Micronaut Security 2.1.3

Builds micronaut security with Micronaut Core 2.1.3.

This solves micronaut-bom 2.0.1 (in micronaut-security) requires a non-existent version of ktor-bom (1.3.2) #422

Micronaut Security 2.1.2

v2.1.2 (2020-10-27)

Full Changelog

Fixed bugs:

• Micronaut Security is pulling in the kotlin standard lib #414. Thanks to (@swanandvk) #415

• fix: client credential grant scope not scopes #425 (@sdelamo)

Closed issues:

• @ExecuteOn is ignored when using Micronaut Token Validator #313

Micronaut Security 2.1.1

v2.1.1 (2020-10-06)

Full Changelog

Closed issues:

• JWT Refresh Tokens RFC 7519 #410
• Deprecate DefaultOpenIdUserDetailsMapper#createUserDetails #309

Merged pull requests:

• Dependency upgrades #409 (@micronaut-build)
• feat: annotate address with @introspected #407 (@sdelamo)
• Remove section about UserDetails being deleted #406 (@niraj8)

* This Changelog was automatically generated by github_changelog_generator

Micronaut Security 2.0.2

v2.0.2 (2020-09-26)

Full Changelog

Implemented enhancements:

• Refresh Token Cookie name should be configurable #334
• Token Refresh Cookie max-age should be configurable #333
• Logout Handler should also clear JWT_REFRESH_TOKEN cookie and invalidate token #332
• Limit JWT_REFRESH_TOKEN cookie paths #331
• feat: add introspection endpoint #405 (@sdelamo)

Closed issues:

• Support HttpRequest as a method parameter in JWTClaimsValidator #381
• Multiple Login Handler #374
• JWT "secure" and "SameSite" configs seem to be ignored #369
• Add Release History section to Micronaut security documentation #366

Merged pull requests:

• refactor: split DefaultOpenIdAuthorization methods #404 (@sdelamo)
• checkstyle: remove unused import #400 (@sdelamo)
• refactor: extract basic auth parsing to its own class #399 (@sdelamo)
• bump up micronaut test to 2.1.0 #398 (@micronaut-build)
• Improve refresh token cookie story. Closes #334 #333 #332 #331 #397 (@jameskleeh)
• refactor: add request to jwt claims validator #396 (@sdelamo)
• ci: set github core branch to 2.1.x #395 (@sdelamo)
• build: version to 2.1.0.BUILD-SNAPSHOT #394 (@sdelamo)
• doc: Add release History section #392 (@sdelamo)
• git: gitignore .nova #391 (@sdelamo)
• nimbus-jose-jwt from 8.20 to 9.0.1 #379 (@dependabot[bot])

* This Changelog was automatically generated by github_changelog_generator

• Session not saved during calling OAuth callback (#319)

Micronaut Security 2.1.0

v2.1.0 (2020-09-26)

Full Changelog

Features

• Introspection Endpoint #405

Fixes

Improvements around Refresh Token Cookie management #397

Closes issues #334 #333 #332 #331

Dependency upgrades

Bump up Nimbus JOSE JWT to 9.0

• Nimbus Jose JWT 8.0 8.1 and 8.2 release notes

• Nimbus Jose JWT 9.0 release notes.
  #386

Refactor

• Extract utility class BasicAuthUtils #399

• Add request to JWTClaimsvalidator #396

Docs

Add Release History section #392

Micronaut Security 2.0.1

Dependency upgrades

• nimbus-jose-jwt from 8.19 to 8.20
• bump unboundid-ldapsdk from 5.1.0 to 5.1.1

Fixes

• fix: SecurityService::hasRole case sensitive (#326)
• load cookieNoncePersistence in application context (#355)

Improvements

• Small refactoring of TokenAuthenticationFetcher (#289)

• log: better logging if nonce validator fails (

• Allow NonceClaimValidator to be disabled (#358)

DefaultOpenIdTokenResponseValidator:

• cache JkwsSignature for jwks uri
• extract two proteced methods to simplify override

JwtValidator:

• Don’t parse JWT if it does not have two dots
• DefaultSecurityService should use RolesFinder (#328)

---

v2.0.1 (2020-09-23)

Full Changelog

Fixed bugs:

• JWT validation failed using Cognito with Google Oauth2 #346
• SecurityService::hasRole should be case sensitive both for collections and strings #325
• fix: load CookieNoncePersistence in application context #355 (@sdelamo)
• DefaultSecurityService should use RolesFinder #328 (@sdelamo)
• Check if the Authorization value is long enough to substring the prefix in BasicAuthAuthenticationFetcher #321 (@sdelamo)

Closed issues:

• Recognise absolute oauth2 callback-uri as absolute and don't append it to the base uri #370
• Unnecessary warning: Invalid JWT serialization #344
• Token refresh process improvements #315
• Micronaut Security: master as the default branch #312
• jwt authentication support in http/2 #300
• SAML Support #290

Merged pull requests:

• doc: fix broken link to javadoc #382 (@sdelamo)
• build(deps): bump unboundid-ldapsdk from 5.1.0 to 5.1.1 #373 (@dependabot[bot])
• refactor: cache JkwsSignature for jwks uri #362 (@sdelamo)
• feat: allow NonceClaimValidator to be disabled #358 (@sdelamo)
• refactor: extract two proteced methods to simplify override #357 (@sdelamo)
• docs: Improve documentation about nonce #356 (@sdelamo)
• test: add test for session nonce persistence #354 (@sdelamo)
• test: simplify state parsing #353 (@sdelamo)
• test: bean of type NonceConfiguration by default #352 (@sdelamo)
• log: better logging if nonce validator fails #351 (@sdelamo)
• refactor: move JWTValidator logging to trace level #350 (@sdelamo)
• Update rejectNotFound.adoc, boolean value is incorrect in doc #345 (@chrismckiernan)
• fix: SecurityService::hasRole case sensitive #326 (@sdelamo)
• test: @secured roles case sensitive #324 (@sdelamo)
• Small refactoring of TokenAuthenticationFetcher #289 (@dstepanov)

• Recognise absolute oauth2 callback-uri as absolute and don't append it to the base uri (#370)

Micronaut Security v2.0.0

What's new

Micronaut Security 2.0.0 includes the following new features and improvements.

Annotation Processing

• The @Secured annotation has been moved to a separate module in order to reduce the number of classes in the annotation processor scope. If you currently have micronaut-security in the classpath of your compiler, the entry can be changed to micronaut-security-annotations.

Improvements

• A new constructor for AuthenticationFailed that takes a string message has been added to allow for custom error messages.

• It is now possible to require all AuthenticationProviders to return a successful authentication response. Set micronaut.security.authentication-provider-strategy: ALL to enable this functionality.

• The token propagation implementation will now no longer override an existing token.

• It is now possible to allow for requests that would normally result in a 404 to return with 404 instead of almost always returning a 401 or 403. The current behavior is still the default because it prevents attackers from discovering what endpoints are available in your application. To enable the alternative behavior, set micronaut.security.reject-not-found: false in your configuration.

• It is now supported out of the box to redirect back to the prior URL after a successful login. If a user requests a URL that returns an unauthenticated response, after logging in successfully, the user can then be returned to the URL that previously returned unauthorized. This setting can be enabled with micronaut.security.redirect.prior-to-login: true in your configuration. It is disabled by default.

• Support for using tokens directly from OpenID providers has been added. By default the information from the OpenID JWT token is used to create a new token that uses Micronaut's JWT settings. This allows for a common format across providers as well as standardized expiration. Some users may want to use the token coming from the provider directly. That is now supported with the configuration option and value micronaut.security.authentication: idtoken. Note that this authentication mode requires each application to implement any necessary refresh token functionality. The refresh token functionality in this library is specific to the tokens created by this library.

• The TokenValidator API now has access to the current request.

Breaking Changes

This section will document breaking changes that may happen during milestone or release candidate releases, as well as major releases eg (1.x.x -> 2.x.x).

2.0.0

New Maven Group ID

The Maven Group ID has changed from io.micronaut to io.micronaut.security.

Modules Enabled by default

• Modules are now enabled by default. The configuration keys micronaut.security.enabled, micronaut.security.token.jwt.enabled, micronaut.security.oauth2.enabled, and micronaut.security.session.enabled are now all true by default.

Endpoints enabled by default

• You don't need to enable Endpoints. The configuration keys micronaut.security.endpoints.keys.enabled, micronaut.security.endpoints.login.enabled, micronaut.security.endpoints.logout.enabled, micronaut.security.endpoints.oauth.enabled are now all true by default. However, You will need to provide the required beans for each endpoint.

UserDetails deleted in favour of Authentication

UserDetails has been removed. Every api which previously used UserDetails uses Authentication instead. Authentication provides several static build methods to creates instances of Authentication for a particular user.

io.micronaut.security.oauth2.endpoint.token.response.OauthUserDetailsMapper has been renamed to io.micronaut.security.oauth2.endpoint.token.response.OauthAuthenticationMapper

io.micronaut.security.oauth2.endpoint.token.response.OpenIdUserDetailsMapper has been renamed to io.micronaut.security.oauth2.endpoint.token.response.OpenIdAuthenticationMapper.

io.micronaut.security.oauth2.endpoint.token.response.DefaultOpenIdUserDetailsMapper renamed to io.micronaut.security.oauth2.endpoint.token.response.DefaultOpenIdAuthenticationMapper.

Authentication Provider

• The AuthenticationProvider API has changed to include the HTTP request as a parameter. Thus, it is now possible to gain access to the request in your AuthenticationProvider. Simply override the default method in the interface that takes the request as an argument with your own implementation. The old method is no longer called from the framework.

• It is no longer assumed that a failed authentication response is an instance of AuthenticationFailed. That now allows for any subclass of AuthenticationResponse to be emitted in the case of an authentication failure.

• Previously AuthenticationProviders were allowed to return hot observables, meaning the logic to authenticate the user could be done upon execution of the method. Allowing for that behavior caused the logic to execute the authenticators to be difficult to maintain. Now providers must return cold observables. The authenticate method will be executed for every authentication provider for every authentication request. If you were previously doing the authentication work then using something like Flowable.just, you must use something like Flowable.create to create a cold observable.

Delegating Authentication Provider

• The DelegatingAuthenticationProvider and it's related interfaces has been removed. If you provided implementations for UserFetcher, UserState, PasswordEncoder, and AuthoritiesFetcher, integrate them into your own implementation of api:security.authentication.AuthenticationProvider[]. This API was removed because it only served a niche use case and increased the surface of this library's API. None of the classes mentioned were directly used in this library and thus belong in the realm of user's applications. Check LDAP and Database authentication providers tutorial to learn how to write a DelegatingAuthenticationProvider.

LdapAuthenticationProvider

The constructor for LdapAuthenticationProvider has been changed to accept an executor to schedule the LDAP lookup operation on. By default it is now scheduled on the IO thread pool.

LoginHandler

• The LoginHandler API has changed to accept an api:security.authentication.AuthenticationResponse[] object instead of an AuthenticationFailed.

• Previously, AccessRefreshTokenLoginHandler was enabled by default. Currently, no LoginHandler is enabled by default. If you wish to use any of the built-in LoginHandlers, you have to set the configuration:

** micronaut.security.authentication: bearer to enable AccessRefreshTokenLoginHandler
** micronaut.security.authentication: cookie to enable JwtCookieLoginHandler
** micronaut.security.authentication: session to enable SessionLoginHandler
** micronaut.security.authentication: idtoken to enable IdTokenLoginHandler

Migration Example A

If you were using the default bearer authentication, you should set:

micronaut:
    security:
        authentication: bearer

Migration Example B

For a previous configuration such as:

micronaut:
    security:
        token:
            jwt:
                bearer:
                     enabled: false
                cookie:
                     enabled: true

use instead:

micronaut:
    security:
        authentication: cookie

LogoutHandler

• To use any of the built-in LogoutHandler you have to set the configuration:

** micronaut.security.authentication: cookie or idtoken to enable JwtCookieClearerLogoutHandler
** micronaut.security.authentication: session to enable SessionLogoutHandler

Refresh Token

The story around refresh tokens has been changed. There were a couple of core issues with the old implementation that needed resolved.

• The refresh tokens were JWT tokens which also allowed them to be u...

Micronaut Security 2.0.0.RC1

v2.0.0.RC1 (2020-06-15)

Full Changelog

Implemented enhancements:

• Key for the user's name in the authentication attributes is hardcoded #286
• Redirect user back to the page where they started, after authentication #23

Fixed bugs:

• BasicAuthAuthenticationConfiguration defines its own roles key but TokenConfiguration should be used instead #284
• fix: BasicAuthAuthenticationFetcher should use TokenConfiguration #285 (@sdelamo)

Closed issues:

• Schedule LdapAuthenticationProvider to IO #281
• The Micronaut JWT Authentication guide's UnsignedRefreshTokenSpec does not hit CustomRefreshTokenPersistence #272
• Micronaut Security JWT guide references 2.0.0.BUILD-SNAPSHOT and classes not available in any stable release #271
• Improvements of Refresh Token behaviour for security.authentication.cookie #262

Merged pull requests:

• Don`t call onComplete after onError in tests #288 (@sdelamo)
• Schedules LDAP Authentication Provider at IO #287 (@sdelamo)
• [security] Update common files for branch master #279 (@micronaut-build)
• [security] Update common files for branch master #277 (@micronaut-build)

* This Changelog was automatically generated by github_changelog_generator

Micronaut Security 2.0.0.M3

v2.0.0.M3 (2020-06-08)

Full Changelog

Implemented enhancements:

• Handling logout for Okta when micronaut.security.idtoken is used #263
• Enhance DefaultProviderResolver to resolve provider via iss claim #258
• Authorization header prefix treated case-sensitive #252
• Simplify the configuration of LoginHandlers and Logout Handlers #246
• Simplify redirect configuration #245
• login controller enabled by default #244
• logout controller enabled by default #243
• refresh controller enabled by default #242
• Keys endpoint enabled by default #241
• Create ErrorResponse contract #233

Fixed bugs:

• TokenCookieConfiguration not being loaded #270
• invalid refresh token should return 400 #235
• wrong response JSON body for invalid refresh request #234
• OpenIdClientCondition causing circular bean reference #220

Closed issues:

• Security-session only looks for old config #261
• Idtoken should support session #260
• Ability to set the token expiration time dinamically. #255
• RefreshTokenPersistence response in case of invalid refresh token #251
• Deprecate JwtGeneratorConfiguration #247
• Version 1.4.0 Support for request/request-headers in TokenValidator #236
• io.micronaut.security.oauth2.ApplicationContextSpecification starts embeeded server #232
• Improve RefreshTokenConfigurationProperties Javadoc and docs default value for enabled #231
• Oauth scopes lead to NullPointerException #225
• Update guide #193

Merged pull requests:

• [security] Update common files for branch master #274 (@micronaut-build)
• [security] Update common files for branch master #273 (@micronaut-build)
• [security] Update common files for branch master #268 (@micronaut-build)
• [WIP] Make Authorization header prefix check case insensitive #257 (@jcassee)
• GraalVM: Initialize com.nimbusds.jose.JWSAlgorithm at build-time #240 (@ilopmar)
• refactor: simpler refresh token generator #237 (@sdelamo)

* This Changelog was automatically generated by github_changelog_generator

Micronaut Security 2.0.0.M2

v2.0.0.M2 (2020-04-30)

Full Changelog

Fixed bugs:

• Auth0EndSessionEndpoint mangles URLs #221
• IPatternsRule does not protect against InetSocketAddress::getAddress can return null #219

Closed issues:

• LoginSuccessfulEvent is invoked twice when using OAuth security #223
• Add SameSite property to JwtConfigurationProperties #217
• Does micronaut closes the connection when the JWT expires? #214
• DefaultSecurityService.hasRole(String roleName) should honor custom roles-name setting of token #211
• MACProvider NullPointerException when validating JWT #209
• Don't include refresh_token in the /login response unless scope offline_access is requested #189
• Set a default expiration for refresh tokens #175
• Review accessToken and refreshToken behavior in other implementations #174

Merged pull requests:

• Add SameSite property to JwtConfigurationProperties #218 (@abedurftig)
• DefaultSecurityService.hasRole honor the custom roles-name key Fixes #211 #213 (@sdelamo)

* This Changelog was automatically generated by github_changelog_generator