November 30, 2023
Highlights
Exchange Tokens in Kong Authorizer
Cloudentity Kong Authorizer is now fully capable of returning exchanged access tokens based on the authorizer’s token exchange configuration. The authorizer can inject the original token, the exchanged token, or both (the second token goes into an additional, configurable response header).
Additionally, we updated instructions on how to integrate Cloudentity with Kong Gateway.
Conceptual documentation:
How-tos:
- Kong GW and Authorizer on K8s with Helm, including information on Token Exchange in Kong Authorizer
Breaking Changes
[ AUT-10526 ] Removed the Cancel button from the login templates. Make sure this does not affect your login page appearance.
[ AUT-10542 ] Tenant branding is no longer used for the Admin workspace.
[ AUT-10573 ] Previously, even if verification codes were the only (or preferred) sign-in method, the user was forced to set a password upon account activation. Now the user skips this step.
Major Additions And Changes
[ AUT-9993 ] Added Organizations Hierarchy View to enable previewing the relations between organizations.
[ AUT-10449 ] Improved error messages for SQL errors, mainly so that the configuration import APIs are more descriptive when an import fails.
[ AUT-10630 ] Just-In-Time User Provisioning is enabled by default for any external provider if there is a single identity pool configured for the workspace.
Minor Enhancements
[ AUT-9814 ] Added three quickstart routes: Identity for SaaS apps, Open Finance enablement, and Authorization for Apps, APIs, and Data. The quickstarts are available after setting up a new tenant and let you get value from Cloudentity quickly.
[ AUT-9827 ] Add search for organizations in IDP creation view.
[ AUT-9985 ] SAML metadata imported from a URL is now read from a cache that is refreshed automatically, so the referenced metadata stays up to date without user intervention. The cache is invalidated if certificate validation fails, because that usually means the upstream certificate has changed and it is better to clear the cache immediately than to wait for it to expire.
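The refresh-on-failure pattern behind AUT-9985, as an added illustration (not Cloudentity's code): metadata is served from a TTL cache, and a signature check that fails against the cached IdP certificate drops the entry and re-fetches exactly once before the assertion is finally rejected. The in-memory "remote" metadata, the `MetadataCache` class, and the certificate comparison standing in for a real XML-DSig check are all constructed for this example.

```python
import time
from typing import Callable, Dict, Tuple

# Constructed stand-in for the IdP's metadata endpoint (not a real URL or cert).
REMOTE_METADATA: Dict[str, Dict[str, str]] = {
    "https://idp.example.com/saml/metadata": {
        "entity_id": "https://idp.example.com",
        "signing_cert": "CERT-A",
    }
}


def fetch_metadata(url: str) -> Dict[str, str]:
    """Stand-in for an HTTPS GET of the metadata document."""
    return dict(REMOTE_METADATA[url])


def rotate_idp_cert(url: str, new_cert: str) -> None:
    """Simulate the IdP rotating its signing certificate (test helper)."""
    REMOTE_METADATA[url]["signing_cert"] = new_cert


class MetadataCache:
    """TTL cache for SAML metadata keyed by URL, with explicit invalidation."""

    def __init__(self, fetch: Callable[[str], Dict[str, str]], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[Dict[str, str], float]] = {}
        self.fetch_count = 0  # exposed so callers can see how often the IdP was hit

    def get(self, url: str) -> Dict[str, str]:
        entry = self._entries.get(url)
        if entry is not None and entry[1] > self._clock():
            return entry[0]
        metadata = self._fetch(url)
        self.fetch_count += 1
        self._entries[url] = (metadata, self._clock() + self._ttl)
        return metadata

    def invalidate(self, url: str) -> None:
        self._entries.pop(url, None)


def verify_assertion(cache: MetadataCache, metadata_url: str, assertion: Dict[str, str]) -> bool:
    """Validate an assertion's signing certificate against cached IdP metadata.

    On mismatch the cached document is discarded and fetched again once; a second
    mismatch is a genuine failure. Bounding the retry to one refetch per
    verification keeps forged assertions from turning the metadata endpoint into
    a denial-of-service target (a production version should also rate-limit).
    """
    metadata = cache.get(metadata_url)
    # Constructed check: a real implementation verifies the XML signature
    # against the certificate in the metadata instead of comparing strings.
    if assertion["signing_cert"] == metadata["signing_cert"]:
        return True
    cache.invalidate(metadata_url)
    metadata = cache.get(metadata_url)
    return assertion["signing_cert"] == metadata["signing_cert"]
```

The cache keeps serving the old document after a key rotation until the next TTL expiry; without the invalidation step every assertion signed with the new certificate would be rejected for that whole window.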
[ AUT-9991 ] If token exchange is enabled for the Kong authorizer, exchanged tokens are returned in the response body of the authorize endpoint according to the token exchange configuration:
token_exchange:
  enabled: true
  inject:
    mode: "InjectExchangedToken" # one of: InjectOriginalToken | InjectExchangedToken | InjectBothTokens
    headers:
      original_token: "Authorization"
      exchanged_token: "CE-Authorization"
    strip_bearer: false
[ AUT-10160 ] Requested claims are now rendered on the consent page, not only the scopes as before. The new behavior is hidden behind the identity_assurance feature flag.
[ AUT-10168 ] Open Finance Brazil workspaces now issue refresh tokens with expirations that match the bound consent. Additionally, refresh tokens do not expire for consents that have been extended indefinitely.
[ AUT-10172 ] Added a new field to client applications: post_logout_redirect_uris. This is configurable in the Admin Portal wherever Redirect URIs are configurable.
This field is only used for the OIDC Logout endpoint. If the corresponding client application has at least one value in post_logout_redirect_uris, it takes priority for post-logout redirect enforcement (over SSO logout URLs).
- If a post_logout_redirect_uri request parameter is supplied to the OIDC Logout endpoint, and the client has at least one entry in post_logout_redirect_uris, then the requested URI is validated for an exact match against one of the client’s post_logout_redirect_uris.
- If no post_logout_redirect_uri request parameter is supplied, but the client still has at least one entry in post_logout_redirect_uris, then the first one in the list is used for the redirect.
- If there are no post_logout_redirect_uris set for the client, then the SSO logout URLs are used as a fallback as before.
[ AUT-10239 ] Added an organizations management view.
[ AUT-10256 ] Added MVP for Open Finance Brazil payment consents version 4.
[ AUT-10266 ] 400 Bad Request with the message The requested claim is invalid, unknown, or malformed is returned when a claim that is not configured in the server is requested. The change is behind the identity_assurance feature flag.
[ AUT-10286 ] Added support for the purpose parameter in the /authorize and /par endpoints. purpose is a text description that provides context to the Resource Owner about the authorization request. The consent page is extended to show it.
[ AUT-10328 ] Added a new advanced flag to workspaces. If enabled, the post-logout redirection rules of OIDC RP-Initiated Logout are followed strictly:
- If no post_logout_redirect_uri was provided in the request, a simple “You have logged out” page is displayed. Cloudentity’s default redirect back to ${issuerURL}/app is ignored, and the SSO post-logout redirect configs are also ignored.
- If a post_logout_redirect_uri was provided in the request, it is only validated against the Client’s post_logout_redirect_uris config; Cloudentity’s normal allowance for SSO post-logout redirect URLs is ignored.
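The redirect resolution described in AUT-10172 and AUT-10328, written out as an added example (not Cloudentity's implementation): the client's post_logout_redirect_uris win over SSO logout URLs, matching is exact-string only, and the strict workspace flag switches to the "logged out" page and client-list-only validation. The names (`Workspace`, `ClientConfig`, `resolve_post_logout_target`) and sample URLs are assumptions made for the example; so is the choice, in non-strict mode with no client list and no request parameter, to fall back to ${issuerURL}/app, which the release note lists as the default but does not order against SSO logout URLs.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientConfig:
    client_id: str
    post_logout_redirect_uris: List[str] = field(default_factory=list)


@dataclass
class Workspace:
    issuer_url: str
    sso_logout_urls: List[str] = field(default_factory=list)
    strict_rp_initiated_logout: bool = False  # the advanced flag from AUT-10328


# Sentinel meaning "render the 'You have logged out' page, do not redirect".
LOGGED_OUT_PAGE = "<render: You have logged out>"


class InvalidPostLogoutRedirect(ValueError):
    """The requested URI is not registered; the logout endpoint must not redirect to it."""


def resolve_post_logout_target(ws: Workspace, client: ClientConfig, requested: Optional[str]) -> str:
    """Return the URL the browser is sent to after RP-initiated logout.

    Comparisons are exact string equality on purpose: prefix, host-only or
    normalised matching would turn the logout endpoint into an open redirector
    (e.g. a registered URI plus a crafted query string or path suffix).
    """
    if ws.strict_rp_initiated_logout:
        # Strict mode (assumption): no parameter means the logged-out page even
        # if the client has a list; a parameter is checked only against that list.
        if requested is None:
            return LOGGED_OUT_PAGE
        if requested in client.post_logout_redirect_uris:
            return requested
        raise InvalidPostLogoutRedirect(requested)

    allowed = client.post_logout_redirect_uris
    if allowed:
        # Client list takes priority over SSO logout URLs.
        if requested is None:
            return allowed[0]
        if requested in allowed:
            return requested
        raise InvalidPostLogoutRedirect(requested)

    # No client list: legacy behaviour, SSO logout URLs as the allow-list.
    if requested is None:
        return f"{ws.issuer_url}/app"  # assumed default when nothing else applies
    if requested in ws.sso_logout_urls:
        return requested
    raise InvalidPostLogoutRedirect(requested)


def is_allowed(ws: Workspace, client: ClientConfig, requested: Optional[str]) -> bool:
    """Convenience wrapper: True if logout would redirect (or render), False if rejected."""
    try:
        resolve_post_logout_target(ws, client, requested)
        return True
    except InvalidPostLogoutRedirect:
        return False


# Constructed sample configuration for a demo run.
DEMO_CLIENT = ClientConfig(
    "demo-app",
    ["https://app.example.com/logged-out", "https://app.example.com/bye"],
)
LEGACY_CLIENT = ClientConfig("legacy-app")  # no post_logout_redirect_uris configured
DEMO_WS = Workspace("https://tenant.example.com/ws",
                    sso_logout_urls=["https://portal.example.com/signout"])
STRICT_WS = Workspace("https://tenant.example.com/ws",
                      sso_logout_urls=["https://portal.example.com/signout"],
                      strict_rp_initiated_logout=True)
```

Note that a registered URI with an extra query parameter (`...?next=https://evil.example`) is rejected by the exact match, and that once a client has its own list, the workspace's SSO logout URLs no longer count for that client.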
[ AUT-10329 ] Fix rego-env CVE-2023-39323 vulnerability.
[ AUT-10358 ] Added the oauth2c redirect_uri http://localhost:9876/callback to the demo app.
[ AUT-10399 ] Fixes for the latest breaking changes in Open Finance Brazil conformance tests.
Changes for POST /open-banking/consents/v2/consents/{consentID}/extends:
- when one of the required headers x-fapi-interaction-id, x-fapi-customer-ip-address, or x-customer-user-agent is missing, return status code 400 instead of 401
[ AUT-10401 ] Allow authentication using a Verification Code with an unverified address (previously only a verified address was accepted).
[ AUT-10418 ] Any proof of possession of an unverified address in Identity Pools (such as authentication using a Verification Code, verification of an OTP challenge, or a successful password reset) marks that address as verified, unless someone else has already verified the address.
[ AUT-10462 ] Change indent in the script editor to 2 spaces.
Bug Fixes
[ AUT-10349 ] Before: Clone workspace API creates client for userinfo with random ID.
Now: Clone workspace API creates client for userinfo with ID that is identical to new workspace ID.
[ AUT-10402 ] It is now possible to authenticate using a Verification Code with uid as the identifier.
[ AUT-10422 ] Added a Retry link when a credential reset on WebAuthn fails with “no credentials in session”.
[ AUT-10438 ] Parent ID is no longer missing for cloned workspaces.
[ AUT-10519 ] This change fixes a bug where deleting any IDP in Cloudentity — even a non-Okta one — deleted client applications from the synced Okta workspace.
Now, only deleting an Okta IDP in Cloudentity modifies the synced Okta workspace, and only the Okta client applications associated with that IDP are deleted.
[ AUT-10521 ] Before: It was impossible to delete entities (e.g. Clients) using the patch APIs (RFC 6902 and RFC 7396). The request returned success but no removal was performed.
Now: It is possible to delete entities (e.g. Clients) using the patch APIs (RFC 6902 and RFC 7396). The request returns success and the removal is performed.
All mentioned APIs are marked as Alpha version: they may be subject to breaking changes and removal without notice.
[ AUT-10571 ] Improved the selection of credentials enforced during self-registration: confirming the address used for code verification is now one of the allowed methods.