LinOTP 3.3 and SelfService 1.2

Date

netgo software GmbH is pleased to announce the availability of the following product release:

On July 15th we released LinOTP 3.3 (including patch release 3.3.2) and SelfService 1.2 to the Debian repositories.

LinOTP 3.3 (patch 3.3.2)

LinOTP 3.3 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Improved logging configuration
  • New API endpoints with a more modern interface in preparation for the Manage UI Overhaul
  • Improved authentication API for the SAML and OpenIDConnect LinOTP IdP
  • Policies are now validated when saved in Manage-UI
  • Tokens can be imported in disabled state
  • LinOTP 3.3 is the first fully supported Container-based release for our customers.

LinOTP SelfService 1.2

SelfService 1.2 brings improvements and new features, fixes and bugfixes. The following list contains the most important changes. Please also refer to the complete changelog at the end of this newsletter.

Highlights:

  • Warning of potential lockout if user has no active token but MFA login is active
  • Display and of token limits set by policies
  • Token dialogs show the token info as references now
  • If usage time stamps are enabled in LinOTP, we warn users to not leave the selfservice without a verified token
  • Improved enrollment workflows for HOTP, TOTP and password tokens
  • SelfService is no-longer embedding CDN-hosted fonts.

Download

LinOTP 3.3.2 and SelfService 1.2 are available as Debian packages from www.linotp.org.

Users of the LinOTP Smart Virtual Appliance will receive the release via the integrated auto-update mechanism.

We are happy to assist our support customers in upgrading their environment to the latest release. Please contact us at support@linotp.de

The LinOTP team

--
netgo software GmbH
https://www.linotp.de
Strong MFA solution by netgo
Branch office Darmstadt, Pallaswiesenstr. 174a, 64293 Darmstadt
Main office, Sachsendamm 63-64, 10829 Berlin
Registerd Office: Amtsgericht Berlin-Charlottenburg, HRB 243718 B
Board of Directors: Matthias Nietz, Constantin Wehmschulte
Germany

Sales Hotline: +49 6151 86086-277, Fax: -299
Email: sales@linotp.de

Changelog LinOTP 3.3.2

Fix:

  • migration to 3.0.0 no longer fails (due to missing arg)

Changelog LinOTP 3.3.1

Fix:

  • fix unbound variable in containers `entrypoint.sh`

Changelog LinOTP 3.3

Breaking Changes:

  • Renamed the following config variables and some changed their defaults:
    • `LOGGING_FILE_LEVEL` -> `LOG_FILE_LEVEL`
    • default: `WARNING` -> `DEBUG`
    • `LOGGING_CONSOLE_LEVEL` -> `LOG_CONSOLE_LEVEL`
    • default: `WARNING` -> `DEBUG`
    • `LOGGING_SQLALCHEMY_LEVEL` -> `LOG_LEVEL_DB_CLIENT`
    • `LOGGING` -> `LOG_CONFIG`
  • default of `LOGGING_LEVEL` changed from `INFO` to `WARNING`
  • when migrating from LinOTP 2.x, the audit log is no longer truncated to circumvent issues with privileges in different database handlers. Old audit log entries that are not truncated now, are reported to have a failing signature check because the method has changed with LinOTP version 3.0.

Deprecations:

  • In the future, config variable `LOGGING_LEVEL` will be replaced by `LOG_LEVEL`. `LOG_LEVEL` can and should be used from now on. `LOG_LEVEL` defaults to `WARNING`.

Features:

  • new API endpoints to retrieve tokens:
    • /api/v2/tokens
      • accepts query parameters `userId` and `resolverName` to filter tokens by
      • accepts query parameter `searchTerm` to filter all other columns
    • /api/v2/tokens/<serial>
  • new API endpoint to retrieve realms:
    • /api/v2/realms
  • new API endpoint to retrieve users of a realm:
    • /api/v2/realms/<realm_name>/users
      • accepts any field of a user as query parameter to filter by
      • accepts query parameter `searchTerm` to filter users where one field matches the given value
  • new API endpoint to retrieve resolvers:
    • /api/v2/resolvers
  • new API endpoint to retrieve users of a resolver:
    • /api/v2/resolvers/<resolver_name>/users
      • accepts any field of a user as query parameter to filter by
      • accepts query parameter `searchTerm` to filter users where one field matches the given value
      • sortable by fields
    • /api/v2/resolvers/<resolver_name>/users/<user_id>
      • shows the single user info
  • new API endpoint to retrieve AuditLog:
    • /api/v2/auditlog
      • accepts most fields of an AuditEntry as query parameter to filter by
  • new API endpoint to retrieve all currently reported token statuses:
    • /system/getReportedStatuses
      • accepts query parameter `realms` to filter by realms. Use `realms=*` to get all realms including `/:no realm:/`.
  • new API endpoint to retrieve context information for manage ui (similar to /userservice/context)
    • /manage/context
  • the new API endpoints all return dates in ISO 8601-compliant format
  • limit info-box height in manage-ui. Notifications are scrollable, if combined size exceeds newly limited height.
  • Server-side invalidation of admin sessions on logout to prevent re-using a JWT after a user dropped its session
  • tokens can be imported as disabled tokens
  • when triggering a challenge, the token description is returned to help identify the token
  • password token now supports the 'onetime' parameter as the former SPASS token type did
  • added validation for policy actions. The validation is based on the policy definitions and saving a policy with an invalid action is rejected
  • policies detail_on_success and detail_on_fail apply to all /validate endpoints
  • /validate endpoints return user information (e.g. given name, phone) when detail_on_success is set
  • /userservice/context now returns whether usage timestamp logging is enabled in LinOTP
  • improved audit log messages for /admin/ API
  • support for MySQL databases that are run with lower_case_table_names=1 (default on Windows)

Fixes:

  • Removed: LinOTP no longer supports truncated transaction ids or checking partial transaction id matches
  • Upon user logout, admin sessions weren't properly invalidated, allowing to re-use JWTs of logged-out users
  • when using pagination, /admin/userlist would not return the last user of the page, if the list of users for that page is greater or equal to the value of `rp` (default: 16)
  • forward token with an empty pin now supports forwarding to push tokens (was broken since 3.2.4)
  • filtering for active/inactive token works correctly
  • legacy selfservice qr and push token enrollment breaks with strings in otppin policy
  • legacy selfservice customisation not working in login screen
  • drop ability to define autoassignment policy with values, it is now only acting as a boolean policy
  • an admin could use `reporting/delete_before` for realms they did not have access to
  • AdminController and UserserviceController did trigger reporting on unauthorized requests
  • AdminController was not triggering reporting for the correct realms in some circumstances
  • UserserviceController was not triggering reporting for the correct realms in some circumstances
  • requests to userservice API are logging the username in the audit-log instead of the User-Object
  • replace deprecated `DATA_DIR` with `CACHE_DIR`. Mako template cache now uses `CACHE_DIR`.
  • trim excessive error logging when accessing `/static` files without a valid session

Changelog LinOTP SelfService 1.2

Features:

  • Users get warned and have to confirm their action, if that action would prevent them from logging into Selfservice.
  • Display number of enrolled tokens.
  • Display the number of remaining tokens that the user is still allowed to enroll.
  • Users are prevented from enrolling a token, if the token limit has been reached. They're informed instead.
  • Harmonize form behaviour. E.g. all forms can now be submitted by pressing the `enter` key.
  • Error messages and notifications have different styles
  • Dockerfile has been improved in outlook of LinOTPs containerization
  • Display info about selected token in action dialogs
  • Show links and recommend the usage of LinOTP Authenticator app for OATH Tokens
  • Improved enrollment for HOTP and TOTP tokens
  • Removed non-public dependencies. LinOTP Selfservice can now be build by everyone.
  • Dynamically change the theme based on the device's color scheme, without requiring a browser refresh.
  • Display warnings about not verified tokens
  • Improved enrollment for password tokens

Fix:

  • Show correct error messages after session timeout