April 13, 2023
Highlights
Third-party Authentication Apps
You can now connect a Third-party Application to Cloudentity for user authentication purposes. This application can interrupt the authorization flow after the user logs in using an IDP, redirecting the user to a custom, business-specific application hosted by the customer. The application can, for example, request the users to complete additional processes or interactions during the authentication process before they can proceed to granting their consent to the client. When the user completes this third-party flow, they are redirected back to the original authorization flow.
Passwordless Authentication with OTP
We added an Identity API that generates an authentication OTP code for a user. This code can be then either automatically sent by the client to a user’s verified address or delivered to the user in another trusted way.
This code is consumable by both token and authorization endpoints through extensions to OIDC/OAuth specifications.
Open Banking for Saudi Arabia
Open Banking standards keep spreading all around the world like wildfire. To match this trend, we added support for Open Banking standards for Kingdom of Saudi Arabia. Check the developer documentation for more details.
Open Finance Ecosystems Compliance
Following our path of compliance with Customer Data Right and Financial Data Exchange standards, we have added a number of features allowing you to keep up with both specifications.
One Token to Rule Them All
We’ve added a new dcr_manage scope to the OAuth 2.0 service. Clients whose access tokens contain this scope can access and call the DCR (Dynamic Client Registration) management endpoints. These endpoints include GET, PUT, and DELETE methods for any dynamically registered client within the same workspace.
In simpler terms, this DCR extension is a powerful feature that enables a “one token to manage them all” approach to dynamically registered clients. With the addition of the dcr_manage scope, clients can now easily access and manage all dynamically registered clients with a single access token. This eliminates the need for multiple access tokens for different clients and allows for a more streamlined and efficient management process.
This feature also supersedes other settings like registration access tokens. Clients can now use their access token with the dcr_manage scope to manage registered clients without having to generate and use multiple access tokens for different purposes.
Breaking changes
[ AUT-8375 ] CDR OAuth Token introspect endpoint now returns 200 instead of 401 when a consent/arrangement is revoked for a token.
[ AUT-8512 ] We have implemented Identity Pool authentication methods configuration for Resource Owner Password Grant. This impacts clients using Resource Owner Password Grant with Identity Pools who did not have Password (which is the default setting) enabled as a valid Authentication Method in this pool, in which case users won’t be able to log in. Enable password authentication in the Identity Pool to mitigate this problem.
[ AUT-8624 ] Cloudentity now passes the evaluated scope context to the authorization engine, so the same policy can be reused across scopes. In a REGO policy the scope is available under input.scope. To access the name of the currently evaluated scope, use input.scope.requested_name.
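As an added illustration (not taken from the Cloudentity documentation), the following Rego policy uses input.scope.requested_name so that one policy can serve several scopes instead of one policy per scope. Only input.scope.requested_name comes from this page; the package name, the scope-to-entitlement mapping and the input.authn_ctx.entitlements path are assumptions for the example.

```rego
package example.scope_policy

# Deny unless a rule below explicitly allows (fail-closed default).
default allow = false

# Constructed mapping: which entitlement a subject must hold for each scope name.
# Add new scopes here instead of writing a new policy for each of them.
required_entitlement := {
    "accounts:read":  "view_accounts",
    "payments:write": "initiate_payments",
}

# Allow when the scope being evaluated (input.scope.requested_name, provided by
# Cloudentity per AUT-8624) maps to an entitlement the subject actually holds.
# input.authn_ctx.entitlements is an assumed input path for this example.
allow {
    needed := required_entitlement[input.scope.requested_name]
    input.authn_ctx.entitlements[_] == needed
}

# Optional explanation for audit/debugging: which scope was denied and why.
deny_reason := msg {
    not allow
    msg := sprintf("scope %q is not granted to this subject", [input.scope.requested_name])
}
```

A scope that is absent from required_entitlement is denied by the default rule, which keeps newly introduced scopes closed until they are deliberately mapped.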
Minor enhancements
[ AUT-5673 ] Implemented Accredited Data Recipient validation for CDR using cache.
[ AUT-7654 ] A technical blog describing how to create an Open Banking client app in Node.js for FDX.
[ AUT-7805 ] For servers that have more than one profile (CDR and OBUK), the Open Banking Quickstart package is now created with the proper profile. Additionally, we now use a PS256 key to sign the client assertion and an ES256 key to sign the request object.
[ AUT-7865 ] We have made sweeping changes to the self-registration UI flow and its corresponding back-end handlers in order to improve user experience. These changes are protected by the new feature flag, user_self_registration_improved, which is set to “false” by default.
[ AUT-7931 ] Implemented permissions on the UI to match the assigned roles.
[ AUT-8193 ] Open Banking Saudi Arabia implementation, controlled with the openbanking_ksa feature flag.
[ AUT-8358 ] We now advertise claims mapped to ID token and Access Token in the .well-known endpoint.
[ AUT-8359 ] In a CDR workspace, if ADR validation is enabled, we added an additional flag, skip_register_url_validation, to skip the validation of the registry URL. If this flag is enabled, the admin can provide an invalid register URL without getting an error. The registry cache is not populated on creation or update of the server in this case. The errors are instead reported by the recurring job that updates the register, for example:
{"error":"failed to get data from cdr register: https://tes2345t.com with version: 1.20.0","level":"warning","logrus_error":"can not add field \"traceID\"","msg":"failed to sync cdr register https://tes2345t.com","time":"2023-02-21T14:38:05Z"}
[ AUT-8368 ] Added a fallback method to synchronize the ACCC validator if it is empty during the validation process.
[ AUT-8377 ] New CDR configuration setting allowing to skip trust anchor caching (useful for testing purposes)
[ AUT-8395 ] Added support for both password and authentication code (plain and extended) for Resource Owner Password Grant Flow.
[ AUT-8396 ] Added support for authentication_code as a parameter to the /authorize endpoint to support automatic user login using “magic link / OTP”.
[ AUT-8398 ] Extend Identity Pool configuration with TTL config for authentication codes.
[ AUT-8400 ] Fixed login audit event to use the client ID that initiated the session, not the client ID from the system workspace.
[ AUT-8435 ] PAYMENT_SUPPORT Data Cluster and corresponding scope is added for FDX.
[ AUT-8489 ] Improved the user activation screen for the self-registration flow to conform to the new UX design.
[ AUT-8491 ] Cache for CDR Arrangements is now hidden behind the cdr_arrangement_cache feature flag.
[ AUT-8504 ] Previously DCR registration token was always valid for 30 days. Now the TTL is configurable and can be extended and optionally expiry can be disabled.
Bug fixes
[ AUT-8631 ] Fixed an error sending emails with custom SMTP configuration.
[ AUT-8365 ] Added a proper validation of FDX Client Status for create client admin API so that only FDX-specified statuses are accepted.
[ AUT-8376 ] Fixed a bug causing client authentication errors due to hardcoded audience URLs. Audience claim has been updated to invoke revocation endpoints.
[ AUT-8391 ] Fixed a panic that would occur in the /token endpoint when the Do not cache trust anchor data flag was enabled.
[ AUT-8397 ] Extended code shared by the Generate code of a specific type API is now implemented in a more secure way.
[ AUT-8405 ] Added the missing acr and amr claims to ID Tokens minted through token exchange.
[ AUT-8508 ] Improve asynchronous audit events batch processing to avoid situations where audit event payload is overridden by other events that happened around the same time.
[ AUT-8513 ] HTTP error 424 with a helpful error message is now returned when the Refresh ADR Metadata endpoint is called and the register is either invalid or unavailable.
[ AUT-8535 ] The rate limit configuration for the events module now correctly interprets 0 as "no limit". Before, such a configuration caused errors while rate limiting.
[ AUT-8569 ] client_id is now required for the Delete Arrangement API. Previously, error 500 was returned if no client_id was provided instead of the correct 400 Invalid Request.
[ AUT-8601 ] Modified the error response for the Open Banking Brazil payment consent middleware to return a more helpful message in the case of an invalid server or client organisation id configuration. This change applies to the v1 and v2 payment consent creation endpoints. Error logging was also improved to include stack traces for this middleware.
[ AUT-8635 ] Added descriptions for the LookbackPeriod and DurationPeriod parameters of the FDX Dynamic Client Registration endpoint. In both cases, the minimum value is 1 and the default value is 365. The default value is applied when a value is either not provided or 0 is provided.
Recommended Database Versions
| Database | Version |
|---|---|
| CockroachDB | 22.2.3 |
| Redis | 6.2.8 |
| TimescaleDB | 2.8.0 (with Postgres 14.5) |