Topicus KeyHub 20.2
We are proud to announce Topicus KeyHub 20.2. In time for the summer, we caught up on a number of smaller issues from our backlog. With this release, we add a number of capabilities to OAuth2 clients for KeyHub. Additionally, we implemented features to require group activation to use an SSO application or read a vault record. Lastly, we implemented RFC 8707 and 9068 to allow KeyHub to serve as a general purpose authorization server.
As usual, a number of assorted smaller changes and bug fixes are included.
New and updated client permissions
We added and improved a number of client permissions, for OAuth2 clients that use KeyHub's REST API to read or write from/to KeyHub. This enables us to better support integration with third-party systems that might need to read or write secrets in vaults, configure new OAuth2 clients or group-on-systems or even create new KeyHub groups.
TKH-1777OAuth2 client permissions for groups are auto accepted if the requester is also a manager of the group.
TKH-2126You can now nest a KeyHub group under another group as part of the create call. It is also possible to assign multiple initial managers in this request.
TKH-2127There is a new permission that enables a client to create applications (OAuth2, OIDC, SAML2 or LDAP). OIDC and SAML applications can be linked to groups as part of the call, to enable those groups to access the application.
TKH-2147When creating a new KeyHub group, the client can directly assign client permissions on this group to existing clients (including themselves).
TKH-2138Clients can revoke their own permissions.
TKH-2148There is a new client permission that enables clients to query for existing applications.
TKH-2205A client with the permission to create new group on systems on an existing system, can now also read all provisioning groups for existing groups on system on that system. This avoids errors when trying to read a group on system they have created themselves.
Require group activation
TKH-1501 We implemented functionality to require a group be activated in order to use an associated SSO application or read a record from the group's vault. The group's activation can be further restricted as normal, for instance by requiring another group to approve activation, or requiring the user to provide a reason which will be recorded in the audit log.
General purpose authorization server
TKH-2140 We implemented RFC 8707 (resource indicators) to allow KeyHub to serve as a general purpose authorization server. KeyHub can now give out access tokens for other servers, when requested. This can be configured on an OIDC application. The resulting OAuth 2.0 access token will be in the format described in RFC 9068.
Note that access tokens for other resource servers cannot be used on the backend of Topicus KeyHub itself.
The following smaller improvements and bug fixes were made:
TKH-1518We added an explanation to the manual of how a vault record's URI-field is used to match the record to the current webpage.
TKH-1639The account details screens now show an overview of all groups the user is a member of.
TKH-1655The displaying of long lists of tasks in the appliance manager, such as during an upgrade over multiple nodes, has been improved by grouping the tasks and collapsing where appropriate.
TKH-1657We improved the documentation on how to query for vault records using the KeyHub CLI.
TKH-1748The cluster coordinator's allowlist is now checked against the ip adresses of (new) nodes to avoid configuration errors.
TKH-1761KeyHub now warns when leaving or closing a screen with a new vault record without saving it first.
TKH-1778We improved the feedback message if there is no one available to handle a request.
TKH-1781The error message when trying to save a vault record without a secret now reflects that a comment is also a secret.
TKH-1803We improved the readability of certain yes/no fields by updating their descriptions and/or changing them to on/off fields.
TKH-1828Accounts will now get a stable pseudo random identifier when used to login on an SSO application. Existing accounts retain the existing identifier for applications they've already used.
TKH-1830We fixed some corner cases related to changing your KeyHub password and errors provisioning this new password to linked systems.
TKH-1859The About-page now shows KeyHub's version number and a link to our issue portal.
TKH-1941The "username copied" message should no longer run off the screen if the username is long.
TKH-1942The account activation code for new accounts in an internal directory are now also available from the GUI, in case mail delivery can not be guaranteed.
TKH-1957An info melding now clarifies why a group on system can not be removed.
TKH-1987Members of the helpdesk group for a directory, can now see the accounts for that directory (via the administration menu) and can now cancel recovery requests, disable 2FA and trigger reregistration for those accounts.
TKH-2001It is now possible to configure a group to not require approval for extended access (> 12 hours).
TKH-2101Group managers can now also edit their own membership (within limits) and for instance demote themselves to normal member or change their own nesting type.
TKH-2034The maintenance admin ("keyhub" user) should now be properly filtered out of most screens.
TKH-2102The newer v3 licenses are now properly displayed on the About-page.
TKH-2105The 'Add' button should now always be properly visible on an OAuth2 client application's "permissions" page, even for clients with a long name.
TKH-2106When trying to find an existing group to request membership of, KeyHub will now also search in groups' descriptions in addition to their names.
TKH-2114Group nesting requests are now auto-accepted if the user is manager of both groups.
TKH-2116We removed the "license limit reached" message from the dashboard for being spammy. The warning is also sent via mail so it won't get lost.
TKH-2121The dashboard will now show a message if you don't see any groups to activate because of your license type.
TKH-2122Business users will no longer see links to combine groups into folders for activation if they can't activate any groups.
TKH-2142Topicus KeyHub's main colors have been slightly tweaked to bring them in line with the product site.
TKH-2145Every release now uses a different cache identifier, to avoid conflicts while upgrading a cluster. This was a manual process and is now automated.
TKH-2152When creating the request for an OAuth2 client's first client permission, the table's header will no longer duplicate itself.
TKH-2153Adding a manager to a private group via the "admin override" will no longer result in an error.
TKH-2156Searching for (part of) a UUID should now work consistently across all fields/resources.
TKH-2158Password recovery for an unknown user will no longer result in an internal error.
TKH-2163You can now change the VM's disk partitioning on every node, not just the cluster coordinator.
TKH-2164Databases that have wrongly been marked as down by Pgpool, can now be recognized and reattached from the appliance manager.
TKH-2165You can now once again authenticate with known WebAuthn security keys during reregistration.
TKH-2169Our HSTS headers now also set the
TKH-2170Our reverse proxy now also supports TLS 1.3. Additionally, we updated our supported cipher suites in compliance with the NCSC's guidelines.
TKH-2172Configuring your local date to be in the future will now lead to a relevant error message, instead of an internal error.
TKH-2174We removed the 'owner' attribute of OAuth2 and LDAP clients. These don't provide any rights or permissions to users/groups, so there is no real reason for an owner group. They still have application administrator groups.
TKH-2186We updated our storage controller so importing a new OVA should once again work on VMWare.
TKH-2202Broken LDAP connections (to linked systems) will now get cleaned up instead of possibly accumulating over time, leading to errors.
TKH-2203We extended our support for disks to be more compatible with AWS.