- 22 Oct 2024
- 7 Minutes à lire
- SombreLumière
August Release – 24.R1
- Mis à jour le 22 Oct 2024
- 7 Minutes à lire
- SombreLumière
Deprecated or removed components and services
SOAP interface: end of support
In version November Release – 23.R2 (see 1.2 November Release – 23.R2), we announced the end of support for the SOAP interface in OneSpan Cloud Authentication.
As of December 31, 2023, OneSpan Cloud Authentication no longer supports the SOAP interface.
We recommend our customers using OneSpan Cloud Authentication to use the standard REST interface.
Removal of deprecated users/unregister endpoint
In Q2 2025, the deprecated POST /users/unregister endpoint will be removed from the OneSpan Cloud Authentication Adaptive Authentication API Reference service API.
For every service and endpoint that is removed, a replacement is already available in the OneSpan Trusted Identity platform API.
Issue OAS-21200: Remove obsolete code (DIGIPASS CX)
Obsolete code for DIGIPASS CX has been removed from the OneSpan Trusted Identity platform API, including endpoints, payloads, examples, and the connection to the platform hosting DIGIPASS CX.
Orchestration SDK versions
OneSpan Cloud Authentication no longer supports versions 4.19.3 and 4.20.2 of the Orchestration SDK. The minimum supported SDK version is now 4.21.1.
New features and enhancements—supported use cases
FIDO2 policy
OneSpan Cloud Authentication now provides the FIDO2 Policy. With this policy you can configure allow and disallow criteria to define which authenticators can be used for FIDO2 registration and authentication operations. Depending on your organization's needs, you can choose between using the default policy or creating a custom policy to perform FIDO2 operations.
The Default policy is automatically applied to all Relying Party resources and is designed to allow all FIDO-certified authenticators. This policy contains one match criterion in the accepted list that matches all FIDO authenticators, and another match criterion in the disallowed list that matches all authenticators that are not FIDO-certified.
The Default policy allows you to configure to allow or disallow self-attestation. Via this configuration option, you control whether the RelyingParty accepts self-signed certificates at registration instead of an attestation certificate that chains back to some root certificate.
If the default policy does not meet your security requirements, you can create a custom policy via the OneSpan Trusted Identity platform API. using the following endpoints.
Create new FIDO2 policy endpoint. A new FIDO2 policy can be created by calling the following endpoint:
with the following mandatory request body:
name: The name of the policy.
The responses for this endpoint include the following:
200: Policy created.
The UUID of the policy will be returned.
400: Input data errors.
500: Internal error, sub service failure, server crash.
For more information about how to activate the policy and assign it to a Relying Party resource, see Create and activate a new FIDO2 policy.
Update existing FIDO2 policy endpoint. An existing FIDO2 policy can be updated by calling the following endpoint:
with the following mandatory parameter:
uuid: The unique identifier of the policy.
The responses for this endpoint include the following:
200: Policy update successful.
400: Input data errors.
404: Policy not found.
500: Internal error, sub service failure, server crash.
The default policy cannot be edited, updated, or deleted.
Only include fields that you want to update.
Query all FIDO2 policies endpoint. FIDO2 policies can be queried by calling the following endpoint:
The responses for this endpoint include the following:
200: Policies retrieved successfully.
400: Input data errors.
500: Internal error, sub service failure, server crash.
Retrieve a specific FIDO2 policy endpoint. A specific FIDO2 policy can be retrieved by calling the following endpoint:
with the following mandatory parameter:
uuid: The unique identifier of the policy.
The responses for this endpoint include the following:
200: Policy retrieved successfully.
400: Input data errors.
404: Policy not found.
500: Internal error, sub service failure, server crash.
Delete a FIDO2 policy endpoint. A FIDO2 policy can be deleted by calling the following endpoint:
with the following mandatory parameter:
uuid: The unique identifier of the policy.
The responses for this endpoint include the following:
204: Delete operation successful.
400: Input data errors.
404: Policy not found.
500: Internal error, sub service failure, server crash.
It is not possible to delete the Default Policy.
An active policy cannot be deleted. You must activate another policy to be able to delete the previous active policy.
For more information about the FIDO2 policy, see the following articles:
Mobile Security Suite Notification SDK 4.31.0 support
OneSpan Cloud Authentication now supports Mobile Security Suite Notification SDK version 4.31.0. As of this version, the Android priority setting is applied, and notifications are always sent with High priority. With this, even when a device is in sleep mode, a high priority notification is received without delay and causes the screen to wake up.
For more information, refer to the Notification SDK Integration Guide in Mobile Security Suite Integration Guides.
Evaluation support for new authenticator in Sandbox environment
OneSpan will launch a new authenticator soon, DIGIPASS FX2. This new authenticator supports multi-device licensing (MDL)-based activation. This MDL license definition slightly differs from that of other MDL authenticators.
To enable the evaluation of DIGIPASS FX2 and the MDL-based activation, a new authenticator type for OneSpan Cloud Authentication is now available in the Sandbox environment, HWMDL. To evaluate this new authenticator and MDL license type, demo licenses are available when a sandbox tenant is created.
For more information about this and DIGIPASS FX2, please contact our Support team.
Relaxed restrictions on authenticator unlocking
The existing restrictions to unlock an authenticator application have been slightly relaxed. Before, OneSpan Cloud Authentication supported an unlock API but this would only work for authenticator licenses, not authenticator instances. This effectively made it impossible to use multi-device licensing (MDL) hardware authenticators with a built-in unlock functionality.
This has been changed, and it is now possible to also use MDL hardware authenticators that have such an unlock functionality.
Fixes and other changes
Issues OAS-12098, OAS-12809: Performance bottleneck in TID operation flows
In OneSpan Cloud Authentication, the default configuration of the TID services handling the following flows exhibit bottlenecks:
Registration
Provisioning
Login
Transactions
Events
Orchestration commands
This results in poor performance when many users are simultaneously trying to call the same service.
Status: This issue has been fixed. Performance for users during high-traffic spikes has been improved. A higher number of simultaneous requests can now be handled without performance impairments.
With an overall application improvement, the internal communication between the OneSpan Cloud Authentication web services has also been improved, resulting in reduced communication and response times.
Improved communication between OneSpan Cloud Authentication web services
With an overall application improvement, the internal communication between the OneSpan Cloud Authentication web services has been improved, resulting in reduced communication and response times.
Issue OAS-16715: Error in UAF authenticator deregistration when no registrations exist
When a UAF authenticator was deregistered using certain parameters, but no registrations were found, OneSpan Cloud Authentication incorrectly returned a 409 error message. The relevant parameters or parameter combinations were:
User name
User name and AAID
AAID and key ID
This applied to both FIDO deregistration endpoints:
Status: This issue has been fixed. Deregistration is successful, even if no registrations are present. There is one caveat: If a user passes a random string that does not match the AAID format, OneSpan Cloud Authentication still returns the 409 error message.
Issues OAS-17950, OAS-21506: Fixed vulnerabilities
This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:
CVE-2023-1255 (OpenSSL vulnerability)
CVE-2023-2650 (OpenSSL vulnerability)
CVE-2023-2975 (OpenSSL vulnerability)
CVE-2023-3138 (libX11 vulnerability)
CVE-2023-3316 (libtiff vulnerability)
CVE-2023-3446 (OpenSSL vulnerability)
CVE-2023-3817 (OpenSSL vulnerability)
CVE-2023-4863 (libwebp vulnerability)
CVE-2023-5678 (OpenSSL vulnerability)
CVE-2023-6129 (OpenSSL vulnerability)
CVE-2023-6237 (OpenSSL vulnerability)
CVE-2023-29491 (ncurses vulnerability)
CVE-2023-35945 (HTTP/2 vulnerability)
CVE-2023-38039 (cURL vulnerability)
CVE-2023-38545 (cURL vulnerability)
CVE-2023-38546 (libcurl vulnerability)
CVE-2023-44487 (HTTP/2 vulnerability)
CVE-2023-46218 (curl vulnerability)
CVE-2023-46219 (curl vulnerability)
CVE-2023-47038 (Perl vulnerability)
CVE-2024-0727 (OpenSSL vulnerability)
Issue OAS-18413: Interactive API Reference—improved description of schema fields
For the POST /users/{userID@domain}/transactions/validate endpoint, the description of the TransactionValidationInput and AdaptiveTransactionValidationInput schema fields Title and Subject were not clear enough and did not explain that the title and subject fields are used to display the Push Notification message in the notification drop-down menu on the mobile device.
Status: This issue has been fixed. The description now explains that title and subject are only used when the orchestrationDelivery field is set to pushNotification, and are not used when requestMessage is selected.
Issue OAS-20858 (Support Case INC0012943): Incorrect payload for fingerprintRaw in Interactive API Reference
In the Interactive API Reference, we provide payloads that serve as examples for how to implement our endpoints. Some of these endpoints contain the fingerprintRaw element in their payload. The sample payloads used an incorrect value for this element. This applied to the following endpoints:
Status: This issue has been fixed. These endpoints now have the correct sample payload.
Known issues
Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number
The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided from the data type number, and if the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".
Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
5.9.0
5.8.1
5.8.0
5.7.0
5.6.4
5.6.3
5.6.0
5.5.1
5.4.4
5.4.2
5.4.0
5.3.1
5.3.0
5.2.0
5.0.2
4.24.4
4.24.2
4.23.0
4.21.1