Auth Release Notes for 2.1.4-GA

Table of Contents

Requirements
New Features & Notable Changes
- Remember-Me Login
- Miscellaneous
Upgrade Guide
- Liquibase Change Sets

Tip	The 2.x versions are Spring Boot 3 compatible.

Requirements

JDK 17 is required for Broadleaf release trains 2.0.0-GA, and beyond.

New Features & Notable Changes

Remember-Me Login

Important

The Remember-Me implementation requires the Liquibase schema changes defined below. Even if Remember-Me is disabled, these schema changes must be applied - they will just be dormant/unused until the functionality is enabled.

Important

To pair with these changes, clients are recommended to update their frontend projects to the latest versions described in the 2.1.4 Release Notes and Upgrade Guide. These include enhancements to frontend session management that incorporate information about Remember-Me availability for a better user experience.

With this release, AuthenticationServices now supports Remember-Me when using the Centralized Universal Login approach.

Remember-Me functionality is disabled by default, making it opt-in rather than opt-out.

Please see the full details about the Remember-Me feature.

Miscellaneous

Fixed recurring issues with Segment ID Persistence.
- Updated to store to the user attributes the last time the user was updated for a specific segment, rather than a general last updated date.
Increase JpaUser#attributes column length to 4000.
Fixed a bug where if the user doesn’t have the ALL_SANDBOX permission, the changes get deployed straight to production.
Added a new endpoint to allow Admins to send out a reset password email for another admin.
Added new pricingclient with ORDER and TENANT_CART scopes.
Added new scopes and permissions to bulkopsclient to support new category product membership functionality
Add data exchange permissions for comprehensive product and data exchange client
Fixed scope filtering to correctly account for scopes that are not named the same as permissions
Added an extra nonce validation in /consume-token endpoint to verify the current authentication matches the one specified in the signedJwt
Added support for scopes and permissions in workflow and audit flows
Fixed a bug where the BLSR cookie was not being cleared properly on requests to OAuth2 protocol endpoints. The RequestCacheAwareFilter is now ordered higher in the authorization server filter chain to ensure it applies before the protocol filters engage.
Fixed a bug where 'prompt=none' authentication failure redirects were setting the BLSR cookie, even though they were never actually going to be consumed/cleared. The OAuth2AuthenticationEntryPoint now ensures this cookie is cleared in such a case before proceeding.
Added new field DEFAULT_APPLICATION_ID to the BLC_USER table. The field value is used to pre-select application on user sign in. It overrides setting of default application on tenant level for a specific user. Makes sense only when user has access to applications and has applications assigned.
Added missing security scopes for Customer related permissions and linked the security scopes to their permissions, namely CUSTOMER_RETURN, CUSTOMER_ORDER, and CUSTOMER_ENTITLEMENT.
- The SQL inserts & updates needed for this update can be done manually if needed by running the following SQL for the auth database.

-- Insert new entries for missing security scopes for Customer operations

INSERT INTO auth.blc_security_scope (id, name, open) VALUES ('01JW66XFTCT5P7ZTSQWQ6DAS0H', 'CUSTOMER_ORDER', 'N');
INSERT INTO auth.blc_security_scope (id, name, open) VALUES ('01JW66WYS7BS6K5EWR82XDJ7MD', 'CUSTOMER_RETURN', 'N');
INSERT INTO auth.blc_security_scope (id, name, open) VALUES ('01JW66XXJZF9MFHEY3VFBFANG3', 'CUSTOMER_ENTITLEMENT', 'N');

-- Update the relevant permission scopes to be linked to the new security scopes

UPDATE auth.blc_permission_scope SET scope_id = '01JW66XFTCT5P7ZTSQWQ6DAS0H' WHERE id = '-111';
UPDATE auth.blc_permission_scope SET scope_id = '01JW66WYS7BS6K5EWR82XDJ7MD' WHERE id = '-112';
UPDATE auth.blc_permission_scope SET scope_id = '01JW66XXJZF9MFHEY3VFBFANG3' WHERE id = '-113';

+ NOTE: This requires the Liquibase schema changes defined below.

Upgrade Guide

Liquibase Change Sets

The database schema has changed as part of this version.

Creates and Updates

Create/update changes (new tables, new columns, etc) are automatically included in the updated *changelog-master.xml after you upgrade to the new Authentication Services JAR. The new changesets inside will run automatically to migrate existing data.

Database Platform Create/Update Changelog File Name

Database Platform	Create/Update Changelog File Name
PostgreSQL	`db/changelog/auth.postgresql.changelog-master.xml`
MariaDB	`db/changelog/auth.mariadb.changelog-master.xml`
MySQL	`db/changelog/auth.mysql.changelog-master.xml`
Oracle	`db/changelog/auth.oracle.changelog-master.xml` and `db/changelog/auth.oracle.short.changelog-master.xml`
YugabyteDB	`db/changelog/auth.yugabytedb.changelog-master.xml`

PostgreSQL

db/changelog/auth.postgresql.changelog-master.xml

MariaDB

db/changelog/auth.mariadb.changelog-master.xml

MySQL

db/changelog/auth.mysql.changelog-master.xml

Oracle

db/changelog/auth.oracle.changelog-master.xml and db/changelog/auth.oracle.short.changelog-master.xml

YugabyteDB

db/changelog/auth.yugabytedb.changelog-master.xml