Release notes
Access Token: 2.5.0
2022-09-09
Add scopes to filter access token permissions
permission-filter-include-org
permission-filter-include-unit:{unitName}
See access token documentation for details.
IMSG: 17.8.3
2022-09-09
Upgrade internal dependencies
IMSG: 17.8.2
2022-06-28
Upgrade internal dependencies
Access Token: 2.4.2
2022-06-28
Upgrade internal dependencies
IMSG: 17.8.1
2022-06-22
Upgrade internal dependencies
Access Token: 2.4.1
2022-06-22
Upgrade internal dependencies
Access Token: 2.4.0
2022-06-16
Wildcard unit scope puts permissions into units if not allowed in org
Consider the following permissions:
Before this update, requesting a token with scope permission:*:writer:access
would result in an error since writer:access
is not present in the org permissions.
Now, requesting the same scope will result in the following permissions:
Access Token: 2.3.0
2022-04-28
Cache private keys to avoid exceeding SSM limit
IMSG: 17.8.0
2022-03-28
Default to less strict validation of cookie payload
Hapi, the web server framework used by IMSG, defaults to a strict validation of cookies according to rfc6265
(https://datatracker.ietf.org/doc/html/rfc6265). This includes not allowing raw JSON as the cookie value. With this change, a less strict validation of cookies will be the default behaviour.
This will solve issues caused by other services setting cookies on infomaker.io or navigacloud.com that do not adhere to rfc6265
. The less strict validation is the default behaviour of most other servers as well as all major browsers.
Environment variable changes
This can be overridden by setting env variable STRICT_COOKIE_MODE
to true.
IMSG: 17.7.1
2022-03-28
Internal maintenance
IMSG: 17.7.0
2022-03-28
For access tokens, use the permissions claim in the token instead of resolving permissions based on groups
There are two different kind of tokens in Naviga ID that can be used to access services behind an IMSG reverse proxy.
When you log in to CCT in the browser, an ID token (sometimes called session token) is stored as a cookie in your browser. This token does not hold any permissions. Instead, the groups that you belong to are stored in the token. When you access a CCT service, the IMSG will translate the groups into permissions (based on the current latest organization configuration). The permissions are then forwarded to the service.
The second type of token is access tokens. Access-tokens are fetched from the access token service using either an ID-token or client credentials. When an access token is created, it is populated with the resolved permissions from the start. Hence there’s no need for IMSG to try to resolve them again.
Up until this release, IMSG ignored any permission claim the access tokens and only used the list of groups to resolve the permissions. With this change in place, IMSG will always use the permissions claim in access tokens and forward those permissions to the service.
IMSG: 17.6.1
2021-05-07
Internal maintenance release. No changes to service.
IMSG: 17.6.0
2021-05-07
Upgrade of Node from 10 to 14.
Upgrade of dependencies
Access Token: 1.4.0
2021-03-01
Access tokens obtained through client credentials are now counted as internal access in the billing API
IMSG: 17.5.1
2021-02-04
Bugfix: validate IMSG service callback against correct cookie domain when using full URL in service callback
IMSG: 17.5.0
2021-01-29
Support for allowing any headers during CORS requests
IMSG can now allow any headers in CORS requests. Enabling this feature reflect the value of access-control-request-headers
into the response access-control-allow-headers
. Use with care.
Environment variable changes
CORS_ALLOW_ANY_HEADERS
has been added.
Set to true
to enable.
IMSG: 17.4.0
2021-01-20
Support for multiple domains
IMSG can now serve and set cookies on multiple domains. To enable multiple domains, set the IMID_COOKIE_DOMAINS
environment variable to the domains you want to access IMSG on.
ex. IMID_COOKIE_DOMAINS="infomaker.io, navigacloud.com"
Environment variable changes
IMID_COOKIE_DOMAIN
has changed name to IMID_COOKIE_DOMAINS
and changed type from sting
to CSV
. The legacy name will continue to be supported.
IMSG: 17.3.0
2020-12-17
Legacy mode feature flag for units