Sven Haster 1/08/2022 10 min read

Topicus KeyHub 20.2

We are proud to announce Topicus KeyHub 20.2. In time for the summer, we caught up on a number of smaller issues from our backlog. With this release, we add a number of capabilities to OAuth2 clients for KeyHub. Additionally, we implemented features to require group activation to use an SSO application or read a vault record. Lastly, we implemented RFC 8707 and 9068 to allow KeyHub to serve as a general purpose authorization server. As usual, a number of assorted smaller changes and bug fixes are included.



New and updated client permissions

We added and improved a number of client permissions, for OAuth2 clients that use KeyHub's REST API to read or write from/to KeyHub. This enables us to better support integration with third-party systems that might need to read or write secrets in vaults, configure new OAuth2 clients or group-on-systems or even create new KeyHub groups.

  • TKH-1777 OAuth2 client permissions for groups are auto accepted if the requester is also a manager of the group.
  • TKH-2096 TKH-2126 You can now nest a KeyHub group under another group as part of the create call. It is also possible to assign multiple initial managers in this request.
  • TKH-2125 TKH-2127 There is a new permission that enables a client to create applications (OAuth2, OIDC, SAML2 or LDAP). OIDC and SAML applications can be linked to groups as part of the call, to enable those groups to access the application.
  • TKH-2129 TKH-2147 When creating a new KeyHub group, the client can directly assign client permissions on this group to existing clients (including themselves).
  • TKH-2138 Clients can revoke their own permissions.
  • TKH-2148 There is a new client permission that enables clients to query for existing applications.
  • TKH-2205 A client with the permission to create new group on systems on an existing system, can now also read all provisioning groups for existing groups on system on that system. This avoids errors when trying to read a group on system they have created themselves.


Require group activation

TKH-637 TKH-1501 We implemented functionality to require a group be activated in order to use an associated SSO application or read a record from the group's vault. The group's activation can be further restricted as normal, for instance by requiring another group to approve activation, or requiring the user to provide a reason which will be recorded in the audit log.



General purpose authorization server

TKH-2139 TKH-2140 We implemented RFC 8707 (resource indicators) to allow KeyHub to serve as a general purpose authorization server. KeyHub can now give out access tokens for other servers, when requested. This can be configured on an OIDC application. The resulting OAuth 2.0 access token will be in the format described in RFC 9068.

Note that access tokens for other resource servers cannot be used on the backend of Topicus KeyHub itself.


Small improvements

The following smaller improvements and bug fixes were made:

  • TKH-1518 We added an explanation to the manual of how a vault record's URI-field is used to match the record to the current webpage.
  • TKH-1639 The account details screens now show an overview of all groups the user is a member of.
  • TKH-1655 The displaying of long lists of tasks in the appliance manager, such as during an upgrade over multiple nodes, has been improved by grouping the tasks and collapsing where appropriate.
  • TKH-1657 We improved the documentation on how to query for vault records using the KeyHub CLI.
  • TKH-1748 The cluster coordinator's allowlist is now checked against the ip adresses of (new) nodes to avoid configuration errors.
  • TKH-1761 KeyHub now warns when leaving or closing a screen with a new vault record without saving it first.
  • TKH-1778 We improved the feedback message if there is no one available to handle a request.
  • TKH-1781 The error message when trying to save a vault record without a secret now reflects that a comment is also a secret.
  • TKH-1803 We improved the readability of certain yes/no fields by updating their descriptions and/or changing them to on/off fields.
  • TKH-1828 Accounts will now get a stable pseudo random identifier when used to login on an SSO application. Existing accounts retain the existing identifier for applications they've already used.
  • TKH-1830 We fixed some corner cases related to changing your KeyHub password and errors provisioning this new password to linked systems.
  • TKH-1859 The About-page now shows KeyHub's version number and a link to our issue portal.
  • TKH-1941 The "username copied" message should no longer run off the screen if the username is long.
  • TKH-1942 The account activation code for new accounts in an internal directory are now also available from the GUI, in case mail delivery can not be guaranteed.
  • TKH-1957 An info melding now clarifies why a group on system can not be removed.
  • TKH-1987 Members of the helpdesk group for a directory, can now see the accounts for that directory (via the administration menu) and can now cancel recovery requests, disable 2FA and trigger reregistration for those accounts.
  • TKH-2001 It is now possible to configure a group to not require approval for extended access (> 12 hours).
  • TKH-2004 TKH-2101 Group managers can now also edit their own membership (within limits) and for instance demote themselves to normal member or change their own nesting type.
  • TKH-2034 The maintenance admin ("keyhub" user) should now be properly filtered out of most screens.
  • TKH-2102 The newer v3 licenses are now properly displayed on the About-page.
  • TKH-2105 The 'Add' button should now always be properly visible on an OAuth2 client application's "permissions" page, even for clients with a long name.
  • TKH-2106 When trying to find an existing group to request membership of, KeyHub will now also search in groups' descriptions in addition to their names.
  • TKH-2114 Group nesting requests are now auto-accepted if the user is manager of both groups.
  • TKH-2116 We removed the "license limit reached" message from the dashboard for being spammy. The warning is also sent via mail so it won't get lost.
  • TKH-2121 The dashboard will now show a message if you don't see any groups to activate because of your license type.
  • TKH-2122 Business users will no longer see links to combine groups into folders for activation if they can't activate any groups.
  • TKH-2142 Topicus KeyHub's main colors have been slightly tweaked to bring them in line with the product site.
  • TKH-2145 Every release now uses a different cache identifier, to avoid conflicts while upgrading a cluster. This was a manual process and is now automated.
  • TKH-2152 When creating the request for an OAuth2 client's first client permission, the table's header will no longer duplicate itself.
  • TKH-2153 Adding a manager to a private group via the "admin override" will no longer result in an error.
  • TKH-2156 Searching for (part of) a UUID should now work consistently across all fields/resources.
  • TKH-2158 Password recovery for an unknown user will no longer result in an internal error.
  • TKH-2163 You can now change the VM's disk partitioning on every node, not just the cluster coordinator.
  • TKH-2164 Databases that have wrongly been marked as down by Pgpool, can now be recognized and reattached from the appliance manager.
  • TKH-2165 You can now once again authenticate with known WebAuthn security keys during reregistration.
  • TKH-2169 Our HSTS headers now also set the includesubdomains option.
  • TKH-2170 Our reverse proxy now also supports TLS 1.3. Additionally, we updated our supported cipher suites in compliance with the NCSC's guidelines.
  • TKH-2172 Configuring your local date to be in the future will now lead to a relevant error message, instead of an internal error.
  • TKH-2174 We removed the 'owner' attribute of OAuth2 and LDAP clients. These don't provide any rights or permissions to users/groups, so there is no real reason for an owner group. They still have application administrator groups.
  • TKH-2186 We updated our storage controller so importing a new OVA should once again work on VMWare.
  • TKH-2202 Broken LDAP connections (to linked systems) will now get cleaned up instead of possibly accumulating over time, leading to errors.
  • TKH-2203 We extended our support for disks to be more compatible with AWS.