
Cloudentity Platform Changelog

Generic Open Banking Solution for Security Profile Compliance

New Feature
Sep 27 2023

Added a new workspace profile, Generic Open Banking, along with a demo option (a Try out button shown when creating a workspace).

When launching the demo, a new Go Bank Demo workspace is created based on the FAPI 2.0 security profile.

After following the quickstart guide, a new Hyperscale Bank workspace is provisioned.

Both workspaces showcase how a Generic Open Banking deployment can be built with the Cloudentity authorization server and external consent storage.

Enforce Minimal Number of Lowercase Characters in Passwords

New Feature
Sep 21 2023

Added the ability to enforce a minimum number of lowercase characters in a password policy.

Executing Scripts Fixed for Workspaces with Underscores in IDs

Bug Fix
Sep 21 2023

Fixed a bug where extension scripts could not be executed if the workspace ID contained an underscore character.

Controlling SSO Session Renewal via SSO-Session-Extend Header

New Feature
Sep 21 2023

Added the ability to skip SSO session renewal on the userinfo and introspect endpoints by sending the SSO-Session-Extend: false request header. This lets backend callers inspect a token without extending the user's sliding session.

Expire Passwords

New Feature
Sep 19 2023

It is now possible to set a password expiration period in the Identity Pool configuration using the APIs.

New Audit Events for Services

Enhancement
Sep 18 2023

Added audit events for service creation, modification, and deletion.

Enforce Mandatory Password Resets & Changes

New Feature
Sep 15 2023

Introduced mandatory password reset and mandatory password change flags in the Identity Pools APIs.

Brasil Open Banking Payment APIs Adjustments

Enhancement
Sep 06 2023

Implemented backwards-compatibility adjustments from the Brasil Open Finance specification for the payment consent APIs:

  • GET /open-banking/payments/v2/consents/{consentID} does not allow retrieval of a consent created with the v3 endpoint. In this case, an error code of USO_NAO_COMPATIVEL_VERSAO is returned with HTTP status 400.
  • GET /open-banking/payments/v3/consents/{consentID} allows consents created with the v2 endpoint to be queried.

created_at and updated_at Params Set Automatically for Identity Pools

Enhancement
Sep 06 2023

The created_at and updated_at fields of an Identity Pool schema are now set automatically to the current date if not provided explicitly.

Added Audit Event for Revoking Tokens

Enhancement
Sep 06 2023

Added an audit event for the system-level revoke tokens API.

Token Exchange System Client Removed Upon Gateway/Authorizer Removal

Enhancement
Sep 04 2023

The token exchange system client is now removed when its gateway/authorizer is removed (if the token exchange capability was enabled).

Select Account Page Brandable

Enhancement
Sep 01 2023

Added the ability to see and brand the Select Account page in the theme editor view.

AMR and ACR Claims Propagated in Claim Enrichment Extensions

Enhancement
Aug 31 2023

The amr and acr claims returned by a pre-token-minting (claim enrichment) extension are now propagated into the issued tokens.

Sample extension:

module.exports = async function (ctx) {
	return {
		"amr": ["secret-melody"],
		"acr": "so.secret.1000",
		"access_token": { "server_claim": "value1" }
	};
};

Workspace-Level Configuration Promotion APIs Performance Improvements

Enhancement
Breaking Change
Aug 31 2023

Performance improvements of workspace-level Tenant Configuration Promotion APIs:

  • GET “/promote/config”,
  • POST “/promote/config”,
  • PATCH “/promote/config-rfc6902”
  • PATCH “/promote/config-rfc7396”
  • POST “/clone”

As a side effect, the PATCH APIs can no longer create new workspaces, which is in line with the semantics of PATCH.

Alpha API: Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.

Identity Pools Available as Input for Token Claim Enrichment Extensions

Enhancement
Aug 30 2023

Made the identity_pool object available as input to the pre-token-minting script in the token exchange flow.

IDP and IDPM Claims Preserved after Exchanging Tokens

Enhancement
Aug 30 2023

The idp and idpm claims are now preserved in the ID token after a token exchange.

Improvements to Adding Applications

Enhancement
Aug 25 2023

Changed the admin- and developer-level Create OAuth/SAML Client APIs so that they no longer assign hybrid response modes by default when an application is created with the single_page, server_web, or mobile_desktop application type.

Get Authorization Server API Includes Response Types in Response Schema

Enhancement
Aug 25 2023

Added response_types to the response schema of the developer-level Get Authorization Server API.

Improvements to Well-Known Endpoint

Enhancement
Aug 24 2023

If the well-known endpoint is accessed via the mTLS domain, Cloudentity now returns the mtls_issuer value as the issuer. To avoid introducing a breaking change, this applies only to new authorization servers or to those explicitly migrated to version 3.

Fixed Missing Swagger Definition to Open Banking Brasil Payments Login Endpoint

Bug Fix
Aug 23 2023

Added missing swagger definitions for the GET /open-banking-brasil/payment/v3/{login} endpoint.

SSO Replaces Authentication Context Caching

Enhancement
Breaking Change
Aug 16 2023

Single Sign-On (SSO) capabilities replace authentication context caching. If your organization used this mechanism, switch to Persistent User Sessions (SSO) in the Identity Providers settings.

FDX Dynamic Client Registration (DCR) Available Globally

New Feature
Breaking Change
Aug 16 2023

FDX DCR is now available globally. From now on, the registration_endpoint points to /fdx/dcr/register instead of the regular /oauth2/register DCR endpoint.

Open Finance Brazil Consents API 2.1 Support

Enhancement
Aug 16 2023

Added support for the stable 2.1 release of the Open Finance Brazil Consents API.

Improved Default Policies for Passwordless Authentication

Enhancement
Aug 15 2023

Previously, pwd (password authentication) was the only amr (authentication method reference) value allowed by the NIST-AAL-1/2/3 authorization policies.

Now, the NIST-AAL-1/2/3 authorization policies also allow otp (one-time passwords, i.e. verification codes) and pop (passkeys) as amr values, so users can authenticate with these mechanisms.

Note

The change applies only to new tenants. To use passwordless authentication on an existing tenant, check the contents of the NIST-AAL-1/2/3 policies and add the additional amr values.

SSO Globally Available

New Feature
Aug 11 2023

Single Sign-On (SSO) capabilities are now globally available for all Cloudentity tenants.

If needed, enable SSO in your workspace Identity Providers settings (Identity Providers » Single Sign-On » Persistent Session (SSO mode)).

Passkey Login Improvements

Enhancement
Aug 09 2023

When a passkey login is attempted for a nonexistent user or for a user without WebAuthn credentials set up, Cloudentity returns a fake credential ID instead of null, so the response does not reveal whether the user exists.

authorization_details Without Scopes for Authorization Code Flow

Enhancement
Aug 09 2023

Allowed requesting authorization_details (RAR) without scopes in the authorization code flow.

Previously, if authorization_details were sent and the scope parameter was empty or omitted, the default set of scopes (openid email profile) was assigned to the client application.

DCR and authorization_details_types

Enhancement
Aug 08 2023

Clients can now use dynamic client registration and provide authorization_details_types as defined in RFC 9396.

Improved UI Scaling

Enhancement
Aug 07 2023

Improved Cloudentity UI scaling across multiple devices.

Open Finance Brazil Payment v3 APIs Support

Enhancement
Aug 04 2023

Extended the Open Finance Brazil Consent Management APIs to support requests including v3 payments:

  • POST /servers/{wid}/open-banking-brasil/consents
  • DELETE /servers/{wid}/open-banking-brasil/consents
  • POST /servers/{wid}/open-banking-brasil/consents/{consentID}/consume
  • DELETE /servers/{wid}/open-banking-brasil/consents/{consentID}
  • GET /servers/{wid}/open-banking-brasil/consents/{consentID}

When a v3 payment consent is targeted with the delete APIs, it receives the following rejectionReason JSON:

{
	"rejectionReason": {
		"code": "REJEITADO_USUARIO",
		"details": "O usuário rejeitou a autorização do consentimento"
	}
}

Deprecated Users self/me APIs

Deprecated
Aug 03 2023

The Identity Pool Users self/me APIs are deprecated.

Instead, the OIDC-compliant userinfo API should be used to get information about the user, and the system-level Identity Pool Users APIs for backend applications should be used to update the user's data.

Deprecated Brazil Open Finance Introspect Endpoints

Deprecated
Aug 04 2023

Older iterations of the Brazil Open Finance introspection endpoints (POST /open-banking-brasil/open-banking/payments/v1/consents/introspect and POST /open-banking-brasil/open-banking/payments/v2/consents/introspect) have been marked as deprecated.

The new v3 introspection API should be used instead.

Brazil Open Finance Introspection v3 API for Payments

New Feature
Aug 04 2023

Added introspection endpoint for Open Finance v3 payments located at POST /open-banking-brasil/open-banking/payments/v3/consents/introspect. This endpoint is backwards compatible and can be used to introspect previous versions as well.

Rejection Reason for Open Finance Brazil v3 Payment Consents

New Feature
Aug 02 2023

Added support for the rejectionReason field for Open Finance Brazil v3 payment consents. This includes:

  • Updates to the POST /open-banking-brasil/payment/{login}/reject endpoint. The consent page application can explicitly pass the code and details fields as a JSON object in the request, for example:

    {
    	"rejection_reason": {
    		"code": "VALOR_INVALIDO",
    		"details": "O valor enviado não é válido para o QR Code informado"
    	}
    }

    When a rejection reason is not supplied, Cloudentity sets the following default:

    {
    	"rejection_reason": {
    		"code": "REJEITADO_USUARIO",
    		"details": "O usuário rejeitou a autorização do consentimento"
    	}
    }

  • Updates to the Open Finance Brazil cron jobs that reject consents. Unauthorized consents that expire before the user is able to confirm them receive the code TEMPO_EXPIRADO_AUTORIZACAO. Authorized consents that have expired receive the code TEMPO_EXPIRADO_CONSUMO.

Kong Authorizer Configuration Adjustments

Enhancement
Breaking Change
Aug 02 2023

To avoid configuration drift between the Kong authorizer's configuration and the Helm chart values, certificate details must now be provided under the httpServer.certificate setting instead of directly under httpServer, which matches what the Kong Authorizer supports.

With this change, support for the httpServer.certificate.generated_key_type and httpServer.certificate.password settings was also introduced.

Configuration Promotion New API

New Feature
Aug 01 2023

Added a new API for cloning an existing workspace within one tenant:

POST /{tid}/workspaces/{wid}/promote/config-clone

The ID of the new workspace is a required parameter. Optionally, an RFC 7396 (JSON Merge Patch) document can be passed to be applied to the new workspace.

Alpha API: test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.

Password Security Improvement

Enhancement
Jul 28 2023

An Identity Pool user's password can no longer be the same as any of their identifiers or addresses (compared case-insensitively).
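Two of the password-policy rules on this page, the minimum lowercase count (Sep 21 2023 entry) and the rule above that a password may not equal any of the user's identifiers or addresses regardless of case, can be checked in one validator. The following is an added example, not Cloudentity's own code: the policy and user records are constructed, and the field names (minLowercase, identifiers, addresses) are assumptions of this example rather than the Identity Pool schema.

```javascript
// Constructed policy and user records; field names are assumptions of this
// example, not the Identity Pool schema.
const POLICY = { minLowercase: 2 };

const USER = {
  identifiers: ["alice", "alice-42"],
  addresses: ["alice@example.com", "+15551234567"],
};

// Count lowercase letters with a Unicode-aware class (\p{Ll}), so that a
// lowercase "é" counts and an uppercase "É" does not; a plain [a-z] would
// silently under-count non-ASCII passwords.
function countLowercase(password) {
  return (password.match(/\p{Ll}/gu) || []).length;
}

// Returns the list of policy violations; an empty list means the password
// is accepted. The identifier/address comparison is case-insensitive on both
// sides, so "ALICE@EXAMPLE.COM" is rejected for alice just like the exact
// address would be.
function validatePassword(password, user, policy) {
  const errors = [];
  if (countLowercase(password) < policy.minLowercase) {
    errors.push(`at least ${policy.minLowercase} lowercase characters required`);
  }
  const candidate = password.toLowerCase();
  const forbidden = [...(user.identifiers || []), ...(user.addresses || [])];
  if (forbidden.some((value) => value.toLowerCase() === candidate)) {
    errors.push("password must not equal any of the user's identifiers or addresses");
  }
  return errors;
}
```

Returning every violation at once, rather than stopping at the first, lets the login or registration UI report all problems in a single round trip without leaking anything beyond the policy itself.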

OpenSSL Security Fixes

Security Vulnerability
Jul 28 2023

Security fixes for the following two OpenSSL vulnerabilities:

  • CVE-2023-1255 (input buffer over-read in the AES-XTS implementation on 64-bit ARM)
  • CVE-2023-2650 (possible denial of service when translating ASN.1 object identifiers)

403 Status Default Response for Standalone Authorizer

Enhancement
Jul 27 2023

By default, the Cloudentity Standalone Authorizer now returns an HTTP 403 Forbidden response.

Policies Available Per Authorization Details

Enhancement
Jul 26 2023

Tenants with RAR enabled may now be configured with authorization policies assigned per authorization details.

UK Open Banking Payment Initiation v3 Consent Endpoints

Enhancement
Jul 26 2023

Added support for payment initiation v3 consent endpoints from the UK Open Banking specification:

  • POST /open-banking/payments/v3/consents
  • GET /open-banking/payments/v3/consents/{consentID}

Mongoose and Semver Dependencies Updated

Security Vulnerability
Jul 25 2023

Updated the Mongoose dependency to fix CVE-2023-3696 (prototype pollution) and the transitive semver dependency affected by CVE-2022-25883 (regular expression denial of service).

Subscribe Clients to Authorization Details Types

Enhancement
Jul 21 2023

Clients can now subscribe to RAR-related authorization details types. This feature is currently behind a feature flag and available on demand only.

Automated User Provisioning

New Feature
Jul 20 2023

Just in Time automated User Provisioning is now globally available.

FDX Service Scopes Updates

Enhancement
Jul 19 2023

Updated the FDX service scopes as defined in the FDX 5.3 release. The change applies only to new FDX workspaces.

MFA Code Lifetime Change Correctly Resets Save Button

Bug Fix
Jul 19 2023

Fixed a bug where changes in the MFA verification code lifetime settings would not reset the save button.

Fixed Error Messages for Expired Passwords

Bug Fix
Jul 19 2023

A proper error message is displayed on the login page if a password expires. The message is displayed when:

  • The provided password is correct but the expiration date is in the past.

  • The expiration date is in the past and no password is set (needed especially for users migrated without passwords).

Theme Preview Fixed for Custom Domains

Bug Fix
Jul 18 2023

Fixed a bug where it was not possible to preview custom theme changes on Cloudentity exposed behind a custom (vanity) domain.

System-Level Organization Management APIs

New Feature
Jul 18 2023

Customers that have the organizations feature enabled are provided with new system-level organization management APIs:

  • GET /organizations
  • POST /organizations
  • DELETE /organizations/{wid}
  • GET /organizations/{wid}
  • PUT /organizations/{wid}

These endpoints function identically to the ones listed in the admin APIs, but they require a token issued by the system workspace with the manage_organizations scope.

Extended RAR Support

New Feature
Jul 17 2023

Added a new set of APIs (create, get, update, delete, and list) for the new authorization details entity.

This feature is currently behind a feature flag and available on demand only.

Improved Generate Code of Specific Type API

Enhancement
Breaking Change
Jul 13 2023

Improved the Generate Code of Specific Type API with the ability to request user codes for authentication, challenge, and password reset without an address being provided.

Extension Scripts Removed Upon Workspace Deletion

Bug Fix
Jul 12 2023

All extension scripts are now removed upon workspace deletion. This fixes an issue with the import/export APIs where dangling scripts caused imports to fail.

Client Registration URI Fixes

Bug Fix
Jul 06 2023

Fixed a bug where, if the registration_endpoint from mtls_aliases was used to call the DCR endpoint, the response contained a registration_client_uri pointing to the regular registration_endpoint instead of the mtls_aliases one.

Identity Pools New API

Enhancement
Jul 04 2023

Added a new Identity Pool system-level API for getting a user by their identifier or verified email address.

Password History

Bug Fix
Jun 30 2023

Fixed account password history enforcement for users stored in Identity Pools. Now, the current password is correctly taken into account.

Extension Libraries Version Bumps

Enhancement
Jun 29 2023

Updated the following libraries versions for Cloudentity Extensions:

  • aws-sdk - 2.1306.0 -> 2.1404.0
  • mongodb - 5.0.0 -> 5.6.0
  • mongoose - 6.9.0 -> 7.3.1 (major version bump)
  • xml2js - 0.4.23 -> 0.6.0

Superagent Removed from Fission Dependencies

Enhancement
Breaking Change
Jun 29 2023

Superagent was removed from the Fission dependencies because of known vulnerabilities. Use Axios in Cloudentity Extensions instead.

Open Finance Brazil APIs updated

Enhancement
Jun 28 2023

Updated swaggers and models in accordance with the newest release candidate for the Open Finance Brasil consents API.

Token Exchange Available Generally

Enhancement
Jun 26 2023

Token exchange is no longer behind feature flags. No adjustments in your tenant are needed.

SAML IDP Improvements

Enhancement
Jun 26 2023

The SAML SP Metadata label is renamed to Entity ID. Additional ACS URL is introduced to enable easier integration of Cloudentity as a Service Provider at Identity Providers. Both labels are added to the SAML IDP create wizard.

user_id added to Extended OTP Endpoint Response

Enhancement
Jun 23 2023

Added user_id to the inspect extended OTP endpoint response. This allows fetching user information while processing the code.

Identity Pool APIs without SSO Fixed

Bug Fix
Jun 22 2023

Fixed a bug where requests to the Identity Pools APIs failed with an interaction_required error when SSO was not enabled.

Migration APIs Improvement

Enhancement
Jun 21 2023

Previously, dynamic_client_registration settings were not exported in the tree dump and default values were presented instead. Now, dynamic_client_registration settings are exported properly.

Migration APIs Improvement

Enhancement
Jun 19 2023

The private JWKS is not returned in workspace migration exports.

Migration APIs Improvement

Enhancement
Jun 16 2023

Policy execution points are now presented at the place where the policy is applied: servers, scopes, or clients. Policy execution points that target a scope use scope names instead of scope identifiers to identify the scope in the tree dump structure.

Modify Workspace View from Workspace

Enhancement
Jun 15 2023

It is now possible to switch workspace themes in workspace’s Appearance view.

User Identifier Case Insensitive by Default

Bug Fix
Jun 14 2023

Newly created Identity Pools have the Identifier case-insensitive option enabled by default.