Gravitee.io AM 2.8

Titouan Compiègne
Published in graviteeio, Jul 17, 2019

We are pleased to announce that Gravitee.io Access Management 2.8 is now available.

What’s new?

Here are the highlights of this release:

  • Custom claims for tokens
  • OpenID Connect DCR Client templating
  • Usernames and emails case sensitivity

Add custom claims to Tokens

Most of the time, to get information about an authenticated user you rely on the OpenID Connect ID Token or the OpenID Connect UserInfo endpoint to request user data (known as claims).

When it comes to securing APIs, OAuth 2.0 access tokens are used as opaque tokens to access authorized resources without further identification (which prevents personal information leaks if the access token is propagated to several services).

However, it can sometimes be useful to include resource owner attributes directly in access tokens, so that resource servers (i.e. APIs or an API gateway) can consume them directly for authorization or other purposes without further round trips to the introspection or UserInfo endpoints.

Including resource owner attributes in JWT access tokens should be done with care: verify that all privacy requirements are met.

Gravitee.io AM 2.8.0 introduces a new Custom Token Claims feature to add extra information to the OAuth 2.0 Access Token and the OpenID Connect ID Token.

Custom Claims for Tokens

You can retrieve user information directly from your access tokens and also add custom information.

You can now discover this new feature via our quick-start.
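The resource-server side of what the paragraphs above describe, as an added example that is not part of the original post or of Gravitee.io AM: a JWT access token carrying custom claims is verified (algorithm pinned, signature, audience, expiry) and an authorization decision is taken from a custom claim with no introspection or UserInfo round trip. The HS256 secret, issuer, audience and the `roles` claim name are all constructed assumptions; the token is minted locally only so the check can run offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC secret standing in for the authorization server's signing key.
# Production deployments normally sign with an asymmetric key (e.g. RS256) published
# at the provider's JWKS endpoint; the verification steps below stay the same.
SIGNING_SECRET = b"example-hs256-secret-not-for-real-use"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject, custom_claims, ttl=300, now=None):
    """Stand-in for the authorization server: issue an HS256 JWT access token
    carrying the standard claims plus the extra (custom) claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = {
        "iss": "https://auth.example.org",   # assumed issuer
        "aud": "orders-api",                 # assumed resource server identifier
        "sub": subject,
        "iat": now,
        "exp": now + ttl,
        **custom_claims,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_access_token(token, expected_aud, now=None):
    """Resource-server side: check structure, algorithm, signature, audience and
    expiry before trusting any claim in the token. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":       # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def can_read_orders(token, now=None):
    """Authorization decision taken from the custom 'roles' claim alone, with no
    introspection or UserInfo round trip. The claim name is an assumption."""
    try:
        claims = verify_access_token(token, "orders-api", now)
    except ValueError:
        return False
    return "orders:read" in claims.get("roles", [])
```

Only the claims the resource server actually needs for its decision belong in the token; anything else is personal data that travels with every request the token is attached to.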

OpenID Connect DCR Client templating

OpenID Connect Dynamic Client Registration defines how an OpenID Connect Relying Party (a third-party application) can dynamically register with the OpenID Provider (i.e. Gravitee.io Access Management) to obtain the information needed to use it (e.g. an OAuth 2.0 client_id).

Until now, only OpenID Connect protocol metadata could be set via the DCR feature, and users had to go back to the Gravitee.io AM administration UI to add AM-specific settings (e.g. custom email templates, HTML templates, identity providers …).

Gravitee.io AM 2.8 offers a new feature called DCR Client Templating that allows you to create client templates to be used throughout the DCR registration process.

OpenID Connect DCR Client templates

You can now flag AM clients as AM client templates and retrieve them via the OpenID Connect Configuration Endpoint.

GET /oidc/.well-known/openid-configuration HTTP/1.1
Host: gravitee.io

{
  ...
  "registration_templates_endpoint": "https://auth.gravitee.io/gateway/gravitee/oidc/register_templates",
  ...
}

GET /oidc/register_templates HTTP/1.1
Host: gravitee.io

[
  {
    "software_id": "9ce44fb6-a200-496b....",
    "description": "My Awesome App Template"
  }
]

The response contains a unique software_id that you can use in your OIDC registration request:

POST /oidc/register HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: gravitee.io

{
  "redirect_uris": [
    "https://client.example.org/callback",
    "https://client.example.org/callback2"
  ],
  "client_name": "My Example Client",
  "token_endpoint_auth_method": "client_secret_basic",
  "logo_uri": "https://client.example.org/logo.png",
  "jwks_uri": "https://client.example.org/my_public_keys.jwks",
  "software_id": "9ce44fb6-a200-496b...."
}

When a software_id is provided, the AM client template’s metadata is merged with the plain JSON elements of the request to create the new client.

Gravitee.io AM 2.8 also supports OAuth 2.0 default scopes and allowed scopes, which you can apply during the registration process.
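The three-step exchange above (discovery, template listing, registration) and the template merge plus scope policy, as an added example that is neither part of the original post nor Gravitee.io AM's own code. The discovery and template responses are constructed JSON; the extra metadata a template carries, the fact that default and allowed scopes are attached to the template, and the precedence rule (values sent by the registering party win over the template) are assumptions made for the example.

```python
import json
import secrets

# Constructed responses mirroring the two GET requests shown above (not live data).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://auth.example.org/oidc",
    "registration_endpoint": "https://auth.example.org/oidc/register",
    "registration_templates_endpoint": "https://auth.example.org/oidc/register_templates",
})
TEMPLATES_JSON = json.dumps([
    {"software_id": "9ce44fb6-a200-496b-0000-000000000001", "description": "My Awesome App Template"},
])

# Server-side template store keyed by software_id. Which extra fields a template carries,
# and that default/allowed scopes hang off it, are assumptions for this example.
TEMPLATE_STORE = {
    "9ce44fb6-a200-496b-0000-000000000001": {
        "metadata": {
            "token_endpoint_auth_method": "private_key_jwt",
            "grant_types": ["authorization_code"],
            "response_types": ["code"],
            "id_token_signed_response_alg": "RS256",
        },
        "default_scopes": ["openid"],
        "allowed_scopes": ["openid", "profile", "email"],
    }
}


def templates_endpoint(discovery_json):
    """Client side, step 1: read the templates endpoint from the discovery document."""
    doc = json.loads(discovery_json)
    if "registration_templates_endpoint" not in doc:
        raise ValueError("provider does not advertise client templates")
    return doc["registration_templates_endpoint"]


def pick_template(templates_json, description):
    """Client side, step 2: choose a template by description and return its software_id."""
    for entry in json.loads(templates_json):
        if entry.get("description") == description:
            return entry["software_id"]
    raise LookupError("no template with that description")


def register_client(request):
    """Server side, step 3: merge the template's metadata with the request's JSON.
    Assumed precedence: values sent by the registering party win over the template."""
    req = dict(request)
    template = None
    if "software_id" in req:
        template = TEMPLATE_STORE.get(req["software_id"])
        if template is None:
            raise ValueError("unknown software_id")
    redirect_uris = req.get("redirect_uris")
    if not redirect_uris:
        raise ValueError("redirect_uris is required")
    for uri in redirect_uris:
        if not uri.startswith("https://"):       # reject plaintext callbacks
            raise ValueError("redirect_uris must use https: " + uri)

    merged = dict(template["metadata"]) if template else {}
    merged.update(req)

    # Scope policy: with no requested scope fall back to the template defaults;
    # otherwise every requested scope must be in the template's allowed list.
    requested = req.get("scope", "").split()
    if template:
        if not requested:
            requested = list(template["default_scopes"])
        else:
            rejected = sorted(set(requested) - set(template["allowed_scopes"]))
            if rejected:
                raise ValueError("scope not allowed: " + " ".join(rejected))
    merged["scope"] = " ".join(requested)

    merged["client_id"] = "client-" + secrets.token_hex(8)
    auth_method = merged.get("token_endpoint_auth_method", "client_secret_basic")
    if auth_method not in ("none", "private_key_jwt"):
        merged["client_secret"] = secrets.token_urlsafe(32)   # returned once, never logged
    return merged
```

A registration that names an unknown software_id, a non-HTTPS redirect URI, or a scope outside the template's allowed list is refused outright rather than silently trimmed, so the registering party learns exactly which part of its request the template policy rejected.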

Usernames and emails case-sensitivity

Starting with 2.8, users created via AM User Management or the SCIM protocol have case-sensitive usernames.

This prevents a situation where userA and usera exist in the system and refer to different users.

This is a potential breaking change if you are upgrading from an older version of Gravitee.io AM! Please be sure to read the breaking changes page before going further with this new version.
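A pre-upgrade check for the breaking change just described, added here as an example that is not part of the original post: it scans a user export for usernames or emails that differ only by letter case, which are exactly the accounts whose behaviour changes once comparison rules change. The sample user list is constructed; a real audit would read the AM user store or a SCIM listing.

```python
import unicodedata
from collections import defaultdict

# Constructed sample export (not real accounts).
SAMPLE_USERS = [
    {"username": "userA", "email": "Alice@Example.org"},
    {"username": "usera", "email": "alice@example.org"},
    {"username": "bob", "email": "bob@example.org"},
    {"username": "Carol", "email": "carol@example.org"},
]


def fold(value):
    """Normalise then case-fold, so that Unicode variants of the same letters also collide."""
    return unicodedata.normalize("NFKC", value).casefold()


def find_case_collisions(users, field):
    """Return {folded value: [distinct spellings]} for every value of `field`
    that appears under more than one spelling differing only by case."""
    groups = defaultdict(list)
    for user in users:
        spelling = user[field]
        bucket = groups[fold(spelling)]
        if spelling not in bucket:
            bucket.append(spelling)
    return {key: spellings for key, spellings in groups.items() if len(spellings) > 1}


if __name__ == "__main__":
    for field in ("username", "email"):
        for key, spellings in find_case_collisions(SAMPLE_USERS, field).items():
            print(f"{field} collision: {spellings}")
```

Any group the audit reports needs a decision (merge, rename or delete) before the upgrade, since those accounts will no longer be treated the way they were under the previous comparison rule.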

And more …

You can find the full changelog here and the list of deprecations and breaking changes here.

To discover all these new features, just follow the installation guide or start to play with Gravitee.io by using Docker.

We look forward to your feedback, and we would be happy to talk and help you on our Gitter channel.
