78.12.0

What's Changed

Fixes

• Fix UAA start with legacy key setup by @strehle in #3837
• Move signingKey back to legacy structure by @strehle in #3839

Dependency Bumps

• build(deps): bump jasmine-core from 6.1.0 to 6.2.0 in /uaa by @dependabot[bot] in #3832
• build(deps): bump jasmine from 6.1.0 to 6.2.0 in /uaa by @dependabot[bot] in #3831

Full Changelog: v78.11.0...v78.12.0

78.11.0

What's Changed

Known Issue

• UAA may fail to start with some legacy key setups

New Feature

• OpenAPI document endpoints by @joemahady-comm in #3689

Fixes

• Fallback to client_id when cid is missing by @duanemay in #3790
• Restrict HTTP Methods returned by OPTIONS Call to Login Endpoint by @adrianhoelzl-sap in #3804
• Handle custom issuer configuration in getTokenEndpointUrl method by @duanemay in #3815
• Resolve session concurrency issues with static resources by @duanemay in #3817
• Add OpenSaml work around for FIPS initialization by @strehle in #3809
• Fix Issuer URI Configuration for Default Identity Zone by @duanemay in #3823
• Allow configuration of logged_out page content by @duanemay in #3824
• Revert "Add OpenSaml work around for FIPS initialization" by @strehle in #3826
• OAuth Group Mapping Behavior - Combine #3814 and #3820 by @fhanik in #3821
• Run boot war on standalone Apache Tomcat by @fhanik in #3825
• Fix Apache Http Client dependency by @strehle in #3830
• Add OpenSaml work around for FIPS initialization by @strehle in #3829

Misc

• Remove unused Kubernetes configurations and custom matchers by @duanemay in #3784

Dependency Bumps

• build(deps): bump versions.braveVersion from 6.3.0 to 6.3.1 by @dependabot[bot] in #3799
• build(deps): bump versions.springBootVersion from 3.5.12 to 3.5.13 by @dependabot[bot] in #3801
• build(deps): bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.7.0 to 2.8.16 by @dependabot[bot] in #3802
• build(deps): bump brace-expansion from 5.0.2 to 5.0.5 in /uaa by @dependabot[bot] in #3803
• build(deps): bump rack from 2.2.22 to 2.2.23 in /uaa/slate by @dependabot[bot] in #3806
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.8 to 10.9 by @dependabot[bot] in #3807
• build(deps): bump org.passay:passay from 1.6.6 to 2.0.0 by @dependabot[bot] in #3808
• build(deps): bump addressable from 2.8.7 to 2.9.0 in /uaa/slate by @dependabot[bot] in #3816
• build(deps): bump versions.seleniumVersion from 4.41.0 to 4.42.0 by @dependabot[bot] in #3818
• build(deps): bump versions.seleniumVersion from 4.42.0 to 4.43.0 by @dependabot[bot] in #3828
• build(deps): bump org.barfuin.gradle.jacocolog:gradle-jacoco-log from 4.0.1 to 4.0.2 by @dependabot[bot] in #3834
• build(deps): bump org.springdoc:springdoc-openapi-starter-webmvc-ui from 2.8.16 to 2.8.17 by @dependabot[bot] in #3833

Full Changelog: v78.10.0...v78.11.0

78.10.0

What's Changed

New Feature

• Path based Identity Zone by @fhanik in #3730
• AI generated configuration reference by @fhanik in #3768

Fixes

• Cleanup dependabot configuration by removing redundant Gradle entries… by @duanemay in #3770
• Fix unbound variable issues by @duanemay in #3786
• Use single boot start check logic by @duanemay in #3787

Misc

• Update password change audit events to include principal name by @joemahady-comm in #3760
• Change userDatabase autowired type to UaaUserDatabase by @gdgenchev in #3789
• Remove scripts by @duanemay in #3783
• Remove unused tail_uaa_log script by @duanemay in #3785
• Improve rerun flaky tests by @duanemay in #3788

Dependency Bumps

• Update Bouncy Castle FIPS dependency versions by @strehle in #3763
• Update Gradle wrapper to version 9.4.0 by @strehle in #3765
• Update nimbus-jose-jwt library version to 10.8 by @strehle in #3766
• Update joda-time dependency to version 2.14.1 by @strehle in #3764
• Update commons-io version to 2.21.0 by @strehle in #3769
• build(deps): bump org.json:json from 20250517 to 20251224 by @dependabot[bot] in #3772
• build(deps): bump com.unboundid.product.scim:scim-sdk from 1.8.26 to 2.0.0 by @dependabot[bot] in #3777
• build(deps): bump org.jacoco:org.jacoco.agent from 0.8.13 to 0.8.14 by @dependabot[bot] in #3780
• build(deps): bump versions.guavaVersion from 33.4.8-jre to 33.5.0-jre by @dependabot[bot] in #3775
• build(deps): bump com.icegreen:greenmail from 2.1.5 to 2.1.8 by @dependabot[bot] in #3776
• build(deps): bump versions.seleniumVersion from 4.40.0 to 4.41.0 by @dependabot[bot] in #3778
• build(deps): bump org.eclipse.jgit:org.eclipse.jgit from 7.3.0.202506031305-r to 7.6.0.202603022253-r by @dependabot[bot] in #3771
• build(deps): bump org.barfuin.gradle.jacocolog:gradle-jacoco-log from 3.1.0 to 4.0.1 by @dependabot[bot] in #3774
• build(deps): bump org.sonarsource.scanner.gradle:sonarqube-gradle-plugin from 7.0.1.6134 to 7.2.3.7755 by @dependabot[bot] in #3773
• build(deps): bump commons-codec:commons-codec from 1.19.0 to 1.21.0 by @dependabot[bot] in #3781
• chore(deps): update ubuntu docker tag to v24 by @strehle in #3782
• Bump Gradle to 9.4.0 by @duanemay in #3791
• build(deps): bump k8s.io/client-go from 0.35.2 to 0.35.3 in /k8s by @dependabot[bot] in #3793
• build(deps): bump gradle-wrapper from 9.4.0 to 9.4.1 by @dependabot[bot] in #3796
• build(deps): bump versions.springBootVersion from 3.5.11 to 3.5.12 by @dependabot[bot] in #3797

Full Changelog: v78.9.0...v78.10.0

78.9.0

What's Changed

Security

• Addresses CVE-2026-22724

Fixes

• Add ProxyRestriction Validator by @mikeroda in #3758
• fix saml and invitations beans by @fhanik in #3762

Misc

• Rerun flaky tests in integration tests pipeline by @duanemay in #3752

Dependency Bumps

• build(deps): bump k8s.io/client-go from 0.35.1 to 0.35.2 in /k8s by @dependabot[bot] in #3754
• build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #3756
• build(deps): bump minimatch from 10.2.2 to 10.2.4 in /uaa by @dependabot[bot] in #3757
• build(deps): bump docker/login-action from 3 to 4 by @dependabot[bot] in #3759

Full Changelog: v78.8.0...v78.9.0

78.8.0

What's Changed

Security

• Addresses CVE-2026-22723.

Fixes

• Fix token revocation logic by @duanemay in #3743
• Use entityBaseURL for URLs when generating SAML Metadata by @georgikpetrov00 in #3739
• Limit /RateLimitingStatus to default zone and only use token authentication by @fhanik in #3744
• fix: log at debug when openid scope not included by @mikeroda in #3727

Misc

• Logged Out Page by @adrianhoelzl-sap in #3717
• CSS Trimming by @lhardt in #3737
• Refactor time comparison test assertions by @duanemay in #3725

Dependency Bumps

• Bump Gradle to 9.3.0 by @duanemay in #3728
• Bump Gradle to 9.3.1 by @duanemay in #3732
• build(deps): bump k8s.io/client-go from 0.35.0 to 0.35.1 in /k8s by @dependabot[bot] in #3740
• Bump Selenium version to 4.40.0 by @strehle in #3734
• build(deps): bump github.com/onsi/gomega from 1.39.0 to 1.39.1 in /k8s by @dependabot[bot] in #3733
• build(deps): bump rack from 2.2.20 to 2.2.22 in /uaa/slate by @dependabot[bot] in #3745
• build(deps): bump versions.springBootVersion from 3.5.10 to 3.5.11 by @dependabot[bot] in #3746
• build(deps): bump nokogiri from 1.18.9 to 1.19.1 in /uaa/slate by @dependabot[bot] in #3747
• build(deps): bump minimatch and glob in /uaa by @dependabot[bot] in #3748
• build(deps): bump jasmine from 6.0.0 to 6.1.0 in /uaa by @dependabot[bot] in #3750
• build(deps): bump jasmine-core from 6.0.1 to 6.1.0 in /uaa by @dependabot[bot] in #3751

New Contributors

• @lhardt made their first contribution in #3737
• @georgikpetrov00 made their first contribution in #3739

Full Changelog: v78.7.0...v78.8.0

78.7.0

What's Changed

Fixes

• Fix a ConcurrentModificationException within updateClientDetails by @duanemay in #3719
• fix: include NameID Format in SAML LogoutRequest by @mikeroda in #3718
• remove jti from the required claims for jwt client authentication by @strehle in #3577

Misc

• Add Java 25 and Ubuntu 24.04 support in CI tests by @duanemay in #3704
• Streamline Gradle commands in test jobs by @duanemay in #3703
• add flag omitIdTokenHintOnLogout in OIDC config by @strehle in #3711
• Flyway upgrade by @duanemay in #3698
• Reduce private_key_jwt expiry by @strehle in #3720
• Expose StatsDClient as a Bean by @duanemay in #3716
• Flyway upgrade refactor by @strehle in #3712

Dependency Bumps

• build(deps): bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #3702
• build(deps): bump k8s.io/client-go from 0.34.3 to 0.35.0 in /k8s by @dependabot[bot] in #3706
• build(deps): bump versions.springBootVersion from 3.5.8 to 3.5.9 by @dependabot[bot] in #3709
• build(deps): bump github.com/onsi/gomega from 1.38.3 to 1.39.0 in /k8s by @dependabot[bot] in #3715
• build(deps): bump jasmine-core from 5.13.0 to 6.0.1 in /uaa by @dependabot[bot] in #3723
• build(deps): bump versions.springBootVersion from 3.5.9 to 3.5.10 by @dependabot[bot] in #3724
• build(deps): bump jasmine from 5.13.0 to 6.0.0 in /uaa by @dependabot[bot] in #3722

Full Changelog: v78.6.0...v78.7.0

78.6.0

What's Changed

Fixes

• Fix SAML Metadata when EntityID is a URL by @fhanik in #3662
• Fix SCIM DateTime Filter Timezone Parsing by @neddp in #3700
• Add index on group_membership(identity_zone_id, origin) by @tack-sap in #3679

Misc

• Cargo migration & Upgrade Gradle to version 9.0.0 by @ireneGonzalezRuiz in #3648
• Debug test failures by @duanemay in #3654
• Increase boot timeout from 60 to 300 by @strehle in #3657
• Update memory settings on the integration test script by @duanemay in #3658
• Update Integration Test Params by @duanemay in #3659
• Revert to legacy behavior of showing passcode as a prompt in /info JSON response. by @fhanik in #3660
• Adjust JVM memory settings in integration test script by @duanemay in #3665
• [bc-212-test]: testing memory pressure issues by @joemahady-comm in #3666
• Adjust test settings to gather timing data by @duanemay in #3683
• Eliminate test setup on skipped tests by @duanemay in #3690
• Add debug mode with -Pdebug and -Pdebugs by @duanemay in #3678
• Restore UaaWebApplicationInitializer by @duanemay in #3677
• Add optional UaaTokenEnhancer injection by @gdgenchev in #3686
• Relax URL match assertion in ResetPasswordIT test by @duanemay in #3693
• Increase timeout and polling constants for WebDriverWait by @duanemay in #3682

Dependency Bumps

• build(deps): bump versions.springBootVersion from 3.5.6 to 3.5.7 by @dependabot[bot] in #3651
• build(deps): bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #3653
• Bump Selenium version to 4.38.0 by @duanemay in #3664
• build(deps): bump jasmine-core from 5.12.0 to 5.12.1 in /uaa by @dependabot[bot] in #3656
• build(deps): bump k8s.io/client-go from 0.34.1 to 0.34.2 in /k8s by @dependabot[bot] in #3673
• build(deps): bump glob from 10.4.5 to 10.5.0 in /uaa by @dependabot[bot] in #3676
• build(deps): bump versions.springBootVersion from 3.5.7 to 3.5.8 by @dependabot[bot] in #3680
• build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in #3681
• Bump Gradle to 9.2.1 by @duanemay in #3685
• build(deps): bump github.com/onsi/gomega from 1.38.2 to 1.38.3 in /k8s by @dependabot[bot] in #3694
• build(deps): bump jasmine-core from 5.12.1 to 5.13.0 in /uaa by @dependabot[bot] in #3688
• build(deps): bump jasmine from 5.12.0 to 5.13.0 in /uaa by @dependabot[bot] in #3687
• build(deps): bump k8s.io/client-go from 0.34.2 to 0.34.3 in /k8s by @dependabot[bot] in #3697

New Contributors

• @ireneGonzalezRuiz made their first contribution in #3648
• @neddp made their first contribution in #3700

Full Changelog: v78.5.0...v78.6.0

78.5.0

What's Changed

Fixes

• Fix broken OAUTH2.0 authorization_code flow. by @fhanik in #3643
• Remove ThreadLocal for Origin in ExternalOAuthAuthenticationManager by @adrianhoelzl-sap in #3636
• Change nonce and state to length 22 by @cweibel in #3645
• Add env vars for Gradle commands in test scripts by @duanemay in #3649

Misc

• Update database matrix to include PostgreSQL 17, remove 11 by @duanemay in #3629
• Delete "remove.me" by @adrianhoelzl-sap in #3632
• Boot Migration - Backwards compatible request mappings (end with slash) by @fhanik in #3635
• Add Comments to Authentication Managers !minor by @adrianhoelzl-sap in #3608
• Explicitly set up instrumentation for inline mocking by @duanemay in #3637
• Update database matrix to include MySQL 8.4 and 9, remove MySQL 5 by @duanemay in #3611
• Refactor ExternalLoginAuthenticationManager by @adrianhoelzl-sap in #3607

Dependency Bumps

• build(deps): bump jasmine-core from 5.10.0 to 5.11.0 in /uaa by @dependabot[bot] in #3634
• build(deps): bump rack from 2.2.17 to 2.2.18 in /uaa/slate by @dependabot[bot] in #3631
• build(deps): bump jasmine from 5.10.0 to 5.11.0 in /uaa by @dependabot[bot] in #3633
• build(deps): bump jasmine-core from 5.11.0 to 5.12.0 in /uaa by @dependabot[bot] in #3639
• build(deps): bump jasmine from 5.11.0 to 5.12.0 in /uaa by @dependabot[bot] in #3638
• build(deps): bump rack from 2.2.18 to 2.2.19 in /uaa/slate by @dependabot[bot] in #3640
• build(deps): bump versions.tomcatCargoVersion from 10.1.46 to 10.1.47 by @dependabot[bot] in #3641
• build(deps): bump github/codeql-action from 3 to 4 by @dependabot[bot] in #3642
• build(deps): bump rack from 2.2.19 to 2.2.20 in /uaa/slate by @dependabot[bot] in #3646
• build(deps): bump versions.tomcatCargoVersion from 10.1.47 to 10.1.48 by @dependabot[bot] in #3647

New Contributors

• @cweibel made their first contribution in #3645

Full Changelog: v78.4.0...v78.5.0

78.4.0

What's Changed

Fixes

• [TNZ-27070]: Fix UAA on standard ports by @joemahady-comm in #3621
• Clear Origin ThreadLocal after AuthN in ExternalOAuthAuthenticationManager by @adrianhoelzl-sap in #3619

Misc

• Update dependabot by @strehle in #3599
• Simplify dependency versions defined in spring-boot-dependencies by @duanemay in #3604
• Add to PR #3622 by @fhanik in #3623
• Enable LDAP integration tests based on profile by @duanemay in #3627
• add userinfo test case by @fhanik in #3622

Dependency Bumps

• build(deps): bump versions.springBootVersion from 3.5.5 to 3.5.6 by @dependabot[bot] in #3625
• build(deps): bump versions.tomcatCargoVersion from 10.1.44 to 10.1.45 by @dependabot[bot] in #3615
• build(deps): bump versions.tomcatCargoVersion from 10.1.45 to 10.1.46 by @dependabot[bot] in #3620
• update dependency redcarpet to v3.6.1 by @strehle in #3592
• build(deps): bump github.com/onsi/gomega from 1.38.1 to 1.38.2 in /k8s by @dependabot[bot] in #3600
• build(deps): bump k8s.io/client-go from 0.33.4 to 0.34.0 in /k8s by @dependabot[bot] in #3603
• build(deps): bump jasmine-core from 5.9.0 to 5.10.0 in /uaa by @dependabot[bot] in #3606
• build(deps): bump jasmine from 5.9.0 to 5.10.0 in /uaa by @dependabot[bot] in #3605
• build(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #3610
• build(deps): bump k8s.io/client-go from 0.34.0 to 0.34.1 in /k8s by @dependabot[bot] in #3616
• update dependency org.sonarsource.scanner.gradle:sonarqube-gradle-plu… by @strehle in #3612
• update dependency com.nimbusds:nimbus-jose-jwt to v10.5 by @strehle in #3613
• build(deps): bump rexml from 3.3.9 to 3.4.2 in /uaa/slate by @dependabot[bot] in #3624

Full Changelog: v78.3.0...v78.4.0

78.3.0

What's Changed

Fixes

• Fix dependabot by @strehle in #3596
• Fix StaleUrlCache test by @fhanik in #3567
• Fix 3428 saml bug by @fhanik in #3593

Misc

• Refactor ExternalOAuthAuthenticationManager by @adrianhoelzl-sap in #3575
• Revert "fix flaky test" by @strehle in #3557
• Add "urn:ietf:params:oauth:grant-type:token-exchange" as a grant by @fhanik in #3552
• parse JWK from RSA public key value only if exists by @mikeroda in #3571
• The jwt-bearer grant confuses internal/external groups by @fhanik in #3582

Dependency Bumps

• Bump versions.springBootVersion from 3.5.4 3.5.5 by @dependabot[bot] in #1732
• build(deps): bump commons-codec:commons-codec from 1.18.0 to 1.19.0 by @dependabot[bot] in #3565
• build(deps): bump org.bouncycastle:bc-fips from 2.1.0 to 2.1.1 by @dependabot[bot] in #3572
• build(deps): bump github.com/onsi/gomega from 1.37.0 to 1.38.0 in /k8s by @dependabot[bot] in #3566
• build(deps): bump k8s.io/client-go from 0.33.3 to 0.33.4 in /k8s by @dependabot[bot] in #3585
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.4.1 to 10.4.2 by @dependabot[bot] in #3588
• build(deps): bump com.icegreen:greenmail from 2.1.4 to 2.1.5 by @dependabot[bot] in #3578
• Update middleman by @strehle in #3576
• build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #3581
• build(deps): bump versions.seleniumVersion from 4.34.0 to 4.35.0 by @dependabot[bot] in #3583
• Update dependencies by @strehle in #3590
• build(deps): bump versions.byteBuddyVersion from 1.17.6 to 1.17.7 by @dependabot[bot] in #3591
• build(deps): bump nokogiri from 1.18.8 to 1.18.9 in /uaa/slate by @dependabot[bot] in #3564
• build(deps): bump actions/setup-java from 4 to 5 by @dependabot[bot] in #3594
• build(deps): bump github.com/onsi/gomega from 1.38.0 to 1.38.1 in /k8s by @dependabot[bot] in #3597
• build(deps): bump com.nimbusds:nimbus-jose-jwt from 10.4 to 10.4.1 by @dependabot[bot] in #3574

Full Changelog: v78.2.0...v78.3.0