Neptune DXP - SAP Edition 24.14.1 release notes
January 29, 2026
Important license notices
System Settings
- General HTTP security headers table #641
-
A general table for customizing security-related HTTP response headers was introduced, with no length restriction on the header values. With this, the dedicated settings for Content-Security-Policy, Strict-Transport-Security, Permissions-Policy, and Referrer-Policy have been deprecated and removed. The installation check report, run after the upgrade, migrates any such existing settings into the new table.
- AJAX_ID calls that return 403 Forbidden still show the empty JSON structure #672
-
When you protect an app with the SAP Authorization setting in the App Designer, the app returns a 403 Forbidden error. This is the case when the view is requested (within a launchpad or mobile client or as a standalone app) but also on the Ajax calls. Even though the Ajax calls returned a 403 Forbidden error, the response body still showed the empty JSON structure of the AJAX_ID call. Now an empty response body is returned when the AJAX_ID call returns a 403 Forbidden error.
Cockpit
- Minimum system requirements for OAuth #671
-
The minimum system requirements check for using OAuth authentication for PWAs and mobile clients was corrected. The correct minimum system requirement is SAP_BASIS 740 SP10. When this requirement is not met, OAuth will not be available as an authentication method in the Cockpit for PWAs and mobile clients.
- /NEPTUNE/READ_ONLY role does not allow access to Cockpit #646
-
When assigning the role /NEPTUNE/READ_ONLY to an SAP user, it is expected that this user can see all tools in the Neptune Cockpit. This was not the case as the user saw a Not authorized dialog when opening the Cockpit with no option to continue. The role is now properly evaluated and the user can browse the Cockpit in read-only mode as expected.
Cockpit Mobile Client
- Policies do not appear in the Mobile Client tool #700
-
After applying a policy to a mobile client, when refreshing the page, or going back to the tool and re-opening the mobile client, the policies did not appear.
Launchpad & Mobile Client
- PIN Code screen message #674
-
The PIN code screen includes an area for error messages. This area had a fixed height taking up too much space on smaller devices. The message area is now dynamic and only takes up as much space as needed.
- Custom fonts not loading in mobile client #655
-
When building a mobile client with custom fonts, those were not embedded in the mobile client ZIP. They were thus not usable in mobile client scenarios.
- OAuth relog fails when user email is compared against ID token email #658
-
When using an OAuth provider that issues ID tokens with an email field, the relog flow checks whether the user who is reauthenticating is the correct user. When this comparison was made through the email property of the ID token, it failed.
- Authentication loop when CSRF is enabled (OAuth + BTP scenario) #664
-
When using the Neptune DXP - Proxy OAuth flow provider in a mobile client authentication setting and that mobile client also had CSRF protection turned on, it was not possible to authenticate. The user was caught in an endless loop: "PIN code screen → launchpad → errors → PIN code screen". The errors were displayed as message toasts with 403 Forbidden because of a failed CSRF check.
- i18n files cannot be loaded in mobile clients with the OAuth flow Provider BTP #691
-
The new Neptune DXP - Proxy allows mobile clients to run securely through SAP BTP and SAP Cloud Connector. All endpoints against SAP are secured by CIS, so each call requires a Bearer token to be present. With this change we enhanced the mobile client logic for /neptune/public/… and /neptune/server/… XMLHttpRequest calls to include the Bearer token, even though in normal mobile client scenarios those endpoints would not require any authentication as they are serving static assets. As the i18n message bundle files are reloaded when the user logs into the mobile client and as they are served via the /neptune/public/… ICF node, they do require the Bearer token to be present in order to work for the Neptune DXP - Proxy. With this change, the i18n files can now successfully be loaded in such a mobile client scenario.
- Neptune DXP - Proxy OAuth Flow Provider does not allow PIN code reauthentication #677
-
When using the Neptune DXP - Proxy OAuth flow provider in a mobile client authentication setting and this mobile client has the PIN code enabled, the reauthentication after the user selects Lock did not work and the user was forced to reauthenticate at BTP CIS. This happened because, in the lock flow, we revoke the current access token by calling the corresponding OAuth endpoint. There might be OAuth Flow Providers that cannot revoke only an access token but would revoke all tokens within a revocation call (see https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/call-identity-authentication-revoke-token-endpoint as an example). In such cases, the token revocation call on the mobile client lock event needs to be disabled. We have now introduced a new checkbox in the OAuth settings of the mobile client to disable the access token revocation call on Lock, so the refresh token stays intact and can be used in a later PIN code reauthentication flow without requiring the user to log in again from scratch.
- Icon display shape #698
-
Setting the Icon Display Shape in a tile layout caused an error in the launchpad.
- Relog verification also with SubjectNameIdentifier (idToken.sub == AppCache.CurrentUname) #701
-
When the relog authentication flow in OAuth fails due to an expired refresh token, the user is prompted with a new authorization login window. After the user has successfully authorized there, we need to ensure that the authorization took place as the same user that is actually saved for the PIN code with which the user tried to log in from the outset. This happens in function AppCacheLogonOAuth._isValidTokenToPinUser. Until now, we used name, email, and alias as verification elements. This verification logic is now enhanced to also compare the SubjectNameIdentifier (oToken_Id.sub field) with the SAP Username (AppCache.CurrentUname, which is SY-UNAME).
- Skip login screen for OAuth #695
-
If browsertype Native was selected for OAuth authentication, the logon screen was always displayed. The logon screen should be skipped if there are no options for the user other than to select Logon. This means the logon screen is only displayed if there are options for selecting language or SAP client, or if a custom login page has been assigned to the mobile client. A custom login page can be assigned to display a welcome message or add branding to the logon screen.
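The relog verification described under #701, as an added JavaScript sketch that is not Neptune's AppCacheLogonOAuth._isValidTokenToPinUser: it compares ID token claims with the user saved for the PIN. The claim names, the pinUser shape, the case-insensitive comparison and accepting a match on any single element are assumptions.

```javascript
// Added example; every name here is hypothetical, not Neptune DXP code.

// Decode the claims (second segment) of a compact JWT. Signature validation
// is assumed to have been done already by the OAuth client.
function decodeIdTokenClaims(idToken) {
  const parts = String(idToken).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Normalise for comparison: SY-UNAME is upper case, the token's sub may not be.
const norm = (v) => (typeof v === "string" ? v.trim().toLowerCase() : "");

// pinUser is the identity saved with the PIN: { uname, email, name, alias }.
// Returns the name of the first matching element, or null if none matches.
// Empty or missing values never count as a match, so a token without an
// email claim cannot "match" a stored user without an email address.
function matchTokenToPinUser(idToken, pinUser) {
  const claims = decodeIdTokenClaims(idToken);
  const checks = [
    ["sub", claims.sub, pinUser.uname],
    ["email", claims.email, pinUser.email],
    ["name", claims.name, pinUser.name],
    ["alias", claims.alias, pinUser.alias],
  ];
  for (const [label, claim, stored] of checks) {
    if (norm(claim) !== "" && norm(claim) === norm(stored)) return label;
  }
  return null;
}

// Constructed sample data: unsigned tokens built locally for the demo.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "none" }), enc(claims), "constructed"].join(".");
}

const pinUser = { uname: "JDOE", email: "", name: "", alias: "" };
const sameUser = makeSampleToken({ sub: "jdoe" });
const otherUser = makeSampleToken({ sub: "asmith", email: "" });

console.log(matchTokenToPinUser(sameUser, pinUser));  // "sub"
console.log(matchTokenToPinUser(otherUser, pinUser)); // null
```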
App Designer
- sap.m.GenericTile Support #670
-
The badge aggregation for sap.m.TileInfo, linkTileContents aggregation for sap.m.LinkTileContent, and actionButtons aggregations are now supported in the sap.m.GenericTile UI5 control. This allows developers to add additional information to tiles, enhancing the user experience and providing more context.
- Labels are missing with OData V2 #665
-
By using the wizard Insert Fields (Edit/Display), field labels and table headers are now read from the metadata description and inserted into the text property.
API Designer
- /neptune/api missing some authentication types in its custom login sequence #689
-
The /neptune/api/ ICF node comes with a custom ICF login sequence to give basic authentication priority over other authentication mechanisms (like session cookies). This custom ICF login sequence was missing authentication mechanisms: SAML Bearer Token, OIDC Bearer Token, OIDC-Anmeldung. This might have led to authentication issues when OpenID Connect is configured in interactive mode, for example. These are now added into their default sequence places from SAP Standard.
Deprecation notice
- OData Source #702
-
Proxy version 1 is marked as "deprecated" and should not be used for new OData Services anymore.
More information
Are you looking for more information? To access full details of the technical changelog for Neptune DXP - SAP Edition 24.14.1, please contact lloyd.trevarthen@neptune-software.com