We are proud to announce Topicus KeyHub 48. This release enhances the OAuth2 device authorization grant for authenticating input-constrained devices such as command-line tools, significantly expands the AFAS integration with write-back support for attributes, and extends Separation of Duties with a formal review workflow for group exclusion requests. As always, this release also contains a large number of improvements and bug fixes.
TKH-3731 The OAuth2 device authorization grant is disabled by default on all existing and newly created OAuth2 applications. Administrators must explicitly enable the "Allow device authorization grant" option on each application that is intended to use this grant type.
TKH-3749 Topicus KeyHub now supports HTTP/3 over QUIC, with post-quantum key exchange enabled by default for TLS. QUIC uses UDP rather than TCP, so the relevant UDP port must be opened in any firewall between the appliance and its clients. Clients that cannot reach the UDP port fall back transparently to HTTP/2 over TCP.
With the inclusion of the latest operating system updates, this release fixes the Copy Fail vulnerability. For more information on the impact of the Copy Fail vulnerability on Topicus KeyHub, read our blog post on this topic.
Topicus KeyHub supports the OAuth2 device authorization grant as specified in RFC 8628. This grant type allows users to authenticate applications running on input-constrained devices — such as smart TVs, IoT hardware, and command-line tools — by completing the authorisation on a separate, trusted device such as a phone or laptop. In this release, the user flow has been hardened substantially to better protect against phishing attacks.
TKH-3731 A new "Allow device authorization grant" option has been added to the OAuth2 application configuration. Only when this option is enabled can the application initiate the device authorization flow and obtain tokens after the user approves the request in their browser.
TKH-3733 When approving a device request, the location and IP address of both the requesting device and the approving browser are shown to the user. Recognised locations and networks can be trusted on first use, streamlining subsequent approvals from the same environment without compromising oversight.
TKH-3732 Dedicated audit record types have been added for the device authorization grant, recording when a device code is issued, verified and approved, or rejected. This provides a clear audit trail for device-based authentications, including cases where approval is declined by the user.
TKH-3776 Audit records for token signing are now emitted at the moment the token is actually signed rather than at the authentication endpoint. This eliminates spurious entries when a user declines a consent prompt, and removes duplicate records that previously appeared in the device-code flow where user verification redirects back through the authentication endpoint.
(Screenshot: Approving a device authorization request)
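To make the flow described above concrete, here is an added simulation of the RFC 8628 device authorization grant as a single in-process model: the per-application enablement gate, the user-code approval on a trusted browser with both endpoints' addresses recorded, client polling with the RFC error codes (authorization_pending, slow_down, access_denied, expired_token), and an audit trail in which the signing record is written only when a token is actually issued. This is example code, not Topicus KeyHub's implementation; the application table, the verification URI hostname, the IP addresses and the audit event names are constructed for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample applications; the flag stands in for the
# "Allow device authorization grant" option, which is off by default.
APPLICATIONS = {
    "cli-tool": {"device_grant_enabled": True},
    "legacy-app": {"device_grant_enabled": False},
}
VERIFICATION_URI = "https://keyhub.example/device"  # placeholder hostname
CODE_LIFETIME = 600   # seconds a device code stays valid
POLL_INTERVAL = 5     # minimum seconds between token polls


@dataclass
class DeviceCode:
    client_id: str
    device_code: str
    user_code: str
    expires_at: float
    interval: int = POLL_INTERVAL
    status: str = "pending"   # pending | approved | denied
    last_poll: float = 0.0


class FakeClock:
    """Deterministic clock so the exchange can be replayed step by step."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class DeviceGrantServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}          # device_code -> DeviceCode
        self.by_user_code = {}   # user_code -> DeviceCode
        self.audit = []          # (event, client_id, user_code, detail)

    def device_authorization(self, client_id):
        """Device authorization endpoint (RFC 8628 sections 3.1 and 3.2)."""
        app = APPLICATIONS.get(client_id)
        if app is None or not app["device_grant_enabled"]:
            return {"error": "unauthorized_client"}
        dc = DeviceCode(
            client_id=client_id,
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}",
            expires_at=self.clock() + CODE_LIFETIME,
        )
        self.codes[dc.device_code] = dc
        self.by_user_code[dc.user_code] = dc
        self.audit.append(("device_code_issued", client_id, dc.user_code, ""))
        return {"device_code": dc.device_code, "user_code": dc.user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def verify(self, user_code, approved, device_ip, browser_ip):
        """User-code verification on the trusted device (section 3.3)."""
        dc = self.by_user_code.get(user_code)
        if dc is None or dc.status != "pending" or self.clock() > dc.expires_at:
            return "invalid"
        # The approver sees where the request came from and where the
        # approval is made; both are recorded so a mismatch stays reviewable.
        detail = f"device={device_ip} browser={browser_ip}"
        self.audit.append(("device_code_verified", dc.client_id, user_code, detail))
        dc.status = "approved" if approved else "denied"
        self.audit.append((f"device_code_{dc.status}", dc.client_id, user_code, detail))
        return dc.status

    def token(self, client_id, device_code):
        """Token endpoint polled by the device (sections 3.4 and 3.5)."""
        dc = self.codes.get(device_code)
        if dc is None or dc.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > dc.expires_at:
            self._forget(dc)
            return {"error": "expired_token"}
        if now - dc.last_poll < dc.interval:
            dc.interval += 5       # client polled too fast: it must back off
            dc.last_poll = now
            return {"error": "slow_down"}
        dc.last_poll = now
        if dc.status == "pending":
            return {"error": "authorization_pending"}
        if dc.status == "denied":
            self._forget(dc)
            return {"error": "access_denied"}
        self._forget(dc)           # an approved code is redeemable once
        # Audit the signing itself, not the poll, so declined or repeated
        # polls leave no spurious signing records.
        self.audit.append(("token_signed", client_id, dc.user_code, ""))
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}

    def _forget(self, dc):
        self.codes.pop(dc.device_code, None)
        self.by_user_code.pop(dc.user_code, None)


def run_happy_path(clock):
    """Replay one complete exchange; returns the server, the issued
    code response and the three poll results in order."""
    server = DeviceGrantServer(clock)
    issued = server.device_authorization("cli-tool")
    polls = [server.token("cli-tool", issued["device_code"])]   # pending
    polls.append(server.token("cli-tool", issued["device_code"]))  # too fast
    clock.advance(15)
    server.verify(issued["user_code"], True, "203.0.113.10", "198.51.100.7")
    polls.append(server.token("cli-tool", issued["device_code"]))  # token
    return server, issued, polls
```

The `slow_down` branch is the part clients most often get wrong: on that error the device must increase its polling interval, and the server enforces it by bumping `interval`, so a client that ignores the hint keeps receiving `slow_down` rather than tying up the token endpoint.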
This release significantly expands how account attributes flow between Topicus KeyHub and the systems it integrates with. Attributes can now travel bidirectionally where the source system supports it, and connected systems gain richer attribute coverage.
TKH-3566 Account attributes can now be written back to AFAS. Administrators select which KeyHub account attributes are pushed to the AFAS identity source, enabling bidirectional attribute synchronisation for fields managed in Topicus KeyHub but also required in AFAS. A dedicated AFAS URL validator has been added to catch common configuration mistakes during setup.
TKH-3584 Custom attributes can now be provisioned to Microsoft Entra ID (Azure AD) tenants. Administrators can define additional user attributes to be populated during account provisioning, extending the range of information that is synchronised to Entra ID beyond the built-in set of fields.
TKH-3381 LDAP source directories now support configurable account matching. When an existing account cannot be located by its distinguished name, Topicus KeyHub can fall back to matching on a selected account attribute against a corresponding LDAP attribute. This makes provisioning resilient to DN changes and other directory restructurings that would previously break the link between accounts. It can also help with the initial roll-out if the directory does not use a uniform and predictable naming scheme.
(Screenshot: AFAS write-back attribute configuration)
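The LDAP account-matching fallback from TKH-3381 above is easiest to see with a directory that has been restructured. The following is an added illustration, not Topicus KeyHub's code: an in-memory dictionary stands in for LDAP search results, and the account links, attribute names, organisational units and values are all constructed. It resolves a stored DN first (with case- and whitespace-insensitive comparison), falls back to a configured account attribute against an LDAP attribute only when the DN no longer exists, and refuses to relink when the fallback attribute is not unique, since silently picking one of several entries would link an account to the wrong person.

```python
# Constructed sample directory after a restructuring: the "sales" OU was
# renamed to "emea", so the DNs stored earlier no longer resolve.
DIRECTORY = {
    "uid=jdoe,ou=emea,dc=example,dc=com": {
        "uid": "jdoe", "employeeNumber": "1001", "mail": "jdoe@example.com"},
    "uid=asmith,ou=emea,dc=example,dc=com": {
        "uid": "asmith", "employeeNumber": "1002", "mail": "shared@example.com"},
    "uid=asmith2,ou=contractors,dc=example,dc=com": {
        "uid": "asmith2", "employeeNumber": "1003", "mail": "shared@example.com"},
}

# Constructed links on the identity-management side: account name ->
# the DN recorded at provisioning time plus the account's own attributes.
LINKED_ACCOUNTS = {
    "jdoe":   {"dn": "uid=jdoe,ou=sales,dc=example,dc=com",
               "attributes": {"employeeNumber": "1001", "mail": "jdoe@example.com"}},
    "asmith": {"dn": "uid=asmith,ou=sales,dc=example,dc=com",
               "attributes": {"employeeNumber": "1002", "mail": "shared@example.com"}},
}


def normalize_dn(dn):
    """DN comparison is case-insensitive and ignores whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def locate(directory, stored_dn, match=None):
    """Resolve the directory entry for one linked account.

    match is an optional (account_attribute_value, ldap_attribute) pair that is
    consulted only when the stored DN no longer resolves. Returns (dn, how),
    with how in {'dn', 'attribute', 'not-found', 'ambiguous'}.
    """
    by_dn = {normalize_dn(dn): dn for dn in directory}
    hit = by_dn.get(normalize_dn(stored_dn))
    if hit is not None:
        return hit, "dn"
    if match is None or match[0] is None:
        return None, "not-found"
    value, ldap_attr = match
    hits = [dn for dn, attrs in directory.items() if attrs.get(ldap_attr) == value]
    if len(hits) == 1:
        return hits[0], "attribute"
    # Zero hits: nothing to relink. Several hits: refuse rather than guess.
    return None, "not-found" if not hits else "ambiguous"


def relink(directory, linked, account_attr, ldap_attr):
    """Re-resolve every linked account without mutating the input.

    Returns (outcome, dns): how each account was resolved, and the DN to store
    afterwards (healed when the attribute fallback found a unique entry,
    otherwise unchanged so nothing is overwritten on an ambiguous match).
    """
    outcome, dns = {}, {}
    for name, link in linked.items():
        match = (link["attributes"].get(account_attr), ldap_attr)
        dn, how = locate(directory, link["dn"], match)
        outcome[name] = how
        dns[name] = dn if how == "attribute" else link["dn"]
    return outcome, dns
```

Matching on `employeeNumber` heals both links after the OU rename; matching on `mail` heals only `jdoe`, because two entries share the address and the ambiguous case is deliberately left untouched for an administrator to resolve.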
Building on the Separation of Duties (SoD) capability introduced in version 47, this release adds a formal review step for group exclusion requests and makes the group removal flow more transparent about the consequences of a deletion.
TKH-3747 Accepting a group exclusion connect request now includes a review step that shows the full impact before the exclusion takes effect. The manager sees which accounts would be removed from the excluded group as a consequence, giving a clear picture of the change before it is confirmed. Disconnect requests retain the simple accept/reject flow.
TKH-3697 The modification request report shown when removing a group now lists the access profiles and other groups that will lose access to applications and provisioned systems currently owned or administered by the group. Administrators can see the full knock-on effect of a deletion before confirming it.
TKH-3692 The group selection page in the bulk group removal flow now shows the organisational unit of the groups.
TKH-3671 The bulk group removal selection flow has been refined. Selected groups are pinned at the top of the list and a single, prominent counter shows the current selection total, making large batch operations easier to track.
Several of the most important account and access profile screens have been rebuilt on Topicus KeyHub's modern flextable infrastructure. This brings consistent searching, sorting and filtering to screens that previously used older, more limited layouts.
TKH-3601 The access profile attributes page has been rewritten. The new layout offers filtering by validation status, making it straightforward to locate accounts whose attributes are out of sync with the profile rules, and scales to access profiles with large numbers of members.
TKH-3664 The members overview of an access profile has been rewritten as a searchable flextable. Administrators can now sort and filter members by their account attributes, making large access profiles far easier to inspect.
TKH-3482 The administrative accounts overview has been redesigned with the same flextable layout, improving filtering and visibility when managing large numbers of accounts.
TKH-3602 A "Synchronise now" action has been added to the access profile details page. Managers with update permissions on the profile can trigger an immediate recalculation of the profile rules without waiting for the scheduled synchronisation task.
(Screenshot: Redesigned access profile attributes)
TKH-3540 TKH-3792 TKH-3807 TKH-3809 TKH-3817 Appliance updates are now delivered as signed update bundles that are fetched automatically from a configured repository. This replaces the previous mechanism based on separate operating-system repositories. It makes the whole update system more reliable, as the integrity of the entire bundle can be verified up front, before any part of it is applied.
TKH-3694 Cluster management has migrated from salt-ssh to a multi-master salt architecture. This improves reliability and scalability of node management.
TKH-3763 The legacy Android-specific service contract module has been removed from the distribution.
TKH-3786 The internal appliance test framework now supports KVM as a hypervisor backend alongside VirtualBox. This results in more stable builds and allows us to deliver QCOW2 images in the future.
The following improvements and bug fixes, both large and small, were made:
TKH-3673 Scheduled maintenance tasks are now documented in a dedicated appendix of the manual, and the default schedules have been reviewed and aligned for consistency.
TKH-3709 The public and private key file upload fields for vault recovery now offer a download action when a current key is present, allowing administrators to verify the active public key.
TKH-3710 Long support-dump names no longer break the layout of the support-dump overview. Names that exceed the column width are now truncated with an ellipsis.
TKH-3711 The administrative web session no longer expires during lengthy initial installations. The session timeout is extended during the installation phase, preventing setup from being interrupted by a login prompt.
TKH-3716 The administrative configuration pages for backup and KeyHub user settings now clearly indicate when certain settings are not configurable in node-specific (single-node) mode, instead of displaying a half-populated form.
TKH-3719 Disabled directories are no longer tested during automatic connection tests, which reduces noise in the test output and avoids unnecessary errors for deactivated directories.
TKH-3720 Test coverage has been extended for account re-registration scenarios where the account's distinguished name or display name changes but its username in the directory stays the same.
TKH-3723 Concurrent updates to account attribute values are now serialised using pessimistic locking, preventing rare race conditions that could cause unique-constraint violations under heavy load.
TKH-3727 A race condition in the IDP keystore regeneration process has been resolved. The regenerated keystore is now fully written and locked before it is replicated to cluster nodes, avoiding the possibility of a node receiving an empty or corrupt keystore.
TKH-3730 Review links in modification request notification e-mails now work correctly. Previously, following such a link from an e-mail could lead to an error page.
TKH-3734 Numerous grammar, spelling, and consistency issues across both the English and Dutch manuals have been corrected.
TKH-3736 A large number of translation issues in the Dutch and German user-interface strings have been corrected, including terminology and punctuation inconsistencies introduced by machine translation.
TKH-3740 A malformed OAuth2 client identifier submitted by an automated scanner no longer produces a stack trace in the logs. All client-error responses from the internal client lookup are now handled uniformly as "client not found".
TKH-3741 Error messages containing illegal characters are now sanitised before being reported, preventing a cascading exception when the original error is reported back to the caller.
TKH-3742 A race condition between a user logging in and a concurrent session cleanup has been resolved. Session tokens are now properly locked during cleanup, and missing tokens during validation return a clean 401 response rather than an internal server error.
TKH-3746 A bottleneck in the account directory service has been removed. Authentication operations that were previously serialised across the entire appliance now run in parallel, reducing login latency under concurrent load.
TKH-3750 Users viewing the administrative details page for their own account now see their own groups and access profiles correctly reflected in the effective permissions.
TKH-3751 Administrators can now manually mark a cluster node as ready or not ready even when the node is not currently live. This makes it easier to recover from node outages without waiting for the node to come back online.
TKH-3752 When assigning a predefined attribute definition to an application attribute, any previously configured script value is now correctly cleared on form submission, preventing stale scripts from being silently retained.
TKH-3766 Performing a test on a linked system with custom attributes no longer triggers an error due to the test account not being saved.
TKH-3767 The URL reachability test now always uses a combined trust store of system defaults and custom certificate authorities, regardless of whether a proxy is configured. Previously, custom certificate authorities were only applied when the connection did not traverse a proxy.
TKH-3772 The installation error shown when the virtual machine has insufficient memory now states the correct minimum requirement of 8 GB.
TKH-3773 Dashboard notifications for access profile modification requests now always include the access profile name.
TKH-3774 The shell session timeout variable (TMOUT) is now marked read-only in the appliance shell environment, preventing it from being accidentally or deliberately overridden.
TKH-3775 An OAuth2 token introspection request without authentication no longer produces a null pointer exception. Such requests are now correctly rejected with a 401 response.
TKH-3806 Parse errors of invalid attribute values, such as a malformed telephone number, no longer lead to an error at login.