Changelog
Cloudentity Platform Changelog
Get Verified Claims
Added support for verified claims in admin portal.
401 Status Returned When No IDP Able to Handle ROPC Flow
When a workspace has no IDPs that can handle resource owner password grant (ROPC) authentication, the returned status code is now 401 instead of 500.
Enable Beta Features for Tenants
Added the Beta Features view to the Admin workspace of a tenant. You can now enable and disable beta features for the whole tenant.
List Clients With Access API improvements
GET /clients (listClientsWithAccess): the API now returns the granted claims per client for the requested subject.
Password Setting is Hidden if Authentication with Password Not Possible for Pool
The password setting option is hidden in the user create modal if password is not one of the available authentication methods for the user pool.
Implicit Scopes - Grant Chosen Scopes to Client Apps Automatically
Added a new advanced scope setting, Implicit Grant. When selected, the user is not prompted for consent for the target scope, as it is granted automatically.
In other words, when the implicit grant scopes are requested they are not displayed on the consent page alongside other scopes. The consent page is skipped altogether if every requested scope is implicitly granted.
Users Land on Recently Used Workspace
Returning users now land on the recently used workspace.
AWS Authorizer Runtime Changes
Switched the AWS Authorizer to the provided.al2023 runtime.
Get Started View for New Tenants
Replaced Welcome Workspaces view with the Get Started flow for new tenants enabling new users to quickly get value from Cloudentity.
Enabled Users to Set Passwords in Self-Service View
Users can self set passwords in the User Self-Service view.
Claims Request Taken Into Account During Identity Assurance
The claims request is taken into account when deciding whether the consent page display should be skipped.
A list of technical claims is returned to the consent page so that the consent page can decide whether technical claims should be displayed.
Identity assurance is currently behind a feature flag. If you wish to test it, contact Cloudentity Sales Team.
Account Activation Flow Improvements
Improved selection of enforced credentials setup during self registration - now one of the allowed methods is just confirming address for code verification.
Users Provisioned Automatically when there is Single Pool in Workspace
Just-In-Time User Provisioning is enabled by default for any external provider if there is a single identity pool configured for the workspace.
Setting Up Password Skipped When Verification Codes are Used
Before, even if Verification Code was the only (or preferred) authentication method, a user was forced to set a password upon activation. Now, in such cases, setting up a password is skipped.
Patch APIs Improvements (Alpha)
Before: it was impossible to delete entities (for example, clients) using the patch APIs (RFC 6902 and RFC 7396). The request returned success but no removal was performed.
Now: it is possible to delete entities (for example, clients) using the patch APIs (RFC 6902 and RFC 7396). The request returns success and the removal is performed.
All mentioned APIs are marked as Alpha version: they may be subject to breaking changes and removal without any notice.
Hierarchy View for Organizations
Added Organizations Hierarchy View to enable previewing the relations between organizations.
Authenticate Using UID
It is now possible to authenticate with a verification code using uid as an identifier.
Client Apps No Longer Deleted in Okta Workspaces when IDP is Deleted
This change fixes a bug where deleting any IDP in {{< product-name acp >}} — even a non-Okta one — deleted client applications from the synced Okta workspace.
Now, only deleting an Okta IDP in {{< product-name acp >}} modifies the synced Okta workspace. Furthermore, only the Okta client applications associated with the given IDP are deleted.
Removed Cancel Button From Login Page Templates
Cancel button is no longer included by default in the Login Page template.
DPoP-Related Improvements to PAR Endpoint
If a client has dpop_bound_access_token: true configured, the DPoP proof header or dpop_jwk must now be provided to the Pushed Authorization Request (PAR) endpoint.
Refresh Tokens TTL Changes for Open Finance Brazil Workspaces
Open Finance Brazil workspaces now issue refresh tokens with expirations that match the bound consent. Additionally, refresh tokens do not expire for consents that have been extended indefinitely.
Cloning Workspaces Correctly Sets Parent Workspace
Fixed the issue where Parent ID was missing in cloned workspace/organization.
Parent ID is present in cloned workspace and points to the same workspace as in original workspace.
Retry After No Credentials in Session Error
Added a Retry button for the case where a credential reset on WebAuthn fails with “no credentials in session”.
Purpose for Authorization Requests
Added support for the purpose parameter in the /authorize and /par endpoints. Purpose is a text description that provides context to the Resource Owner about the authorization request.
The consent page has also been extended to show this functionality.
Changed Indent for Extension Scripts Editor
Changed indent in the script editor to 2 spaces.
Open Finance Brazil /extends API Returns Correct Status Code
Fixes for the latest breaking changes in Open Finance Brazil conformance tests.
Changes for POST /open-banking/consents/v2/consents/{consentID}/extends:
- when one of the required headers x-fapi-interaction-id, x-fapi-customer-ip-address, or x-customer-user-agent is missing, return status code 400 instead of 401
Invalidate SAML Metadata Cache After Cert Validation Fail
Invalidate the SAML metadata cache if certificate validation fails. This means the upstream certificate may have changed and it is better to immediately clear it than wait for the cache to expire.
OAuth2C Redirect URI in Demo App
Added the oauth2c redirect_uri http://localhost:9876/callback to the demo app.
Workspace Clones with Correct ID
Before, the Clone workspace API created clients for the userinfo endpoint with a random ID.
Now, the Clone workspace API creates clients for the userinfo endpoint with an ID that is identical to the new workspace identifier.
ES256 Signing Algorithm for DPoP
Added ES256 as a supported signing algorithm for Demonstrating Proof of Possession (DPoP).
CVE-2023-39323 Fix
Fixed the rego-env CVE-2023-39323 vulnerability.
Open Finance Brazil DCR Improvements
Implemented DCR adjustments to be compliant with the latest changes to the Open Finance Brazil specification:
- recurringPayments scope added to Open Finance Brazil workspaces.
- credit-fixed-incomes, exchanges, bank-fixed-incomes, variable-incomes, treasure-titles, and funds added for the regulatory DADOS role.
- recurringPayments added for the regulatory PAGTO role.
Verify SSO Session Validity
Added a simple API that verifies whether an SSO session is valid.
Example usage:
curl https://{tenant-id}.{region-id}.authz.cloudentity.io/{tenant-id}/{workspace-id}/sso/verify -H "Cookie: acp|sso|{tenant-id}|{workspace-id}=e9c8f1946e8440f9b581e8f8c6800cdc"
Responses:
- 200 with empty body if valid
- 401 with error body if invalid:
  {"status_code":401,"error":"no SSO session found","details":null}
Reject Brasil Open Banking Payment Consents Upon Exceeding Timelimit
Added a new mechanism to reject OBBR payment consents that have not been authorized within 5 minutes.
This feature has to be enabled in the server configuration:
server:
  obbr_reject_orphaned_payment_consent_using_scheduled_job: true
Client IDs in URL Format Support
Clients can now be registered with an identifier in URL format, for example: https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a
FAPI 2.0 & ConnectID Workspaces Improvements
Changed the FAPI 2.0 security and ConnectID workspace configurations to not block the code response type with the query response mode.
Request Access to Claims
As part of identity assurance, it is possible to request claims as part of the consent screen. Before, it was possible to request only scopes.
The change makes it possible to request access to verifiable claims.
The new behavior is hidden behind the identity_assurance feature flag.
Kong Authorizer's Token Exchange Improvements
If token exchange is enabled for the Kong authorizer, the exchanged tokens are returned in the response body of the authorize endpoint, based on the token exchange configuration:
token_exchange:
  enabled: true
  inject:
    mode: "InjectExchangedToken"
SAML Metadata Read from Cache
SAML metadata is now read from cache when imported from a URL. This ensures that the referenced metadata stays up to date without any user intervention.
Propagating Istio Authorizer Headers in REGO Policies
For the Istio authorizer, it is now possible to add a “headers” value to the REGO policy output: a map of HTTP headers that are passed through without base64 encoding and without the prefix that is added to other headers.
New Library Dependencies Available in Extension Scripts
Added node-env/5 dependencies and made timeouts configurable.
New libraries:
Additionally, bumped the axios library to the newest version.
Token Authentication Methods Fallback Method
Set clients' token_authn_method fallback based on the allowed server methods. Before, token_authn_method was always set to “client_secret_basic” regardless of the server configuration. Now, if “client_secret_basic” is not enabled, the token_authn_method is set to the first allowed token_authn_method from the server configuration.
Authorization Server Related Events
Added audit events for authorization server creation, modification, and deletion.
Missing Introspection and Revocation Endpoints Added to Well Known Page
Added the missing introspection_endpoint_auth_signing_alg_values_supported and revocation_endpoint_auth_signing_alg_values_supported fields to the well-known page.
Generic Open Banking Solution for Security Profile Compliance
Added a new workspace profile, Generic Open Banking, along with a demo option (a try-out button when creating a workspace).
When launching the demo, a new Go Bank Demo workspace is created based on the FAPI 2.0 security profile.
After following the quickstart guide, a new workspace, Hyperscale Bank, is provisioned.
Both workspaces showcase how Generic Open Banking can be built with the Cloudentity authorization server and external consent storage.
Enforce Minimal Number of Lowercase Characters in Passwords
Added an ability to enforce minimal number of lowercase characters in a password policy.
Executing Scripts Fixed for Workspaces with Underscores in IDs
Fixed a bug where the extension scripts could not be executed if the workspace id contained an underscore character.
Controlling SSO Session Renewal via SSO-Session-Extend Header
Added the ability to not renew an SSO session as part of the userinfo and introspect endpoints by sending the SSO-Session-Extend: false header.
Expire Passwords
It is now possible to set a password expiration period in Identity Pool configuration using APIs.
New Audit Events for Services
Added audit events for service creation, modification, and deletion.
Enforce Mandatory Password Resets & Changes
Introduced Mandatory Password Reset & Change Flags to Identity Pools APIs.
Brasil Open Banking Payment APIs Adjustments
Implemented backwards compatibility adjustments from the Brasil Open Finance Specification for the payment consent APIs.
GET /open-banking/payments/v2/consents/{consentID} does not allow retrieval of a consent created with the v3 endpoint. In this case, an error code of USO_NAO_COMPATIVEL_VERSAO is returned with HTTP status 400.
GET /open-banking/payments/v3/consents/{consentID} allows consents created with the v2 endpoint to be queried.
created_at and updated_at Params Set Automatically for Identity Pools
created_at and updated_at are set automatically to the current date for a Schema if not provided explicitly.
Added Audit Event for Revoking Tokens
Added an audit event for the system-level revoke tokens API.
Token Exchange System Client Removed Upon Gateway/Authorizer Removal
Token exchange client is now removed on gateway/authorizer removal (if the token exchange capability was enabled).
Select Account Page Brandable
Added the ability to see and brand the Select Account page in the theme editor view.
AMR and ACR Claims Propagated in Claim Enrichment Extensions
Returned tokens are propagated with the amr and acr claims returned from the pre-token minting extension.
Sample extension:
module.exports = async function (ctx) {
  return {
    "amr": ["secret-melody"],
    "acr": "so.secret.1000",
    "access_token": { "server_claim": "value1" }
  };
};
Workspace-Level Configuration Promotion APIs Performance Improvements
Performance improvements of workspace-level Tenant Configuration Promotion APIs:
- GET “/promote/config”,
- POST “/promote/config”,
- PATCH “/promote/config-rfc6902”
- PATCH “/promote/config-rfc7396”
- POST “/clone”
As a side effect, the PATCH APIs can no longer create new workspaces, which is in line with the PATCH definition.
Alpha API: Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.
Identity Pools Available as Input for Token Claim Enrichment Extensions
Made identity_pool object available as an input to pre-token minting script for the token exchange flow.
IDP and IDPM Claims Preserved after Exchanging Tokens
The idp and idpm claims are preserved in the ID token after a token exchange.
Improvements to Adding Applications
Changed the admin- / developer-level Create OAuth/SAML Client API to not assign hybrid response modes by default when the application is created using the single_page / server_web / mobile_desktop application types.
Get Authorization Server API Includes Response Types in Response Schema
Added response_types to the Get Authorization Server developer-level API response schema.
Improvements to Well-Known Endpoint
If the well-known endpoint is accessed using the mTLS domain, Cloudentity returns issuer = mtls_issuer.
To avoid introducing a breaking change, this happens only for new authorization servers, or those explicitly migrated to version 3.
Fixed Missing Swagger Definition to Open Banking Brasil Payments Login Endpoint
Added the missing swagger definitions for the GET /open-banking-brasil/payment/v3/{login} endpoint.
SSO Replaces Authentication Context Caching
Single Sign-On (SSO) capabilities replace authentication context caching. If your organization used this mechanism, switch to Persistent User Sessions (SSO) in the Identity Providers settings.
FDX Dynamic Client Registration (DCR) Available Globally
FDX DCR is available globally. From now on, the registration_endpoint points to /fdx/dcr/register instead of the regular /oauth2/register DCR endpoint.
Open Finance Consent APIs v2.1 Support
Added support for the stable 2.1 release of the Open Finance Brazil Consents API.
Improved Default Policies for Passwordless Authentication
Previously, pwd (authentication with a password) was the only allowed amr (authentication method reference) for the NIST-AAL-1/2/3 authorization policies.
Now, the NIST-AAL-1/2/3 authorization policies include otp (One Time Passwords – Verification Codes) and pop (passkeys) as allowed amr values, allowing users to authenticate using these other mechanisms.
Note
The change applies only to new tenants. If you want to use passwordless authentication on an already existing tenant, be sure to check the contents of the NIST-AAL-1/2/3 policies to include the additional amr values.
SSO Globally Available
Single Sign-On (SSO) capabilities are now globally available for all Cloudentity tenants.
If needed, enable SSO in your workspace Identity Providers settings (Identity Providers » Single Sign-On » Persistent Session (SSO mode)).
Passkey Login Improvements
When attempting a passkey login for a nonexistent user or a user without WebAuthn credentials set up, Cloudentity returns a fake credential ID instead of null to obfuscate user existence.
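The anti-enumeration behaviour described above, as an added illustration that is not Cloudentity's code: a login-options lookup that returns the user's real WebAuthn credential IDs when they exist and otherwise a fake one, so that the response shape is identical for known and unknown users. Deriving the fake ID with an HMAC over the username (so that repeated lookups for the same unknown user return the same ID rather than a fresh random one), the secret, the store layout and the function names are all assumptions of this example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed sample store: lowercase username -> registered credential IDs (raw bytes).
CREDENTIAL_STORE: Dict[str, List[bytes]] = {
    "alice": [b"\x01" * 16, b"\x02" * 16],
}

# Server-side secret used only to derive fake IDs; an assumption of this example,
# in a real deployment it would come from configuration and be rotated with care.
FAKE_ID_SECRET = b"example-secret-not-for-production"


def b64url(raw: bytes) -> str:
    """WebAuthn credential IDs are transported as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def fake_credential_id(username: str) -> bytes:
    """Deterministic fake ID: the same unknown username always yields the same value,
    so an observer cannot tell "unknown user" from "known user" by comparing repeated responses."""
    digest = hmac.new(FAKE_ID_SECRET, username.lower().encode(), hashlib.sha256).digest()
    return digest[:16]  # same length as the constructed real IDs above


def allow_credentials(username: str) -> List[dict]:
    """The allowCredentials list for a passkey login: real IDs if present, otherwise one fake ID.
    Either way the client receives a non-empty list of the same shape."""
    real = CREDENTIAL_STORE.get(username.lower(), [])
    ids = real if real else [fake_credential_id(username)]
    return [{"type": "public-key", "id": b64url(cid)} for cid in ids]


if __name__ == "__main__":
    print(allow_credentials("alice"))
    print(allow_credentials("nobody"))
```

The fake ID is only half of the defence: the assertion that the client later submits for a fake ID must be rejected on the same code path, and with the same timing, as a bad signature for a real credential.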
authorization_details Without Scopes for Authorization Code Flow
Authorization_details (RAR) can now be requested without scopes in the authorization code flow.
Before, if authorization_details were sent and the scope parameter was empty or omitted, the default set of scopes (openid email profile) was assigned to the client application.
DCR and authorization_details_types
Clients can now use dynamic client registration and provide authorization_details_types as defined in the RFC 9396 specification.
Improved UI Scaling
Improved Cloudentity UI scaling across multiple devices.
Open Finance Brazil Payment v3 APIs Support
Extended the Open Finance Brazil Consent Management APIs to support requests including v3 payments:
POST /servers/{wid}/open-banking-brasil/consents
DELETE /servers/{wid}/open-banking-brasil/consents
POST /servers/{wid}/open-banking-brasil/consents/{consentID}/consume
DELETE /servers/{wid}/open-banking-brasil/consents/{consentID}
GET /servers/{wid}/open-banking-brasil/consents/{consentID}
When a v3 payment consent is targeted with the delete APIs, it receives a rejection reason JSON:
{
  "rejectionReason": {
    "code": "REJEITADO_USUARIO",
    "details": "O usuário rejeitou a autorização do consentimento"
  }
}
Deprecated Users self/me APIs
Deprecated the following Identity Pool APIs:
Instead, the OIDC-compliant userinfo API should be used to get information about the user, and the System Level Identity Pool Users APIs for backend applications should be used to update the user’s data.
Deprecated Brazil Open Finance Introspect Endpoints
Older iterations of the Brazil Open Finance Introspection endpoints (POST /open-banking-brasil/open-banking/payments/v1/consents/introspect and POST /open-banking-brasil/open-banking/payments/v2/consents/introspect) have been marked as deprecated.
The new API should be used instead.
Brazil Open Finance Introspection v3 API for Payments
Added an introspection endpoint for Open Finance v3 payments located at POST /open-banking-brasil/open-banking/payments/v3/consents/introspect. This endpoint is backwards compatible and can be used to introspect previous versions as well.
Open Finance Brazil v3 Consent APIs
Added support for the rejectionReason field for Open Finance Brazil v3 payment consents. This includes:
- Updates to the POST /open-banking-brasil/payment/{login}/reject endpoint. The consent page application can explicitly pass the code and details fields as a JSON object in the request.
Example:
{
  "rejection_reason": {
    "code": "VALOR_INVALIDO",
    "details": "O valor enviado não é válido para o QR Code informado"
  }
}
When a rejection reason is not supplied, Cloudentity sets the default rejection reason to the following:
{
  "rejection_reason": {
    "code": "REJEITADO_USUARIO",
    "details": "O usuário rejeitou a autorização do consentimento"
  }
}
- Updates to the Open Finance Brazil cron jobs that reject consents.
Unauthorized consents, which expire before the user is able to confirm them, receive a code of TEMPO_EXPIRADO_AUTORIZACAO. Authorized consents that have expired receive a code of TEMPO_EXPIRADO_CONSUMO.
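The two rejection paths described in this entry and in the "Reject Brasil Open Banking Payment Consents Upon Exceeding Timelimit" entry above (the explicit user rejection with its default reason, and the scheduled job that rejects consents not authorized within 5 minutes or authorized but expired), as an added example that is not Cloudentity's implementation. The consent status names, the field names of the consent record, the English details texts for the scheduled rejections and the sample data are assumptions of this example; the reason codes and the default user rejection reason are the ones stated on this page.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Authorization window from the changelog: a payment consent not authorized within 5 minutes is rejected.
AUTHORIZATION_WINDOW = timedelta(minutes=5)

# Default reason stated in the changelog for a user rejection without an explicit reason.
DEFAULT_USER_REJECTION = {
    "code": "REJEITADO_USUARIO",
    "details": "O usuário rejeitou a autorização do consentimento",
}

# Status names are an assumption of this example (Open Finance Brazil style), not taken from the page.
AWAITING = "AWAITING_AUTHORISATION"
AUTHORISED = "AUTHORISED"
REJECTED = "REJECTED"


def scheduled_rejection(consent: Dict, now: datetime) -> Optional[Dict]:
    """Reason the scheduled job would apply to this consent, or None if it should stay as is."""
    if consent["status"] == AWAITING and now - consent["created_at"] > AUTHORIZATION_WINDOW:
        # Never authorized inside the window: the authorization period expired.
        return {"code": "TEMPO_EXPIRADO_AUTORIZACAO",
                "details": "authorization window elapsed (constructed text)"}
    if consent["status"] == AUTHORISED and now > consent["expires_at"]:
        # Authorized but not consumed before its expiry.
        return {"code": "TEMPO_EXPIRADO_CONSUMO",
                "details": "consent expired before consumption (constructed text)"}
    return None


def reject_by_user(consent: Dict, reason: Optional[Dict] = None) -> Dict:
    """Explicit rejection from the consent page; falls back to the default reason when none is given."""
    consent["status"] = REJECTED
    consent["rejectionReason"] = dict(reason) if reason else dict(DEFAULT_USER_REJECTION)
    return consent


def sweep(consents: List[Dict], now: datetime) -> List[Dict]:
    """Apply the scheduled rejections in place; returns the consents that were rejected."""
    rejected = []
    for consent in consents:
        reason = scheduled_rejection(consent, now)
        if reason is not None:
            consent["status"] = REJECTED
            consent["rejectionReason"] = reason
            rejected.append(consent)
    return rejected


SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def sample_consents() -> List[Dict]:
    """Constructed sample data: four consents in different states relative to SAMPLE_NOW."""
    return [
        {"id": "c1", "status": AWAITING, "created_at": SAMPLE_NOW - timedelta(minutes=6),
         "expires_at": SAMPLE_NOW + timedelta(days=1)},          # pending too long -> rejected
        {"id": "c2", "status": AWAITING, "created_at": SAMPLE_NOW - timedelta(minutes=2),
         "expires_at": SAMPLE_NOW + timedelta(days=1)},          # still inside the window
        {"id": "c3", "status": AUTHORISED, "created_at": SAMPLE_NOW - timedelta(days=2),
         "expires_at": SAMPLE_NOW - timedelta(hours=1)},         # authorized but expired -> rejected
        {"id": "c4", "status": AUTHORISED, "created_at": SAMPLE_NOW - timedelta(hours=2),
         "expires_at": SAMPLE_NOW + timedelta(hours=1)},         # authorized and still valid
    ]


if __name__ == "__main__":
    for c in sweep(sample_consents(), SAMPLE_NOW):
        print(c["id"], c["rejectionReason"]["code"])
    print(reject_by_user({"id": "c5", "status": AWAITING})["rejectionReason"])
```

Keeping the scheduled and user-initiated paths in separate functions makes the audit trail unambiguous: a REJEITADO_USUARIO reason can only originate from the consent page call, never from the job.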
Kong Authorizer Configuration Adjustments
In order to avoid configuration issues where the Kong authorizer’s configuration differs too much from the helm chart values, certificate details need to be provided as part of the httpServer.certificate setting instead of the httpServer setting, to closely match what the Kong Authorizer supports.
With this change, support for the httpServer.certificate.generated_key_type and httpServer.certificate.password settings was also introduced.
Configuration Promotion New API
Added a new API for cloning an existing workspace within one tenant.
POST /{tid}/workspaces/{wid}/promote/config-clone
A new workspace ID is required as a parameter. Optionally, an RFC 7396 patch can be passed to be applied to the new workspace.
Alpha API. Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.
Password Security Improvement
An Identity Pool user’s password cannot be the same as any of their identifiers or addresses (case insensitive).
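The two password policy rules from this entry and from the "Enforce Minimal Number of Lowercase Characters in Passwords" entry above, as an added example that is not Cloudentity's code: a validator that rejects a password equal (case-insensitively) to any of the user's identifiers or addresses and one that does not meet the minimum lowercase count. The function name, the parameter layout and the violation messages are assumptions of this example.

```python
from typing import List


def password_violations(password: str,
                        identifiers: List[str],
                        addresses: List[str],
                        min_lowercase: int = 1) -> List[str]:
    """Return the list of policy violations for a candidate password (empty list = accepted).

    identifiers: the user's identifiers (e.g. username, uid); addresses: e.g. email or phone.
    """
    violations: List[str] = []

    # Rule 1: minimal number of lowercase characters (str.islower is Unicode-aware).
    lowercase_count = sum(1 for ch in password if ch.islower())
    if lowercase_count < min_lowercase:
        violations.append(f"needs at least {min_lowercase} lowercase character(s)")

    # Rule 2: not equal to any identifier or address, compared case-insensitively.
    # casefold() handles cases such as German ß that lower() would miss.
    folded = password.casefold()
    if any(folded == value.casefold() for value in identifiers + addresses):
        violations.append("must not equal any user identifier or address")

    return violations


if __name__ == "__main__":
    # Constructed sample user.
    ids, addrs = ["alice", "a1b2c3"], ["alice@example.com", "+15550100"]
    for candidate in ["abcDEF12", "ABCDEF12", "Alice@Example.COM", "ALICE"]:
        print(repr(candidate), password_violations(candidate, ids, addrs) or "ok")
```

The comparison deliberately uses the whole password rather than a substring match, because that is what the entry describes; a policy that also forbids the identifier as a substring would be a separate, stricter rule.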
OpenSSL Security Fixes
Security fixes for the following two vulnerabilities:
- CVE-2023-1255
- CVE-2023-2650
Both are related to OpenSSL.
403 Status Default Response for Standalone Authorizer
By default, Cloudentity Standalone Authorizer now returns the HTTP 403 Access Forbidden response.
Policies Available Per Authorization Details
Tenants with RAR enabled may now be configured with authorization policies assigned per authorization details.
UK Open Banking Payment Initiation v3 Consent Endpoints Update
Added support for payment initiation v3 consent endpoints from the UK Open Banking specification:
POST /open-banking/payments/v3/consents
GET /open-banking/payments/v3/consents/{consentID}
Mongoose and Semver Dependencies Updated
Updated the Mongoose dependency to fix CVE-2023-9696 and the transient semver dependency affected by CVE-2022-25883.
Subscribe Clients to Authorization Details Types
Clients can now subscribe to RAR-related authorization details types. This feature is currently behind a feature flag and available only on demand.
Automated User Provisioning
Just in Time automated User Provisioning is now globally available.
FDX Service Scopes Updates
Updated the FDX service scopes as defined in the FDX 5.3 release. The change is applied only to new FDX workspaces.
MFA Code Lifetime Change Correctly Resets Save Button
Fixed a bug where changes in the MFA verification code lifetime settings would not reset the save button.
Fixed Error Messages for Expired Passwords
A proper error message is displayed on the login page if a password has expired. The message is displayed when:
- The provided password is correct but the expiration date is in the past.
- The expiration date is in the past and no password is set (this is especially needed for user migration without passwords).
Theme Preview Fixed for Custom Domains
Fixed a bug where it was not possible to preview custom theme changes on {{< product-name acp >}} exposed behind a custom (vanity) domain.
New Organization-Related APIs
Customers that have the organizations feature enabled are provided with new system-level organization management APIs:
- GET /organizations
- POST /organizations
- DELETE /organizations/{wid}
- GET /organizations/{wid}
- PUT /organizations/{wid}
These endpoints function identically to the ones listed in the admin APIs; however, they require a token issued by the system workspace with the manage_organizations scope.
Extended RAR Support
Added a new set of APIs (create, get, update, delete and list) for the new authorization details entity.
This feature is currently behind a feature flag and available only on demand.
Improved Generate Code of Specific Type API
Improved the Generate Code of Specific Type API with an ability to request user codes for authentication, challenge, and reset password without address provided.
Extension Scripts Removed Upon Workspace Deletion
All Extension Scripts are now removed upon workspace deletion. This fixes the issue with the import/export APIs where dangling scripts caused imports to fail.
Client Registration URI Fixes
Fixed a bug where, if the registration_endpoint from mtls_aliases was used to call the DCR endpoint, the response contained a registration_client_uri pointing to the regular registration_endpoint instead of the mtls_aliases one.
Identity Pools New API
Added a new Identity Pool system-level API for getting a user by their identifier or verified email address.
Password History
Fixed account password history enforcement for users stored in Identity Pools. Now, the current password is correctly taken into account.
Extension Libraries Version Bumps
Updated the following libraries versions for Cloudentity Extensions:
- aws-sdk - 2.1306.0 -> 2.1404.0
- mongodb - 5.0.0 -> 5.6.0
- mongoose - 6.9.0 -> 7.3.1 (major version bump)
- xml2js - 0.4.23 -> 0.6.0
Superagent Removed from Fission Dependencies
Superagent was removed from the Fission dependencies because of known vulnerabilities. Use Axios in Cloudentity Extensions instead.
Open Finance Brazil APIs updated
Updated swaggers and models in accordance with the newest release candidate for the Open Finance Brasil consents API.
Token Exchange Available Generally
Token exchange is no longer behind feature flags. No adjustments in your tenant are needed.
SAML IDP Improvements
The SAML SP Metadata label is renamed to Entity ID. Additional ACS URL is introduced to enable easier integration of Cloudentity as a Service Provider at Identity Providers. Both labels are added to the SAML IDP create wizard.
user_id added to Extended OTP Endpoint Response
Added user_id to the inspect extended OTP endpoint response. It allows fetching user information when processing the code.
Identity Pool APIs without SSO Fixed
Requests to the Identity Pools APIs without SSO enabled now fail with an interaction_required error message.
Migration APIs Improvement
Previously, dynamic_client_registration settings were not exported in the tree dump and default values were presented instead. Now, dynamic_client_registration settings are exported properly.
Migration APIs Improvement
Private JWKS is not returned for workspace migration.
Migration APIs Improvement
Policy execution points are now presented in the place where the policy is applied: servers, scopes, clients. Policy execution points whose target is a scope use scope names instead of scope identifiers to identify the scope in the tree dump structure.
Modify Workspace View from Workspace
It is now possible to switch workspace themes in workspace’s Appearance view.
User Identifier Case Insensitive by Default
Newly created Identity Pools have the Identifier case-insensitive option enabled by default.