2.3 Changelogs#
v2.3.0#
Released: 2024-12-12
Access Grants#
Updates#
Validation of UMA tokens has been improved for more security.
Improved error message in response when a client attempts to use a JSON_LD context that is blocked by the allow/deny list configuration on the Access Grant service.
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
New limit has been put on the maximum number of Client Credentials that can be created for a user in the OpenID service. The default number allowed is 10 which can be configured via: INRUPT_OPENID_CATALOG_MAX_APP_COUNT.
Bugs fixed#
Ensure that all database resources are explicitly closed.
When sending a verifiable credential without subject or type to the
/verifyendpoint of the Access Grant service, a proper verification response with status 200 will now be returned instead of the previously returned error response with status 500.When a malformed request is sent to the
/issueendpoint, the resulting log message from the JSON-LD parsing library is now atDEBUGlevel instead ofWARN.
Additions#
Purging an agent’s data from the Access Grant service is now supported.
The Access Grant service’s discovery document indicates to clients where a query endpoint can be found.
The new
/queryendpoint deprecates the/deriveendpoint, providing more flexible and performant query capabilities. See Access Grant - /query Endpoint documentation for details.
QPF#
Updates#
Validation of UMA tokens has been improved for more security.
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Bugs fixed#
Ensure that all database resources are explicitly closed.
To mitigate against Clickjacking, responses that produce HTML will now include a
Content-Security-Policyset toframe-ancestors: 'none'to instruct the Browser not to render this page in an iframe.The Query service has been updated to handle claims in the JWT access token that have an invalid format and will now respond with a 401 error response.
Additions#
Purging an agent’s data from the Fragments Query service is now supported.
The Query service has been updated to support HEAD requests in an UMA authorization flow.
Storage#
Updates#
Validation of UMA tokens has been improved for more security.
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Bugs fixed#
Ensure that all database resources are explicitly closed.
Additions#
Purging an agent’s data from the Storage service is now supported.
Audit#
Bugs fixed#
Ensure that all database resources are explicitly closed.
Removals#
Removed rsyslog base. Refer to your company’s policies regarding syslog configuration preferences and practices. In addition, the default value for
INRUPT_AUDIT_SYSLOG_PROTOCOLhas changed fromTCPtoSSL_TCP.
Updates#
Audit messages now consistently include the value ‘Application-Defined Request Metadata’ instead of ‘Application Defined Request Metadata’.
OpenID#
Bugs fixed#
Ensure that all database resources are explicitly closed.
To mitigate against Clickjacking, responses that produce HTML will now include a
Content-Security-Policyset toframe-ancestors: 'none'to instruct the Browser not to render this page in an iframe.Removed message from application registration page which suggested none were registered even when there were some.
Removals#
References to PodBrowser have been removed from the OpenID home page and Start (onboarding) application.
Additions#
Purging an agent’s data from the Openid service is now supported.
Additional fields have been added to error responses. As they are only additions this is not considered a breaking change, but if a client parses the error responses it is advised that they are checked against the new format. See Error Response documentation for more details.
Updates#
Improved validation of client-supplied HTTP request bodies at the registration endpoint.
UMA#
Bugs fixed#
Ensure that all database resources are explicitly closed.
Updates#
Additional fields have been added to error responses. As they are only additions this is not considered a breaking change, but if a client parses the error responses it is advised that they are checked against the new format. See Error Response documentation for more details.
WebID#
Bugs fixed#
Ensure that all database resources are explicitly closed.
Remediate a potential cross-site scripting error in the WebID editor.
Updates#
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
The provision endpoint performs additional validation on client-supplied URIs.
Additions#
Purging an agent’s data from the WebID service is now supported.
Notifications#
Updates#
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Start#
Updates#
Supports RFC 9457 in all error responses. This is a breaking change for clients that parse ESS error responses, and they will need to be updated to use the new format. See Error Response documentation for more details.
Bugs fixed#
To mitigate against Clickjacking, responses that produce HTML will now include a
Content-Security-Policyset toframe-ancestors: 'none'to instruct the Browser not to render this page in an iframe.
Removals#
References to PodBrowser have been removed from the OpenID home page and Start (onboarding) application.
Deployment#
Removals#
Support for configuring an ESS installation via environment variables has been removed. Configuration via inputs remains the supported approach.
The
deschedulerhas been removed from ESS deploymentbases. Customers should access it directly from the descheduler project.Support for old Kafka messages encrypted with the
AES/CBC/PKCS5Paddingcipher, which was replaced and deprecated since 2.2 has now been removed.
Bugs fixed#
The
ess-verifiable-credentialsdeployment was not using the correct service certificate for inter-service communication.
Updates#
Set
securityContext.runAsNonRoottotrueon all ESS services (Deployment, CronJobs and Jobs) in deployment definitions to prevent the containers starting as the root user.Set
securityContext.runAsNonRoottotrueon all non-ESS services (Deployment, CronJobs and Jobs) in deployment definitions to prevent the containers starting as the root user. In the ESS Standalone overlay, Postgres and Minio containers have been changed to run as non root users.The applications that comprise the Enterprise Solid Server run on Java 21.
In the standalone deployment, third-party dependencies have been upgraded. Kafka to 3.8, Keycloak to 26, and PostgreSQL to 17. Note that the PostgreSQL instances will not auto-upgrade to the new version so you must either upgrade your instances following the PostgreSQL guidance or remove your existing databases and let the system create new ones.
Purger#
Additions#
An operator now has the ability to purge all user’s personal data from ESS.