We are proud to announce Topicus KeyHub 20.2. In time for the summer, we caught up on a number of smaller issues from our backlog. With this release, we add a number of capabilities to OAuth2 clients for KeyHub. Additionally, we implemented features to require group activation to use an SSO application or read a vault record. Lastly, we implemented RFC 8707 and 9068 to allow KeyHub to serve as a general purpose authorization server. As usual, a number of assorted smaller changes and bug fixes are included.
New and updated client permissions
We added and improved a number of client permissions for OAuth2 clients that use KeyHub's REST API to read from or write to KeyHub. This enables better support for integrations with third-party systems that need to read or write secrets in vaults, configure new OAuth2 clients or groups on systems, or even create new KeyHub groups.
TKH-1777
OAuth2 client permissions for groups are auto-accepted if the requester is also a manager of the group.
TKH-2096, TKH-2126
You can now nest a KeyHub group under another group as part of the create call. It is also possible to assign multiple initial managers in this request.
TKH-2125, TKH-2127
There is a new permission that enables a client to create applications (OAuth2, OIDC, SAML2 or LDAP). OIDC and SAML applications can be linked to groups as part of the call, to give those groups access to the application.
TKH-2129, TKH-2147
When creating a new KeyHub group, the client can directly assign client permissions on this group to existing clients (including itself).
TKH-2138
Clients can revoke their own permissions.
TKH-2148
There is a new client permission that enables clients to query for existing applications.
TKH-2205
A client with the permission to create new groups on systems for an existing system can now also read all provisioning groups of the existing groups on systems for that system. This avoids errors when the client tries to read a group on system it created itself.
Require group activation
TKH-637, TKH-1501
We implemented functionality to require that a group is activated before an associated SSO application can be used or a record can be read from the group's vault. The group's activation can be further restricted as usual, for instance by requiring another group to approve the activation, or by requiring the user to provide a reason, which is recorded in the audit log.
General purpose authorization server
TKH-2139, TKH-2140
We implemented RFC 8707 (resource indicators) to allow KeyHub to serve as a general purpose authorization server. KeyHub can now issue access tokens for other resource servers when requested. This can be configured on an OIDC application. The resulting OAuth 2.0 access token is in the JWT format described in RFC 9068.
Note that access tokens for other resource servers cannot be used on the backend of Topicus KeyHub itself.
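As an added illustration, not KeyHub's code or a description of its implementation: the two sides of this flow, minting an RFC 9068 access token whose audience is taken from the RFC 8707 resource parameter, and a resource server validating it, which is the check that makes a token minted for another resource server unusable elsewhere. It assumes an HS256 shared key and constructed issuer, client and resource URLs for the demo only.

```python
# Added example, not KeyHub code: mint and validate an RFC 9068 JWT access token whose
# audience comes from the RFC 8707 "resource" request parameter. Assumption: an HS256
# shared key stands in for the authorization server's real signing key.
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-key"  # constructed, for this example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer, subject, client_id, resource, lifetime=300, now=None):
    """Authorization-server side: the request carried resource=<resource> (RFC 8707),
    so that value becomes aud. RFC 9068 requires typ "at+jwt" and the claims below."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": issuer, "sub": subject, "client_id": client_id, "aud": resource,
              "iat": now, "exp": now + lifetime, "jti": "constructed-jti-1"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token, expected_issuer, my_resource, now=None):
    """Resource-server side: returns (accepted, reason). The audience check is what makes
    a token minted for another resource server unusable on this one."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    expected_sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
            return False, "bad signature"  # checked before any claim is trusted
        header, claims = json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        return False, "not an RFC 9068 access token"
    if claims.get("iss") != expected_issuer:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if my_resource not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"
```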
Small improvements
The following smaller improvements and bug fixes were made:
TKH-1518
We added an explanation to the manual of how a vault record's URI field is used to match the record to the current web page.
TKH-1639
The account details screens now show an overview of all groups the user is a member of.
TKH-1655
The display of long lists of tasks in the appliance manager, such as during an upgrade across multiple nodes, has been improved by grouping the tasks and collapsing them where appropriate.
TKH-1657
We improved the documentation on how to query for vault records using the KeyHub CLI.
TKH-1748
The cluster coordinator's allowlist is now checked against the IP addresses of (new) nodes to avoid configuration errors.
TKH-1761
KeyHub now warns when leaving or closing a screen with a new vault record without saving it first.
TKH-1778
We improved the feedback message shown when no one is available to handle a request.
TKH-1781
The error message when trying to save a vault record without a secret now reflects that a comment also counts as a secret.
TKH-1803
We improved the readability of certain yes/no fields by updating their descriptions and/or changing them to on/off fields.
TKH-1828
Accounts now get a stable pseudo-random identifier when used to log in to an SSO application. Existing accounts retain their existing identifier for applications they have already used.
TKH-1830
We fixed some corner cases related to changing your KeyHub password and errors provisioning the new password to linked systems.
TKH-1859
The About page now shows KeyHub's version number and a link to our issue portal.
TKH-1941
The "username copied" message should no longer run off the screen if the username is long.
TKH-1942
The account activation code for new accounts in an internal directory is now also available from the GUI, in case mail delivery cannot be guaranteed.
TKH-1957
An info message now clarifies why a group on system cannot be removed.
TKH-1987
Members of the helpdesk group for a directory can now see the accounts of that directory (via the administration menu) and can cancel recovery requests, disable 2FA and trigger re-registration for those accounts.
TKH-2001
It is now possible to configure a group to not require approval for extended access (> 12 hours).
TKH-2004, TKH-2101
Group managers can now also edit their own membership (within limits), for instance to demote themselves to normal member or change their own nesting type.
TKH-2034
The maintenance admin (the "keyhub" user) should now be properly filtered out of most screens.
TKH-2102
The newer v3 licenses are now displayed properly on the About page.
TKH-2105
The 'Add' button should now always be properly visible on an OAuth2 client application's "permissions" page, even for clients with a long name.
TKH-2106
When trying to find an existing group to request membership of, KeyHub now also searches groups' descriptions in addition to their names.
TKH-2114
Group nesting requests are now auto-accepted if the user is a manager of both groups.
TKH-2116
We removed the "license limit reached" message from the dashboard because it was spammy. The warning is also sent by mail, so it won't get lost.
TKH-2121
The dashboard now shows a message if you don't see any groups to activate because of your license type.
TKH-2122
Business users will no longer see links to combine groups into folders for activation if they can't activate any groups.
TKH-2142
Topicus KeyHub's main colors have been slightly tweaked to bring them in line with the product site.
TKH-2145
Every release now uses a different cache identifier, to avoid conflicts while upgrading a cluster. This was a manual process and is now automated.
TKH-2152
When creating the request for an OAuth2 client's first client permission, the table header no longer duplicates itself.
TKH-2153
Adding a manager to a private group via the "admin override" no longer results in an error.
TKH-2156
Searching for (part of) a UUID should now work consistently across all fields/resources.
TKH-2158
Password recovery for an unknown user no longer results in an internal error.
TKH-2163
You can now change the VM's disk partitioning on every node, not just on the cluster coordinator.
TKH-2164
Databases that have wrongly been marked as down by Pgpool can now be recognized and reattached from the appliance manager.
TKH-2165
You can once again authenticate with known WebAuthn security keys during re-registration.
TKH-2169
Our HSTS headers now also set the includeSubDomains option.
TKH-2170
Our reverse proxy now also supports TLS 1.3. Additionally, we updated our supported cipher suites in line with the NCSC's guidelines.
TKH-2172
Configuring your local date to be in the future now leads to a relevant error message instead of an internal error.
TKH-2174
We removed the 'owner' attribute of OAuth2 and LDAP clients. These don't grant any rights or permissions to users/groups, so there is no real reason for an owner group. They still have application administrator groups.
TKH-2186
We updated our storage controller so that importing a new OVA should once again work on VMware.
TKH-2202
Broken LDAP connections (to linked systems) are now cleaned up instead of possibly accumulating over time and leading to errors.
TKH-2203
We extended our disk support to be more compatible with AWS.