Deployment and Operations

Release Notes: Cloudentity 2.11.0

This article is a summary of new features and changes in Cloudentity version 2.11.0.

February 28, 2023

Highlights

FDX Dynamic Client Registration

We’re excited to announce that Cloudentity’s FDX implementation now supports offline approval of Dynamic Client Registration.

With our DCR offline approval feature, you can register a client app even if it’s currently inactive. This is ensured by the fdx_client_status parameter. Its values are mapped to client_status values; the mapping reflects whether the client app is able to perform token flows. The mapping is as follows:

| fdx_client_status | client_status | Notes |
|---|---|---|
| Approved, Tentative | active | The client app can perform token flows |
| Pending, Rejected, Inactive | inactive | The token cannot be issued for the client app |

Initially, the FDX client app status is set to Active.

Cloudentity’s enhanced FDX implementation and DCR support provide ways for a faster, more secure integration between financial institutions and third-party providers. Benefit from the convenience and security of Cloudentity’s FDX and DCR solutions providing compliance with FAPI standards for secure API interaction with consumer consent.

Passkey Authentication Enhanced

The previous version introduced Passkey, Cloudentity’s mechanism designed to revolutionize the sign-in experience. Version 2.11.0 brings additional options catering to your needs.

Administrators can set up passkey authentication for the required identity pool and invite users to register using this option. Meanwhile, users have control over their passkey setup and recovery options.

Experience the convenience and security of Cloudentity passkey authentication—the ultimate solution for secure and hassle-free sign-ins.

Administrator Capabilities

Version 2.11.0 includes a number of improvements for administrators. It covers managing users with a new intuitive interface and dynamic tables, identity pool setup options, and more advanced FDX support for client configuration.

Breaking Changes

[ AUT-5198 ] Updated Fission dependencies.

This update can impact your extension scripts.

The updated major versions of Fission JS dependencies are as follows:

| Dependency | Updated to version |
|---|---|
| Axios | 1.3.0 |
| jsonwebtoken | 9.0.0 |
| MongoDB | 5.0.0 |
| UUID | 9.0.0 |

The following deprecated packages are removed:

  • request

  • request-promise-native
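The removal of request and request-promise-native is the part of this change most likely to break an existing extension script. The following shim is an added example, not Cloudentity’s or Fission’s own code: toAxiosConfig() translates the common request-style option names (uri/url, qs, body with json, form, auth, timeout) into an axios 1.x config, and sendWithAxios() issues the call through an injected axios-compatible client, so the translation can be exercised without network access. The option-name correspondences follow the public request and axios documentation; nothing here is Cloudentity-specific.

```javascript
// Added example (not Cloudentity's or Fission's own code): a migration shim for
// extension scripts that used request / request-promise-native, both removed in 2.11.0.
// toAxiosConfig() maps request-style options onto an axios 1.x config object.
function toAxiosConfig(requestOptions) {
  const {
    uri, url, method = "GET", headers = {}, qs, body, json, form, auth, timeout,
  } = requestOptions;
  const target = url || uri;
  if (!target) {
    throw new Error("request options need `uri` or `url`");
  }
  const config = {
    url: target,
    method: String(method).toUpperCase(),
    headers: { ...headers },
  };

  if (qs) config.params = qs;                  // request `qs`   -> axios `params`
  if (timeout !== undefined) config.timeout = timeout;
  if (auth) {                                  // request `auth` -> axios `auth`
    config.auth = {
      username: auth.user ?? auth.username,
      password: auth.pass ?? auth.password,
    };
  }
  if (form) {                                  // request `form` -> urlencoded body
    config.data = new URLSearchParams(form).toString();
    config.headers["Content-Type"] = "application/x-www-form-urlencoded";
  } else if (body !== undefined) {             // request `body` -> axios `data`
    config.data = body;                        // axios serialises objects as JSON itself
    if (json && !hasHeader(config.headers, "content-type")) {
      config.headers["Content-Type"] = "application/json";
    }
  }
  return config;
}

// Case-insensitive header lookup, so a caller-supplied content type is respected.
function hasHeader(headers, name) {
  return Object.keys(headers).some((k) => k.toLowerCase() === name);
}

// request-promise-native resolved with the parsed body (or the full response when
// resolveWithFullResponse was set); axios resolves with a response object and puts
// the parsed body in `.data`. Both reject on a non-2xx status by default, so error
// handling around the call can stay as it was. The client is injectable so the
// shim can be tested with a fake; by default it loads the real axios package.
async function sendWithAxios(requestOptions, client = require("axios")) {
  const response = await client(toAxiosConfig(requestOptions));
  return requestOptions.resolveWithFullResponse ? response : response.data;
}
```

Scripts that also call jsonwebtoken should pass an explicit algorithms list to jwt.verify regardless of the version bump; it is the standard way to prevent a token from selecting a weaker algorithm than the one the script expects.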

[ AUT-8133 ], [ AUT-8113 ] Response types for client applications are configured on the workspace (server) level.

Major Additions and Changes

[ AUT-7398 ] Added the option to request the openid scope and issue ID tokens using the Token Exchange grant type.

This option is available with the token_exchange_issue_id feature flag ON. It applies only to exchanging tokens with the openid scope that were issued by Cloudentity.

[ AUT-8032 ] The /authorize request parameters are validated at the start of the authorization flow. The additional validation after the login and consent granting steps is removed.

This change resolves the expiry error that occurred for request objects whose TTL is shorter than the login max age when they were validated at the login and consent granting steps.

[ AUT-7873 ] FDX compliance.

Dynamic client registration with offline approval is available. With it, DCR can be performed for a client application that is inactive. For registration approval and client app activation, a non-FDX endpoint is introduced.

The fdx_client_status parameter is implemented for the FDX server. It holds the status of an FDX client app. The following status mapping is applied:

| fdx_client_status | client_status | Notes |
|---|---|---|
| Approved, Tentative | active | The client app can perform token flows |
| Pending, Rejected, Inactive | inactive | The token cannot be issued for the client app |

Initially, the FDX client app status is set to Active.

You can change the initial client status in the UI of your Cloudentity tenant, under the required workspace: OAuth » Authorization Server » Client Registration » Enable Dynamic client registration: ON » DCR Client’s Initial State:

[Screenshot: DCR Client’s Initial State]

You can also change the status of the registered client app with the new Update FDX Client’s Status PUT endpoint.

This endpoint requires an access token with the update_client_status scope. Pass the required status in the request body, for example: {"update_client_status": "Approved"}. No restrictions on status transitions are applied.
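The following is an added example and not Cloudentity’s own code. It models the fdx_client_status to client_status mapping from the table above and builds the request for the Update FDX Client’s Status endpoint. The body key update_client_status and the required scope come from this release note; the endpoint URL is a placeholder (an assumption, to be taken from the API reference), and ALLOWED_TRANSITIONS is a constructed local policy: because the endpoint itself places no restrictions on status transitions, a caller that wants a review workflow (for example, only moving a Pending registration to Approved or Rejected) has to enforce it before sending the request.

```javascript
// Added example (not Cloudentity's own code). Status values and the mapping follow the
// release note table; the transition policy and endpoint URL are constructed/assumed.
const FDX_TO_CLIENT_STATUS = Object.freeze({
  Approved: "active",
  Tentative: "active",
  Pending: "inactive",
  Rejected: "inactive",
  Inactive: "inactive",
});

// Resolve client_status for an fdx_client_status. Unknown values raise instead of
// silently mapping to inactive, so a misspelled status surfaces immediately.
function clientStatusFor(fdxClientStatus) {
  const mapped = FDX_TO_CLIENT_STATUS[fdxClientStatus];
  if (mapped === undefined) {
    throw new Error(`unknown fdx_client_status: ${fdxClientStatus}`);
  }
  return mapped;
}

// True when the authorization server issues tokens to the client (client_status active).
function canPerformTokenFlows(fdxClientStatus) {
  return clientStatusFor(fdxClientStatus) === "active";
}

// Constructed local policy (the endpoint enforces nothing of the kind): a registration
// waits in Pending until reviewed, and an approved client can later be deactivated.
const ALLOWED_TRANSITIONS = Object.freeze({
  Pending: ["Approved", "Tentative", "Rejected"],
  Tentative: ["Approved", "Rejected", "Inactive"],
  Approved: ["Inactive"],
  Rejected: ["Pending"],
  Inactive: ["Pending", "Approved"],
});

function isAllowedTransition(from, to, policy = ALLOWED_TRANSITIONS) {
  return (policy[from] || []).includes(to);
}

// Space-separated `scope` claim of the caller's access token -> array of scope names.
function scopesOf(accessTokenClaims) {
  return String(accessTokenClaims.scope || "").split(" ").filter(Boolean);
}

// Build the PUT request for the Update FDX Client's Status endpoint. `endpointUrl` is
// a placeholder: take the real path from the Cloudentity API reference.
function buildStatusUpdate({ endpointUrl, accessToken, accessTokenClaims, currentStatus, newStatus }) {
  clientStatusFor(newStatus); // validates that the target status is a known FDX status
  if (!scopesOf(accessTokenClaims).includes("update_client_status")) {
    throw new Error("access token lacks the update_client_status scope");
  }
  if (!isAllowedTransition(currentStatus, newStatus)) {
    throw new Error(`transition ${currentStatus} -> ${newStatus} not allowed by local policy`);
  }
  return {
    method: "PUT",
    url: endpointUrl,
    headers: {
      Authorization: `Bearer ${accessToken}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ update_client_status: newStatus }),
  };
}
```

The scope check mirrors what the server will enforce; doing it client-side only avoids a round trip. The transition policy is the part the server does not do for you, and is the piece to adapt to your own approval process.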

Minor Enhancements

[ AUT-4093 ] Open Finance Brazil workspaces enforce the following acr claim values when they are requested during authorization:

  • urn:brasil:openbanking:loa2

  • urn:brasil:openbanking:loa3

  • brasil:openinsurance:standard

  • urn:opinbrasil:trustframework:gold

  • urn:brasil:openinsurance:loa2

  • urn:brasil:openinsurance:loa3

This option is configurable and can be deactivated in Auth Settings > Advanced > Enforce ACR Values.

[ AUT-6193 ] Added support for the Invalidate Consents and Cleanup Registration Data Holder responsibilities, according to CDR Standards.

[ AUT-6231 ] Added audit events for arrangement consent withdrawal. These events are used to track the history of notifying ADRs about arrangement revocation.

The event action is "withdrawn". The rest of the payload is the same as in other CDR audit events.

An audit event is emitted when Cloudentity successfully notifies a CDR Data Recipient of arrangement revocation.

[ AUT-7751 ] Updated the Identity Pools list. The following options are added:

  • Card view / table view

  • Search

[ AUT-7752 ] Added a dynamic table with adjustable visible columns to the identity pool users view. The following options are available:

  • Add column

  • Remove column

  • Reorder columns

[ AUT-7755 ] Improved user details creation and editing under the identity pool user view.

[ AUT-7855 ] Added backend pagination for the Identity Pools list. The card view now features infinite scroll.

[ AUT-7902 ] The Post Authentication custom application option is now supported in the user authentication process.

[ AUT-8075 ] Implemented user interface for Administrator management.

[ AUT-8104 ] New FDX-related attributes are implemented for Administrator API to create, get, list, and update clients:

  • Contacts

  • DurationType

  • DurationPeriod

  • LookbackPeriod

  • RegistryReferences

  • Intermediaries

  • FDXClientStatus

Every created client gets the following implicit values:

  • DurationPeriod - 365 (days)

  • LookbackPeriod - 365 (days)

  • DurationType - [ONE_TIME, TIME_BOUND, PERSISTENT]

[ AUT-8254 ] New FDX-related fields in the client configuration view:

  • Duration Period (days)

  • Lookback Period (days)

  • Duration Type (multiple choice available): ONE TIME, TIME BOUND, PERSISTENT

[ AUT-8199 ] In Open Finance workspaces, the consent:* scope is implicitly assigned to client apps during dynamic client registration if the software statement has roles of PAGTO or DADOS.

[ AUT-8217 ] New capabilities for an administrator:

  • Request a password reset for users.

  • Request address verification for users.

  • Request an OTP challenge.

  • Verify an OTP challenge.

[ AUT-8299 ] Improved the Delete confirmation dialogs.

Bug Fixes

[ AUT-8141 ] Fixed a bug where the Admin POST /client API could create an invalid client, resulting in a 500 error.

[ AUT-6206 ] Fixed the Go Bank–CDR connection failure in OB quickstart CDR Financroo.

[ AUT-8123 ] Improved the Create Client error message. The generic error message is replaced with a detailed description.

[ AUT-8188 ] Fixed an issue where launching passkey authentication with the action button led to a blank page.

Now, the Passcode option isn’t applied for user authentication when several authentication mechanisms are set up for an identity pool (for example, Password and OTP) unless it’s enabled explicitly.

With the WebAuthn feature flag inactive, the administrator cannot set Passkey as an authentication mechanism for the identity pool using either the UI or the API. This applies to both identity pool creation and update. In this case, the Passkey option is also unavailable for user activation.

[ AUT-8211 ] Design inconsistency updates.

Database Version

| Database | Version |
|---|---|
| CockroachDB | 22.2.3 |
| Redis | 6.2.8 |
| TimescaleDB | 2.8.0 (with Postgres 14.5) |

Updated: Nov 2, 2023