
UAA 3.12.0 Security Release (CVE-2017-4960)

@bsekar bsekar released this 27 Feb 19:18

This is a security release which addresses CVE-2017-4960.

This release also re-introduces JWT-based refresh tokens. Refresh tokens are no longer opaque and revocable by default; this was done because the revocable_tokens table filled up in large UAA deployments.

The format of the refresh token can now be set per Identity Zone via the API, and can be bootstrapped from the UAA.yml file for the default zone.

```yaml
#    refresh:
#      unique: false   # If true, uaa will only issue one refresh token per client_id/user_id combination
#      format: jwt
```
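Added here as a worked example, not UAA's own code: an offline inspector that tells the two refresh-token formats apart and makes the trade-off above concrete, since a JWT refresh token is honoured until its expiry and cannot be revoked by deleting a revocable_tokens row. The HS256 signer, the signing key, the claim names client_id/user_id/exp and both sample tokens are constructed for this example; UAA's actual signing algorithm and claim layout may differ.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    # Constructed HS256 signer used only to build the sample below (not UAA's own signer)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def classify_refresh_token(token: str) -> str:
    # 'jwt' when the token is a three-segment JWS whose JSON header names an alg, else 'opaque'
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64 or non-JSON header: not a JWS
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"

def inspect_refresh_token(token: str, verify_key: bytes = None) -> dict:
    # What an operator can learn from a token offline, and whether deleting a row revokes it
    if classify_refresh_token(token) == "opaque":
        # Opaque tokens carry no claims; validity lives only in the revocable_tokens row
        return {"format": "opaque", "revocable_by_row_delete": True}
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    info = {"format": "jwt", "revocable_by_row_delete": False,  # honoured until exp
            "client_id": claims.get("client_id"), "user_id": claims.get("user_id"),
            "exp": claims.get("exp")}
    if verify_key is not None:
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(verify_key, signed, hashlib.sha256).digest()
        info["signature_valid"] = hmac.compare_digest(expected, _b64url_decode(sig_b64))
    return info

# Constructed samples: a UAA-style opaque refresh token id and an HS256 JWT refresh token
SAMPLE_KEY = b"constructed-signing-key"
OPAQUE_SAMPLE = "9f2c1f6a3b9b4d8e8c1a2b3c4d5e6f70-r"
JWT_SAMPLE = make_hs256_token({"client_id": "app", "user_id": "u-123", "exp": 1893456000}, SAMPLE_KEY)
```

With `format: opaque` the store must be consulted (and pruned) for every refresh; with `format: jwt` the signature and `exp` alone decide validity, which is what keeps the table from growing.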