Changelog
Cloudentity Platform Changelog
Generic Open Banking Solution for Security Profile Compliance
Added a new workspace profile, Generic Open Banking, along with a demo option (a try-out button when creating a workspace).
When launching the demo, a new Go Bank Demo workspace is created based on FAPI 2.0 security profile.
After following the quickstart guide, a new workspace Hyperscale Bank is provisioned.
Both workspaces showcase how Generic Open Banking can be built with the CE authorization server and external consent storage.
Enforce Minimal Number of Lowercase Characters in Passwords
Added an ability to enforce minimal number of lowercase characters in a password policy.
Executing Scripts Fixed for Workspaces with Underscores in IDs
Fixed a bug where the extension scripts could not be executed if the workspace id contained an underscore character.
Controlling SSO Session Renewal via SSO-Session-Extend Header
Added an ability to not renew an SSO session as part of the user info and introspect endpoints by sending the SSO-Session-Extend: false header.
Expire Passwords
It is now possible to set a password expiration period in Identity Pool configuration using APIs.
New Audit Events for Services
Added audit events for service creation, modification, and deletion.
Enforce Mandatory Password Resets & Changes
Introduced Mandatory Password Reset & Change Flags to Identity Pools APIs.
Brasil Open Banking Payment APIs Adjustments
Implemented backwards compatibility adjustments from the Brasil Open Finance Specification for the payment consent APIs.
GET /open-banking/payments/v2/consents/{consentID} does not allow retrieval of a consent created with the v3 endpoint. In this case, an error code of USO_NAO_COMPATIVEL_VERSAO is returned with HTTP status 400.
GET /open-banking/payments/v3/consents/{consentID} allows consents created with the v2 endpoint to be queried.
created_at and updated_at Params Set Automatically for Identity Pools
Set created_at and updated_at automatically to the current date for Schema if not provided explicitly.
Added Audit Event for Revoking Tokens
Added an audit event for the system-level revoke tokens API.
Token Exchange System Client Removed Upon Gateway/Authorizer Removal
Token exchange client is now removed on gateway/authorizer removal (if the token exchange capability was enabled).
Select Account Page Brandable
Added the ability to see and brand the Select Account page in the theme editor view.
AMR and ACR Claims Propagated in Claim Enrichment Extensions
Returned tokens are propagated with the amr and acr claims returned from the pre-token minting extension.
Sample extension:
module.exports = async function (ctx) {
  return {
    "amr": ["secret-melody"],
    "acr": "so.secret.1000",
    "access_token": { "server_claim": "value1" }
  };
};
Workspace-Level Configuration Promotion APIs Performance Improvements
Performance improvements of workspace-level Tenant Configuration Promotion APIs:
- GET /promote/config
- POST /promote/config
- PATCH /promote/config-rfc6902
- PATCH /promote/config-rfc7396
- POST /clone
As a side effect, the PATCH APIs can no longer create new workspaces, which is in line with the PATCH definition.
Alpha API: Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.
Identity Pools Available as Input for Token Claim Enrichment Extensions
Made identity_pool object available as an input to pre-token minting script for the token exchange flow.
IDP and IDPM Claims Preserved after Exchanging Tokens
Preserve the idp and idpm claims in the ID token after a token exchange.
Improvements to Adding Applications
Changed the admin- / developer-level Create OAuth/SAML Client API to not assign hybrid response modes by default when the application is created using the single_page / server_web / mobile_desktop application types.
Get Authorization Server API Includes Response Types in Response Schema
Added response_types to the Get Authorization Server developer-level API response schema.
Improvements to Well-Known Endpoint
If the well-known endpoint is accessed using the mTLS domain, Cloudentity returns issuer = mtls_issuer.
To avoid introducing a breaking change, it happens only for new authorization servers, or those explicitly migrated to version 3.
Fixed Missing Swagger Definition to Open Banking Brasil Payments Login Endpoint
Added missing swagger definitions for the GET /open-banking-brasil/payment/v3/{login} endpoint.
SSO Replaces Authentication Context Caching
Single Sign-On (SSO) capabilities replace the authentication context caching. If your organization used this mechanism, switch to Persistent User Sessions (SSO) in the Identity Providers settings.
FDX Dynamic Client Registration (DCR) Available Globally
FDX DCR is now available globally. From now on, the registration_endpoint points to /fdx/dcr/register instead of the regular /oauth2/register DCR endpoint.
Open Finance Consent APIs v2.1 Support
Added support for the stable 2.1 release of the Open Finance Brazil Consents API.
Improved Default Policies for Passwordless Authentication
Previously, pwd (authentication with a password) was the only allowed amr (authentication method reference) for the NIST-AAL-1/2/3 authorization policies.
Now, the NIST-AAL-1/2/3 authorization policies also include otp (One Time Passwords – Verification Codes) and pop (passkeys) as allowed amr values, allowing users to authenticate using these other mechanisms.
Note
The change applies only to new tenants. If you want to use passwordless authentication on an already existing tenant, be sure to check the contents of the NIST-AAL-1/2/3 policies and include the additional amr values.
SSO Globally Available
Single Sign-On (SSO) capabilities are now globally available for all Cloudentity tenants.
If needed, enable SSO in your workspace Identity Providers settings (Identity Providers » Single Sign-On » Persistent Session (SSO mode)).
Passkey Login Improvements
When attempting a passkey login for a nonexistent user or a user without WebAuthn credentials set up, Cloudentity returns a fake credential ID instead of null to obfuscate user existence.
authorization_details Without Scopes for Authorization Code Flow
Allow to request authorization_details (RAR) without scopes for authorization code flow.
Before, if the authorization_details were sent and the scope parameter was empty or omitted, the default set of scopes (openid email profile) was assigned to the client application.
DCR and authorization_details_types
Clients can now use dynamic client registration and provide authorization_details_types as defined in the RFC 9396 specification.
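The two entries above describe request-time handling that an authorization server performs on an RFC 9396 request: validate the authorization_details array, check each type against what the client registered (for instance through the DCR authorization_details_types metadata), and only fall back to the default scope set when the request carries neither a scope parameter nor authorization_details. The following is an added example written for this page, not Cloudentity's code; the client and request shapes are constructed, and the function names are assumptions.

```javascript
// Added example, not Cloudentity's code: request-time handling of RFC 9396
// authorization_details. Client and request shapes are constructed;
// "invalid_authorization_details" is the error code RFC 9396 defines.

const DEFAULT_SCOPES = ["openid", "email", "profile"];

// Parse the authorization_details parameter: a JSON array whose every entry
// is an object with a non-empty string "type".
function parseAuthorizationDetails(raw) {
  let details;
  try {
    details = JSON.parse(raw);
  } catch (e) {
    throw new Error("invalid_authorization_details");
  }
  if (!Array.isArray(details)) throw new Error("invalid_authorization_details");
  for (const entry of details) {
    if (entry === null || typeof entry !== "object" || Array.isArray(entry) ||
        typeof entry.type !== "string" || entry.type === "") {
      throw new Error("invalid_authorization_details");
    }
  }
  return details;
}

// Each requested type must be one the client registered (for instance via
// DCR's authorization_details_types); anything else is rejected.
function assertRegisteredTypes(details, client) {
  const registered = new Set(client.authorization_details_types || []);
  for (const entry of details) {
    if (!registered.has(entry.type)) {
      throw new Error(`invalid_authorization_details: unregistered type ${entry.type}`);
    }
  }
}

// Resolve the effective scopes and authorization details of a request.
// The default scope set is only assigned when the request carries neither
// a scope parameter nor authorization_details.
function resolveAuthorizationRequest(params, client) {
  const details = params.authorization_details
    ? parseAuthorizationDetails(params.authorization_details)
    : [];
  assertRegisteredTypes(details, client);

  const requested = (params.scope || "").split(" ").filter((s) => s !== "");
  if (requested.length > 0) return { scopes: requested, details };
  return { scopes: details.length > 0 ? [] : [...DEFAULT_SCOPES], details };
}

// Constructed sample: a client registered for one authorization details type.
const SAMPLE_CLIENT = { client_id: "tpp-1", authorization_details_types: ["payment_initiation"] };
const SAMPLE_REQUEST = {
  authorization_details: JSON.stringify([
    { type: "payment_initiation", instructedAmount: { currency: "EUR", amount: "10.00" } },
  ]),
};

console.log(resolveAuthorizationRequest(SAMPLE_REQUEST, SAMPLE_CLIENT));
```

With the sample request the result carries the parsed payment_initiation entry and an empty scope list; a request with neither parameter still gets the openid email profile defaults.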
Improved UI Scaling
Improved Cloudentity UI scaling across multiple devices.
Open Finance Brazil Payment v3 APIs Support
Extended the Open Finance Brazil Consent Management APIs to support requests including v3 payments:
POST /servers/{wid}/open-banking-brasil/consents
DELETE /servers/{wid}/open-banking-brasil/consents
POST /servers/{wid}/open-banking-brasil/consents/{consentID}/consume
DELETE /servers/{wid}/open-banking-brasil/consents/{consentID}
GET /servers/{wid}/open-banking-brasil/consents/{consentID}
When a v3 payment consent is targeted with the delete APIs, it receives a rejection reason JSON:
{
"rejectionReason": {
"code": "REJEITADO_USUARIO",
"details": "O usuário rejeitou a autorização do consentimento"
}
}
Deprecated Users self/me APIs
Deprecated the following Identity Pool APIs:
Instead, the OIDC-compliant userinfo API should be used to get information about the user, and the System Level Identity Pool Users APIs should be used by backend applications to update the user’s data.
Deprecated Brazil Open Finance Introspect Endpoints
Older iterations of the Brazil Open Finance Introspection endpoints (POST /open-banking-brasil/open-banking/payments/v1/consents/introspect and POST /open-banking-brasil/open-banking/payments/v2/consents/introspect) have been marked as deprecated. The new API should be used instead.
Brazil Open Finance Introspection v3 API for Payments
Added an introspection endpoint for Open Finance v3 payments located at POST /open-banking-brasil/open-banking/payments/v3/consents/introspect. This endpoint is backwards compatible and can be used to introspect previous versions as well.
Open Finance Brazil v3 Consent APIs
Added support for the rejectionReason field for Open Finance Brazil v3 payment consents. This includes:
- Updates to the POST /open-banking-brasil/payment/{login}/reject endpoint. The consent page application can explicitly pass the code and details fields as a JSON object in the request.
Example:
{
"rejection_reason": {
"code": "VALOR_INVALIDO",
"details": "O valor enviado não é válido para o QR Code informado"
}
}
When a rejection reason is not supplied, Cloudentity sets a default rejection reason to the following:
{
"rejection_reason": {
"code": "REJEITADO_USUARIO",
"details": "O usuário rejeitou a autorização do consentimento"
}
}
- Updates to Open Finance Brazil cron jobs that reject consents.
Unauthorized consents that expire before the user is able to confirm them receive a code of TEMPO_EXPIRADO_AUTORIZACAO. Authorized consents that have expired receive a code of TEMPO_EXPIRADO_CONSUMO.
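The three sources of a rejection reason described above (an explicit reason from the consent page, the default when none is supplied, and the two expiry codes assigned by the cron jobs) can be collected into one decision routine. The following is an added example and not Cloudentity's code; the consent field names (status, authorizationExpiresAt, consumeExpiresAt), the status values, and the details texts for the two expiry codes are assumptions made for this example.

```javascript
// Added example, not Cloudentity's implementation: decide which
// rejectionReason an Open Finance Brazil v3 payment consent receives.
// Consent field names, status values and the two expiry "details" texts
// are assumptions for this example.

const DEFAULT_USER_REJECTION = {
  code: "REJEITADO_USUARIO",
  details: "O usuário rejeitou a autorização do consentimento",
};

// Used by the reject endpoint: take the consent page's explicit reason when
// both fields are present, otherwise fall back to the default.
function userRejectionReason(supplied) {
  const valid =
    supplied && typeof supplied.code === "string" && supplied.code !== "" &&
    typeof supplied.details === "string";
  return valid
    ? { code: supplied.code, details: supplied.details }
    : { ...DEFAULT_USER_REJECTION };
}

// Used by the scheduled job: a consent that was never authorised within its
// authorisation window, or authorised but not consumed within its consumption
// window, gets the matching expiry code. Returns null when nothing is due.
function expiryRejectionReason(consent, now) {
  if (consent.status === "AWAITING_AUTHORISATION" && now >= consent.authorizationExpiresAt) {
    return { code: "TEMPO_EXPIRADO_AUTORIZACAO", details: "Prazo de autorização do consentimento expirado" };
  }
  if (consent.status === "AUTHORISED" && now >= consent.consumeExpiresAt) {
    return { code: "TEMPO_EXPIRADO_CONSUMO", details: "Prazo de consumo do consentimento expirado" };
  }
  return null;
}

// Run the job over a batch, rejecting whatever is due. Returns new objects
// rather than mutating the input.
function runExpiryJob(consents, now) {
  return consents.map((c) => {
    const reason = expiryRejectionReason(c, now);
    return reason ? { ...c, status: "REJECTED", rejectionReason: reason } : c;
  });
}

// Constructed sample data: timestamps are epoch milliseconds.
const SAMPLE_CONSENTS = [
  { id: "c1", status: "AWAITING_AUTHORISATION", authorizationExpiresAt: 1000 },
  { id: "c2", status: "AUTHORISED", consumeExpiresAt: 5000 },
  { id: "c3", status: "CONSUMED" },
];

console.log(runExpiryJob(SAMPLE_CONSENTS, 2000));
console.log(userRejectionReason({ code: "VALOR_INVALIDO", details: "O valor enviado não é válido" }));
console.log(userRejectionReason(undefined));
```

Running the job at time 2000 rejects only c1 with TEMPO_EXPIRADO_AUTORIZACAO; at time 6000 c2 is rejected as well, with TEMPO_EXPIRADO_CONSUMO, while the already consumed c3 is never touched.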
Kong Authorizer Configuration Adjustments
In order to avoid configuration issues where the Kong authorizer’s configuration differs too much from the helm chart values, certificate details need to be provided as part of the httpServer.certificate setting instead of the httpServer setting, to closely match what Kong Authorizer supports.
With this change, support for the httpServer.certificate.generated_key_type and httpServer.certificate.password settings was also introduced.
Configuration Promotion New API
Added a new API for cloning an existing workspace within one tenant.
POST /{tid}/workspaces/{wid}/promote/config-clone
As a parameter, a new workspace ID is required. Optionally, an RFC 7396 patch can be passed to be applied on the new workspace.
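Both the config-clone API here and the PATCH /promote/config-rfc7396 API listed under the performance improvements take an RFC 7396 JSON Merge Patch. The following added example (written for this page, not Cloudentity's code) implements the merge-patch algorithm and applies it to a cloned workspace configuration; the configuration document is constructed for the example and is not Cloudentity's schema. Like the promotion PATCH APIs, the clone routine never creates a workspace from nothing: the source must exist and the new ID must differ from it.

```javascript
// Added example, not Cloudentity's implementation: RFC 7396 JSON Merge Patch
// applied when cloning a workspace configuration. The configuration document
// below is constructed for the example; it is not Cloudentity's schema.

function mergePatch(target, patch) {
  // A non-object patch (string, number, array, ...) replaces the target.
  if (patch === null || typeof patch !== "object" || Array.isArray(patch)) {
    return patch;
  }
  // Start from a copy of the target when it is an object; otherwise from {}.
  const isObject = target !== null && typeof target === "object" && !Array.isArray(target);
  const result = isObject ? { ...target } : {};
  for (const [key, value] of Object.entries(patch)) {
    if (value === null) {
      delete result[key]; // null in the patch removes the member
    } else {
      result[key] = mergePatch(result[key], value); // objects merge recursively
    }
  }
  return result;
}

// Clone an existing workspace under a new ID and apply an optional patch.
// The source must exist and the new ID must differ from it.
function cloneWorkspace(source, newId, patch) {
  if (typeof newId !== "string" || newId === "" || newId === source.id) {
    throw new Error("a new, distinct workspace id is required");
  }
  const cloned = { ...source, id: newId };
  return patch ? mergePatch(cloned, patch) : cloned;
}

// Constructed sample workspace document.
const SOURCE_WORKSPACE = {
  id: "hyperscale-bank",
  name: "Hyperscale Bank",
  settings: { access_token_ttl: "1h", require_pkce: false },
  allowed_origins: ["https://bank.example"],
};

console.log(cloneWorkspace(SOURCE_WORKSPACE, "hyperscale-bank-staging", {
  name: "Hyperscale Bank (staging)",
  settings: { require_pkce: true },                  // merged: access_token_ttl survives
  allowed_origins: ["https://staging.bank.example"], // arrays are replaced, not merged
}));
```

The two behaviours worth remembering when writing a patch for these APIs are visible in the sample: nested objects merge member by member, while arrays and null values do not (an array in the patch replaces the whole array, and null removes the member).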
Alpha API. Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.
Password Security Improvement
An Identity Pool user’s password cannot be the same as any of their identifiers or addresses (case insensitive).
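The password rules introduced in this changelog (the minimum number of lowercase characters from the password-policy entry above, and the ban on passwords equal to any identifier or address, compared case-insensitively) can be checked with a small validator. The following is an added example written for this page, not Cloudentity's code; the policy and user field names are assumptions, and the sample user is constructed.

```javascript
// Added example, not Cloudentity's own code. It applies two of the password
// rules described in this changelog: a minimum number of lowercase characters,
// and a ban on passwords equal to any of the user's identifiers or addresses
// (compared case-insensitively). The policy and user field names are
// assumptions made for this example.

function countLowercase(password) {
  let count = 0;
  for (const ch of password) {
    // A character counts as lowercase when it is unchanged by toLowerCase()
    // but changed by toUpperCase(); digits and symbols fail the second test,
    // and non-ASCII letters such as "é" are handled like ASCII ones.
    if (ch === ch.toLowerCase() && ch !== ch.toUpperCase()) count++;
  }
  return count;
}

// Returns a list of violated rules (empty when the password is acceptable).
function checkPassword(password, user, policy) {
  const problems = [];

  if (countLowercase(password) < policy.minLowercase) {
    problems.push(`needs at least ${policy.minLowercase} lowercase characters`);
  }

  // Identifiers and addresses are normalised the same way as the candidate
  // password, so "John.Doe@Example.COM" is rejected for the user whose
  // address is "john.doe@example.com".
  const forbidden = new Set(
    [...user.identifiers, ...user.addresses].map((v) => v.toLowerCase())
  );
  if (forbidden.has(password.toLowerCase())) {
    problems.push("must not equal any of the user's identifiers or addresses");
  }

  return problems;
}

// Constructed sample user and policy for the example.
const SAMPLE_USER = {
  identifiers: ["jdoe", "john.doe"],
  addresses: ["john.doe@example.com", "+15551234567"],
};
const SAMPLE_POLICY = { minLowercase: 2 };

// Usage: run each candidate through the policy and report the verdict.
for (const candidate of ["John.Doe@Example.COM", "ABCDEFG1!", "correct horse battery"]) {
  console.log(candidate, "->", checkPassword(candidate, SAMPLE_USER, SAMPLE_POLICY));
}
```

Returning the full list of violations rather than the first one lets the login or registration page show the user everything that needs to change in a single round trip.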
OpenSSL Security Fixes
Security fixes for the following two OpenSSL vulnerabilities:
- CVE-2023-1255
- CVE-2023-2650
403 Status Default Response for Standalone Authorizer
By default, the Cloudentity Standalone Authorizer now returns an HTTP 403 Forbidden response.
Policies Available Per Authorization Details
Tenants with RAR enabled may now be configured with authorization policies assigned per authorization details.
UK Open Banking Payment Initiation v3 Consent Endpoints Update
Added support for payment initiation v3 consent endpoints from the UK Open Banking specification:
POST /open-banking/payments/v3/consents
GET /open-banking/payments/v3/consents/{consentID}
Mongoose and Semver Dependencies Updated
Updated the Mongoose dependency to fix CVE-2023-9696 and the transient semver dependency affected by CVE-2022-25883.
Subscribe Clients to Authorization Details Types
Clients can now subscribe to RAR-related authorization details types. This feature is currently behind a feature flag and available only on demand.
Automated User Provisioning
Just in Time automated User Provisioning is now globally available.
FDX Service Scopes Updates
Updated FDX service scopes as defined in the FDX 5.3 release. The change applies only to new FDX workspaces.
MFA Code Lifetime Change Correctly Resets Save Button
Fixed a bug where changes in the MFA verification code lifetime settings would not reset the save button.
Fixed Error Messages for Expired Passwords
A proper error message is displayed on the login page if a password expires. The message is displayed when:
- The provided password is correct but the expiration date is in the past.
- The expiration date is in the past and the password is not set (this is especially needed for user migration without passwords).
Theme Preview Fixed for Custom Domains
Fixed a bug where it was not possible to preview custom theme changes on Cloudentity exposed behind a custom (vanity) domain.
New Organization-Related APIs
Customers that have the organizations feature enabled are provided with new system-level organization management APIs:
- GET /organizations
- POST /organizations
- DELETE /organizations/{wid}
- GET /organizations/{wid}
- PUT /organizations/{wid}
These endpoints function identically to the ones listed in the admin APIs; however, they require a token issued by the system workspace with the manage_organizations scope.
Extended RAR Support
Added a new set of APIs (create, get, update, delete, and list) for the new authorization details entity.
This feature is currently behind a feature flag and available only on demand.
Improved Generate Code of Specific Type API
Improved the Generate Code of Specific Type API with an ability to request user codes for authentication, challenge, and reset password without address provided.
Extension Scripts Removed Upon Workspace Deletion
All Extension Scripts are now removed upon workspace deletion. This fixes the issue with the import/export APIs where dangling scripts caused imports to fail.
Client Registration URI Fixes
Fixed a bug where, if the registration_endpoint from the mtls_aliases was used to call the DCR endpoint, the response contained a registration_client_uri pointing to the regular registration_endpoint instead of the mtls_aliases one.
Identity Pools New API
Added a new Identity Pool system-level API for getting a user by their identifier or verified email address.
Password History
Fixed account password history enforcement for users stored in Identity Pools. Now, the current password is correctly taken into account.
Extension Libraries Version Bumps
Updated the following libraries versions for Cloudentity Extensions:
- aws-sdk - 2.1306.0 -> 2.1404.0
- mongodb - 5.0.0 -> 5.6.0
- mongoose - 6.9.0 -> 7.3.1 (major version bump)
- xml2js - 0.4.23 -> 0.6.0
Superagent Removed from Fission Dependencies
Superagent was removed from the Fission dependencies because of known vulnerabilities. Instead, use Axios in Cloudentity Extensions.
Open Finance Brazil APIs updated
Updated swaggers and models in accordance with the newest release candidate for the Open Finance Brasil consents API.
Token Exchange Available Generally
Token exchange is no longer behind feature flags. No adjustments in your tenant are needed.
SAML IDP Improvements
The SAML SP Metadata label is renamed to Entity ID. Additional ACS URL is introduced to enable easier integration of Cloudentity as a Service Provider at Identity Providers. Both labels are added to the SAML IDP create wizard.
user_id added to Extended OTP Endpoint Response
Added user_id to the inspect extended OTP endpoint response. It allows fetching user information when processing the code.
Identity Pool APIs without SSO Fixed
Requests to Identity Pool APIs without SSO enabled now fail with an interaction_required error message.
Migration APIs Improvement
The dynamic_client_registration settings were not exported in the tree dump, and default values were presented instead. Now, dynamic_client_registration settings are exported properly.
Migration APIs Improvement
The private JWKS is not returned for workspace migration.
Migration APIs Improvement
Policy execution points are now presented in the place where the policy is applied: servers, scopes, clients. Policy execution points whose target is a scope use scope names instead of scope identifiers to identify the scope in the tree dump structure.
Modify Workspace View from Workspace
It is now possible to switch workspace themes in workspace’s Appearance view.
User Identifier Case Insensitive by Default
Newly created Identity Pools have the Identifier case-insensitive option enabled by default.