Releases: SAP/cloud-security-services-integration-library

Version 2.15.0

24 Oct 07:10
12cc7ea

🔥 Hot fix for the CVE-2023-5072

  • [java-security]
    • add x-azp header to IAS JWKS fetching and adjust JWKS cache key
    • OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
      • Refactor API to use generic Map instead of explicit IAS-specific parameters

Dependency upgrades

  • Bump org.json.version from 20230618 to 20231013
  • Bump spring.security.version from 5.8.6 to 5.8.7
  • Bump spring.boot.version from 2.7.15 to 2.7.16
  • Bump spring.core.version from 5.3.29 to 5.3.30
  • Bump reactor-core from 3.4.32 to 3.4.33
  • Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
  • Bump commons-io from 2.13.0 to 2.14.0

Version 3.2.1

23 Oct 08:47
55fccf8

🔥 Hot fix for the CVE-2023-5072

Dependency upgrades

  • Bump spring.boot.version from 3.1.4 to 3.1.5
  • Bump log4j2.version from 2.20.0 to 2.21.0
  • Bump spring.security.version from 6.1.4 to 6.1.5
  • Bump org.json:json from 20230618 to 20231013

Version 3.2.0

16 Oct 16:19
58c2219
  • [java-security]
    • add x-azp header to IAS JWKS fetching
    • adjust JWKS cache key for OAuth2TokenKeyService and OAuth2TokenKeyServiceWithCache
    • Refactor API to use generic Map instead of explicit IAS-specific parameters

Dependency upgrades

  • Bump io.projectreactor:reactor-core from 3.5.9 to 3.5.11
  • Bump spring.core.version from 6.0.11 to 6.0.13
  • Bump spring.security.version from 6.1.3 to 6.1.4
  • Bump commons-io:commons-io from 2.13.0 to 2.14.0
  • Bump com.sap.cloud.environment.servicebinding from 0.9.0 to 0.10.0
  • Bump spring.boot.version from 3.1.3 to 3.1.4
  • Bump slf4j.api.version from 2.0.7 to 2.0.9

Version 3.1.3

28 Aug 06:52
  • [java-security]
    • Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
  • [token-client]
    • Fixes the JWKS fetch from the identity service when app_tid is not present in the token: the X-app_tid and X-client_id headers are now only added when both values are available.
    • DefaultOAuth2TokenService
      • Fixes an issue where, after an unsuccessful token fetch, the headers field of OAuth2ServiceException.withHeaders() was filled with a single entry containing all headers as one string
    • DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
      • Improved error handling
        • The OAuth2ServiceException thrown when the status code is not 200 is no longer swallowed
        • Fixes the semantically incorrect behaviour of OAuth2ServiceException.withHeaders(), where the headers were filled with request headers instead of response headers
        • The OAuth2ServiceException generated by an unsuccessful JWKS fetch now contains the request headers as well
    • OAuth2ServiceException header message updated: it now reads "Response Headers" instead of "Headers"

Dependency upgrades

  • Bump spring.security.version from 6.1.2 to 6.1.3
  • Bump spring.boot.version from 3.1.2 to 3.1.3

Version 2.14.2

28 Aug 06:48
6487392
  • [java-security]
    • Fixes NPE when accessing XsuaaToken.getPrincipal() and grantType is null (#1261)
  • [token-client]
    • Fixes the JWKS fetch from the identity service when app_tid is not present in the token: the X-app_tid and X-client_id headers are now only added when both values are available.
    • DefaultOAuth2TokenService
      • Fixes an issue where, after an unsuccessful token fetch, the headers field of OAuth2ServiceException.withHeaders() was filled with a single entry containing all headers as one string
    • DefaultOAuth2TokenKeyService and SpringOAuth2TokenKeyService
      • Improved error handling
        • The OAuth2ServiceException thrown when the status code is not 200 is no longer swallowed
        • Fixes the semantically incorrect behaviour of OAuth2ServiceException.withHeaders(), where the headers were filled with request headers instead of response headers
        • The OAuth2ServiceException generated by an unsuccessful JWKS fetch now contains the request headers as well
    • OAuth2ServiceException header message updated: it now reads "Response Headers" instead of "Headers"

Dependency upgrades

  • Bump spring.security.version from 5.8.5 to 5.8.6
  • Bump spring.boot.version from 2.7.14 to 2.7.15
  • Bump reactor-core from 3.4.31 to 3.4.32

Version 3.1.2

11 Aug 18:25
976c4d0
  • [token-client]
    • OAuth2ServiceException has been extended with a getter method getHeaders() that gives access to the failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

Version 3.1.1

11 Aug 14:26
003db33
  • [env]
    • ServiceBindingEnvironment has been extended with a method getServiceConfigurationsAsList() that returns a list of all available service configurations parsed from the environment
    • In case of multiple service configurations with the same service plan, ServiceBindingEnvironment.getXsuaaConfiguration() and ServiceBindingEnvironment.getServiceConfigurations() will return the first one from the list.
      This adjustment ensures that the logic is in line with the 2.x major version.
  • [token-client] reverted removal of OAuth2ServiceException.getHttpStatusCode()

Dependency upgrades

Version 2.14.1

11 Aug 18:25
2ceaf87
  • [token-client]
    • OAuth2ServiceException has been extended with a getter method getHeaders() that gives access to the failed request's response headers
    • XsuaaOAuth2TokenService and DefaultOAuth2TokenService add the response headers and status code to the thrown OAuth2ServiceException

Dependency upgrades

  • Bump btp-environment-variable-access from 0.8.0 to 0.9.0

Version 3.1.0

24 Jul 13:27
8a8903a

❗ IMPORTANT Update ❗

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • The Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity-based applications
    • TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with X-app_tid and X-client_id headers
    • Going forward, the JWKS fetch from the identity service requires the mandatory headers X-app_tid and X-client_id; this has been updated in the default implementations of OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is now serializable (fixes #1209)
  • [java-security-test] JwtGenerator adds the app_tid claim with the default value the-app-tid to Identity tokens. ❗ Some adaptation might be required when calling getZoneId(), as it now returns the app_tid value when default values are used.
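An added, hypothetical stand-alone illustration (not the library's own code) of the JWKS fetch rules described in the 3.1.0 and 3.1.3 notes above: the X-app_tid and X-client_id headers are sent only when both values are available, and a non-200 response is surfaced as an exception carrying the status code and response headers instead of being swallowed. Class and method names are assumed for the example; the library's OAuth2TokenKeyService and OAuth2ServiceException are not used.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;
import java.util.Map;

/** Hypothetical JWKS fetcher; mirrors the header and error-handling rules from the release notes. */
public class JwksFetchExample {

    /** Carries status code and response headers, in the spirit of OAuth2ServiceException.getHeaders(). */
    public static class JwksFetchException extends IOException {
        private final int statusCode;
        private final Map<String, List<String>> responseHeaders;

        JwksFetchException(String message, int statusCode, Map<String, List<String>> responseHeaders) {
            super(message);
            this.statusCode = statusCode;
            this.responseHeaders = responseHeaders;
        }
        public int getStatusCode() { return statusCode; }
        public Map<String, List<String>> getHeaders() { return responseHeaders; }
    }

    /** X-app_tid and X-client_id are added only when both values are present (3.1.3 behaviour). */
    static HttpRequest buildRequest(URI jwksUri, String appTid, String clientId) {
        HttpRequest.Builder builder = HttpRequest.newBuilder(jwksUri).GET();
        if (appTid != null && clientId != null) {
            builder.header("X-app_tid", appTid).header("X-client_id", clientId);
        }
        return builder.build();
    }

    /** Returns the raw JWKS document, or throws with status and response headers on a non-200 reply. */
    public static String retrieveTokenKeys(HttpClient client, URI jwksUri, String appTid, String clientId)
            throws IOException, InterruptedException {
        HttpResponse<String> response =
                client.send(buildRequest(jwksUri, appTid, clientId), HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Do not swallow the failure: the caller gets status and response headers for diagnosis.
            throw new JwksFetchException("JWKS fetch from " + jwksUri + " failed with status "
                    + response.statusCode(), response.statusCode(), response.headers().map());
        }
        return response.body();
    }
}
```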

Dependency upgrades

  • Bump spring.core.version from 6.0.9 to 6.0.11
  • Bump spring.boot.version from 3.0.6 to 3.1.2
  • Bump spring.security.version from 6.0.3 to 6.1.2
  • Bump reactor-core from 3.5.6 to 3.5.8
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0

Version 2.14.0

24 Jul 13:27

❗ IMPORTANT Update ❗

The zone_uuid claim in Identity service tokens has been deprecated and is now replaced by the app_tid claim. You should use the app_tid claim to identify the unique tenant id, which was previously referred to as the zone.

  • [java-api]
    • The Token interface is extended with the default method getAppTid(); the getZoneId() method has been deprecated, use getAppTid() instead. ⚠️ This is also relevant for Xsuaa applications, not only Identity-based applications
    • TokenClaims is extended with SAP_GLOBAL_APP_TID; SAP_GLOBAL_ZONE_ID is deprecated
  • [token-client]
    • OAuth2TokenKeyService interface has been extended with retrieveTokenKeys(@Nonnull URI tokenKeysEndpointUri, @Nullable String tenantId, @Nullable String clientId) method
    • HttpHeaders constants are extended with X-app_tid and X-client_id headers
    • Going forward, the JWKS fetch from the identity service requires the mandatory headers X-app_tid and X-client_id; this has been updated in the default implementations of OAuth2TokenKeyService:
      • DefaultOAuth2TokenKeyService
      • OAuth2TokenKeyServiceWithCache (java-security module)
      • SpringOAuth2TokenKeyService
  • [java-security] AbstractToken is now serializable (#1207)
  • [java-security-test] JwtGenerator adds the app_tid claim with the default value the-app-tid to Identity tokens. ❗ Some adaptation might be required when calling getZoneId(), as it now returns the app_tid value when default values are used.

Dependency upgrades

  • Bump spring.core.version from 5.3.27 to 5.3.29
  • Bump spring.boot.version from 2.7.10 to 2.7.14
  • Bump spring.security.version from 5.8.3 to 5.8.5
  • Bump reactor-core from 3.4.24 to 3.4.31
  • Bump btp-environment-variable-access from 0.6.0 to 0.8.0
  • Bump json from 20230227 to 20230618
  • Bump commons-io from 2.11.0 to 2.13.0