Tip: The 2.x versions are Spring Boot 3 compatible.
JDK 17 is required for Broadleaf release trains 2.0.0-GA, and beyond.
Spring Authorization Server 1.5.6+ is required for this version of AuthenticationServices and beyond.
AuthenticationServices is built upon and customizes various functionality from Spring Authorization Server.
In typical release cycles, the underlying version of Spring Authorization Server is upgraded via the standard Broadleaf base dependencies upgrades, and does not necessarily result in any changes to AuthenticationServices itself.
In this release, however, a multitude of classes in AuthenticationServices have been updated to reach full parity with the recently released Spring Authorization Server 1.5.6 version.
The overwhelming majority of changes around this are just simple internal refactorings to align with similar changes in Spring Authorization Server itself. From a functional perspective, there should be no significant differences in the behavior of the application.
With that being said, there are a handful of new features in Spring Authorization Server (SAS) such as OAuth2 Demonstrating Proof of Possession (DPoP) and Pushed Authorization Requests (PAR). While Broadleaf does not explicitly leverage or customize these flows, at the very least, the changes in this release give the relevant Broadleaf components the foundation for future support.
Below is a list of key affected classes. In all of them, there have been changes made to respond to SAS’s refactoring and eliminate redundant code.
- OIDAwareOAuth2RefreshTokenAuthenticationProvider
  - DPoP support
- PublicRefreshOAuth2AuthorizationCodeAuthenticationProvider
  - Updated comments/Javadocs to explain the customizations in the context of the new SAS
  - DPoP support
- ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
  - PAR support
  - Native OIDC prompt support
- ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider
  - DPoP support
  - The base SAS class introduced a new authenticationValidator concept to validate scopes, but our customizations require a different approach, so this is disabled by default.
- PublicRefreshPublicClientAuthenticationProvider
  - Aligns with the stricter PKCE enforcement around codeVerifier in newer SAS versions
- PublicRefreshCodeVerifierAuthenticator
  - Aligns with the stricter PKCE enforcement around codeVerifier in newer SAS versions
  - Aligns with the fail-fast behavior of SAS when the code is missing in an authorization_code flow
- AdvancedOAuth2RefreshTokenConfigurerUtils
  - SAS introduced some new 'default' token customizers related to DPoP and Token Exchange delegation, which are now registered in addition to the standard token customizers from Broadleaf.
- DefaultClientScopeAuthorizationCodeRequestConverter
  - PAR support
- DefaultOAuth2AuthorizationCodeRequestAuthenticationValidator
  - Updated with new methods matching changes in SAS for use in other components
- EmbeddedLoginCodeAuthenticationProvider
  - Updated to maintain full parity with the updates in PublicRefreshOAuth2AuthorizationCodeAuthenticationProvider and the latest SAS
The property broadleaf.auth.token.support-refresh-token-rotation was removed. Whether refresh token support is enabled is now based solely on the grant types of the AuthorizedClient/RegisteredClient (REFRESH_TOKEN).
For example: registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)
The property broadleaf.auth.token.support-refresh-token-cleanup was removed.
Introduced the new property broadleaf.auth.token.enable-oauth2-authorization-cleanup. This property defaults to true. It controls whether the periodically running clean-up job that prunes obsolete OAuth2Authorizations is enabled.
This property supersedes the now-removed broadleaf.auth.token.support-refresh-token-cleanup property.
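As an added example (not Broadleaf's or Spring Authorization Server's own code), the audit below applies the grant-type check described above to a constructed set of RegisteredClients and reports which ones will stop receiving refresh tokens now that the rotation property is gone; the client ids and redirect URI are placeholders.

```java
// Added example, not part of the Broadleaf release notes or code base.
// After this upgrade, refresh tokens are issued only when the RegisteredClient
// carries the REFRESH_TOKEN grant type, so a client that previously relied on
// broadleaf.auth.token.support-refresh-token-rotation must declare it explicitly.
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

public class RefreshTokenGrantAudit {

    /** The check named in the release notes: refresh support comes from the grant types alone. */
    static boolean refreshTokensEnabledFor(RegisteredClient client) {
        return client.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN);
    }

    /** Ids of authorization_code clients that will no longer be able to refresh after the upgrade. */
    static List<String> clientsWithoutRefresh(List<RegisteredClient> clients) {
        return clients.stream()
                .filter(c -> c.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE))
                .filter(c -> !refreshTokensEnabledFor(c))
                .map(RegisteredClient::getClientId)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample clients (placeholder ids and redirect URI); in a real
        // deployment these would be loaded from the RegisteredClientRepository.
        RegisteredClient spa = RegisteredClient.withId("spa-id")
                .clientId("example-spa")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("https://example.invalid/callback")
                .build();
        RegisteredClient legacy = RegisteredClient.withId("legacy-id")
                .clientId("example-legacy")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("https://example.invalid/callback")
                .build();

        // Only "example-legacy" is reported: it never declared REFRESH_TOKEN.
        System.out.println("Clients losing refresh tokens: " + clientsWithoutRefresh(List.of(spa, legacy)));
    }
}
```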
Added an event listener that prunes the blc_password_token table, which can grow large over time.
Added official support for Caffeine and Ehcache as alternative caching providers for many microservices.
This includes new auto-configuration and properties for managing heap and off-heap budgets, as well as weights and estimated sizes for various service components.
For more details on configuring these providers, see the Caching Configuration documentation.
Updated scheduled jobs to support more user-friendly duration formats (e.g., 2d, 12h) in addition to ISO-8601.
Additionally, these jobs now emit started and completed events to provide better visibility into their execution status.
Introduced many new diagnostic TRACE logs in OAuth2 flows to make it easier to identify the root cause of a failed request.
You can now enable TRACE logs in any of the following classes, and more detailed information will appear as the request moves through the flow.
Note: This is primarily intended for use in lower environments, and in scenarios where testing a new integration may temporarily require extra diagnostic output. It is not recommended to enable these logs in production, as they will be very noisy.

Note: The API responses returned to the external caller have not changed; the messages there remain vague to prevent leaking information to potential attackers.
- com.broadleafcommerce.auth.authorization.security.embedded.code.EmbeddedLoginCodeAuthenticationConverter
- com.broadleafcommerce.auth.authorization.security.embedded.code.EmbeddedLoginCodeAuthenticationProvider
- com.broadleafcommerce.auth.authorization.security.spring.OIDAwareOAuth2RefreshTokenAuthenticationProvider
- com.broadleafcommerce.auth.authorization.security.spring.PublicRefreshCodeVerifierAuthenticator
- com.broadleafcommerce.auth.authorization.security.spring.PublicRefreshOAuth2AuthorizationCodeAuthenticationProvider
- com.broadleafcommerce.auth.authorization.security.spring.PublicRefreshPublicClientAuthenticationProvider
- com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
- com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider
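As an added configuration example (not taken from the Broadleaf documentation), the application.yml fragment below sets the new cleanup property from the token changes above and enables TRACE for the classes just listed only under a non-production profile, so production keeps default log levels; the profile name local is an assumption.

```yaml
# Added example, not from the Broadleaf docs. Property names and logger names come from
# the release notes; the "local" profile name is an assumption.
broadleaf:
  auth:
    token:
      # Replaces the removed broadleaf.auth.token.support-refresh-token-cleanup.
      # Already true by default; stated explicitly so the intent is visible in review.
      enable-oauth2-authorization-cleanup: true
      # broadleaf.auth.token.support-refresh-token-rotation was removed: refresh tokens
      # now depend solely on the REFRESH_TOKEN grant type of each RegisteredClient.

---
# Second document: loaded only when the "local" profile is active, so production keeps
# default log levels and external callers still receive the deliberately vague messages.
spring:
  config:
    activate:
      on-profile: local
logging:
  level:
    com.broadleafcommerce.auth.authorization.security.embedded.code.EmbeddedLoginCodeAuthenticationConverter: TRACE
    com.broadleafcommerce.auth.authorization.security.embedded.code.EmbeddedLoginCodeAuthenticationProvider: TRACE
    com.broadleafcommerce.auth.authorization.security.spring.OIDAwareOAuth2RefreshTokenAuthenticationProvider: TRACE
    com.broadleafcommerce.auth.authorization.security.spring.PublicRefreshCodeVerifierAuthenticator: TRACE
    com.broadleafcommerce.auth.authorization.security.spring.PublicRefreshOAuth2AuthorizationCodeAuthenticationProvider: TRACE
    com.broadleafcommerce.auth.authorization.security.spring.PublicRefreshPublicClientAuthenticationProvider: TRACE
    com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider: TRACE
    com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider: TRACE
```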
RestrictedPermission, RestrictedRole, and Restriction are now discriminated by accountId.
When a user acts within the scope of an account, the effective restrictions are those that are global (accountId = null) together with those associated with that account.
Added permissions/scopes for the pricingclient and notificationclient to read order and order fulfillment data.
Granted the pricingclient the ORDER_FULFILLMENT scope and READ_ORDER_FULFILLMENT permission.
Granted the notificationclient the ORDER and ORDER_FULFILLMENT scopes and READ_ORDER and READ_ORDER_FULFILLMENT permissions.
AuthServiceUserWebAutoConfiguration.addResourceHandlers was previously misconfigured with invalid resource paths, which caused failures starting in Spring Boot 3.5 due to stricter Spring validations.
The resource configuration has been reworked with corrected syntax and more granular mappings.
From an external perspective, nothing has changed, and resources can still be accessed at the same paths as before (so templates will be unaffected).
Fixed a compilation issue related to the Thymeleaf upgrade.
Fixed a channel name typo in PurgePasswordTokenJobListener.
Fixed an error when the AccountMemberRoleChangeRequest#userId or AccountMemberRestrictionUpdateEvent#userId is null.
The database schema has changed as part of this version.
Create/update changes (new tables, new columns, etc.) are automatically included in the updated *changelog-master.xml after you upgrade to the new Authentication Services JAR.
The new changesets inside it will run automatically to migrate existing data.
| Database Platform | Create/Update Changelog File Name |
|---|---|
| PostgreSQL | |
| MariaDB | |
| MySQL | |
| Oracle | |