
Releases: TykTechnologies/tyk-identity-broker

V1.6.1

08 Nov 00:14
39b13bd

This release adds support for JSON Web Encryption (JWE) in OIDC Single Sign-On (SSO) with TIB, providing enhanced security for token handling in authentication flows. This feature enables processing and validation of JWE tokens, with configuration options for setting the private key required for decryption.

v1.5.1

09 Feb 16:09
de28595

Fixes

  • Fixed a panic that happens when performing an SSO flow using SocialProvider in Dashboard v5.3

V1.5.0

08 Feb 14:13
55ee9ea
  • Transitioned the default MongoDB driver from mgo to mongo-go-driver to leverage the latest features and improvements.
  • Deprecated direct Redis usage in favor of the more flexible Temporal Storage Interface, enhancing adaptability and performance.
  • Upgraded to Golang 1.21, ensuring compatibility with the latest language enhancements and security patches.
  • Updated golang.org/x/net to v0.17.0, addressing CVE-2023-39325 and reinforcing security measures against potential vulnerabilities.
  • Resolved an issue in TIB that led to superfluous TYK_IB_SESSION_SECRET warnings on initialization for embedded instances. Thotic storage now requires explicit initialization by the host application, streamlining the startup process and reducing unnecessary logging.

V1.4.2

20 Oct 21:37
00ae638
  • Fixed SSO Integration: Resolved issues affecting SAML and Azure-based Single Sign-On authentication.

v1.4.1

21 Jun 16:38
2c2a8ce

Highlights

In this release, we have fixed a bug where an mTLS request with an expired certificate allowed the request to be proxied upstream in static mTLS and dynamic mTLS. We have also fixed 2 CVE issues, updated to Go v1.19, and updated the storage library to v1.0.5.

Change Log

Updated

  • Update TIB to Go 1.19

  • Update storage lib to v1.0.5

Fixed

  • Fixed a bug where an mTLS request with an expired certificate allowed the request to be proxied upstream in static mTLS and dynamic mTLS

  • NVD - CVE-2021-3538 - go.uuid

  • NVD - CVE-2021-4238 - goutils

v1.4.0

26 Apr 08:22
cd55d48

In this release, we are using a new Tyk storage library to connect to MongoDB. This will allow us to switch to the official Mongo driver very easily in the future.

What's changed?

  • Use the latest Tyk storage library to connect to Mongo so customers are allowed to use the latest Mongo versions (#244)

v1.3.2

23 Mar 01:33
96ba2db

What's changed?

  • Fixed CVE-2021-3538, in which the UUIDs generated by the library are predictable.
  • Fixed CVE-2022-41912 in which the crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.

v1.3.1

31 May 13:36
  • Added an option that allows the user to set the appropriate character (e.g. comma) used to separate a list of values returned by the IDP in the user-groups claim; the default remains blank-space (TT-4685)
  • Added an option for Identity Broker to ignore the values in the config file and load its configuration only from environment variables and default values (TT-3705)
  • Fixed a bug where TIB would panic if the name and surname claims were not received in SAML (TT-2977)

v1.2.4

07 Mar 14:41
9a51fef
  • Make TIB compatible with dashboard versions that don't support SQL and embed this application.
  • Update the dev-portal object so when it calls the update method the information is not lost (#195)

v1.3.0

08 Nov 00:19
aebc2f2
  • Update the dev-portal object so when it calls the update method the information is not lost (#195)
  • For embedded TIB, this should be used only in dashboard versions that support SQL