  • Previously the app name was displayed in the KOBIL AST TMS authenticator; now the device name is displayed, fetched from the "AST client management" service using the Get Linked Clients By User Id API.

  • The copyright notice "© Copyright 2021 - KOBIL GmbH" is updated to the current year.

Fixed

  • When generating an access token with an offline refresh token and a user does not have a current online session associated with the refresh token, a user session is not created in the IAM.

  • When KOBIL Cookie authenticator is configured as alternative, users were not restricted from logging in when no token was passed in the header.

  • After cookie validation in KOBIL Cookie authenticator, the custom Authentication Method Reference (AMR) value is not being successfully updated in the access token.

  • ID Card login failed in the KOBIL ID Card Login authenticator.


4.15.1

Date: 14.07.2023

Keycloak Core Version - 19.0.3

Fixed

  • Resolved issues with some of the APIs in the idp core job.

4.15.0

Date: 07.07.2023

Keycloak Core Version - 19.0.3

Added

  • The Use OTP Bruteforce Global Settings configuration applies the IAM's default OTP brute force logic in the KOBIL Email Registration authenticator.

  • In KOBIL Register Security Question authenticator, added a configuration called Registration Policy Regex Info Text. It is used to configure the message which will guide users when their answer does not match the specified criteria.

  • KOBIL Verify User Identity authenticator now includes a new configuration option called Is Captcha Required to support the reCAPTCHA.

  • Magic Link Email Subject configuration is added in KOBIL Magic Link authenticator to configure the subject of the email.

  • A new required action called Kobil Update Password has been added.

  • MAGIC_LINK_LOGIN_URI key is added in the Realm Setting for redirecting the user to Login page, while using KOBIL Magic Link authenticator.

  • When the Allow Login Directly with Magic Link configuration is enabled in KOBIL Magic Link authenticator, the Magic Link will display an expiration time.

Changed

  • The cloud-connector-client version has been upgraded from 4.1.0 to 5.0.0.

  • The action of setting the ACR value to zero in the KOBIL Condition - ACR Selection authenticator has been removed when the email is not verified.

  • When the reset password configuration is enabled, success page will be displayed in the KOBIL Magic Link authenticator.

  • The submit button in the "Verify Captcha" page will be disabled until captcha verification is successful.

Fixed

  • To prevent the creation of an admin user without credentials during Realm creation, the option to create an admin user has been removed.

  • "PhoneNumber Verified" page was not displayed when Show Phone Confirmation is enabled in KOBIL Phone Registration authenticator.

  • In the KOBIL Register Security Question authenticator, an invalid error message was displayed if the configured question count was lower than the "Number of Questions to be Registered".

  • The minor alignment issue in the transaction cancellation screen of KOBIL AST TMS authenticator, within the kobil-v2 theme, has been resolved.

  • Resolved an issue, where the user was unable to get the access token using a refresh token with the scope of offline access when an offline client session was not present in the cache.

Fixed Vulnerability

  • CVE-2023-2422 - The issue of improper validation of the client certificate chain for OAuth/OpenID clients has been resolved.

Removed

  • The KOBIL Cloud Connector URL configuration is removed from the following Authenticators:

    • KOBIL Login
    • KOBIL OTP
    • KOBIL Verify
    • KOBIL PAM
    • KOBIL OneShot
    • KOBIL QR

Components Updated

  • Connector Version: kobil-cloud-connector: 5.0.0.
  • Pooler Version: kobil-cloud-pooler: 5.0.0

4.14.0

Date: 27.06.2023

Keycloak Core Version - 19.0.3

Added

  • An istio-proxy sidecar is added to support the idp-core pod.
    • The istio-proxy sidecar can be enabled manually, after that PeerAuthentication resource is created.
    • The created PeerAuthentication resource ensures that mutual Transport Layer Security (TLS) is enforced on all ports of the idp-core pod except for ports 8443, 8444, and 9990.
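The PeerAuthentication resource described above, written out as an added illustration (this is not the resource generated by the IDP chart). Assumptions: the idp-core pod carries the label app: idp-core in namespace idp, and the three excluded ports are set to PERMISSIVE so non-mesh clients can still reach them while every other port requires mesh mTLS.

```yaml
# Added illustration, not a resource shipped by the IDP charts.
# Assumed: selector label app: idp-core, namespace idp, PERMISSIVE mode on
# the excluded ports (the changelog only states that mTLS is not enforced there).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: idp-core-mtls
  namespace: idp
spec:
  selector:
    matchLabels:
      app: idp-core
  # Default for every port of the idp-core pod: only mesh mTLS traffic is accepted.
  mtls:
    mode: STRICT
  # Port-level overrides for the ports the changelog excludes from enforcement.
  portLevelMtls:
    8443:
      mode: PERMISSIVE
    8444:
      mode: PERMISSIVE
    9990:
      mode: PERMISSIVE
```

After applying it, `kubectl get peerauthentication -n idp` should list the resource, and a plaintext request to any port other than 8443, 8444 or 9990 from outside the mesh should be rejected.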

Changed

  • Allowed admin APIs to work on port 8080.

4.13.0

Date: 22.06.2023

Keycloak Core Version - 19.0.3

Added

  • App Store (IOS) link has been added in the QR page for kobilv3 theme.

  • groups attribute has been added to Create User API, used to add the user for a particular group while creating a user.

  • Added support for the static OTP verification with test_users role in KOBIL Phone Verification authenticator.

Changed

Breakthrough
  • smart-dashboard theme has been renamed as kobil-portal.

Fixed

  • In KOBIL Magic Link authenticator, fixed the appearance of "blank screen" when users tried to open the same link in multiple tabs within the same session.

  • In the KOBIL Username Password Form authenticator, resolved the invalid error message that occurred when a user tried to log in without credentials in the kobil-headless-v2 theme.

  • In the KOBIL User Password Registration authenticator, resolved the error message that occurred when the "new" and "confirm" password fields were submitted empty in the kobil-headless-v2 theme.

  • In KOBIL Phone Registration authenticator, fixed the "Internal Server Error" when "Resend code" button is clicked in the OTP request page.

  • In Account - KOBIL Change Phone authenticator, resolved the "Internal Server Error" which occurred while verifying the phone number.

  • Resolved an issue in the KOBIL AST TMS authenticator's TMS Timeout configuration: a one-minute duration was displayed on the device list page when 'TMS Timeout' was configured below 59 seconds.

Removed

  • The following configurations are removed from KOBIL Oneshot authenticator:
    • KOBIL Service Username
    • KOBIL Service Password
    • KOBIL Management Username
    • KOBIL Management Password

4.12.0

Date: 15.06.2023

Keycloak Core Version - 19.0.3

Added

  • The Enable broadcasting TMS configuration is added in the KOBIL AST TMS authenticator. It initiates the transaction for the most recently logged-in or activated device.

  • Added AST support for KOBIL QR authenticator.

  • Added the kobilv3 theme for the TMS transaction and QR scanning page.

Removed

  • SSMS device property configuration is removed from the KOBIL QR authenticator.

4.11.1

Date: 13.06.2023

Keycloak Core Version - 19.0.3

Fixed

  • API calls for the AST login were not triggered during subsequent login attempts.

4.11.0

Date: 08.06.2023

Keycloak Core Version - 19.0.3

Added

  • The Redirect URI configuration is added in the KOBIL Magic Link authenticator; it configures the URI to which the user is redirected after authentication.

  • Added the following filter options in Get User By User Group and Get Users Based On Client Role APIs:

    • fromDate fetches users whose createdTimestamp (in milliseconds) is on or after the given date.
    • toDate fetches users whose createdTimestamp (in milliseconds) is on or before the given date.
    • genericSearchValue can also be used to filter based on the user ID.

Fixed

  • In the KOBIL Register Security Question authenticator, an "Invalid Answer" message was displayed when the value configured in Number of Questions to be Answered exceeded the number of questions configured in the JSON Script. This has been fixed by using the minimum of Number of Questions to be Answered and the number of questions specified in the JSON Script configuration, in the kobil-headless-v2 and KOBIL V2 themes.

  • In the KOBIL Phone Verification authenticator, the resend OTP button remained enabled even though the time to wait before resending the OTP had not elapsed. The resend OTP button is now disabled until the required time has passed.

Changed

  • Minimum Number of Answers configuration has been renamed to Number of Questions to be Answered in KOBIL Register Security Question authenticator.

Fixed Vulnerability

  • CVE-2022-4492 - The Undertow client did not check the server identity presented by the server certificate in HTTPS connections. Updated Undertow to version 2.2.24.Final.

4.10.0

Date: 07.06.2023

Keycloak Core Version - 19.0.3

Added

  • Added KOBIL Condition - User Role authenticator to verify multiple Roles of the user.

  • Delete AST Devices API has been added, with that users can unlink their AST device(s).

  • Added the createdTimestamp parameter to the responses of the Get User By User Group, Get Users Based On Client Role and other Users APIs to provide each user's creation time. This parameter can be used to sort the user list in ascending or descending order of creation time.

  • In the KOBIL Cookie authenticator, a user can now be activated automatically with a null Client ID and log in with the AST Client ID.

Fixed

  • Fixed an issue in the Get Users Based On Role API, where the isUserEnabled parameter did not filter the users when enabled.

  • Fixed an issue in Super App, where users were not deleted from Super App Users even though the "Deleted" message was displayed.


4.9.1

Date: 25.05.2023

Keycloak Core Version - 19.0.3

Added

Added the following configuration in KOBIL AST TMS authenticator:

  • Enable TMS Push Notification - If enabled, the contents configured in Push notification title and Push notification body are sent.
  • Skip Device Selection - If enabled and a device ID is present in the header, the device selection step is skipped.

Fixed

  • Fixed an issue in the Delete Tenant API, where attempting to delete a tenant failed because client policy restrictions prevented the deletion from completing successfully.

  • Fixed an issue in the KOBIL Delete Account authenticator on the delete account screen: when users tapped the "Delete My Account" button, the app started to shimmer instead of deleting the account and redirecting to the home screen.

Changed

  • The AST_ADMIN_CLIENT_SECRET key is now optional in the Realm General Settings.

4.9.0

Date: 23.05.2023

Keycloak Core Version - 19.0.3

Known Issue

  • When attempting to delete a tenant using the Delete Tenant API, the deletion fails because client policy restrictions prevent the deletion process from completing successfully.

Added

  • Added a KOBIL AST Claims authenticator in which current ACR and AMR values are calculated and stored in the session.

  • Added ecdsa-ibm-hsm key provider in Keys tab to ensure security.

  • Added Retarus email provider in Email tab to send the email.

  • The Reset Bruteforce failure count parameter is added in the Kobil Email Verification authenticator. If enabled, the OTP failure count is reset to 0 after a successful login.

  • The Enable BruteForce Check parameter is added in the KOBIL Cookie authenticator. If enabled, an error page is displayed when the user is locked by brute force protection.

  • Added the following configuration in KOBIL AST TMS authenticator:

    • Execute based on ACR flow type - If enabled, execution is based on the session data.
    • Web portal device name - Configure the device name to be displayed in the web portal.
    • Push notification title - Configure the message key of the push notification title. The value is fetched from the Realm localization with locale support or from the message bundle, and the actual title text is sent to the Master device.
    • Push notification body - Configure the message key of the push notification body. The value is fetched from the Realm localization with locale support or from the message bundle, and the actual text is sent to the Master device.
    • Skip If No Target ACR Devices - If enabled, the transaction is skipped when no device with the target ACR exists.
    • Skip JSON Script - If enabled, the JSON script is not displayed.
  • Added the following configuration in KOBIL Configure Password authenticator:

    • Password Page Title - Configure the content to be displayed in the title of the Password Page.
    • Password Page Header - Configure the content to be displayed in the header of the Password Page.
    • Disable Brute force general error page - If enabled, the brute force error message is displayed on the customised theme page instead of the general error page.
    • Password Validation Error Page Header - Configure the header message to be displayed on the password validation error page.
    • Success Page Action - Select the flow to continue with after the success page.
    • Redirect URL after Success - Configure the URL to redirect to after the success flow. Applies only when the redirect option is selected in the Success Page Action configuration.
    • Auth Flow Cancel Deep link - Configure the deep link to redirect to when the user aborts the flow.
    • New Password PlaceHolder - Configure the placeholder text of the new password field.
    • Password Page Submit Button Caption - Configure the caption of the submit button on the password page.
  • Added the following parameters in KOBIL Verify Password authenticator:

    • Biometric Verification Hyperlink - Configure the link to redirect for biometric verification.
    • Reset Credential Hyperlink - Configure the link to redirect for reset credentials.
  • Added the following parameters in Account - KOBIL Manage Devices authenticator:

    • AST Device Delete Action - Select the flow used to delete the device from AST.
    • Order Devices by - Select the order in which the registered devices are displayed to the user.
    • Show Success Page - Enable to show the success page in the flow.
  • Change password option is added in the Authentication Flow Type configuration in the following authenticators:

    • KOBIL Verify User Identity
    • KOBIL Phone Verification
    • KOBIL Email Verification
    • KOBIL Create Account
    • Condition - Email Verification
    • KOBIL Condition -ACR Selection
    • KOBIL Configure ACR
    • KOBIL Configure User Details
    • KOBIL Change Email
    • KOBIL eTan
  • Logging with OpenTelemetry has been enabled.

  • Added dependencies for the Eccelerate Core Crypto Toolkit.

  • Implemented a composite index on the fields listed below for faster data retrieval.

    Table                   Columns
    user_attribute          user_id and name
    offline_user_session    realm_id, offline_flag and last_session_refresh

Changed

  • Renamed the following configuration label in KOBIL Configure Password authenticator:

    • Show Success Popup Screen parameter to Show Success Page Screen.
    • Success Popup Title parameter to Success Page Title.
    • Success Popup Description parameter to Success Page Description.
  • The subject of the Test Connection Email has been changed to "E-MAIL test message".

  • The minimum heap size has been changed to 50.0 percent of the available physical memory.


4.8.1

Date: 19.05.2023

Keycloak Core Version - 19.0.3

Fixed

  • Fixed an issue in the KOBIL Register Security Question authenticator, where users were not prevented from registering security questions without providing answers on the Security Question Registration page.

  • Following issues are fixed in the KOBIL Validate Security Question authenticator on the Verify Security Question page:

    • In the kobil-headless-v2 theme, the user remained on the same page without an error message when an empty or incorrect answer was submitted.
    • In the KOBIL V2 theme, when an empty field was submitted, an "Invalid Answer" error message was displayed instead of the submit button being disabled.
  • Fixed an issue in the KOBIL Phone Registration authenticator, where data was not transferred from the authenticator to the FTL, which caused a UI issue.

  • Following issues are fixed in the KOBIL Phone Verification authenticator on the OTP Verification page:

    • The Resend Code button had a white font instead of a blue font in the KOBIL V2 theme.
    • In the kobil-headless-v2 theme, the 'PhoneNumber verification code mismatch, try again' message was displayed instead of the 'PhoneNumber verification code is empty' error message when the OTP field was submitted empty.
    • Users were able to register and verify a phone number without a region code.
  • Fixed an issue in the KOBIL Username Password Form authenticator in the kobil-headless-v2 theme, where spaces preceding or following the password were not treated as characters in the password field, which allowed the user to log in instead of rejecting the login.

Fixed Vulnerability

  • CVE-2023-0091 - A client could be registered using a revoked token of the Bearer type. Fixed by rejecting authentication requests that present a revoked token.

4.8.0

Date: 11.05.2023

Keycloak Core Version - 19.0.3

Added

  • Added a Kobil Captcha authenticator to prevent bot spamming.

  • The reset password configuration is added in the KOBIL Magic Link authenticator. If enabled, users can reset their password by clicking on the Magic Link; otherwise they cannot reset their password this way.

  • The reset password query parameter is added in the MAGIC LINK API. If set to true, the reset password option is enabled when the Magic Link is clicked.

  • Added Windows and macOS support for the Get App Settings API to fetch the app settings details.

Changed

  • In the MAGIC LINK API, the query parameters have been moved into a JSON request body and the method has been changed from GET to POST.

  • The user querying order has been changed from email first, then username, to username first, then email, for the authenticators listed below:

    • mPower Cookie
    • KOBIL Verify User Identity
    • KOBIL Oneshot
    • KOBIL Username Password Form
    • KOBIL Login

Fixed

  • Fixed an issue on the Phone Number Verification page of the KOBIL Phone Verification authenticator, where the user received the OTP after clicking the resend OTP button but a "Resend is not allowed" error message was displayed.

4.7.0

Date: 27.04.2023

Keycloak Core Version - 19.0.3

Added

  • Added the following configuration in the AST Login authenticator:
    • prompt user before unbind all - If enabled, a 'Confirmation screen' asks for confirmation before the device(s) are unlinked. If disabled, the device(s) are unlinked without the 'Confirmation screen'.
    • JSON Script - Configures the contents displayed in the Headless V2 theme when prompt user before unbind all is enabled.
  • If a user already exists in the session, only the password is required in the KOBIL Username Password Form authenticator.

Fixed

  • Fixed an issue in the unlinkAll configuration of the AST Login authenticator, where device(s) were still persisted in the user attributes of the IDP even though they had been removed in the AST service.

  • The Health status call is now blocked for SSMS. Previously, the Health status call was directed to both SSMS and AST.

  • Fixed an issue in the Kobil User Password Registration authenticator, where validation was not performed on the Password Registration page when Hash and store secret password was enabled. Password validation is now added.

Changed

  • Support tool audit page related event logs are moved to separate table.

4.6.0

Date: 20.04.2023

Keycloak Core Version - 19.0.3

Added

  • The Allow Login Directly with Magic Link configuration is added in the KOBIL Magic Link authenticator. If enabled, the user is authenticated via the link sent by email.

  • Added a Send Magic Link API to authenticate user through email via link.

  • Show success page configuration is added in KOBIL AST TMS authenticator, if enabled, it will display the success page after completing the TMS flow.

  • Select Default Region Code configuration is added in KOBIL Phone Verification authenticator, to select the default country flag to display in Phone Number page.

  • UnlinkAll configuration is added in the AST Login authenticator, which is used to unbind all the device(s) automatically.

Fixed

  • Fixed the following UI issues in KOBIL Username Password Form authenticator:
    • On the Update password page, password policy validation was not performed while entering the password when the password field was in focus.
    • On the Login page, the help desk link disappeared when a valid username and invalid password were submitted in the KOBIL V2 theme.
    • On the Update password page, the error icon and eye icon overlapped when the next button was clicked without values.
  • Fixed an issue, where transaction waiting screen keeps reloading until the TMS flow completes.

  • In Phone number verification page of KOBIL Phone Verification authenticator, the phone number is getting unmasked when the resend button is double submitted. This has been fixed.

Changed

  • Optimized the tailwindcss script execution to support multiple theme folders instead of a hardcoded login page.

4.5.1

Date: 13.04.2023

Keycloak Core Version - 19.0.3

Fixed


4.5.0

Date: 07.04.2023

Keycloak Core Version - 19.0.3

Added

  • Disable show previous input configuration is added in KOBIL Verify User Identity authenticator, which will be used by application for erasing the previously entered credentials.

  • Support added for Turkish character in Password field that is applicable for Registration, Change Password and Forgot Password flows in Headless V2 theme.

  • Added KOBIL - Store AST Headers To Session authenticator that will save the AST Client ID and Client Data present in the header to the session.

  • Added the following new APIs for Address feature:

    • Add Address API that will add the address for the given user.
    • Get Address API that will fetch the address of the requested user.
    • Edit Address API that will update the address of the requested user.
    • Delete Address API that will delete the address of the requested user.
  • The Read AST Client ID and Client Data from session configuration is added in the AST Login authenticator. If enabled, the AST Client ID and Client Data are taken from the session; otherwise, by default, the header is used as first priority and the session as second priority.

  • Query User From configuration is added in KOBIL Phone Verification authenticator, which will Query the user based on username or user attribute(phone_number).

  • JSON Script for Headless V2 theme configuration is added in KOBIL User Password Registration authenticator.

  • Token authentication is added for the Signer Certificate API and Recover Signer Certificate API.

Changed

  • In KOBIL Username Password Form authenticator, for KOBIL V2 theme, on clicking 'Forgot Password' option, if the Reset Credential URL is configured in the auth config, the user will be directed to the URL. If not, the validation will be taken from the Bindings tab. Previously, only the Bindings tab was validated.

Fixed

  • In the KOBIL Username Password authenticator, for the Headless V2 theme, a user who entered an invalid password more times than the configured count was not locked by brute force protection. This has been fixed.

4.4.0

Date: 27.03.2023

Keycloak Core Version - 19.0.3

Added

  • Added a new label 'Health' in KOBIL tab, that will sync with SCP Connector and display the status of the realm.

  • Added an API to fetch realm status from SCP Connector.

  • Added a 'Recover' button to recover the Signer certificate for a tenant and the certificates of identity users when they are not "ACTIVE".

  • Added kobil-helper module which holds all the generic functionalities which could be used by stakeholder projects.

  • Added support to create and pass KOBIL Custom Metrics in existing metrics endpoint.

  • Added a Get user by Phone Number configuration in KOBIL Phone Verification authenticator.

  • Added Enable Metrics, Custom Metrics Name and Custom Metrics description configuration in KOBIL Username Password Form authenticator.

Changed

  • Changed kobil-metrics-spi library version from 2.5.3 to 3.0.0 with added custom functionalities.

  • Optimized dockerfile to reduce layer and unwanted file compression and vice-versa.

  • Removed a few services from CI environments to reduce pipeline runtime:

    • Disabled SCP tests and deployment of SCP services.

    • Disabled deployment of payment services.

    • Disabled deployment of smartscreen services.

Fixed

  • Fixed an issue in SAML where assertion audience processing was interrupted with an error because of an illegal character.

  • Fixed the responsive issue in 'Reset Password' and 'Confirmation Email' screens for Smart Dashboard client.

  • Fixed an issue of displacement of Eye-icon UI in KOBIL Username Password Form when invalid credentials are submitted after JSON is edited.

  • Fixed an issue where no error message was displayed when the username and password fields of the KOBIL Username Password Form were rapidly submitted without a value.

  • In the KOBIL Username Password Form, the configured JSON Error Script was not displayed in the error message. This has been fixed.

  • Fixed an issue in KOBIL Phone Verification where invalid OTPs could be entered beyond the limit without the user being locked.

Deprecated

  • Removed Create User with Phone Number during phone registration configuration in KOBIL Phone Verification authenticator.

4.3.2

Date: 29.03.2023

Keycloak Core Version - 19.0.3

Changed

  • jre11-idp-core image reverted to 1.5.2 (java 11.0.17).

4.3.1

Date: 22.03.2023

Keycloak Core Version - 19.0.3

Fixed

  • In the PAM authenticator, the user querying order has been changed to username first, then email.

4.3.0

Date: 15.03.2023

Keycloak Core Version - 19.0.3

Added

  • Added the KOBIL Magic Link authenticator for 2FA verification.
  • Added the KOBIL Maintenance Page authenticator to display a static maintenance page.
  • Added the ask phone number every time if not verified configuration in the KOBIL Phone Verification authenticator.
  • Added Headless V2 support for the Username Password Form authenticator.
  • Added Headless V2 support for the KOBIL AST TMS authenticator.
  • Added support for taking the Form Title, Description and Button text from the JSON config for the KOBIL AST TMS dependent FTL in the KobilV2 theme.

Fixed

  • Fixed an issue in the TMS authenticator where a transaction was triggered when the browser back button was clicked.
  • The following issues are fixed in the Reset Your Password page of the Smart Dashboard:
    • The Update Password page was shown instead of the Error page during invalid state navigation.
    • An incorrect error message was shown while updating/creating the password in the 'New Password' / 'Confirm Password' fields.

4.2.2

Date: 13.03.2023

Keycloak Core Version - 19.0.3

Fixed

  • Fixed an issue where the Get User Devices API was available for all devices, not just the offline devices.

Fixed Vulnerabilities

  • CVE-2023-0264 - Allows an attacker to impersonate a user via a stolen UUID code.

4.2.1

Date: 01.03.2023

Keycloak Core Version - 19.0.3

Changed

  • Changed all AST related response models to accommodate AST Login version 4.5.0.

4.2.0

Date: 24.02.2023

Keycloak Core Version - 19.0.3

Added

  • Added the KOBIL Shift SuperApp flavour design for the OTP Verification Email.

  • Added support for Jaeger in the chart, which can be enabled via tracing enabled.

  • Added hyphen support for realm names in routes.

  • Added v3_user route - /auth/realms/[\w-]+/v3_user.

  • Added the Create User with Phone Number during phone registration configuration to the KOBIL Phone Verification authenticator.

  • Added a Verify Secret Password configuration to the KOBIL Username Password Form authenticator, along with a header for filtering by secret credential ID when Verify Secret Password is enabled.

Changed

  • Changed KOBIL Logo and Icons for Shift SuperApp Verification Emails (OTP/Link).

Fixed

  • Fixed a client mapper audience persistence issue.

  • Fixed an issue where the realm model cache was reset while calling dead-event related functions.

  • For the Smart Dashboard, fixed a UI issue in the 'New Password' / 'Confirm Password' page.

  • The MessageType 'smartScreenService' was not added to the chat API payload. This has been fixed.


4.1.1

Date: 11.02.2023

Keycloak Core Version - 19.0.3

Added

  • Added a restriction to the API auth/realms/master/v4_realm (HTTP method: GET): the API now returns a response only for the 'admin' user of the 'master' tenant.

  • Added a new environment variable AST_CLIENT_PROPERTIES_URL in the chart for the idp-core main container to specify the URL of the 'Ast Client Properties' service. This environment variable is controlled via ast.clientPropertiesService under values.yaml.

  • Added the config DISABLE_SAML_AUDIENCE_ASSERTION in realm settings to enable or disable the SAML audience assertion.

  • Added an optional field astClientId to the payload of the email verification API
    (https://<HOST>/auth/realms/<TENANT>/mail/<USER>).

Fixed

  • Fixed a cache issue when updating the scheduler's next runtime.

  • Skipped the lookup of the client service account when the feature is disabled, to optimize DB performance.

Fixed Vulnerabilities

  • CVE-2022-3782 - Path traversal via double URL encoding.

4.1.0

Date: 25.01.2023

Keycloak Core Version - 19.0.3

Added

  • Added KOBIL AST TMS authenticator to trigger multi-factor transaction to the user's device, where the user can accept/decline the transaction.

  • Added Start TMS API to initiate a transaction.

  • Added Get TMS API to get the updates on the initiated transaction.

  • Added Headless V2 theme support for KOBIL Phone Verification authenticator.

Changed

  • Changed validation for all SHIFT based Auth tokens, where if the Client Data or Client ID is invalid, the token will not be generated.

Fixed

  • Fixed an issue in the Support Tool search page where clicking the detail-view link threw an internal server error if the support client did not have the support-delete-user role.

4.0.0

Date: 22.12.2022

Keycloak Core Version - 19.0.3

Fixed

  • Fixed an issue where the Claims tab was functional for every type of tenant.

Changed

  • The functional changes that come with Keycloak 19.0.3 are noted below:
    • Upgraded Keycloak 15.0.0 to Keycloak 19.0.3.
    • The Step-up Authentication feature that Keycloak 19.0.3 enables by default has been disabled for backward compatibility.
    • The KOBIL customizations have not been added to the Keycloak V2 theme. Hence, the Keycloak V2 theme is disabled for the Account and Admin consoles.
    • This version (4.0.0) is based on the Wildfly distribution.

To know more about the Keycloak 19.0.3 migration, refer here.

Components Updated

  • ScpConnector Version: 0.9.0

  • Shift Chart Version: 0.59.0

  • Connector Version: kobil-cloud-connector:4.1.0

  • Pooler Version: kobil-cloud-pooler:4.1.0

  • DB: Postgres


3.4.0

Date: 07.12.2022

Keycloak Core Version - 15.0.0

Added

  • In the KOBIL eTan Authenticator, added SSMS support for the email verification flow; the realm type must be SSMS for it to be executed.

3.3.0

Date: 22.11.2022

Keycloak Core Version - 15.0.0

important

Known Issue

  • V4 support has not been added for the Update Tenant related APIs.

Added

  • In Partial Import, added support to import Required Actions, Realm Settings, Token Exchange Policy and Password Policy.

Fixed

  • Fixed an issue where the Username field was not auto-filled after accepting the account disable popup; it is now auto-filled.
  • In the Get User By Role API and Get User By User Group API, fixed the Total Records value so that it is calculated based on the search criteria. Previously, wrong values were calculated.
  • Fixed a startup script failure when the CUSTOM_THEME env is not set.

Changed

  • Added the following fields for Admin in Get Realm API :
    • adminEmailVerified
    • adminStatus
    • name
    • adminUsername
    • CreatedTimeOfTheUser

3.2.0

Date: 17.11.2022

Keycloak Core Version - 15.0.0

Changed

  • Changed Base Image for vulnerability fixes.

Fixed Vulnerabilities

Following vulnerabilities are fixed through Base Image update:

  • CVE-2022-1304  - libcom_err

  • CVE-2016-3709  - libxml2


3.1.0

Date: 29.09.2022

Keycloak Core Version - 15.0.0

Added

  • Added the Kobil Update User Profile required action, which allows the user to register or update first name, last name and password.

  • Added the Get User by UserGroup API to filter and search users based on the provided search values.

  • Added the following Authenticators:

  • Added the following authenticator config fields in the Delete Account Authenticator:

    • Verify User Identity - If enabled, the user has to verify his/her user identity value based on the option set in the User Identity Attribute config.
    • User Identity attribute.
    • User Attribute.
    • Invalid User ID message - The message to be displayed when the user identity validation fails.

Fixed

  • In the forgot password flow, the resend code timer for a non-existent user now behaves the same as for an existing user in the system.

  • Fixed the JWT Grant issue where the AMR values in the received response were comma-separated.

  • Removed JWT Grant support for the SSMS realm type.

  • In the forgot password flow, fixed an issue where submitting the email of a non-existing user showed an error screen. The flow now continues and the invalid user attribute is set to true.

  • In the GetUserByRole API, fixed the count in totalRecords. Previously, a wrong count was displayed.

Changed

  • The active user's email is no longer pre-filled in the email address field of the forgot password flow on a subsequent login.

  • The active user's email address is no longer displayed in the "check your email address" popup of the forgot password flow in the Shift SuperApp.

  • Included an email address field in the delete account flow of the Shift SuperApp and added field validation.

  • Optimized the hidden first factor to persist first factor values in the format hidden_first_factors_<astClientId> and to read them accordingly.

  • A new attribute capitalize, which when set to "true" capitalizes the first letter of the user's first name and last name in the Shift SuperApp registration flow.

  • In the Chat API, added a new field smartScreenServiceUuid and a new message type smartScreenService in the MessageContent request body.

  • Support for a new type, "UPDATE_USER_PROFILE", was added to the send email Digitanium API. It triggers an email carrying the identity of the sender which, when verified, leads to execution of the required action specified in the request.

  • The following authenticators persist and read the first factors:

    • Authenticators persisting the first factor: VerifyPasswordAuthenticator, ConfigurePasswordAuthenticator.

    • Authenticators reading first factor values: VerifyUserIdentityAuthenticator, KobilEtanAuthenticator, KobilChangeEmailAuthenticator.


3.0.0

Date: 12.08.2022

Keycloak Core Version - 15.0.0

important

Known Issue

  • A Gateway Timeout error is thrown during execution of the Realm Migration API, but the migration is nevertheless successful.
  • Previously the JWT token contained the amr values separated by spaces. In the current flow the AMR values are separated by commas, which causes issues in token validation.

Added

  • Introduced a new property - type for realms to differentiate if the realm is based on SSMS or AST services.

  • Added a new option in Create Realm page called Realm Type to specify if realm should be of type SSMS or AST.

  • In Realm Creation Core API and Digitanium API, added a new field in request body called type to specify if realm type is AST or SSMS. Default value for Realm creation will be SSMS.

  • Added new headers to the IAM Token Endpoint to support AST-based actions like Login or updating MLoA. This applies to all grant types of the Token Endpoint. The headers are:

    • X-KOBIL-AST-LOGIN-REQUIRED - true/false; acts as a toggle deciding whether the AST-based API calls are invoked.
    • X-KOBIL-ASTCLIENTID - Unique device ID.
    • X-KOBIL-ASTCLIENTDATA - Encrypted and encoded device information generated on the device.
    • When the header X-KOBIL-AST-LOGIN-REQUIRED is set to true and the AST-based actions succeed, the resulting access token contains a new claim astClientId and the Token Endpoint response body contains a new field response_data.
  • Added support to export/import SSMS based Realm JSONs into Maverick IAM based realm and vice versa.

  • Support has been added to register ACR AMR combinations based on the first and second factor steps completed by a user, either through the options below or via CRUD APIs for the ACR AMR table (fields: first_factor, second_factor, acr, amr).

    • Realm Settings -> Claims tab to view existing combinations and set up the initial table for existing tenants.
    • During the tenant creation process, a basic set of combinations is created automatically for the tenant. Additions and updates can be made later using the CRUD APIs. Access to these CRUD APIs requires the client roles view-claims and manage-claims of the client realm-management. Refer about ACR AMR.
  • Added a new grant type, jwt_grant, to the IAM Token endpoint; it accepts a JWT assertion and issues access and refresh tokens:

    • Grant type: urn:ietf:params:oauth:grant-type:jwt-bearer.
    • Supported algorithms: RSA, ECDSA (EdDSA is not supported currently).
    • Added support for one-time use of the JTI; the JTI is tracked in cache storage in the same way as the authorization code.
  • Added azp and audience validation against the client_id when token exchange is performed.

  • While deleting an authentication flow, the usage of the flow is checked and the deletion is allowed only if there is no usage of the flow in any of the clients or identity providers or authentication bindings.

  • Added a CORE API to get usage status of an authentication flow to check if an authentication flow is being used in any of the clients, identity providers or authentication bindings.

  • An SMS Test connection option has been added to the Realm SMS config page; it requires an SMS provider config and a user with a valid phone number.

  • Added option to update Shared Settings of a realm in Update Realm Digitanium API.

  • Added Get Appsettings API that will fetch the app settings details which is configured in the realm settings.

  • Added Get Realms API that will fetch information of all the realms.

  • Added Get Realm API that will fetch information of the requested realm.

  • Added Get Realm Creation Status API that will fetch the status of the Realm creation.
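The jwt_grant item above names the checks a token endpoint has to make on an RFC 7523 assertion: an algorithm allow-list (RSA/ECDSA only), the signature, the audience and, through the cache, one-time use of the JTI. The Go program below is an added example written for this changelog, not code from the KOBIL IDP or from Keycloak; it builds an ES256 assertion with a locally generated P-256 key and then verifies it twice, so the second redemption is rejected as a replay. The audience URL, the client and user names and the JTI value are constructed for the example, and the cache is a plain map where a clustered IDP would use a shared store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwtClaims holds the RFC 7523 assertion claims the checks below need.
type jwtClaims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

// Allow-list: only algorithms the IDP holds a key for, so "none", HMAC and EdDSA are
// refused before any key is consulted. This example holds a single P-256 key.
var allowedAlgs = map[string]bool{"ES256": true}

// jtiCache maps redeemed JTIs to expiry, like a one-time authorization code (a cluster needs a shared atomic store).
type jtiCache map[string]time.Time

// consume returns false if jti was already redeemed and its assertion is still valid.
func (c jtiCache) consume(jti string, exp, now time.Time) bool {
	if e, dup := c[jti]; dup && e.After(now) {
		return false
	}
	c[jti] = exp // an expired entry is simply overwritten
	return true
}

func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// signES256 builds the compact JWS a client sends as its assertion.
func signES256(key *ecdsa.PrivateKey, c jwtClaims) (string, error) {
	enc := base64.RawURLEncoding
	p, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + enc.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyAssertion: algorithm allow-list, signature, audience, expiry, then one-time JTI.
func verifyAssertion(tok string, pub *ecdsa.PublicKey, aud string, cache jtiCache, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(tok, ".")
	var h struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || decodeSegment(parts[0], &h) != nil {
		return nil, fmt.Errorf("malformed assertion")
	}
	if !allowedAlgs[h.Alg] {
		return nil, fmt.Errorf("alg %q not permitted", h.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the raw segments are what was signed
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	var c jwtClaims
	if decodeSegment(parts[1], &c) != nil || c.Aud != aud {
		return nil, fmt.Errorf("claims unreadable or audience %q is not this token endpoint", c.Aud)
	}
	exp := time.Unix(c.Exp, 0)
	if !exp.After(now) || c.Jti == "" || !cache.consume(c.Jti, exp, now) {
		return nil, fmt.Errorf("assertion expired, jti missing, or jti already redeemed (replay)")
	}
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aud, now, cache := "https://idp.example/auth/realms/demo/protocol/openid-connect/token", time.Now(), jtiCache{} // constructed
	tok, _ := signES256(key, jwtClaims{Sub: "user-1", Aud: aud, Exp: now.Add(time.Minute).Unix(), Jti: "jti-0001"})
	_, first := verifyAssertion(tok, &key.PublicKey, aud, cache, now)
	_, replay := verifyAssertion(tok, &key.PublicKey, aud, cache, now)
	fmt.Println("first:", first, "| replay:", replay)
}
```

The order of the checks matters: the algorithm is read from the header and compared against the allow-list before any cryptography runs, so an assertion carrying alg "none" or an algorithm the endpoint has no key for never reaches signature verification, and the JTI is only recorded after signature, audience and expiry have passed, so an attacker cannot fill the cache with unsigned junk. The cache entry lives exactly as long as the assertion it came from, which is all the replay window that needs covering.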

caution

Added a Realm Migration API which migrates all the existing tenants in an environment to type AST. An additional query parameter "tenants" accepts comma-separated tenant names to restrict the migration to those tenants. The API performs two actions: it updates the tenant's type attribute to AST, and it changes the theme from kobil v2 to kobil-ast, since Kobil V2 is also the theme used for SSMS based features.

  • Added Get OTP Brute Force Status API to get OTP Brute Force lock status of a user.

  • Added Unlock User OTP Brute Force API that will unlock the user, locked by the OTP Brute Force.

  • Added Unlock all Users OTP Brute Force API that will unlock all the users locked by the OTP Brute Force.

  • Added Headless V2 theme support for "Kobil User Attribute Handler" authenticator. Also added a success page to display the update was done successfully and a new authenticator config to enable/disable the success page.

  • Added two authenticator configs in Kobil Cookie Authenticator to enable/disable AST-based actions:

  • AST Registration - When enabled, AST Activate or Verify API and AST Link User API are executed to generate a new device ID and link it with the current user in the flow.

  • AST Login - When enabled, AST Login is executed.

  • Added Partial Import support for Authentication flows, Authenticator Configs and Client scopes.

  • Added HeadlessV2 theme support for the KOBIL Registration Status Verification Required Action.

  • Introduced a new theme for AST based authenticators (kobil-ast), a headless theme (kobil-headless) and a headless v2 theme (kobil-headless-v2).

  • Introduced a new login and email theme for the Smart Dashboard (smart-dashboard).

  • Added the following Authenticators with support to initiate AST-based actions (Device Registration, Login and Update MLoA) wherever needed and adhere to ACR-AMR standards:

  • KOBIL Configure Password Authenticator - Apart from configuring the password, added support to persist the first factor based on device ID in user attributes for ACR AMR computation.

  • KOBIL Verify Password Authenticator - Apart from password verification, added support to persist first factor based on device ID in user attributes for ACR AMR computation.

  • KOBIL Configure User Identity - Get the value for user identity field based on the Authenticator config and is set for the user.

  • KOBIL Verify User Identity - Performs the user identification based on the identity field specified in Authenticator config with support for AST actions like AST Login.

  • KOBIL Phone Verification Authenticator- Apart from phone number verification based on OTP, added support to update MLoA for user as out-of-band to AST services based on device ID.

  • KOBIL Email Verification Authenticator - Apart from email verification based on OTP and link, added support to update MLoA for the user as weak out-of-band to AST services based on device ID.

  • KOBIL Create Account Authenticator - Creates a new user in IDP and links the device ID to user ID through AST Services. Also optional support is provided to overwrite an existing account if an existing unverified email id is verified by a new user.

  • Condition - Email Verification Authenticator - A conditional authenticator that helps to decide whether the email verification step should be triggered in the flow or not based on a toggle in the authenticator config. If set to true, the email verification step is triggered only if the user in the flow has not verified their email. If set to false, the email verification step is triggered only if the user in the flow has verified their email.

  • KOBIL Condition - ACR Selection Authenticator - A conditional authenticator that decides which actions the user must perform in the flow to step up their ACR value. It accepts and validates the user token and checks the ACR in the token against the expected ACR value. If the ACR in the token is lower than the expected ACR, it forces the user to execute the follow-up steps in the conditional sub-flow to raise their ACR value.

  • KOBIL Configure ACR Authenticator - Used to verify and validate the token including additional ACR validation and identify the user.

  • KOBIL Configure User Details Authenticator - Gets user details from the user based on the requested fields mentioned in the Authenticator config and stores them in the user attribute fields.

  • Consent Manager Authenticator - Authenticator with Kobil Headless V2 support to accept and store consents from user based on Client Scopes.

  • KOBIL Change Email Authenticator - Authenticator to get new email id, perform verification of this email id and update it for the user.

  • KOBIL eTan Authenticator - Email verification and password validation with support for AST actions such as AST Login and AST Update MLoA.

  • KOBIL Delete Account authenticator - Deletes user from IDP after a user successfully verifies their password.

  • AST Login Authenticator - An authenticator specifically designed to insert AST-based actions anywhere in the flow. The action is chosen in the authenticator config and supports AST ActivateOrVerify, Login, LinkUser and Update MLoA. The input parameters needed to invoke these APIs must have been set in the session by the authenticators preceding this one in the auth flow.

note

All the authenticators except the KOBIL Phone Verification Authenticator have support for the HeadlessV2 theme.

  • When a realm of type AST is created, the following actions are performed as part of the Realm Creation Events:
    • A client for external scheduler purposes is created. The client name is taken from the environment variable SCHEDULER_CLIENT; by default scheduler_client is used.
    • The Frontend URL of the realm is updated based on the value set in the Master realm's general settings under the key frontendUrl.
    • The Signer Certificate and Identity User Certificate issuing process is triggered. For this purpose, two identity users are created with the usernames {{realmName}}_external_identity and {{realmName}}_internal_identity.

Fixed

  • The Test SMTP Connection Digitanium API always throws unauthorized even if proper token is passed. This has been fixed.

Components Updated

  • ScpConnector Version: 0.8.1-rc.215875

  • Shift Chart Version: 0.27.0

  • Kobil IAM version: 2.6.0

  • Maverick IAM Version: 1.13.0

  • Connector Version: kobil-cloud-connector:2.4.1

  • Pooler Version: kobil-cloud-pooler:2.4.2

  • DB: Postgres


2.8.1

Date: 10.03.2023

Keycloak Core Version - 15.0.0

Fixed Vulnerabilities

  • CVE-2023-0264 - Allows an attacker to impersonate a user via a stolen UUID code.

2.8.0

Date: 22.02.2023

Keycloak Core Version - 15.0.0

Fixed

  • Fixed an issue, where the Realm model cache was reset while calling dead event related functions.

2.7.4

Date: 03.02.2023

Keycloak Core Version - 15.0.0

Fixed

  • Fixed a database performance issue when updating the Next Runtime of schedulers after each execution.

  • Skipped the lookup of the client service account when the feature is disabled, in order to optimize database performance.

Fixed Vulnerabilities

  • CVE-2022-3782 -  keycloak: path traversal via double URL encoding.

2.7.3

Date: 13.12.2022

Keycloak Core Version - 15.0.0

Added

  • Added an option to trigger the transaction to the last logged-in device.

  • In the KOBIL User Password Registration Authenticator, added a config to stop triggering the update password event after the password registration has been completed successfully.

  • In Support tool profile page, added an option to delete the user.

  • In Cookie Authenticator, config added to configure loader to restrict back navigation.

Changed

  • In Client Policy ACR value parameters are changed to >=ACR1 and >=ACR2. Previously, it was <=ACR1 and <=ACR2.

  • Changed QR login and transaction from long waiting to polling for better performance.

  • Restricted back navigation from the user password registration and change password success page.


2.7.2

Date: 11.11.2022

Keycloak Core Version - 15.0.0

Added

  • In Client Policy, added support to accommodate ACR values against a policy (<=ACR1 and <=ACR2).
  • Added Keytool support in Base Image.

Fixed

  • In Kobil Create SSMS User Authenticator, fixed null pointer exception issue during auth details construction.
  • Skip check - In rare cases some UserSessionId entries are missing from the offline_user_session table, so the check is now skipped when the error is caused by a missing entry.

2.7.1

Date: 28.09.2022

Keycloak Core Version - 15.0.0

Added

  • Added Support Tools :
    • Delete User Option in Profile Page.
    • Included User Attributes in SearchBean.
    • Option added to include total count of search results.
  • In KOBIL QR Authenticator, added a new option "remain Signed In".
  • In Change Password Authenticator, added a config for optional validation of current password.

Fixed

  • In SAML login, the wrong SAML ID was filled into the InResponseTo attribute instead of the SP's request ID. This has been fixed.
  • The query that deletes expired events from EVENT_ENTITY took a long time to execute. This issue has been fixed.
  • Prevented the deadlock in the clear expired events transaction by running it as a separate transaction. Previously, the deadlock occurred when event expiration was set to a long duration.

Database Changes

  • Scheduler Provider Table - Added Not Null constraint to the columns CREATE_TIME, LAST_RUN_TIME, NEXT_RUN_TIME.
  • Event Entity Table - Added search index on USER_ID and TYPE for faster queries.

2.7.0

Date: 12.09.2022

Keycloak Core Version - 15.0.0

Added

  • In the KOBIL Login Authenticator, a new configuration digitaniumUserID is added to allow the user to log in.

  • Added templates for the following email based APIs in the KOBIL V2 theme - verify-email, reset-password, tenant-details and welcome template.

  • Added Get OTP Brute Force Status Digitanium API to get OTP Brute Force lock status of a user.

  • Created Unlock User OTP Brute Force Digitanium API that will unlock the user, locked by the OTP Brute Force.

  • Created Unlock all Users OTP Brute Force Digitanium API that will unlock all the users locked by the OTP Brute Force.

  • In the KOBIL Consent Manager Authenticator, added a config to display the consent description on the consent acceptance screen in the KOBIL V2 theme.

  • Added new AWS Credential Type IAM-Service-Role-V2 in IDP to connect with AWS KMS via attached service role without providing access key ID, secret key and role ARN under IDP.
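The Get OTP Brute Force Status and Unlock User / Unlock all Users OTP Brute Force APIs listed above (also in 3.0.0), together with the fix earlier in this changelog where invalid OTPs could be entered beyond the limit without the user being locked, describe one piece of state: a per-user failure counter with a lock that the status and unlock endpoints read and clear. The Go program below is an added example written for this changelog, not the KOBIL IDP's implementation; it shows the lockout logic that the fix requires, in particular that an attempt past the limit is never evaluated even if the code is correct. The limit, the user name and the OTP values are constructed for the example, and the state lives in a map where a clustered IDP would use a shared store.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// maxOTPFailures is a constructed limit; the IDP's own threshold is a configuration value.
const maxOTPFailures = 3

var (
	ErrOTPInvalid = errors.New("invalid OTP")
	ErrOTPLocked  = errors.New("user is locked by OTP brute force protection")
)

// otpRecord is the per-user state kept while an OTP is outstanding.
type otpRecord struct {
	code     string // the code sent out of band; emptied once consumed
	expires  time.Time
	failures int
	locked   bool
}

// OTPGuard enforces the attempt limit. Single-goroutine example: a clustered IDP keeps
// this state in a shared store so that the counter cannot be evaded by hitting another node.
type OTPGuard struct {
	users map[string]*otpRecord
}

func NewOTPGuard() *OTPGuard { return &OTPGuard{users: map[string]*otpRecord{}} }

// Issue records a freshly sent OTP. A locked user gets no new code, and the failure
// counter is deliberately kept: requesting another code must not buy fresh guesses.
func (g *OTPGuard) Issue(user, code string, ttl time.Duration, now time.Time) error {
	r := g.users[user]
	if r == nil {
		r = &otpRecord{}
		g.users[user] = r
	}
	if r.locked {
		return ErrOTPLocked
	}
	r.code, r.expires = code, now.Add(ttl)
	return nil
}

// Verify checks one attempt. Every wrong or expired attempt is counted, and reaching the
// limit locks the user, so no attempt beyond the limit is ever evaluated, correct or not.
func (g *OTPGuard) Verify(user, attempt string, now time.Time) error {
	r := g.users[user]
	if r == nil {
		return ErrOTPInvalid
	}
	if r.locked {
		return ErrOTPLocked
	}
	if r.code != "" && now.Before(r.expires) &&
		subtle.ConstantTimeCompare([]byte(r.code), []byte(attempt)) == 1 {
		r.code, r.failures = "", 0 // one-time code consumed; counter reset on success
		return nil
	}
	r.failures++
	if r.failures >= maxOTPFailures {
		r.locked = true
		return ErrOTPLocked
	}
	return ErrOTPInvalid
}

// Status is what a Get OTP Brute Force Status endpoint would report.
func (g *OTPGuard) Status(user string) (locked bool, failures int) {
	if r := g.users[user]; r != nil {
		return r.locked, r.failures
	}
	return false, 0
}

// Unlock clears the lock and the counter for one user, as an Unlock User endpoint would.
func (g *OTPGuard) Unlock(user string) {
	if r := g.users[user]; r != nil {
		r.locked, r.failures = false, 0
	}
}

// UnlockAll does the same for every user, as an Unlock all Users endpoint would.
func (g *OTPGuard) UnlockAll() {
	for user := range g.users {
		g.Unlock(user)
	}
}

func main() {
	g, now := NewOTPGuard(), time.Now()
	_ = g.Issue("alice", "482913", 5*time.Minute, now) // constructed user and code
	for _, guess := range []string{"000000", "111111", "222222", "482913"} {
		fmt.Printf("%s -> %v\n", guess, g.Verify("alice", guess, now))
	}
	locked, failures := g.Status("alice")
	fmt.Println("locked:", locked, "failures:", failures)
	g.Unlock("alice")
	fmt.Println("after unlock:", g.Verify("alice", "482913", now))
}
```

Two details carry the security value. The lock check comes before the comparison, so once the limit is reached the fourth guess in main() is refused without being looked at, which is exactly the gap the fix above closes. And the comparison is constant-time, so the response time does not tell an attacker how many leading digits matched; with a six-digit code and three attempts the remaining risk is a straightforward 1-in-333,333 guess per issued code, which is why the counter must also survive a request for a new code.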

Fixed

  • In a cluster setup, when the pod which registered a Scheduler goes down, the Scheduled tasks are lost. This issue has been fixed in the current image. The Scheduler will continue to function in a cluster until the last standing pod in the cluster goes down.

  • Fixed the below list of issues in KOBIL V2 theme UI:

    • KOBIL User Password Registration - When an incorrect password is entered by the user, only a single toast message is displayed. Previously, multiple toast messages were displayed.

    • A single eye icon is now displayed in the password field of the following authenticators (previously, a double eye icon was displayed when using the Edge browser):

      • KOBIL Login
      • KOBIL Username Password Form
      • KOBIL User Password Registration
      • Account - KOBIL Change Password authentication flows

  • In the KOBIL Phone Registration Authenticator, fixed an issue where the user was not able to submit a valid phone number with the Enter key and the toast message "phone number is a required field" was displayed. The user can now submit the phone number with the Enter key.

  • In the KOBIL Verify Authenticator, when digitaniumUserIdOnboardingType is configured as letter, the Play Store and App Store buttons were displayed even when no app URL was configured. The buttons are now hidden when no app URL is configured.

  • When the consent scope is set to local or global in the KOBIL V2 theme, the KOBIL Consent Manager Authenticator threw an "Unexpected error happen" error on the consent acceptance screen. This has been fixed.

  • In the Account - KOBIL Change Phone Authenticator, fixed an issue where the user was not able to submit a valid phone number with the Enter key and the toast message "phone number is a required field" was displayed. The user can now submit the phone number with the Enter key.

  • Fixed an issue in the Account - KOBIL Change Phone Authenticator where clicking the "send code" button showed an error page. The user can now submit the phone number by clicking the send code button.

Changed

  • In KOBIL Login Authenticator, the user can reset password using forgot password option with all supported formats (Name, ID, User attributes, digitaniumUserId). Before, only the email format was taken as input.

Fixed Vulnerabilities

  • CVE-2021-3632 - This critical vulnerability allowed any user to register a new security device or key, when no device was registered for the user, by using the WebAuthn password-less login flow.

  • CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182 - Fixed vulnerabilities in jQuery UI by updating to jQuery UI version 1.13.2.


2.6.0

Date: 24.06.2022

Keycloak Core Version - 15.0.0

Added

  • Created Delete Tenant Settings Digitanium API to delete a specific realm setting.

  • Created Get Users Based On Client Role Digitanium API that will fetch users based on roles associated with that client.

  • In KOBIL User Password Registration authenticator, a new configuration is added to allow the user to select the kind of password that needs to be generated and given to them during authentication.

  • Added support to access realm-specific general settings even if the Shared Feature is enabled in the Master realm. This is handled by the query parameter restrictSharedFeature in the Get Tenant Settings (Get Realm Settings) Digitanium API.

  • The Get Tenant Settings Digitanium API now supports retrieving the value of a single realm setting. This is done by using key as a query parameter with the setting's key as its value.

  • Locale was added to the payload to send emails based on the locale.

Changed

  • Keycloak's client search now includes a client Name search in addition to the client ID search that it previously exclusively supported.

  • When an invalid app name is provided to the Send Verification Email API, the message "App does not exist" is shown. Previously, it showed "App name should not be null or empty".

  • Requests to the Create Tenant API should only come from the realm specified in MASTER TENANT PROXY or from the Master tenant. Previously, only one tenant name could be specified. Now multiple tenant names can be specified as comma-separated values, and those tenants are allowed to trigger the Create Tenant API.

Fixed

  • The submit button now becomes active when a value is entered while a toast message is displayed. Previously, the submit button did not become active once a value had been entered while the toast message was displayed.

  • When the OTP length is less than or equal to 6, the OTP is shown in separate input boxes on the OTP verification screen. It was formerly presented as a single text box.

  • When adding realm settings with the Add Realm Settings API, an unknown error message was displayed rather than a successful update. This has been fixed.

  • Requests to the Create Tenant API should only come from the realm specified in MASTER TENANT PROXY or from the Master tenant. Previously, requests were accepted from other tenants as well, which was inappropriate. This has been fixed.

  • In the Riskbits Digitanium APIs, an error occurred when the realmId attribute was set to an empty string. This has been fixed.

Fixed Vulnerabilities

  • CVE-2022-26520 - Arbitrary File Write Vulnerability.

  • CVE-2022-21724 - Postgres DB driver Vulnerability.

  • CVE-2020-13692 - PostgreSQL JDBC Driver allows XXE.

  • CVE-2021-3827 - ECP binding flow.

  • CVE-2021-4133 - This allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.


2.5.0

Date: 10.05.2022

Keycloak Core Version - 15.0.0

Added

  • KOBIL V2 Theme: Support to prevent multiple button clicks has been added to all KOBIL V2 theme pages.

  • Added the Get Tenant Settings API to fetch the realm settings of a particular realm.

  • Support tool: In Search Page, pagination support has been added to the KOBIL V2 theme.

  • For security reasons, sensitive data log masking has been added to the KOBIL event logs.

  • Added a config option to customize the page title, info and button texts for the below authenticators:

    • Account-Change Password

    • Account-Change Email

    • KOBIL Email Registration

    • KOBIL User Password Registration

note

All the text fields must be a map, with the key being the language tag and the value being the appropriate text of the specific locale. During the flow execution, the locale is chosen from "Default Locale" specified under Realm Settings -> Themes Tab when Internationalization is enabled. If locale is not specified, it defaults to English('en').

Possible form field texts that are configurable (not every field is used by every authenticator):

Form Title, Form Description, Form Submit Button, Login Button, Redirect Button, Success Page Title, Success Page Description and Success Page Submit Button.

Fixed

  • The issue of getting an unknown error while adding the SSMS riskbit with duplicate id in a request has been resolved, and a conflict message (Riskbit already exists) will be shown for duplicate id validation.

  • In KOBIL Email Registration authenticator, added a Disable Email Back Button option in auth config. When disabled, the edit icon on the OTP verification page will be enabled and acts as a back button to go back to the previous page to re-enter Email ID.

  • In Kobil Phone Registration Authenticator, added a Disable Back Button option in auth config. When disabled, the edit icon on the OTP Verification page will be enabled and act as a back button to go back to the previous page to re-enter phone number.

  • Fixed the below list of issues in KOBIL V2 theme UI:

    • Issue with the KOBIL logo cropping on the KOBIL Email authenticator verification page.

    • Spacing issue between phone number field and send OTP button.

    • Alignment and spacing issues at the KOBIL Email registration authenticator page.

    • Alignment issue in displaying "having trouble? Help desk" at the footer of the KOBIL Login and KOBIL Verify authenticator pages.

    • Issue with the login page loading in KOBIL Verify authenticator UI, when the login theme was not specified in the Realm themes settings.

  • In KOBIL Login authenticator UI, fixed multiple Forgot Password links issue. Previously, when the Forgot Password option was enabled in both Realm Setting and Authenticator Configuration, two Forgot Password links were displayed in the UI. Now, only the Realm Setting based option will be shown.

  • Fixed the below list of issues in KOBIL Display Username authenticator:

    • When the auth config User Property to display username is set to email but the user does not have an email, an internal server error was displayed. This has been fixed; now the User not found error page is displayed.

    • When the auth config User Property to display username is set to a specific user attribute but the user does not have that attribute, an empty username (blank space) was displayed. This has been fixed; now the User not found error page is displayed.

  • When searching for a user in the Support tool, a user without any user attributes was not displayed. This has been fixed.

  • Fixed the below list of Support tool issues in the KOBIL V2 theme:

    • Fixed a side menu alignment issue in the user details page.

    • Misalignment issue with the device details tabulation has been resolved.

    • Fixed UI issue, where the password field error icon overlaps the password hide/show eye icon.

  • Create User, Update User, and Delete User Digitanium APIs have been fixed to store admin events along with correct user representation in event logs if store admin event is enabled in the Keycloak dashboard.

  • In KOBIL Create SSMS User Authenticator, the IllegalStateException error thrown during the store admin events call has been fixed. If the store admin event is enabled in the Keycloak dashboard, the create user event will be saved with the appropriate auth and user representation starting with this version.

  • In KOBIL Create SSMS User Authenticator, fixed a null pointer exception during user creation caused by missing auth details when the create user KOBIL Event was triggered.

  • When the password validation fails in the KOBIL Login authenticator, the error screen will now display username instead of userID.

  • To avoid an Internal server error in KOBIL Verify authenticator, a null check was added on QR image and activation code before displaying the digitaniumUserIdOnboardingType "onscreen" page.

  • Fixed an issue with the LDAP User Synchronization Digitanium API, which returned user not found even if the user was present.

  • In KOBIL Verify authenticator, fixed a null pointer exception issue which occurs on user login, when the user is not registered to any device and Do not show activation code for no devices option is enabled in the authenticator configuration.

  • Fixed DB error ORA-00923: FROM keyword not found where expected in health check page for oracle_servicename database vendor.

  • Fixed a handle type mismatch issue, while trying to import an authentication sub-flow as a top level flow in Keycloak admin UI.

  • Fixed the list of issues on Create App API requests:

    • Direct grant flow not getting set under Authentication Flow Overrides even for available authentication flows on the realm.

    • When a resource is provided in the authorization settings on the Create App request, the message Client not created and App already exists is displayed. [When authorizationServicesEnabled is set to true, the default resource name should not be provided.]

    • If the protocol is openid-connect and web origins are defined as the root URL, then in the following cases the web origins will be set to the same value as in the request:

      • Both the root and redirect urls are not provided in the request.

      • Both the root and redirect urls are provided in the request.

  • Removed confusing characters from randomly generated OTPs for verification through SMS/Email. OTPs are now generated from the character set ACDEGHJLMNPQRSTUXYZacdeghjmnprstuxyz2345679; characters such as i, 1, 0, o and l look similar and can be misread, so they are excluded.
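The character set above can be used directly. The following added example (not KOBIL's code) draws an OTP from it with the OS CSPRNG, checks a submitted value for shape, and compares it in constant time; the function names and the 6-character default length are assumptions.

```python
"""Confusion-free OTP generation for SMS/e-mail verification.

Added example, not KOBIL's code: it uses the character set named in the
changelog and draws from it with the OS CSPRNG, so no modulo-bias fix is needed.
"""
import math
import secrets
import string

# Character set from the changelog. Glyphs that are easy to confuse when read
# from a phone screen (i, l, 1, o, O, 0, ...) are deliberately absent.
OTP_ALPHABET = "ACDEGHJLMNPQRSTUXYZacdeghjmnprstuxyz2345679"

# For reference: every alphanumeric character the set leaves out.
DROPPED = sorted(set(string.ascii_letters + string.digits) - set(OTP_ALPHABET))


def generate_otp(length: int = 6, alphabet: str = OTP_ALPHABET) -> str:
    """Return an OTP of `length` characters drawn uniformly from `alphabet`.

    secrets.choice() selects uniformly from the OS CSPRNG; building the code
    from `urandom % len(alphabet)` would bias it towards the first characters.
    (The 6-character default length is an assumption.)
    """
    if length < 1:
        raise ValueError("OTP length must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet contains duplicate characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_otp_format(otp: str, length: int = 6, alphabet: str = OTP_ALPHABET) -> bool:
    """Cheap shape check before the submitted code is compared with the stored one."""
    return len(otp) == length and all(c in alphabet for c in otp)


def otp_entropy_bits(length: int, alphabet: str = OTP_ALPHABET) -> float:
    """Guessing entropy of one code, useful when sizing brute-force lockout limits."""
    return length * math.log2(len(alphabet))


def verify_otp(submitted: str, expected: str) -> bool:
    """Constant-time comparison, so a wrong guess does not leak how many
    leading characters matched."""
    return secrets.compare_digest(submitted.encode(), expected.encode())
```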

Changed

  • The format of the OTP request field in the KOBIL Email registration authenticator and KOBIL Phone number Registration authenticator has been changed in the KOBIL V2 Theme. Now, when the OTP length is set to 6 or less, the OTP request field will be displayed in individual boxes, whereas when the OTP length is set to 6 or more, it will be displayed as a single field.

  • Support tool: user actions are enabled only when the appropriate role is assigned to the support user. For example, the RESET USER and ENABLE/DISABLE User action buttons on the profile screen are displayed only when the support user has the support-manage-profile role.

  • For the authenticators listed below, additional hidden log statements and masking have been added:

    • KOBIL PAM

    • KOBIL Oneshot

    • KOBIL mTAN

note

Hidden logs are not shown by default. Set the following value in the realm's general settings to see them:

  • Hidden logs will be visible if h_info=true is specified.

  • For the Digitanium APIs mPowerChat Attachment, Start Signature and mPowerChat Message, if the Identity Operator password is not defined for the requested tenant, the null Id (00000000-0000-0000-0000-000000000000) is set for the Authorization field of the mPower Messaging APIs.

  • For the Digitanium APIs Create Payment Transaction, Cancel Payment Transaction and Refund Payment Transaction, if the Tenant Service Providers (operator, partner, information, backend) are not available, the null Id (00000000-0000-0000-0000-000000000000) is set for the merchantServiceProviderUUID field.

  • Support for tls.crt and tls.key has been added. Whenever the certs folder contains tls.crt and tls.key files, Keycloak uses them to create its own keystore. If tls.crt and tls.key are absent, Keycloak falls back to keycloak.keystore.

Components Updated

  • Connector Version - 2.4.1

  • Pooler Version - 2.4.1


2.4.3

Date: 05.05.2022

Keycloak Core Version - 15.0.0

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

Fixed Vulnerabilities

  • Fixed CVE-2022-21476

    Problem

    • This vulnerability allows an unauthenticated attacker with network access to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition through several protocols. Successful exploitation can result in unauthorized access to critical data or complete access to all data exposed by Oracle Java SE and Oracle GraalVM Enterprise Edition.

    Solution

    • Updated Java from 11.0.14.1 to 11.0.15.0.9-2.el8.

2.4.2

Date: 01.04.2022

Keycloak Core Version - 15.0.0

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

Added

  • KOBIL QR authenticator - Added new options in authenticator configuration to enhance the QR feature.

    NEW CONFIG OPTIONS:

    • SSMS device property - The SSMS device property to poll; by default it is qrcodeNonce.

    • TTL of QR - Set the QR code timeout in seconds (for example, 20). Defaults to 120.

    • Disable Remember me Option - Enable this option to hide the remember me option on the QR page. This provides support for storing the QR login based cookie.

    • Disable back option - Enable to display an option to reset the flow.

  • Kobil Remember Cookie Authenticator - The main use case is to select the flow based on a previously saved cookie. It works similarly to a conditional authenticator: the flow is executed based on the cookie name and flow type specified in the authenticator config.

    • Cookie Name - Enter the cookie name to validate the flow.

    • Enable for Alternate flow - Enable to go to the alternate flow if the cookie is present; otherwise, by default, it proceeds in the same flow.

Fixed

  • Handled LDAP sync failure in Users: List of Tenants API

    • Previous behavior: If the user does not exist in Keycloak and the tenant has an LDAP connection set up, Keycloak checks whether the user exists in LDAP and, if so, attempts to create the user in IDP. If the LDAP connection is lost, the API returns USER NOT FOUND immediately even if the user exists in the remaining tenants.

    • Current behavior: The tenant with a failed LDAP connection will be skipped, and the remaining tenants where the user exists will be returned.

  • After disabling the UMA functionality, the issuer URL for UMA check was fixed. Previously, when disable UMA was set to false, the issuer URL functionality did not work as intended in granting UMA access.

  • Unsubscription issue in the connector events scheduler has been fixed:

    • Previous behavior: On restarting the pod, a null pointer exception occurred during unsubscribing the connector event scheduler.

    • Current behavior: The existing connector event will be unsubscribed and re-subscribed when the pod is restarted.

  • Account Change Password authenticator - Fixed a null pointer exception that occurred during change password validation when the new password field was left empty.

  • In the Realm General settings, the limitation on shared features was fixed.

    • Previous behavior: Only master realm settings are accessible when the shared feature for settings is enabled/turned ON, and if a realm has no settings.

    • Current behavior: If a setting is requested from a subtenant, check whether it is present in that realm. If not, fetch it from master, if the shared feature is ON.

  • KOBIL QR authenticator - Handled the authenticator to retrieve user properties such as Id, Name, and DigitaniumUserId based on the provided SSMS User Id settings.

Changed

  • General settings refinement:

    • Removed unwanted datatype conversion.

    • Added functions to get, add, and remove a single setting.

  • The NULL ID parameter in Mpower APIs has been changed to a null UUID instead of a null ULID.

  • KOBIL QR authenticator

    • Removed KOBIL Login (1FA) dependency. Now KOBIL QR authenticator can also be used independently.

    • Removed Page loader waiting for login result.

  • KOBIL Verify authenticator – Removed Page loader waiting for Transaction result.

  • When trying to create a UMA Client from the dashboard through Digitanium APIs, the latest IDP was reverting back the created tenant; therefore, the timeout of the HTTP client was increased.


2.4.1

Date: 15.02.2022

Keycloak Core Version 15.0.0

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

Fixed

  • Digitanium realm creation API - Realm creation rollback exception fixed.
  • Connector-api client - Fixed the empty client-secret issue when the access type is set to confidential via the realm creation API.
  • Digitanium-app client - Fixed the missing credentials tab during client creation via the realm creation API.
  • Handled exceptions when invalid details are passed in the tenant creation request.

2.4.0

Date: 02.02.2022

Keycloak Core Version - 15.0.0

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

important

Known Issue:

On triggering cancel transaction of KOBIL Verify on cluster environment, the authenticator keeps restarting.

Added

  • Added the option to import and export authentication flows. The main flow can be exported and imported as a sub-flow, and by specifying a unique alias name the entire auth flow can be exported and imported independently.

  • In the KOBIL Cookie and Conditional – ACR KOBIL Cookie authenticators config, a new option Expected Client Name has been added to evaluate the client name of the token supplied in the cookie.

  • Support for the Force user re-login feature has been added to the KOBIL Cookie authenticator, which supports query parameters prompt and max_age and verifies them against the input access token. These parameters can only be used in Browser flow.

    • prompt: login
      When provided, the user is forced to re-login.

    • max_age: in seconds (for example, max_age=5 denotes 5 seconds)
      The user is required to re-login if the specified max_age plus the Auth time (the first active authentication time available in the input access token) is earlier than the current timestamp.

caution

If the query parameters listed above are utilized, the KOBIL Cookie authenticator should be established as an alternate flow, followed by a Login flow as another alternative.

note

In KOBIL Cookie authenticator, there is no support for the default Keycloak query parameters login_hint and kc_idp_hint.
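An added example (not the KOBIL Cookie authenticator's code) of the prompt and max_age evaluation described above, written over an already verified and decoded access token. It assumes the token's first active authentication time is in the standard OIDC auth_time claim; the function names are assumptions.

```python
"""prompt / max_age evaluation for a cookie-based (SSO) login.

Added example, not the KOBIL Cookie authenticator's code. Assumptions: the
access token carried by the cookie has already been signature-checked and
decoded into a dict, and its first active authentication time is in the
standard OIDC `auth_time` claim (seconds since the epoch).
"""
import time
from typing import Dict, List, Mapping, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Keycloak hints the changelog says this authenticator does not act on.
UNSUPPORTED_PARAMS = ("login_hint", "kc_idp_hint")


def parse_query(url: str) -> Dict[str, str]:
    """Single-valued query parameters of an authorization request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def relogin_required(params: Mapping[str, str], token: Mapping[str, object],
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (must_relogin, reason) for the given request and token.

    - prompt=login forces a fresh login regardless of the token.
    - max_age=N: re-login when auth_time + N is earlier than the current time.
    """
    now = int(time.time()) if now is None else now

    # prompt is a space-separated list in OIDC, so "login consent" also counts.
    if "login" in params.get("prompt", "").split():
        return True, "prompt=login"

    max_age = params.get("max_age")
    if max_age is not None:
        try:
            max_age_s = int(max_age)
        except ValueError:
            return True, "max_age is not an integer"
        if max_age_s < 0:
            return True, "max_age is negative"
        auth_time = token.get("auth_time")
        if not isinstance(auth_time, int):
            # Freshness cannot be proven without auth_time: fail closed.
            return True, "token has no auth_time claim"
        if auth_time + max_age_s < now:
            return True, f"authentication older than max_age ({max_age_s}s)"

    return False, "cookie session accepted"


def ignored_hints(params: Mapping[str, str]) -> List[str]:
    """Hints present in the request that this authenticator ignores."""
    return [p for p in UNSUPPORTED_PARAMS if p in params]
```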

  • Verify mail API now enables sending verification emails using the email parameter in the request body, allowing users to verify mail even if their user profile does not contain an email address.

  • Additional logging statements have been added for the authenticators listed below:

    • KOBIL User Password Registration
    • KOBIL User Registration
    • KOBIL QR
    • KOBIL Verify

note

Hidden logs are not shown by default. Set the following value in the realm's general settings to see them:

  • Hidden logs will be visible if h_info=true is specified.

Fixed

  • Fixed an issue where the SMS and realm settings config were not updated during realm import; now, when a realm containing SMS and realm settings config is imported, both are updated.

  • If no applinks are specified in the auth settings, the KOBIL Verify authenticator will not display the playstore or appstore buttons.

  • Fixed deleting authentication flows through the API so that the complete authentication flow is deleted; previously, even after the auth flow was deleted, its sub-flows still persisted in the database.

  • Fixed UI alignment issues with the KOBIL V2 Theme's KOBIL Username password form.

  • During incorrect PIN validation in the KOBIL-1FA authenticator, the error message now displays the username instead of the userID.

  • Change of behavior in User Registration Authenticator:

    • Previously, if the enable_user authenticator config was set to false, an error screen claiming that the user was disabled would appear even though the user was enabled.
    • Now the flow acts according to the user's state when the enable_user config is set to false: if the user is enabled - success; if the user is disabled - error screen.

Digitanium API Fixes

Create Client API

Request JSON

  • Scenario: 1

    • Request Body:
      • rootUrl is specified
      • redirectUris is not specified
    • Previous Behaviour:
      • redirectUris of the created client will not be set.
    • Expected and Current Behaviour:
      • redirectUris of the created client should be the same as rootUrl
  • Scenario: 2

    • Request Body:
      • rootUrl is specified
      • adminUri is not specified
    • Previous Behaviour:
      • adminUri of the created client will not be set.
    • Expected and Current Behaviour:
      • adminUri of the created client should be the same as rootUrl
  • Scenario: 3

    • Request Body:
      • webOrigins is specified
    • Previous Behaviour:
      • The webOrigins specified in the request will not be set.
    • Expected and Current Behaviour:
      • webOrigins specified in the request should be set to the created client.
  • Scenario: 4

    • While creating confidential client
    • Request Body:
      • If secret field is not specified
    • Previous Behaviour:
      • secret is not generated.
    • Expected and Current Behaviour:
      • secret is generated.
  • Scenario: 5

    • While creating confidential client
    • Request Body:
      • If either publicApp or bearerOnly set as false
      • serviceAccountsEnabled set as true
    • Previous Behaviour:
      • The service account(user) is not created, when the confidential client is created with service account enabled.
    • Expected and Current Behaviour:
      • The service account(user) is getting created, when the confidential client is created with service account enabled.
  • Scenario: 6

    • While creating confidential client
    • Request Body:
      • serviceAccountsEnabled set as false
      • authorizationServicesEnabled set as true
    • Previous Behaviour:
      • Response: Failed to create App Caused by Client does not have a service account.
      • But the client was created.
    • Expected and Current Behaviour:
      • Response: Failed to create App Caused by Client does not have a service account.
      • The client creation will be rolled back.

note

In order for the Expected and Current Behaviour to function, the request body for all of the aforementioned APIs should have protocol set to openid-connect.
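Scenarios 1 to 6 above, applied to a request body in one added Python function (an illustration, not the Digitanium API's code). It uses the field names as written in the scenarios, treats a client as confidential when neither publicApp nor bearerOnly is true, and simulates the scenario 6 rollback by raising before anything would be stored; the service-account user name format is an assumption.

```python
"""Create Client request normalization covering scenarios 1 to 6 above.

Added illustration, not the Digitanium API's code. Field names are taken from
the scenarios; a client is treated as confidential when neither publicApp nor
bearerOnly is true (assumption); the scenario 6 rollback is simulated by
raising before anything would be persisted; the service-account user name
format is an assumption.
"""
import secrets
from typing import Any, Dict


class ClientCreationError(Exception):
    """Raised instead of storing the client, i.e. the creation is rolled back."""


def build_client(request: Dict[str, Any]) -> Dict[str, Any]:
    """Return the client representation that would be stored for `request`."""
    client = dict(request)  # work on a copy; the caller's body is not mutated

    # The note above: these behaviours apply only to openid-connect clients.
    if client.get("protocol") != "openid-connect":
        return client

    # Scenarios 1 and 2: rootUrl fills in missing redirectUris and adminUri.
    root_url = client.get("rootUrl")
    if root_url:
        if not client.get("redirectUris"):
            client["redirectUris"] = [root_url]
        if not client.get("adminUri"):
            client["adminUri"] = root_url

    # Scenario 3: webOrigins from the request are kept as given (nothing to do).

    confidential = not client.get("publicApp", False) and not client.get("bearerOnly", False)
    if confidential:
        # Scenario 4: a confidential client without a secret gets a generated one.
        if not client.get("secret"):
            client["secret"] = secrets.token_urlsafe(32)

        # Scenario 6: authorization services require a service account;
        # report the failure and leave nothing behind.
        if client.get("authorizationServicesEnabled") and not client.get("serviceAccountsEnabled"):
            raise ClientCreationError(
                "Failed to create App Caused by Client does not have a service account")

        # Scenario 5: the service-account user is created together with the client.
        if client.get("serviceAccountsEnabled"):
            client["serviceAccountUser"] = f"service-account-{client.get('clientId', '')}"

    return client
```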

Delete Riskbits API

  • Request:
    • Hit the delete riskbit API with a non-existent Keycloak Riskbits ID.
  • Previous Behaviour:
    • Unknown error was displayed as the response.
  • Expected and Current Behaviour:
    • Response code will be 404 Not Found.

Delete SSMS Riskbits API

  • Request:
    • Hit the delete SSMS riskbit API with a non-existent SSMS Riskbits ID.
  • Previous Behaviour:
    • Internal server error was displayed as the response.
  • Expected and Current Behaviour:
    • Response code will be 404 Not Found.

Delete Client API

  • Request:
    • Hit the Delete client API and try to delete a client with a service account.
  • Previous Behaviour:
    • The client will be deleted but the service account will not be deleted.
  • Expected and Current Behaviour:
    • On deleting the client, the service account is also deleted.

AST Activation Setup API
Includes the creation of 3 resources.

  • Previous Behaviour:
    • The API can be hit from all realms.
    • If any of the resources is already present, the flow exits immediately with an error response.
  • Expected and Current Behaviour:
    • The API can only be hit from the master realm.
    • If any of the resources is already present, the respective resource creation is skipped; otherwise it is created.

Changed

  • Due to security concerns, the unmask logs functionality has been removed.

  • In all KOBIL V2 Theme FTL templates, the button is automatically disabled until a valid input is provided in the input field.

  • The change password event email template now supports displaying the user's browser time instead of the server time. This change is effective only when the browser time is supplied from the frontend and used in the email template by the backend.

  • External validation feature option has been removed from the KOBIL User Registration authenticator configuration.

  • In the KOBIL User Password Registration authenticator config, the Always initial password feature was removed.

  • Refactored docker-keycloak by eliminating unnecessary scripts, git-related environment variables, and removed the support to pull the Keycloak from Github when deploying.

note

Environment variable config change in JGROUPS_DISCOVERY_PROTOCOL to support JDBC_PING.

Previously, docker-keycloak enabled JDBC_PING multiple database support via multiple DB files to function as a cluster. A client wanting to point to a Postgres database had to provide JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING_PG, which points to a Postgres-specific file, much like the other databases.

This has now been simplified: the client can specify JDBC_PING as the value for the JGROUPS_DISCOVERY_PROTOCOL key, and the server will switch to the current database configuration. The previous JDBC_PING_(db_name) format, which leads to a different file, is still available but will be deprecated in future versions, and such files will be deleted. MSSQL is currently not supported.


2.3.0

Date: 04.01.2022

Keycloak Core Version - 15.0.0

caution

Database backward compatibility is not supported when downgrading Keycloak from a higher to a lower version.

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

info

Vulnerability CVE-2021-4133 (see https://www.keycloak.org/2021/12/cve.html) has been fixed. Image scanners will still report it because the image carries Keycloak 15.0.0 version details, but the issue is fixed, so this finding can be ignored.

important

Known Issue:

In Keycloak 15, General Settings and SMS Configuration will be empty when a new realm is imported. In the forthcoming IAM releases, this issue will be fixed.

Added

  • Keycloak 15 with Integrated Open Telemetry

  • For the authenticators specified below, additional logging statements and masking have been added:

    • KOBIL Username Password
    • KOBIL Username Password form
    • KOBIL User Alias Registration
    • KOBIL User Attribute Handler authenticator

  • Debug logs for the following Schedulers have been added:

    • Connector Event Scheduler
    • Dead Event Cleaner Scheduler
    • Dead User Event Scheduler

note

To display hidden logs, set the following value in the realm's general settings:

  • If h_info=true is set, hidden logs will be displayed.
  • If h_info=false is set, hidden logs will not be displayed.

Unmask data in logs with the following environment variable:

  • If UNMASK_LOGS=true is set, Sensitive data will not be masked.
  • If UNMASK_LOGS=false is set, Sensitive data will be masked.

Data that will be masked:

  • username
  • user attributes
  • One Time Password (OTP)
  • kvnr
  • tckn
  • email
  • firstname
  • lastname
  • phone
  • phonenumber
  • telephone
  • password
  • credentials
  • data
  • user Id
  • activation code
  • QR image
  • device Id
  • transaction Id
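An added example (not the IDP's logging code) that masks the fields listed above in an event payload before it is logged and honours the UNMASK_LOGS switch. The partial-versus-full masking policy, the key normalization and the function names are assumptions; the sample event is constructed.

```python
"""Mask the changelog's sensitive log fields before an event is written.

Added example, not the IDP's logging code. Assumes log payloads are dicts
(nested dicts and lists allowed). Policy (assumed): secret-bearing fields are
blanked entirely, identifiers keep their first and last character so that
log lines can still be correlated during an investigation.
"""
import os
import re
from typing import Any, Optional

# Field names from the "Data that will be masked" list, normalized (lowercase,
# spaces/underscores/dashes removed) so "user Id", "userId" and "user_id" match.
MASKED_FIELDS = {
    "username", "userattributes", "onetimepassword", "otp", "kvnr", "tckn",
    "email", "firstname", "lastname", "phone", "phonenumber", "telephone",
    "password", "credentials", "data", "userid", "activationcode", "qrimage",
    "deviceid", "transactionid",
}
# Subset treated as secrets: never leave even partial characters (assumption).
SECRET_FIELDS = {"password", "credentials", "onetimepassword", "otp",
                 "activationcode", "qrimage"}

SAMPLE_EVENT = {  # constructed sample, not a real log record
    "type": "LOGIN",
    "clientId": "app1",
    "username": "alice",
    "user Id": "5f3a-9c",
    "details": {
        "email": "alice@example.org",
        "ip": "203.0.113.7",
        "credentials": {"password": "hunter2"},
    },
}


def _normalize(key: Any) -> str:
    return re.sub(r"[\s_-]", "", str(key)).lower()


def mask_value(value: Any, secret: bool) -> str:
    """Blank secrets completely; keep first/last character of identifiers."""
    if secret:
        return "[masked]"
    s = str(value)
    if len(s) <= 2:
        return "*" * len(s)
    return s[0] + "*" * (len(s) - 2) + s[-1]


def _mask_subtree(value: Any, secret: bool) -> Any:
    """Mask every leaf below a sensitive key (e.g. a whole credentials object)."""
    if isinstance(value, dict):
        return {k: _mask_subtree(v, secret) for k, v in value.items()}
    if isinstance(value, list):
        return [_mask_subtree(v, secret) for v in value]
    return mask_value(value, secret)


def mask_payload(payload: Any, unmask: Optional[bool] = None) -> Any:
    """Return a masked copy of `payload`; the original object is left untouched.

    `unmask=None` reads UNMASK_LOGS from the environment as the changelog
    describes: "true" disables masking, anything else keeps it on.
    """
    if unmask is None:
        unmask = os.environ.get("UNMASK_LOGS", "false").lower() == "true"
    if unmask:
        return payload
    if isinstance(payload, dict):
        out = {}
        for k, v in payload.items():
            nk = _normalize(k)
            if nk in MASKED_FIELDS:
                out[k] = _mask_subtree(v, secret=nk in SECRET_FIELDS)
            else:
                out[k] = mask_payload(v, unmask=False)
        return out
    if isinstance(payload, list):
        return [mask_payload(v, unmask=False) for v in payload]
    return payload


if __name__ == "__main__":
    print(mask_payload(SAMPLE_EVENT, unmask=False))
```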

Fixed

  • The issue with the scheduler not being unregistered in Keycloak 15 after it was deleted via the Keycloak Admin UI has been fixed.

  • If the realm contains valid SSMS credentials, a user is created in SSMS when they are created in Keycloak. If the SSMS credentials were changed to invalid ones via the Digitanium API, newly created users were not created in SSMS and were added to dead events. When the SSMS credentials were changed back to valid ones, the Dead User Event Scheduler did not refresh its invalid connection, so user creation in SSMS continued to fail. This issue has now been fixed.

  • When several client scopes were supplied and the list of provided scopes included kobil_oneshot or kobil_password, the other scopes in the list were permitted instead of the user being blocked when creating a token using the Auth or Token Endpoint. This issue is now fixed. (Known problem with previously provided Keycloak 15-based IDP images)

  • The AST Setup API (Digitanium API /apps/preface/setup) was inaccessible as a result of recent Keycloak 15 changes that block APIs with empty response body content. This issue has been resolved in this release for all APIs that return an empty response body. (Known problem with Keycloak 15-based IDP images previously provided)

  • For Oracle Database, the Kobil Health Check Endpoint now supports both "oracle" and "oracle_servicename" vendors. Only the "oracle" vendor was previously supported.

  • The issue with the Create SSMS User Authenticator - which caused an IllegalStateException when the authenticator was run several times - has been fixed.

Fixed Vulnerabilities

note

Problem Statement

Fine Grain Admin Permissions is a Technology Preview feature that isn't completely supported yet. This functionality is enabled by default, and the vulnerability can only be reproduced if it is disabled.

  • Unprivileged users are able to create additional users due to incorrect authorization.

    • When the Fine Grained Admin permission is disabled in Keycloak 12.0.0, users in the group with manage-members and manage-membership have the ability to add new users to the group. This issue was resolved in Keycloak 15.1.1, and we've updated our IDP image to reflect the change.
    • For additional information on Fine-Grained Authorization, see https://www.keycloak.org/docs/latest/server_admin/#_fine_grain_permissions.
  • CVE-2021-42575 has been fixed (Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-42575):

    • Prior to version 20211018.1, the OWASP Java HTML Sanitizer did not effectively enforce policies related to the SELECT, STYLE, and OPTION elements.
    • Updated the version to 20211018.2
  • Critical vulnerability fixes dependent on the operating system:

    • registry.access.redhat.com/ubi8-minimal has been updated from 8.4-205 to 8.5-204.

    note

    Due to the following open issue, vulnerabilities originating from dependencies included in the Wildfly distribution cannot be updated (see https://github.com/keycloak/keycloak/issues/9258).


2.2.0

Date: 02.12.2021

Keycloak Core Version - 15.0.0

caution

Database backward compatibility is not supported when downgrading Keycloak from a higher to a lower version.

important

Known Issue:

When multiple client scopes are supplied and the list of provided scopes includes kobil_oneshot or kobil_password, the other scopes in the list are permitted instead of the user being blocked when creating a token using the Auth or Token Endpoint. According to Keycloak 15 functionality, only client scopes that have been explicitly added to the client should be permitted. The next version will include a patch for this issue.

important

Known Issue:

Due to new updates in Keycloak 15, the AST Setup API (Digitanium API /apps/preface/setup) is presently inaccessible. Starting with Keycloak 10, certain response codes require that a response body be provided. In the latest Keycloak images, the AST Setup API returns an empty response body and therefore fails.

This problem might also arise with other APIs that send an empty response body. In the forthcoming IAM releases, these APIs will be updated.

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

important

Known Issue:

In Keycloak 15, General Settings and SMS Configuration will be empty when a new realm is imported. In the forthcoming IAM releases, this issue will be fixed.

Changed

  • If a tenant Service Provider is not available, the SCP Messaging, Signature, and Payment Digitanium APIs now support setting Null ID to Service Provider Id fields.

  • Custom error response has been added to Conditional Cookie Authenticator for invalid flows when used in Direct Grant flow type.

note

Conditional Cookie Authenticator is developed specifically for browser flows but can be used in Direct Grant flows too.

  • Support has been added to provide multiple scopes in Kobil PAM Authenticator. (Previously, it was restricted to a single scope either kobil_oneshot or kobil_password at a time.)

  • Support has been added for 'Send Verification Email' Digitanium API to send the verification email to self user with their respective token. Previously only admin tokens were supported. (Authorization scope for self user : email:send:self)

Fixed

  • Create SSMS User Authenticator - NullPointer exception fixed - Auth details have now been set properly before triggering kobil admin event.

  • Resource path has been added to Email Template to fix "resource path missing" error while sending email.

  • Okhttp library has been updated to V4.9.1 for Keycloak 15 Cloud Connector Client Plugin to fix the Network Interceptor StackOverflow issue that occurs in older Okhttp versions. Other dependencies in Cloud Connector Client that got updated because of the new OpenAPI Generator tool (V5.3.0) used to generate the client plugin are mentioned below:

    • Swagger Annotations: Old - 1.5.17; Current - 1.6.2
    • Okhttp3: Old - 2.7.5; Current - 4.9.1
    • Logging interceptor: Old - 2.7.5; Current - 4.9.1
    • Gson: Old - 2.8.1; Current - 2.8.6
    • Gson Fire: Old - 1.8.0; Current - 1.8.5

note

The Feature Distribution plugin Galleon Wildfly still uses the Okhttp V3.9.0 artifact transitively. This does not affect our code flows and will soon be replaced with Quarkus (https://www.keycloak.org/2021/10/keycloak-x-update.html).

Components Updated

  • Connector Version - 2.3.2

  • Connector Client plugin - 2.3.2_v2

  • Pooler Version- 2.3.0

  • Core - 2.1.1

  • SCP Connector - 1.8.8


2.1.0

Date: 17.11.2021

Keycloak Core Version - 15.0.0

caution

Database backward compatibility is not supported when downgrading Keycloak from a higher to a lower version.

caution

To utilize the default and optional client scopes in the Auth and Token Endpoint in Keycloak 15, the scope must be explicitly added to the client.

info

The OIDC Well-known Logout Endpoint previously accepted Access, Refresh and ID tokens in the "id_token_hint" field to logout a user. But from Keycloak 14 only ID tokens are supported.

important

Known Issue:

When multiple client scopes are supplied and the list of provided scopes includes kobil_oneshot or kobil_password, the other scopes in the list are permitted instead of the user being blocked when creating a token using the Auth or Token Endpoint. According to Keycloak 15 functionality, only client scopes that have been explicitly added to the client should be permitted. The next version will include a patch for this issue.

important

Known Issue:

Due to new updates in Keycloak 15, the AST Setup API (Digitanium API /apps/preface/setup) is presently inaccessible. Starting with Keycloak 10, certain response codes require that a response body be provided. In the latest Keycloak images, the AST Setup API returns an empty response body and therefore fails.

This problem might also arise with other APIs that send an empty response body. In the forthcoming IAM releases, these APIs will be updated.

important

Known Issue:

After LDAP Synchronization, the LDAP User Synchronization API is expected to return the user information for a specified username. LDAP Synchronization means that if a user's data in the IDP differs from the data in LDAP storage, the IDP will be updated.

The API is not working as it should after the Keycloak 15 upgrade. Even if the user exists in LDAP/IDP, it returns "user doesn't exist" as the response for LDAP users.

In the forthcoming IAM releases, these APIs will be updated.

important

Known Issue:

In Keycloak 15, General Settings and SMS Configuration will be empty when a new realm is imported. In the forthcoming IAM releases, this issue will be fixed.

Added

  • Added headless browser user login for the KOBIL Login authenticator.
  • The Connector Events Scheduler can now subscribe to multiple events, given as comma-separated values in the deviceEvents option under Realm Settings. For example, to subscribe to both events use NEW_DEVICE,DEVICE_DELETION. All subscribed events are unsubscribed when the scheduler is removed.
    • NEW_DEVICE - subscribing to this event type delivers a callback once a new device is activated, i.e. a registration occurs.
    • DEVICE_DELETION - subscribing to this event type delivers a callback once a device is deleted.
note

The 'deviceEvents' value can be a single event type or several event types separated by commas, e.g. NEW_DEVICE, DEVICE_DELETION. If 'deviceEvents' is not set or is left null, NEW_DEVICE is subscribed by default.

  • Support has been added to read the redirectUri parameter supplied in the OIDC URL from the frontend FTL files.
  • Exposed the Brute Force User Unlock Time as an attribute to the frontend (FTL) in the mTAN authenticator.
  • Added support for updating the Realm Name in the Keycloak Admin UI. The corresponding SSMS credentials must be configured in the Kobil tab.
  • Support tool - after a user search completes in the backend, the first and max results values are attached to the search response that is delivered to the frontend.
  • Images and fonts can be added to the resources folder under themes/{themeName}/email and used in email templates.
  • Added JPA queries to filter users in the Keycloak database by user attributes.
  • The JPA user queries have been optimized (migrated from native queries to criteria queries).
  • Added the support tool info text for the info icon.
  • In the KOBIL Verify authenticator, added support for sending a transaction to a particular app, selected by the app name defined in the authenticator configuration.
  • Support for obtaining the remote IP address from the "X-Real-IP" header set by Nginx.
  • External SMS provider support has been added for the KOBIL Phone Registration and Account - KOBIL Change Phone authenticators.
  • When adding and updating users, a hash of the access token is generated and written to the logs.
  • Change Email authenticator: a new authenticator configuration option has been added to support a custom action token handler.
  • Support for generating the OIDC URL through the following endpoint, added for Keycloak 15:
    • POST https://{tenantId}.{hostname}/{realm}/clients/{client_id}/oidc
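
The following is an added example, not KOBIL IAM code, of the 'deviceEvents' handling described for the Connector Events Scheduler above: a single event type or a comma-separated list, NEW_DEVICE when the setting is absent or null, and every subscribed event released when the scheduler is removed. The scheduler class and its subscribe/unsubscribe callables are constructed stand-ins, not the Connector API.

```python
SUPPORTED_EVENTS = ("NEW_DEVICE", "DEVICE_DELETION")
DEFAULT_EVENTS = ("NEW_DEVICE",)


def parse_device_events(setting):
    """Return the ordered tuple of events to subscribe to.

    Accepts 'NEW_DEVICE', 'NEW_DEVICE,DEVICE_DELETION' or
    'NEW_DEVICE , DEVICE_DELETION' (whitespace around the separator is
    tolerated, as in the note above). None or a blank string yields the
    NEW_DEVICE default. Unknown names raise instead of being ignored, so a
    typo in the realm setting does not leave a realm without callbacks."""
    if setting is None or not setting.strip():
        return DEFAULT_EVENTS
    events = []
    for raw in setting.split(","):
        name = raw.strip().upper()
        if not name:
            continue  # tolerate a trailing comma
        if name not in SUPPORTED_EVENTS:
            raise ValueError(f"unsupported deviceEvents entry: {raw.strip()!r}")
        if name not in events:
            events.append(name)
    return tuple(events) or DEFAULT_EVENTS


class ConnectorEventScheduler:
    """Minimal model of the scheduler life cycle (constructed): register()
    subscribes every configured event, remove() unsubscribes all of them.
    'subscribe' and 'unsubscribe' stand in for the real connector client."""

    def __init__(self, realm_settings, subscribe, unsubscribe):
        self.events = parse_device_events(realm_settings.get("deviceEvents"))
        self._subscribe = subscribe
        self._unsubscribe = unsubscribe
        self.active = set()

    def register(self):
        for event in self.events:
            self._subscribe(event)
            self.active.add(event)

    def remove(self):
        # Every event that was subscribed is released, not only NEW_DEVICE.
        for event in sorted(self.active):
            self._unsubscribe(event)
        self.active.clear()
```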

Changed

  • The 1FA authenticator has been stabilized.
  • The characters i, l, L, o and 0 are no longer used when generating the initial password.

Fixed

  • AWS KMS Key Provider - the missing dependency has been added to fix a ClassDefNotFoundError.
  • IBM Key Provider - the missing email template has been added to fix an issue when sending the CSR by email.
  • If a client scope name matches a KOBIL policy name, the client scope no longer needs to be explicitly added to the client to be used in OIDC flows.
  • In Keycloak 15, a token obtained with grant_type=client_credentials does not create a session or a refresh token, which broke the Digitanium APIs that trigger a kobil-event. This issue has been fixed.
  • Added support for masking the password in the Credentials tab of the Keycloak Admin UI.
  • A Token Exchange service provider has been added.
  • Fixed an issue where the auto-generated One Time Password size was not applied in KOBIL User Password Registration.
  • Fixed the Support Tool search: a user was not fetched when searching by username alias with a search filter.

Components Updated

  • Connector Version : 2.3.1
  • Pooler Version: 2.3.0

2.0.0

Date: 13.09.2021

Keycloak Core Version - 15.0.0

caution

Database backward compatibility is not supported when downgrading Keycloak from a higher to a lower version.

info

This release upgrades Keycloak Core to version 15 and incorporates performance enhancements and bug fixes.

important

Known Issue:

When multiple client scopes are requested and the list includes kobil oneshot or kobil password, the other scopes in the list are also granted when a token is created via the Authorization or Token endpoint, instead of the request being refused. According to Keycloak 15 behaviour, only client scopes that have been explicitly added to the client should be permitted. A patch for this issue will be included in the next version.

important

Known Issue:

Due to changes in Keycloak 15, the AST Setup API (Digitanium API /apps/preface/setup) is currently not usable. Starting with Keycloak 10, certain response codes require that a response body is always present. With the latest Keycloak images the AST Setup API returns an empty response body and therefore fails.

This problem may also affect other APIs that return an empty response body. These APIs will be updated in forthcoming IAM releases.

important

Known Issue:

The LDAP User Synchronization API is expected to synchronize a user from LDAP and return the user information for the specified username. LDAP synchronization means that if the user data in the IDP differs from the data in LDAP storage, the IDP is updated.

Since the Keycloak 15 upgrade this API does not work as intended: even if the user exists in LDAP and in the IDP, it returns "user doesn't exist" for LDAP users.

This API will be updated in a forthcoming IAM release.

important

Known Issue:

In Keycloak 15, General Settings and SMS Configuration are empty when a new realm is imported. This issue will be fixed in a forthcoming IAM release.

Added

  • Extensions have been migrated to the event listener. During tenant creation the following extensions are now handled by the event listener:
    • AuthFlow Creation
    • mPower Client Creation
    • Connector-API setup
    • Forgot password flow
    • Role Creation
    • UpdateAccountClient

Changed

  • Keycloak has been updated from version 9.0.0 to version 15.0.0.
  • Modified the well-known API to accommodate the updated response format of Keycloak 15.0.0.
  • Renamed application.keystore to keycloak.keystore; it is located in the certs folder for docker-compose or in secrets.yaml for Helm.
  • The MySQL drivers have been updated for Keycloak 15.0.0.
  • Provided backward compatibility with Keycloak 15.0.0 for the KOBIL PAM authenticator's KOBIL_Password and KOBIL_Oneshot scopes.
  • TokenManager has been removed from the KOBILIAM class as part of the migration. The timestamp updates and checkTokenValidForIntrospection should be migrated to the OpenShiftTokenReviewEndpoint.

Fixed

  • Fixed vulnerabilities in the KOBIL IAM project.
  • Fixed a null pointer exception that occurred during phone registration, in the KOBIL Change Phone authenticator and in the phone registration required action.
  • Fixed a text issue in the OTP brute force alert message shown when the maximum number of OTP attempts is reached.
  • Fixed an infinite loop during LDAP sync with OpenLDAP when olcSizeLimit is set.
  • Fixed an issue with uppercase character validation on the user registration email page.
  • Fixed a ConcurrentModificationException in the Keycloak sanitizer method array and in consent list retrieval.

Components Updated

  • Connector Version : 2.2.0
  • Pooler Version: 2.2.0

1.32.0

Date: 11.07.2022

Keycloak Core Version - 9.0.0

Added

  • Added additional parameters to the transactional message of the KOBIL Verify authenticator, including the IP address, browser name and timestamp.

  • Added a configuration option to generate a custom QR code in the KOBIL QR authenticator.

  • Created the Get Users Based On Client Role Digitanium API, which fetches users based on the roles associated with the given client.

  • Added a configuration option for a dynamic page title and info text in the Account - KOBIL Change Password authenticator.

  • Added a configuration option to display an error page when no devices are activated in the KOBIL Verify authenticator.

  • In the KOBIL Consent Manager authenticator, added a configuration option that displays the consent description on the consent acceptance screen in the KOBIL V2 theme.

Fixed

  • When the consent scope was set to local or global in the KOBIL V2 theme, the KOBIL Consent Manager authenticator threw an unexpected error on the consent acceptance screen. This has been fixed.

  • When a user triggers multiple verification emails, only the most recent email is now active and accepted; all earlier emails are invalidated. Previously every triggered email remained active.

  • Fixed the OTP Brute Force Get User Status API: previously a correct response was only returned if both login and OTP brute force protection were enabled in the admin console. Now the correct response is returned whenever OTP brute force protection is enabled, regardless of the login brute force setting.

  • Fixed an issue in the KOBIL QR authenticator: in the event of a server error the QR verification screen now redirects accordingly. Previously the verification screen with QR scanning was still shown.

Changed

  • During a transaction in the KOBIL Verify authenticator a web page was loaded. This has been refactored into an AJAX request so that no page load occurs while a transaction is in progress.

  • Reloading the page during a transaction in the KOBIL Verify authenticator used to trigger a new transaction. It now shows a cancel transaction page instead.

  • Extended client search in the IAM dashboard: clients can now be searched by Client ID and Client Name.


1.31.0

Date: 11.02.2022

Keycloak Core Version - 9.0.0

Added

  • Use the Get Tenant Settings API to fetch the realm settings of a particular realm.

  • Support tool: pagination support has been added to the search page in the KOBIL V2 theme.

  • For security reasons, sensitive data is now masked in event listener and SCP service logs.

  • The Get Users Based on Role API returns the list of users who have the specified role, ordered alphabetically by username.

Fixed

  • The Create User, Update User and Delete User Digitanium APIs now store admin events with the correct user representation in the event logs when admin event storage is enabled in the Keycloak dashboard.

  • Support tool - search user issue: a user without any attributes was not displayed in the search results. This has been fixed.

  • In the KOBIL Create SSMS User authenticator, an IllegalStateException thrown during the store admin events call has been fixed. From this version the create user event is persisted with the necessary auth and user representation when admin event storage is enabled in the Keycloak dashboard.

  • When password validation fails in the KOBIL Login authenticator, the error screen now displays the username instead of the user ID.

  • Fixed the DB error ORA-00923: FROM keyword not found where expected on the health check page for the oracle_servicename database vendor.

Changed

  • For the Digitanium APIs mPowerChat Attachment, Start Signature and mPowerChat Message, if no Identity Operator password is defined for the requested tenant, the null ID (0000000000000000) is set in the Authorization field of the mPower Messaging API calls.

  • For the Digitanium APIs Create Payment Transaction, Cancel Payment Transaction and Refund Payment Transaction, if the Tenant Service Providers (operator, partner, information, backend) are not available, the null ID (0000000000000000) is set in the merchantServiceProviderUUID field.

  • Support tool: user actions are enabled only when the support user has the appropriate role. For example, the RESET USER action button on the profile screen is displayed only when the support user has the support-manage-profile role.


1.30.0

Date: 09.11.2021

Keycloak Core Version - 9.0.0

info

Incorporated performance enhancements and bug fixes through this release.

Added

  • The redirectUri parameter can be used to pass a redirect URL to the FTL.
  • Added the brute force user unlock time as an attribute for the FTL in the mTAN authenticator.
  • Wherever SSMS credentials are received and connector API calls are made, the realm name is now used instead of the realm ID.
  • Pagination has been added to the Support Tool's user search.
  • Support tool - after a user search completes in the backend, the first and max results values are attached to the search response that is delivered to the frontend.
  • Email templates now load images and fonts from resource paths.
  • Added JPA queries to filter users in the Keycloak database.
  • The JPA queries have been optimized.
  • Added the support tool info text for the info icon.
  • Support tool - a JPA query to search users by name and attribute has been added.
  • The authenticator configuration now has a data field for the app name and a value.
  • Obtaining the real client IP from Nginx in Keycloak 9.
  • Nginx has been updated to stable version 1.20.1-alpine.
  • External SMS provider support has been added for the KOBIL Phone Registration and Account - KOBIL Change Phone authenticators.
  • When adding and updating users, a hash of the access token is generated and logged.
  • Added an option to configure the Email Action Token Handler in the Account - KOBIL Change Email authenticator.

Changed

  • In the 1FA authenticator, the static variables were replaced with private instance variables.
  • The characters i, l, L, o and 0 are no longer used when generating the initial password.
  • trustore.jks has been updated to support the existing ssms.aws1.kobil.com.
  • Irrelevant code was removed from the FTL files.
  • Removed the 1FA headless validation of the username.

Fixed

  • Support tool - fixed the bug in the reset user actions described in the external support provider.
  • Fixed an endless error loop at a particular step during registration.
  • Fixed an issue where the auto-generated One Time Password size was not applied in KOBIL User Password Registration.
  • Fixed the Support Tool search: a user was not fetched when searching by username alias with a search filter.

Components Updated

  • Connector Version : 2.3.1
  • Pooler Version: 2.3.0

1.29.0

Date: 14.09.2021

info

We have added headless themes and support for headless-webview for 1FA authenticators through this release.

Added

  • In KOBIL Login and KOBIL mTAN authenticator, headless themes and support for headless-webview have been included.

1.28.2

Fixed

  • Fixed Connector API invocation issues during load tests with multiple tenants.

1.28.1

Changed

  • Added non-root support for OpenShift.

1.28.0

Added

  • API support for dynamic roles and UMA validation with two scopes for every dual operation, i.e. an operation that can be performed both by the user on their own account and by an admin user. For example, the Update User API can be called by the user themselves as well as by an admin user.
    • One scope for SELF update, for example: users:update:self
    • One scope for GENERIC update, for example: users:update
  • Migration API to migrate existing UMA clients
    Request Method: PUT
    Request URL: https://{hosturl}/digitanium/v3/apps/uma
    Request Body: NOT APPLICABLE

Note: the user role is bound to the SELF scopes, whereas the admin role has the SELF + GENERIC scopes.
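
The following is an added example, not KOBIL IAM code, of the authorization decision behind the SELF / GENERIC scope pair described above, generalized to any dual operation. The decoded-token shape ('sub' and a space-separated 'scope' claim) and the function names are constructed; the scope naming follows the release note.

```python
def required_scope(operation, caller_user_id, target_user_id):
    """Return the scope a request needs for a dual operation.

    operation is a (resource, action) pair such as ("users", "update").
    A call that targets the caller's own record needs only the SELF scope
    (users:update:self); a call that targets anyone else needs the GENERIC
    scope (users:update)."""
    resource, action = operation
    base = f"{resource}:{action}"
    return f"{base}:self" if caller_user_id == target_user_id else base


def authorize(token_claims, operation, target_user_id):
    """Decide whether the bearer of token_claims may perform operation on
    target_user_id.

    The GENERIC scope always suffices. The SELF scope suffices only when the
    token's 'sub' equals the target, so a user holding users:update:self cannot
    reach another account merely by knowing its id. A token without 'sub' is
    never treated as matching anyone."""
    caller = token_claims.get("sub")
    if not caller:
        return False
    scopes = set(token_claims.get("scope", "").split())
    needed = required_scope(operation, caller, target_user_id)
    generic = ":".join(needed.split(":")[:2])
    return generic in scopes or needed in scopes
```

The check deliberately derives the needed scope from the target, not from the caller's role name, so the same code serves a user token (SELF only) and an admin token (SELF + GENERIC) as the note describes.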

Changed

  • GET Admin Users - this API's performance has been improved.
  • Revoke Roles API - enhanced so that realm roles assigned to the user can also be revoked.
    Request Method: DELETE
    Request URL: https://{tenantId}.{hostname}/digitanium/v3/users/{userid}/role
    Request Body:
    {
      "clientRoles": {
        "client_Name": ["client_role1", "client_role2", "client_role3", "client_role4"]
      },
      "realmRoles": ["realm_role1", "realm_role2"]
    }

Fixed

  • KOBIL V2 theme - KOBIL Email Confirmation authenticator - fixed the "I don't have access to the email" button issue.
  • KOBIL V2 theme - KOBIL mTAN Confirmation authenticator - fixed the "I don't have access to the cell phone" button issue.
  • KOBIL Alias Username Registration authenticator - fixed the rename user issue in the IDP.
  • GET Admin Users API - fixed a timeout error.
  • Fixed the user status check on the IAM health page.

1.27.0

Added

  • A new realm setting, EnableForgotPassword, has been added to enable the forgot password option at authenticator level. If this option is set to True, clicking the forgot password link redirects to the reset credentials flow.

    Note: if the realm setting is not present, the authenticator-level setting is used.

  • KOBIL V2 theme for the KOBIL Username Password Form authenticator.

  • New API added for creating apps in SCP-Presence and for removing auto-created apps in new tenants.

    • The individual API calls are listed below:

      Request Method: GET
      Request URL: https://{hosturl}/digitanium/v3/service/apps

      Request Method: PUT
      Request URL: https://{hosturl}/digitanium/v3/service/apps/{tenantId}/{appId}

      Request Method: GET
      Request URL: https://{hosturl}/digitanium/v3/service/apps/{tenantId}/{appId}

      Request Method: DELETE
      Request URL: https://{hosturl}/digitanium/v3/service/apps/{tenantId}/{appId}

Changed

  • Made a text change in KOBIL v2 theme from Kobil Systems GmbH to KOBIL GmbH.

Fixed

  • Fixed a Create User API issue so that users can be created by digitaniumUserID without a case-sensitivity restriction.
  • Fixed the cancel transaction issue so that a transaction is cancelled when the cancel button is clicked in the browser.
  • Fixed a token mismatch issue in the KOBIL Verify authenticator; previously the token displayed in the browser and the token received on the mobile device did not match.
  • Fixed a transaction issue in the KOBIL Verify authenticator.
  • KOBIL mTAN authenticator - fixed the OTP validation issue for user login.
  • KOBIL Contact Admin and KOBIL Display Username authenticators - fixed a page redirection issue when clicking the login button.
  • KOBIL Phone Registration and KOBIL Email Registration authenticators - fixed the edit icon so that the phone number/email can be edited.
  • Account - KOBIL Change Password authenticator - fixed the display of the maximum password length according to the authenticator configuration.

Components Updated

  • Pooler Version: 2.1.0
  • Connector Version : 2.1.0

1.26.0

Added

  • KOBIL Login authenticator - added the Enable Forgot Password option.
    • Enable this option to offer a forgot password flow in case the user has forgotten the password.
  • Added a new error page that asks users to enable cookies/JavaScript when the browser blocks them.
  • Reset User - event logs related to the user are cleared when reset user is called.

Changed

  • Phase 2 -> account management is now compatible with the mobile view, including a navigation menu to switch between the various menu items.

Fixed

  • Fixed the KOBIL Verify authenticator activation instruction issue: the configured activation instruction is displayed; if none is configured, the default instruction for activating a new device is displayed.
  • Fixed the WildFly unique node warning.
  • Revoke Client Roles API - fixed the deletion of composite client roles.
  • Get Users API - fixed searching for users by query parameter.
  • Fixed the password field text overlap in the KOBIL Login authenticator, and truncated UI elements in the KOBIL Verify authenticator and the KOBIL logo.

1.25.1

Fixed

  • Resolved an issue when fetching users through the Get Users API.

1.25.0

Added

  • New API added - Search User By User Attribute - API to search for and fetch the list of users by a user attribute.
    Request Method: GET
    Request URL: https://{hosturl}/digitanium/v3/users/search/attribute?key={attribute_name}&value={attribute_value}

    Note: when the value contains a plus sign (+), for example a phone number, make sure it is URL-encoded as %2b, otherwise it is interpreted as a space. For example, to search for the phone number +123456, use %2b123456.

  • Added the "tokenHandlerType" parameter to the Verify Email API request body to set a dynamic token type for the verify email token handler.
    Request Parameter: "tokenHandlerType":"{your_custom_action_handler_token_name}"
    This parameter is optional.
  • Added the new events INVALID_LOGIN and INVALID_LOGIN_ERROR to track users' invalid login attempts.
  • KOBIL Email Registration - added the Disable email editing option.
    • If this option is Enabled, the email edit icon is removed.
    • If this option is Disabled, the email edit icon is displayed.
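
The following is an added example, not KOBIL IAM code, of building the Search User By User Attribute request so that a value containing '+' reaches the server intact, as the note above requires. The host name and attribute values are constructed; the path is the one documented above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote


def attribute_search_url(host_url, attribute_name, attribute_value):
    """Return the GET URL for /digitanium/v3/users/search/attribute.

    urlencode percent-encodes every reserved character in the value, so '+'
    becomes %2B (the note's %2b; hex case does not matter). quote_via=quote
    additionally writes spaces as %20 rather than '+', which keeps the
    encoded value unambiguous when read by eye or in logs."""
    query = urlencode({"key": attribute_name, "value": attribute_value}, quote_via=quote)
    return f"{host_url.rstrip('/')}/digitanium/v3/users/search/attribute?{query}"


def server_side_value(url):
    """The 'value' a server sees after standard query-string decoding. Used
    here to show why a raw '+' in the URL never matches a stored +123456."""
    return parse_qs(urlsplit(url).query)["value"][0]
```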

Changed

  • Phase 1 -> account management compatible with mobile.
  • The AMR claim is now an array of strings; previously Keycloak set amr as a single string.

    Note: make sure consumers of the AMR claim are updated to handle an array of strings, otherwise unexpected issues may occur.
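
The following is an added example, not KOBIL IAM or Keycloak code, of relying-party handling of the AMR claim across the change above, accepting both the old string shape and the new array shape so that an authentication-method check behaves identically for tokens issued before and after this release. The sample payloads are constructed.

```python
import json


def amr_values(claims):
    """Return the AMR claim as a list of strings whatever shape it arrived in.

    Tokens issued before this release carry "amr" as a single string, later
    ones as an array. A missing claim yields []. Any other type is rejected
    rather than coerced, so a consumer never ends up comparing a list against
    a string, which is what silently breaks when only one shape is expected."""
    amr = claims.get("amr")
    if amr is None:
        return []
    if isinstance(amr, str):
        return [amr] if amr else []
    if isinstance(amr, list) and all(isinstance(v, str) for v in amr):
        return list(amr)
    raise TypeError(f"unexpected amr claim type: {type(amr).__name__}")


def satisfies_methods(claims, *required):
    """True only if every required authentication method is present, e.g.
    satisfies_methods(claims, "pwd", "otp") for a two-factor requirement.
    Membership is tested on the parsed list, so the check behaves the same
    for both token shapes."""
    present = set(amr_values(claims))
    return all(method in present for method in required)


# Constructed sample payloads, one per token shape.
OLD_STYLE_CLAIMS = json.loads('{"sub": "u-1", "amr": "pwd"}')
NEW_STYLE_CLAIMS = json.loads('{"sub": "u-1", "amr": ["pwd", "otp"]}')
```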

Fixed

  • Fixed KOBIL OTP V2 theme edit icon UI issues.

Known Issue

  • Get Users API - Not fetching the list of users.

1.24.0

New Features

  • New support tool role support-admin added; it lets a support admin view the "audit" details in the support tool.
  • New API added - User Logout - API to log a user out. The ssms query parameter (true/false) decides whether the user is also logged out from SSMS.
    Request Method: PUT
    Request URL: https://{hosturl}/digitanium/v3/users/{userid}/logout?ssms=true
  • Added transaction callback support along with the callback header.
  • New API added - LDAP User Synchronisation - API to synchronize a user from LDAP.
    Request Method: GET
    Request URL: https://{hosturl}/digitanium/v3/users/{userid}/ldap/sync

Bug Fixes

  • Fixed V2 theme UI issues.
  • Fixed multiple notification issues for device activation events.
  • Fixed the copy/paste OTP issue in the mTAN and email flows.
  • Removed the redundant Infinispan CACHE_OWNERS environment variable from the JGroups CLI files.
  • Fixed the delete user issue when the user property is set to ID and digitaniumUserId.
  • Fixed the LDAP user details synchronization issue.

Components Updated

  • Pooler Version: 2.0.2 (This change is mandatory for the device activation scheduler fix).
  • Connector Version : 2.0.4

1.23.0

New Features

  • New API added - Revoke Required Actions - API to revoke the required actions of a user.
    Request Method: DELETE
    Request URL: https://{hosturl}/digitanium/v3/users/(.*)/requiredaction
    Request Body:
    {
      "requiredActions": ["Action1", "Action2", …]
    }
  • KOBIL User Attribute Handler authenticator - added User Attribute Update and Remove options.
    • The authenticator receives a collection of attributes as JSON in the authenticator configuration and adds/removes attributes according to the supplied JSON. Backward compatibility with the single-attribute update has been preserved.
  • Support for Oracle DB on the health check page.
  • KOBIL V2 theme for the support tool and DE localization have been added.
  • Keycloak-metrics SPI, which exposes metrics at /auth/realms/master/metrics and can be enabled in the UI (Events -> Config -> Event Listeners, select metrics-listener).
  • KobilUserPasswordRegistration - triggers the following events when a new password is registered:
    • UPDATE_PASSWORD
    • INITIAL_PASSWORD_VALIDITY
    • INITIAL_PASSWORD_CREATION

Bug Fixes

  • KOBIL Login - fixed the user redirection issue for a locked user when the username is passed via a query parameter.
  • Fixed the transaction callback support issue: if a callback URL is present in the poll request the result is treated as true, otherwise (null or empty) as false.

1.22.1

Date: 25.11.2021

Keycloak Core Version - 9.0.0

info

Swagger Codegen CLI (v2.4.15) was previously used to auto-generate the Cloud Connector Client jar. It has now been replaced by the OpenAPI Generator tool.

Fixed

  • Cloud connector client plugin updated from 2.3.1 to 2.3.1.1 to fix an issue with the outdated OkHttp library in the Cloud Connector Client jar. The other Cloud Connector Client dependencies that changed as a result of the new OpenAPI Generator tool (v5.3.0) are listed below:
    • Swagger Annotations: Old - 1.5.17; Current - 1.6.2
    • Okhttp3: Old - 2.7.5; Current - 4.9.1
    • Logging interceptor: Old - 2.7.5; Current - 4.9.1
    • Gson: Old - 2.8.1; Current - 2.8.6
    • Gson Fire: Old - 1.8.0; Current - 1.8.5

Components Updated

  • Connector Version : 2.3.1
  • Pooler Version: 2.3.0

1.22.0

New Features

  • Create and Update User API extension: composite client roles are partially supported.
    Request Body: "clientRoles": {"client_name": ["client_role1", "client_role2"]}
  • New API added - Revoke Client Role API - API to revoke composite client roles from the specified user.
    Request Method: DELETE
    Request URL: https://{hosturl}/digitanium/v3/users/(.*)/role
  • KOBIL mTAN - added a maximum incorrect attempts parameter that is displayed on every retry, and a timestamp parameter that is returned when the user is locked after exceeding the maximum retry count.
  • Support Tool - localisation support.
  • Support Tool - reordered the menu according to the user flow.
  • Support Tool - the username is displayed at the top of each section.

Bug Fixes

  • Support Tool - tapping sign-out caused an internal server error.
  • KOBIL mTAN - removed the zero-prefix placeholder from the phone number request field.
  • Scheduler - fixed the device activation event unsubscribe issue.

Components Updated

  • Pooler Version : 2.0.1 (This change is mandatory for the device activation scheduler fix).

1.21.1

Improvements

  • Pooler upgraded to 2.0.1
  • Connector Events scheduler - the time to live (TTL) value for the event subscription has been updated to -1.

    Note: Earlier TTL value was configured as 300 seconds.

Bug Fixes

  • Connector Events Scheduler - once the scheduler is deleted, the Device Activation event is unsubscribed automatically.

1.21.0

New Features

  • Extended the mPower Service APIs to accept a new field, tags. This field has been added to all Create, Delete and Get API calls.
  • Added a new API to add/update realm settings. It can set or modify several values at once, supplied as JSON.
  • Added a new API to search users by a key. It works exactly like the user search in the IDP Admin UI.
  • Added options to lock, unlock and delete devices from the Support Portal.
  • Added options to display and revoke user consents from the Support Portal.

Improvements

  • Modified the validation messages in Account - KOBIL Change Password Authenticator.
  • Modified email template message in Account - KOBIL Change Email Authenticator for both Link and OTP flows.
  • Removed old password validation config from Account - KOBIL Change Password Authenticator.
  • Changed the status codes returned by all realm and user related APIs for unexpected error scenarios.

Bug Fixes

  • Fixed the phone_number attribute being stored as null in the phone number registration flow, specifically in the Required Action flow.
  • Disabled the password fields in the KOBIL tab under Realm Settings. These fields are enabled only if the test connection fails.
  • Fixed the display of device details in the support portal.

1.20.0

New Features

  • Option to enable/disable password policy validation of the old password during a password change. This is configured at the Account - KOBIL Change Password authenticator level.
  • Option to send a notification email in the Account - KOBIL Manage Devices authenticator.
  • Added brute force protection to the Account - KOBIL Change Email authenticator.
  • Localisation support was added to the verify email success page.
  • Support Portal - Phase 1, which includes the following features:
    • Option to create support clients and the corresponding roles.
    • Console to filter users by username, first name, last name and email.
    • Added support for extending the search properties through external providers.
    • Options to manage users and devices, which can be restricted to a specific role.

Improvements

  • Changed the log level of the dead events scheduler to DEBUG.

Bug Fixes

  • Fixed the username and tenant deletion issue in SSMS when deleting from the IAM UI.
  • Fixed the email update issue in the Account - KOBIL Change Email authenticator.
  • Fixed the mTAN SMS validation issue in cluster mode.
  •Schedulers - fixed the delete issue in cluster mode.
  • Fixed the removal of the user's email during the email verification flow.

Deprecated

  • Removed Migrate Client Policies API.

1.19.0

New Features

  • IBM Key Protect with elliptic curve keys.
  • Enabling/disabling the mail notification to the old email address during a change of email can be configured at the ChangeEmailAuthenticator level.

Improvements

  • New request body parameter added for the SendVerifyEmail API: "templateName":"filename.ftl"

Bug Fixes

  • Fixed the Alvi token signature verification issue with AWS KMS.
  • Fixed issues in the registration process when the user quits the flow part way through.
  • KOBIL Login (1FA) now works without any configuration.
  • Fixed a slow performance issue when UMA is enabled.

1.18.0

New Features

  • New Dead User Events Scheduler, which listens for dead user events that occur during user migration or because of SSMS connectivity issues and creates the user and activation code in SSMS when they already exist in IAM. A realm setting controls whether failures are pushed to the dead event bin:
    disableDeadEvent: if set to true, failed items are no longer pushed to the dead event bin.
  • New Dead Event Cleanup Scheduler, which deletes all dead events from the database based on the deadEventTTL value in the realm settings.
    deadEventTTL: controls the deletion of dead events by timestamp. The value must be a non-zero integer number of days; if nothing is specified it defaults to 7, i.e. 7 days.
    Example: if deadEventTTL is set to 2, then when the Dead Event Cleanup Scheduler is registered it deletes all dead events that were created 2 days ago or earlier.
  • Added the Result ACR Value option to the configuration settings of the KOBIL PAM, KOBIL Cookie and Condition - ACR KOBIL Cookie authenticators.
  • Account - KOBIL Manage Devices authenticator - added a device management configuration page where the admin can configure Enable Lock/Unlock Option, Enable Delete Option, Select Way of Next Step and Navigation URL. Whether to stay on the page or continue is controlled through the configuration.
  • KOBIL Username Password Form authenticator - added a Registration URL option to configure the user registration link and a Reset Credentials URL option to configure the forgot login details link. The default flow is used if no configuration is set.
  • Added support for supplying a trust store to the IDP component through volumes.
  • New API added - Client Policy Migrator API - API to migrate existing client policies to the updated policy format.
    Request Method: PUT
    Request URL: https://{hosturl}/digitanium/v2/apps/policies/migrate
  • New API added - User Logout API - added to the KOBIL extensions to support logging a user out from SSMS.
    Request Method: PUT
    Request URL: https://{hosturl}/digitanium/v3/users/{userid}/ssms/logout
  • Added a Login Url option to the Account - KOBIL Change Email and Account - KOBIL Change Password authenticator configuration settings; it provides a custom redirect URL on completing the change password or change email flow.
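
The following is an added example, not KOBIL IAM code, of the selection rule of the Dead Event Cleanup Scheduler described above together with the deadEventTTL parsing it depends on: absent means 7 days, and zero, negative or non-numeric values are refused rather than treated as "delete everything". The event records, their field names and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone


def dead_event_ttl_days(realm_settings):
    """Read deadEventTTL from the realm settings (stored as text).

    Absent or blank -> the documented default of 7 days. Non-numeric, zero or
    negative values are rejected: a TTL of 0 or less would make every dead
    event 'expired' and empty the bin on the scheduler's first run."""
    raw = realm_settings.get("deadEventTTL")
    if raw is None or str(raw).strip() == "":
        return 7
    try:
        days = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"deadEventTTL must be an integer number of days, got {raw!r}") from None
    if days <= 0:
        raise ValueError("deadEventTTL must be a non-zero positive number of days")
    return days


def select_expired(dead_events, realm_settings, now=None):
    """Return the ids of dead events created at or before now - TTL.

    Each event is a dict with 'id' and 'createdAt' (timezone-aware UTC)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=dead_event_ttl_days(realm_settings))
    return [event["id"] for event in dead_events if event["createdAt"] <= cutoff]


# Constructed sample: a fixed clock and three dead events of different ages.
NOW = datetime(2021, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEAD_EVENTS = [
    {"id": "evt-1", "createdAt": NOW - timedelta(days=9)},
    {"id": "evt-2", "createdAt": NOW - timedelta(days=2)},
    {"id": "evt-3", "createdAt": NOW - timedelta(hours=6)},
]
```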

Improvements

  • Realm settings restricted to 255 characters - changed the alert message.

Bug Fixes

  • Fixed the Start Signature Transaction API response code: a successful transaction now returns 200 instead of 400.
  • ListUsers API - fixed fetching records for large result sets.
  • Fixed the tenant creation issue with the Oracle database.
  • Fixed the policy sizing issue when storing a policy in the database.
  • mPower: fixed an issue in tenant creation.

Supported SSMS version

  • 3.X.X

1.17.0

New Features

  • New scheduler that listens for the Device Activation event and broadcasts the device activation to the IDP. To receive that event in a custom callback, set "deviceEventUrl" in the realm settings.
  • Added support for showing the first name and last name on the KOBIL Login authenticator page.
  • Added support for debugging IAM in the hosted environment.
  • KOBIL Username Password Form authenticator - included an additional option, "User Alias Attribute", in the authenticator config, where the admin can set the user attribute used for login validation.
  • Account - KOBIL Change Email authenticator - added an email configuration page where the admin can configure "Email Verification Code Length", "Email Verification Code TTL", "Show Email Confirmation", "Email Retry Delay" and "Email Verification Way". With "Email Verification Way" the admin selects the "OTP" or "Link" format for email validation.
  • Account - KOBIL Change Password authenticator - added a password configuration page where the admin can configure "Select Way of Next Step" and "Maximum length of a password". With "Select Way of Next Step" the admin selects the "Success" or "Continue" option for proceeding to the next step.
  • Added Amazon KMS support.

Improvements

  • Realm settings restricted to 255 characters - Realm settings accept any number of entries, but each entry is restricted to 255 characters.
  • The phone number region is updated when the phone number changes.

Bug Fixes

  • Fixed a bug in creating portal services during tenant creation in the Connector.

Components updated

  • mID Connector Version: 2.0.3

1.16.0

New Features

  • KOBIL Username Password Form authenticator - Included an option to configure "User Disabled Message" in the authenticator config, through which an admin can configure the alert message displayed when a user is disabled. If nothing is configured, the default message is displayed.
  • Added backward compatibility for the V2 APIs.

Improvements

  • KOBIL User Password Registration authenticator - Changed the timestamp format from milliseconds to epoch format for both creation and expiry.

Bug Fixes

  • Fixed the port number issue in the email verification link.
  • Fixed a login issue that occurred when all client policies were set to optional.
  • Fixed the timestamp issue in the KOBIL User Password Registration authenticator for "otp_expiry_timestamp" and "otp_creation_timestamp". The "otp_expiry_timestamp" is now set based on the authenticator configuration.

Deprecated Version

  • All APIs under digitanium/v2.

Components updated

  • mID Connector Version: 2.0.2
  • Pooler Version: 2.0.0
  • Digitanium Version: V3

1.15.0

New Features

  • KOBIL Username Password authenticator - Included an additional option "User Property for Login Validation" within this authenticator config where an admin can choose which user property the authenticator should use to perform login. If nothing is configured, the default is username.
  • Added a Health Check API to check KOBIL health status.
    GET https://<--HOST-->/auth/realms/master/health/check
  • KOBIL Username Password Form authenticator - Included an additional option "Invalid Credentials Message" with in this authenticator config where admin can configure the alert message for User credential invalid alert message, Default message will be displayed If no message is configured.
  • KOBIL User Registration authenticator - Included an additional option "Enable User" with in this authenticator config where admin can Enable or Disable, As if set to enabled then the user gets enabled after 4 field validation got success.
  • Added additional issuer validation during UMA. Set your additional issuers through key issuerUrls: <Multiple Issuer URL's separated by Comma>. This can be set in MASTER realm settings → settings. To support multi-tenant scenarios you can add issuer URL like this :
    https://<host>/auth/realms/{realm}
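The following is an added illustration of how such an issuer allow-list can be applied to an incoming UMA token; it is not KOBIL's code. It assumes the issuerUrls setting is a comma-separated list in which "{realm}" stands for the tenant realm of the request, and it assumes the issuer is matched as a whole string (not as a prefix) before any signing key is looked up. The sample token and issuer names are constructed.

```python
"""Exact-match issuer validation for UMA-protected APIs.

Added illustration only; this is not KOBIL's implementation. It assumes the
"issuerUrls" realm setting is a comma-separated list in which "{realm}"
stands for the tenant realm of the incoming request, as described in the
changelog entry above.
"""
import base64
import json


def parse_issuer_urls(setting: str) -> list:
    """Split the comma-separated setting, trimming whitespace and trailing slashes."""
    return [u.strip().rstrip("/") for u in setting.split(",") if u.strip()]


def expand_issuers(templates: list, realm: str) -> list:
    """Substitute the realm into every template.

    Realm names containing path or query delimiters are rejected so that a
    crafted realm cannot turn "realms/{realm}" into a different path.
    """
    if not realm or any(c in realm for c in "/?#%\\"):
        raise ValueError(f"unsafe realm name: {realm!r}")
    return [t.replace("{realm}", realm) for t in templates]


def issuer_allowed(iss: str, templates: list, realm: str) -> bool:
    """Whole-string comparison (a single trailing slash is tolerated).

    Prefix or substring matching would wrongly accept an issuer such as
    'https://idp.example.com/auth/realms/tenant-a.attacker.example'.
    """
    return iss.rstrip("/") in expand_issuers(templates, realm)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for the demo only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def unverified_claims(token: str) -> dict:
    """Decode the payload only to read 'iss'.

    The issuer is matched against the allow-list before any key lookup;
    signature verification then uses that issuer's keys, never a key set
    chosen by whatever the token itself names.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_issuer_allowed(token: str, setting: str, realm: str) -> bool:
    """End-to-end check: parse the setting, read 'iss', compare exactly."""
    try:
        iss = unverified_claims(token).get("iss", "")
    except (ValueError, json.JSONDecodeError):
        return False
    return isinstance(iss, str) and issuer_allowed(iss, parse_issuer_urls(setting), realm)


if __name__ == "__main__":
    SETTING = ("https://idp.example.com/auth/realms/master, "
               "https://idp.example.com/auth/realms/{realm}")
    good = make_unsigned_token({"iss": "https://idp.example.com/auth/realms/tenant-a", "sub": "u1"})
    bad = make_unsigned_token({"iss": "https://idp.example.com/auth/realms/tenant-a.attacker.example", "sub": "u1"})
    print(token_issuer_allowed(good, SETTING, "tenant-a"))  # True
    print(token_issuer_allowed(bad, SETTING, "tenant-a"))   # False
    print(token_issuer_allowed(good, SETTING, "tenant-b"))  # False: another tenant's issuer
```

The realm placeholder is expanded per request, so a token issued for tenant-a is not accepted on a tenant-b API even though both match the same template; the master realm entry is accepted for every tenant because it carries no placeholder.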

Improvements

  • The attribute "phone" has been be replaced to "phone_number".
  • disableUMA:true disables UMA for all API’s which can be accessed from MASTER realm settings → settings. For enabling UMA, it's not mandatory to set this flag as false in settings as UMA is enabled by default.

Bug Fixes

  • Fixed an issue in the KOBIL Email Registration authenticator in the flow where the user has an email ID that is not yet verified.

1.14.0

New Features

  • Added support for sharing the Email / SMS provider and Email / SMS settings from the Master tenant to sub-tenants. If no configuration has been set for a sub-tenant, it uses the configuration of the Master tenant.
  • Added brute force support for the mTAN OTP retry counter. Previously, every authenticator incremented its own OTP retry counter, which could block the user; the counter is now reset for a new session.
  • Added a Copy Feature option to copy authentication flows and registered required actions from the Master tenant to the respective sub-tenants.
  • Added support for a Scheduler provider within Keycloak.
  • Added a Required Action page in the Verify Email flow.
  • The email logo is now configurable from Realm settings.
  • Following the email verification flow, the user remains on the same screen, which says the device is not activated, until the user's device activation succeeds.
  • Added new flags "disableUMA" and "emailLogo" in MASTER settings for ease of use.
  • Added a new parameter "enableMtan" to Realm Creation. If set to true, the authentication flow named MPOWER_APP_FLOW has KOBIL MTAN FLOW enabled. It defaults to false, so KOBIL MTAN FLOW is added but remains disabled.

Improvements

  • Updated the Transaction parameters, which include a configurable message, timeout, push notification message and appstore/playstore link details, at the KOBIL Verify Authenticator level.

Bug Fixes

  • GetUserDevices now returns all online and offline devices.
  • Included KOBIL V2 theme UI fixes for all authenticators.
  • Fixed 'iat' from string to timestamp format, along with the ziestempal mapper.
  • The following digitanium attributes, digitaniumUserIdDelete, digitaniumActivationCode, digitaniumClearActivation, digitaniumActivationValidity, digitaniumActivationSecret, digitaniumCallbackUrl and digitaniumRequiredAction, are no longer displayed in user attributes, and the temporary attribute digitaniumActivationCode is deleted from Keycloak once added to SSMS.
  • Fixed the unexpected error issue in the Kobil QR authenticator.
  • Changed the response body and response code in the Kobil_oneshot PAM authenticator for Riskbit validation.
  • Fix implemented to ensure that telephone and username attributes are propagated to the mPower SCP address book when importing users from LDAP.
  • Fix implemented to ensure that a success response is not returned unless the scope-based required actions are satisfied and complete.

1.14.0-beta.169

New Features

  • Added support for sharing the Email / SMS provider and Email / SMS settings from the Master tenant to sub-tenants, in case the sub-tenants do not have their own settings configured.

Bug Fixes

  • GetUserDevices returns all the online and offline devices.
  • Included KOBIL V2 theme UI fixes for all authenticators.

1.13.0

Features

  • Added a Refund transaction API for mPay payments.
  • Phone number registration Required Action is included.
  • RiskBits management is enabled in the PAM Kobil_oneshot and KOBIL ONESHOT authenticators to check riskbits and restrict user login based on risk level.
  • Added support for the base forgot password flow in IAM core.

Improvements

  • KOBIL mTAN - SMS configuration has been deprecated at the authenticator level and moved to realm settings.
  • mPay Cancel transaction API - Request body parameters and the mPay cancel transaction URL are updated.
  • mPay transaction Status API - Request body parameters are updated.
  • “Execute one time” option is included in the configuration for KOBIL mTAN.
  • Send EMail - Required actions settings configuration support is included.
  • The “Birthdate” required action keyword has been changed to “birthdate”.

Bug Fixes


1.13.0-beta.142

Features

  • Phone number registration required action is included.
  • RiskBits management is enabled in the PAM Kobil_oneshot and KOBIL ONESHOT authenticators to check riskbits and restrict user login based on risk level.

Improvements

  • “Execute one time” option is included in the configuration for KOBIL mTAN.
  • Added support to configure required actions through Email.

Bug Fixes


1.13.0-beta.134

Features

  • Added a Refund transaction API for mPay payments.

Improvements

  • KOBIL mTAN - SMS configuration has been deprecated at the authenticator level and moved to realm settings.
  • mPay Cancel transaction API - Request body parameters and the mPay cancel transaction URL are updated.
  • mPay transaction Status API - Request body parameters are updated.

Bug Fixes

  • Fixed an issue with KOBIL Offline OTP.

1.12.1

Features

  • Added an option under Realms for Global settings.
  • Added ECDSA self-import certificate support.

Improvements

  • Added a new parameter merchantUserId to the mPay Create Payment Transaction API to identify the admin ID used for authorization token creation.
  • New parameter referenceNumber added to the mPay Create Payment Transaction API, where a merchant can provide a custom reference number for easier tracking.
  • All individual authenticators and extensions are organized into a single project to reduce build time.

Deprecated/Removed features

The following required actions for user login have been removed to avoid redundancy.

  • Kobil-1fa-required-action
  • Kobil-2fa-required-action
  • Kobil-otp-required-action
  • Kobil-qr-required-action

1.12.0

Features

  • Kobil Username Password Form Authenticator:
    • User login form with brute force logic added, with a configurable message showing the lockout period for the disabled user.
    • Validation of temporary one-time password credentials for the user added.
  • Riskbits detection for the Kobil Oneshot Authenticator.
    • Validation of devices based on their risk levels for device transactions during login. Rooted/unsafe devices are denied login.

Improvements

  • Client Policy:
    • Support for an empty policy list added to the Policy Validator Required Action.

1.11.0

Features

  • Client Policy Validation, implemented using the Policy Validator Required Action. Policies can be defined for a client, each having one or more conditions, under Client -> Kobil Policy. Mandatory policies must be satisfied by the user for a successful login, and the policy is set in the user's client scope. Optional policies that the user fails do not block the login, but the scope for that policy is not set.
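The following is an added illustration of the mandatory/optional policy semantics described above; it is not the Policy Validator Required Action's own code. It assumes that the scope granted on success carries the policy's name, and the policy names, condition attributes and sample users are constructed for the example. It also shows the two edge cases a validator has to get right: an empty policy list and a set of policies that are all optional must both let the login proceed.

```python
"""Mandatory vs optional client policy evaluation.

Added illustration of the behaviour described in the changelog; it is not
the Policy Validator Required Action's code. Policy names, condition
attributes and users are invented, and the scope name is assumed to equal
the policy name.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Policy:
    name: str                 # also used as the client scope granted on success
    mandatory: bool
    conditions: List[Callable[[dict], bool]] = field(default_factory=list)


@dataclass
class Decision:
    login_allowed: bool
    granted_scopes: List[str]
    failed_mandatory: List[str]
    failed_optional: List[str]


def evaluate_policies(policies: List[Policy], user: dict) -> Decision:
    """Every condition of a policy must hold for that policy to be satisfied.

    A failed mandatory policy blocks login; a failed optional policy only
    withholds its scope. With no policies, or with only optional policies
    failing, login proceeds and simply no policy scope is set.
    """
    granted, failed_mandatory, failed_optional = [], [], []
    for policy in policies:
        satisfied = all(cond(user) for cond in policy.conditions)
        if satisfied:
            granted.append(policy.name)
        elif policy.mandatory:
            failed_mandatory.append(policy.name)
        else:
            failed_optional.append(policy.name)
    return Decision(not failed_mandatory, granted, failed_mandatory, failed_optional)


# Constructed sample policies; the user attribute names are assumptions.
SAMPLE_POLICIES = [
    Policy("email_verified", mandatory=True,
           conditions=[lambda u: u.get("emailVerified") is True]),
    Policy("device_trusted", mandatory=True,
           conditions=[lambda u: u.get("deviceRisk") in ("low", "medium"),
                       lambda u: u.get("deviceActivated") is True]),
    Policy("premium", mandatory=False,
           conditions=[lambda u: "premium" in u.get("groups", [])]),
]


def decide(user: dict) -> Decision:
    """Evaluate the constructed sample policies for one user."""
    return evaluate_policies(SAMPLE_POLICIES, user)


if __name__ == "__main__":
    ok_user = {"emailVerified": True, "deviceRisk": "low",
               "deviceActivated": True, "groups": []}
    rooted_user = {"emailVerified": True, "deviceRisk": "high",
                   "deviceActivated": True, "groups": ["premium"]}
    print(decide(ok_user))      # allowed; scopes email_verified, device_trusted; premium withheld
    print(decide(rooted_user))  # denied: device_trusted is mandatory and failed
```

Note that the optional policy still contributes its scope when satisfied, even on a login that is ultimately denied by a mandatory policy; a real validator must make sure no token is issued in that case, which is why the decision is computed as a whole before any scope is written.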

1.10.0

Features

  • Added a new API to verify user creation status in the IAM, SSMS and mPower components.
  • All KOBIL authenticators now handle brute force attacks.
  • Added the ACR of the respective authenticator to the token scope.

Improvements

  • Upgraded mID Connector from version 1.3.2 to 1.4.1.
  • The Token API with the refresh_token grant will not refresh a token for the scope offline_access with an ACR greater than. This restriction applies only if the client has kobil_secured_refresh as an optional scope.
  • Extended the mPower externalApp service API to store Android and iOS package names.
  • KOBIL QR and Oneshot authenticators are now compatible with Id as the SSMS User Property.

Bug Fixes

  • Fixed the device management options on the user account page.

1.9.0

Features

  • Introduced mPower payment APIs.
  • Added APIs for creating and deleting realm roles.
  • A new authenticator condition, Condition - KOBIL Scope, is introduced.
  • Introduced an API to update a user.
  • Created an option to enable/disable person-to-person chat in mPower.
  • Introduced an API to upgrade mPower affiliations.

Improvements

  • The Test connection feature in the KOBIL tab now works for sub-tenants as well when logged in with Master.
  • KOBIL Verify and Offline OTP authenticators are now compatible with Id as the SSMS User Property.
  • The KOBIL Cookie authenticator now works by receiving the token as a query parameter.
  • Improved KOBIL mTAN to restrict the resend OTP option to 3 times only. Also, the timeout value in the configuration has been changed from minutes to seconds, so make sure to edit the mTAN configuration after this update.
  • The Update user API updates mPower static attributes as well.

Bug Fixes

  • Fixed the issue of the username being converted to lowercase while creating a user.
  • Fixed the issue with syncing user email, first name and last name attributes to mPower from LDAP.
  • Fixed a null value issue while creating mPower external app services.

1.8.3

Features

  • Added support for LDAP
    • Extended LDAP functions to sync users to SSMS and the Address book
    • Added support to sync LDAP users with SSMSUserProperty set to id
    • Added support for on-demand user creation from LDAP
  • Introduced new APIs to initiate chat messages from IAM to mPower services/users.
  • Added callback support to mPower chat APIs

Improvements

  • User creation from the Admin UI now works when the SSMS User Property is set to id
  • Added a confirmation message before updating the SSMS User Property from the UI
  • Added an API to help existing tenants/users to adopt UMA

Bug Fixes

  • Fixed an SSMS credentials reset issue that occurred while updating the SSMS User Property.
  • Fixed multiple appearances of KOBIL Logo in certain screens during login flow.

1.8.2

Features

  • Added a KOBIL Tab to Realm Settings, where you can manage the realm-related SSMS settings.
  • Added an option to control which property of the user is saved in SSMS; the available options are username, user ID and the digitaniumUserId attribute.
  • Moved digitanium APIs to version 2

Improvements

  • Added a new API to create a UMA (User Management Access) access client
  • KOBIL LOGIN and VERIFY authenticators now take the REST connector URL from an environment variable, so mentioning the URL in the authenticator config is optional
  • All APIs from version 2 are UMA enabled, so without proper UMA access the APIs are not accessible

1.8.1

Features

  • Authenticator
    • Added new Condition - ACR KOBIL Cookie
  • Health check
    • Health check periodically triggers functional tests to show the current operational status of the mID Provider (IAM)

Improvements

  • mID Provider (IAM) Login Theme - Improved to support mobile devices