Deployment and Operations

6 mins read

Release Notes: Cloudentity 2.11.0

This article is a summary of new features and changes in Cloudentity Cloudentity version 2.11.0.

February 28, 2023


FDX Dynamic Client Registration

We’re excited to announce that Cloudentity’s FDX implementation now supports offline approval of Dynamic Client Registration.

With our DCR offline approval feature, you can register a client app even if it’s currently inactive. This is ensured by the fdx_client_status parameter. Its values are mapped with the FDX client_status values, whereas mapping is based on the client app’s ability to perform token flows. The mapping is as follows:

fdx_client_status client_status Notes
Approved, Tentative active The client app can perform token flows
Pending, Rejected, Inactive inactive The token cannot be issued for the client app

Initially, the FDX client app status is set to Active.

Cloudentity’s enhanced FDX implementation and DCR support provide ways for a faster, more secure integration between financial institutions and third-party providers. Benefit from the convenience and security of Cloudentity’s FDX and DCR solutions providing compliance with FAPI standards for secure API interaction with consumer consent.

Passkey Authentication Enhanced

The previous version introduced the PasskeyCloudentity’s mechanism designed to revolutionize the sign-in experience. Version 2.11.0 brings additional options catering to your needs.

Administrators can set up passkey authentication for the required identity pool and invite users to register using this option. Meanwhile, users have control over their passkey setup and recovery options.

Experience the convenience and security of Cloudentity passkey authentication—the ultimate solution for secure and hassle-free sign-ins.

Administrator Capabilities

Version 2.11.0 includes a pile of improvements for administrators. It covers managing users with a new intuitive interface and dynamic tables, identity pool setup options, and more advanced FDX support for client configuration.

Breaking Changes

[ AUT-5198 ] Updated Fission dependencies.

This update can impact your extension scripts.

The updated major versions of Fission JS dependencies are as follows:

Dependency Updated to version
Axious 1.3.0
jsonwebtoken 9.0.0
MongoDB 5.0.0
UUID 9.0.0

The following deprecated packages are removed:

  • request

  • request-promise-native

[ AUT-8133 ], [ AUT-8113 ] Response types for client applications are configured on the workspace (server) level.

Major Additions and Changes

[ AUT-7398 ] Added the option to request the openid scope and issue ID tokens using the Token Exchange grant type.

This option is available with the token_exchange_issue_id feature flag ON. It’s applicable for exchange tokens with the openid scope issued by Cloudentity only.

[ AUT-8032 ] The /authorize request parameters are validated at the start of the authorization flow. The additional validation after the login and consent granting steps is removed.

This change resolves the expiry error for requests with objects that feature TTL less than login max age when validated at the login and consent granting steps.

[ AUT-7873 ] FDX compliance.

Dynamic client registration with offline approval is available. With it, users can perform DCR with the inactive client application. For registration approval and client app activation, a non-FDX endpoint is introduced.

The fdx_client_status parameter is implemented for the FDX server. It includes the statuses for an FDX client app. The following status mapping is applied:

fdx_client_status client_status Notes
Approved, Tentative active The client app can perform token flows
Pending, Rejected, Inactive inactive The token cannot be issued for the client app

Initially, the FDX client app status is set to Active.

You can change the initial client status on UI within the Cloudentity tenant under the required workspace OAuth » Authorization Server » Client Registration » Enable Dynamic client registration: ON » DCR Client’s Initial State:

DCR Client’s Initial State

You can also change the status of the registered client app with the new Update FDX Client’s Status PUT endpoint.

This endpoint requires an access token with the update_client_status scope. Pass the required status in the request body, for example: {update_client_status: "Approved"}. No restrictions to status transition are applied.

Minor Enhancements

[ AUT-4093 ] Open Finance Brazil workspaces enforce the following acr claim values, when requested during authorization:


This option is configurable and can be deactivated in Auth Settings > Advanced > Enforce ACR Values.

[ AUT-6193 ] Added support for the Invalidate Consents and Cleanup Registration Data Holder responsibilities, according to CDR Standards.

[ AUT-6231 ] Added audit events for arrangement consent withdrawal. These events are used to track the history of notifying ADRs about arrangement revocation.

The event action is withdrawn. The rest of the payload is the same as in other CDR audit events.

An audit event is emitted when Cloudentity successfully notifies a CDR Data Recipient of arrangement revocation.

[ AUT-7751 ] Updated the Identity Pools list. The following options are added:

  • Card view / table view

  • Search

[ AUT-7752 ] The dynamic table with adjustable visible columns under the identity pool users view. The following options are available:

  • Add column

  • Remove column

  • Reorder columns

[ AUT-7755 ] Improved user details creation and editing under the identity pool user view.

[ AUT-7855 ] Added the backend pagination for the Identity Pools list. The card view now features the infinite scroll.

[ AUT-7902 ] Post Authentication custom application option is supported for the user authentication process.

[ AUT-8075 ] Implemented user interface for Administrator management.

[ AUT-8104 ] New FDX-related attributes are implemented for Administrator API to create, get, list, and update clients:

  • Contacts

  • DurationType

  • DurationPeriod

  • LookbackPeriod

  • RegistryReferences

  • Intermediaries

  • FDXClientStatus

Every created client gets the following implicit values:

  • DurationPeriod - 365 (days)

  • LookbackPeriod - 365 (days)


[ AUT-8254 ] New FDX-related fields in the client configuration view:

  • Duration Period (days)

  • Lookback Period (days)

  • Duration Type (multiple choice available): ONE TIME, TIME BOUND, PERSISTENT

[ AUT-8199 ] In Open Finance workspaces, the consent:* scope is implicitly assigned to client apps during dynamic client registration if the software statement has roles of PAGTO or DADOS.

[ AUT-8217 ] New capabilities for an administrator:

  • Request a password reset for users.

  • Request address verification for users.

  • Request an OTP challenge.

  • Verify an OTP challenge.

[ AUT-8299 ] Improved the Delete confirmation dialogs.

Bug Fixes

[ AUT-8141 ] Fixed the probability of creating an invalid client with Admin POST /client API, resulting in the 500 error.

[ AUT-6206 ] Fixed the Go Bank–CDR connection failure in OB quickstart CDR Financroo.

[ AUT-8123 ] Improved the Create Client error message. The generic error message is replaced with a detailed description.

[ AUT-8188 ] Fixed the passkey authentication launching with the action button led to the blank page.

Now, the Passcode option isn’t applied for user authentication when several authentication mechanisms are set up for an identity pool (for example, Password and OTP) unless it’s enabled explicitly.

With the inactive WebAuthn feature flag, the administrator cannot set Passkey as an authentication mechanism for the identity pool either using UI or API. The option applies to an identity pool creation and update. In this case, the Passkey option is also unavailable for user activation.

[ AUT-8211 ] Design inconsistency updates.

Database Version
CockroachDB 22.2.3
Redis 6.2.8
TimescaleDB 2.8.0 (with Postgres 14.5)
Updated: Nov 2, 2023