Deployment and Operations

Release Notes: Customer Deployed Cloudentity Platform 2.7.0

This article is a summary of new features and changes in Cloudentity version 2.7.0


September 30, 2022


v2.7.0 Highlights

Password Policies for Identity Pool Users are implemented, and now times when qwerty1234 was thought to be a safe password are long gone! Make sure that your users fulfill all of the requirements for safe passwords with Cloudentity password policies. Such policies enable the Identity Pool administrators to specify, for example, the minimal length of a password, number of special characters, and many more.

Integration With Kusk API Gateway is introduced. Kusk API Gateway enables developers to build, validate, deploy, and monitor REST APIs based on Envoy Proxy running on your Kubernetes cluster. Do you know what else can be run in a K8s cluster? That’s right! Cloudentity authorizers! It is now possible to integrate the Kusk Gateway with Cloudentity and protect the APIs deployed behind your gateway with advanced access control measures.

Major Additions and Changes

[ AUT-7001 ] Identity pool improvements:

  • Added the Strength meter for password inputs to the identity pool web templates. It covers the set password and registration forms.

  • Added the password policy configuration interface on the new Password settings tab and password user frontend validation to the Create User form in the identity pool settings.

[ AUT-6618 ] Cloudentity introduces the option to disable refresh token cycling. The Disable refresh token cycling is available in the OAuth Advanced settings and is ON for the CDR and Open Finance Brazil (OBBR) workspaces. With this flag ON, an authorization server at the Data Holder end doesn’t cycle refresh tokens. Instead, the existing refresh token is bound to the duration of the sharing arrangement, and the API token response contains the original refresh_token value.

[ AUT-6813 ] JS dependencies are updated in all React applications (Financroo, Admin Portal, and Self Service Portal).

[ AUT-6921 ] From now on, the PAR TTL (time-to-live) logic applies only till the user login and calls the /authorize endpoint instead of the time to issue an authorization code. As a result, Cloudentity returns no Invalid Request URI errors after login or consent provision.

[ AUT-7077 ] The new unique clients function allows access to token metrics. You can use these metrics to get the number of active OAuth2 clients per workspace.

[ AUT-7092 ] CDR compliance: The Ignore unknown scopes for DCR option is available under the workspace OAuth Advances Settings and is ON by default. Applies to CDR workspaces created with Cloudentity to meet the updated CDR requirements.

[ AUT-7150 ] Enhanced CDR Arrangement JWT to include standard claims specified in Self-Signed JWT Client Authentication

[ AUT-7155 ] The new Metadata tab is available in an identity pool settings. It contains the code editor to add, edit, or preview the pool metadata.

Breaking Changes

[ AUT-6946 ] Added the enforce_id_token_encryption configuration to a server as a replacement of enable_id_token_encryption. The encryption is allowed by default and applied only when the client has encryption and consent algorithm fields set and the proper key is configured in jwks or jwks_uri. This new flag can be used to enforce encryption for all clients.

Minor Enhancements

[ AUT-6191 ] Active statuses of legal entities and software product in the CDR register are required for dynamically registered clients to obtain a token via the authorization code grant.

Also, dcr_handler returns err instead of *fosite.RCFError.

[ AUT-6562 ] The interface is updated as follows:

  • The Delete confirmation dialogs are unified: the user must retype a name to confirm the deletion.

  • The Delete buttons in configuration are moved to the dialog footer and styled as text.

  • The Rotate option in Configure gateway is moved to the Client Secret field.

Rotate client secret

[ AUT-6619 ] CDR FAPI compliance: sharing_expires_at and refresh_token_expires_at are deprecated. The Cloudentity documentation is updated.

[ AUT-6733 ] Implemented the necessary changes to Cloudentity for compliance with Open Banking Brazil consents v2 conformance tests.

[ AUT-6769 ] The default Federal Data Exchange (FDX) workspace is now FAPI-based. Important changes:

  • PAR is enforced

  • Only private_key_jwt, self_signed, or mtls token authentication methods are allowed.

[ AUT-6852 ] Updated JS dependencies.

Major updates:

Dependency Name Previous Version Current Version
React 17.0.2 18.2.0
React Redux 7.2.6 8.0.2
History 4.10.1 5.3.0
React Testing Library 13.5.0 14.4.2
Jest 27.5.1 28.1.3
react-flow-renderer 9.7.4 10.3.14

Minor updates:

Dependency Name Previous Version Current Version
Parcel 2.6.0 2.7.0
@trivago/prettier-plugin-sort-imports 3.2.0 3.3.0

[ AUT-6864 ] Implemented API for adding and removing user identifiers.

[ AUT-6870 ] Added the new Identity Pool APIs:

  • System Add Verifiable Address to User

  • System Delete Verifiable Address from User.

These API perform the basic checks, for example, tenant, identity pool, or user existence. In particular:

  • To add a verified address, the user must lack this address.

  • Verified addresses must not be duplicated within the same identity pool.

  • For a verified address removal, the user must have it assigned.

[ AUT-6935 ] Added the possibility to pass personal_details when the login page accepts the request for CDR. This data is stored in the arrangement metadata. In particular:

auth_ctx: {
 customer_id: "{cid}",
 personal_details: {
   "user_id": "{uid}"
 }
}

arrangement_metadata: {
  revocation_channel: "online",
  personal_details: {
    "user_id: "{uid}"
  }
}

[ AUT-6993 ] Removed the FDX feature flag.

[ AUT-6994 ] Enabled Financroo for the FDX workspace in SaaS.

[ AUT-7062 ] Split Financroo and Developer third-party provider OAuth clients.

[ AUT-7025 ] Introduced ETags to solve problems with dirty reads when asynchronous batch processing for writes is in use.

[ AUT-7068 ] Improved interface for the Identity Providers section:

  • Added a collapsable Third Party Providers section and refreshed icons in the Create Connection section.

  • Added two options to Create Identity Pool: create a new pool and add identity pool IDP.

[ AUT-7101 ] Improved the Dashboard and navigation bar for the Developer Portal:

  • Added the Recent activities panel to the right of the dashboard.

  • Moved the Logs section to a standalone navigation item.

Logs in the navigation bar

[ AUT-7103 ] Fixed APIs naming: identifier means “user identifier”, not an “address”.

[ AUT-7147 ] Removed the unique constraint for the Schema name.

Bug fixes

[ AUT-6792 ] Fixed TimescaleDB, so the Analytics dashboard is loading correctly in all time ranges, and continuous aggregates jobs run properly.

[ AUT-7151 ] Personal details in CDR amending can be modified now. Now it is possible to pass the personal_details object and store it in the arrangement metadata. In particular:

arrangement_metadata: {
revocation_channel: "online",
personal_details: {
"user_id: "{uid}",
}
}

[ AUT-7028 ] Fixed the brute force block false operation upon the lack of Redis connection and after successful authentication.

[ AUT-5577 ] Added the mTLS option to predefined fields for the Attributes validator in the Policy Editor interface.

[ AUT-6618 ] The response mode in the well-known parameter of the /discovery endpoint is changed to respect disallowed. As a result, when an administrator blocks a response mode, the blocked response mode becomes unsupported.

[ AUT-6413 ] The uBlock extension enabled in a browser blocks calls to the /api/analytics/. The following notification is added: Network Error - Check your internet connection or turn off ad blocking plugin. Additionally, the notifications aren’t duplicated upon refreshing a page.

[ AUT-6872 ] When a user tries to amend a different user’s arrangement, the improved message appears: Cannot amend an arrangement that was initiated by a different user.

[ AUT-6890 ] Added a fallback for parsing redirect_uris provided as a string. So when a single redirect URI is included in the redirect_uris string, it results in normal operation.

[ AUT-6892 ] Improved the interface of the Dynamic Client Registration fields in the Configure client form.

[ AUT-6934 ] According to the CDR documentation, the openid scope is mandatory for the CDR authorization flow. So the requests with no openid scope or empty scopes are blocked.

[ AUT-6953 ] Fixed the issue with the empty time string value in the given_at parameter of scope_grants when calling the /cdr/arrangements endpoint.

[ AUT-7033 ] Fixed the error with the data/fdx-data.json missing in the FDX ZIP package.

[ AUT-7050 ] Allowed accepting strings in response_types for DCR requests sent by the CDR mock data.

[ AUT-7111 ] Brute force APIs improvements.

  • Defined brute force limits for APIs. As a result, the whole list of limits, including the default ones, is returned even when an administrator sets no limits explicitly.

  • The delete API is renamed to reset to reflect the functionality that resets the brute force limits to the default values.

Deprecated

[ AUT-7104 ] The generateCode API is deprecated and replaced with the advanced version. The new API allows using identifier rather than userID for unverified addresses. So migrated users without userID can reset password with unverified addresses.

Database Version
CockroachDB 21.2.6
Redis 6.2.7
TimescaleDB 2.8.0 (with Postgres 14.5)
Updated: Nov 9, 2022