Releases: nuts-foundation/nuts-node
v5.4.13
v6.0.6
What's Changed
- fix vdr v1 CreateDID KeyFlags by @woutslakhorst in #3615
Full Changelog: v6.0.5...v6.0.6
v6.0.5
v6.0.4
v6.0.3
v6.0.2
What's Changed
- update golang-jwt by @woutslakhorst in #3559
- fix vault key path/key by @woutslakhorst in #3558
Full Changelog: v6.0.1...v6.0.2
nuts-node-chart-0.0.4
A NUTS node Helm chart for Kubernetes
v6.0.1
v5.4.12
- Updated dependencies with known vulnerabilities
- Fixed issue with failed network events giving errors at startup
Full Changelog: v5.4.11...v5.4.12
v6.0.0
Full Changelog: v5.4.0...v6.0.0
Breaking changes
- Container user has changed from root to `18081`. When migrating from v5, change the owner of the data directory on the host to that of the container's user (`chown -R 18081:18081 /path/to/host/data-dir`).
- Docker image tags have been changed: previously version tags were prefixed with `v` (e.g., `v5.0.0`); this prefix has been dropped to better adhere to industry standards.
- The VDR v1 `createDID` operation (`POST /internal/vdr/v1/did`) no longer supports the `controller` and `selfControl` fields. All did:nuts documents are now self controlled. All existing documents will be migrated to self controlled at startup.
- Managed `did:nuts` DIDs are migrated to the new SQL storage. Unresolved DID document conflicts may contain an incorrect state after migrating to v6. Check `/status/diagnostics` (ideally before upgrading) to see whether you own any DIDs with a document conflict; use `/internal/vdr/v1/did/conflicted` to find the specific DIDs.
- Removed legacy API authentication tokens.
New Features
The following new features have been added:
- Resolving and creating `did:web` DID documents (see the VDR v2 API reference for usage).
- Resolving `did:jwk` and `did:key` DID documents.
- Running a Discovery Server and Client.
- Added the VDR v2 API.
- Added a Verifiable Credential system-wallet, which is used in Presentation Exchanges (e.g. OpenID4VP). See the VCR API reference for usage.
- Added a VCR API operation to list Verifiable Credentials in a local wallet.
- Added a VCR API operation to delete Verifiable Credentials from a local wallet.
- Added support in the `IssueVC` VCR API operation to issue Verifiable Credentials that don't use the `nuts.nl` JSON-LD context.
- Added experimental support for OpenID4VP (OpenID for Verifiable Presentations).
- Added experimental support for OpenID4VCI (OpenID for Verifiable Credential Issuance).
- Added support for Nuts RFC021, which negotiates an OAuth2 access token for a system through a Presentation Exchange using Verifiable Credentials.
- Added support for StatusList2021 as revocation means for Verifiable Credentials.
- Added support for storage in SQL databases (PostgreSQL, MySQL, SQLite and Microsoft SQL Server).
- Added a Docker developer image which is useful for local development. It is built from the latest `master` build.
- Added a VDR API operation to list locally managed DIDs.
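The list above only names StatusList2021 as the new revocation mechanism. As an added example, written for this page and not taken from nuts-node, the following Go program shows what a verifier has to do with such a list: decode the status list credential's `encodedList`, look up the checked credential's `statusListIndex`, and fail closed on anything unexpected. It assumes the encoding described in the W3C StatusList2021 draft (GZIP, then base64; MSB-first bit order within each byte; an uncompressed bitstring of at least 16KB) plus an assumed decompression ceiling (`maxListBytes`); this page does not say whether the node makes exactly these choices.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// The W3C draft asks for an uncompressed bitstring of at least 16KB (131,072
// entries) so the list size does not reveal how many credentials were issued.
// maxListBytes is an assumed ceiling for this example, not a spec value.
const (
	minListBytes = 16 * 1024
	maxListBytes = 1 << 20
)

// SetBit marks statusListIndex as revoked (issuer side), MSB first within a byte.
func SetBit(bits []byte, index int) error {
	if index < 0 || index/8 >= len(bits) {
		return fmt.Errorf("statusListIndex %d outside list of %d entries", index, len(bits)*8)
	}
	bits[index/8] |= 0x80 >> uint(index%8)
	return nil
}

// IsRevoked reads the bit for statusListIndex (verifier side). An index outside
// the list is an error, never "not revoked": the check must fail closed.
func IsRevoked(bits []byte, index int) (bool, error) {
	if index < 0 || index/8 >= len(bits) {
		return false, fmt.Errorf("statusListIndex %d outside list of %d entries", index, len(bits)*8)
	}
	return bits[index/8]&(0x80>>uint(index%8)) != 0, nil
}

// EncodeList produces the encodedList value: GZIP, then base64.
func EncodeList(bits []byte) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(bits); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeList reverses EncodeList. The status list credential is fetched from a
// URL the issuer chose, so decompression is capped: a hostile or compromised
// host must not be able to exhaust verifier memory with a small gzip bomb.
func DecodeList(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	bits, err := io.ReadAll(io.LimitReader(zr, maxListBytes+1))
	if err != nil {
		return nil, err
	}
	if len(bits) > maxListBytes {
		return nil, errors.New("status list exceeds size limit")
	}
	if len(bits) < minListBytes {
		return nil, fmt.Errorf("status list is %d bytes, below the %d byte minimum", len(bits), minListBytes)
	}
	return bits, nil
}

func main() {
	// Constructed sample: an issuer's list with three revoked entries.
	bits := make([]byte, minListBytes)
	for _, i := range []int{0, 9, 131071} {
		if err := SetBit(bits, i); err != nil {
			panic(err)
		}
	}
	enc, err := EncodeList(bits)
	if err != nil {
		panic(err)
	}
	list, err := DecodeList(enc)
	if err != nil {
		panic(err)
	}
	for _, i := range []int{0, 1, 9, 131071, 131072} {
		revoked, err := IsRevoked(list, i)
		fmt.Printf("index %d: revoked=%v err=%v\n", i, revoked, err)
	}
}
```

Before trusting the decoded bits, a verifier also has to validate the status list credential itself (signature, issuer, and a `statusPurpose` that matches the credential being checked); that part is outside this example.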
Changes
- Removed support for deprecated network TLS properties. Configuring these properties will now cause the node not to start.
- Removed usage of deprecated `purposeOfUseClaim` in `NutsAuthorizationCredential`.
- Removed support for the UZI authentication means.
- Documentation of `did:nuts`-related features has been removed (refer to the v5 documentation).
- Documentation of specific use cases (e.g. health care in general or eOverdracht) has been moved to the Nuts wiki.
- The node can now be run without configuring TLS when the gRPC network isn't used (`didmethods` does not contain `nuts`), to cater for use cases that don't use `did:nuts`.
- Crypto backends store keys under a key name and are linked to the kid via the `key_reference` SQL table.
The following features have also been changed:
DID management
You no longer manage changes to DIDs but to Subjects. Each subject has multiple DIDs, one for each enabled DID method.
You're free to choose an ID for a Subject. This feature enables forward compatibility with new DID methods.
DID methods can be enabled and disabled via the `didmethods` config parameter (default: `['web','nuts']`).
Existing `did:nuts` documents will be migrated to self-controlled at startup, and the DID will be added as SubjectID together with a new `did:web` DID.
HTTP interface
The HTTP interface has been reworked to make deployments simpler and more secure:
- No more dynamic binding of endpoints to ports: endpoints are now bound to either the internal interface (`8081`) or the public interface (`8080`).
- Server-side TLS for HTTP has been dropped, since the Nuts node is always expected to be deployed behind a reverse proxy/ingress that handles TLS termination.
- API authentication is now only applied to `/internal` endpoints, since those are the only API endpoints that should be protected with authentication.
- CORS support has been removed. As it is only required by user authentication endpoints that are considered to be deprecated, CORS headers can be set by a reverse proxy if still required.
Port configuration
To simplify HTTP configuration and proxying and make the default more secure, HTTP endpoints now map to 2 HTTP interfaces:
- port `8081` for all internal-facing endpoints (`/internal`, `/status`, `/metrics`, `/health`)
- port `8080` for all public-facing endpoints (all others)
Note that `8081` by default binds to `127.0.0.1` only, so you might need to configure it to be accessible from other machines. Only `8080` should be reachable through the reverse proxy; `/status`, `/metrics` and `/health` carry no API authentication, so the internal interface must not be forwarded to untrusted networks.
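To make the two-interface layout concrete, here is an added Go example, written for this page rather than taken from nuts-node, that mirrors the split described in the "HTTP interface" and "Port configuration" sections: one listener on `127.0.0.1:8081` for `/internal`, `/status`, `/metrics` and `/health`, one on `:8080` for everything else, no TLS on either, and an authentication check only on `/internal`. The static bearer token (`exampleToken`) is a stand-in for whatever the node actually uses on `/internal`, which this page does not describe; the path prefixes are the ones listed above.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// exampleToken stands in for the node's real /internal API authentication; the
// release notes only say that authentication applies to /internal.
const exampleToken = "example-internal-token"

// internalPrefixes are the endpoint groups the v6 release notes bind to the
// internal interface (8081); everything else is served on the public one (8080).
var internalPrefixes = []string{"/internal", "/status", "/metrics", "/health"}

// InterfaceFor classifies a request path as "internal" or "public".
func InterfaceFor(path string) string {
	for _, p := range internalPrefixes {
		if path == p || strings.HasPrefix(path, p+"/") {
			return "internal"
		}
	}
	return "public"
}

// requireBearer gates next behind "Authorization: Bearer <token>", comparing in
// constant time so a wrong token cannot be narrowed down byte by byte.
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		got := strings.TrimPrefix(auth, "Bearer ")
		if got == auth || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewInternalHandler builds the 8081 side: /internal/* requires the token, while
// /status, /metrics and /health are unauthenticated and rely on the loopback bind.
func NewInternalHandler(token string) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	mux := http.NewServeMux()
	for _, p := range []string{"/status", "/metrics", "/health"} {
		mux.Handle(p, ok)
		mux.Handle(p+"/", ok) // e.g. /status/diagnostics
	}
	mux.Handle("/internal/", requireBearer(token, ok))
	return mux
}

// NewPublicHandler builds the 8080 side. It answers 404 for internal paths even
// if a misconfigured proxy forwards them, so the proxy is not the only defence.
func NewPublicHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if InterfaceFor(r.URL.Path) == "internal" {
			http.NotFound(w, r)
			return
		}
		w.WriteHeader(http.StatusOK) // public endpoints, e.g. /.well-known/did.json
	})
}

func main() {
	go func() {
		// Internal interface on loopback only. Neither listener speaks TLS; the
		// reverse proxy or ingress in front of 8080 terminates it.
		log.Fatal(http.ListenAndServe("127.0.0.1:8081", NewInternalHandler(exampleToken)))
	}()
	log.Fatal(http.ListenAndServe(":8080", NewPublicHandler()))
}
```

The point of the public handler's 404 is defence in depth: in the real deployment the proxy should only forward to 8080, but if someone later adds a catch-all `proxy_pass` to 8081, the internal endpoints must still not become reachable through the public hostname.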
Deprecated features
The following features have been deprecated:
- The external key store API has been deprecated and will be removed in the next major release.
  It was introduced to allow flexible support for other key storage backends, while reducing the number of dependencies and clients to maintain in the Nuts node.
  In practice, however, the secret store API is itself unmaintained and lacks features (e.g. authentication/authorization).
  Starting with v6, the preferred way to support other key storage backends is to implement them directly in the Nuts node itself.
  This also reduces the complexity of a Nuts node deployment (one service less to configure and deploy).
  Users are recommended to switch to the built-in client of their key storage backend.
- Auth v1 API, replaced by Auth v2
- DIDMan v1 API, to be removed
- Network v1 API, to be removed
- VDR v1 API, replaced by VDR v2