January 31, 2023
Highlights
Financial Data Exchange 5.1
Secure data exchange between financial institutions is increasingly becoming a hot topic as users expect to be empowered when managing their financial data. Thankfully, Cloudentity is here to help.
This release adds the set of APIs required for Dynamic Client Registration for Financial Data Exchange in accordance with the FDX 5.1 specification. Check our FDX API documentation for more details.
Possession-Based Authentication with Identity Pools
Passwordless authentication is a way of protecting user credentials by replacing traditional, knowledge-based authentication (such as entering a password you know) with possession-based authentication (such as confirming the login with your fingerprint on a device you own). The possession-based approach has a number of advantages, primarily:
- There is no password so you can’t give it away to a phishing site
- Your credentials are never stored on the server; in fact, they never leave the device used for authentication
The FIDO Alliance is the organization that maintains the standards for passwordless authentication.
When authenticating with Cloudentity Identity Pools, you have the option to use a Passkey instead of relying on passwords.
Breaking Changes
[ AUT-7854 ] Pagination has been introduced when calling the List Identity Pools API. Callers can filter by `id` or `name` of the Identity Pool, search before or after its `id`, sort by `id` or `name`, order ascending or descending, and limit the number of returned results.
Callers who wish to use this API to return all Identity Pools should either set a high limit or enable pagination in their UI.
[ AUT-7898 ] Token endpoint authentication signing algorithms are now configurable on the server level via the `token_endpoint_auth_signing_alg_values` parameter, for example:

```json
{
  "token_endpoint_auth_signing_alg_values": [
    "HS256",
    "RS256",
    "ES256",
    "PS256"
  ]
}
```

Depending on the server security profile, only specific algorithms are allowed; for instance, for FAPI-based profiles the only supported algorithms are `ES256` and `PS256`.
When a client is dynamically registered in an Open Banking Brazil workspace with the insurance industry, if `token_endpoint_auth_signing_alg` is not explicitly provided, it is set automatically to `PS256`.
`token_endpoint_auth_signing_alg` on the client side should no longer use the `none` value, as per the OIDC specification. Instead of `none`, the value should be empty or set to one of the algorithms supported by the server (see `token_endpoint_auth_signing_alg_values_supported` in the well-known page). `none` is still accepted but is converted to an empty string.
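The rules above, worked through as an added example that is not Cloudentity's code: a resolver that takes the client's requested `token_endpoint_auth_signing_alg`, the server's configured `token_endpoint_auth_signing_alg_values`, and applies the `none`-to-empty conversion, the Brazil insurance default and the FAPI restriction. The profile name `fapi_advanced` and the `brazil_insurance` flag are assumptions used only to label the cases.

```python
from typing import Optional

# Only algorithms allowed for FAPI-based security profiles (per the release note).
FAPI_ALGS = {"ES256", "PS256"}

# Server configuration quoted from the release note.
SERVER_ALGS = ["HS256", "RS256", "ES256", "PS256"]


def resolve_signing_alg(client_alg: Optional[str], server_values: list,
                        profile: str = "default", brazil_insurance: bool = False) -> str:
    """Return the token_endpoint_auth_signing_alg a registration ends up with,
    or raise ValueError when the server has to reject the request.

    - "none" (or a missing value) is accepted but converted to an empty string.
    - Empty means "no explicit algorithm", except that an Open Banking Brazil
      insurance workspace (assumed flag) defaults it to PS256.
    - An explicit algorithm must be in the server's configured list, and for
      FAPI-based profiles (assumed name prefix "fapi") must also be ES256/PS256.
    """
    alg = "" if client_alg is None or client_alg == "none" else client_alg
    if alg == "" and brazil_insurance:
        alg = "PS256"
    if alg == "":
        return ""
    allowed = set(server_values)
    if profile.startswith("fapi"):
        allowed &= FAPI_ALGS
    if alg not in allowed:
        raise ValueError(
            f"unsupported token_endpoint_auth_signing_alg {alg!r}; allowed: {sorted(allowed)}")
    return alg


def supported_values_for_well_known(server_values: list, profile: str = "default") -> list:
    """What token_endpoint_auth_signing_alg_values_supported should advertise
    for this server profile (order of the configured list preserved)."""
    if profile.startswith("fapi"):
        return [a for a in server_values if a in FAPI_ALGS]
    return list(server_values)
```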
Major Additions and Changes
[ AUT-7762 ] Implemented Dynamic Client Registration for FDX. All request and response parameters are adjusted in accordance with the FDX specification. This API is hidden behind the `FDXDCR` feature flag.
[ AUT-7172 ] Introduced Passkey Device registration, so the user can register without having a password, using a device like a smartphone or YubiKey instead. The feature is hidden behind the `webauthn` feature flag.
[ AUT-4170 ] Allow sending an encrypted request object when request object encryption is not enforced on Cloudentity’s side.
[ AUT-7803 ] Improved compliance for the CDR refresh metadata endpoint in accordance with the CDR specification.
- The `x-v` header is now required when calling this endpoint (currently supporting version 1)
- Error messages have been refactored to match what is in the specification
[ AUT-7946 ] Improved SQL client connection handling to improve product stability.
[ AUT-8103 ] The `x5c` (X.509 certificate chain) certificate for server-side JWKS is no longer mandatory.
Minor Enhancements
[ AUT-7352 ] Changed the validity of the `x5c` certificate in the Cloudentity server JWKS endpoint from 1 month to 10 years. Additionally, we now set the certificate CN to the server’s issuer URL.
When a server signing key is generated, it also includes the `x5c` self-signed certificate in the JWKS endpoint. This certificate is issued for localhost and valid for one month. `x5c` is optional and should not be returned.
[ AUT-7356 ] Default font used in templated pages changed from Roboto to Inter.
[ AUT-7579 ] Enabled uid-formatted identifiers to be used for password authentication.
[ AUT-7586 ] Added support for CDR register API version 1.20.0. Previously, only version 1.16.1 was supported. Users can select which version to use under Auth Settings > OAuth > General.
[ AUT-7754 ] Identity Pool creation form improvements - added more configuration options during the pool creation step.
[ AUT-7765 ] When listing an Identity Pool, the cached number of users in the pool is added to the response in the `number_of_users` parameter.
[ AUT-7850 ] Improved the latency of the List Users API.
[ AUT-7853 ] Added badge colors to Identity Pools, improving the ability to distinguish between different Identity Pools in the UI.
[ AUT-7950 ] Added audit events for granting and revoking roles. This includes both tenant roles and workspace roles.
[ AUT-7976 ] Added the new field `requested_redirect_uri` to the System Authorization API.
[ AUT-7990 ] Improved Identity Pool settings view - gathered advanced settings in a single tab to improve options management. Improved schemas and metadata pages in Identity Pools.
[ AUT-8039 ] Extended the List customer clients API with the ability to filter CDR customer clients search results by `accounts` in addition to `customer_id`.
[ AUT-8040 ] Cloudentity now generates Audit Events when an Extension Script executes, with the Event Subject `script` and Event Action `executed`. In addition, it is possible to temporarily enable greater detail in the audit events, to assist in debugging.
Bug Fixes
[ AUT-8024 ] Fixed a missing select IDP cookie when using scripting extension discovery.
[ AUT-6136 ] Quickstart page for Open Banking UK FAPI Advanced profile is now disabled.
[ AUT-7237 ] Solved the issue with Refresh Token being active for ~30s after consent revocation.
[ AUT-7740 ] Fixed a problem where the CDR refresh endpoint threw error 500 when the server’s industry was set to energy/telco. The register client implementation for 1.16.1 is now set to only use the `banking` industry, as this is the only industry accepted by that version of the CDR register.
[ AUT-7875 ] Fixed a bug where, under special conditions, a user token could be used to manage a dynamically registered OAuth 2.0 client.
[ AUT-7886 ] In Permissions APIs, READ and DELETE operations for relationships no longer share incorrect request body parameters descriptions.
[ AUT-7897 ] Scopes from service are now correctly displayed in consent preview instead of hardcoded scopes.
[ AUT-7925 ] If DCR is used with an initial access token, a single-use access token with the `dcr_register` scope is required to register a new client.
By default, the `dcr_register` scope was designed to be used only for machine flows (for instance `client_credentials`), but it was still possible to request it in the authorization code flow.
Now the `dcr_register` scope has a block policy set up by default, so it is no longer possible to request it in the authorization flow.
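An added example (not Cloudentity's code) of the two controls this fix describes: a scope policy that blocks `dcr_register` outside machine flows, and a store that lets an initial access token carrying that scope register exactly one client. The `jti`-keyed store and the result strings are assumptions for illustration.

```python
import time
from dataclasses import dataclass, field

DCR_SCOPE = "dcr_register"
# Grant types treated as machine flows; anything else (e.g. authorization_code)
# is refused the scope by the block policy.
MACHINE_GRANTS = {"client_credentials"}


def scope_request_allowed(grant_type: str, scopes: set) -> bool:
    """Block policy: dcr_register may only be issued through a machine flow."""
    return DCR_SCOPE not in scopes or grant_type in MACHINE_GRANTS


@dataclass
class InitialAccessTokenStore:
    """Tracks issued initial access tokens by jti (assumed key) so each is single-use."""
    issued: dict = field(default_factory=dict)   # jti -> (scopes, expires_at)
    consumed: set = field(default_factory=set)

    def issue(self, jti: str, scopes, ttl_seconds: int, now: float = None) -> None:
        now = time.time() if now is None else now
        self.issued[jti] = (set(scopes), now + ttl_seconds)

    def consume_for_registration(self, jti: str, now: float = None) -> str:
        """Return "ok" if the token may register a client, otherwise the refusal
        reason. On success the token is marked consumed, so a replay is refused."""
        now = time.time() if now is None else now
        if jti not in self.issued:
            return "unknown_token"
        if jti in self.consumed:
            return "already_used"
        scopes, expires_at = self.issued[jti]
        if now >= expires_at:
            return "expired"
        if DCR_SCOPE not in scopes:
            return "missing_dcr_register_scope"
        self.consumed.add(jti)
        return "ok"
```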
[ AUT-8048 ] Adjusted the `cdr_arrangement_revocation` endpoint in the Cloudentity tenant’s well-known endpoint to use the mTLS URL. Cloudentity now accepts the mTLS `issuer_url` + `arrangements/revoke` as a valid `aud` claim for client authentication to the CDR arrangement revocation endpoint.
Recommended Database Versions
| Database | Version |
|---|---|
| CockroachDB | 22.1.1 |
| Redis | 6.2.8 |
| TimescaleDB | 2.8.0 (with Postgres 14.5) |