February Release – 23.R1
  • 22 Oct 2024

New features and enhancements—supported use cases

Documentation updates

The product documentation describing the FIDO-related infrastructure in OneSpan Cloud Authentication has been updated in the OneSpan Cloud Authentication User Guide.

For more information, see FIDO-based authentication.

Message-based transaction data signing via virtual signature

OneSpan Cloud Authentication now supports message-based transaction data signing via virtual signatures. With this feature, a user performs a transaction data signing operation by initiating a signature request to the OneSpan Trusted Identity platform API. The generated signature request contains a one-time password (OTP) together with the signature data fields. The OTP and the data fields are delivered to the user for confirmation via SMS, email, or voice call.

  • Generate virtual signature endpoint. A new endpoint has been added for this transaction data signing operation:

    POST /users/{userID@domain}/generate-virtual-signature

    This endpoint accepts dataFields, credentials, and deliveryMethod in the request payload.

    The following responses are included:

    • 204: Virtual signature generated.

    • 400: The input is invalid.

    • 403: The command is prohibited for the tenant admin account.

    • 404: User account not found.

    • 409: Failed to generate or deliver a virtual signature.

    • 500: Internal error, sub-service failure, server crash.

For more information, refer to Integrate message-based transaction data signing.
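The following client-side helper is an added example, not OneSpan's code. It uses only what the release notes state about POST /users/{userID@domain}/generate-virtual-signature: the endpoint path, the three payload fields, and the documented status codes. The JSON shape of the field values, the delivery-method enum, the string typing of data fields, and the transport abstraction are assumptions; the FakeTransport is a constructed stand-in so the example runs offline.

```python
"""Client helper for the generate-virtual-signature endpoint (added example).

Endpoint path, payload field names and status codes come from the release
notes; everything else (value shapes, enum, transport) is assumed.
"""
import json
from urllib.parse import quote

# Assumption: delivery methods named for virtual signatures (SMS, email, voice)
# plus the Default value the notes use for virtual OTPs elsewhere.
DELIVERY_METHODS = {"Default", "SMS", "Email", "Voice"}

# Documented responses of POST /users/{userID@domain}/generate-virtual-signature.
STATUS_OUTCOMES = {
    204: "signature_sent",               # request generated and delivered
    400: "invalid_input",                # payload problem; do not retry as-is
    403: "forbidden_for_tenant_admin",
    404: "user_not_found",
    409: "generate_or_delivery_failed",  # server-side generation/delivery failure
    500: "internal_error",
}


def build_request(user_id, data_fields, credentials, delivery_method="Default"):
    """Return (path, body), rejecting malformed input locally.

    Failing before the call avoids sending credentials on a request the
    server will answer with 400 anyway, and avoids burning an OTP delivery.
    """
    if not isinstance(user_id, str) or "@" not in user_id:
        raise ValueError("user_id must be of the form userID@domain")
    # Assumption: data field values are strings (the notes' known issue for
    # transactions/validate requires string-typed amounts).
    if not data_fields or not all(isinstance(v, str) for v in data_fields.values()):
        raise ValueError("dataFields must be a non-empty mapping of string values")
    if delivery_method not in DELIVERY_METHODS:
        raise ValueError(f"deliveryMethod must be one of {sorted(DELIVERY_METHODS)}")
    # Keep '@' literal in the path segment, as in the endpoint template, and
    # percent-encode anything else that is not path-safe.
    path = f"/users/{quote(user_id, safe='@')}/generate-virtual-signature"
    body = {
        "dataFields": data_fields,      # assumed: flat name -> value mapping
        "credentials": credentials,     # assumed: opaque object supplied by caller
        "deliveryMethod": delivery_method,
    }
    return path, body


def generate_virtual_signature(transport, user_id, data_fields, credentials,
                               delivery_method="Default"):
    """Call the endpoint via transport(method, path, body) -> (status, text).

    Returns a STATUS_OUTCOMES value, or 'unexpected_status' for anything else.
    """
    path, body = build_request(user_id, data_fields, credentials, delivery_method)
    status, _text = transport("POST", path, json.dumps(body))
    return STATUS_OUTCOMES.get(status, "unexpected_status")


class FakeTransport:
    """Constructed stand-in for an HTTP client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, json.loads(body)))
        if path.startswith("/users/nobody@"):
            return 404, '{"message":"User account not found."}'
        if path.startswith("/users/admin@"):
            return 403, '{"message":"The command is prohibited for the tenant admin account."}'
        return 204, ""


if __name__ == "__main__":
    fake = FakeTransport()
    fields = {"amount": "250.00", "beneficiary": "BE71096123456769"}  # constructed
    creds = {"password": "example-only"}  # assumption: credentials shape
    print(generate_virtual_signature(fake, "alice@acme", fields, creds, "SMS"))
    print(generate_virtual_signature(fake, "nobody@acme", fields, creds))
```

A 409 is the one code worth handling differently from 400: the payload was accepted but generation or delivery failed, so a bounded retry (or a fallback delivery method) is reasonable, whereas a 400 should never be retried unchanged.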

Audit logging enhancement

In previous versions of OneSpan Cloud Authentication, each TID microservice had its own implementation of audit logging. The implementation has now been unified: the common parts have been moved to the common-auditing library, which every microservice now uses. Microservice-specific custom fields, which were already logged before this change, are not affected.

The following TID microservices are impacted:

  • authenticator-managementv2

  • checkevent

  • fido-universal-server

  • relying-party

  • user-managementv2

Fixes and other changes

Issue OAS-13897 (Support Case INC0010788): Mobile client receives incorrect error message when using the Orchestration SDK

In certain error scenarios, mobile clients that use the Orchestration SDK and integrate it with OneSpan Cloud Authentication receive error messages that are too verbose and contain internal processing details.

The following error messages are affected:

  • The authenticator limit has been reached

  • No device added

  • No device registered

  • Wrong device code supplied

  • Wrong signature supplied

  • User account suspended due to inactivity

  • User is locked

  • User is disabled

  • No authenticators available

  • Authenticator not supported

  • Could not process encrypted message

  • Static password has expired

Status: This issue has been fixed. Correct error messages are now returned to the clients. For unspecified internal server errors, the following generic error message is now returned instead of internal details: An unknown error has occurred.

In addition, the following changes were implemented to improve error messaging for Orchestration SDK clients:

  • The error response of the POST /orchestration-commands endpoint now returns a log correlation ID that can be used to identify logs that belong to a certain error.

  • If an error message cannot be propagated to the onOrchestrationServerError() callback method because the error command encoding fails, the message of the original error will now be returned as part of the error response of the POST /orchestration-commands endpoint.

Issues OAS-15177, OAS-15133, OAS-15323, OAS-15337, OAS-15338, OAS-15345, OAS-15346, OAS-15347, OAS-15348, OAS-16009, OAS-16033, and OAS-16262: Fixed vulnerabilities

This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:

  • CVE-2022-42915 (curl vulnerability)

  • CVE-2022-42889 (Apache Commons Text vulnerability)

  • CVE-2022-37434 (zlib vulnerability)

  • CVE-2022-32207 (curl vulnerability)

  • CVE-2022-27404 (FreeType vulnerability)

  • CVE-2022-23806 (Go vulnerability)

  • CVE-2022-22965 (Spring MVC/Spring WebFlux vulnerability)

  • CVE-2022-2068 (OpenSSL vulnerability)

  • CVE-2022-1292 (OpenSSL vulnerability)

  • CVE-2021-45046 (Apache Log4j, Log4Shell vulnerability)

  • CVE-2021-44228 (Apache Log4j, Log4Shell vulnerability)

  • CVE-2021-43527 (Network Security Services (NSS) vulnerability)

  • CVE-2021-31535 (libX11 vulnerability)

  • CVE-2021-27568 (netplex json-smart vulnerability)

  • CVE-2021-20223 (SQLite vulnerability)

  • CVE-2021-3711 (OpenSSL vulnerability)

  • CVE-2020-12403 (Network Security Services (NSS) vulnerability)

  • CVE-2020-11656 (SQLite vulnerability)

  • CVE-2019-20367 (libbsd vulnerability)

  • CVE-2019-19646 (SQLite vulnerability)

  • CVE-2019-14697 (musl vulnerability)

  • CVE-2019-12900 (bzip2 vulnerability)

  • CVE-2019-8457 (SQLite vulnerability)

Issue OAS-15341 (Support Case INC0011168): API Client cannot be generated for the OneSpan Trusted Identity platform API

Because of an incorrect reference in the tid-api.json file for the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint, the API client for the OneSpan Trusted Identity platform API could not be generated.

Status: This issue has been fixed.

Issue OAS-16273: FIDO authenticator registration fails in certain situations

Duplicate entries in the FIDO metadata database have caused authenticator registration attempts to fail in certain situations.

Status: This issue has been fixed.

Issue OAS-16274: Secure Messaging service returned incorrect error message text

The Secure Messaging service of OneSpan Cloud Authentication returned the message Failed to generate secure challenge not only when a call to generate a secure challenge failed, but also when a call to generate a signing request failed.

Status: This issue has been fixed. Because the message did not make clear that the cause was an internal issue, it has been removed entirely. When either of these two calls fails, OneSpan Cloud Authentication now returns the following error message: An internal error occurred while attempting to process the request.

In addition, a new error message has been added for the case where a temporary user account has expired: Temporary user account expired. The wording of other error messages has also been improved and streamlined.

Issue OAS-16457: Mapping issue for delivery method of virtual OTP

The User Management service, specifically the PUT /users/{userID@domain} endpoint used to create users, accepted a null value for the virtual OTP delivery method but could not map it to one of the expected values (Default, SMS, Email, Voice).

Status: This issue has been fixed. The service now maps a null value to Default.

Known issues

Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if a transaction amount field is provided as JSON data type number and the amount is large. In this case the endpoint should return the error message "Invalid value type", because the field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: Provide the transaction amount fields in the request body of the transactions/validate endpoint as Strings. Ensure that each amount value in the JSON request body is wrapped in double quotes.
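A pre-flight check for this known issue, written here as an added example rather than OneSpan's code: it applies the amount pattern quoted in the error message and enforces the documented workaround (amounts as JSON strings) before the request is sent, so the client reports the type problem itself instead of depending on the endpoint's misleading message. The list of amount-bearing field names and the request body shape are assumptions; the sample bodies are constructed.

```python
"""Pre-flight check for transaction amount fields (added example).

The regular expression is the one quoted in the OAS-15853 error text; the
string-typing rule is the documented workaround. Field names are assumed.
"""
import json
import re

# From the error text: optional sign, 1-20 integer digits, optional 1-3 decimals.
AMOUNT_RE = re.compile(r"^-?[0-9]{1,20}(\.[0-9]{1,3})?$")

# Assumption: names of amount-bearing fields in the transactions/validate body.
AMOUNT_FIELDS = ("amount",)


def check_amount_fields(body):
    """Return a list of (field, problem) tuples; an empty list means safe to send.

    Separates the two failure modes the known issue conflates: a value of the
    wrong JSON type, and a string that does not match the amount format.
    """
    problems = []
    for name in AMOUNT_FIELDS:
        if name not in body:
            continue
        value = body[name]
        # Any non-string (int, float, bool, null, object) is the wrong type;
        # bool is a subclass of int in Python, so it is caught here too.
        if not isinstance(value, str):
            problems.append((name, "Invalid value type"))
        elif not AMOUNT_RE.match(value):
            problems.append((name, "Value must follow ^-?[0-9]{1,20}(\\.[0-9]{1,3})?$"))
    return problems


def validate_request_json(raw):
    """Parse a JSON request body and return its amount-field problems.

    json.loads keeps JSON numbers as int/float, so a body written as
    {"amount": 12345678901234567890} is reported as a type error rather
    than being silently reformatted into a string.
    """
    return check_amount_fields(json.loads(raw))


def coerce_amount(value):
    """Convert an amount into the string form the endpoint accepts.

    Only ints and decimal strings are coerced. Floats are refused: a binary
    float does not carry an exact decimal amount, so stringifying it can
    change the value being signed.
    """
    if isinstance(value, bool):
        raise TypeError("boolean is not an amount")
    if isinstance(value, int):
        text = str(value)
    elif isinstance(value, str):
        text = value
    else:
        raise TypeError("floats must be supplied as decimal strings")
    if not AMOUNT_RE.match(text):
        raise ValueError(f"{text!r} does not match the amount format")
    return text


if __name__ == "__main__":
    # Constructed bodies: the first triggers the known issue, the second is correct.
    print(validate_request_json('{"amount": 12345678901234567890, "currency": "EUR"}'))
    print(validate_request_json('{"amount": "12345678901234567890.50", "currency": "EUR"}'))
    print(coerce_amount(250))
```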

Orchestration SDK—supported versions

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

  • 5.5.1

  • 5.4.4

  • 5.4.2

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

  • 4.20.2

  • 4.19.3

