This release updates to UAA release 3.12.0.
This is a security release which addresses CVE-2017-4960: UAA OAuth DOS via lockout feature.
This release re-introduces the JWT-based refresh tokens. By default, refresh tokens are now JWTs rather than opaque, revocable tokens. This was done to keep the revocable_tokens table from filling up in large deployments of UAA.
The format of the refresh token can now be set at the Identity Zone level via the API, and can be bootstrapped from the spec file for the default zone.
uaa.jwt.refresh.unique:
  description: "If true, uaa will only issue one refresh token per client_id/user_id combination"
  default: false
uaa.jwt.refresh.format:
  description: "The format for the refresh token. Allowed values are `jwt`, `opaque`"
  default: jwt
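An added example (not part of the release notes or of UAA's own code): after the upgrade, an operator can check which refresh token format a zone actually issues by testing whether a token parses as a JWT, and see which claims a JWT refresh token exposes to its holder. The function names and sample tokens are constructed for illustration; the check looks at structure only and does not verify the signature.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _decode_json_segment(segment: str):
    """Decode one base64url segment into a JSON object; None if it is not one."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except (ValueError, UnicodeError):
        return None
    return obj if isinstance(obj, dict) else None


def visible_claims(token: str):
    """Claims readable by anyone holding the token; None for an opaque token."""
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        return None
    header = _decode_json_segment(parts[0])
    claims = _decode_json_segment(parts[1])
    if header is None or "alg" not in header:
        return None
    return claims


def refresh_token_format(token: str) -> str:
    """Return 'jwt' or 'opaque', the two values uaa.jwt.refresh.format allows."""
    return "jwt" if visible_claims(token) is not None else "opaque"


# Constructed sample tokens (not real UAA output); the signature is a dummy.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"cid": "constructed-client", "sub": "constructed-user"}).encode()),
    _b64url(b"constructed-signature"),
])
SAMPLE_OPAQUE = "0123456789abcdef0123456789abcdef"

if __name__ == "__main__":
    for tok in (SAMPLE_JWT, SAMPLE_OPAQUE):
        print(refresh_token_format(tok), visible_claims(tok))
```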
Upload this release version to the Director:
$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=27 --sha1 e935b37f1860a885046eab7dcb4a57a1de683ee1
Modify deployment manifest to use this release in addition to any other used releases:
releases:
- name: uaa
  version: "27"
Finally, add the needed deployment jobs and specify values for the required properties.
Optionally, download the release tarball (sha1: e935b37f1860a885046eab7dcb4a57a1de683ee1) locally:
# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=27

# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=27