Release Notes
Release Notes for all BFE Authorization Applications
Release 4.9.8
Highlights
Added logout prompt on secondary authorization screens.
Details
Fixes for dual PIN screens on force logout.
Moved dismissKeyguard to the activity onResume, only if interactive.
Changed verification screens to single instance to reduce blinking when turning the screen on (e.g. screen already up, being recreated).
Fixed an issue with Verify Barcode losing ability to scan during repeated on/off cycles.
Updated the current session object upon successful reauth.
Added logging to determine if user-initiated cancel or direct method call.
Added capability for LDAP Auth to use shared credentials for NFC+Pin login.
Added logout prompt dialog if secondary auth required is true and user clicks on Logout button.
Release 4.9.5
Released March 2024
Highlights
Ability to customize OIDC authorize parameters, fixes for MSAL logout and Quick Start icons
Details
Added configuration 'addlAuthorizeParams' which appends key/value pairs to the authorize calls using config and/or session attributes.
Fixed issue where MSAL in shared device mode does not fully logout on reboot.
Fixed issue where configured Quick Start icons in the PIN entry screen are not displayed in Android 11
Release 4.9.2
Released January 2024
Highlights
Updated logic to resign the access token being sent to Zebra Profile Manager (PFM).
Details
Updated the PIN Verify timeout to 1 second, which appears to work fine for Demo and OIDC PIN Verify.
Updated the IdP Demo Auth to support reauth hint values.
Added ability for LDAP to cache credentials for downstream apps.
Implemented token refresh in MSAL auth.
Updated PTT Pro access token to include sub and upn claims.
Added logic to regenerate the PFM access token if the extended attribute pfm_resign_accessToken is true. The new token will only have upn, sub, and unique_name claims.
Updated the JWT Token helper to use the new 2024 signing cert.
Updated base controller to pass configuration information to the Profile Manager Setup logic.
Updated the JWT Helper to accept a certificate version number based on Launcher Setting authBrokerCertVersion.
Updated the logic to pass the desired certificate version for signing Profile Manager access tokens.
Updated auth to use the latest Launcher Provider AAR.
Updated logic to add the certVersion to the token claims.
Release 4.8.34
Released December 2023
Highlights
Handled additional MSAL exceptions, OIDC group fix, and re-authentication fixes.
Details
Added logic to handle scenarios where the MSAL SDK throws a auth_cancelled_by_sdk error.
Fixed issue where re-authentication can be dismissed when useSecondaryAuth is set to "none".
Updated the OIDC parsing of the user information to accept a 'string' version of the groups.
Release 4.8.31
Released November 2023
Highlights
Various enhancements and fixes for MSAL. General fixes for reauth crashes. Additional languages supported.
Details
Added an optional config option 'ignoreAccountChangeBroadcast' for MSAL. This will cause MSAL Auth to ignore change account broadcasts from MS Authenticator while using the InTune shared device mode.
Added logic to remove MSAL data files on logout and login.
Updated the refresh token logic to ensure it has the current session object.
Updated the PIN training logic to use the application context if the parent activity is not available.
Updated MSAL build to allow an Organization to configure the alternateResource to allow generation of a non-encrypted access token.
Added a check for null parent Activity, if null, use Activity "New Task" flag.
Updated MSAL build to use an internal forked version of MSAL 4.6.1.
Fixed logout issue when the Logout button is pressed on NFC reauth screen.
Masked potentially secure credentials in provider.
Reverted MSAL back to 4.6.1 due to issues discovered.
Updated MSAL controller to automatically restart login if cleanup of previous accounts is required.
Added try catches around key MSAL calls.
Removed debug logging of values in auth provider.
Added changes to support getting employeeId field.
Updated graph user info call to include employeeId attribute.
Updated the MSAL gradle file to upload IdP-MSAL AAR.
Various fixes for Reauth and MSAL crash.
Fixed issue where the reauth screen (PIN, NFC or barcode) intermittently gets dismissed on screen on.
Fixed issue where Auth crashes when MS authenticator throws an unknown_error code.
Changed the header layout for NFC, PIN and barcode to use left-aligned layout to account for translations.
Updated base manifest to include Android 13 requirement for Post notification permission.
Added info logging for additional information within MSAL login.
Added logic to request for a different access if alternateResource is set in the configuration.
Added alternateResource to success event.
Added gradle commands to upload IdP-OIDC-Azure AAR.
Added a change to force close the Chrome Custom Tab if the post logout redirect does not occur.
Fixed issue where credentials are not cleared if there is an error at the end of the logout process.
Added the ability for individual IdP to recognize/honor the 'Verify IdP' on Reauth setting. By default, Demo Auth does not honor the setting.
Added ability to use a browsable intent to launch Chrome's Custom Tab.
Added password into Demo Auth session for Staylinked testing.
Fix issue where alternating between barcode and PIN reauth causes a crash.
Fixed an issue where reauth text is colliding in smaller screen (MC93) devices.
Added additional error messages in LDAP auth.
Added localization support for fr-ca and es languages.
Updated the Crash Handler library to 3.0.1.
Release 4.8.9
Released July 28, 2023
Highlights
Added support for remembering previous logged-in user, display password expiration and other fixes/performance improvements.
Details
Fixed crash occurring after login on several scenarios.
Updated Support library for A11+ log uploads.
Updated MSAL Auth to be able to pass a login hint.
Lazy load Android keychain as needed to improve performance.
Capture last password set time to be able to calculate password expiration.
Added ability to cache the previous logged-in user, if enabled.
Updated to specify the client secret on the token refresh to get the device secret.
Release 4.8.0
Released June 22, 2023
Highlights
Updated SDK for MSAL and support for BF Browser with MSAL.
Details
If authorization_user_agent is set to browser, attempt to use BF Browser as preferred browser.
Updated to use MSAL SDK 4.6.1
Release 4.7.20
Released June 9, 2023
Highlights
Updated the PFM Login to set the password field to a default setting.
Release 4.7.19
Released June 6, 2023
Highlights
Updated Google OIDC Support.
Details
Allow for setting the client_secret header during token request for Google OIDC.
Fixed logic to not overwrite the logout URL with what is returned from the wellknown API.
Release 4.7.16
Released May 25, 2023
Highlights
Group handling updated in MSAL and added NFC logout.
Details
Fixed MSAL group handling to support large number of groups.
Update to apply configuration setting
limit_to_launcher_groupsto MSAL auth.Added capability to force a logout by tapping on pre-configured NFC tag.
Release 4.7.15
Released May 9, 2023
Highlights
Bug fix for Auth crashing if useSecondaryAuth was set to none or if reauthentication training was skipped.
Release 4.7.14
Released April 26, 2023
Highlights
Configurability of multiple LDAP connections, which avoids manually prepending domains to the username during login.
Details
Added the ability to generate a unique JWT token when authenticating using LDAP for additional verification/security using a customer's own signing key.
Added the ability to use multiple LDAP connections and domains so that users do not need to enter their domains during login.
Added the ability to perform a Launcher "force logout" from a webpage using Javascript.
Added the ability to use the userId and username from the Azure access token if Graph API access is not available.
Implemented support for auth_default_group configuration setting when using the MSAL Auth.
Release 4.7.11
Released April 13, 2023
Highlights
Users will now be redirected back to the application they were using previously after reauthentication verification.
Details
Introduced
secondaryAuthWhenScreenOffinsettings, which will by default open the reauthentication screen during screen-off, allowing an application that was open before sleeping a device to still be displayed after reauthentication. This behavior also requires Launcher 3.19.4, and will require Draw Over permissions for Auth.Added support for token response type when performing the authorization call in the OIDC flow (previously, only code response type was supported).
Updated ACS logout flow to use the same browser used during the login flow.
Release 4.6.3
Released March 17, 2023
Highlights
Introduces LDAP version 4 and support for Chrome Custom Tab.
Details
Upgraded LDAP Auth to version 4.
Added support for Chrome Custom Tab (CCT) implementation from other browsers (not limited to Chrome).
Updated MSAL Auth to limit groups to direct membership only (e.g. no transitive groups).
Added functionality to prevent user from tapping the Back button during reauth verification.
Release 4.5.14
Released February 10, 2023
Highlights
Workaround to an MSAL issue where the Microsoft Graph directory object APIs fail on first token call after a reboot or install.
Release 4.5.12
Released January 27, 2023
Highlights
Supports Azure MSAL login with Shared Device mode.
Details
Implemented full support for Azure MSAL using InTune in Shared Device mode.
Fixed reauthentication issue for scenarios where PIN or NFC entry is not required.
Release 4.5.9
Released December 21, 2022
Highlights
Bug fixes.
Details
Fixed an issue where the maximum PIN attempt counter was not getting reset.
Fixed an issue with ACS login when using the BlueFletch Browser for authentication.
Release 4.5.4
Released November 30, 2022
Highlights
Additional functionality to support Android 12.
Release 4.5.1
Released November 18, 2022
Highlights
Bug fix to prevent a crash from occurring upon receiving an invalid configuration.
Release 4.4.1
Released September 14, 2022
Highlights
Device secret is available for native SSO.
Details
Added support for device_sso scope for Okta and made the Okta device secret available for apps to perform native SSO.
Added ability to perform a silent authorization with the IDP after reauthentication verification
Release 4.3.19
Released August 30, 2022
Highlights
A major push forward for BlueFletch Authorization support, combining different flavors of OIDC applications into standard OIDC and Azure OIDC binaries.
Many features added, inlcuding support for mulitple secondary reauthorization paths and support for frictionless authorization.
Details
Added missing EditBadgeActivity to Datawedge profile.
Fixed an issue with incorrect extra constant for PIN activity result.
Ensured that FastLoginController data is cleared out on initial login and login cleanup.
Refactored the Fast Login logic to be cleaner.
Created new controller specifically for Fast Login flow.
Moved Fast Login related logic into new Fast Login controller.
Updated ReauthController to disable alternate reauth if using Fast Login.
Updated central auth file names to better reflect contents.
Made GetPinActivity reusable via new GetPinController.
Added the ability to reset a badge via separate ResetBadgeActivity.
Added the ability to edit a badge.
Started logic to be able to switch reauth methods during training.
Added new configuration option 'alternateSecondaryAuth' which can either be NFC, PIN or face as an alternative to the useSecondaryAuth method.
Updated the build pipeline to build EMM versions for Demo, OIDC and OIDC-Azure.
Updated profile manager support for backward compatibility with Auth3.
Applied fixes for face recognition and ET5x barcode scanning.
Added check for face secondary auth in auth controller.
Created a Datawedge status listener in BarcodeAuthController to handle disconnect/connected status from ET5x scanners.
Added a fix for badge login on password change.
Added a check against persisted credentials before and after login in case the user had to update their password during login.
Added logic to prevent error message if password manager data is null/empty.
Moved timber.d log to prevent multiple getEncryptedCredential calls.
Added logic to allow customer defined applications to call SessionActivity. Must be specified in config extended attribute "authSessionClients".
Added support for Force Logout from the PIN Training UI.
Added additional logging to OIDC Post Callback activity.
Fixed code to set the parent activity during reauth processing.
Removed duplicate set of auth parent as not needed.
Reverted back to cleanupAndSendResponse with correct Force Logout action.
Refactored onVerificationCancelled to distinguish between a home/back press vs logout/cancel button tap during verify.
Reverted back initial force logout fixes as not needed.
Added support for new IdP that relies on an external/customer-built auth activity.
Added resolution check for external activity and added callback for errors.
Updated login-silent to always revert to regular login for external IdP.
Updated logic that when verification prompt is shown, user can hit cancel or logout, and then the Launcher will take action based on configuration setting.
Updated logic so that when verification prompt is shown and user taps back or home button, should revert back to Launcher lock screen.
Fixed verification cancel logic on NFC.
Fixed a crash on barcode verification due to unregistered scan receiver.
Updated code to match the cancel/logout button with the current theme, if present.
Applied changes to allow login via browser provider.
Made onLoginCancelled and onLoginFailure public to allow other activities to cancel auth.
Updated OIDC Auth to set the Session Location based on Config Site Id.
Created a new CredentialContentProvider for storing encrypted credentials.
Added AzureAD OIDC support.
Added logic to check for missing authorization configuration object to prevent exceptions.
Added a try / catch around the Theme fetching config logic, but still having issues on Android 11 with get provider info.
Added barcode to central auth login.
Added a barcode capability for reauth.
Moved CredentialProviderHelper and CryptoHelper to separate central auth provider module/aar.
Added a try catch back to BaseActivity get theme.
Fixed an issue where initialization vector is null during encryption.
Added face recognition support (must use version 1.5.+ of EMS Vision).
Fixed an issue where we need to return the reauth flag otherwise the Launcher's custom login intent keeps getting called on successful reauth.
Added try-catch around provider access in the helper.
Reimplemented the session activity for apps and Velocity.
Fixed PIN reauth cancel issues.
Changed provider to signature-level protection.
Fixed null pointer exception crash if epmConfig is not present in the configuration.
Fixed an issue where credential provider is not getting cleared on logout.
Added ability to use the keyboard on the PIN entry screens.
Updated build in an attempt to fix module resolution when using individual AARs.
Removed the NO_HISTORY flag to allow OidcAuthActivity to receive activity results.
Release 3.9.15
Released December 2, 2021
Highlights
Quick start icons available on the Pin Code verification screen and MSAL fixes.
Details
Updated logic to only do a silent auth on reauthentication, otherwise always force entering credentials.
Enhancement to display an icon for quick start application package (secondaryAuthQuickStartPackage) on the Pin verification screen and use the the quick start icon (secondaryAuthQuickStartIcon) if supplied.
Release 3.9.12
Released October 27, 2021
Highlights
Updates for LDAP authentication.
Details
Added support for config replacement for LDAP host and domain.
Added support for switching domains if username contains domain notation, e.g. DOMAIN\username.
Release 3.9.10
Released October 20, 2021
Highlights
Various bug fixes within the PIN Training UI when rendered within landscape orientation.
Details
Updated APK to use the new Crash Handler version.
Added logic to clear Okta and AppAuth preferences on logout.
Removed the dialog theme option on the PIN Training UI.
Added a method to allow custom auth to define it's own OAuth2 configurations.
Fixed an issue with Face Reauth where it was not getting triggered during re-authentication flow because of missing reauth data.
Updated the App Auth Library, removing portrait orientation settings.
Fixed bug so that during user re-authentication, if the user has not set a PIN code, then user is forced to the login UI.
Release 3.8.35
Released September 1, 2021
Highlights
Additional logging within Token Refresh, updates to language translations, and various bug fixes.
Details
Added additional checks in checkForSecondaryAuthFlow function to ensure auth data is provided in the current session.
Added EMS exception handler library to report errors to Support Dashboard.
Updated translations.
Ensured the package version is reported in the device logs, not just the AAR version.
Added error log for unable to load banner image, and added permission request for read external storage.
Added Addtional Token Refresh logging.
Release 3.8.28
Released August 25, 2021
Highlights
Changes around Profile Manager and Reporting.
Details
Removed setupProfileManager in login flow. Now for ACS/PFM login, must declare it in launcher.json as a custom intent.
Updated builds to use latest support library that fixes Android 10 log reporting via device Id.
Release 3.8.26
Released June 24, 2021
Highlights
Changes around Profile Manager and OKTA.
Details
Fix pin screen layout when using on smaller landscape devices
Adjust PFM token refresh to -15 minutes prior to expiration (instead of -5 minutes)
Add additional delays between Okta, PFM logout broadcast and ACS browser logout to help ensure ACS/keycloak cookies are cleared out
Release 3.8.18
Released April 27, 2021
Highlights
Changes around Profile Manager and OKTA.
Details
Attempt to retry when Chrome Custom Tab hangs when calling PFM/ACS authorize
Cleanup Pin/NFC training/verification flow
Release 3.8.9
Released April 8, 2021
Highlights
Changes around logout from Profile Manager and OKTA.
Details
Added application version to the log file.
Changed the ACS Refresh timer flow, fixed the building of the Pending intent
Added Notification to the ACS Refresh token service and made Sticky.
Updated OKTA Token refresh to NOT rebuild the session, but to update the Provider extended Attributes.
Within ACS Token refresh, logged out the condition where ACS Refresh token is not returned from ACS endpoint
Updated logic to NOT send a REFRESH Token message to launcher
Moved the ACS Auth Activity finish logic to the onPause method, in order to allow CCT to start up
Look for user information PARAMS, if there, add to the extended attributes
Adding new com.bluefletch.ems.auth://logout redirect url for Okta logout
Ensure that stopForeground applies to all OS versions.
Fix the HOME button press during PIN Training. Will now log the user out of current session if home button pressed during training and secondaryAuthRequired is true.
Release 3.8.8
Released April 7, 2021
Highlights
Changes for closer integration with Zebra Profile Manager (PFM) during Login flow.
Details
Changes to support BlueFletch Browser with PFM ACS login
Updates to build pipelines.
Fixed incorrect checking for null pfm_acs_browser config
Use the browser specified during login to perform ACS profile manager authentication.
In the event the configuration changes, removes the auth browser shared preference.
Fixed issue where cancelled PIN training is resulting in previous session being reused if secondaryAuth is required.
Will call PFM logout first then call the logout URL if it is available.
Fixes issue on PFM logout where stored ID token was getting cleared before the logout occurred. General logic cleanup, will now logout PFM before clearing ACS cookies.
Prevents auth crashing if specified browser is not installed (falls back to CCT).
Added self-contained token refresh alarm and service for PFM's ACS server.
Added a default refresh timeout of 45 minutes, and changed to perform refresh 15 minutes from expiration.
Release 3.8.4
Released February 24, 2021
Highlights
Changes for closer integration with Zebra Profile Manager (PFM) during Login flow.
Release 3.8.0
Released February 22, 2021
Highlights
Fixes for screen rotation within AppAuth, and updates to formatting of PIN/NFC when in landscape.
Release 3.7.0
Released February 12, 2021
Highlights
OKTA updates to session object.
Details
If 'custom_fields' exist in OTKA user object, will place a copy in the Session Objects Extended Attributes
Release 3.6.2
Released February 11, 2021
Highlights
PIN code enhancements
Details
Set a fixed # of PIN digits
Prevent usage of more than 3 consecutive digits
Prevent usage of more than 3 sequential digits
Prevent usage of PINs that belong in a user configured comma-delimited list.
Forcibly log out currently logged in user if # of maximum PIN retries were exceeded.
Release 3.5.1
Released January 13, 2021
Highlights
Bug Fixes related to OKTA Token refresh and improved Profile manager integration.
Details
During logout of LOCAL ADMIN, OKTA Logout is not completing. As not logged into OKTA, logout logic is now bypassed.
Launcher properly notified of OKTA Refresh token update.
OKTA code to allow login by authenticating directly with Profile Manager ACS server.
Release 3.4.7
Released December 2020
Highlights
Bug Fixes
Details
Fixes issue with Okta error message on logout
Fixes issue where PIN entry fails using a different language
Okta groups now supported within the AppAuth module
Release 3.4.1
Released December 2020
Highlights
Support for Zebra Profile Manager integration.
Details
Per Launcher configuration setting, upon login or logout, will notify Zebra Profile Manager of action.
Fix for auto token refresh.
Fix for OKTA Session Auth when only one multi factor auth requirement option is available.
Support for Android 10 Device Id.
Release 3.3.6
Released November 2020
Highlights
Common logging support and start of Internationalization.
Details
Internationalization for Auth apk
Update German translations from external review
Passing the cookie retrieved from login
Okta Session support for Multi Factor auth question, sms, okta verify
Passing of Access Token to Profile Manager
Fix Okta auth setting within Pref utils, to support Profile Manager
Release 3.2.2
Released September 8, 2020
Highlights
NFC as secondary authentication, MSAL fix
Details
Officially supports NFC tags as secondary auth, useSecondaryAuth="nfc"
Fix issue for MSAL auth in Android 9 devices preventing logout/cleanup.
Release 3.1.2
Released August 30, 2020
Highlights
Pin changes, MSAL and OAuth2 Enhancements/Fixes, UI improvements, BF Browser support, Logging
Details
Changed MSAL token generation to allow third party signature validation
Updated MSAL to use $top parameter to retrieve large group memberships
Secondary Auth may now be set to required
Fixes group retrieval for some LDAP configurations
Add option to perform a logout if the user cancels the secondary auth training.
Add option to change the minimum pin length (minimum of 4, default of 6).
Pin pad now follows the font style and light/dark theme set in the configuration
Fix AppAuth issue where user receives an invalid code error if the user cancels the secondary auth pin creation screen.
Fix AppAuth issue where the user is not prompted to re-enter credentials if they cancel the pin reauth screen.
Added configuration option to use BF Browser instead of CCT
Release 3.0.3
Released June 23, 2020
Highlights
Custom CA support, support for https redirect, Android X, bug fixes
Details
OAuth2 auth changes to support use of a self-signed/custom CA user certificate installed on the device
Ability to support https callback redirect URL (for some IdPs that require https protocol)
Fixes for losing pin credentials in some scenarios when using Okta auth
Upgraded code to use Android X libraries
Release 1.8.1
Released March 30, 2020
Highlights
Null pointer checks during Secondary Authorization flow
Details
Null pointer checks during Secondary Authorization flow
Release 1.7.1
Released February 20, 2020
Highlights
OKTA Pie Bug fix.
Details
Tweaks to OTKTA Auth check on PIE OS
Logic checks when starting the service broker
Release 1.6.2
Released February 18, 2020
Highlights
Enhancements to PIN secondary auth functionality and bug fixes.
Details
PIN Re-authentication now does not require a separate binary, and is now built into the base Auth apk.
Set minimum pin entry to 6 digits.
Fixes issue where LDAP Auth would crash if no groups were returned.
Fixes for OKTA Groups within OKTA Rest.
Android 9 foreground service fix
Release 1.4.3
Released January 22, 2020
Highlights
Builds for OKTA Rest APK's now going to production. After OKTA Logout, go to HOME Launcher.
Details
Start building OKTA REST Auth Clients. Our pipeline has been building them, but we have been removing prior to deploying to GCP.
Use correct logout function for demo auth.
After Logout, force to go to HOME launcher
Release 1.3.7
Released December 2, 2019
Highlights
Added Force Logout support for OKTA logouts. This is to ensure clearing the cookies within Chrome.
Details
Force OKTA logout URL Support
Added a Flag to stop onResume processing during LOGOUT Tab display
Release 1.3.5
Released November 19, 2019
Highlights
Changes to the Session Token Refresh logic and updates to OKTA Auth, including warming up the Custom Tab browser for quicker logoff.
Details
Updated the app icons
Support for new OAUTH field within Session object
Hide the OKTA logout page
Modified the code to WARM UP the Chrome tab browser.
Updated logic to warm up the browser before logout. seems to fix the display of the error message
Additional changes for Session Token Refresh
Release 1.2.1
Released November 5, 2019
Highlights
Additional changes for Session Activity.
Details
Changed Session activity to better support Velocity
If an Error dialog is being displayed, do not attempt to display another one
Release 1.1.4
Released November 5, 2019
Highlights
Updates to the Session Activity and UI / Theming changes.
Details
Changed Session activity to better support Velocity
If an Error dialog is being displayed, do not attempt to display another one
Updated the OKTA Rest Logic to allow for Overriding Client Info via Config or * Strings in custom APK's
Updated logic to make startLogin abstract.
Added providerSettingsAvailable method that needs implemented. Have changed all the auth providers to implment providerSettingsAvailable
More UI tweaks. Default Login input text now follows accent color, and can use new transparent/wallpaper functionality from Launcher.
Fixed NFC background issue. added error message dialog within one Login update positioning of alert. changed text
When detecting an Error condition within OKTA / ONE LOGIN, display a message
Removed NFC Background
Added ROLE logic
For Okta, display a default background if not provided from new launcher
Added new Session Activity. Purpose is to allow for getting the Session Data from the start Activity for Result.
Fixed Background and Banner display
Updated logic and added new Logo Image. fixed display of the logo
OKTA Cache busting logic on User info
Release 1.0.60
Released October 8, 2019
Highlights
Initial release of ADFS support
Details
Removed the Configuration setting overrides within the AUTH logic.
Added Store Manager login . store, stpass
Initial check-in for using ADAL on ADFS 3.0
Added a way to default the Domain
Fixed issue where user taps on home button to cancel
Added trust all SSL option for LDAP authentication; updated to newer unboundid ldap sdk.
Added support for new Auth settings
Added backward compatibility for ADAL with older launchers.
Release 1.0.57
Released August 7, 2019
Highlights
Fix for building User Session Groups.
Details
Changed the comma to a BAR, which is what Launcher is looking for in the groups separation
Last updated