Release Notes: Cloudentity 2.10.0

This article summarizes the new features and changes in Cloudentity version 2.10.0.

January 31, 2023

Highlights

Financial Data Exchange 5.1

Secure data exchange between financial institutions is increasingly becoming a hot topic, as users expect to be empowered when managing their financial data. Thankfully, Cloudentity is here to help.

This release adds the set of APIs required for Dynamic Client Registration for Financial Data Exchange in accordance with the FDX 5.1 specification. Check our FDX API documentation for details.

Possession-Based Authentication with Identity Pools

Passwordless authentication protects user credentials by replacing traditional, knowledge-based authentication (such as entering a password you know) with possession-based authentication (such as confirming the login with your fingerprint on a device you own). The possession-based approach has a number of advantages, primarily:

  • There is no password, so you can’t give it away to a phishing site
  • Your credentials are never stored on the server; in fact, they never leave the device used for authentication

The FIDO Alliance is the organization entrusted with maintaining the standards for passwordless authentication.

When authenticating with Cloudentity Identity Pools, you have the option to use a Passkey instead of relying on passwords.

Breaking Changes

[ AUT-7854 ] Pagination has been introduced when calling the List Identity Pools API. Callers can filter by id or name of the Identity Pool, search before or after its id, sort by id or name, order ascending or descending, and limit the number of returned results.

Callers who wish to use this API to return all Identity Pools should either set a high limit or enable pagination in their UI.

[ AUT-7898 ] Token endpoint authentication signing algorithms are now configurable at the server level via the token_endpoint_auth_signing_alg_values parameter, for example:

{
  "token_endpoint_auth_signing_alg_values": [
    "HS256",
    "RS256",
    "ES256",
    "PS256"
  ]
}

Depending on the server security profile, only specific algorithms are allowed; for instance, for FAPI-based profiles the only supported algorithms are ES256 and PS256. When a client is dynamically registered in an Open Banking Brazil workspace with the insurance industry and token_endpoint_auth_signing_alg is not explicitly provided, it is set automatically to PS256.

token_endpoint_auth_signing_alg on the client side should no longer use the none value, as per the OIDC specification.

Instead of none, the value should be empty or set to one of the algorithms supported by the server (see token_endpoint_auth_signing_alg_values_supported in the well-known page). none is still accepted, but it is converted to an empty string.
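As an added illustration (not Cloudentity code), the following Python validator mirrors the rules described above: none is accepted but normalized to an empty string, FAPI-based profiles narrow the server list to ES256 and PS256, and a missing value in an Open Banking Brazil insurance workspace defaults to PS256. The profile and industry strings ("fapi_advanced", "openbanking_br", "insurance") and the function names are assumptions made for this example.

```python
# Added example, not Cloudentity's implementation. Profile/industry strings are assumptions.

FAPI_ALGS = {"ES256", "PS256"}  # the only algorithms FAPI-based profiles permit

# Constructed server configuration, matching the JSON shown in the release notes.
SERVER_CONFIG = {
    "token_endpoint_auth_signing_alg_values": ["HS256", "RS256", "ES256", "PS256"],
}


def supported_algs(server_config, profile):
    """Algorithms the server advertises, narrowed further for FAPI-based profiles."""
    algs = set(server_config["token_endpoint_auth_signing_alg_values"])
    if profile.startswith("fapi"):  # assumption: FAPI profile ids share this prefix
        algs &= FAPI_ALGS
    return algs


def resolve_signing_alg(requested, server_config, profile, industry=None):
    """Resolve a client's token_endpoint_auth_signing_alg under the 2.10.0 rules.

    - "none" (or an absent value) becomes "" (empty: the server decides later)
    - an empty value in an Open Banking Brazil insurance workspace defaults to PS256
    - any explicit value must be in the server's supported set, else ValueError
    """
    value = "" if requested in (None, "none") else requested
    if value == "" and profile == "openbanking_br" and industry == "insurance":
        value = "PS256"
    if value == "":
        return ""
    allowed = supported_algs(server_config, profile)
    if value not in allowed:
        raise ValueError(f"{value} not allowed; server supports {sorted(allowed)}")
    return value


def accepts(requested, profile, industry=None, server_config=SERVER_CONFIG):
    """True if the registration would be accepted under the given profile."""
    try:
        resolve_signing_alg(requested, server_config, profile, industry)
        return True
    except ValueError:
        return False
```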

Major Additions and Changes

[ AUT-7762 ] Implemented Dynamic Client Registration for FDX

All request and response parameters are adjusted in accordance with the FDX specification. This API is hidden behind the FDXDCR feature flag.

[ AUT-7172 ] Introduced Passkey Device registration, so a user can register without a password, using a device such as a smartphone or YubiKey instead. The feature is hidden behind the webauthn feature flag.

[ AUT-4170 ] Allowed sending an encrypted request object when request object encryption is not enforced on Cloudentity’s side.

[ AUT-7803 ] Improved compliance for the CDR refresh metadata endpoint in accordance with the CDR specification.

  • x-v header is now required when calling this endpoint (currently supporting version 1)
  • Error messages have been refactored to match what is in the specification

[ AUT-7946 ] Improved SQL client connection handling for better product stability.

[ AUT-8103 ] The x5c (X.509 certificate chain) entry for server-side JWKS is no longer mandatory.

Minor Enhancements

[ AUT-7352 ] Changed the validity of the x5c certificate in the Cloudentity server JWKS endpoint from 1 month to 10 years.

Additionally, the certificate CN is now set to the server’s issuer URL. Previously, when a server signing key was generated, the self-signed x5c certificate included in the JWKS endpoint was issued for localhost and valid for one month. x5c is optional and should not be returned.

[ AUT-7356 ] Default font used in templated pages changed from Roboto to Inter.

[ AUT-7579 ] Enabled uid-formatted identifiers to be used for password authentication.

[ AUT-7586 ] Added support for CDR register API version 1.20.0.

Previously, only version 1.16.1 was supported. Users can select which version to use under Auth Settings > OAuth > General.

[ AUT-7754 ] Identity Pool creation form improvements: added more configuration options during the pool creation step.

[ AUT-7765 ] When listing an Identity Pool, the cached number of users in the pool is added to the response with the number_of_users parameter.

[ AUT-7850 ] Improved the latency of the List Users API.

[ AUT-7853 ] Added badge colors to Identity Pools, improving the ability to distinguish between different Identity Pools in the UI.

[ AUT-7950 ] Added audit events for granting and revoking roles. This includes both tenant roles and workspace roles.

[ AUT-7976 ] Added a new field, requested_redirect_uri, to the System Authorization API.

[ AUT-7990 ] Improved the Identity Pool settings view: gathered advanced settings in a single tab to simplify options management, and improved the schemas and metadata pages in Identity Pools.

[ AUT-8039 ] Extended the List customer clients API with the ability to filter CDR customer clients search results by accounts in addition to customer_id.

[ AUT-8040 ] Cloudentity now generates Audit Events when an Extension Script executes, with the Event Subject script and Event Action executed. In addition, greater detail in these audit events can be enabled temporarily to assist in debugging.

Bug Fixes

[ AUT-8024 ] Fixed a missing select IDP cookie when using scripting extension discovery.

[ AUT-6136 ] Quickstart page for Open Banking UK FAPI Advanced profile is now disabled.

[ AUT-7237 ] Solved the issue with Refresh Token being active for ~30s after consent revocation.

[ AUT-7740 ] Fixed a problem where the CDR refresh endpoint returned error 500 when the server’s industry was set to energy/telco. The register client implementation for 1.16.1 is now set to use only the banking industry, as this is the only industry accepted by that version of the CDR register.

[ AUT-7875 ] Fixed a bug where, under special conditions, a user token could be used to manage a dynamically registered OAuth 2.0 client.

[ AUT-7886 ] In Permissions APIs, READ and DELETE operations for relationships no longer share incorrect request body parameters descriptions.

[ AUT-7897 ] Scopes from service are now correctly displayed in consent preview instead of hardcoded scopes.

[ AUT-7925 ] If DCR is used with an initial access token, a single-use access token with the dcr_register scope is required to register a new client.

By default, the dcr_register scope was designed to be used only in machine flows (for instance client_credentials), but it was still possible to obtain it in the authorization code flow.

The dcr_register scope now has a block policy set up by default, so it can no longer be requested in the authorization code flow.

[ AUT-8048 ] Adjusted the cdr_arrangement_revocation endpoint in the Cloudentity tenant’s well-known endpoint to use the mTLS URL. Cloudentity now accepts the mTLS issuer_url + arrangements/revoke as a valid aud claim for client authentication to the CDR arrangement revocation endpoint.

Database Version

  • CockroachDB 22.1.1
  • Redis 6.2.8
  • TimescaleDB 2.8.0 (with Postgres 14.5)

Updated: Aug 10, 2023