Client change log

Here is the log for changes to the OA4MP client.


  • CIL-1608: Store the current id token in the client asset.


  • Added a new configuration option, OIDCEnabled. If set to true then OIDC is enabled for this client. The default is true.


  • OAUTH-216: Secret key block displayed on OIDC test client page.

3.4 Release notes

As of version 3.4, all ID tokens for new OIDC clients will be signed. Older clients will still be issued unsigned tokens. If you have an older client, you should upgrade it as soon as is practical and notify the server administrators to start issuing your client signed tokens, since unsigned tokens should be rejected by the new client.


  • OAUTH-213: Allow for configuration of TLS version in configuration.
  • OAUTH-212: Updating dependencies for OAUTH-207 caused the Apache Base64 codec to upgrade. This changed its behavior and broke interoperability with several cryptographic tools (e.g. OpenSSL).
  • OAUTH-207: Update maven dependency versions.


  • OAUTH-185: Support for custom scopes and additional claims.
  • OAUTH-186: Improved error handling and validation in client registration form.
  • OAUTH-188: Fixed broken links in the getting-started page.
  • CIL-216: Updated documentation for registration and clarified what the refresh token lifetime field means.


  • OAUTH-178: Documented setting endpoints in the configuration.


  • OAUTH-167: Change keypair default lifetime to 0.


  • Updated documentation to accurately reflect OAuth 2 client registration process.
  • OAUTH-150: Added support to configuration for secret element.


  • OAUTH-142: Clients can now specify how often to generate a keypair to be used in generating certification requests. Until now, every such request was generated using a fresh keypair. However, if clients are put under very heavy load, generating such keypairs can slow response times drastically. It is now configurable how often to re-generate the keypair. Setting it to zero causes a new keypair to be generated every time, as in previous versions. The default is to regenerate the keypair once every 24 hours, which should be adequate for all installations.
  • OAUTH-145, OAUTH-146: Session cross-over bug. If a user started to get a certificate repeatedly but did not finish, then JSP would create a new JSESSIONID for each attempt. Subsequent attempts might have returned an incorrect session (browser dependent) which may or may not be valid. This gave extremely intermittent failures that were hard to reproduce.
  • OAUTH-147: Potential cleanup thread failure with a filestore. If a filestore is used and one of the files is corrupted (e.g. due to a system crash at the time of writing it) then the cleanup thread would fail to start. Now such corrupted files are simply logged in catalina.out and ignored otherwise.
  • OAUTH-148: Maria DB support is now implemented.
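To illustrate the keypair regeneration policy described in OAUTH-142 (zero means a fresh keypair on every request, otherwise the keypair is reused until its lifetime expires), here is an added example of a cache with that behavior. This is illustrative code, not OA4MP's own implementation; the class name, constructor and the RSA/2048 choice are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical keypair cache with a configurable regeneration interval.
 * Not OA4MP code; written to demonstrate the OAUTH-142 semantics.
 */
public class KeyPairCache {
    private final long lifetimeMillis;      // 0 => generate a fresh keypair on every call
    private final KeyPairGenerator generator;
    private KeyPair current;                // keypair currently in use, null until first call
    private long generatedAt;               // wall-clock time the current keypair was created

    public KeyPairCache(long lifetimeMillis) throws NoSuchAlgorithmException {
        if (lifetimeMillis < 0) {
            throw new IllegalArgumentException("keypair lifetime must be >= 0");
        }
        this.lifetimeMillis = lifetimeMillis;
        this.generator = KeyPairGenerator.getInstance("RSA");
        this.generator.initialize(2048);
    }

    /**
     * Returns the keypair to use for the next certificate request.
     * A lifetime of zero reproduces the old behavior (always fresh); otherwise
     * one private key backs every request made during the lifetime window,
     * which is the trade-off between load and key reuse that OAUTH-142 introduces.
     */
    public synchronized KeyPair getKeyPair() {
        long now = System.currentTimeMillis();
        boolean expired = current == null || lifetimeMillis == 0
                || now - generatedAt >= lifetimeMillis;
        if (expired) {
            current = generator.generateKeyPair();
            generatedAt = now;
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        // Default from the change log: regenerate once every 24 hours.
        KeyPairCache cached = new KeyPairCache(24L * 60 * 60 * 1000);
        KeyPair first = cached.getKeyPair();
        KeyPair second = cached.getKeyPair();
        System.out.println("reused within lifetime: " + (first == second));

        // Lifetime zero: every request gets its own keypair, as before OAUTH-142.
        KeyPairCache fresh = new KeyPairCache(0);
        System.out.println("fresh each time: " + (fresh.getKeyPair() != fresh.getKeyPair()));
    }
}
```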


  • OAUTH-128: Java SNI (Server Name Indication) is supported in Java 7 (required for this release of OA4MP) but the underlying Apache SSL libraries did not support it. These have been upgraded.
  • OAUTH-135: Failures in authentication were not displaying the correct message. They should route the user back to the login page for another attempt.
  • OAUTH-137: Documentation for cert lifetime configuration parameter was incorrect and the default of zero has been changed to 12 hours.


  • Added an FAQ section to the website.
  • OAUTH-105: Added support for file includes to configuration files.
  • OAUTH-105: Added checks to prevent cycles in aliases and files.
  • OAUTH-107: An exception is thrown on the client side if the protocol is not https. This fixes a low-level OAuth bug that would happen if the server redirected from http to https.
  • OAUTH-110: All clients may now specify one or more keystores to use when connecting to an OA4MP server.


  • Added support to make showing the redirect page optional for clients.
  • Added the ability to specify pages in the client servlet via configuration. There are three of them: a general error page, a page showing the successful completion of getting a cert, and finally a page where the redirect -- if showing the redirect page is enabled -- is located. All of these are paths relative to the web app itself.


  • Added support to make using log4j optional. Previously it could not be disabled, which interfered with some installations.


  • Fixed OAUTH-77: Added the ability to override the callback URI on a per-request basis.
  • Storage support, either via the file system or a database, which allows for persistent storage so that delegated credentials may be used in other applications.
  • Improved handling of errors.
  • Version number is printed at each server startup.
  • Added support for automatically cleaning up the asset store.
  • Many documentation updates to 1.0.6.
  • Added signatures for the latest downloadable war.


  • The sample client now shows the generated private key on the redirect page.
  • Due to limited proxy support being added in the 1.0.5 server, the client now can display a complete certificate chain rather than a single cert.