Broadleaf Microservices

Auth Release Notes for 1.8.13-GA

New Features & Notable Changes

  • Upgraded the Node.js version used for the login forms from 16.16.0 to 18.15.0. This should be a seamless change, since Node is primarily a build tool for these forms (it allows the use of PostCSS).

    • Node 16 is reaching end of life.

  • Added a new Search Service authorized client

  • Introduced support for quote

    • Full feature support will be completed in a future release

    • Added PUBLISH_QUOTE to default broadleaf.auth.security.oauth2.whitelistedImpersonationAuthorities

    • Added the ability for a CSR to act as a seller rather than impersonating a guest or registered customer. This makes use of the same impersonation functionality as the latter cases use and can be thought of as a CSR impersonating themselves.

      • To indicate this new mode, ImpersonationRequest has a new field, impersonate_self.

      • A new claim, impersonating_self, has also been added to the signed JWT to indicate this state to other systems.

      • AuthenticationUtils also has a new method, #userIsCSRActingAsSelf, that other services such as Cart Operations can use to check the claim’s value.

Bug Fixes

  • Added security scopes, permission scopes, and permissions for READ_APPLICATION_PROFILE_VIEW and READ_APPLICATION_CATALOG_VIEW to hide those metadata views unless assigned

    • These permissions are also added to existing out of box roles that already have READ_TENANT or ALL_TENANT assigned

  • Updated the Liquibase changesets so that the EncryptionMigrationTask migration is not run on an empty table.

  • Addressed a race condition where rule-based customer segments updated by simultaneous events could be processed in the wrong order by the event listeners.

    • Introduced the attribute last_process_segment_date on User to track the timestamp of the last segment-processing event received.

    • Added a timestamp field to ClearCustomerSegmentRequest.

    • Updated SegmentMemberPersistenceHandler and ClearCustomerSegmentEventListener to ignore events whose timestamp is earlier than the user’s last_process_segment_date.

  • Fixed a check in AuthTenantPersistenceHandler causing an application copy to be deleted when an application catalog is deleted.

API Changes

New Endpoints

Path                                      Description
GET /impersonate?impersonate_self=true    Impersonates self

New Seed Data

Permissions and Scopes for the Metadata Views

New permissions and scopes have been added and should be inserted into the auth database with the following SQL:

-- New scopes, permissions, and role assignments
INSERT INTO blc_security_scope (id, name, open) VALUES ('-623', 'APPLICATION_PROFILE_VIEW', 'N');
INSERT INTO blc_permission_scope (id, permission, is_permission_root, scope_id) VALUES ('-1024', 'APPLICATION_PROFILE_VIEW', 'Y', '-623');
INSERT INTO blc_user_permission (id, archived, last_updated, name, is_account_perm, user_assignable) VALUES ('-851', 'N', '1970-01-01 00:00:00.000000', 'READ_APPLICATION_PROFILE_VIEW', 'N', 'Y');

INSERT INTO blc_security_scope (id, name, open) VALUES ('-624', 'APPLICATION_CATALOG_VIEW', 'N');
INSERT INTO blc_permission_scope (id, permission, is_permission_root, scope_id) VALUES ('-1025', 'APPLICATION_CATALOG_VIEW', 'Y', '-624');
INSERT INTO blc_user_permission (id, archived, last_updated, name, is_account_perm, user_assignable) VALUES ('-852', 'N', '1970-01-01 00:00:00.000000', 'READ_APPLICATION_CATALOG_VIEW', 'N', 'Y');

-- Add permissions to out of box admin roles
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES
('-1', '-851'),
('-1', '-852'),
('-200', '-851'),
('-200', '-852'),
('-201', '-851'),
('-201', '-852'),
('-202', '-851'),
('-202', '-852'),
('-2', '-851'),
('-2', '-852'),
('-7', '-851'),
('-7', '-852');

Permissions, Scopes, and Client for SearchService’s TenantProvider

To support reducing the number of indexed fields by using the default tenant’s data for the tenant’s default-locale translatable fields, the following auth data was added to enable lookup of the tenant.

-- New scopes, permissions, and client
INSERT INTO auth.blc_client (id, application_id, attributes, client_id, client_secret, friendly_name, is_admin, auth_server_id, token_timeout_seconds, default_redirect_uri, refresh_token_rot_intrvl_scnds, refresh_token_timeout_seconds) VALUES ('searchclient',null,'{}','searchclient','TODO MY SECRET','Search Service Client','N',2,300,null,60,7200);

INSERT INTO auth.blc_client_grant_types (id, grant_type) VALUES ('searchclient','client_credentials');

INSERT INTO auth.blc_client_scopes (id, scope) VALUES ('searchclient','TENANT');

INSERT INTO auth.blc_client_permissions (id, permission) VALUES ('searchclient','READ_TENANT');

Inventory Permissions and Scopes for the OpenAPI client

If you use the openapi client with OpenAPI, the following scope and permission updates are necessary:

INSERT INTO blc_client_scopes (id, scope) VALUES
('openapi', 'CONSOLIDATED_INVENTORY_AVAILABILITY'),
('openapi', 'INVENTORY'),
('openapi', 'INVENTORY_LOCATION'),
('openapi', 'INVENTORY_RESERVATION'),
('openapi', 'INVENTORY_SUMMARY');

INSERT INTO blc_client_permissions (id, permission) VALUES
('openapi', 'ALL_INVENTORY_SUMMARY'),
('openapi', 'ALL_INVENTORY_RESERVATION'),
('openapi', 'ALL_INVENTORY_LOCATION'),
('openapi', 'ALL_INVENTORY'),
('openapi', 'ALL_CONSOLIDATED_INVENTORY_AVAILABILITY');

Permissions and Scopes for Quote

New permissions and scopes have been added and should be inserted into the auth database with the following SQL:

-- New scopes and permissions for PUBLISH_QUOTE
INSERT INTO blc_security_scope (id, name, open) VALUES ('-625', 'PUBLISH_QUOTE', 'N');
INSERT INTO blc_permission_scope (id, permission, is_permission_root, scope_id) VALUES ('-1026', 'PUBLISH_QUOTE', 'Y', '-625');
INSERT INTO blc_user_permission (id, archived, last_updated, name, is_account_perm, user_assignable) VALUES ('-853', 'N', '1970-01-01 00:00:00.000000', 'ALL_PUBLISH_QUOTE', 'N', 'Y');
-- New scopes and permissions for CART_NOTE
INSERT INTO blc_security_scope (id, name, open) VALUES ('-626', 'CART_NOTE', 'N');
INSERT INTO blc_permission_scope (id, permission, is_permission_root, scope_id) VALUES ('-1027', 'CART_NOTE', 'Y', '-626');
INSERT INTO blc_user_permission (id, archived, last_updated, name, is_account_perm, user_assignable) VALUES ('-854', 'N', '1970-01-01 00:00:00.000000', 'ALL_CART_NOTE', 'N', 'Y');
-- Add permissions to out of box admin roles
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES
('-2', '-853'),
('-10', '-853'),
('-2', '-854'),
('-10', '-854');
-- Add permissions to out of box service clients
INSERT INTO blc_client_scopes (id, scope) VALUES ('cartopsclient', 'CART_NOTE');
INSERT INTO blc_client_permissions (id, permission) VALUES ('cartopsclient', 'ALL_CART_NOTE');

If you use the openapi client with OpenAPI, the following scope and permission updates are necessary:

INSERT INTO blc_client_scopes (id, scope) VALUES ('openapi', 'PUBLISH_QUOTE');
INSERT INTO blc_client_permissions (id, permission) VALUES ('openapi', 'ALL_PUBLISH_QUOTE');
INSERT INTO blc_client_scopes (id, scope) VALUES ('openapi', 'CART_NOTE');
INSERT INTO blc_client_permissions (id, permission) VALUES ('openapi', 'ALL_CART_NOTE');

Redirect URIs for Quote

In order for quote related functionalities to work, the following redirect URIs should be added:

INSERT INTO blc_client_redirect_uris (id, redirect_uri) VALUES ('01GV162M0WGT8H039EWD8Z1WQG', 'https://allthesauce.localhost:8456/my-account/quotes');
INSERT INTO blc_client_redirect_uris (id, redirect_uri) VALUES ('01GV162KYVW0ZP0MS41EV50X7E', 'https://heatclinic.localhost:8456/my-account/quotes');
INSERT INTO blc_client_redirect_uris (id, redirect_uri) VALUES ('01GV162KWP3SXB0V4F6ZT01R1V', 'https://aaahotsauces.localhost:8456/my-account/quotes');
INSERT INTO blc_client_redirect_uris (id, redirect_uri) VALUES ('01GV162M0WGT8H039EWD8Z1WQG', 'https://localhost:8456/my-account/quotes');
INSERT INTO blc_client_redirect_uris (id, redirect_uri) VALUES ('01GV162KYVW0ZP0MS41EV50X7E', 'https://localhost:8456/my-account/quotes');
INSERT INTO blc_client_redirect_uris (id, redirect_uri) VALUES ('01GV162KWP3SXB0V4F6ZT01R1V', 'https://localhost:8456/my-account/quotes');

Data Migration

New Permissions and Scopes for the Metadata Views for Custom Users and Roles

With these new permissions and scopes introduced, custom users and roles should also be updated so that their access is the same after the upgrade. The migration script below adds READ_APPLICATION_PROFILE_VIEW and READ_APPLICATION_CATALOG_VIEW to every user and role that has the READ_TENANT or ALL_TENANT permission.

It is recommended to review the resulting access afterwards and remove the READ_APPLICATION_PROFILE_VIEW and READ_APPLICATION_CATALOG_VIEW permissions where they are not needed.

Assigning to Custom Users

-- Add READ_APPLICATION_PROFILE_VIEW permission for existing user permission xref with ALL_TENANT permission
WITH data (userid, permissionid) AS (
  SELECT user_id, permission_id FROM auth.blc_user_permission_xref WHERE permission_id = '-29'
)
INSERT INTO auth.blc_user_permission_xref (user_id, permission_id)
SELECT userid, '-851' FROM data;

-- update the same user on the admin side
UPDATE adminuser.blc_admin_user au
SET permission_ids = replace(au.permission_ids, ']', ', "-851"]')
WHERE au.permission_ids != '[]' AND au.permission_ids LIKE '%"-29"%';


-- Add READ_APPLICATION_CATALOG_VIEW permissions for existing user permission xref with ALL_TENANT permission
WITH data (userid, permissionid) AS (
  SELECT user_id, permission_id FROM auth.blc_user_permission_xref WHERE permission_id = '-29'
)
INSERT INTO auth.blc_user_permission_xref (user_id, permission_id)
SELECT userid, '-852' FROM data;

-- update the same user on the admin side
UPDATE adminuser.blc_admin_user au
SET permission_ids = replace(au.permission_ids, ']', ', "-852"]')
WHERE au.permission_ids != '[]' AND au.permission_ids LIKE '%"-29"%';


-- Add READ_APPLICATION_PROFILE_VIEW permission for existing user permission xref with READ_TENANT permission
WITH data (userid, permissionid) AS (
  SELECT user_id, permission_id FROM auth.blc_user_permission_xref WHERE permission_id = '-30'
)
INSERT INTO auth.blc_user_permission_xref (user_id, permission_id)
SELECT userid, '-851' FROM data;

-- update the same user on the admin side
UPDATE adminuser.blc_admin_user au
SET permission_ids = replace(au.permission_ids, ']', ', "-851"]')
WHERE au.permission_ids != '[]' AND au.permission_ids LIKE '%"-30"%';


-- Add READ_APPLICATION_CATALOG_VIEW permissions for existing user permission xref with READ_TENANT permission
WITH data (userid, permissionid) AS (
  SELECT user_id, permission_id FROM auth.blc_user_permission_xref WHERE permission_id = '-30'
)
INSERT INTO auth.blc_user_permission_xref (user_id, permission_id)
SELECT userid, '-852' FROM data;

-- update the same user on the admin side
UPDATE adminuser.blc_admin_user au
SET permission_ids = replace(au.permission_ids, ']', ', "-852"]')
WHERE au.permission_ids != '[]' AND au.permission_ids LIKE '%"-30"%';

Assigning to Custom Roles

-- Add READ_APPLICATION_PROFILE_VIEW permission for existing role permission xref with ALL_TENANT permission
WITH data (roleid, permissionid) AS (
  SELECT role_id, permission_id FROM auth.blc_role_permission_xref WHERE permission_id = '-29'
)
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id)
SELECT roleid, '-851' FROM data
ON CONFLICT do nothing;

-- Add READ_APPLICATION_CATALOG_VIEW permissions for existing role permission xref with ALL_TENANT permission
WITH data (roleid, permissionid) AS (
  SELECT role_id, permission_id FROM auth.blc_role_permission_xref WHERE permission_id = '-29'
)
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id)
SELECT roleid, '-852' FROM data
ON CONFLICT do nothing;


-- Add READ_APPLICATION_PROFILE_VIEW permission for existing role permission xref with READ_TENANT permission
WITH data (roleid, permissionid) AS (
  SELECT role_id, permission_id FROM auth.blc_role_permission_xref WHERE permission_id = '-30'
)
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id)
SELECT roleid, '-851' FROM data
ON CONFLICT do nothing;

-- Add READ_APPLICATION_CATALOG_VIEW permissions for existing role permission xref with READ_TENANT permission
WITH data (roleid, permissionid) AS (
  SELECT role_id, permission_id FROM auth.blc_role_permission_xref WHERE permission_id = '-30'
)
INSERT INTO auth.blc_role_permission_xref (role_id, permission_id)
SELECT roleid, '-852' FROM data
ON CONFLICT do nothing;
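To carry out the access review recommended at the start of this Data Migration section, the following query (an added example, not part of the release notes or the Broadleaf project) lists every user and role that now holds either metadata-view permission, which tenant permission would have triggered the grant, and how many xref rows each subject holds for the two new permissions, so that duplicate rows left by the user script (which inserts for both ALL_TENANT and READ_TENANT without ON CONFLICT) stand out. It assumes PostgreSQL, as the ON CONFLICT syntax above does, and uses only the auth tables and permission ids shown on this page.

```sql
-- Added review query (not part of the release notes). Assumes PostgreSQL.
-- Permission ids from this page: -29 = ALL_TENANT, -30 = READ_TENANT,
-- -851 = READ_APPLICATION_PROFILE_VIEW, -852 = READ_APPLICATION_CATALOG_VIEW.
WITH subjects AS (
  -- Fold user and role grants into one shape so both can be reviewed together
  SELECT 'user' AS subject_type, user_id AS subject_id, permission_id
  FROM auth.blc_user_permission_xref
  UNION ALL
  SELECT 'role' AS subject_type, role_id AS subject_id, permission_id
  FROM auth.blc_role_permission_xref
)
SELECT s.subject_type,
       s.subject_id,
       bool_or(s.permission_id = '-29')  AS has_all_tenant,
       bool_or(s.permission_id = '-30')  AS has_read_tenant,
       bool_or(s.permission_id = '-851') AS has_read_application_profile_view,
       bool_or(s.permission_id = '-852') AS has_read_application_catalog_view,
       -- More than one row per new permission means the migration granted it twice
       count(*) FILTER (WHERE s.permission_id = '-851') AS profile_view_rows,
       count(*) FILTER (WHERE s.permission_id = '-852') AS catalog_view_rows
FROM subjects s
GROUP BY s.subject_type, s.subject_id
-- Only subjects that received at least one of the new metadata-view permissions
HAVING bool_or(s.permission_id IN ('-851', '-852'))
ORDER BY s.subject_type, s.subject_id;
```

A subject listed with neither has_all_tenant nor has_read_tenant set holds a metadata-view permission that did not come from this migration and deserves a closer look; a row count above 1 indicates a duplicate xref row to clean up.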