DRACOON OAuth Service

Version 4.18.0 (2020-07-13)

latest version

New Feature Introduced an alternative to HTTP Basic authentication (see RFC 6749, Section 2.3.1).

New Feature Optimized favicon for Chrome's dark mode.

New Feature Removed background color of input fields.

New Feature Improved button labeling below login box.

New Feature OAuth state length is now limited to 2048 characters.

New Feature Migrated high-emphasis buttons to medium-emphasis buttons.

New Feature Internal changes regarding exception handling.

New Feature Added reveal password buttons.

New Feature Introduced Thymeleaf.

Bugfix Added missing WWW-Authenticate header in error situation.

Bugfix Fixed an issue that might hide the login mask if branding was not configured correctly.

Bugfix Improved error messages in cases where users enter invalid characters.

Bugfix Updated some localized strings in German translation.

UX Improvement Focus is now automatically set to login field.

Version 4.17.0 (2020-03-09)

New Feature Adjusted client model according to DRACOON Core Service 4.19.

Version 4.16.1 (2020-03-09)

Security Issue Updated Spring Boot dependency as a reaction to Ghostcat vulnerability (CVE-2020-1938).

Version 4.16.0 (2020-03-02)

New Feature Updated Java to version 11.

Bugfix Fixed the broken localization of OpenID login button texts.

Bugfix Fixed an issue which caused missing query/fragment separators at the authorization redirect.

Version 4.15.3 (2020-01-15)

New Feature New lines in terms are no longer automatically converted to <br/> tags.

Bugfix Corrected width of footer on terms page.

Bugfix Fixed an issue that led to incorrect URLs on the account activation page.

UX Improvement Made terms on account activation page scrollable.

Version 4.15.2 (2019-12-20)

New Feature Made DRACOON API connection and read timeout configurable.

Version 4.15.1 (2019-12-17)

Bugfix Fixed the broken localization of OpenID login button texts.

Bugfix Fixed an issue which caused missing query/fragment separators at the authorization redirect.

Version 4.15.0 (2019-12-11)

Security Issue Fixed an issue where reflected XSS might inject false information into the DOM on the login page.

New Feature Extended usage of accent color.

New Feature Added support for Russian, Polish, and Czech.

New Feature Updated French and Spanish localizations.

New Feature Introduced CSP header.

New Feature Added (brandable) link to support page.

New Feature Appearance of local login options is now configurable.

Improvement An error message is now shown if the browser does not accept cookies.

Improvement Fixed an issue leading to an unknown error when requesting a password reset for users authenticating via OpenID Connect.

Bugfix Fixed an issue in connection with the URL query/fragment parsing.

Bugfix Introduced check for disabled client in authorization code flow.

UX Improvement Changed button labels to lower case.

UX Improvement Decreased importance of support, imprint, and data privacy links.

UX Improvement Improved position of error messages at login.

Version 4.14.2 (2019-11-28)

Bugfix Fixed an issue in connection with the URL query/fragment parsing.

Version 4.14.1 (2019-11-18)

Security Issue Fixed reflected XSS vulnerability on login page.

Bugfix Enabled usage of specific status codes for communication errors with DRACOON Core Service.

Version 4.14.0 (2019-09-27)

UX Improvement Reversed state of "use alternative authentication" button.

Version 4.13.0 (2019-08-08)

New Feature Introduced capability to restrict access token and refresh token timeouts.

New Feature Introduced attributes "createdAt" and "usedAt" to store the creation and last usage dates for authorizations.

New Feature Ended support for multiple authentication methods per user.

Version 4.12.4 (2020-07-17)

Security Issue Resolved an XSS vulnerability.

Version 4.12.3 (2020-05-19)

New Feature Improved stability of OAuth Service in cases where upstream services do not respond.

Version 4.12.2 (2020-03-24)

Security Issue Updated Spring Boot dependency as a reaction to Ghostcat vulnerability (CVE-2020-1938).

Version 4.12.1 (2019-11-18)

Security Issue Fixed reflected XSS vulnerability on login page.

Version 4.12.0 (2019-06-18)

Security Issue Fixed an XSS vulnerability on the login page.

Security Issue Fixed a reflected XSS vulnerability.

New Feature Added OAuth client types (see RFC 6749, section 2.1).

New Feature Improved support of DRACOON branding.

New Feature Introduced "lang" parameter to enable a client to request a specific language.

New Feature Introduced logout mechanism to terminate OAuth session.

New Feature Introduced token revocation endpoint.

New Feature Added an option to make the position of the login box adjustable.

New Feature DRACOON OAuth Service now uses Spring Boot.

New Feature Added device information to OAuth authorizations so that devices can be distinguished.

Improvement Discontinued usage of "X-Forwarded-Host" header.

Improvement Improved responsiveness of the UI.

Improvement Added an option to configure GZIP compression.

Bugfix Fixed an issue where special chars in branded texts prevented the UI from being correctly displayed.

Bugfix Fixed an issue with URI validation.

Bugfix Revised handling of errors on remote calls.

Version 4.11.2 (2019-06-12)

Bugfix Fixed an issue that would make the redirect fail if the state parameter was not provided.

Bugfix Fixed an issue with the caching mechanism that may lead to an incorrect branding being delivered.

Version 4.11.1 (2019-05-16)

Bugfix Fixed an issue that made the redirect fail if the state parameter contained special characters.

Version 4.11.0 (2019-04-10)

New Feature Added support for OpenID Connect Hybrid Flow.

New Feature Added support for DRACOON Branding.

New Feature Existing access and refresh tokens now stay valid on successful token refresh.

Improvement Focus is now immediately set on input fields.

Improvement Increased length of authorization code.

Improvement Applied material design to user interface.

Improvement Replaced Spring Security OAuth library.

Bugfix Reworked the validation of the sent redirect URI so that lower case and upper case are treated equally.

Bugfix Ensured that the authorization code is deleted after usage.

Version 4.10.0 (2018-09-27)

Security Issue Updated dependencies to their latest versions.

New Feature Added error handling for OpenID user import.

Bugfix Fixed an issue that caused redirect URLs to use http instead of https.

Version 4.9.1 (2018-08-17)

Bugfix Fixed an issue with handling 404 status codes.

Version 4.9.0 (2018-08-05)

Improvement Refactored all occurrences of SDS.

Bugfix Fixed an issue that allowed only one authorization per client per user.

Version 4.8.3 (2018-08-28)

Bugfix Fixed an issue that caused redirect URLs to use http instead of https.

Version 4.8.2 (2018-08-17)

Bugfix Fixed an issue with handling 404 status codes.

Version 4.8.1 (2018-08-05)

Bugfix Fixed an issue that allowed only one authorization per client per user.

Version 4.8.0 (2018-04-26)

New Feature Added a callback page that displays the authorization code.

Improvement Disabled session for token endpoint.

Improvement Improved responsiveness for password hint.

Improvement Improved error handling for invalid/expired sessions.

Bugfix Fixed an issue with validating empty login fields.

Bugfix Fixed an issue that prevented RADIUS authentication from working properly.

Version 4.7.0 (2018-03-29)

New Feature Added filtering to OAuth client listing API.

New Feature Added sorting to OAuth client listing API.

New Feature Added OAuth clients for official DRACOON apps.

Improvement Added responsive UI for mobile clients.

Improvement Changed configuration path to /etc/dracoon/.

Improvement Show client name on authorization page.

Improvement Removed field "clientId" and generate client ID by default.

Improvement Removed field "redirectUrl" from client configuration APIs.

Bugfix Fixed imprint link.

Bugfix Fixed an issue with multiple authorizations from the same OAuth client.