Apereo CAS 7.2 – Release Announcement

The Apereo CAS community is pleased to announce the latest release of the Central Authentication Service platform, CAS 7.2! This release represents months of collaboration from dedicated contributors around the world. With enhancements to the platform’s core, improved security and traceability, and refined support for modern protocols, this release continues to demonstrate CAS’s commitment to providing a robust, scalable, and forward-looking open source authentication solution.
We invite you to explore the highlights of this release below:
Major Platform & Framework Updates
- Spring Boot 3.4 Migration
The entire codebase has been migrated to Spring Boot 3.4, aligning CAS with the latest advancements in the Spring ecosystem.
- OpenRewrite Recipes
New and enhanced OpenRewrite recipes simplify in-place upgrades between CAS versions, helping to automate modernization efforts.
- GraalVM Native Image Support
Ongoing improvements make it easier to build and run CAS as a GraalVM native image, with targeted Puppeteer tests ensuring native functionality.
Testing & Traceability
- Expanded End-to-End Testing
Our Puppeteer-based browser testing suite now spans approximately 512 distinct scenarios, with overall test coverage reaching 94%.
- Jaeger Distributed Tracing
Built-in support for Jaeger enables detailed tracing and metrics for distributed authentication flows.
Ticket Registry Enhancements
- Redis Performance Optimization
Enhancements reduce classloading, locking, and JSON serialization overhead for improved Redis registry performance.
- Kafka Ticket Registry Support
Apache Kafka can now function as a distributed ticket registry, broadcasting ticket events across clustered nodes.
Security & Protocol Improvements
- OAuth2/OIDC Scoping Rules
Strict enforcement ensures that refresh_token and authorization_code grant types only allow requested scopes that are subsets of granted scopes.
- Extended CAPTCHA Options
CAS now supports Friendly CAPTCHA as an alternative to reCAPTCHA.
- Dynamic CSP Nonces
Content Security Policy headers now include randomized nonces per request to enhance defense against injection attacks.
- OIDC Response Mode Fixes
Improved handling of token and id_token response types in redirects and URL fragments.
- Zero-Expiry Token Blocking
Access tokens with zero expiration are now explicitly denied, preventing misuse.
- SAML2 AuthnContext Attributes
SAML2 responses may include a new attribute that reflects the fulfilled authentication context class.
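As an added illustration of the scoping rule and the zero-expiry denial listed above (this is not CAS code; the class and function names are this example's own), the following Python applies the RFC 6749 rule that a refresh_token or authorization_code token request may only carry scopes that are a subset of those originally granted, treats an omitted scope as "same as granted", and maps each outcome to the error code an OAuth2 token endpoint would return.

```python
# Added example, not CAS source code: enforces the release's scoping rule that
# refresh_token and authorization_code grants may only request scopes that are
# a subset of the scopes granted at authorization time (cf. RFC 6749 section 6),
# and refuses tokens with a zero lifetime. All names here are this example's own.
from dataclasses import dataclass

class InvalidScopeError(Exception):
    """Token request asks for a scope the resource owner never granted."""

class InvalidTokenError(Exception):
    """The token to be issued would already be expired."""

@dataclass(frozen=True)
class TokenRequest:
    grant_type: str            # "authorization_code" or "refresh_token"
    granted_scopes: frozenset  # scopes approved at authorization time
    requested_scope: str = ""  # raw space-delimited "scope" parameter
    expires_in: int = 3600     # lifetime the server would assign, in seconds

def parse_scope(raw: str) -> frozenset:
    """Split the space-delimited scope parameter; "" means it was omitted."""
    return frozenset(raw.split())

def effective_scopes(req: TokenRequest) -> frozenset:
    """Scopes the new token may carry, or an exception on a violation."""
    if req.grant_type not in ("authorization_code", "refresh_token"):
        raise ValueError(f"unsupported grant_type: {req.grant_type}")
    if req.expires_in <= 0:
        raise InvalidTokenError("token lifetime must be positive")
    requested = parse_scope(req.requested_scope)
    if not requested:
        # Omitted scope means "same as originally granted" (RFC 6749 section 6).
        return req.granted_scopes
    extra = requested - req.granted_scopes
    if extra:
        # Reject rather than silently narrowing, so a client cannot widen scopes.
        raise InvalidScopeError(f"scope(s) not granted: {sorted(extra)}")
    return requested

def decide(req: TokenRequest) -> dict:
    """Map the outcome to an OAuth2 token-endpoint style response body."""
    try:
        return {"scope": " ".join(sorted(effective_scopes(req)))}
    except InvalidScopeError as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}
    except InvalidTokenError as exc:
        return {"error": "invalid_request", "error_description": str(exc)}
```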
REST API & Consent Management
- RESTful Consent Storage
Consent decisions for attributes are now handled via RESTful APIs for better consistency and flexibility.
- REST Password Management
Password reset and synchronization processes are redesigned to follow REST principles, including a new dedicated password-sync endpoint.
Configuration & Admin Console
- External Static Resource Support
CAS will now look for static files in file:/etc/cas/static and file:/etc/cas/public by default.
- Cookie Max-Age as Duration
The max-age setting for cookies can now be defined using a duration format for more intuitive configuration.
- Duo Security Username Mapping
Admins can configure a principal attribute to serve as the username sent to Duo Security for MFA.
- Palantir Admin Console Enhancements
Trusted MFA devices can now be removed directly through the administrative console.
- Delegated Auth SSO Toggle
When SSO is disabled for a delegated authentication service, CAS now properly instructs the external IdP to prompt for user credentials.
- JDBC Audit Column Updates
Column sizes for audit logs have been increased to accommodate larger entries and support more extensive tracking.
We thank all contributors and community members who made this release possible. Your continued support ensures that CAS remains a cornerstone of secure, open source identity management.
For full release notes, documentation, and upgrade instructions, please visit https://apereo.github.io/cas.
CAS OAuth/OpenID Connect & WebAuthn Vulnerability Disclosure
The CAS community has updated its recommendations. Please visit the CAS GitHub blog for the latest updates: https://apereo.github.io/2025/04/11/oidc-webauthn-vuln/#severity