Deployment and Operations

7 mins read

Release Notes: Cloudentity Product 2.12.0

This article is a summary of new features and changes in Cloudentity Cloudentity Product version 2.12.0.

April 13, 2023


Third-party Authentication Apps

You can now connect a Third-party Application to Cloudentity for user authentication purposes. This application can interrupt the authorization flow after the user logs in using an IDP, redirecting the user to a custom, business-specific application hosted by the customer. The application can, for example, request the users to complete additional processes or interactions during the authentication process before they can proceed to granting their consent to the client. When the user completes this third-party flow, they are redirected back to the original authorization flow.

Passwordless Authentication with OTP

We added an Identity API that generates an authentication OTP code for a user. This code can be then either automatically sent by the client to a user’s verified address or delivered to the user in another trusted way.

This code is consumable by both token and authorization endpoints through extensions to OIDC/OAuth specifications.

Open Banking for Saudi Arabia

Open Banking standards keep spreading all around the world like wildfire. To match this trend, we added support for Open Banking standards for Kingdom of Saudi Arabia. Check the developer documentation for more details.

Open Finance Ecosystems Compliance

Following our path of compliance with Customer Data Right and Financial Data Exchange standards, we have added a number of features allowing you to keep up with both specifications.

One Token to Rule Them All

We’ve added a new dcr_manage scope to the OAuth 2.0 service. This new scope provides clients with access tokens containing it to access and call DCR (Dynamic Client Registration) management endpoints. These endpoints include GET, PUT, and DELETE methods for any dynamically registered client within the same workspace.

In simpler terms, this DCR extension is a powerful feature that enables a “one token to manage them all” approach to dynamically registered clients. With the addition of the dcr_manage scope, clients can now easily access and manage all dynamically registered clients with a single access token. This eliminates the need for multiple access tokens for different clients and allows for a more streamlined and efficient management process.

This feature also supersedes other settings like registration access tokens. Clients can now use their access token with dcr_manage scope to manage registered clients without having to generate and use multiple access tokens for different purposes.

Breaking changes

[ AUT-8375 ] CDR OAuth Token introspect endpoint now returns 200 instead of 401 when a consent/arrangement is revoked for a token.

[ AUT-8512 ] We have implemented Identity Pool authentication methods configuration for Resource Owner Password Grant. This impacts clients using Resource Owner Password Grant with Identity Pools who did not have Password (which is the default setting) enabled as a valid Authentication Method in this pool, in which case users won’t be able to log in. Enable password authentication in the Identity Pool to mitigate this problem.

[ AUT-8624 ] Cloudentity will now pass evaluated scope context to authorization engine so it’s possible to reuse the same policy. In the REGO policy scope is available under: input.scope. To access currently evaluated scope name use: input.scope.requested_name.

Minor enhancements

[ AUT-5673 ] Implemented Accredited Data Recipient validation for CDR using cache.

[ AUT-7654 ] A technical blog describing how to create an Open Banking client app in Node.js for FDX.

[ AUT-7805 ] For servers that have more than one profile (CDR and OBUK), the Open Banking Quickstart package is now created with the proper profile. Additionally, we now use PS265 key to sign client assertion and ES256 key for signing the request object.

[ AUT-7865 ] We have made sweeping changes to the self-registration UI flow, and its corresponding back-end handlers in order to improve user experience. These changes are protected by the new feature flag, user_self_registration_improved, which is set to “false” by default.

[ AUT-7931 ] Implemented permissions on the UI to match the assigned roles.

[ AUT-8193 ] Open Banking Saudi Arabia implementation, controlled with the openbanking_ksa feature flag.

[ AUT-8358 ] We now advertise claims mapped to ID token and Access Token in the .well-known endpoint.

[ AUT-8359 ] In CDR workspace, if ADR validation is enabled, we added an additional flag skip_register_url_validation to skip the validation of registry URL. If this flag is enabled, then admin can provide an invalid register URL without getting an error if the URL is invalid. Registry cache is not be populated on creation or update of the server in this case. The errors will be shown by the recurring job that is updating the register.

{"error":"failed to get data
from cdr register: with version: 1.20.0","level":"warning","logrus_error":"can
not add field \"traceID\"","msg":"failed to sync cdr register","time":"2023-02-21T14:38:05Z"}

[ AUT-8368 ] Added a fallback method to synchronize the ACCC validator if it is empty during the validation process.

[ AUT-8377 ] New CDR configuration setting allowing to skip trust anchor caching (useful for testing purposes)

[ AUT-8395 ] Added support for both password and authentication code (plain and extended) for Resource Owner Password Grant Flow.

[ AUT-8396 ] Add support for authentication_code as a parameter to the /authorize endpoint to support automatic user login using “magic link / OTP”.

[ AUT-8398 ] Extend Identity Pool configuration with TTL config for authentication codes.

[ AUT-8400 ] Fixed login audit event to use the client ID that initiated the session, not the client ID from the system workspace.

[ AUT-8435 ] PAYMENT_SUPPORT Data Cluster and corresponding scope is added for FDX.

[ AUT-8489 ] Improved the user activation screen for the self-registration flow to conform to the new UX design.

[ AUT-8491 ] Cache for CDR Arrangements is now hidden behind the cdr_arrangement_cache feature flag.

[ AUT-8504 ] Previously DCR registration token was always valid for 30 days. Now the TTL is configurable and can be extended and optionally expiry can be disabled.

Bug fixes

[ AUT-8631 ] Fixed an error sending emails with custom SMTP configuration.

[ AUT-8365 ] Added a proper validation of FDX Client Status for create client admin API so that only FDX-specified statuses are accepted.

[ AUT-8376 ] Fixed a bug causing client authentication errors due to hardcoded audience URLs. Audience claim has been updated to invoke revocation endpoints.

[ AUT-8391 ] Fixed panic that would occur in the /token endpoint when the Do not cache trust anchor data flag was enabled.

[ AUT-8397 ] Extended code shared by the Generate code of a specific type API is now implemented in a more secure way.

[ AUT-8405 ] Add missing acr, amr claims to ID Token minted through token exchange.

[ AUT-8508 ] Improve asynchronous audit events batch processing to avoid situations where audit event payload is overridden by other events that happened around the same time.

[ AUT-8513 ] HTTP error 424 with a helpful error message is now returned when the Refresh ADR Metadata endpoint is called and the register is either invalid or unavailable.

[ AUT-8535 ] The rate limit configuration for the events module now correctly interprets 0 as no limit value. Before, such configuration was causing errors while rate limiting

[ AUT-8569 ] client_id is now required for Delete Arrangement API Previously, error 500 was returned if no client_id was provided instead of the correct 400 Invalid Request.

[ AUT-8601 ] Modified the error response for Open Banking Brazil payment consent middleware to return a more helpful message in the case of invalid server or client organisation id configuration. This change applies to v1 and v2 payment consent creation endpoints.

Error logging was also improved to include stack traces for this middleware.

[ AUT-8635 ] Added description for LookbackPeriod and DurationPeriod parameters for FDX Dynamic Client Registration endpoint. In both cases, the minimum value is 1 and the default value is 365. The default value is applied when a value is either not provided or 0 is provided.

Database Version
CockroachDB 22.2.3
Redis 6.2.8
TimescaleDB 2.8.0 (with Postgres 14.5)
Updated: Apr 27, 2023