October 31, 2023
Highlights
Deploying Cloudentity with Ease
We adjusted the way you can deploy the Cloudentity platform on Kubernetes (K8s) using Helm’s Charts. For streamlined infrastructure management, we’ve adopted the GitOps approach, centralizing configurations in a Git repository.
Try it now
Clone the repo, choose your deployment mode, deploy Cloudentity! See reference configurations for Cloudentity and infrastructure live and working.
You can easily deploy Cloudentity and its infrastructure with our three deployment modes, tailored for your convenience:
- Dev: Quick setup for testing Cloudentity
- Base: Deploys Cloudentity and dependencies in a High Availability configuration.
- Full: Extends the base mode by adding observability features, including traces, logs, and metrics.
Learn more by reading our brand new articles:
Explore New Navigation
Activate the admin_portal_face_lifting feature flag for your deployment to explore the upcoming
release of a rejuvenated Cloudentity platform navigation. We’ve reimagined the
navigation to be simpler and more intuitive ensuring a user-friendly experience that
enhances your interaction with the platform. This is a fantastic opportunity to familiarize yourself
with the improved interface and the seamless navigation experience awaiting you in the forthcoming
release.
Take a moment to enable this feature flag and discover the refined, user-centric navigation that will soon be an integral part of the Cloudentity platform. Your early exploration is a step towards seamlessly transitioning to the updated platform once it rolls out.
Alternatively, create a free Cloudentity SaaS tenant – all new tenants have the new navigation enabled.
Prepare for Organizations
Activate the organizations feature flag if you haven’t done so already, and acquaint yourself with
the latest enhancements integrated into Cloudentity. Delve into the B2B Delegated
Administration Portal to manage organizations effortlessly. Now, you can extend organization
management capabilities to your business customers and partners, empowering them to handle
organization accounts, add user populations, manage users, and much more with ease.
We’ve tailored these updates to foster a more collaborative and delegated administration environment, ensuring smooth operations and enriched interactions among your business network. The upcoming global release of this feature underscores its pivotal role in fortifying B2B interactions and administrative delegation within Cloudentity.
Prepare to leverage these robust functionalities by enabling the organizations feature flag now.
With a global rollout slated for the next release, now is the opportune time to familiarize yourself
with these new features, ensuring a seamless transition and readiness to harness the full potential
of the enhanced B2B Delegated Administration capabilities. Your proactive engagement with these
updates will position you well for the enriched administrative experience that awaits.
Feature Flags Cleanup
We reviewed and cleaned up all feature flags used in Cloudentity configuration. For the
most up to date reference on all feature flags available, see the Configuration Reference
(features configuration).
We removed the following flags:
-
cdr_follower_reads -
planet_scale_authorization -
ciba -
integration_endpoints -
extended_audit_events_retention -
open_admin_apis -
tree_dump -
quick_access -
pyron_on_prem -
script_transformer -
login_with_select_account
The removal of the aforementioned feature flags does not impact any Cloudentity deployments. Most of these flags were either unused or their features have been made accessible for use.
Breaking Changes
[ AUT-9991 ] If token exchange is enabled for Kong Authorizer return exchanged tokens based on token exchange configuration in the response body of authorize endpoint.
token_exchange:
enabled: true
inject:
mode: "InjectExchangedToken" # one of: InjectOriginalToken | InjectExchangedToken | InjectBothTokens
headers:
original_token: "Authorization"
exchanged_token: "CE-Authorization"
strip_bearer: false
With such configuration, the Cloudentity Kong Plugin can pass the returned headers to the upstream service.
As part of this change, we removed the feature_response_info_from_policy_execution feature flag.
If a REGO policy has a headers variable defined, the headers are returned by the authorizer and passed
to the upstream service.
Minor Enhancements
[ AUT-9872 ] Decreased Cloudentity authorizers chattiness during heavy loads.
[ AUT-9894 ] Added the RP-Initiated Logout endpoint, according to the OIDC spec. This endpoint logs out a user’s SSO session, validating the ID token, client ID, and other request parameters as provided.
The URL can be found in the end_session_endpoint response parameter of the OIDC Discovery API.
Its value is {issuerURL}/oidc/logout. The endpoint supports both GET and POST HTTP
methods.
Post-logout redirection is supported through the workspace’s SSO settings.
[ AUT-10002 ] Added the Generic Open Banking Try Demo button on the workspace creation screen.
[ AUT-10037 ] Added missing introspection_endpoint_auth_signing_alg_values_supported and
revocation_endpoint_auth_signing_alg_values_supported to the well known page.
[ AUT-10067 ] Added endpoints for compliance with the Open Finance Brazil’s new Consent Renewal specification.
GET /open-banking/consents/v2/consents/{consentID}/extendsPOST /open-banking/consents/v2/consents/{consentID}/extends
[ AUT-10140 ] Set clients' token_authn_method fallback based on the allowed server methods.
Before, token_authn_method was always set to “client_secret_basic” regardless of the server configuration.
Now, if “client_secret_basic” is not enabled, the token_authn_method is set to the first allowed token_authn_method from the server configuration.
[ AUT-10147 ] Adding convenient link to the Demo App to try out RP-Initiated Logout. It’s available in a new dropdown on the Logout button.
This link automatically includes the ID token in the id_token_hint parameter of the /oidc/logout endpoint, if it exists.
[ AUT-10219 ] Add a new mechanism for rejecting OBBR orphaned and authorized consent (if expired). This feature requires server-level flag enabled:
server:
obbr_reject_consent_using_scheduled_job: true
When enabled, it replaces the old mechanism for consent rejection based on cron jobs with scheduled tasks.
To run scheduled task more frequently adjust the queue polling_interval:
queue:
polling_interval: 1s
[ AUT-10235 ] Implemented DCR adjustments to be compliant with the latest changes to the Open Finance Brazil specification:
recurringPaymentsscope added to Open Finance Brazil workspaces.credit-fixed-incomes,exchanges,bank-fixed-incomes,variable-incomes,treasure-titles, andfundsadded for the regulatoryDADOSrolerecurringPaymentsadded for the regulatoryPAGTOrole
[ AUT-10237 ] Allow to register client with id in url format, example: https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a
[ AUT-10251 ] Changed the FAPI 2.0 security and ConnectID workspace configurations to not block the code response type with query response mode.
[ AUT-10257 ] Added Support for silent authentication with SAML
[ AUT-10281 ] Added an API that verifies if an SSO session is valid.
Example usage:
curl https://{tenant-id}.{region-id}.authz.cloudentity.io/{tenant-id}/{workspace-id}/sso/verify -H "Cookie: acp|sso|{tenant-id}|{workspace-id}=e9c8f1946e8440f9b581e8f8c6800cdc"
Responses:
-
200 with empty body if valid
-
401 with error body if invalid:
{"status_code":401,"error":"no SSO session found","details":null}
[ AUT-10310 ] Added policy validation results to prometheus metrics and opentelemetry traces in Cloudentity authorizers.
[ AUT-10332 ] Add ES256 as Demonstrating Proof of Possession (DPoP) supported signing algorithm.
Bug Fixes
[ AUT-9929 ] Added audit events for authorization server creation, modification, and deletion.