
Release Notes: Cloudentity Product 2.16.0

This article is a summary of new features and changes in Cloudentity Product version 2.16.0.

July 31, 2023

Breaking changes

[ AUT-9304 ] Identity Pools Claim Source Type. We have introduced a new claim source type for Identity Pools, enabling enhanced control over user attributes in access tokens. This claim source exposes the identity pool user object for users who were provisioned using Just-In-Time (JIT) or authenticated through an Identity Provider (IDP) with a connected identity pool. The following claim configuration can be used to inject the “crm_id” attribute into the access token, making it part of the user payload in the identity pool.

This configuration ensures that the “crm_id” attribute is included in the user payload of the access token, providing access to pertinent CRM-related information.

[ AUT-9434 ] Ability to Request Code for User Authentication, Challenge, and Password Reset without Address. We have improved the response messages for some validation errors, providing more detailed information instead of generic errors. The new descriptive error messages offer better insight into request issues, enhancing the user experience.

[ AUT-9438 ] Admin Portal, B2B, User, and Developer Portals Updates

The Admin Portal now consistently uses Cloudentity branding, ensuring tenant/workspace branding settings no longer affect the Admin Portal. For B2B, User, and Developer portals, branding settings are applied at the Tenant level, providing a unified and consistent branding experience.

Major additions and changes

[ AUT-9173 ] Configuration Migration API Improvements

The Configuration Migration API now provides better-described errors when the payload is incorrect. The enhanced error messages offer clarity and insights during the migration process.

[ AUT-8988 ] Enabled the Custom Messages feature flag. Please refer to https://cloudentity.com/developers/howtos/branding/advanced-messages-customization/

[ AUT-9335 ] Removed token_exchange, token_exchange_delegation and token_exchange_issue_id_token feature flags.

[ AUT-8921 ] Removed the webauthn tenant-level feature flag, along with all code segments that were only reachable when the flag was disabled.

[ AUT-8922 ] Removed the tenant-level feature flag user_self_registration_improved and all unreachable code.

[ AUT-9666 ] Vulnerability fixes

[ AUT-9504 ] JIT Functionality Now Generally Available

Just-In-Time (JIT) provisioning is now generally available, allowing seamless user provisioning.

Minor enhancements

[ AUT-9077 ] The configuration promotion APIs now present identity pools that are assigned to workspaces.

[ AUT-9120 ] When logging in using the Passkey (WebAuthn) authentication mechanism, a popup dialog gives WebAuthn credential options (device, QR scan, etc). Previously, when clicking “Cancel” on this screen, an error page would be displayed.

This change allows the user to safely click the “Cancel” button in the WebAuthn dialog to return to the previous screen, for both Login and Reset Passkey flows. This allows modification of the user’s identifier, selection of a different authn mechanism, or re-sending the OTP code in the case of credential reset.

[ AUT-9139 ] Extended the POST /servers/{wid}/open-banking-brasil/consents/{consentID}/consume endpoint with webhook notification functionality in accordance with https://mailchi.mp/cf02db5537d8/open-banking-informa-9341652?e=2eb7798bd9. The openbankingRejectExpiredConsents and openbankingRejectOrphanedConsents cron jobs will now send webhook notifications for Open Finance Brazil consents.

[ AUT-9163 ] Added 3 audit events for JIT provisioning:

  • jit_created - a new user has been provisioned
  • jit_updated - the user was already provisioned and logged in again (depending on the configuration some attributes/identifiers/addresses might be updated)
  • jit_failed - provisioning failed (for troubleshooting purposes: error, user_mapping, user_to_provision fields are available)
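As an added example (not Cloudentity's code or documentation), a small triage script over constructed JIT audit events. The event names and the error, user_mapping and user_to_provision fields come from the notes above; the JSON-lines format and the tenant_id, pool_id, idp_id and user_id fields are assumptions.

```python
import json
from collections import Counter

# Constructed sample audit lines (JSON per line). Only the event names and the
# error/user_mapping/user_to_provision fields are from the release notes.
SAMPLE_AUDIT_LOG = """\
{"event": "jit_created", "tenant_id": "acme", "pool_id": "employees", "idp_id": "okta", "user_id": "u-1001"}
{"event": "jit_updated", "tenant_id": "acme", "pool_id": "employees", "idp_id": "okta", "user_id": "u-1002"}
{"event": "jit_failed", "tenant_id": "acme", "pool_id": "employees", "idp_id": "okta", "error": "identifier already exists", "user_mapping": {"email": "authn_ctx.email"}, "user_to_provision": {"identifiers": ["alice@example.com"]}}
{"event": "jit_failed", "tenant_id": "acme", "pool_id": "employees", "idp_id": "okta", "error": "identifier already exists", "user_mapping": {"email": "authn_ctx.email"}, "user_to_provision": {"identifiers": ["bob@example.com"]}}
{"event": "login_success", "tenant_id": "acme", "user_id": "u-1001"}
"""

JIT_EVENTS = {"jit_created", "jit_updated", "jit_failed"}

def parse_jit_events(log_text):
    """Return only the JIT audit events, skipping blank or non-JSON lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event") in JIT_EVENTS:
            events.append(record)
    return events

def summarize_jit(events):
    """Count events by type and collect the troubleshooting fields of each failure."""
    counts = Counter(e["event"] for e in events)
    failures = [
        {"idp_id": e.get("idp_id"), "error": e.get("error"),
         "user_mapping": e.get("user_mapping"), "user_to_provision": e.get("user_to_provision")}
        for e in events if e["event"] == "jit_failed"
    ]
    return counts, failures

def failure_alerts(events, threshold=2):
    """Flag IDPs whose jit_failed count reaches the threshold: a burst of failures per IDP
    usually points at a broken attribute mapping rather than one bad user."""
    per_idp = Counter(e.get("idp_id") for e in events if e["event"] == "jit_failed")
    return {idp: n for idp, n in per_idp.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_jit_events(SAMPLE_AUDIT_LOG)
    print(summarize_jit(evs), failure_alerts(evs))
```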

[ AUT-9229 ] New Attribute Mapping tab in workspace settings

[ AUT-9247 ] Added OtpLength in the data passed to the /mfa endpoint.

This will enable updates to the frontend UX to match OTP screens used in identity pools.

[ AUT-9352 ] Fixed incorrect password history enforcement.

[ AUT-9356 ] In the import/export (tree dump) API, static IDPs are not exported.

[ AUT-9360 ] Display a proper message on the login page if the password has expired.

The message is displayed if:

  1. The provided password was correct but the expiration date is in the past.

  2. The expiration date is in the past and no password is set (this is especially needed for user migration without passwords).

[ AUT-9380 ] Added Import APIs for tenant and workspace promotion. They complement the export APIs and always override existing values. They were introduced because the PATCH API cannot be used to import a whole configuration: PATCH treats empty structs not as a remove operation but as a no-op.

Root-level APIs export the tenant given in the parameter and all of its workspaces. Security: access token from the System tenant and System workspace.

POST /api/hub/promote/config
POST /api/hub/{tid}/promote/config
POST /api/hub/{tid}/workspaces/{wid}/promote/config

The output of the GET request for the corresponding path should be used as the payload.
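An added example, not Cloudentity's own tooling, of the export-then-import flow with these endpoints. It assumes that a GET on the same path returns the exportable configuration as JSON, and that each environment is called with its own System tenant/workspace bearer token.

```python
import json
import urllib.request

def promote_path(tid=None, wid=None):
    """Promotion config path at root, tenant or workspace level (paths from the release notes)."""
    if tid is None and wid is not None:
        raise ValueError("workspace-level promotion requires a tenant id")
    if tid is None:
        return "/api/hub/promote/config"
    if wid is None:
        return f"/api/hub/{tid}/promote/config"
    return f"/api/hub/{tid}/workspaces/{wid}/promote/config"

def _request(base_url, token, method, path, body=None):
    """Send one JSON request with a bearer token; returns (status, decoded body or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"null")

def promote(source_url, target_url, source_token, target_token,
            tid=None, wid=None, transport=_request):
    """Export from the source via GET (assumed), then import into the target via POST on the
    same path. Because the import overrides existing values, the export is the full desired state.
    `transport` is injectable so the flow can be exercised without network access."""
    path = promote_path(tid, wid)
    status, config = transport(source_url, source_token, "GET", path)
    if status != 200 or config is None:
        raise RuntimeError(f"export failed: HTTP {status}")
    status, result = transport(target_url, target_token, "POST", path, body=config)
    if status >= 300:
        raise RuntimeError(f"import failed: HTTP {status}")
    return config, result
```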

[ AUT-9419 ] Fix for ID token custom claims propagated by the pre-minting token script.

[ AUT-9422 ] Updated swaggers and models in accordance with the newest release candidate for the Open Finance Brasil consents API.

[ AUT-9460 ] Add simple client configuration examples

[ AUT-9467 ] New Identity Pool System endpoint for getting user by identifier or verified address

[ AUT-9473 ] Fixed a bug where, if the registration_endpoint from mtls_aliases was used to call the DCR endpoint, the response contained a registration_client_uri pointing to the regular registration_endpoint instead of the mtls_aliases one.

[ AUT-9478 ] Added an address verification mode to the JIT configuration. It defines how an address is marked in the user's identity pool. An admin can use the static unverified or verified modes to always mark addresses as unverified or verified for all users. The oidc_discovery mode determines whether the email/phone is verified from the OIDC email_verified and phone_number_verified claims that are mapped from the OIDC IDP into the authentication context. If those claims are not available, the address is marked as unverified.

[ AUT-9496 ] Swagger API description update. No functional changes

[ AUT-9548 ] Added mode: dynamic | static to the IDP mapping configuration. The “dynamic” mode is the default and maps IDP attributes to the authentication context (current behaviour). The new “static” mode can be used to map static values.
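An added illustration (not the product's implementation) of how the dynamic/static IDP mapping modes and the JIT address verification modes from AUT-9478 combine when building a pool user. The mode names and the OIDC claims are from the notes; the mapping entry fields (mode, source, target, value) and the sample authentication context are assumptions.

```python
# Constructed authentication context from an OIDC IDP (sample data, not from the page);
# email_verified / phone_number_verified are the OIDC claims the release notes name.
AUTHN_CTX = {
    "sub": "okta|12345",
    "email": "alice@example.com",
    "email_verified": True,
    "phone_number": "+15551234567",  # no phone_number_verified claim -> fallback case
}

# Assumed shape of an IDP mapping entry: dynamic copies an authn-context attribute,
# static injects a fixed value (the modes are on the page; the field names are assumed).
IDP_MAPPING = [
    {"mode": "dynamic", "source": "email", "target": "email"},
    {"mode": "dynamic", "source": "phone_number", "target": "phone"},
    {"mode": "static", "value": "crm", "target": "origin"},
]

def apply_idp_mapping(authn_ctx, mapping):
    """Dynamic entries read from the authn context (skipped if absent); static entries always apply."""
    out = {}
    for entry in mapping:
        mode = entry.get("mode", "dynamic")  # dynamic is the default mode
        if mode == "static":
            out[entry["target"]] = entry["value"]
        elif mode == "dynamic":
            if entry["source"] in authn_ctx:
                out[entry["target"]] = authn_ctx[entry["source"]]
        else:
            raise ValueError(f"unknown mapping mode: {mode}")
    return out

# OIDC claim that vouches for each address type under oidc_discovery.
VERIFIED_CLAIM = {"email": "email_verified", "phone": "phone_number_verified"}

def address_verified(mode, address_type, authn_ctx):
    """unverified/verified: static decision for all users.
    oidc_discovery: trust the IDP's *_verified claim; if it is missing, mark unverified."""
    if mode in ("unverified", "verified"):
        return mode == "verified"
    if mode == "oidc_discovery":
        claim = VERIFIED_CLAIM.get(address_type)
        return bool(authn_ctx.get(claim, False)) if claim else False
    raise ValueError(f"unknown address verification mode: {mode}")

def provision_user(authn_ctx, mapping, verification_mode):
    """Assemble the pool user object: mapped attributes plus addresses with verification flags."""
    attrs = apply_idp_mapping(authn_ctx, mapping)
    addresses = {t: {"value": attrs[t], "verified": address_verified(verification_mode, t, authn_ctx)}
                 for t in ("email", "phone") if t in attrs}
    return {"attributes": attrs, "addresses": addresses}
```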

[ AUT-9580 ] Update FDX service scopes as defined in FDX 5.3 release. The change will be applied only for new workspaces.

[ AUT-9588 ] Before: Pools that are inside workspaces were not imported using workspace-level APIs for config migration.

Now: Pools that are inside workspaces are imported using workspace-level APIs for config migration.

[ AUT-9592 ] Support for payment initiation v3 consent endpoints from the Open Finance specification:

  • POST /open-banking/payments/v3/consents
  • GET /open-banking/payments/v3/consents/{consentID}

[ AUT-9609 ] Default to the forbidden status code in the standalone authorizer response payload.

[ AUT-9624 ] Updated mongoose to fix https://nvd.nist.gov/vuln/detail/CVE-2023-3696, reported by the security scan.

Also updated the transitive dependency semver, affected by CVE-2022-25883, to the version that was actually installed.

[ AUT-9595 ] Security improvement: a user's password cannot be the same as any of the user's identifiers or addresses.

Bug fixes

[ AUT-9157 ] This change adds more flexibility to the Allowed Logout Redirect Domains dialog:

  1. Blank rows are no longer blocked by validation. Instead, they are filtered out on save.
  2. If there is only one row, the trash button isn’t disabled. Instead, it clears the row.

[ AUT-9160 ] Allow creating an identity pool from the workspace pool view when there is only one pool.

[ AUT-9194 ] Improved the create identity provider view.

[ AUT-9376 ] Fixed ability to preview changes when editing custom theme

[ AUT-9382 ] Added validation for the server level industry field. Now, only the values banking or insurance will be accepted.

[ AUT-9429 ] Drop the requirement for the IDP discovery domain to be unique.

[ AUT-9441 ] Small UX improvements

[ AUT-9517 ] All extension scripts are now deleted on workspace deletion.

[ AUT-9545 ] Fix Application Topology scrolling when there are many items in a column.

Database Version

  • CockroachDB 22.2.8
  • Redis 6.2.12
  • TimescaleDB 2.10.3 (with Postgres 14.5)

Updated: Oct 19, 2023