
Releases: SAP/cloud-security-services-integration-library

Version 2.16.0

09 Nov 12:02
34fceeb
  • [env]
    • add Environment#getServiceConfigurationsAsList to retrieve all service configurations as lists mapped by service (XSUAA/IAS)
  • [spring-security]
    • IdentityServicesPropertySourceFactory now populates Spring properties with ALL Xsuaa configurations found in the environment instead of only one (arbitrary) configuration of service plan 'application' and one (optional, arbitrary) additional one of service plan 'broker'.
    • XsuaaServiceConfigurations#getConfigurations now contains ALL Xsuaa configurations found as a result of the previous change
    • HybridIdentityServicesAutoConfiguration was adjusted for backward compatibility to still create a JwtDecoder that uses the same XSUAA configurations as before for token validation (one of plan 'application' and an optional one of plan 'broker')

Dependency upgrades

  • Bump spring.security.version from 5.8.7 to 5.8.8
  • Bump spring.boot.version from 2.7.16 to 2.7.17
  • Bump log4j2 from 2.20.0 to 2.21.1
  • Bump com.sap.cloud.environment.servicebinding from 0.10.0 to 0.10.1
  • Bump commons-io from 2.14.0 to 2.15.0

Version 2.15.0

24 Oct 07:10
12cc7ea

🔥 Hot fix for CVE-2023-5072

  • [java-security]
    • add x-azp header to IAS JWKS fetching and adjust JWKS cache key
    • OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
      • Refactor API to use generic Map instead of explicit IAS-specific parameters

Dependency upgrades

  • Bump org.json.version from 20230618 to 20231013
  • Bump spring.security.version from 5.8.6 to 5.8.7
  • Bump spring.boot.version from 2.7.15 to 2.7.16
  • Bump spring.core.version from 5.3.29 to 5.3.30
  • Bump reactor-core from 3.4.32 to 3.4.33
  • Bump com.sap.cloud.environment.servicebinding 0.9.0 to 0.10.0
  • Bump commons-io from 2.13.0 to 2.14.0

Version 3.2.1

23 Oct 08:47
55fccf8

🔥 Hot fix for CVE-2023-5072

Dependency upgrades

  • Bump spring.boot.version from 3.1.4 to 3.1.5
  • Bump log4j2.version from 2.20.0 to 2.21.0
  • Bump spring.security.version from 6.1.4 to 6.1.5
  • Bump org.json:json from 20230618 to 20231013

Version 3.2.0

16 Oct 16:19
58c2219
  • [java-security]
    • add x-azp header to IAS JWKS fetching
    • adjust JWKS cache key for OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
    • Refactor API to use generic Map instead of explicit IAS-specific parameters

Dependency upgrades

  • Bump io.projectreactor:reactor-core from 3.5.9 to 3.5.11
  • Bump spring.core.version from 6.0.11 to 6.0.13
  • Bump spring.security.version from 6.1.3 to 6.1.4
  • Bump commons-io:commons-io from 2.13.0 to 2.14.0
  • Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
  • Bump spring.boot.version from 3.1.3 to 3.1.4
  • Bump slf4j.api.version from 2.0.7 to 2.0.9

Version 3.1.3

28 Aug 06:52
  • [java-security]
    • Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
  • [token-client]
    • fixes the JWKS fetch from the identity service when app_tid is not present in the token: the X-app_tid and X-client_id headers are now only added when both values are available.
    • DefaultOAuth2TokenService
      • fixes an issue where, after an unsuccessful token fetch, the headers field of OAuth2ServiceException.withHeaders() contained a single entry with all headers concatenated into one string
    • DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
      • improved error handling
        • the OAuth2ServiceException thrown for a status code other than 200 is no longer swallowed
        • fixes the semantically incorrect behaviour of OAuth2ServiceException.withHeaders(), which was filled with request headers instead of response headers
        • the OAuth2ServiceException raised by an unsuccessful JWKS fetch now also contains the request headers
    • OAuth2ServiceException header message updated: it now reads "Response Headers" instead of "Headers"

Dependency upgrades

  • Bump spring.security.version from 6.1.2 to 6.1.3
  • Bump spring.boot.version from 3.1.2 to 3.1.3

Version 2.14.2

28 Aug 06:48
6487392
  • [java-security]
    • Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
  • [token-client]
    • fixes the JWKS fetch from the identity service when app_tid is not present in the token: the X-app_tid and X-client_id headers are now only added when both values are available.
    • DefaultOAuth2TokenService
      • fixes an issue where, after an unsuccessful token fetch, the headers field of OAuth2ServiceException.withHeaders() contained a single entry with all headers concatenated into one string
    • DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
      • improved error handling
        • the OAuth2ServiceException thrown for a status code other than 200 is no longer swallowed
        • fixes the semantically incorrect behaviour of OAuth2ServiceException.withHeaders(), which was filled with request headers instead of response headers
        • the OAuth2ServiceException raised by an unsuccessful JWKS fetch now also contains the request headers
    • OAuth2ServiceException header message updated: it now reads "Response Headers" instead of "Headers"

Dependency upgrades

  • Bump spring.security.version from 5.8.5 to 5.8.6
  • Bump spring.boot.version from 2.7.14 to 2.7.15
  • Bump reactor-core from 3.4.31 to 3.4.32

Version 3.1.2

11 Aug 18:25
976c4d0
  • [token-client]
    • OAuth2ServiceException has been extended with a getter method getHeaders() that gives access to the failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

Version 3.1.1

11 Aug 14:26
003db33
  • [env]
    • ServiceBindingEnvironment has been extended with a method getServiceConfigurationsAsList() that returns a list of all available service configurations parsed from environment
    • in case of multiple service configurations of the same service plan, ServiceBindingEnvironment.getXsuaaConfiguration() and ServiceBindingEnvironment.getServiceConfigurations() return the first one from the list.
      This keeps the logic in line with the 2.x major version.
  • [token-client] reverted removal of OAuth2ServiceException.getHttpStatusCode()
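The grouping and selection rules described for ServiceBindingEnvironment in 3.1.1 above (all bindings as lists per service; first binding of a plan wins when several share it) and for the JwtDecoder in 2.16.0 (one 'application' binding plus an optional 'broker' one) are easy to get wrong when an app has more than one xsuaa instance bound. The following is an added example that is not code from the library; it parses a constructed VCAP_SERVICES document (all names, client ids and URLs are made up) and applies those two rules in plain Python:

```python
"""Group security-service bindings by service and pick the ones used for validation.

Added example, not code from SAP/cloud-security-services-integration-library.
SAMPLE_VCAP_SERVICES is constructed; names, client ids and URLs are made up.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed environment: two xsuaa bindings of plan 'application', one of
# plan 'broker', and one identity (IAS) binding.
SAMPLE_VCAP_SERVICES = json.dumps({
    "xsuaa": [
        {"name": "app-uaa-1", "plan": "application", "credentials": {
            "clientid": "sb-app1!t100", "xsappname": "app1!t100",
            "url": "https://acme.authentication.example.test"}},
        {"name": "app-uaa-2", "plan": "application", "credentials": {
            "clientid": "sb-app2!t100", "xsappname": "app2!t100",
            "url": "https://acme.authentication.example.test"}},
        {"name": "broker-uaa", "plan": "broker", "credentials": {
            "clientid": "sb-broker!b100", "xsappname": "broker!b100",
            "url": "https://acme.authentication.example.test"}},
    ],
    "identity": [
        {"name": "ias", "plan": "application", "credentials": {
            "clientid": "ias-client-1", "url": "https://acme.accounts.example.test"}},
    ],
})


@dataclass(frozen=True)
class ServiceConfiguration:
    service: str    # "xsuaa" or "identity"
    plan: str
    name: str
    client_id: str
    url: str


def service_configurations_as_list(vcap_services: str) -> Dict[str, List[ServiceConfiguration]]:
    """All bindings of the two security services, in binding order, keyed by service name."""
    env = json.loads(vcap_services)
    result: Dict[str, List[ServiceConfiguration]] = {}
    for service in ("xsuaa", "identity"):
        configs: List[ServiceConfiguration] = []
        for binding in env.get(service, []):
            creds = binding.get("credentials", {})
            if "clientid" not in creds or "url" not in creds:
                continue  # assumption: a binding without these cannot validate tokens
            configs.append(ServiceConfiguration(
                service=service,
                plan=binding.get("plan", ""),
                name=binding.get("name", ""),
                client_id=creds["clientid"],
                url=creds["url"],
            ))
        result[service] = configs
    return result


def first_of_plan(configs: List[ServiceConfiguration], plan: str) -> Optional[ServiceConfiguration]:
    """Documented rule: with several bindings of one plan, the first in the list wins."""
    for config in configs:
        if config.plan == plan:
            return config
    return None


def xsuaa_validation_configurations(
    by_service: Dict[str, List[ServiceConfiguration]],
) -> Tuple[Optional[ServiceConfiguration], Optional[ServiceConfiguration]]:
    """The pair the release notes say the JwtDecoder keeps using for validation:
    one 'application' binding and, if present, one 'broker' binding."""
    xsuaa = by_service.get("xsuaa", [])
    return first_of_plan(xsuaa, "application"), first_of_plan(xsuaa, "broker")


if __name__ == "__main__":
    grouped = service_configurations_as_list(SAMPLE_VCAP_SERVICES)
    app, broker = xsuaa_validation_configurations(grouped)
    print("all xsuaa bindings:", [c.name for c in grouped["xsuaa"]])
    print("validation uses:", app and app.name, broker and broker.name)
```

Because the choice is binding-order dependent, an application that binds more than one xsuaa instance of the same plan should check which binding the decoder actually ended up with rather than assume it; the release notes themselves call the previous single pick "arbitrary".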

Dependency upgrades

Version 2.14.1

11 Aug 18:25
2ceaf87
  • [token-client]
    • OAuth2ServiceException has been extended with a getter method getHeaders() that gives access to the failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

Dependency upgrades

  • Bump btp-environment-variable-access from 0.8.0 to 0.9.0

Version 3.1.0

24 Jul 13:27
8a8903a

❗ IMPORTANT Update ❗

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity-based applications
    • TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with X-app_tid and X-client_id headers
    • JWKS fetch from the identity service going forward requires the mandatory headers X-app_tid and X-client_id; this has been updated in the default implementations of OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is serializable (fixes #1209)
  • [java-security-test] JwtGenerator adds the app_tid claim with the default value the-app-tid to Identity tokens. ❗Some adaptation might be required when calling getZoneId(), as it now returns the app_tid value when default values are used.
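The JWKS fetch changes spread over several releases above fit together into one mechanism: 3.1.0 introduces the X-app_tid and X-client_id headers, 3.1.3 / 2.14.2 send them only when both values are known, 3.2.0 / 2.15.0 add the x-azp header and widen the cache key accordingly, and 3.1.2 / 3.1.3 make a failed fetch raise an OAuth2ServiceException carrying status code and headers instead of being swallowed. The following is an added example, not the library's code, that shows the combined behaviour in Python against a constructed stand-in for the identity service's JWKS endpoint (endpoint URL, tenant ids, client ids and key ids are made up). The fallback from app_tid to the deprecated zone_uuid claim is an assumption of this example:

```python
"""Tenant- and client-aware JWKS fetching with a matching cache key.

Added example, not code from SAP/cloud-security-services-integration-library.
fake_identity_service is a constructed stand-in for the JWKS endpoint; the
URL, tenant ids, client ids and key ids used here are made up.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

# Header names as listed in the release notes.
HEADER_APP_TID = "X-app_tid"
HEADER_CLIENT_ID = "X-client_id"
HEADER_AZP = "x-azp"

Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]
CacheKey = Tuple[str, Optional[str], Optional[str], Optional[str]]


def tenant_id_from_claims(claims: Dict[str, str]) -> Optional[str]:
    """app_tid is the current tenant claim; zone_uuid is its deprecated predecessor.
    Assumption of this example: an older token may still carry only zone_uuid."""
    return claims.get("app_tid") or claims.get("zone_uuid")


def jwks_request_headers(app_tid: Optional[str], client_id: Optional[str],
                         azp: Optional[str]) -> Dict[str, str]:
    """X-app_tid and X-client_id are sent only together (3.1.3 / 2.14.2 rule);
    x-azp is sent whenever the token carries an azp claim (3.2.0 / 2.15.0)."""
    headers: Dict[str, str] = {}
    if app_tid and client_id:
        headers[HEADER_APP_TID] = app_tid
        headers[HEADER_CLIENT_ID] = client_id
    if azp:
        headers[HEADER_AZP] = azp
    return headers


class OAuth2ServiceError(Exception):
    """Failed fetch: status code plus request and response headers, not swallowed."""

    def __init__(self, status: int, request_headers: Dict[str, str],
                 response_headers: Dict[str, str]) -> None:
        super().__init__(f"JWKS fetch failed with HTTP status {status}")
        self.status = status
        self.request_headers = dict(request_headers)
        self.response_headers = dict(response_headers)


class CachingTokenKeyService:
    """Fetches a JWKS and caches it per (endpoint, app_tid, client_id, azp).

    Keying on the endpoint alone would hand the key set fetched for one tenant
    or client to the next caller asking the same URL with different headers.
    """

    def __init__(self, transport: Transport) -> None:
        self._transport = transport
        self._cache: Dict[CacheKey, dict] = {}
        self.fetch_count = 0  # number of real fetches, to show cache behaviour

    def retrieve_token_keys(self, jwks_uri: str, app_tid: Optional[str] = None,
                            client_id: Optional[str] = None,
                            azp: Optional[str] = None) -> dict:
        key: CacheKey = (jwks_uri, app_tid, client_id, azp)
        cached = self._cache.get(key)
        if cached is not None:
            return cached
        request_headers = jwks_request_headers(app_tid, client_id, azp)
        status, response_headers, body = self._transport(jwks_uri, request_headers)
        self.fetch_count += 1
        if status != 200:
            raise OAuth2ServiceError(status, request_headers, response_headers)
        jwks = json.loads(body)
        self._cache[key] = jwks
        return jwks


KNOWN_TENANTS = {"tenant-a", "tenant-b"}  # constructed


def fake_identity_service(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Constructed stand-in: a per-tenant key set, HTTP 400 for an unknown tenant."""
    app_tid = headers.get(HEADER_APP_TID)
    if app_tid is not None and app_tid not in KNOWN_TENANTS:
        return 400, {"x-correlation-id": "corr-1", "content-type": "text/plain"}, "unknown tenant"
    kid = f"key-{app_tid or 'default'}"
    body = json.dumps({"keys": [{"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256"}]})
    return 200, {"content-type": "application/json"}, body


def kids_for_token(service: CachingTokenKeyService, jwks_uri: str,
                   claims: Dict[str, str], client_id: Optional[str]) -> List[str]:
    """Key ids a validator may use for this token's tenant and client."""
    app_tid = tenant_id_from_claims(claims)
    jwks = service.retrieve_token_keys(jwks_uri, app_tid, client_id, claims.get("azp"))
    return [key["kid"] for key in jwks["keys"]]


if __name__ == "__main__":
    svc = CachingTokenKeyService(fake_identity_service)
    uri = "https://acme.accounts.example.test/oauth2/certs"
    print(kids_for_token(svc, uri, {"app_tid": "tenant-a", "azp": "client-1"}, "client-1"))
    print(kids_for_token(svc, uri, {"zone_uuid": "tenant-b", "azp": "client-1"}, "client-1"))
    print("fetches:", svc.fetch_count)
```

The point a practitioner should take from this: every value that changes the request (tenant, client, azp) must also be part of the cache key, otherwise the cache silently reuses a key set that the identity service issued for a different context, and a non-200 answer must propagate with its response headers (correlation id and the like) so the failure can be traced at the provider.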

Dependency upgrades

  • Bump spring.core.version from 6.0.9 to 6.0.11
  • Bump spring.boot.version from 3.0.6 to 3.1.2
  • Bump spring.security.version from 6.0.3 to 6.1.2
  • Bump reactor-core from 3.5.6 to 3.5.8
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0