Get Verified Claims

Added support for verified claims in admin portal.

401 Status Returned When No IDP Able to Handle ROPC Flow

When in the workspace there are no IDPs that can handle the resource owner password grant flow authentication, change status code from 500 to 401.

Enable Beta Features for Tenants

Added the Beta Features view to the Admin workspace of a tenant. You can now enable and disable beta features for the whole tenant.

List Clients With Access API improvements

GET /clients clients listClientsWithAccess API returns now granted claims per Client for a requested subject.

Password Setting is Hidden if Authentication with Password Not Possible for Pool

Hide password setting option in user create modal if password is not one of available authentication methods for the user pool.

Implicit Scopes - Grant Chosen Scopes to Client Apps Automatically

Added new advanced scope setting Implicit Grant. When selected, the user is not prompted for consent for the target scope as it is granted automatically.

In other words, when the implicit grant scopes are requested they are not displayed on the consent page alongside other scopes. The consent page is skipped altogether if every requested scope is implicitly granted.

Users Land on Recently Used Workspace

Returning users now land on the recently used workspace.

AWS Authorizer Runtime Changes

Switching AWS Authorizer to provided.al2023 runtime.

Get Started View for New Tenants

Replaced Welcome Workspaces view with the Get Started flow for new tenants enabling new users to quickly get value from Cloudentity.

Enabled Users to Set Passwords in Self-Service View

Users can self set passwords in the User Self-Service view.

Claims Request Taken Into Account During Identity Assurance

Claim request is taken into account when deciding if the consent page display should be skipped. List of technical claims is returned to consent page to allow the consent page to decide if technical claims should be displayed.

Identity assurance is currently behind a feature flag. If you wish to test it, contact Cloudentity Sales Team.

Account Activation Flow Improvements

Improved selection of enforced credentials setup during self registration - now one of the allowed methods is just confirming address for code verification.

Users Provisioned Automatically when there is Single Pool in Workspace

Just-In-Time User Provisioning is enabled by default for any external provider if there is a single identity pool configured for the workspace.

Setting Up Password Skipped When Verification Codes are Used

Before, even if Verification Code was the only (or preferred) authentication method, a user was forced to set password upon activation. Now in such cases, setting up password is skipped.

Patch APIs Improvements (Alpha)

Before: It was impossible to delete entities, i.e. Clients using patch APIs (Rfc6902 and Rfc7396) The request returned success but no removal was performed.

Now: It it is possible to delete entities, i.e. Clients using patch APIs (Rfc6902 and Rfc7396) The request returned success and removal is performed.

All mentioned APIs are marked as Alpha version – they can be a subject to breaking changes and removal without any notice.

Hierarchy View for Organizations

Added Organizations Hierarchy View to enable previewing the relations between organizations.

Authenticate Using UID

It is now possible to authenticate with a verification code using uid as an identifier.

Client Apps No Longer Deleted in Okta Workspaces when IDP is Deleted

This changes fixes a bug where deleting any IDP in {{< product-name acp >}} — even a non-Okta one — deletes client applications from the synced Okta workspace.

Now, only the delete of an Okta IDP in {{< product-name acp >}} modifies the synced Okta workspace. Furthermore, only Okta client applications associated with the given IDP is deleted.

Removed Cancel Button From Login Page Templates

Cancel button is no longer included by default in the Login Page template.

DPoP-Related Improvements to PAR Endpoint

If a client has dpop_bound_access_token: true configured, the DPoP proof header or dpop_jwk must be now provided to the Pushed Authorization Request (PAR) endpoint.

Refresh Tokens TTL Changes for Open Finance Brazil Workspaces

Open Finance Brazil workspaces now issue refresh tokens with expirations that match the bound consent. Additionally, refresh tokens do not expire for consents that have been extended indefinitely.

Cloning Workspaces Correctly Sets Parent Workspace

Fixed the issue where Parent ID was missing in cloned workspace/organization.

Parent ID is present in cloned workspace and points to the same workspace as in original workspace.

Retry After No Credentials in Session Error

Adding a Retry button when doing a credential reset on WebAuthn fails with “no credentials in session”.

Purpose for Authorization Requests

Added support for the purpose parameter in /authorize and /par endpoints. Purpose is a text description that provides context to the Resource Owner about the authorization request. The consent page has also been extended to show this functionality.

Changed Indent for Extension Scripts Editor

Changed indent in the script editor to 2 spaces.

Open Finance Brazil /extends API Returns Correct Status Code

Fixes for the latest breaking changes in Open Finance Brazil conformance tests.

Changes for POST /open-banking/consents/v2/consents/{consentID}/extends:

• when one of required headers x-fapi-interaction-id, x-fapi-customer-ip-address, or x-customer-user-agent are missing, return status code 400 instead of 401

Invalidate SAML Metadata Cache After Cert Validation Fail

Invalidate the SAML metadata cache if certificate validation fails. This means the upstream certificate may have changed and it is better to immediately clear it than wait for the cache to expire.

OAuth2C Redirect URI in Demo App

Add oauth2c redirect_uri: http://localhost:9876/callback to the demo app.

Workspace Clones with Correct ID

Before, the Clone workspace API created clients for the userinfo endpoint with random id.

Currently, the Clone workspace API creates clients for the userinfo endpoint with an ID that is identical to the new workspace identifier.

ES256 Signing Algorithm for DPoP

Add ES256 as Demonstrating Proof of Possession (DPoP) supported signing algorithm.

CVE-2023-39323 Fix

Fix rego-env CVE-2023-39323 vulnerability.

Open Finance Brazil DCR Improvements

Implemented DCR adjustments to be compliant with the latest changes to the Open Finance Brazil specification:

• recurringPayments scope added to Open Finance Brazil workspaces.
• credit-fixed-incomes, exchanges, bank-fixed-incomes, variable-incomes, treasure-titles, and funds added for the regulatory DADOS role
• recurringPayments added for the regulatory PAGTO role

Verify SSO Session Validity

Adding a simple API that verifies if an SSO session is valid.

Example usage:

curl https://{tenant-id}.{region-id}.authz.cloudentity.io/{tenant-id}/{workspace-id}/sso/verify -H "Cookie: acp|sso|{tenant-id}|{workspace-id}=e9c8f1946e8440f9b581e8f8c6800cdc"

Responses:

• 200 with empty body if valid

• 401 with error body if invalid:

{"status_code":401,"error":"no SSO session found","details":null}

Reject Brasil Open Banking Payment Consents Upon Exceeding Timelimit

Add a new mechanism to reject OBBR payment consents that has not been authorized within 5 minutes.

This feature has to be enabled in the server configuration:

server:
  obbr_reject_orphaned_payment_consent_using_scheduled_job: true

Client IDs in URL Format Support

Allow to register clients with an identifier in the URL format, for example: https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a

FAPI 2.0 & ConnectID Workspaces Improvements

Change FAPI 2.0 security and ConnectID workspace configurations to not block the code response type with query response mode.

Request Access to Claims

As part of the identity assurance, it is possible to request claims as part of the consent screen. Before, it was possible to request only scopes.

The change makes it possible to request access to verifiable claims.

The new behavior is hidden behind the identity_assurance feature flag.

Kong Authorizer's Token Exchange Improvements

If token exchange is enabled for Kong authorizer, return exchanged tokens based on the token exchange configuration in the response body of the authorize endpoint.

token_exchange:
  enabled: true
  inject:
    mode: "InjectExchangedToken"

SAML Metadata Read from Cache

SAML metadata is now read from cache when imported from url. This ensures that the metadata being referenced stays up-to-date without any user intervention.

Propagating Istio Authorizer Headers in REGO Policies

For Istio authorizer, there is a possibility to add a “headers” value to the REGO policy output which is a map of HTTP headers that should be passed without base64 encoding and without adding a prefix as it happens for other headers.

New Library Dependencies Available in Extension Scripts

Add node-env/5 dependencies and make timeouts configurable.

New libraries:

• async-lock
• axios-retry

Additionally, bumped the axios library to the newest version.

Token Authentication Methods Fallback Method

Set clients' token_authn_method fallback based on the allowed server methods. Before, token_authn_method was always set to “client_secret_basic” regardless of the server configuration. Now, if “client_secret_basic” is not enabled, the token_authn_method is set to the first allowed token_authn_method from the server configuration.

Authorization Server Related Events

Added audit events for authorization server creation, modification, and deletion.

Missing Introspection and Revocation Endpoints Added to Well Known Page

Add missing introspection_endpoint_auth_signing_alg_values_supported and revocation_endpoint_auth_signing_alg_values_supported to the well known page.

Generic Open Banking Solution for Security Profile Compliance

Added new workspace profile – Generic Open Banking along with a demo option (try out button when creating a workspace).

When launching the demo, a new Go Bank Demo workspace is created based on FAPI 2.0 security profile.

After following the qucikstart guide, a new workspace Hyperscale Bank is provisioned.

Both workspaces showcase how Generic Open Banking can be build with CE authorization server with external consent storage.

Enforce Minimal Number of Lowercase Characters in Passwords

Added an ability to enforce minimal number of lowercase characters in a password policy.

Executing Scripts Fixed for Workspaces with Underscores in IDs

Fixed a bug where the extension scripts could not be executed if the workspace id contained an underscore character.

Controlling SSO Session Renewal via SSO-Session-Extend Header

Added an ability to not renew an SSO session as part of the user info and introspect endpoints using the SSO-Session-Extend:false header.

Expire Passwords

It is now possible to set a password expiration period in Identity Pool configuration using APIs.

New Audit Events for Services

Added audit events for service creation, modification, and deletion.

Enforce Mandatory Password Resets & Changes

Introduced Mandatory Password Reset & Change Flags to Identity Pools APIs.

Brasil Open Banking Payment APIs Adjustments

Implemented backwards compatibility adjustments from the Brasil Open Finance Specification for the payment consent APIs.

• GET /open-banking/payments/v2/consents/{consentID} does not allow retrieval of a consent created with the v3 endpoint. In this case, an error code of USO_NAO_COMPATIVEL_VERSAO is returned with HTTP status 400.
• GET /open-banking/payments/v3/consents/{consentID} allows consents created with the v2 endpoint to be queried.

created_at and updated_at Params Set Automatically for Identity Pools

Set created_at, updated_at automatically to current date for Schema if not provided explicitly.

Added Audit Event for Revoking Tokens

Add audit event for the system-level revoke tokens API.

Token Exchange System Client Removed Upon Gateway/Authorizer Removal

Token exchange client is now removed on gateway/authorizer removal (if the token exchange capability was enabled).

Select Account Page Brandable

Added the ability to see and brand the Select Account page in the theme editor view.

AMR and ACR Claims Propagated in Claim Enrichment Extensions

Returned tokens are propagated with the amr and acr claims returned from the pre-token minting extension.

Sample extension:

module.exports = async function(ctx){ return {"amr":["secret-melody"],"acr":"so.secret.1000","access_token":{"server_claim": "value1"}}; }

Workspace-Level Configuration Promotion APIs Performance Improvements

Performance improvements of workspace-level Tenant Configuration Promotion APIs:

• GET “/promote/config”,
• POST “/promote/config”,
• PATCH “/promote/config-rfc6902”
• PATCH “/promote/config-rfc7396”
• POST “/clone”

As a side effect, there is a change that PATCH APIs cannot create new workspaces which is in line with the PATCH definition.

Alpha API: Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.

Identity Pools Available as Input for Token Claim Enrichment Extensions

Made identity_pool object available as an input to pre-token minting script for the token exchange flow.

IDP and IDPM Claims Preserved after Exchanging Tokens

Preserve idp and idpm claims in the ID token after a token exchange.

Improvements to Adding Applications

Changed the admin- / developer-level Create OAuth/SAML Client API to not assign hybrid response modes by default when the application is created using the single_page / server_web / mobile_desktop application types.

Get Authorization Server API Includes Response Types in Response Schema

Add response_types to the Get Authorization Server developer-level API response schema.

Improvements to Well-Known Endpoint

If the well-known endpoint is accessed using the mTLS domain, Cloudentity returns issuer = mtls_issuer. To avoid introducing a breaking change, it happens only for new authorization servers, or those explicitly migrated to version 3.

Fixed Missing Swagger Definition to Open Banking Brasil Payments Login Endpoint

Added missing swagger definitions for the GET /open-banking-brasil/payment/v3/{login} endpoint.

SSO Replaces Authentication Context Caching

Single Sign-On (SSO) Capabilities replaces the authentication context caching. If your organization used this mechanism, switch to Persistent User Sessions (SSO) in Identity Providers settings.

FDX Dynamic Client Registration (DCR) Available Globally

FDX DCR available globally. From now on, the registration_endpoint points to the /fdx/dcr/register instead of the regular /oauth2/register DCR endpoint.

Open Finance Consent APIs v2.1 Support

Added support for the stable 2.1 release of the Open Finance Brazil Consents API.

Improved Default Policies for Passwordless Authentication

Previously, pwd (authentication with a password) was the only allowed amr (authentication method reference) for the NIST-AAL-1/2/3 authorization policies.

Now, the NIST-AAL-1/2/3 authorization policies include otp (One Time Passwords – Verification Codes) and pop (passkeys) as the allowed amr allowing users to authenticate using these other mechanisms.

Note

The change applies only to new tenants. If you want to use passwordless authentication on your already existing tenant, be sure to check the contents of the NIST-AAL-1/2/3 policies to include additional amr values.

SSO Globally Available

Single Sign-On (SSO) capabilities are now globally available for all Cloudentity tenants.

If needed, enable SSO in your workspace Identity Providers settings (Identity Providers » Single Sign-On » Persistent Session (SSO mode)).

Passkey Login Improvements

When attempting a passkey login for a nonexisting user or user without WebAuthn credentials setup, Cloudentity returns a fake credential ID instead of null to obfuscate user existence.

authorization_details Without Scopes for Authorization Code Flow

Allow to request authorization_details (RAR) without scopes for authorization code flow.

Before, if the authorization_details were sent and the scope parameter was empty/omitted, the default set of scopes (openid email profile) was assigned to client application.

DCR and authorization_details_types

Clients can now use dynamic client registration and provide authorization_details_types as defined in the RFC9396 specification.

Improved UI Scaling

Improved Cloudentity UI scaling across multiple devices.

Open Finance Brazil Payment v3 APIs Support

Extended the Open Finance Brazil Consent Management APIs to support requests including v3 payments:

• POST /servers/{wid}/open-banking-brasil/consents
• DELETE /servers/{wid}/open-banking-brasil/consents
• POST /servers/{wid}/open-banking-brasil/consents/{consentID}/consume
• DELETE /servers/{wid}/open-banking-brasil/consents/{consentID}
• GET /servers/{wid}/open-banking-brasil/consents/{consentID}

When a v3 payment consent is targeted with the delete APIs, it receives a rejection reason JSON:

{
	"rejectionReason": {
		"code": "REJEITADO_USUARIO",
		"details": "O usurio rejeitou a autorizao do consentimento"
	}
}

Deprecated Users self/me APIs

Deprecated the following Identity Pool APIs:

• Self Get User Profile

• Selft Update User Profile

Instead, OIDC-compliant userinfo API should be used to get information about the user, and the System Level Identity Pool Users APIs for backend applications should be used to update the user’s data.

Deprecated Brazil Open Finance Introspect Endpoints

Older iterations of the Brazil Open Finance Introspection endpoints (POST /open-banking-brasil/open-banking/payments/v1/consents/introspect and POST /open-banking-brasil/open-banking/payments/v2/consents/introspect) have been marked as deprecated.

The new API should be used instead.

Brazil Open Finance Introspection v3 API for Payments

Added introspection endpoint for Open Finance v3 payments located at POST /open-banking-brasil/open-banking/payments/v3/consents/introspect. This endpoint is backwards compatible and can be used to introspect previous versions as well.

Open Finance Brazil v3 Consent APIs

Added support for the rejectionReason field for Open Finance Brazil v3 payment consents. This includes:

• Updates to the POST /open-banking-brasil/payment/{login}/reject endpoint. The consent page application can explicitly pass the code and details fields as a JSON object in the request.

Example:

{
	"rejection_reason": {
		"code": "VALOR_INVALIDO",
		"details": "O valor enviado não é válido para o QR Code informado"
	}
}

When a rejection reason is not supplied, Cloudentity sets a default rejection reason to the following:

{
	"rejection_reason": {
		"code": "REJEITADO_USUARIO",
		"details": "O usurio rejeitou a autorizao do consentimento"
	}
}

• Updates to Open Finance Brazil cron jobs that reject consents.

Unauthorized consents, which expire before the user is able to confirm them, receive a code of TEMPO_EXPIRADO_AUTORIZACAO. Authorized consents that had expired, receive a code of TEMPO_EXPIRADO_CONSUMO.

Kong Authorizer Configuration Adjustments

In order to avoid configuration issues where the Kong authorizer’s configuration differs too much from the helm chart values, certificate details need to be provided as part of the httpServer.certificate setting instead of the httpServer setting to closely match what Kong Authorizer supports.

With this change, support for httpServer.certificate.generated_key_type and httpServer.certificate.password settings was also introduced.

Configuration Promotion New API

Added a new API for cloning existing workspace within one tenant.

POST /{tid}/workspaces/{wid}/promote/config-clone

As a parameter, a new workspace ID is required. Optionally, an RFC7396 patch can be passed to be applied on new workspace.

Alpha API. Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.

Password Security Improvement

Identity Pool user’s password cannot be the same as any of their identifier or address (case insensitive).

OpenSSL Security Fixes

Security fixes for the two following vulnerabilities:

• CVE-2023-1255
• CVE-2023-2650

Both related to openssl.

403 Status Default Response for Standalone Authorizer

By default, Cloudentity Standalone Authorizer now returns the HTTP 403 Access Forbidden response.

Policies Available Per Authorization Details

Tenants with RAR enabled may now be configured with authorization policies assigned per authorization details.

UK Open Banking Payment Initiation v3 Consent Endpoints Update

Added support for payment initiation v3 consent endpoints from the UK Open Banking specification:

• POST /open-banking/payments/v3/consents
• GET /open-banking/payments/v3/consents/{consentID}

Mongoose and Semver Dependencies Updated

Updated the Mongoose dependency to fix CVE-2023-9696 and the transient semver dependency affected by CVE-2022-25883.

Subscribe Clients to Authorization Details Types

Clients can now subscribe to RAR-related authorization details types. Feature currently behind the feature flag and available only on demand.

Automated User Provisioning

Just in Time automated User Provisioning is now globally available.

FDX Service Scopes Updates

Update FDX service scopes as defined in the FDX 5.3 release. The change is applied only for new FDX workspaces.

MFA Code Lifetime Change Correctly Resets Save Button

Fixed a bug where changes in the MFA verification code lifetime settings would not reset the save button.

Fixed Error Messages for Expired Passwords

A proper error message is displayed on the login page if a password expires. The message is displayed when:

• The provided password is correct but the expiration date is in the past.

• The expiration date is in the past and password is not set (this is especially needed for user migration without passwords)

Theme Preview Fixed for Custom Domains

Fixed a bug where it was not possible to preview custom theme changes on {{< product-name acp >}} exposed behind a custom (vanity) domain.

New Organization-Related APIs

Customers that have the organizations feature enabled are provided with new system level organization management APIS:

• GET /organizations

• POST /organizations

• DELETE /organizations/{wid}

• GET /organizations/{wid}

• PUT /organizations/{wid}

These endpoints function identically to the ones listed in the admin APIS, however it requires a token issued by the system workspace with the manage_organizations scope.

Extended RAR Support

Added new set of APIs (create, get, update, delete and list) for new entity authorization details. Learn more.

Feature currently behind the feature flag and available only on demand

Improved Generate Code of Specific Type API

Improved the Generate Code of Specific Type API with an ability to request user codes for authentication, challenge, and reset password without address provided.

Extension Scripts Removed Upon Workspace Deletion

All Extension Scripts are upon workspace deletion. This fixes the issue with the import/export APIs where dangling scripts caused imports to fail.

Client Registration URI Fixes

Fixed a bug where if the registration_endpoint from the mtls_aliases was used to call the DCR endpoint, the response contained registration_client_uri pointing to regular registration_endpoint instead of mtls_aliases one.

Identity Pools New API

Added a new Identity Pool system-level API for getting user by their identifier or verified email address.

Password History

Fixed account password history enforcement for users stored in Identity Pools. Now, the current password is correctly taken into account.

Extension Libraries Version Bumps

Updated the following libraries versions for Cloudentity Extensions:

• aws-sdk - 2.1306.0 -> 2.1404.0
• mongodb - 5.0.0 -> 5.6.0
• mongoose - 6.9.0 -> 7.3.1 (major version bump)
• xml2js - 0.4.23 -> 0.6.0

Superagent Removed from Fission Dependencies

Superagent removed from the Fission dependencies because of the vulnerability problems. Instead, use Axios in Cloudentity Extensions.

Open Finance Brazil APIs updated

Updated swaggers and models in accordance with the newest release candidate for the Open Finance Brasil consents API.

Token Exchange Available Generally

Token exchange is no longer behind feature flags. No adjustments in your tenant are needed.

SAML IDP Improvements

The SAML SP Metadata label is renamed to Entity ID. Additional ACS URL is introduced to enable easier integration of Cloudentity as a Service Provider at Identity Providers. Both labels are added to the SAML IDP create wizard.

user_id added to Extended OTP Endpoint Response

Added user_id to the inspect extended OTP endpoint response. It allows to fetch user information when processing the code.

Identity Pool APIs without SSO Fixed

Request to Identity Pools APIs without SSO enabled fail with interaction_required error message.

Migration APIs Improvement

Dynamic_client_registration settings were not exported in tree dump and default values were presented instead. Now, dynamic_client_registration settings are exported properly.

Migration APIs Improvement

Private JWKS is not returned for workspace migration.

Migration APIs Improvement

Policy execution points are now presented in the place where policy is applied: servers, scopes, clients. Policy execution points which target is scope use scope names instead of the scope identifiers to identify scope in a tree dump structure.

Modify Workspace View from Workspace

It is now possible to switch workspace themes in workspace’s Appearance view.

User Identifier Case Insensitive by Default

Newly created Identity Pools have the Identifier case-insensitive option enabled by default.