Skip to content


You can find the source of this version on GitHub at cloudfoundry/uaa-release. It was created based on the commit 537562ee.

Release Notes

This release updates to UAA release 3.12.0

This is a security release which addresses CVE-2017-4960: UAA OAuth DOS via lockout feature

This release re-introduces the JWT based Refresh Tokens. Refresh tokens are no longer opaque and revocable by default. This has been done to take care of the revocable_tokens table filling up with large deployments of UAA.

The format of the refresh token can now be set at an Identity Zone level via the API and can be boot strapped from the spec file for the default zone.

      description: "If true, uaa will only issue one refresh token per client_id/user_id combination"
      default: false
      description: "The format for the refresh token. Allowed values are `jwt`, `opaque`"
      default: jwt


You can reference this release in your deployment manifest from the releases section:

- name: "uaa"
  version: "27"
  url: ""
  sha1: "e935b37f1860a885046eab7dcb4a57a1de683ee1"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 e935b37f1860a885046eab7dcb4a57a1de683ee1 \