Sdk bug fixes #1670

Merged: prachi-okta merged 10 commits into master from sdk-bug-fixes on Jan 29, 2026

@prachi-okta prachi-okta commented Jan 29, 2026

Fix Issues: Schema API, DPoP Nonce Expiration, and Test Infrastructure

📋 Summary

This PR addresses bug fixes for the v25.0.1 release, including schema API breaking changes, DPoP authentication issues, cache improvements, security updates, and test infrastructure fixes.

🎯 Key Issues Fixed

1. Schema API Breaking Change (#1568)

  • Problem: Schema API unique property changed from string to boolean in v25.0.0, causing deserialization errors
  • Impact: Customers unable to deserialize schema API responses with values like 'UNIQUE_VALIDATED'
  • Fix: Reverted unique property type from boolean to string in UserSchemaAttribute and GroupSchemaAttribute
  • Files: src/swagger/api.yaml

2. DPoP Nonce Expiration (#1608)

  • Problem: DPoP nonce expires after 22 hours but was only checked during token requests, causing "Invalid session" errors for hourly jobs running between hours 22-24
  • Impact: Intermittent session failures for long-running applications
  • Solution: Three-layer automatic retry mechanism (zero client-side changes required):
    1. DPoPInterceptor checks nonce on ALL requests and throws DPoPNonceExpiredException when expired
    2. ApiClient.executeWithDPoPRetry() catches exception, clears access token, and retries request
    3. OAuth2 layer automatically obtains new token with fresh nonce on retry
  • Files: DPoPInterceptor.java, DPoPNonceExpiredException.java (new), ApiClient.mustache
  • Backward Compatible: ✅ No API changes required

3. Cache System Improvements (#1618, #1600)

  • Fixed ClassCastException with proper type validation
  • Implemented resource-specific cache configuration
  • Multi-cache invalidation for nested resources (/federated-claims/, /group-push/mappings/)
  • Cross-cache invalidation for lifecycle operations
  • Defensive exception handling to prevent cache errors from masking API exceptions

4. Integration Test Improvements

  • Increased GroupsIT retry count from 10 to 15 for search operations
  • Added minimum 500ms delay for search operations to handle indexing delays
  • Reduced flaky test failures

5. Security Updates 🔒

  • Upgraded Bouncy Castle from 1.78.1 to 1.79 (fixes CVE - Excessive Allocation vulnerability)
  • Upgraded TestNG from 7.0.0 to 7.5.1 (fixes Path Traversal vulnerability)

6. Test Infrastructure Fixes

  • Fixed TestNG Parallel Configuration: Removed unsupported classesAndMethods parallel mode causing CircleCI failures
  • Fixed 20 Groovy Test Failures: Resolved TestNG assertEquals ambiguous method overloading by casting wrapper types (Integer, Long, Double) to primitives
  • Result: All 147 impl unit tests now pass ✅

🔄 Breaking Changes

None - All fixes are backward compatible

📝 Files Changed

Core Changes:

  • src/swagger/api.yaml - Schema API unique property type fix
  • impl/.../oauth2/DPoPInterceptor.java - DPoP nonce checking on all requests
  • impl/.../oauth2/DPoPNonceExpiredException.java - New exception for nonce expiration
  • api/.../custom_templates/ApiClient.mustache - Automatic retry logic for DPoP nonce expiration

Test Fixes:

  • pom.xml - Removed unsupported TestNG parallel configuration, Bouncy Castle upgrade
  • impl/src/test/groovy/**/*Test.groovy - 8 test files with assertEquals casting fixes

Documentation:

  • CHANGELOG.md - Comprehensive v25.0.1 release notes

- Fix #1615/#1667: Change LinksResend.resend to array type (List<HrefObject>)
- Fix #1618: Add type validation for cached objects to prevent ClassCastException
- Fix #1619: Set default name for OIDCApplicationBuilder to OIDC_CLIENT
- Fix #1622: Correct expirePasswordWithTempPassword return type to TempPassword
- Fix #1642: Enable custom attributes for GroupProfile (OktaUserGroupProfile)
- Fix #1666: Change JUnit dependency scope from compile to test
- Fix #1657: Upgrade httpclient5 to 5.5.1 to fix connection pool leak
- Fix #1653: Add missing rootSessionId field to LogAuthenticationContext
- Fix #1650: Enable super.equals() call in PasswordPolicyRule for proper parent comparison
- Fix #1600: Implement resource-specific cache lookup in ApiClient
- Update SDK version to 25.0.1-SNAPSHOT

All fixes verified and tested. Resource-specific caching demonstrated with
User cache (5s TTL) showing 0ms cache hits vs 500ms API calls.
…1600)

- Fixed cache invalidation for DELETE operations on nested resources
- Added support for FederatedClaimRequestBody cache invalidation
- Fixed path matching for /federated-claims/ and /group-push/mappings/
- Implemented multi-cache invalidation to remove from all matching caches
- Added defensive exception handling to prevent cache errors from interfering with API operations

Resolves:
- #1618: Cache ClassCastException with type validation
- #1600: Resource-specific cache configuration

All integration tests passing (431 tests, 0 failures)

- Modified DPoPInterceptor to check nonce expiration on ALL requests, not just token requests
- When nonce expires during regular API calls, remove Authorization header to force token refresh
- Resolves intermittent invalid session errors after 22 hours
- Updated CHANGELOG and README for v25.0.1
…ation

- Fix #1568: Changed unique property from boolean to string in UserSchemaAttribute and GroupSchemaAttribute to support values like UNIQUE_VALIDATED
- Fix #1608: Added automatic DPoP nonce expiration handling with transparent token refresh
  - DPoPInterceptor now checks nonce on all requests and throws DPoPNonceExpiredException when expired
  - ApiClient automatically catches exception, clears access token, and retries with fresh token/nonce
  - Zero client code changes required - fully backward compatible
- Upgraded Bouncy Castle from 1.78.1 to 1.79 (security fix)
- Improved GroupsIT test reliability with increased retry count and delays
…overloading

- Cast wrapper types (Integer, Long, Double) to primitives to resolve ambiguity
- Affected 8 test files with assertEquals calls comparing wrapper objects
- All 147 tests now pass in impl module
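
The three-layer retry from item 2 of the PR description, as an added sketch that is not part of this PR or the Okta SDK. The classes are simplified stand-ins, and the in-memory token state, the constructed clock and the single-retry limit are assumptions; only the names DPoPNonceExpiredException and executeWithDPoPRetry and the 22-hour lifetime come from the text above.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;
// Added illustration with simplified stand-ins; not the Okta SDK's own classes.
public class DpopNonceRetryDemo {
    static final Duration NONCE_LIFETIME = Duration.ofHours(22); // figure from the PR text
    static class DPoPNonceExpiredException extends RuntimeException {
        DPoPNonceExpiredException(String msg) { super(msg); }
    }

    static Instant now = Instant.parse("2026-01-01T00:00:00Z"); // constructed clock
    static String accessToken;    // hypothetical in-memory token state
    static Instant nonceIssuedAt; // when the current nonce was obtained
    static int tokenRequests = 0;

    // Layer 3: obtain a token with a fresh nonce when none is held.
    static void ensureToken() {
        if (accessToken == null) {
            accessToken = "token-" + (++tokenRequests); // placeholder value
            nonceIssuedAt = now;
        }
    }

    // Layer 1: nonce age is checked on every request, before it is sent.
    static String send(Supplier<String> call) {
        ensureToken();
        if (Duration.between(nonceIssuedAt, now).compareTo(NONCE_LIFETIME) >= 0) {
            throw new DPoPNonceExpiredException("DPoP nonce expired");
        }
        return call.get();
    }

    // Layer 2: clear the token and retry once; a second failure propagates.
    static String executeWithDPoPRetry(Supplier<String> call) {
        try {
            return send(call);
        } catch (DPoPNonceExpiredException e) {
            accessToken = null;
            return send(call);
        }
    }

    public static void main(String[] args) {
        System.out.println(executeWithDPoPRetry(() -> "hour 0 sent with " + accessToken));
        now = now.plus(Duration.ofHours(23)); // job running in the 22-24 hour window
        System.out.println(executeWithDPoPRetry(() -> "hour 23 sent with " + accessToken));
        System.out.println("token requests: " + tokenRequests);
    }
}
```

Because the expiry check in this sketch throws before the request is sent, the retry does not replay a request the server has already processed. Capping the retry at one attempt keeps a persistent fault from looping.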

@aniket-okta aniket-okta left a comment

LGTM 🚀

@prachi-okta prachi-okta merged commit 94a4637 into master Jan 29, 2026
8 checks passed