We are proud to announce the 18.0 release of Topicus KeyHub. This release brings a completely new way of authorizing clients to act on their own, allowing further automation with KeyHub without compromising your security. We've also worked hard to further improve the stability of our high availability solution. This release also brings many small usability improvements. As usual, a number of smaller improvements have been made and several issues have been fixed.

Client permissions

TKH-1650 TKH-1677 Traditionally, OAuth2 clients using the client credentials grant only had a limited set of fixed permissions in Topicus KeyHub. It was possible to grant access to vaults and to some details about groups. With 18.0, this has become a lot more flexible. It is now possible to grant clients permissions ranging from queries on accounts or groups to deleting accounts or creating groups. Naturally, it is still possible to grant access to vaults. All previously granted permissions are automatically converted to the new model.

In the future we expect to add many more permissions to this model. If you have specific needs for permissions, please contact us.

[Screenshot: granted permissions to applications]

Webhooks for group managers

TKH-752 Webhooks for groups no longer fall under the domain of KeyHub administrators. These webhooks are now managed by the groups themselves. A group manager can easily create a webhook to deliver all audit records relevant for that group to a certain endpoint.

[Screenshot: webhooks for group managers]

Add claims to the id_token

TKH-1689 The OpenID Connect protocol by default only puts a very limited number of claims in the id_token. Some applications incorrectly assume that claims that reside in the userinfo endpoint are automatically also placed in the id_token. It is now possible to configure KeyHub to add these claims to the id_token, even when the application does not explicitly request them. This makes it possible to use OIDC with some applications that do not strictly comply with the standard.
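As an added illustration (not KeyHub code), the following Python check decodes the payload of an id_token and reports which claims an application expects but the token does not carry; a non-empty result is the situation this setting is meant to cover. The sample tokens, issuer URL and expected claim set are constructed for the example, and signature verification is assumed to be done by the OIDC library in use, not here.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(payload: dict) -> str:
    # Constructed sample only: header and payload with a placeholder signature
    # segment, because this check inspects claims and does not verify signatures.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"


def id_token_claims(id_token: str) -> dict:
    # Compact JWS form is header.payload.signature; the payload holds the claims.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS id_token (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(id_token: str, expected: set) -> set:
    # Claims the application wants from the id_token but which are absent there
    # (and would normally only be available from the userinfo endpoint).
    return expected - set(id_token_claims(id_token))


# Hypothetical claim set an application wrongly expects in the id_token.
APP_EXPECTS = {"sub", "email", "name", "groups"}

# Constructed payloads: the standard minimal id_token, and one enriched with
# the extra claims the application expects.
DEFAULT_PAYLOAD = {"iss": "https://keyhub.example", "sub": "u123", "aud": "app",
                   "exp": 1700000000, "iat": 1699996400, "nonce": "n-0"}
ENRICHED_PAYLOAD = {**DEFAULT_PAYLOAD, "email": "a@example.com",
                    "name": "A. User", "groups": ["admins"]}

DEFAULT_TOKEN = make_sample_id_token(DEFAULT_PAYLOAD)
ENRICHED_TOKEN = make_sample_id_token(ENRICHED_PAYLOAD)

if __name__ == "__main__":
    print("missing with default claims:", sorted(missing_claims(DEFAULT_TOKEN, APP_EXPECTS)))
    print("missing after enrichment:", sorted(missing_claims(ENRICHED_TOKEN, APP_EXPECTS)))
```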

Improvements to the appliance

We've received a lot of feedback on our appliance and the configuration of high availability. In 18.0, we've made many smaller and bigger improvements to enhance the stability of a cluster and to prevent accidental data loss. The following issues were resolved for our appliance:

  • TKH-1630 The docker containers now run with read-only filesystems making it much harder to exploit a potential vulnerability.
  • TKH-1652 The appliance manager no longer reads its settings from Topicus KeyHub itself. Previously, this could cause the appliance manager to become unresponsive in the event of a problem with the application itself.
  • TKH-1659 When applying configuration changes in a cluster, the appliance manager will no longer stop on the first error but will continue to apply the configuration on other nodes. This makes it possible to repair a cluster when one node is unresponsive.
  • TKH-1662 An action button was added to synchronize the configuration of a single node in the cluster.
  • TKH-1663 When adding a new node to the cluster, the new node is now always configured last. Previously, existing nodes in the cluster could refuse the connection of the new node because they had not yet received the new keys.
  • TKH-1664 Let's Encrypt certificates are now correctly renewed when synchronizing the configuration.
  • TKH-1665 Synchronizing the configuration on new nodes in a cluster no longer results in an error when some required information was not yet gathered on that node.
  • TKH-1679 It is no longer required to specify ports in the firewall configuration for the monitoring zone. If no ports are specified, only TCP port 9443 is exposed.
  • TKH-1680 Specifying TCP port 9443 for the monitoring zone no longer gives an error.
  • TKH-1684 An error was fixed when upgrading an older version of KeyHub to 17.2 or later.
  • TKH-1691 When restoring a database on a node in the cluster, the appliance manager now warns when it detects potential data loss, such as when trying to restore an empty database over a non-empty one.
  • TKH-1693 The appliance will no longer automatically restore snapshots that are over 4 hours old. This prevents data loss when a snapshot was not properly removed on a previous update. It is still possible to manually restore such a snapshot.
  • TKH-1694 Trying to restore a backup that lacks certain configuration files should no longer result in an error.
  • TKH-1698 Pgpool was updated to the latest version, 4.2.2.
  • TKH-1706 Rewinding on failover is now more reliable, reducing the chance that a full base backup is needed.

Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1578 When using multiple directories, Topicus KeyHub will now automatically ensure usernames are unique by adding a number suffix when usernames would otherwise conflict.
  • TKH-1584 It is now possible to navigate between the source and target vault of a shared vault record if you have the permissions to view both.
  • TKH-1623 When copying or moving a vault record to a vault where you don't have the permission to remove it, you are now asked for confirmation first.
  • TKH-1635 The documentation on expired vault records was updated with more screenshots.
  • TKH-1640 Several improvements were made throughout Topicus KeyHub to make the application easier to use with a screen reader for visually impaired users.
  • TKH-1641 The button to share, copy or move a vault record has been made much more prominent to make it easier to find.
  • TKH-1644 The installation guide for Topicus KeyHub on Azure was revised.
  • TKH-1645 Many improvements were made to our testing infrastructure to greatly reduce the duration of the build while at the same time improving its reliability.
  • TKH-1656 The feedback on badly formulated queries via the CLI has been improved.
  • TKH-1658 Some styling improvements were made to the launchpad.
  • TKH-1666 An error was fixed that prevented KeyHub administrators from accessing the list of accounts for private groups.
  • TKH-1667 The vaults page will now correctly always load all appropriate entries when changing the filtering.
  • TKH-1674 It is now possible to create multiple provisioning groups in one call when creating a group on a system via the API.
  • TKH-1678 An error was fixed that prevented the dashboard from loading when a private group requested authorization.
  • TKH-1682 The Feature-Policy/Permissions-Policy header was updated to prevent warnings in some browsers.
  • TKH-1683 Several irrelevant options are no longer displayed when configuring the first directory during installation.
  • TKH-1686 The documentation for importing vault records via the CLI was fixed.
  • TKH-1688 Passwords are now copied directly to the clipboard using the new async clipboard API. This works in all major browsers, with the exception of Safari.
  • TKH-1690 A textual error was fixed when displaying audit records about expired vault records.
  • TKH-1695 The manual about restoring backups was revised.
  • TKH-1697 The application server was upgraded to WildFly 23.0.1.
  • TKH-1703 It is now possible to store files up to 2MB in the vault.
  • TKH-1708 The vault write command with the --file parameter now correctly uploads the contents of the file, instead of the file name.