okta
diff --git a/‎CHANGELOG.md‎
Lines changed: 32 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 6 additions & 2 deletions b/‎README.md‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎api/src/main/resources/custom_templates/ApiClient.mustache‎
Lines changed: 84 additions & 8 deletions b/‎api/src/main/resources/custom_templates/ApiClient.mustache‎
Lines changed: 84 additions & 8 deletions
diff --git a/‎impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java‎
Lines changed: 32 additions & 22 deletions b/‎impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java‎
Lines changed: 32 additions & 22 deletions
diff --git a/‎impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPNonceExpiredException.java‎
Lines changed: 29 additions & 0 deletions b/‎impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPNonceExpiredException.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎impl/src/test/groovy/com/okta/sdk/impl/cache/DefaultCacheManagerTest.groovy‎
Lines changed: 8 additions & 8 deletions b/‎impl/src/test/groovy/com/okta/sdk/impl/cache/DefaultCacheManagerTest.groovy‎
Lines changed: 8 additions & 8 deletions
@@ -1,3 +1,35 @@
+# Release v25.0.1 - Bug Fixes and Cache Improvements
+
+## 🐛 Bug Fixes
+
+- **#1568**: Fixed `unique` property type in `UserSchemaAttribute` and `GroupSchemaAttribute` (changed from boolean to string to support values like 'UNIQUE_VALIDATED')
+- **#1608**: Fixed DPoP nonce expiration causing intermittent "Invalid session" errors after 22-24 hours - SDK now automatically refreshes access token when nonce expires
+- **#1615/#1667**: Fixed `LinksResend.resend` array type issue causing `MismatchedInputException`
+- **#1618**: Fixed cache `ClassCastException` with type validation
+- **#1619**: Fixed `OIDCApplicationBuilder` default name
+- **#1622**: Fixed `expirePasswordWithTempPassword` return type ⚠️ **Breaking Change** - now returns `TempPassword` instead of `User`
+- **#1642**: Added support for custom attributes in `OktaUserGroupProfile`
+- **#1650**: Fixed `PasswordPolicyRule.equals()` to include parent attributes
+- **#1653**: Added missing `rootSessionId` field to `LogAuthenticationContext`
+- **#1600**: Implemented resource-specific cache configuration
+- **#1657**: Upgraded Apache HttpClient5 to 5.5.1 (fixes connection pool leak)
+- **#1666**: Fixed JUnit dependency scope
+
+## � Security Updates
+
+- **#19**: Upgraded Bouncy Castle from 1.78.1 to 1.79 (fixes CVE - Excessive Allocation vulnerability in bcpkix/bcprov)
+- **#11**: Upgraded TestNG from 7.0.0 to 7.5.1 (fixes Path Traversal vulnerability)
+
+## �🔧 Cache System Improvements
+
+- Multi-cache invalidation for nested resources
+- Fixed path matching for `/federated-claims/` and `/group-push/mappings/`
+- Cross-cache invalidation for lifecycle operations
+- Defensive exception handling to prevent cache errors from masking API exceptions
+- **Result**: All 431 integration tests passing
+
+---
+
 # Release v25.0.0 - Major SDK Refactoring and Enhanced Test Coverage
 
 ## 📋 Overview
 
@@ -81,7 +81,7 @@ This library uses semantic versioning and follows Okta's [library version policy
 | 22.x.x                                                      | :heavy_check_mark: Stable ([see changes](https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-22.0.0))                       |
 | 23.x.x                                                      | :heavy_check_mark: Stable ([see changes](https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-23.0.0))                       |
 | 24.x.x                                                      | :heavy_check_mark: Stable ([see changes](https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-24.0.0))                       |
-| 25.x.x                                                      | :heavy_check_mark: Stable ([see changes](https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-25.0.0), [migration guide](MIGRATING.md#migrating-from-24xx-to-2500)) |
+| 25.x.x                                                      | :heavy_check_mark: Stable ([see v25.0.0](https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-25.0.0), [see v25.0.1](https://github.com/okta/okta-sdk-java/releases/tag/okta-sdk-root-25.0.1), [migration guide](MIGRATING.md#migrating-from-24xx-to-2500)) |
 
 The latest release can always be found on the [releases page][github-releases].
 
@@ -94,8 +94,12 @@ If you're upgrading from a previous version, please review the migration guide:
 | 24.x | 25.x | [MIGRATING.md](MIGRATING.md#migrating-from-24xx-to-2500) |
 | 8.x | 10.x | [MIGRATING.md](MIGRATING.md#migrating-from-8xx-to-10xx) |
 
-### Key Changes in v25.0.0
+### Key Changes in v25.x
 
+**v25.0.1 (Breaking Change)**
+- **Breaking Change**: `expirePasswordWithTempPassword` now returns `TempPassword` instead of `User` (#1622)
+
+**v25.0.0 (Major Release)**
 - **OpenAPI Spec Update**: Upgraded to v5.1.0 with 70+ new endpoints
 - **Breaking Changes**: User object schema, Authenticator APIs, Factor APIs, Policy APIs
 - **Custom Deserializers**: 9 new deserializers for proper polymorphic type handling
 
@@ -43,6 +43,7 @@ import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.client5.http.impl.cookie.BasicClientCookie;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
+import org.apache.hc.core5.http.ClassicHttpRequest;
 import org.apache.hc.core5.http.ContentType;
 import org.apache.hc.core5.http.Header;
 import org.apache.hc.core5.http.HttpEntity;
@@ -116,6 +117,8 @@ import {{invokerPackage}}.auth.Authentication;
 {{#hasOAuthMethods}}
     import {{invokerPackage}}.auth.OAuth;
 {{/hasOAuthMethods}}
+    // Always import HttpBearerAuth for DPoP token management
+    import {{invokerPackage}}.auth.HttpBearerAuth;
 
 {{>generatedAnnotation}}
 public class ApiClient{{#jsr310}} extends JavaTimeFormatter{{/jsr310}} {
@@ -1564,10 +1567,10 @@ protected List<ServerConfiguration> servers = new ArrayList<ServerConfiguration>
 
                                                                                                 if (Objects.isNull(cacheData)) {
 
-                                                                                            try (CloseableHttpResponse response = httpClient.execute(builder.build(), context)) {
-                                                                                            T t = processResponse(response, returnType);
+                                                                                        try (CloseableHttpResponse response = executeWithDPoPRetry(builder.build(), context)) {
+                                                                                        T t = processResponse(response, returnType);
 
-                                                                                            if (Objects.nonNull(t)) {
+                                                                                        if (Objects.nonNull(t)) {
 
                                                                                                     if (t instanceof String && accept != null && accept.contains("xml")) {
                                                                                                          return t;
@@ -1606,18 +1609,91 @@ protected List<ServerConfiguration> servers = new ArrayList<ServerConfiguration>
 
                                                                                             } else {
 
-                                                                                            try (CloseableHttpResponse response = httpClient.execute(builder.build(), context)) {
-                                                                                            T t = processResponse(response, returnType);
+                                                                                        try (CloseableHttpResponse response = executeWithDPoPRetry(builder.build(), context)) {
+                                                                                        T t = processResponse(response, returnType);
 
-                                                                                            // Don't cache responses from PUT/POST/DELETE operations
-                                                                                            // Only GET requests are cacheable
-                                                                                            return t;
+                                                                                        // Don't cache responses from PUT/POST/DELETE operations
+                                                                                        // Only GET requests are cacheable
+                                                                                        return t;
                                                                                             } catch (IOException | ParseException e) {
                                                                                             throw new ApiException(e);
                                                                                             }
                                                                                             }
                                                                                             }
 
+
+    /**
+     * Execute HTTP request with automatic retry for DPoP nonce expiration.
+     * If DPoP nonce has expired, clears the access token to force refresh and retries once.
+     * 
+     * @param request the HTTP request to execute
+     * @param context the HTTP client context
+     * @return the HTTP response
+     * @throws IOException if an I/O error occurs
+     */
+    private CloseableHttpResponse executeWithDPoPRetry(ClassicHttpRequest request, HttpClientContext context) throws IOException {
+        try {
+            return httpClient.execute(request, context);
+        } catch (Exception e) {
+            // Check if this is a DPoP nonce expiration
+            if (isDPoPNonceExpired(e)) {
+                // Clear access token to force refresh on retry
+                // This will trigger a new token request which will get a fresh DPoP nonce
+                clearAccessToken();
+                
+                // Retry the request once with refreshed token/nonce
+                return httpClient.execute(request, context);
+            }
+            // Re-throw other exceptions
+            if (e instanceof IOException) {
+                throw (IOException) e;
+            }
+            throw new IOException("Request execution failed", e);
+        }
+    }
+
+    /**
+     * Check if an exception is due to DPoP nonce expiration.
+     * 
+     * @param e the exception to check
+     * @return true if the exception indicates DPoP nonce expiration
+     */
+    private boolean isDPoPNonceExpired(Exception e) {
+        if (e == null) {
+            return false;
+        }
+        
+        // Check if the exception class name contains DPoPNonceExpiredException
+        // We use string matching to avoid compile-time dependency
+        String exceptionClass = e.getClass().getName();
+        if (exceptionClass.contains("DPoPNonceExpiredException")) {
+            return true;
+        }
+        
+        // Check cause chain
+        Throwable cause = e.getCause();
+        while (cause != null) {
+            if (cause.getClass().getName().contains("DPoPNonceExpiredException")) {
+                return true;
+            }
+            cause = cause.getCause();
+        }
+        
+        return false;
+    }
+
+    /**
+     * Clear the cached access token to force refresh on next request.
+     * This is called when DPoP nonce expires to trigger a new OAuth2 token request.
+     */
+    private void clearAccessToken() {
+        // Clear the bearer token from OAuth2 authentication
+        // This forces the OAuth2RequestAuthenticator to get a new token on the next request
+        Authentication oauth2Auth = authentications.get("oauth2");
+        if (oauth2Auth != null && oauth2Auth instanceof HttpBearerAuth) {
+            ((HttpBearerAuth) oauth2Auth).setBearerToken((String) null);
+        }
+    }
                                                                                             /**
                                                                                             * Update query and header parameters based on authentication settings.
                                                                                             *
 
@@ -15,24 +15,6 @@
  */
 package com.okta.sdk.impl.oauth2;
 
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import io.jsonwebtoken.JwtBuilder;
-import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.io.Encoders;
-import io.jsonwebtoken.security.Jwks;
-import io.jsonwebtoken.security.PrivateJwk;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.hc.client5.http.classic.ExecChain;
-import org.apache.hc.client5.http.classic.ExecChainHandler;
-import org.apache.hc.core5.http.ClassicHttpRequest;
-import org.apache.hc.core5.http.ClassicHttpResponse;
-import org.apache.hc.core5.http.Header;
-import org.apache.hc.core5.http.HttpException;
-import org.apache.hc.core5.http.HttpRequest;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import java.io.IOException;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
@@ -44,8 +26,27 @@
 import java.util.Date;
 import java.util.UUID;
 
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hc.client5.http.classic.ExecChain;
+import org.apache.hc.client5.http.classic.ExecChainHandler;
+import org.apache.hc.core5.http.ClassicHttpRequest;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.Header;
+import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.HttpRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import static com.okta.sdk.impl.oauth2.AccessTokenRetrieverServiceImpl.TOKEN_URI;
 
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.io.Encoders;
+import io.jsonwebtoken.security.Jwks;
+import io.jsonwebtoken.security.PrivateJwk;
+
 /**
  * Interceptor that handle DPoP handshake during auth and adds DPoP header to regular requests.
  * It is always enabled, but is only active when a DPoP error is received during auth.
@@ -78,11 +79,20 @@ public class DPoPInterceptor implements ExecChainHandler {
     public ClassicHttpResponse execute(ClassicHttpRequest request, ExecChain.Scope scope, ExecChain execChain)
         throws IOException, HttpException {
         boolean tokenRequest = request.getRequestUri().equals(TOKEN_URI);
-        if (tokenRequest && nonce != null && nonceValidUntil.isBefore(Instant.now())) {
-            log.debug("DPoP nonce expired, will refresh it");
-            nonce = null;
-            nonceValidUntil = null;
+        
+        // Check if nonce has expired
+        if (nonce != null && nonceValidUntil.isBefore(Instant.now())) {
+            if (tokenRequest) {
+                log.debug("DPoP nonce expired on token request, will refresh it");
+                nonce = null;
+                nonceValidUntil = null;
+            } else {
+                // Nonce expired on regular API request - need to refresh access token to get new nonce
+                log.info("DPoP nonce expired on API request, triggering token refresh");
+                throw new DPoPNonceExpiredException();
+            }
         }
+        
         if (jwk != null) {
             processRequest(request, tokenRequest);
         }
 
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2024-Present Okta, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.okta.sdk.impl.oauth2;
+
+/**
+ * Exception thrown when DPoP nonce has expired on a regular API request.
+ * This signals that the access token needs to be refreshed to obtain a new nonce.
+ * The request should be retried after token refresh.
+ */
+public class DPoPNonceExpiredException extends RuntimeException {
+
+    public DPoPNonceExpiredException() {
+        super("DPoP nonce has expired. Access token refresh required.");
+    }
+
+}
@@ -90,7 +90,7 @@ class DefaultCacheManagerTest {
         mgr.setDefaultTimeToIdle(tti)
 
         def cache = mgr.getCache('foo')
-        assertEquals cache.timeToIdle.seconds, tti.getSeconds()
+        assertEquals((long) tti.getSeconds(), cache.timeToIdle.seconds)
     }
 
     @Test
@@ -110,8 +110,8 @@ class DefaultCacheManagerTest {
         def string = mgr.toString()
         def json = new JsonSlurper().parseText(string)
 
-        assertEquals json.cacheCount, 2
-        assertEquals json.caches.size(), 2
+        assertEquals 2, (int) json.cacheCount
+        assertEquals 2, (int) json.caches.size()
         assertEquals json.defaultTimeToLive, 'indefinite'
         assertEquals json.defaultTimeToIdle, 'indefinite'
 
@@ -125,11 +125,11 @@ class DefaultCacheManagerTest {
         for(def name : names) {
             def cache = caches.get(name)
             assertEquals cache.name, name
-            assertEquals cache.size, 0
-            assertEquals cache.accessCount, 0
-            assertEquals cache.hitCount, 0
-            assertEquals cache.missCount, 0
-            assertEquals cache.hitRatio, 0.0
+            assertEquals 0, (int) cache.size
+            assertEquals 0, (int) cache.accessCount
+            assertEquals 0, (int) cache.hitCount
+            assertEquals 0, (int) cache.missCount
+            assertEquals 0.0, (double) cache.hitRatio
         }
     }