Deployment and Operations

Release Notes: Customer Deployed Cloudentity Platform 2.6.0

This article is a summary of new features and changes in Cloudentity 2.6.0.

Aug 31, 2022

v2.6.0 Highlights

Event-based Notifications were added, allow you to build secure event communication between Cloudentity and third parties. For example, such communication could grant the ability to track and present information about the approved transactions or data access requests within an external client portal or provide an audit of transactions in an external CRM system.

Webhooks view

Token Exchange has been greatly improved by adding support to the delegation flow specified in OAuth 2.0 Token Exchange RFC8693.

Open Banking standards compliance is ensured by further implementation of FAPI Advanced/RW and Consumer Data Right (CDR) standards.

Major Additions and Changes

[ AUT-3799 ] Cloudentity introduces the Webhooks functionality, allowing you to set up event-based notifications for third parties. For more information, see the documentation.

[ AUT-5818 ] Cloudentity extends the support for Token Exchange. Delegation flow is now supported, as well as the exchange of tokens issued by Cloudentity. Please check the recent blog post and the Token Exchange documentation for more details.

[ AUT-6526 ] Open Banking: response_type=code and response_mode=query are now blocked for FAPI Advanced/RW Workspaces.

[ AUT-6814 ] Moved the CDR metadata refresh endpoint from the System workspace to the CDR workspace. It is now accessible under POST /admin/register/metadata. See API documentation for details.

[ AUT-6850 ] Added advanced configuration for the workspace, including the following options:

  • Configure disallowed response types,
  • Block code response type when JARM is not used.

From now on, query response mode, and single code response mode are not allowed for FAPI RW/Advaned workspaces. If this is a breaking change, you can easily change this in the advanced server configuration (Auth Settings > Advanced).

Minor Enhancements

[ AUT-5318 ] Improved the dialog windows in the admin UI

[ AUT-5765 ] Several improvements to icons in the admin UI

[ AUT-6190 ] Authentication Context attribute table is now searchable in the admin UI

[ AUT-6281 ] CDR compliance: added option to enable / disable ADR validation.

[ AUT-6414 ] Added optional consent ID to accept scope grant API. When building a generic open banking solution, this can be used to associate consent stored in an external system with minted tokens.

[ AUT-6642 ] Improved the refresh token performance by:

  • Storing refresh token in SQL asynchronously using batch mode
  • Removing refresh tokens from SQL asynchronously using batch mode
  • Using Redis as a cache for newly created refresh tokens
  • Using Redis as a cache for newly deleted refresh tokens
  • Making Redis with redisearch module the only supported deployment option.

[ AUT-6655 ] Enhanced Identity Pool user registration by addeding the ability to verify unverified user addresses using OTPs with the Request Address Verification and Complete Address Verification APIs.

[ AUT-6673 ] Manage themes and templates per tenant in Cloudentity Admin UI

[ AUT-6684 ] Added the ability to configure verify address OTP settings in the admin UI.

[ AUT-6746 ] Exposed a system API to delete users from Identity Pools.

[ AUT-6782 ] Added the ability to select the password hashing mechanism for Identity Pools.

[ AUT-6783 ] Bind/unbind server to theme UI

[ AUT-6886 ] Kong Authorizer now returns headers to Kong in case of a successful policy validation in order to support throttling requests.

[ AUT-6703 ] Allowed for using of a new certificate during Open Banking Brazil DCRM call. This certificate has to match the value set in the tls_client_auth_subject_dn parameter.

Bug Fixes

[ AUT-4801 ] Fixed an issue in Data Lineage - claims with no scopes are now correctly shown for all clients.

[ AUT-6134 ] Fixed error handling for the scenario when the user tries to create a workspace with a non-unique ID.

[ AUT-6680 ] Added correct workspace wizard closing logic. Before - after closing, the user always landed in the workspace directory), now:

  1. When wizard has been launched from the workspace directory -> close and go back to the workspace directory.

  2. When wizard has been launched from a workspace X:

    • If a new workspace is created -> close and go to a new workspace > dashboard
    • If the wizard is closed before creating a workspace -> go directly to workspace X

[ AUT-6693 ] Fix for Unsaved changes prompt being showed after delete e.g. Service when there are unsaved changes.

[ AUT-6798 ] When a CDR workspace is created, a client can now use DCR and request standard scopes (previously the common scopes were protected by a block policy).

[ AUT-6799 ] Fixed trust anchor JWKS URI for CDR workspace

[ AUT-6854 ] Added the possibility to configure acp-cd by adding reference/acp-configuration/

[ AUT-6865 ] Fixed an issue where sub claim in the exchanged token contained the Client ID for subject tokens issued using the JWT bearer flow. JWT bearer is a special flow not bound to any IDP, so the original sub must be preserved.

[ AUT-6875 ] Fixed a problem with Okta integration which caused duplicated Cloudentity applications to be created on Okta side.

Database Version
CockroachDB 21.2.6
Redis 6.2.7
Updated: Nov 9, 2022