You can find the source of this version on GitHub at cloudfoundry/uaa-release. It was created based on the commit
This release updates to UAA release 3.12.0
This is a security release which addresses CVE-2017-4960: UAA OAuth DOS via lockout feature
This release re-introduces the JWT based Refresh Tokens. Refresh tokens are no longer opaque and revocable by default. This has been done to take care of the revocable_tokens table filling up with large deployments of UAA.
The format of the refresh token can now be set at an Identity Zone level via the API and can be boot strapped from the spec file for the default zone.
uaa.jwt.refresh.unique: description: "If true, uaa will only issue one refresh token per client_id/user_id combination" default: false uaa.jwt.refresh.format: description: "The format for the refresh token. Allowed values are `jwt`, `opaque`" default: jwt
You can reference this release in your deployment manifest from the
- name: "uaa" version: "27" url: "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=27" sha1: "e935b37f1860a885046eab7dcb4a57a1de683ee1"
Or upload it to your director with the
bosh upload-release --sha1 e935b37f1860a885046eab7dcb4a57a1de683ee1 \ https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=27