Bump com.sap.cloud.security.xsuaa:token-client from 3.5.7 to 4.0.7 in /sdm #525

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/maven/sdm/com.sap.cloud.security.xsuaa-token-client-4.0.7

Conversation

dependabot[bot] commented on behalf of github on Jun 30, 2026

Bumps com.sap.cloud.security.xsuaa:token-client from 3.5.7 to 4.0.7.

Release notes

Sourced from com.sap.cloud.security.xsuaa:token-client's releases.

4.0.7

  • Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
    • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
    • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
    • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
    • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

Update dependencies:

  • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
  • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
  • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
  • Caffeine: 3.2.0 → 3.2.4
  • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

  • Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility
    • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
    • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
    • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally
  • Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension
    • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
    • The app_tid is extracted from the incoming access token and included when present

4.0.4

Improve domain validation handling

4.0.3

Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

  • Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
  • Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

4.0.0

Major release upgrading to Spring Boot 4.x and Jakarta EE 10. Spring Boot 3.x compatibility modules provided.

Breaking Changes

Framework Upgrades:

  • Spring Boot 3.x → 4.0.3
  • Spring Framework 6.x → 7.0.5
  • Spring Security 6.x → 7.0.3
  • Jakarta Servlet API 6.0.0 → 6.1.0

Token Client HTTP Change:

... (truncated)

Changelog

Sourced from com.sap.cloud.security.xsuaa:token-client's changelog.

4.0.7

  • Fix mTLS handshake regression in SSLContextFactory
    • Initialize the SSLContext with an explicit TrustManagerFactory backed by the system default trust store instead of passing null, fixing "(certificate_unknown) No X509TrustManager implementation available" failures observed on certain runtime configurations
  • Add missing no-arg constructor to DefaultOAuth2TokenService
    • The class lacked the no-arg constructor that the migration documentation (token-client/CUSTOM_HTTPCLIENT.md) advertised
    • The sibling services DefaultOAuth2TokenKeyService and DefaultOidcConfigurationService already had it; this restores symmetry
    • The new constructor obtains a SecurityHttpClient via SecurityHttpClientProvider.createClient(null) and delegates to the existing (SecurityHttpClient) constructor
  • Fix multi-tenant XSUAA token exchange in DefaultXsuaaTokenExtension
    • The IAS-to-XSUAA exchange used the provider subdomain endpoint, which caused XSUAA to resolve the provider tenant instead of the tenant carried in the X-zid header (app_tid)
    • Token exchange now targets a tenant-agnostic endpoint built from the uaadomain binding property, so XSUAA resolves the tenant via X-zid
    • For X.509 credentials the host's authentication. segment is replaced with authentication.cert. (analogous to the Node.js library), e.g. authentication.eu10.hana.ondemand.com → authentication.cert.eu10.hana.ondemand.com
    • Falls back to the existing subdomain-bearing endpoint when uaadomain is missing, preserving behavior for legacy bindings

4.0.6

  • Update dependencies to address known vulnerabilities:
    • Spring Boot (legacy 3.x modules): 3.5.9 → 3.5.14
    • Spring Framework (legacy 3.x modules): 6.2.15 → 6.2.18
    • Spring Security (legacy 3.x modules): 6.5.7 → 6.5.10
    • Caffeine: 3.2.0 → 3.2.4
    • SpotBugs Maven Plugin: 4.9.8.2 → 4.9.8.3

4.0.5

  • Restore deprecated HttpClientFactory.services field and ServiceLoader-based factory discovery for backward compatibility
    • Custom HttpClientFactory implementations registered via META-INF/services are discovered again
    • A deprecation warning is logged when a custom factory is used, guiding users to migrate to SecurityHttpClientFactory with SecurityHttpClientProvider
    • Token services with default (no-arg) constructors continue to use the new SecurityHttpClientProvider internally
  • Fix multi-tenant IAS token exchange by adding app_tid parameter to the token exchange request in DefaultIdTokenExtension
    • In multi-tenant applications, IAS requires app_tid in addition to client_id to uniquely identify the application
    • The app_tid is extracted from the incoming access token and included when present

4.0.4

  • Improve domain validation handling in JwtValidatorBuilder for IAS tokens

4.0.3

  • Fix multi-tenant IAS token exchange to use token issuer URL instead of provider IAS URL from configuration in DefaultIdTokenExtension

4.0.2

  • Fix token exchange credential handling to use getClientIdentity() instead of manually checking for certificate vs client secret
  • Add IAS certificate properties (certificate, key, credential-type, certurl) to IdentityServicesPropertySourceFactory to properly map X.509 credentials for IAS service bindings

4.0.1

  • Fix IAS token exchange to use getUrl() instead of getCertUrl() in DefaultIdTokenExtension

... (truncated)

Commits
  • fb4e8bf chore: Release 4.0.7
  • 66177c8 fix: Replace authentication. with authentication.cert. for X.509 uaadomain
  • 843ba02 fix: Use tenant-agnostic XSUAA token endpoint when exchanging IAS to XSUAA
  • 3ac8356 Merge pull request #1966 from SAP/chore/remove-nvd-api-key
  • 2461312 chore: Remove unused NVD_API_KEY secret from CI workflow
  • 6e79587 Chore/update dependencies (#1958)
  • 80dd972 Build(deps): Bump the prod-deps-ver group across 1 directory with 31 updates ...
  • 3b27d81 Set explicit workflow permissions (#1952)
  • 2f9e42e Feature/restore httpclientfactory services (#1948)
  • eddb3a9 Bugfix/add app tid to id token exchange (#1949)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
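As an added illustration of the 4.0.7 endpoint selection described in the release notes above (this is not the library's code and not part of the PR), the following derives the XSUAA token endpoint from a service binding: tenant-agnostic host from uaadomain, the authentication. to authentication.cert. swap for X.509 credentials, and the subdomain-bearing fallback when uaadomain is absent. The binding keys uaadomain, url and credential-type follow the usual XSUAA binding layout; the credential-type value "x509", the method names and the sample binding values are assumptions.

```java
import java.net.URI;
import java.util.Map;

// Added illustration, not the token-client library's implementation.
public final class XsuaaTokenEndpointExample {

    static final String TOKEN_PATH = "/oauth/token";
    static final String AUTH_PREFIX = "authentication.";
    static final String AUTH_CERT_PREFIX = "authentication.cert.";

    /** Tenant-agnostic token endpoint; XSUAA then resolves the tenant from the X-zid header. */
    static URI tokenEndpoint(Map<String, String> binding) {
        String uaadomain = binding.get("uaadomain");
        if (uaadomain == null || uaadomain.isBlank()) {
            // Legacy binding without uaadomain: fall back to the subdomain-bearing url,
            // which pins the exchange to the provider tenant (the pre-4.0.7 behaviour).
            String url = binding.get("url");
            String base = url.endsWith("/") ? url.substring(0, url.length() - 1) : url;
            return URI.create(base + TOKEN_PATH);
        }
        String host = uaadomain;
        // "x509" as the credential-type marker is an assumption of this example.
        if ("x509".equals(binding.get("credential-type")) && host.startsWith(AUTH_PREFIX)) {
            // mTLS host: authentication.<region>... -> authentication.cert.<region>...
            host = AUTH_CERT_PREFIX + host.substring(AUTH_PREFIX.length());
        }
        return URI.create("https://" + host + TOKEN_PATH);
    }

    /** Header carrying the tenant (app_tid) so the tenant-agnostic endpoint can resolve it. */
    static Map<String, String> tenantHeaders(String appTid) {
        return Map.of("X-zid", appTid);
    }

    public static void main(String[] args) {
        // Constructed sample bindings; values are not from any real landscape.
        String providerUrl = "https://provider.authentication.eu10.hana.ondemand.com";
        Map<String, String> secret = Map.of("uaadomain", "authentication.eu10.hana.ondemand.com",
                "url", providerUrl, "credential-type", "instance-secret");
        Map<String, String> x509 = Map.of("uaadomain", "authentication.eu10.hana.ondemand.com",
                "url", providerUrl, "credential-type", "x509");
        Map<String, String> legacy = Map.of("url", providerUrl);

        System.out.println(tokenEndpoint(secret));
        System.out.println(tokenEndpoint(x509));
        System.out.println(tokenEndpoint(legacy));
        System.out.println(tenantHeaders("constructed-app-tid"));
    }
}
```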

Bumps [com.sap.cloud.security.xsuaa:token-client](https://github.com/SAP/cloud-security-xsuaa-integration) from 3.5.7 to 4.0.7.
- [Release notes](https://github.com/SAP/cloud-security-xsuaa-integration/releases)
- [Changelog](https://github.com/SAP/cloud-security-services-integration-library/blob/main/CHANGELOG.md)
- [Commits](SAP/cloud-security-services-integration-library@3.5.7...4.0.7)

---
updated-dependencies:
- dependency-name: com.sap.cloud.security.xsuaa:token-client
  dependency-version: 4.0.7
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and java labels on Jun 30, 2026