Skip to content

What's new for Domino REST API v1.1.3.1

Domino REST API v1.1.3.1 supersedes and should be used in place of v1.1.3.

Release date: April 30, 2025

New features

  • Added the option to use Proof Key for Code Exchange (PKCE) as the authentication method for the created OAuth app on the Application Management page in the Admin UI. PKCE enhances security by ensuring that only the intended client can obtain an access token, providing a strong defense against potential security threats.

For more information, see Add an application.

  • Added OpenAPI schema and Swagger page for the Web Application Open Platform Interface or WOPI protocol that provides a set of endpoints enabling seamless online collaborative editing of document attachments in Domino.

  • Added the capability of setting the WebDAV and WOPI session durations and lock durations using the following configuration parameters:

  • WopiSessionSeconds

  • WebdavSessionSeconds
  • WopiLockSeconds
  • WebdavLockSeconds

For more information, see Configuration parameters for details of the configuration parameters and Modify configuration of Domino REST API for the procedure on modify the Domino REST API configuration.

  • New option for logging in to the Admin UI

You can now log in to the Admin UI using the Log in with OIDC option. This option enables the use of Domino REST API IdP and implements the OAuth process requiring user consent to log in. It also enables the use of external IdP to log in to the Admin UI that uses authorization code flow with PKCE.

For more information, see Log in options.

Improvements

  • Cache ACL Lookups for faster operations.
  • Enhanced POST v1/run/formula to support forms array and form alias.
  • Improved error handling when an error occurs while saving a configured form by still making the field editor accessible.
  • Improved error handling for failed calls when initiating PKCE authorization or token refresh.

Resolved issues

  • Fixed the issue where calling an endpoint with an HTTP Method that isn't supported with this endpoint would return an HTTP 204. Fixed to return HTTP 404 in this case.
  • Fixed the issue where the creation of a document via a POST method succeeded even when the field, set as required by the Required toggle in the Field Setting, was missing from the request payload.
  • Fixed the issue with the POST pim-v1/message endpoint related to a sent message not being received when multiple recipients were in the To, CC, or BCC field.

Breaking changes

CORS is now using Regex

Browser-based applications that are hosted on a different host need CORS link image support. Until Domino REST API v1.1.2, this was done by providing a plain string that a domain would need to end on. Starting Domino REST API v1.1.3, this is replaced with a regular expression (Regex) link image.

Old:

{
  "CORS": {
    "localhost": true,
    ".local": true
  }
}

New:

{
  "CORS": {
    "^https?:\\/\\/localhost(?:\\:\\d+)?$": true,
    "^https?:\\/\\/.*\\.local(?:\\:\\d+)?$": true
  }
}

A few pointers:

  • ^ → beginning of the string
  • http → the literal string http
  • s? → optional the string s
  • \\/ → double escape the string /
  • .* → one or more characters of any type
  • \\. → double escape the string .
  • (?:\\:\\d+)? → double escaped optional colon and port number
  • $ → end of string

Tip

  • Inside JSON, the \ of Regex gets escaped to \\.

  • Use a Regex tool.

    Regex can be hard to decipher and understand due to their syntax and flexibility. To test if a Regex does what you want, use an online interactive tool for validation. Make sure to pick the Java flavor.

This enables greater flexibility, but requires an update to your CORS variable if you have made changes in keepconfig.d to your CORS configuration.

Example:

Change mycompany.com to https:\\/\\/.*\\.mycompany\.com:8000$ to allow only https on port 8000 for mycompany.com.

You need to include your host

The new CORS implementation is designed to be restrictive, any HTTP request presenting an origin header will be checked against your configuration and denied if no match can be found. The CORS specification states:

Ultimately server developers have a lot of freedom in how they handle HTTP responses and these tactics can differ between the response to the CORS-preflight request and the CORS request that follows it

We decided on the side of caution, and fail any request that is not a match for a presented origin header. As a result you have to include your DRAPI host in your CORS setup.

See the full details here

Note

The CORS update may affect logging in to and using the Admin UI. For more information on addressing the issue, see Configure CORS for AdminUI, OAuth and your applications.

Others

  • Installer jar files:
  • For Domino 14: restapiInstall-r14.jar
  • For Domino 12: restapiInstall-r12.jar
  • Docker image version for docker compose .env file (CONTAINER_IMAGE):
  • For Domino 14: domino-rest-api:1.1.3.1-r14
  • For Domino 12: domino-rest-api:1.1.3.1-r12
  • Docker image version for docker compose .env file from Harbor:
  • For Domino 14: hclcr.io/domino/restapi:1.1.3.1-r14
  • For Domino 12: hclcr.io/domino/restapi:1.1.3.1-r12