2.3 Changelogs

v2.3.0

Released: Upcoming

v2.3.0 Access Grants

Updates

  • Improved the error message returned when a client attempts to use a JSON-LD context that is blocked by the allow/deny list configuration on the Access Grant service.

  • Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

Bugs fixed

  • When sending a verifiable credential without subject or type to the /verify endpoint of the Access Grant service, a proper verification response with status 200 will now be returned instead of the previously returned error response with status 500.

  • When a malformed request is sent to the /issue endpoint, the resulting log message from the JSON-LD parsing library is now set at DEBUG level instead of WARN.

v2.3.0 QPF

Updates

  • Supports RFC 9457 in all of the error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

Bugs fixed

  • The Query service has been updated to handle claims in the JWT access token that have an invalid format and will now respond with a 401 error response.

Additions

  • The Query service has been updated to support HEAD requests in an UMA authorization flow.

v2.3.0 Storage

Updates

  • Supports RFC 9457 in all of the error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

v2.3.0 Authorization

Updates

  • Supports RFC 9457 in all of the error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

  • Changed an invalid URI log message that was previously set at ERROR level to now be at DEBUG.

v2.2.3 UMA

Updates

  • Additional fields have been added to error responses. As they are only additions this is not considered a breaking change, but if a client parses the error responses it is advised that they are checked against the new format. See Error Response documentation for more details.

v2.3.0 OpenID

Updates

  • Additional fields have been added to error responses. As they are only additions this is not considered a breaking change, but if a client parses the error responses it is advised that they are checked against the new format. See Error Response documentation for more details.

  • Improved validation of client-supplied HTTP request bodies at the registration endpoint.

v2.3.0 WebID

Bugs fixed

  • Remediated a potential cross-site scripting error in the WebID editor.

Updates

  • Supports RFC 9457 in all of the error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

  • The provision endpoint performs additional validation on client-supplied URIs.

v2.3.0 Notifications

Updates

  • Supports RFC 9457 in all of the error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

v2.3.0 Start

Updates

  • Supports RFC 9457 in all of the error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.

v2.3.0 Deployment

Updates

  • Set securityContext.runAsNonRoot to true on all ESS services (Deployment, CronJobs and Jobs) in deployment definitions to prevent the containers starting as the root user.

  • Set securityContext.runAsNonRoot to true on all non-ESS services (Deployment, CronJobs and Jobs) in deployment definitions to prevent the containers starting as the root user. In the ESS Standalone overlay, Postgres and Minio containers have been changed to run as non-root users.
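
One way to check customised overlays against the runAsNonRoot setting described above (an added example, not code from the ESS project): the audit below resolves the pod spec for each workload kind and reports containers whose effective runAsNonRoot is not true. The function names and the sample manifests are assumptions constructed for illustration.

```python
# Added example: report containers whose effective runAsNonRoot is not true.
POD_SPEC_PATH = {  # where each workload kind keeps its pod spec
    "Deployment": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def pod_spec(manifest):
    """Return the pod spec of a Deployment, Job or CronJob, else None."""
    path = POD_SPEC_PATH.get(manifest.get("kind"))
    node = manifest if path else None
    for key in path or ():
        node = node.get(key) if isinstance(node, dict) else None
    return node

def containers_allowed_root(manifest):
    """Names of containers that could still start as root."""
    spec = pod_spec(manifest) or {}
    pod_level = (spec.get("securityContext") or {}).get("runAsNonRoot")
    failing = []
    for group in ("initContainers", "containers"):
        for container in spec.get(group) or []:
            # A container-level value overrides the pod-level one.
            own = (container.get("securityContext") or {}).get("runAsNonRoot")
            if (pod_level if own is None else own) is not True:
                failing.append(container["name"])
    return failing

def audit(manifests):
    """Map 'Kind/name' to failing container names; passing workloads are omitted."""
    report = {}
    for m in manifests:
        failing = containers_allowed_root(m)
        if failing:
            report[f'{m["kind"]}/{m["metadata"]["name"]}'] = failing
    return report

# Constructed sample manifests (all names are placeholders, not ESS resources).
SAMPLES = [
    {"kind": "Deployment", "metadata": {"name": "example-a"}, "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app"}]}}}},
    {"kind": "CronJob", "metadata": {"name": "example-b"}, "spec": {"jobTemplate": {"spec": {
        "template": {"spec": {"securityContext": {"runAsNonRoot": True},
                              "containers": [{"name": "cleanup",
                                              "securityContext": {"runAsNonRoot": False}}]}}}}}},
    {"kind": "Job", "metadata": {"name": "example-c"}, "spec": {"template": {"spec": {
        "initContainers": [{"name": "init"}], "containers": [{"name": "main"}]}}}},
]
```

Calling audit(SAMPLES) flags the CronJob whose container overrides the pod-level value and the Job that sets no securityContext at all; the Deployment passes.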

Removals

  • Support for configuring an ESS installation via environment variables has been removed. Configuration via inputs remains the supported approach.

  • The descheduler has been removed from ESS deployment bases. Customers should access it directly from the descheduler project (https://github.com/kubernetes-sigs/descheduler).

  • Support for old Kafka messages encrypted with the AES/CBC/PKCS5Padding cipher, which was replaced and has been deprecated since 2.2, has now been removed.