September 30, 2022
v2.7.0 Highlights
Password Policies for Identity Pool Users are implemented, and now times when qwerty1234
was
thought to be a safe password are long gone! Make sure that your users fulfill all of the
requirements for safe passwords with Cloudentity password
policies.
Such policies enable the Identity Pool administrators to specify, for example, the minimal length of
a password, number of special characters, and many more.
Integration With Kusk API Gateway is introduced. Kusk API Gateway enables developers to build, validate, deploy, and monitor REST APIs based on Envoy Proxy running on your Kubernetes cluster. Do you know what else can be run in a K8s cluster? That’s right! Cloudentity authorizers! It is now possible to integrate the Kusk Gateway with Cloudentity and protect the APIs deployed behind your gateway with advanced access control measures.
Major Additions and Changes
[ AUT-7001 ] Identity pool improvements:
-
Added the Strength meter for password inputs to the identity pool web templates. It covers the set password and registration forms.
-
Added the password policy configuration interface on the new Password settings tab and password user frontend validation to the Create User form in the identity pool settings.
[ AUT-6618 ] Cloudentity introduces the option to disable refresh token cycling.
The Disable refresh token cycling is available in the OAuth Advanced settings and is ON for
the CDR and Open Finance Brazil (OBBR) workspaces. With this flag ON, an authorization server at the
Data Holder end doesn’t cycle refresh tokens. Instead, the existing refresh token is bound to the
duration of the sharing arrangement, and the API token
response contains the original
refresh_token
value.
[ AUT-6813 ] JS dependencies are updated in all React applications (Financroo, Admin Portal, and Self Service Portal).
[ AUT-6921 ] From now on, the PAR TTL (time-to-live) logic applies only till the user login and
calls the /authorize
endpoint instead of the time to issue an authorization code. As a result,
Cloudentity returns no Invalid Request URI errors after login or consent provision.
[ AUT-7077 ] The new unique clients
function allows access to token metrics. You can use these
metrics to get the number of active OAuth2 clients per workspace.
[ AUT-7092 ] CDR compliance: The Ignore unknown scopes for DCR option is available under the workspace OAuth Advances Settings and is ON by default. Applies to CDR workspaces created with Cloudentity to meet the updated CDR requirements.
[ AUT-7150 ] Enhanced CDR Arrangement JWT to include standard claims specified in Self-Signed JWT Client Authentication
[ AUT-7155 ] The new Metadata tab is available in an identity pool settings. It contains the code editor to add, edit, or preview the pool metadata.
Breaking Changes
[ AUT-6946 ] Added the enforce_id_token_encryption
configuration to a server as a replacement
of enable_id_token_encryption
. The encryption is allowed by default and applied only when the
client has encryption and consent algorithm fields set and the proper key is configured in jwks
or
jwks_uri
. This new flag can be used to enforce encryption for all clients.
Minor Enhancements
[ AUT-6191 ] Active statuses of legal entities and software product in the CDR register are required for dynamically registered clients to obtain a token via the authorization code grant.
Also, dcr_handler
returns err
instead of *fosite.RCFError
.
[ AUT-6562 ] The interface is updated as follows:
-
The Delete confirmation dialogs are unified: the user must retype a name to confirm the deletion.
-
The Delete buttons in configuration are moved to the dialog footer and styled as text.
-
The Rotate option in Configure gateway is moved to the Client Secret field.
[ AUT-6619 ] CDR FAPI
compliance:
sharing_expires_at
and refresh_token_expires_at
are deprecated. The Cloudentity
documentation is
updated.
[ AUT-6733 ] Implemented the necessary changes to Cloudentity for compliance with Open Banking Brazil consents v2 conformance tests.
[ AUT-6769 ] The default Financial Data Exchange (FDX) workspace is now FAPI-based. Important changes:
-
PAR is enforced
-
Only
private_key_jwt
,self_signed
, ormtls
token authentication methods are allowed.
[ AUT-6852 ] Updated JS dependencies.
Major updates:
Dependency Name | Previous Version | Current Version |
---|---|---|
React | 17.0.2 | 18.2.0 |
React Redux | 7.2.6 | 8.0.2 |
History | 4.10.1 | 5.3.0 |
React Testing Library | 13.5.0 | 14.4.2 |
Jest | 27.5.1 | 28.1.3 |
react-flow-renderer | 9.7.4 | 10.3.14 |
Minor updates:
Dependency Name | Previous Version | Current Version |
---|---|---|
Parcel | 2.6.0 | 2.7.0 |
@trivago/prettier-plugin-sort-imports | 3.2.0 | 3.3.0 |
[ AUT-6864 ] Implemented API for adding and removing user identifiers.
[ AUT-6870 ] Added the new Identity Pool APIs:
-
System Add Verifiable Address to User
-
System Delete Verifiable Address from User.
These API perform the basic checks, for example, tenant, identity pool, or user existence. In particular:
-
To add a verified address, the user must lack this address.
-
Verified addresses must not be duplicated within the same identity pool.
-
For a verified address removal, the user must have it assigned.
[ AUT-6935 ] Added the possibility to pass personal_details
when the login page accepts the
request for CDR. This data is stored in the arrangement metadata. In particular:
auth_ctx: {
customer_id: "{cid}",
personal_details: {
"user_id": "{uid}"
}
}
arrangement_metadata: {
revocation_channel: "online",
personal_details: {
"user_id: "{uid}"
}
}
[ AUT-6993 ] Removed the FDX feature flag.
[ AUT-6994 ] Enabled Financroo for the FDX workspace in SaaS.
[ AUT-7062 ] Split Financroo and Developer third-party provider OAuth clients.
[ AUT-7025 ] Introduced ETags to solve problems with dirty reads when asynchronous batch processing for writes is in use.
[ AUT-7068 ] Improved interface for the Identity Providers section:
-
Added a collapsable Third Party Providers section and refreshed icons in the Create Connection section.
-
Added two options to Create Identity Pool: create a new pool and add identity pool IDP.
[ AUT-7101 ] Improved the Dashboard and navigation bar for the Developer Portal:
-
Added the Recent activities panel to the right of the dashboard.
-
Moved the Logs section to a standalone navigation item.
[ AUT-7103 ] Fixed APIs naming: identifier
means “user identifier”, not an “address”.
[ AUT-7147 ] Removed the unique constraint for the Schema name.
Bug Fixes
[ AUT-6792 ] Fixed TimescaleDB, so the Analytics dashboard is loading correctly in all time ranges, and continuous aggregates jobs run properly.
[ AUT-7151 ] Personal details in CDR amending can be modified now. Now it is possible to pass
the personal_details
object and store it in the arrangement metadata. In particular:
arrangement_metadata: {
revocation_channel: "online",
personal_details: {
"user_id: "{uid}",
}
}
[ AUT-7028 ] Fixed the brute force block false operation upon the lack of Redis connection and after successful authentication.
[ AUT-5577 ] Added the mTLS option to predefined fields for the Attributes validator in the Policy Editor interface.
[ AUT-6618 ] The response mode in the well-known
parameter of the /discovery
endpoint is
changed to respect disallowed
. As a result, when an administrator blocks a response mode, the
blocked response mode becomes unsupported.
[ AUT-6413 ] The uBlock extension enabled in a browser blocks calls to the /api/analytics/
.
The following notification is added: Network Error - Check your internet connection or turn off
ad blocking plugin. Additionally, the notifications aren’t duplicated upon refreshing a page.
[ AUT-6872 ] When a user tries to amend a different user’s arrangement, the improved message appears: Cannot amend an arrangement that was initiated by a different user.
[ AUT-6890 ] Added a fallback for parsing redirect_uris
provided as a string. So when a single
redirect URI is included in the redirect_uris
string, it results in normal operation.
[ AUT-6892 ] Improved the interface of the Dynamic Client Registration fields in the Configure client form.
[ AUT-6934 ] According to the CDR documentation, the openid
scope is mandatory for the CDR
authorization flow. So the requests with no openid
scope or empty scopes are blocked.
[ AUT-6953 ] Fixed the issue with the empty time string value in the given_at
parameter of
scope_grants
when calling the /cdr/arrangements
endpoint.
[ AUT-7033 ] Fixed the error with the data/fdx-data.json
missing in the FDX ZIP package.
[ AUT-7050 ] Allowed accepting strings in response_types
for DCR requests sent by the CDR mock
data.
[ AUT-7111 ] Brute force APIs improvements.
-
Defined brute force limits for APIs. As a result, the whole list of limits, including the default ones, is returned even when an administrator sets no limits explicitly.
-
The
delete
API is renamed toreset
to reflect the functionality that resets the brute force limits to the default values.
Deprecated
[ AUT-7104 ] The generateCode
API is
deprecated and replaced with the advanced
version. The new
API allows using identifier rather than userID
for unverified addresses. So migrated users without
userID
can reset password with unverified addresses.
Recommended Database Versions
Database | Version |
---|---|
CockroachDB | 21.2.6 |
Redis | 6.2.7 |
TimescaleDB | 2.8.0 (with Postgres 14.5) |