4.20.0

Stories included in this release are prepared by @wc22222

Features

• Refer to https://www.pivotaltracker.com/story/show/160211643
• cloudfoundry/uaa #843: SCIM Groups Endpoint: only query members if needed
• Default identity provider redirect configuration on identity zone when discovery enabled
• Add JKU header to token header
• ID Token Refresh Grant Flow
• Refer to https://www.pivotaltracker.com/story/show/159375499
• Refer to https://www.pivotaltracker.com/story/show/159090211
• For password grant, if the default provider does not support password grant, treat this as if no default were configured
• OIDC provider password grant flow should take into account allowed_providers and default configurations
• Default identity provider redirect configuration UAA.yml and release
• Default identity provider redirect configuration on identity zone when discovery disabled
• https://www.pivotaltracker.com/story/show/159174812
• Refer to https://www.pivotaltracker.com/story/show/153566482
• Refer to https://www.pivotaltracker.com/story/show/158846330
• Allow configuring the default provider on the identity zone
• Allow provider passwordGrantEnabled through uaa.yml and uaa-release spec
• OIDC provider should forward prompts list
• Document config.prompts[] for provider

Bug Fixes

• Unable to get tokens using authorization code grant flow with stored attributes
• Error message for provider being used for password grant flow single allowed provider should be more explicit instead of returning a generic error.
• Error message for provider being used for password grant flow should distinguish between not allowed provider and provider that can't be used for password grant
• Multiple allowed provider with login hint causes nothing to show up on login page if login hint isn't part of allowed providers for authorization code/implicit flows
• cloudfoundry/uaa #809: Authorization code token response (/oauth/token) is not compliant with OpenID connect 1.0 by not including "id_token"
• Account chooser/IDP discovery forces saved accounts with undiscoverable email domains to only login with internal user store
• External Provider KID signature validation is failing
• Access tokens are not being accepted by CATS
• OIDC External Group Mappings should not require ExternalGroupWhitelist set to take effect
• For chained authentication, chained authentication should only try allowed providers
• cloudfoundry-incubator/uaa-cli #7: Upgrade client lib to 0.0.8
• No example in the API docs of what should go into identity zone config.defaultIdentityProvider
• cloudfoundry/uaa #773: cloudfoundry-identity-client-lib should not depend on org.slf4j:slf4j-log4j12
• OIDC API docs don't show examples of config.prompts[] in request/response
• Document Origin parameter for info endpoint as part of API docs

Known issues

• When performing rolling upgrade of UAA from v4.19.0 to v4.20.0, the refresh token may not being respected when doing refresh_token grant type, a 401 error would be expected during the rolling deployment but not after.