Release Notes
This document contains the release notes for the BlueFletch Authorization module.
Package: com.bluefletch.ems.auth
Binaries can be found on the BlueFletch Portal Downloads page.
Release 4.7.15
Released May 9, 2023
Highlights
- Bug fix for Auth crashing if useSecondaryAuth was set to none or if reauthentication training was skipped.
Release 4.7.14
Released April 26, 2023
Highlights
Configurability of multiple LDAP connections, which avoids manually prepending domains to the username during login.
Details
- Added the ability to generate a unique JWT token when authenticating using LDAP for additional verification/security using a customer's own signing key.
- Added the ability to use multiple LDAP connections and domains so that users do not need to enter their domains during login.
- Added the ability to perform a Launcher "force logout" from a webpage using JavaScript.
- Added the ability to use the userId and username from the Azure access token if Graph API access is not available.
- Implemented support for auth_default_group configuration setting when using the MSAL Auth.
Release 4.7.11
Released April 13, 2023
Highlights
Users will now be redirected back to the application they were using previously after reauthentication verification.
Details
- Introduced secondaryAuthWhenScreenOff in settings, which will by default open the reauthentication screen during screen-off, allowing an application that was open before sleeping a device to still be displayed after reauthentication. This behavior also requires Launcher 3.19.4, and will require Draw Over permissions for Auth.
- Added support for token response type when performing the authorization call in the OIDC flow (previously, only code response type was supported).
- Updated ACS logout flow to use the same browser used during the login flow.
Release 4.6.3
Released March 17, 2023
Highlights
Introduces LDAP version 4 and support for Chrome Custom Tab.
Details
- Upgraded LDAP Auth to version 4.
- Added support for Chrome Custom Tab (CCT) implementation from other browsers (not limited to Chrome).
- Updated MSAL Auth to limit groups to direct membership only (e.g. no transitive groups).
- Added functionality to prevent user from tapping the Back button during reauth verification.
Release 4.5.14
Released February 10, 2023
Highlights
Workaround to an MSAL issue where the Microsoft Graph directory object APIs fail on first token call after a reboot or install.
Release 4.5.12
Released January 27, 2023
Highlights
Supports Azure MSAL login with Shared Device mode.
Details
- Implemented full support for Azure MSAL using InTune in Shared Device mode.
- Fixed reauthentication issue for scenarios where PIN or NFC entry is not required.
Release 4.5.9
Released December 21, 2022
Highlights
Bug fixes.
Details
- Fixed an issue where the maximum PIN attempt counter was not getting reset.
- Fixed an issue with ACS login when using the BlueFletch Browser for authentication.
Release 4.5.4
Released November 30, 2022
Highlights
- Additional functionality to support Android 12.
Release 4.5.1
Released November 18, 2022
Highlights
- Bug fix to prevent a crash from occurring upon receiving an invalid configuration.
Release 4.4.1
Released September 14, 2022
Highlights
Device secret is available for native SSO.
Details
- Added support for device_sso scope for Okta and made the Okta device secret available for apps to perform native SSO.
- Added ability to perform a silent authorization with the IDP after reauthentication verification
Release 4.3.19
Released August 30, 2022
Highlights
A major push forward for BlueFletch Authorization support, combining different flavors of OIDC applications into standard OIDC and Azure OIDC binaries.
Many features added, including support for multiple secondary reauthorization paths and support for frictionless authorization.
Details
- Added missing EditBadgeActivity to Datawedge profile.
- Fixed an issue with incorrect extra constant for PIN activity result.
- Ensured that FastLoginController data is cleared out on initial login and login cleanup.
- Refactored the Fast Login logic to be cleaner.
- Created new controller specifically for Fast Login flow.
- Moved Fast Login related logic into new Fast Login controller.
- Updated ReauthController to disable alternate reauth if using Fast Login.
- Updated central auth file names to better reflect contents.
- Made GetPinActivity reusable via new GetPinController.
- Added the ability to reset a badge via separate ResetBadgeActivity.
- Added the ability to edit a badge.
- Started logic to be able to switch reauth methods during training.
- Added new configuration option 'alternateSecondaryAuth' which can either be NFC, PIN or face as an alternative to the useSecondaryAuth method.
- Updated the build pipeline to build EMM versions for Demo, OIDC and OIDC-Azure.
- Updated profile manager support for backward compatibility with Auth3.
- Applied fixes for face recognition and ET5x barcode scanning.
- Added check for face secondary auth in auth controller.
- Created a Datawedge status listener in BarcodeAuthController to handle disconnect/connected status from ET5x scanners.
- Added a fix for badge login on password change.
- Added a check against persisted credentials before and after login in case the user had to update their password during login.
- Added logic to prevent error message if password manager data is null/empty.
- Moved timber.d log to prevent multiple getEncryptedCredential calls.
- Added logic to allow customer defined applications to call SessionActivity. Must be specified in config extended attribute "authSessionClients".
- Added support for Force Logout from the PIN Training UI.
- Added additional logging to OIDC Post Callback activity.
- Fixed code to set the parent activity during reauth processing.
- Removed duplicate set of auth parent as not needed.
- Reverted back to cleanupAndSendResponse with correct Force Logout action.
- Refactored onVerificationCancelled to distinguish between a home/back press vs logout/cancel button tap during verify.
- Reverted back initial force logout fixes as not needed.
- Added support for new IdP that relies on an external/customer-built auth activity.
- Added resolution check for external activity and added callback for errors.
- Updated login-silent to always revert to regular login for external IdP.
- Updated logic that when verification prompt is shown, user can hit cancel or logout, and then the Launcher will take action based on configuration setting.
- Updated logic so that when verification prompt is shown and user taps back or home button, should revert back to Launcher lock screen.
- Fixed verification cancel logic on NFC.
- Fixed a crash on barcode verification due to unregistered scan receiver.
- Updated code to match the cancel/logout button with the current theme, if present.
- Applied changes to allow login via browser provider.
- Made onLoginCancelled and onLoginFailure public to allow other activities to cancel auth.
- Updated OIDC Auth to set the Session Location based on Config Site Id.
- Created a new CredentialContentProvider for storing encrypted credentials.
- Added AzureAD OIDC support.
- Added logic to check for missing authorization configuration object to prevent exceptions.
- Added a try / catch around the Theme fetching config logic, but still having issues on Android 11 with get provider info.
- Added barcode to central auth login.
- Added a barcode capability for reauth.
- Moved CredentialProviderHelper and CryptoHelper to separate central auth provider module/aar.
- Added a try catch back to BaseActivity get theme.
- Fixed an issue where initialization vector is null during encryption.
- Added face recognition support (must use version 1.5.+ of EMS Vision).
- Fixed an issue where we need to return the reauth flag otherwise the Launcher's custom login intent keeps getting called on successful reauth.
- Added try-catch around provider access in the helper.
- Reimplemented the session activity for apps and Velocity.
- Fixed PIN reauth cancel issues.
- Changed provider to signature-level protection.
- Fixed null pointer exception crash if epmConfig is not present in the configuration.
- Fixed an issue where credential provider is not getting cleared on logout.
- Added ability to use the keyboard on the PIN entry screens.
- Updated build in an attempt to fix module resolution when using individual AARs.
- Removed the NO_HISTORY flag to allow OidcAuthActivity to receive activity results.
Release 3.9.15
Released December 2, 2021
Highlights
Quick start icons available on the Pin Code verification screen and MSAL fixes.
Details
- Updated logic to only do a silent auth on reauthentication, otherwise always force entering credentials.
- Enhancement to display an icon for quick start application package (secondaryAuthQuickStartPackage) on the Pin verification screen and use the quick start icon (secondaryAuthQuickStartIcon) if supplied.
Release 3.9.12
Released October 27, 2021
Highlights
Updates for LDAP authentication.
Details
- Added support for config replacement for LDAP host and domain.
- Added support for switching domains if username contains domain notation, e.g. DOMAIN\username.
Release 3.9.10
Released October 20, 2021
Highlights
Various bug fixes within the PIN Training UI when rendered within landscape orientation.
Details
- Updated APK to use the new Crash Handler version.
- Added logic to clear Okta and AppAuth preferences on logout.
- Removed the dialog theme option on the PIN Training UI.
- Added a method to allow custom auth to define its own OAuth2 configurations.
- Fixed an issue with Face Reauth where it was not getting triggered during re-authentication flow because of missing reauth data.
- Updated the App Auth Library, removing portrait orientation settings.
- Fixed bug so that during user re-authentication, if the user has not set a PIN code, then user is forced to the login UI.
Release 3.8.35
Released September 1, 2021
Highlights
Additional logging within Token Refresh, updates to language translations, and various bug fixes.
Details
- Added additional checks in checkForSecondaryAuthFlow function to ensure auth data is provided in the current session.
- Added EMS exception handler library to report errors to Support Dashboard.
- Updated translations.
- Ensured the package version is reported in the device logs, not just the AAR version.
- Added error log for unable to load banner image, and added permission request for read external storage.
- Added additional Token Refresh logging.
Release 3.8.28
Released August 25, 2021
Highlights
Changes around Profile Manager and Reporting.
Details
- Removed setupProfileManager in login flow. Now for ACS/PFM login, must declare it in launcher.json as a custom intent.
- Updated builds to use latest support library that fixes Android 10 log reporting via device Id.
Release 3.8.26
Released June 24, 2021
Highlights
Changes around Profile Manager and OKTA.
Details
- Fix pin screen layout when using on smaller landscape devices
- Adjust PFM token refresh to -15 minutes prior to expiration (instead of -5 minutes)
- Add additional delays between Okta, PFM logout broadcast and ACS browser logout to help ensure ACS/keycloak cookies are cleared out
Release 3.8.18
Released April 27, 2021
Highlights
Changes around Profile Manager and OKTA.
Details
- Attempt to retry when Chrome Custom Tab hangs when calling PFM/ACS authorize
- Cleanup Pin/NFC training/verification flow
Release 3.8.9
Released April 8, 2021
Highlights
Changes around logout from Profile Manager and OKTA.
Details
- Added application version to the log file.
- Changed the ACS Refresh timer flow, fixed the building of the Pending intent
- Added Notification to the ACS Refresh token service and made Sticky.
- Updated OKTA Token refresh to NOT rebuild the session, but to update the Provider extended Attributes.
- Within ACS Token refresh, logged out the condition where ACS Refresh token is not returned from ACS endpoint
- Updated logic to NOT send a REFRESH Token message to launcher
- Moved the ACS Auth Activity finish logic to the onPause method, in order to allow CCT to start up
- Look for user information PARAMS, if there, add to the extended attributes
- Adding new com.bluefletch.ems.auth://logout redirect url for Okta logout
- Ensure that stopForeground applies to all OS versions.
- Fix the HOME button press during PIN Training. Will now log the user out of current session if home button pressed during training and secondaryAuthRequired is true.
Release 3.8.8
Released April 7, 2021
Highlights
Changes for closer integration with Zebra Profile Manager (PFM) during Login flow.
Details
- Changes to support BlueFletch Browser with PFM ACS login
- Updates to build pipelines.
- Fixed incorrect checking for null pfm_acs_browser config
- Use the browser specified during login to perform ACS profile manager authentication.
- In the event the configuration changes, removes the auth browser shared preference.
- Fixed issue where cancelled PIN training is resulting in previous session being reused if secondaryAuth is required.
- Will call PFM logout first then call the logout URL if it is available.
- Fixes issue on PFM logout where stored ID token was getting cleared before the logout occurred. General logic cleanup, will now logout PFM before clearing ACS cookies.
- Prevents auth crashing if specified browser is not installed (falls back to CCT).
- Added self-contained token refresh alarm and service for PFM's ACS server.
- Added a default refresh timeout of 45 minutes, and changed to perform refresh 15 minutes from expiration.
Release 3.8.4
Released February 24, 2021
Highlights
Changes for closer integration with Zebra Profile Manager (PFM) during Login flow.
Release 3.8.0
Released February 22, 2021
Highlights
Fixes for screen rotation within AppAuth, and updates to formatting of PIN/NFC when in landscape.
Release 3.7.0
Released February 12, 2021
Highlights
OKTA updates to session object.
Details
- If 'custom_fields' exist in OKTA user object, will place a copy in the Session Objects Extended Attributes
Release 3.6.2
Released February 11, 2021
Highlights
PIN code enhancements
Details
- Set a fixed # of PIN digits
- Prevent usage of more than 3 consecutive digits
- Prevent usage of more than 3 sequential digits
- Prevent usage of PINs that belong in a user configured comma-delimited list.
- Forcibly log out currently logged in user if # of maximum PIN retries were exceeded.
Release 3.5.1
Released January 13, 2021
Highlights
Bug Fixes related to OKTA Token refresh and improved Profile manager integration.
Details
- During logout of LOCAL ADMIN, OKTA Logout is not completing. As not logged into OKTA, logout logic is now bypassed.
- Launcher properly notified of OKTA Refresh token update.
- OKTA code to allow login by authenticating directly with Profile Manager ACS server.
Release 3.4.7
Released December 2020
Highlights
Bug Fixes
Details
- Fixes issue with Okta error message on logout
- Fixes issue where PIN entry fails using a different language
- Okta groups now supported within the AppAuth module
Release 3.4.1
Released December 2020
Highlights
Support for Zebra Profile Manager integration.
Details
- Per Launcher configuration setting, upon login or logout, will notify Zebra Profile Manager of action.
- Fix for auto token refresh.
- Fix for OKTA Session Auth when only one multi factor auth requirement option is available.
- Support for Android 10 Device Id.
Release 3.3.6
Released November 2020
Highlights
Common logging support and start of Internationalization.
Details
- Internationalization for Auth apk
- Update German translations from external review
- Passing the cookie retrieved from login
- Okta Session support for Multi Factor auth question, sms, okta verify
- Passing of Access Token to Profile Manager
- Fix Okta auth setting within Pref utils, to support Profile Manager
Release 3.2.2
Released September 8, 2020
Highlights
NFC as secondary authentication, MSAL fix
Details
- Officially supports NFC tags as secondary auth, useSecondaryAuth="nfc"
- Fix issue for MSAL auth in Android 9 devices preventing logout/cleanup.
Release 3.1.2
Released August 30, 2020
Highlights
Pin changes, MSAL and OAuth2 Enhancements/Fixes, UI improvements, BF Browser support, Logging
Details
- Changed MSAL token generation to allow third party signature validation
- Updated MSAL to use $top parameter to retrieve large group memberships
- Secondary Auth may now be set to required
- Fixes group retrieval for some LDAP configurations
- Add option to perform a logout if the user cancels the secondary auth training.
- Add option to change the minimum pin length (minimum of 4, default of 6).
- Pin pad now follows the font style and light/dark theme set in the configuration
- Fix AppAuth issue where user receives an invalid code error if the user cancels the secondary auth pin creation screen.
- Fix AppAuth issue where the user is not prompted to re-enter credentials if they cancel the pin reauth screen.
- Added configuration option to use BF Browser instead of CCT
Release 3.0.3
Released June 23, 2020
Highlights
Custom CA support, support for https redirect, Android X, bug fixes
Details
- OAuth2 auth changes to support use of a self-signed/custom CA user certificate installed on the device
- Ability to support https callback redirect URL (for some IdPs that require https protocol)
- Fixes for losing pin credentials in some scenarios when using Okta auth
- Upgraded code to use Android X libraries
Release 1.8.1
Released March 30, 2020
Highlights
Null pointer checks during Secondary Authorization flow
Details
- Null pointer checks during Secondary Authorization flow
Release 1.7.1
Released February 20, 2020
Highlights
OKTA Pie Bug fix.
Details
- Tweaks to OKTA Auth check on PIE OS
- Logic checks when starting the service broker
Release 1.6.2
Released February 18, 2020
Highlights
Enhancements to PIN secondary auth functionality and bug fixes.
Details
- PIN Re-authentication now does not require a separate binary, and is now built into the base Auth apk.
- Set minimum pin entry to 6 digits.
- Fixes issue where LDAP Auth would crash if no groups were returned.
- Fixes for OKTA Groups within OKTA Rest.
- Android 9 foreground service fix
Release 1.4.3
Released January 22, 2020
Highlights
Builds for OKTA Rest APK's now going to production. After OKTA Logout, go to HOME Launcher.
Details
- Start building OKTA REST Auth Clients. Our pipeline has been building them, but we have been removing prior to deploying to GCP.
- Use correct logout function for demo auth.
- After Logout, force to go to HOME launcher
Release 1.3.7
Released December 2, 2019
Highlights
Added Force Logout support for OKTA logouts. This is to ensure clearing the cookies within Chrome.
Details
- Force OKTA logout URL Support
- Added a Flag to stop onResume processing during LOGOUT Tab display
Release 1.3.5
Released November 19, 2019
Highlights
Changes to the Session Token Refresh logic and updates to OKTA Auth, including warming up the Custom Tab browser for quicker logoff.
Details
- Updated the app icons
- Support for new OAUTH field within Session object
- Hide the OKTA logout page
- Modified the code to WARM UP the Chrome tab browser.
- Updated logic to warm up the browser before logout. Seems to fix the display of the error message
- Additional changes for Session Token Refresh
Release 1.2.1
Released November 5, 2019
Highlights
Additional changes for Session Activity.
Details
- Changed Session activity to better support Velocity
- If an Error dialog is being displayed, do not attempt to display another one
Release 1.1.4
Released November 5, 2019
Highlights
Updates to the Session Activity and UI / Theming changes.
Details
- Changed Session activity to better support Velocity
- If an Error dialog is being displayed, do not attempt to display another one
- Updated the OKTA Rest Logic to allow for Overriding Client Info via Config or * Strings in custom APK's
- Updated logic to make startLogin abstract.
- Added providerSettingsAvailable method that needs to be implemented. Have changed all the auth providers to implement providerSettingsAvailable
- More UI tweaks. Default Login input text now follows accent color, and can use new transparent/wallpaper functionality from Launcher.
- Fixed NFC background issue; added error message dialog within One Login; updated positioning of alert; changed text
- When detecting an Error condition within OKTA / ONE LOGIN, display a message
- Removed NFC Background
- Added ROLE logic
- For Okta, display a default background if not provided from new launcher
- Added new Session Activity. Purpose is to allow for getting the Session Data from the start Activity for Result.
- Fixed Background and Banner display
- Updated logic and added new Logo Image. fixed display of the logo
- OKTA Cache busting logic on User info
Release 1.0.60
Released October 8, 2019
Highlights
Initial release of ADFS support
Details
- Removed the Configuration setting overrides within the AUTH logic.
- Added Store Manager login . store, stpass
- Initial check-in for using ADAL on ADFS 3.0
- Added a way to default the Domain
- Fixed issue where user taps on home button to cancel
- Added trust all SSL option for LDAP authentication; updated to newer unboundid ldap sdk.
- Added support for new Auth settings
- Added backward compatibility for ADAL with older launchers.
Release 1.0.57
Released August 7, 2019
Highlights
Fix for building User Session Groups.
Details
- Changed the comma to a BAR, which is what Launcher is looking for in the groups separation