September 28, 2023
Highlights
More Control Over Password Security - New Flows Possible
We have introduced Mandatory Password Reset and Change Flags to the Identity Pools APIs, enhancing the security and manageability of user credentials. Admins can now set a password expiration period within the Identity Pool configuration using APIs, thereby enforcing a routine password update, which is a crucial step toward maintaining system security.
Additionally, we have incorporated a feature to enforce a minimum number of lowercase characters in a password policy. This new functionality allows for the enforcement of more robust password policies, ensuring a higher level of security through preventing the use of overly simplistic or easily guessable passwords. Together, these updates significantly bolster the security posture by allowing more granular control over password policies and user credential management.
Breaking Changes
[ AUT-9904 ] Fixed the /users API not working correctly. The fix required a DB schema change and migration of data related to user's identifiers and addresses. The larger the volume of identifiers and addresses, the longer the migration script spends on that data migration.
If data migration is a deployment step that executes before the application is updated, there is a state in which the new DB schema is used by the old version of the application, which is not compatible with the new DB schema.
As a consequence, users with unverified addresses might have issues with the login flow or with operations related to unverified addresses (e.g. the 'verify address' action). The issue does not occur if the DB schema migration is a step of the application deployment and the data migration is its last step.
[ AUT-9819 ] Change admin / developer create application APIs to not assign hybrid response modes by default when the client is created using the single page, server_web, mobile/desktop application purpose.
[ AUT-9825 ] Performance improvements of the workspace-level promotion APIs.
As a side effect, PATCH APIs can no longer create new workspaces, which is in line with the PATCH definition.
Alpha API
Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.
Major additions and changes
[ AUT-9527 ] Added missing swagger definitions for the GET /open-banking-brasil/payment/v3/{login} endpoint.
Minor enhancements
[ AUT-8950 ] Added support for OIDC ?prompt=select_account functionality.
If a user with an active Cloudentity SSO session (previously logged in) is directed to login with prompt=select_account, the user is taken to a selection screen. They can choose to log in using their original account, given a hint about their username; or they can choose to return to the sign-in page to enter a different account's credentials.
[ AUT-9715 ] Ability to see and edit Select-Account page from theme editor view.
[ AUT-9782 ] Added new tenant-level analytics APIs to get metrics that were previously available only for workspaces.
The new APIs are clones of the existing ones; the only difference is that results for the whole tenant are returned.
The APIs are protected with the tenant_read_analytics permission.
[ AUT-9842 ] Add ability to mark password as must be reset and must be changed.
[ AUT-9846 ] It is now possible to set password expiration period in Identity Pool configuration.
[ AUT-9855 ] Added support for acr and amr claims in the pre-token minting extension, like:
    module.exports = async function(ctx) {
      // amr and acr returned here are propagated to the returned tokens
      return {
        "amr": ["secret-melody"],
        "acr": "so.secret.1000",
        "access_token": {
          "server_claim": "value1"
        }
      };
    }
Propagate amr and acr claims returned from the pre-token minting extension to returned tokens.
Sample extension:
    module.exports = async function(ctx) {
      return {"amr": ["secret-melody"], "acr": "so.secret.1000", "access_token": {"server_claim": "value1"}};
    }
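As an added example (not part of the original release notes and not Cloudentity code): a resource server that relies on the propagated acr and amr claims should verify the token signature before enforcing them. The function names, the policy object and the assumption that the token is an RS256-signed JWT are hypothetical; expiry, issuer and audience checks are left out to keep the focus on acr and amr.

```javascript
const crypto = require("crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");

// Constructed key pair standing in for the authorization server's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Build a constructed RS256 token so the check below can run offline.
function signSampleToken(claims) {
  const input = `${b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign("sha256", Buffer.from(input), privateKey))}`;
}

// Hypothetical resource-server check: verify the signature first, then
// require the acr/amr values the extension is expected to have set.
function checkAuthContext(token, key, policy) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm instead of trusting whatever the header asks for.
  if (header.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(sig, "base64url"))) {
    return { ok: false, reason: "bad signature" };
  }
  if (!policy.acceptedAcr.includes(claims.acr)) return { ok: false, reason: "acr not accepted" };
  // amr must be an array; a missing or string-valued claim fails closed.
  const amr = Array.isArray(claims.amr) ? claims.amr : [];
  const missing = policy.requiredAmr.filter((m) => !amr.includes(m));
  if (missing.length > 0) return { ok: false, reason: `amr missing ${missing.join(",")}` };
  return { ok: true, reason: "ok" };
}

// Policy built from the sample values on this page.
const policy = { acceptedAcr: ["so.secret.1000"], requiredAmr: ["secret-melody"] };
```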
[ AUT-9864 ] Added 4 new root/system level APIs for fetching statistics for a tenant of choice:
- GET /{tenantID}/access-tokens
- GET /{tenantID}/access-tokens/{group}
- GET /{tenantID}/http-requests
- GET /{tenantID}/http-requests/{group}
[ AUT-9869 ] Added new workspace profile – Generic Open Banking along with a demo option (try out button when creating a workspace).
When launching the demo, a new Go Bank Demo workspace is created based on FAPI 2.0 security profile.
After following the quickstart guide, a new workspace Hyperscale Bank is provisioned.
Both workspaces showcase how Generic Open Banking can be built with the Cloudentity authorization server and external consent storage.
[ AUT-9878 ] Add audit event for system revoke tokens API.
[ AUT-9882 ] Implemented backwards compatibility adjustments from the Brazil Open Finance specification for the payment consent APIs.
- GET /open-banking/payments/v2/consents/{consentID} does not allow retrieval of a consent created with the v3 endpoint. In this case an error code of USO_NAO_COMPATIVEL_VERSAO is returned with HTTP status 400.
- GET /open-banking/payments/v3/consents/{consentID} allows consents created with the v2 endpoint to be queried.
[ AUT-9883 ] Ability to not renew the SSO session as part of the user info and introspect endpoints using the SSO-Session-Extend:false header.
[ AUT-9886 ] Set created_at, updated_at automatically to current date for Identity Schema if not provided explicitly.
[ AUT-9970 ] Ability to enforce min number of lowercase characters in password policy.
Bug Fixes
[ AUT-9785 ] Preserve idp and idpm claims in the id token after token exchange.
[ AUT-9786 ] Make identity_pool object available as input to pre-token minting script for token exchange flow
[ AUT-9791 ] Identity Pools on workspace level (organizations) are properly translated and cloned when a workspace is cloned. This fixes all promote workspace/tenant APIs.
[ AUT-9811 ] Add response_types to developer get server API
[ AUT-9858 ] Remove token exchange client on gateway/authorizer removal (if token exchange has been enabled previously)
[ AUT-9900 ] Fix a bug for token exchange flow where, if may act is used, it was incorrectly returned under the act claim in the introspection response. Now it's returned under may_act.
[ AUT-9908 ] Added audit events for service creation, modification, and deletion.
[ AUT-9960 ] Fix a bug where scripts could not be executed on fission if the workspace id contains an underscore.