Changes to the OA4MP server by version.


Release date 2023-04-23

  • CIL-1069: Emails are sent ontheir own thread now.
  • CIL-1638: Missing header in user info endpoint response.
  • CIL-1655: added refresh_token_lifetime and refresh_token_iat to refresh endpoint repsonse. These are not standard, but sufficiently many places do it now (and it's a really good idea) so we will too. If there is ever a standard for this, we will support it.
  • CIL-1667: The openid scope now will have the acr (authentication class reference) returned if present.
  • CIL-1668: QDL acl_add function will not throw an exception if the added identifier is invalid, it will merely log it. Optionally, it may be requested to fail hard and fast with a flag.
  • CIL-1671: Admin clients, if approved to do so, may either mint identifiers in their own namespace or request specific identifiers.
  • CIL-1677: Monitor last accessed times for various objects. This includes clients, admin clients, virtual organizations and (in CILogon) users. This permits tracking across time. As the system ages and scales up, being able to track which objects are in use is becoming critical.


Release date 2023-03-07

  • CIL-1266: Allow grace period on refresh.
  • CIL-1379: Revision of documentation for using self-signed cert with Tomcat 9+.
  • CIL-1604: Incorporate various fixes from the RCAuth group.
  • CIL-1608: Store the id token in the client's asset, rather than forcing the client to reget it.
  • CIL-1625: Expired auth grant giving wrong error message.
  • CIL-1629: Allow more units in configuration: hours and days are now supported.
  • CIL-1639: Edge case that the user info endpoint was not returning the right status code or header if a completely bogus bearer token was used.
  • CIL-1640: Errant debug stack trace too chatty.
  • QDL Issue 6: Document command line switches.
  • QDL Issue 8: Add a fork function. This is not permitted in server mode.
  • QDL Issue 9: Add a sleep(ms) function. Mostly this is an iad to testing.
  • QDL Issue 10: add optional module supporting various formats such as XML, YAML, HOCON.

Release date 2023-02-07

  • CIL-627: Migrate to Java 11, split off MyProxy code.
  • CIL-630: Retire CILogon archived user table.
  • CIL-869: Documentation for dynamic client registration additional attributes.
  • CIL-1014: Explicit creation of memory stores does not work.
  • CIL-1088: Compact logging of expired access or refresh token.
  • CIL-1178: Shorter LDAP timeouts. These were set to 10 seconds, but since OA4MP was running Java 8, a known bug there prevented this from being effective. As of this release, it should work.
  • CIL-1327: NCSA QDl scripts should be invoked in post_userinfo but not post_exchange phases.
  • CIL-1330: Related to CIL-1342.
  • CIL-1339: Simple configuration for clients using a QDL driver script.
  • CIL-1342: Custom redirects added in cases of error. QDL supports throwing an basic error now, a specific OAuth 2 error and a CILogon specific error in the course of running server scripts.
  • CIL-1346: Certain returned errors in CILogon were not OAuth 2 compliant.
  • CIL-1347: Side effect of CIL-1348.
  • CIL-1348: Debug print for clients with custom short IDs did not work right, resulting in an error rather than a log entry.
  • CIL-1354: Remove OAuth 1 references from documentation.
  • CIL-1366: exec_phase post_all was not working.
  • CIL-1388: CILogon did not get custom error uri in DBService layer.
  • CIL-1419: Proxy client sending extra scopes. It should request the exact same scopes the user has granted.
  • CIL-1423: metadata tag is officially ignored any place in a client cfg element. This allows management of clients by external systems (e.g. COManage) to insert their own accounting information.
  • CIL-1426: XRAS client errors. This was, in fact, a manisfestation of a provisioning error from COManage.
  • CIL-1464: Disable clipboard use by Command Line Client when used as a proxy.
  • CIL-1490: Scope matching for templates was too simple-minded, assuming every scope was a uri or ignored. With scopes like compute.modify, better matching is needed.
  • CIL-1493: Remove non standard cid claim in SciTokens.
  • CIL-1498: is_defined failing on stem elements in QDL.
  • CIL-1507: Simplify setting cfg attribute in the CLI.
  • CIL-1518: (CILogon specific) raising error results in default status of -1 if not explicitly set. Return QDL error status as default.
  • CIL-1536: Modernize interface between token exchange and QDL.
  • CIL-1538: Preserve debug_on flag in client when using the REST API.
  • CIL-1541: Multiple scripts in a token handler only have very first one run. Run all in sequence.
  • CIL-1550: Java serialization issue with OA4MP managed claim sources. Fix is to quit using java serialization completely.
  • CIL-1553: Allows specifying subtree search scope in QDL.
  • CIL-1556: Improved online documentation to the CLI.
  • CIL-1582: Really badly formed post to token endpoint should return status of 400.
  • CIL-1584: Improve handling of scopes sent to proxy server.
  • OA4MP issue 44: Dynamic query of clients is documented here.
  • OA4MP issue 81: Clients that upload a string of scopes to the CM endpoint should get back a string, not a JSON array.
  • OA4MP issue 84: Client Management API should return code 201 not 200 on create. Note: CILogon still returns 200.
  • OA4MP issue 85: Improve RFC 7591 compliance.
  • QDL issue 1: starts_with not processing sparse lists.
  • QDL issue 2: diff function for stems added.
  • QDL issue 3: args() added to replace script_args().
  • QDL issue 4: allows stem called state. to be returned with raise_error().
  • QDL issue 5: Input form of empty stem is incorrect.

Note that QDL issues now have a new system for tracking them directly and hence start with 1.


Release date 2022-07-18

  • CIL-1081: Ersatz clients.
  • CIL-1277: Server-wide client configuratioins.
  • CIL-1288: Bad example in CLI search documentation.
  • CIL-1296: Allow for arbitrary LDAP search filters. See documentation here (last example)
  • CIL-1301: Added inclusive pre_all, post_all phases for QDL scripts. post_all means the script would be called at post_auth, post_token, post_refresh, post_exchange and post_user_info. This allows for letting the script decide what to do.
  • CIL-1302: Set default that QDL code blocks are rejected in client configurations. For admin clients to upload raw QDL, they must be granted explicit permission.
  • CIL-1306: LDAP error messages should be more informative.
  • CIL-1307: Null pointer returned rather than useful message if bad parameters in a code challenge are passed. Return something informative.
  • CIL-1308: Do not do any initialization with the email system if it is disabled.
  • CIL-1310: CILogon CLI can now compute the DN for a certificate at the command line.
  • CIL-1312: Discovery servlet should return response modes and all grant types.
  • CIL-1313: QDL module loading bug. Java modules were prevented from loading in server mode.
  • CIL-1318: JDBC drivers updates for MariaDB and MySQL are not compatible.
  • CIL-1319: Bump mysql connector version.
  • CIL-1321: Inheritance of client configurations via prototypes.
  • CIL-1324: OA4MP should log better errors for missing QDL scripts
  • CIL-1328: OA4MP not running user metadata refresh consistently in user info endpoint
  • CIL-1332: QDL error codes for CILogon database service
  • CIL-1333: Client configurations with arrays of configurations not read right. Regression from previous versions of OA4MP.
  • CIL-1334: Support for error uris in QDL's scripting sys_err. See server scripts.


Release date 2022-05-10

  • CIL-1221:Add proxy_claims_list attributes support to the client management endpoint.
  • CIL-1225:Prevent mail util from throwing an exception in certain cases if mail has been completely disabled.
  • CIL-1253:introspect endpoint should not require token_type_hint.
  • CIL-1267:fail_on_error inLDAP configurations not getting passed along consistently.
  • CIL-1268: More graceful recovery from certain types of errors. If, for instance, a client's LDAP is misconfigured, token operations (such as refresh) will fail, but can be resumed rather than invalidating the flow.


Release date 2022-03-29

  • issue #44: Document querying client management endpoint for all clients associated with a given admin client.
  • CIL-771: (experimental) token info endpoint.
  • CIL-869: Documented extra parameters for the dynamic client registration endpoint.
  • CIL-1145: All references to log 4 java have been removed.
  • CIL-1146: Client server proxying has been implemented. Read up on it here
  • CIL-1166: Python library interoperability issue,
  • CIL-1184: Wrong entry in listing the cleanup interval property in the server properties table.
  • CIL-1187: Errors in setTransactionState should be more descriptive
  • CIL-1193: Support for CRT (Chinese Remainder Theorem) when generating public/private key pairs.
  • CIL-1206: QDL state serialization bug involving whitespace for token exchange records.
  • CIL-1208: Dependabot alerts for PostGreSQL version. Does not impact us, but there is no update to the version they require for Java 8 libraries.
  • CIL-1211: Garbage collection race condition. If a user starts an auth flow, their code is invalid until they log in. If the garbage collector runs between the time the flow starts and they finish their login, the transaction will have been garbage collected.


Release date 2022-02-01

  • issue #16: Remove GPG signing for maven.
  • issue #17: Fix scope documentation.
  • issue #40:Dynamic registration for oidc-agent
  • CIL-1088: Better log message in case of an invalid refresh token.
  • CIL-1112: Support for generic access tokens as per RFC 9068
  • CIL-1117: XML bug in Corretto workaround.
  • CIL-1122: Garbage collect abandoned flows.
  • CIL-1124: Userinfo endpoint should reject revoked tokens.
  • CIL-1132: Allow "ANY" scope (as a special value that is a string) in SciTokens.
  • CIL-1137: ID tokens unique identifier is not asserted as "jti" not as "token_id."
  • CIL-1147: remove all references to log for java (log4j).
  • CIL-1148: Update list of stores in the documentation.
  • CIL-1153: removed and deprecated old unused flie store configuration
  • CIL-1159: Better handling of missing attributes in dynamic client registration


Release Date 2021-11-02

  • CIL-1101: Allow device flow as explicit type in dynamic client registration.
  • CIL-1102: device code is now base 32 encoded in device flow
  • CIL-1104: Require openid scope for user info endpoint.


Release Date 2021-09-28

  • CIL-1041: Per client lifetime and interval for device flow.
  • CIL-1058: Database versions updated.
  • CIL-1061: PKCE support.
  • CIL-1067: A JSON Webkey store with a single entry does not require a default ID to be set.
  • CIL-1072: Consistent update of ID token timestamps.
  • CIL-1074: Independent QDL server mode logging.


Release Date 2021-08-31

  • CIL-1057: Derby support added.
  • CIL-1051: Track device flow transactions better in database.


Release date 2021-08-03

  • CIL-1029: Check RFC 8725 for JWT best practices. By and large we follow them.
  • CIL-1030: CILogon specific. Too many serial strings are made.
  • CIL-1035: Clients with refresh tokens disabled are getting long-lived entries in the transaction table. There should be nothing there for them.
By and large the major innovation in 5.2.0 and above is support for RFC 8628 -- the device flow.


Release date 2021-07-14

  • CIL-961: Reduced scopes supported in token exchange.
  • CIL-971: Token exchange does not update returned token id for compound refresh tokens.
  • CIL-974: Complete VO support for refresh and token exchange endpoints.
  • CIL980: Support for RFC 8707, the audience and resource standard.
  • CIL-998: WLCG groups supported.
  • CIL-1002: logging per client supported.
  • CIL-1012: offline_access scope supported.
  • CIL-1019: preferred_username claim asserted if found for profile scope.


Release date 2021-06-10

  • CIL-958: CIlogon now asserts the cilogon_uid claim, which is a shortened version of the unique identifier.
  • CIL-962: Support for WLCG wlcg.credkey claim.
  • CIL-971: In certain cases, token exchange does not update the actual token.
  • CIL-974: User info endpoint needs to ensure correct signing keys are used for custom issuers.
  • CIL-976: Discovery paths for custom issuers need to be resolved better.
  • CIL-980: RFC 8707 is supported
  • CIL-985: Errant cast in revocation servlet caused unrecoverable error.
  • CIL-986: Support for custom token issuers in the introspection and revocation endpoints.


Release date 2021-04-14

  • CIL-697: Improve error messages to include a description.
  • CIL-708: review of token exchange endpoint.
  • CIL-824: Making all demo clients at CILogon distinct.
  • CIL-833: Better enforcement of response_type.
  • CIL-841: Fix returned claims for NCSA client.
  • CIL-843: Some NCSA clients require a flat list for the isMemberOf claim, some require a JSON object that has group ids. Amend QDL script to accept a parameter to set this.
  • CIL-845: Allow basic versioning of objects in stores (clients, users, admin clients) with the CLI.
  • CIL-848: Add access control to QDL scripts on server based on client/admin id.
  • CIL-855: Review and set policy for unrecognized scopes.
  • CIL-871: OA4MP rejects wildcards in callbacks everywhere, both at registration and using the client management API.
  • CIL-872: OA4MP servers will now, by default, only garbage collect tokens that they have created. There is a new server configuration flag to have all expired tokens removed too.
  • CIL-882: Expired or invalid refresh tokens return an error of invalid_grant, not invalid_token.
  • CIL-884: Client Management API allows updating public clients except for changing a public client to a confidential one -- that would require a new secret and secrets are only created at registration. Therefore, you must register a new client if you need a confidential one.
  • CIL-889: Admin clients may now have a flag set that will allow them to reference QDL scripts. If this is disabled (default) any configuration with a QDL block will be rejected.
  • CIL-892: Missing documentation for the client well known URI tag. This can be found here.
  • CIL-906: In id tokens, the auth_time claim must be a number. It was being returned as a string.
  • CIL-911: Return the state parameter with errors consistently.
  • CIL-915: Review and update the scopes documentation for clients.
  • CIL-917: Improved client registration templates to include more information.
  • CIL-922: Base 32 encode all non-JWT tokens. This is because some libraries (in PHP) were unable to reliably url encode the new tokens. Base 32 tokens are case insensitive to boot.
  • CIL-931: The client management API needs to return strict_scopes when GETting a client.
  • CIL-936: Public clients were being rejected for access tokens.


Release date 2020-09-30

  • CIL-675, CIL-631::SciTokens/WLCG support.
  • CIL-696: Code management. Bottom line is that the wars and jars are huge because we have dependencies that use IBM's international character support. Actual OA4MP code runs at about 7% or less of what is in a given war or jar.
  • CIL-708, CIL-689: Verify RFC 8693 (token exchange endpoint) compliance.
  • CIL-720: Update dynamic client registration webpage to list required parameters.
  • CIL-725: (RFC 7592) Allow admin clients to set the scopes of clients they administer.
  • CIL-729: Limited support for ISO 6429. This affects command line clients and utilities only.
  • CIL-737: Allow for prompt = select_login. Henceforth we accept all standard prompts except "none" and "consent".
  • CIL-738: Implement subset of RFC 7662, the token introspection endpoint.
  • CIL-739: Restrict to absolute URIs callbacks only.
  • CIL-836, GitHub #19 : Make QDL support official.
  • CIL-850 Error in reading old configuration by new configuration.


Release date 2020-06-22

  • CIL-733: (RFC 7591/7592) token_endpoint_auth_method missing on GET
  • CIL-734: (RFC 7591/7592) client metadate returned inside cfg object
  • CIL-735: (RFC 7591/7592) cannot delete cfg object


Release date 2020-05-29

  • CIL-683: CLI should update issuer for admin clients when asked to do so.
  • CIL-684: Admin clients should have max_clients settable from CLI.
  • CIL-685: CLI should ask for confirmation when deleting objects.
  • CIL-701: Incorrect grant type should return status code of 400.


Release date 2020-04-23.

  • Github issue 5: Support multiple response modes I.e., the callback may optionally have its authorization response parameters encoded as a fragment, not a query.
  • Github issue 8: support for public clients
  • Github issue 13, CIL-646: Implement rfc 7009 for token revocation.
  • Github issue 15: OA4MP may be turned in to an OIDC compliant service by setting the OIDCEnabled flag
  • Github issue 19:Added QDL support.
  • CIL-525: More refresh token tests
  • CIL-540:(CIlogon only) Relax requirements for user attributes. as long as a user is only requesting a scope of openid (so no certs or extended information such as groups) and has an idp and an identifier CILogon will accept the user.
  • CIL-639:Allow users to specify roles. In particular now, OA4MP will accept certain scoped additional request parameters and, depending on the client, act upon them.
  • CIL-646: Support token introspection. There is now an /introspect endpoint available. First cut is very, very basic and merely allows for a client to query if a given access token is valid. Since we are moving to self-describing tokens it is unclear if we should support the other operations which are basically reading the token back to a service.
  • CIL-648: Recheck claims at token refresh. There is also scripting support now for this.
  • CIL-649: Support pairwise id and subject id (in CILogon).
  • CIL-666: Command Line Interface improvements. Please see the cli manual for details.
  • CIL-695: issuing the rm command in the CLI should prompt.
  • CIL-693: Claim sources created via introspection need to have their state injected.


Release date 2019-11-20.

  • CIL-352: CILogon previous subject issue. In some cases in CILogon, the country should be US and is not archived this way when updating. This really is just a minor annoyance.
  • CIL-493: Extra scopes that have not been approved for a client are ignored, as per the spec.
  • CIL-503: Creating a new user results in a serial string with the same index.
  • CIL-518: Remove zero length files. This now has a flag to enable/disable this in the configuration. It is only an issue if a server is using file storage. Look at the file store documentation to learn more.
  • CIL-525: Added a file-based claim source in addition to claim sources from LDAP, headers and such. This allows server to manage either all their claims or have a repository for very specific ones.
  • CIL-566: Fire email for admin client registration. NOTE: the reason this failed at one point was because of an upgrade from Java 8 to Java 11. Please see the email configuration documentation for the details of getting this to work. Basically you need to include on more file.
  • CIL-567: Support for RFC 7592, updating and removing client information.
  • CIL-570: Better return codes when creating a transaction fails.
  • CIL-575: List of failure codes from create transaction failure.
  • CIL-576: The CLI should use the same logic as the registration form for callback URLs. This means allowing for calls to http://localhost, e.g.
  • CIL-579: Last modified date added to all clients. When a client is saved, this is updated. Note that this will update database tables autoamtically.
  • CIL-586: return list of scopes if different from what is requested. As per the spec. if a client requests a set of scopes but the server does not honor any of them, a list of what the server will honor is returned.
  • CIL-609: remove blank lines in callback uri list when registering a new client.
  • CIL-612: Limit number of OAuth clients than an admin can register.

Other things to note in this release is the the CLI now supports setting environment variables both in a file (either a Java properties file or a JSON object in a file) and from the command line.


Release date 2019-05-15.

  • Added support for turning on/off OIDC abilities in the configuration file with the OIDCEnabled flag.
  • CIL-467:Eliminate init endpoint (this was very specific to CILogon).
  • CIL-490: Added a check box on the client registration form to allow marking a client as public. Note that this will automatically set the scopes to only "openid".
  • CIL-506: Support for the OAuth dynamic client registration specification is added.
  • CIL-515:demo client will now show the id token and information about it
  • CIL-532: eduPersonEntitlement support. Generally all additional attributes that Shibboleth sends are now returned as claims unless specifically omitted.
  • CIL-535: configuration snippets are now stored and may be accessed generally in other client configurationd. This allows for the practical inheritance of configurations.
  • CIL-545:Accept a wider range of redirects during client registration. Redirect URIs may be to any domain if the scheme is https. If the scheme is http then only redirects to localhost or a reserved private range such as 192.168.x.x are allowed. If the scheme is not http or https, any domain is allowed. This last feature is needed for mobile device support.


Release date 2018-10-29.

  • CIL-476: Allow for setting reply-to header in email notifications
  • CIL-491: Public clients get a trivial ID token when they get an access token. This allows certain services like kubernetes to check the timestamps and the ID token.
  • CIL-499: Check that certain claims are present before returning them. This prevents an unruly script from creating an unsuable claims object.
  • CIL-501: CLI displays multiple attributes when fully listing a client.
  • CIL-505: (in the DB service) Return a better error message if a request times out.
  • CIL-508: CLI should be able to list all clients for a given admin. In the admin module, this is the list_clients command.
  • CIL-512: Support for LIGO Robot DNs added
  • CIL-513: HTTP headers claim source should be configurable to ignore certain returned claims, since in a proxying situation, these may be for the proxy, not for the requesting client.
  • CIL-517: Requests to the service using POST should be refused unless the encoding is only form URL.
  • CIL-519: Client Management should return an uploaded cfg object when querying the client's attributes.


This is a major upgrade and rewrite of the OA4MP system and is the result of a great deal of feedback and experience.

  • CIL-332: Error esponses should be JSON format with HHTP status 400.
  • CIL-365: Setting scope = org.cilogon.userinfo should return an oidc claim if there is one.
  • CIL-408: OAuth 1 command line client should not look for admin client stores on startup.
  • CIL-417: Set subject claim to EPPN in certain cases
  • CIL-422: Restrict access based on group membership.
  • CIL-425: More flexible scope handling
  • CIL-435: Return group number with group information
  • CIL-436: LSST isMemberOf validation endpoint. See the doc here
  • CIL-443: CILogon isMemberOf should parse the NCSA's LDAP information into a standard format
  • CIL-448: Odd claims from surge. This requires checking eppn by domain and restricting access accordingly.
  • CIL-460: Admin service rejects attempts by clients to update themselves.
  • CIL-462: Get acr claim and return in id token
  • CIL-464: Allow for customizing identifier scheme via configuration.
  • CIL-467: Eliminate init endpoint for OIDC version.
  • CIL-477: Set voPersonExternalID. This may be done with server-side scripting now.
  • CIL-479: Issue isMemberOf claim based on IDP and SAML attributes.
  • CIL-494: Allow public clients to access user information endpoint. The response is trivial since they are only allowed the openid scope.
  • CIL-498: After error on cleitn registration page, no scopes displayed.
  • github #10: Allow CLI to edit scopes
  • Support for functors in client configurations.

Many updates, including the introduction of functor-based scripting. There is also a document relating to CIL-436 and a JWT token parsing endpoint. The major change is allowing for a full scripting language to configure client behaviors. This is what effectively solved most of the above issues.

The command line interface (CLI) now supports exporting and importing records from a file with the serialize and deserialize commands. For SQL stores, there is also a new search function that allows for limited but very useful searches. Most of the unit tests have been improved or rewritten.


  • CIL-430: Credentials sent in authorization header are to be URL encoded.


Release date 2017-11-29.

  • Support for public clients.
  • CIL-409: Missing cert request in OIDC getcert call causes empty certificate to be returned.
  • CIL-414: Bug prevented accurately counting number of pending approvals.
  • CIL-426: Send admins an email when there are too many pending approvals.
  • CIL-427: Improve handling of approvals so that unapproved, pending and revoked approvals can be tracked.

Release Notes

Public clients are supported. It is assumed that the identifier is published publicly so that, for instance a user can get a refresh token and then access tokens. No secret is needed to use a public client, however access by a public client is severely restricted, almost exclusively to the openid scope for a user.


Release date 2017-08-28.

  • OAUTH-203: Clients may request supported scopes at registration time.
  • OAUTH-212: PEM encodings broken by change to Apache base 64 codec.
  • OAUTH-213: Make TLS version configurable in the SSL configuration.
  • OAUTH-217: Added discovery, in a server/.well-known/openid_configuration.
  • CIL-339: EPTID mismatch handled as a separate case.
  • CIL-344: Client management API created. Sample scripts created as well.
  • CIL-356: Clients may have individual LDAP configurations.
  • CIL-371: added claim for cert_subject_dn to be returned for the org.cilogon.userinfo scope.
  • CIL-378: Clients with same creation timestamp are not all displayed in CLI.
  • CIL-388: Server wars now include more meta information in the META-INF/MANIFEST.MF file about the build.
  • CIL-396: More client information in email notification at registration for OIDC clients.
  • CIL-404: Errors in the getCert servlet should throw an exception.
  • CIL-405: Default for all new clients at registration is to enable ID token signing.
  • Java object serialization issue: Updated dependencies on Apache commons-collections to 3.2.2.
  • Removed legacy unused Java object serialization from backend file store.

3.4 Release notes

Note that in this release of OA4MP there are two new tables that are required if the server uses SQL -based storage. One for admin clients and another for permissions. If the user (i.e., as defined in the configuration file that accesses the data) has create permission in the database, then the tables will be automatically created. If not, then you must create them manually using one of the scripts found here.

You must also create signing keys for OIDC. This is done with the command line tool

Signing of ID tokens is now the default on the server. However, since older clients may not support this, the default is to disable signing of ID tokens for all clients. Older OA4MP clients will break if signing is enabled and they are at an earlier version (3.3 and before). Also, some installations of the mod_auth_openidc client that cache the .well-known file have been known to break when talking to a 3.4 server. Please upgrade the .well-known file to the latest version on the server.


Release date 2016-09-22.

  • CIL-252: Scope handler which queries LDAP for user attributes.
  • CIL-264: Document examples using the cURL command.
  • CIL-268: Added sample OA4MP OIDC configuration to web documentation.
  • CIL-273: LDAP support for OA4MP.
  • CIL-286: Failed client registration not cleaned up.
  • CIL-299: "Max retries exceeded" message from MariaDB connection pool. This was because the method in question was only partially synchronized.
  • CIL-309: Refresh token fixes and improvements.
  • CIL-312: Null pointer exception when parsing URIs. The built-in parser for URIs is rather stupid in certain cases and would throw an NPE when parsing. This is now being handled better to prevent this.
  • CIL-317: exception setting transaction state if use waits to finish exchange until after initial grant has expired and garbage collected.
  • CIL-319: Indicate in DN if the user is from and InCommon or eduGain IDP.
  • CIL-320: DB Service fix to get information to resolve CIL-319.
  • CIL-324: Attempting to send many email notifications at once causes failures.
  • CIL-359: ID tokens must be signed by the server.
  • OAUTH-189: Invalid nonce causes reloadof authorization page to fail.
  • OAUTH-191: Defer connecting to MyProxy until the getCert call, if possible.
  • OAUTH-194: OIDC token endpoint should return error with status of 400.
  • OAUTH-196: Documentation needs updating after file name change internally.
  • OAUTH-197: Testing from the command line documentation shows sending the secret to the authorization endpoint, which is not in the specification.
  • OAUTH-198: Pass the HTTPServletRequest to the basic scope handler. This allows implementors more flexibility.
  • OAUTH-199: Pass HttpServlet request to custom scope handlers.
  • OAUTH-200: Connection pooling does not clean out stale connections.
  • OAUTH-201: Username incorrectly flagged as the primary key for the asset table, causing and error on updates.
  • OAUTH-202: Tomcat 6 is not supported for this release of OA4MP. You must have at least version 7 or higher.
  • OAUTH-206: Refresh token lifetime limited. A logic bug made the lifetime of refresh tokens decrease on refresh, eventually yielding invalid refresh tokens. All refresh tokens now are valid for the full requested time.
  • OAUTH-208: Remove dependeny on one-jar plug in for building executable jars, since it is no longer supported.
  • OAUTH-209: Remove dependency on Google Code's maven repository.
  • OAUTH-215: default secret key length for new OIDC clients set to 512 bytes.
  • Added new command line client for testing purposes.


Release date 2016-01-28.

  • CIL-101: (reopened with an additional parameter for the overloaded myproxy username)
  • CIL-210: Return CILogon specific claims fromthe getUserInfo endpoint.
  • CIL-211: New attributes for the user, affiliation, display name and organizational unit.
  • CIL-227: Refresh token lifetimes should be ignored if not enabled on the server.
  • CIL-231: EPPN and EPTID no longer omitted from X509v3 extension.
  • CIL-234: Fermi National Lab specific distinguished names, along with a configuration option for the server to disable generation of these.
  • CIL-240: update for items from command line not working.
  • CIL-257: Unwanted serial string changes on user updates
  • CIL-258: Allow OGS CA to omit versio number from certification requests since MyProxy accepts these.
  • CIL-260: Allow for restoring archived users from command line.
  • OAUTH-184:Additional claims returned from the getToken endpoint.
  • OAUTH-192: Enabling use of the remote user header from an external authorization module could allow a user to change their name.
  • OAUTH-193: Empty responses to cert request.


Release date 2015-09-14.

  • OAUTH-181: Updated server walkthrough.
  • OAUTH-183: Update documentation for using remote user.
  • OAUTH-184: Plugin capability for additional IODC claims.
  • OAUTH-185: Support for custom scopes and additional claims.
  • OAUTH-188: Fixed broken links in the getting-started page.
  • CIL-194: Searching for MyProxy servers in CILogon now uses standard OA4MP libraries.
  • CIL-196: ServerDN option in configuration now can be over-ridden in the MyProxy tag.
  • CIL-197: Propagating MyProxy changes to CILogon.
  • Added PKCS 7 encoding support to the certificate utility


Released 2015-08-18

  • OAUTH-180: Support OIDC servers that do not use a nonce.
  • CIL-101: Add setTransaction state call.
  • CIL-136: Documenting the OAuth 2.0 authorized servlet.
  • CIL-141: Improve pinging servers
  • CIL-170, CIL-171: Missing log4j properties restored.
  • CIL-172: Multiple LIGO IdPs supported.
  • CIL-173: Fix handling of incorrect password.


Release date 2015-08-15.

  • CIL-194: CILogon server only returns cert from last Myproxy server
  • CIL-196: server DN override in myproxy configuration not read.


Release date 2015-06-18


Release date 2015-04-08.

  • Java 8 support: Due to internal changes to Java, this release requires Java 8 and will not work with previous versions of Java.
  • OAUTH-164: Support for id_tokens in OAuth 2 module
  • OAUTH-165: Passing the skin parameter in with the initial request.
  • OAUTH-168: Making OA4MP for OAuth 2.0 spec. compliant.
  • OAUTH-169: Removed "error url" from the OAuth 2 registration page
  • OAUTH-170: Typo in online documentation. Examples had tags corrected to <service>
  • OAUTH-171: MyProxy Logon now supports setting the socket timeout.
  • OAUTH-172: Expose MyProxy socket timeout in OA4MP configuration.
  • OAUTH-173: Improved error message on session timeout.
  • OAUTH-174: Error handling in OAuth 2 component.
  • OAUTH-175: Possible concurrency issue with MariaDB connections.
  • OAUTH-176: Specify DN (distinguished name) for MyProxy server(s).
  • OAUTH-177: Documentation for the new server DN option.


  • OAUTH-162: Client secret must be sent on access token request but not on authorization request.
  • OAUTH-163: State must be returned in OAuth 2 component with authorization response callback.


Release date 2014-04-11.

  • OAUTH-127: MyProxyLogon website updated to point to current release.
  • OAUTH-129: Sorting entries with the the CLI ls command. Before there was no sorting, now it is done by client ID or date, where applicable.
  • OAUTH-134: Updating documentation on how to run a monitor.
  • OAUTH-154: Removed possible redundant/conflicting maven dependencies.
  • OAUTH-156: Turn off default logging for MyProxyLogon. This permits use of the MyProxyLogon module as a library without getting logging messages to the console (the previous default).
  • OAUTH-157: Client registration page not saving client secret under OAuth 1.0a protocol.
  • OAUTH-158: Updated links on generic client registration page to current documentation.
  • OAUTH-159: Update documentation for this release.
  • OAUTH-160: Regularize and improve version reporting at component (CLI, client, server) startup.


Release date 2014-10-29.

  • OAUTH-131: Improved client registration for OAuth 2 servers.
  • OAUTH-149: Remove support for MyProxyLogon to use SSL version 3. (This mitigates the POODLE attack.)
  • OAUTH-152: Do not show detailed MyProxy error message if authorization fails.
  • OAUTH-153: Improved logging for MyProxy errors and successes.
  • OAUTH-155: Updated documentation to explain new OAuth 2 client registration process.


Release date 2014-09-30.

  • OAUTH-139: CLI might return an incorrect list of items after several updates.
  • OAUTH-140: MyProxy component didn't quite log completely to the configured log file.
  • OAUTH-141: Improved client/server walkthough. This is documentation that permits an administrator to deploy both a client and server locally with a self-signed cert for testing purposes.
  • OAUTH-143: Enabling the Globus DN option should have had better documentation pointing at the server requirements for JGlobus.
  • OAUTH-144: Jetty version was incorrect, causing certain build issues. This was standardized on version 6.1.26 to ensure consistent builds.
  • OAUTH-147: Potential cleanup thread failure with a filestore. If a filestore is used and one of the files is corrupted (e.g. due to a system crash at the time of writing it) then the cleanup thread would fail to start. Now such corrupted files are simply logged in catalina.out and ignored otherwise.
  • OAUTH-148: Maria DB support added.


Release date 2014-07-31.

  • OAUTH-112: Servlet initialization is injected now, decoupling it more from Tomcat startup.
  • OAUTH-113: MyProxy does not handle PAM challenges. The documentation has been updated with a link to the appropriate page on the MyProxy website where this is discussed.
  • OAUTH-117: Server install walkthrough updated and improved to reflect changes (in particular, it now makes us of the resolution of OAUTH-110).
  • OAUTH-118. Build error in maven caused OAuth2 command line tools to issue an NPE in certain cases.
  • OAUTH-119: Loading objects into the CLI that do not have identifiers caused an NPE. This could only arise really if someone directly edited an entry in a text editor (e.g. if the installation was backed by a filestore). In that case it would not be possible to load any objects from that store into the CLI, preventing editing of them.
  • OAUTH-120: The new -component flag allows an administrator to start the CLI with the named component as an argument. E.g. rather than start the CLI and use the approval component, just issue
    ./oa4mp-cli -component approvals
  • OAUTH-125: "About" and "Overview" links on website were broken.
  • OAUTH-126: Website now lists the version number with the "latest" link.
  • OAUTH-130: Documentation amended to clarify which version of OA4MP (based on OAuth 1.0a or OAuth 2.0) to use.
  • OAUTH-133: Configuration option to convert standard DN to (legacy) Globus identifiers. This is mostly useful for installations that have been using Globus for a very long time.
  • OAUTH-135: Failure in authentication were not displaying the correct message. They should route the user back to the login page for another attempt.


  • OAUTH-105:Added support for file includes to configuration files.
  • OAUTH-105: Added checks to prevent cycles in aliases and files
  • OAUTH-106: Adding fully qualified host name to client approval notifications.


  • OAUTH-47 Now supports building with maven 3.0+ There was an issue with earlier an pom version that prevented this.
  • Support for OAuth 2 protocol. This includes full server and client support as well as various supported stores (mysql, postgres, files) and admin tools.
  • OAUTH-94: Fix for passthrough of Shibboleth attributes. A username transformation interface has been created. This will be invoked immediately before the call to MyProxy. Users that wish to customize this may do so by implementing the interface and setting it in the environment at server startup.
  • OAUTH-96: Check for a bad PKCS10 CSR (missing version number which must be set to 0) created by pyOpenSSL is now in place and an informative message is now issued. Earlier the Bouncy Castle code allowed for this, Sun does not.
  • OAUTH-99: Old documentation at Science Gateway Security site removed. Everything is redirected to this site now.
  • OAUTH-102: No username returned with cert in certain cases. Fixed.


Release date 2013-08-16.

  • Added support to make using log 4j optional. It had been disabled which interfered with some installations.
  • Fixed bug OAUTH-90.
  • Fixed bug OAUTH-94. This adds a configuration option to return the DN of the user's cert as the username.
  • All new command line tools that allow for managing clients and approvals.
  • Changed client index page to be more up to date.
  • Removed all explicit references to Bouncy Castle. This should prevent future jar pollution from incompatible versions. JGlobus still uses this though....
  • Set mysql and postgres jars to be provided rather than included in the release so that projects that need only a single type of storage are not required to install both of these.


Release date 2012-08-31

  • Version number is now printed to the console whenever the server starts up.
  • Support for authentication using the REMOTE_USER (or any other) header.
  • Improved error handling on the server, especially in cases where the MyProxyLogon client encounters a runtime exception.
  • OAUTH-80: errors resulting from JGlobus broken build will be resolved by their conforming to standard maven practices
  • Fix for OAUTH-83 documentation error in configuring mail addresses
  • OAUTH-84 failure to return a complete certificate chain from MyProxy in a certain case
  • OAUTH-85 failure to configure logging could result in an error. Default is to dump everything into the tomcat logs.
  • Use of new JGlobus release 2.0.5.
  • Bouncy Castle version set to 1.43 to support JGlobus release 2.0.5.
  • Added signatures for the lastest downloadable war.


  • Support for limited proxy generation. Allows the server to generate a public/private keypair and issue a limited proxy. The result is a certificate chain.
  • Deny HTTP header. This sets the HTTP header to "deny" which prevents clickjacking attacks.
  • Added logging support. Standard Java logging is now available and configurable.
  • Default MyProxy server on localhost. If no MyProxy server is specified, one is assumed to be running on localhost.
  • Improved admin tools. In particular, improved the CLI to give more readable messages.
  • Improved SQL install scripts.
  • Links in the documentation to the latest versions of these scripts.
  • More and better documentation.