We are pleased to announce that Gravitee.io Access Management 2.8 is now available.
What's new?
Here are the highlights of this release:
- Custom claims for tokens
- OpenID Connect DCR Client templating
- Usernames and emails case sensitivity
Add custom claims to Tokens
When securing APIs, OAuth 2.0 access tokens are used as opaque tokens to access authorized resources without further identification (which prevents personal information leaks if the access token is propagated to several services).
However, it can sometimes be useful to include resource owner attributes directly in access tokens, so that resource servers (i.e. APIs or an API gateway) can consume them directly for authorization or other purposes without further round trips to the Introspection or UserInfo endpoints.
Including resource owner attributes in JWT access tokens requires care: verify that all privacy requirements are met.
Gravitee.io AM 2.8.0 introduces a new Custom Token Claims feature to add extra information to the OAuth 2.0 Access Token and OpenID ID Token.
You will be able to retrieve user information directly from your access tokens and also add custom information.
You can now discover this new feature via our quick-start.
OpenID Connect DCR Client templating
OpenID Connect Dynamic Client Registration defines how an OpenID Connect Relying Party (a third-party application) can dynamically register with the OpenID Provider (i.e. Gravitee.io Access Management) to obtain the information needed to use it (e.g. the OAuth 2.0 client_id).
Until now, only OpenID Connect protocol metadata could be set via the DCR feature, and users had to go back to the Gravitee.io AM administration UI to add AM-specific information (e.g. custom email templates, HTML templates, identity providers …).
Gravitee.io AM 2.8 offers a new feature called DCR Client Templating that allows you to create client templates which will be used throughout the DCR registration process.
You can now flag AM clients as AM client templates and retrieve them via the OpenID Connect Configuration Endpoint.
```http
GET /oidc/.well-known/openid-configuration HTTP/1.1
...
{
  ...
  "registration_templates_endpoint" : "https://auth.gravitee.io/gateway/gravitee/oidc/register_templates",
  ...
}
```

```http
GET /oidc/register_templates HTTP/1.1
...
{
  ...
  "description": "My Awesome App Template"
  ...
}
```
The response will contain a unique software_id that you can use in your OIDC registration request:
```http
POST /oidc/register HTTP/1.1
...
{
  ...
  "client_name": "My Example Client",
  ...
}
```
By providing the software_id, the AM client template's metadata will be merged with the plain JSON elements of the request to create the new client.
Gravitee.io AM 2.8 also supports OAuth 2.0 default scopes and allowed scopes that you can apply during the registration process.
Usernames and emails case-sensitivity
Starting from 2.8, users created via AM User Management or the SCIM protocol have case-sensitive usernames.
This prevents a situation where userA and usera both exist in the system and refer to different users.
This is a potential breaking change if you are upgrading from an older version of Gravitee.io AM! Please be sure to follow the breaking changes page before going further with this new version.