Athenz v1.12.43 Release

What's Changed

• Bump axios from 1.15.2 to 1.16.0 in /clients/nodejs/zts by @dependabot[bot] in #3379
• config option to validate san uri schemes in certificate requests by @havetisyan in #3380
• Bump axios from 1.15.2 to 1.16.0 in /ui by @dependabot[bot] in #3381
• Support user-cert-bound JAG issue for public client local agents by @ctyano in #3384
• support validation for svc cert request key id value by @havetisyan in #3382
• ui - add tf icons to tf-managed roles, services, policies; show zms-cli command. by @ArtjomsPorss in #3373
• maintain token type when parsing oauth2 tokens by @havetisyan in #3387
• jag token integration changes with okta tests by @havetisyan in #3389
• Bump @opentelemetry/core, @opentelemetry/auto-instrumentations-node, @opentelemetry/exporter-logs-otlp-grpc, @opentelemetry/exporter-metrics-otlp-grpc, @opentelemetry/exporter-trace-otlp-grpc, @opentelemetry/resources, @opentelemetry/sdk-logs, @opentelemetry/sdk-metrics, @opentelemetry/sdk-node and @opentelemetry/sdk-trace-node in /ui by @dependabot[bot] in #3393
• Bump multer from 2.1.1 to 2.2.0 in /ui by @dependabot[bot] in #3396
• Bump @babel/core from 7.23.9 to 7.29.6 in /ui by @dependabot[bot] in #3395
• Bump form-data from 4.0.5 to 4.0.6 in /ui by @dependabot[bot] in #3394
• Allow zms-cli to use default mTLS credentials by @ctyano in #3392
• Migrate athenzutils and zmscli from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @karnick in #3397
• Add SPIFFE claim support to ZTS ID token exchange by @ctyano in #3254
• add test case for zts server by @havetisyan in #3400
• Feat: Support Delegation Claims act & may_act in ID_JAG=>AT Exchange (RFC 8693) by @mlajkim in #3388
• Feat: Support Delegation Claimsmay_act in AT=>AT Delegated Token Exchange (RFC 8693) by @mlajkim in #3390
• ui - fix zms-cli url to not be hardcoded in resource ownership suggestion by @ArtjomsPorss in #3399
• ui - fix otel config after dependency update by @ArtjomsPorss in #3398
• update java/go/js dependencies to their latest releases by @havetisyan in #3401

New Contributors

• @karnick made their first contribution in #3397

Full Changelog: v1.12.42...v1.12.43

Athenz v1.12.42 Release

What's Changed

• switch ui docker image to node22 + oat token by @havetisyan in #3360
• configure default Strict-Transport-Security header response by @havetisyan in #3361
• fix tls protocol/cipher log with jetty 1.12.x by @havetisyan in #3362
• extend role cert san-dns validation check by @havetisyan in #3363
• update dependencies in java zts/zms client examples by @havetisyan in #3364
• uplift next.js to version 16.2.6 by @tsultanov00 in #3367
• Bump next from 14.2.35 to 16.2.6 in /ui by @dependabot[bot] in #3358
• Bump js-cookie from 3.0.1 to 3.0.7 in /ui by @dependabot[bot] in #3368
• log principal name for usercert api by @havetisyan in #3369
• fix POC and security POC not loading on non role/group domain tabs by @chandrasekhar1996 in #3370
• Bump qs, body-parser and express in /ui by @dependabot[bot] in #3374
• add validation for selfRenew in ZMS by @chandrasekhar1996 in #3371
• add external cert data validator for san dns entries by @havetisyan in #3375
• Bump @xmldom/xmldom and xml-crypto in /ui by @dependabot[bot] in #3323
• Bump uuid from 9.0.0 to 14.0.0 in /ui by @dependabot[bot] in #3324
• Bump axios from 1.12.2 to 1.15.2 in /ui by @dependabot[bot] in #3347
• support fetching access tokens based on rfc7523 by @havetisyan in #3377
• update java/go/nodejs dependencies to their latest releases by @havetisyan in #3378

Full Changelog: v1.12.41...v1.12.42

Athenz v1.12.41 Release

What's Changed

• extract ui functional tests values to config by @ArtjomsPorss in #3338
• return service feature flags for jws domain response by @havetisyan in #3342
• Support parallel domain fetch and upload in CloudZmsSyncer by @gyakami in #3326
• Handle empty file for athenz-accesstoken by @ycw2 in #3343
• only log unsigned tokens in debug mode by @havetisyan in #3345
• Add support for IAM role path for SIA EC2, Fargate, EKS by @Bhuff1 in #3346
• Bump axios from 1.15.0 to 1.15.2 in /clients/nodejs/zts by @dependabot[bot] in #3348
• add validation for user principals after auth by @havetisyan in #3351
• support certificate timeouts per requested key id by @havetisyan in #3350
• Add automated schema migration runner by @gjoranv in #3349
• update usercert default callback uri to match client library by @havetisyan in #3354
• replace free-disk-space step with pinned version by @havetisyan in #3355
• add costCenter attribute to domain object by @havetisyan in #3357
• updated java/go/nodejs dependencies to their latest releases by @havetisyan in #3359

This release requires a schema update:
https://github.com/AthenZ/athenz/blob/master/servers/zms/schema/updates/update-20260513.sql

New Contributors

• @ycw2 made their first contribution in #3343

Full Changelog: v1.12.40...v1.12.41

Athenz v1.12.40 Release

What's Changed

• [skip ci] Adding property description for athenz.zts.k8s_provider_gcp_attr_validator_factory_class by @psasidhar in #3322
• disallow * member in roles if filters are configured by @havetisyan in #3327
• extend user-cert support to allow timeout configuration based on role membership by @havetisyan in #3328
• support role based configurable timeout for user id tokens by @havetisyan in #3331
• [skip ci] update zts token documentation to document id token exchange requirements by @havetisyan in #3333
• correct callback port to be int instead of string by @havetisyan in #3334
• use of config.ClientTLSConfig for consistent tls config by @havetisyan in #3335
• extend zts provider to read allowed members from a role by @havetisyan in #3332
• add comments to clarify the use of cert issuer validator by @havetisyan in #3336
• implement getRole method for roles provider in zts by @havetisyan in #3339
• add single flight to ZTSClient token fetches by @t4niwa in #3330
• update java/go/js dependencies to their latest releases by @havetisyan in #3341

New Contributors

• @esolitos made their first contribution in #3247

Full Changelog: v1.12.39...v1.12.40

Athenz v1.12.39 Release

What's Changed

• consistent use of TYPE_PRINCIPAL_NAME type when validating principal names by @havetisyan in #3302
• support pkce when fetching user certificates by @havetisyan in #3304
• feat: add Spacelift OIDC inbound provider for service identity authentication by @esolitos in #3247
• make usercert.Run to return error so it can be used as library call by @havetisyan in #3305
• update "go" version to 1.26.2 by @arnej27959 in #3306
• Bump follow-redirects from 1.15.6 to 1.16.0 in /ui by @dependabot[bot] in #3303
• Bump axios from 1.12.0 to 1.15.0 in /clients/nodejs/zts by @dependabot[bot] in #3300
• fix token validation for k8s provider by @havetisyan in #3312
• strict validation for instance id san dns name in certs by @havetisyan in #3310
• introduce retry logic when reading gcp metadata by @havetisyan in #3307
• missing resource ownership checks for delete public keys and assertions with policy version by @havetisyan in #3313
• enforce role cert san dns validation by @havetisyan in #3315
• Allow wrapper-controlled init to fix jwk_uri backward compatibility (Issue #3054) by @sh1myama in #3198
• Provide per-service/domain capability to skip boot start time check for AWS and GCP Providers by @havetisyan in #3317
• Add OIDCAuthority for authenticating end users via external OIDC ID tokens by @gjoranv in #3314
• update go/java/nodejs dependencies to their latest releases by @havetisyan in #3321
• enforce tls 1.2 for our go client connections by @havetisyan in #3320
• fix healthcheck filter when path starts with / by @havetisyan in #3319

This release requires a schema update:
https://github.com/AthenZ/athenz/blob/master/servers/zms/schema/updates/update-20260421.sql

New Contributors

• @esolitos made their first contribution in #3247
• @arnej27959 made their first contribution in #3306

Full Changelog: v1.12.38...v1.12.39

Athenz v1.12.38 Release

What's Changed

• extract the external domain prefix before calling validatMember method by @havetisyan in #3268
• Handle missing group gracefully in role page by @t4niwa in #3274
• Add group consistency check to domain template deletion by @t4niwa in #3275
• Make service page Instances, Providers, and Microsegmentation configurable by @MartinTrojans in #3278
• Allow MySQL test image to be configured via env var by @Bhuff1 in #3280
• Assembly k8s by @abvaidya in #3281
• S3ClientFactoryTest unit test fails to receive default us-west-2 by @Bhuff1 in #3283
• fix AwsDomainStoreTest test exception, aws.disableEc2Metadata true by @Bhuff1 in #3287
• Bump lodash from 4.17.23 to 4.18.1 in /ui by @dependabot[bot] in #3284
• Bump path-to-regexp and express in /ui by @dependabot[bot] in #3269
• Add scope parameter to zts-usercert OIDC authorization request by @t4niwa in #3291
• wrong domain name used for external member validation check by @havetisyan in #3295
• Configurable domain page details by @MartinTrojans in #3294
• API changes to support external FQDN in MSD by @psasidhar in #3297
• update go/java/npm dependencies to their latest releases by @havetisyan in #3299

New Contributors

• @t4niwa made their first contribution in #3274
• @Bhuff1 made their first contribution in #3280

Full Changelog: v1.12.37...v1.12.38

Athenz v1.12.37 Release

What's Changed

• user certificate support in zts by @havetisyan in #3239
• domain filter support in S3 ChangeLogStore by @havetisyan in #3241
• support sni_host_check and sni_required flags within port-uri json by @havetisyan in #3244
• make zms/zts metric name configurable by @havetisyan in #3246
• libs/go/sia/util: fix dropped error by @alrs in #3243
• Feat: support downscoping for ID-JAG assertions by @mlajkim in #3225
• handle http server close gracefully in idp by @havetisyan in #3251
• re-add invalid email cert test cases by @havetisyan in #3253
• add new external member validator attribute for domains by @havetisyan in #3256
• UI: show the role when trying to create a policy from the role page. … by @chandrasekhar1996 in #3257
• support for exteral member validator manager by @havetisyan in #3258
• libs/go/sia/file: error handling by @alrs in #3259
• support external members in roles and groups by @havetisyan in #3263
• update go/java/npm dependencies to their latest relases by @havetisyan in #3264

Full Changelog: v1.12.36...v1.12.37

This release requires a schema update:
https://github.com/AthenZ/athenz/blob/master/servers/zms/schema/updates/update-20260323.sql

Athenz v1.12.36 Release

What's Changed

• fix help message for set-policy-resource-ownership by @chandrasekhar1996 in #3211
• Defining snapshop api for MSD by @psasidhar in #3210
• extend oidc token exchange to support id tokens by @havetisyan in #3212
• expose get oidc token optioin for github sia by @havetisyan in #3218
• Add server-aws-common to ZMS/ZTS assembly tarballs by @gjoranv in #3219
• Use DefaultCredentialsProvider for RDS IAM auth by @gjoranv in #3216
• Bump multer from 2.0.2 to 2.1.0 in /ui by @dependabot[bot] in #3213
• Removing ETag for getTransportPolicySnapshot api by @psasidhar in #3221
• Bump multer from 2.1.0 to 2.1.1 in /ui by @dependabot[bot] in #3223
• add option to delete old versions when storing identity in gcp secret manager by @havetisyan in #3224
• [skip ci] Doc: Typo fixed in OIDC AWS EKS by @mlajkim in #3227
• [skip ci] Docfix: Clarify partial scope behavior for ID-JAG token exchange in zts_token_exchange_requirements.md by @mlajkim in #3228
• add support for principal_issuer claim in id/access tokens by @havetisyan in #3230
• allow domain admins to enable/disable domains by @havetisyan in #3234
• support multiple dn and key values for principal issuers json by @havetisyan in #3235
• expose oidc key type argument for sia github by @havetisyan in #3236
• update go/java/nodejs dependencies to their latest releases by @havetisyan in #3237

Full Changelog: v1.12.35...v1.12.36

Athenz v1.12.35 Release

What's Changed

• Include OIDC token endpoint to ZTS OIDC Discovery metadata by @ctyano in #3200
• A utility to retrieve and report authorization history dependencies by @havetisyan in #3201
• Doc: typo fixed id-token => id_token for rfc 8693 token exchange specification by @mlajkim in #3206
• provide option to return jwt id token with x.509 instead of ntoken by @havetisyan in #3208
• provide option for target role arn when storing lambda idenitty in se… by @havetisyan in #3204
• update java/go/nodejs dependencies to their latest releases by @havetisyan in #3209

Full Changelog: v1.12.34...v1.12.35

Athenz v1.12.34 Release

What's Changed

• expose add-temporary-group-member command in zms-cli by @havetisyan in #3184
• log all db error opertions that don't update any rows by @havetisyan in #3185
• domain-dependency-list - return 404 for unknown domains by @havetisyan in #3186
• Add support for S3 compatible storage by @gyakami in #3188
• extend resource validator to check policy assertions by @havetisyan in #3192
• extensible Issuer support for tokens by @havetisyan in #3193
• update java/go dependencies to their latest releases by @havetisyan in #3195
• Adding support to filter requests based on port-uri combination by @psasidhar in #3190

Full Changelog: v1.12.33...v1.12.34