November Release – 23.R2
  • 22 Oct 2024
  • 6 Minutes à lire
  • Sombre
    Lumière

November Release – 23.R2

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

Deprecated components and services

SOAP interface: end of support

As of December 31, 2023, OneSpan will end support for the SOAP interface in OneSpan Cloud Authentication.

We recommend customers who are using OneSpan Cloud Authentication with SOAP to switch to the standard REST interface.

New features and enhancements—supported use cases

Third-party licenses

For information on third-party dependencies associated with OneSpan Cloud Authentication, see Third-party licenses and Third-party notices.

New policy: TID Activation for Multi-Device Licensing

A new policy has been added, TID Activation for Multi-Device Licensing to facilitate activating an authenticator instance in multi-device licensing (MDL) mode. This policy provides settings to allow the activation of all types of authenticators and/or authenticator instance types. It completes the authenticator provisioning by validating a signature that is generated by the newly activated authenticator instance.

For more information, see TID Activation for Multi-Device Licensing (Policy).

Also, a new field has been added to the TID Provisioning for Multi-Device Licensing policy, dp_types. With this new field you can indicate which authenticator types are permitted. For more information, see TID Provisioning for Multi-Device Licensing (Policy).

FIDO2 Bank Demo Web App

The FIDO2 Bank Demo Web App is a stand-alone component hosted in the Sandbox environment that allows you to test and simulate basic capabilities of the FIDO2 ceremonies.

Once FIDO2 has been enabled, you can access the FIDO2 Bank Demo Web App via https://yourtenant.sdb.tid.onespan.cloud/v1/mybank-fido.

For more information about the FIDO2 Bank Demo Web App, see FIDO2 Bank Demo Web App.

For more information on the FIDO2 Bank Demo Web App interaction with the web browser and the OneSpan Trusted Identity platform API, see Test User Registration with the FIDO2 Bank Demo Web App and Test User Authentication with the FIDO2 Bank Demo Web App. The code samples demonstrate how to use the WebAuthn API for the registration and authentication flows.

For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.

Check user account existence

OneSpan Cloud Authentication now supports the option to check if a user account exists in OneSpan Trusted Identity platform. This basic check enables you to verify the existence of an account without the need to fetch any additional details about this user.

Check if a user account exists endpoint. A new endpoint has been added for this operation:

HEAD /users/{userId@domain}

The responses include:

  • 204: User account exists.

  • 400: The input is invalid.

  • 403: The command is prohibited for the tenant admin account.

  • 404: User account not found.

  • 500: Internal error, sub service failure, server crash.

Improved communication between OneSpan Cloud Authentication web services

With an overall application improvement, the internal communication between the OneSpan Cloud Authentication web services has been improved, resulting in reduced communication and response times.

Fixes and other changes

Issues OAS-16263, OAS-16443, OAS-16822—OAS-16826, OAS-17246, OAS-17375, OAS-18015, and OAS-18195: Fixed vulnerabilities

This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:

  • CVE-2023-29491 (ncurses vulnerability)

  • CVE-2023-23914 (Curl vulnerability)

  • CVE-2023-20873 (Spring Boot vulnerability)

  • CVE-2023-20862 (Spring Security vulnerability)

  • CVE-2023-20860 (Spring Framework vulnerability)

  • CVE-2023-1436 (Jettison vulnerability)

  • CVE-2023-1370 (JSON vulnerability)

  • CVE-2023-0464 (OpenSSL vulnerability)

  • CVE-2023-0286 (OpenSSL vulnerability)

  • CVE-2023-0215 (OpenSSL vulnerability)

  • CVE-2022-41853 (HyperSQL vulnerability)

  • CVE-2022-31692 (Spring Security vulnerability)

  • CVE-2022-31197 (PostgreSQL vulnerability)

  • CVE-2022-25647 (Gson vulnerability)

  • CVE-2022-23221 (H2 vulnerability)

  • CVE-2022-22978 (Spring Security vulnerability)

  • CVE-2022-22971 (Spring framework vulnerability)

  • CVE-2022-22970 (Spring framework vulnerability)

  • CVE-2022-22968 (Spring framework vulnerability)

  • CVE-2022-4450 (OpenSSL vulnerability)

  • CVE-2022-1471 (SnakeYaml vulnerability)

  • CVE-2021-46848 (GNU Libtasn1 vulnerability)

  • CVE-2021-42392 (H2 vulnerability)

  • CVE-2021-36159 (libfetch vulnerability)

  • CVE-2020-11612 (zlib vulnerability)

  • CVE-2018-1000873 (Fasterxml Jackson vulnerability)

  • CVE-2016-1000344 (Bouncy Castle vulnerability)

Issue OAS-16295: authenticatorAttachment field no longer has default value

When no authenticator attachment is provided in OneSpan Trusted Identity platform for the FIDO2 Sample Relying Party Web App, the client app automatically selects platform as the default option.

Status: This issue has been fixed. The authenticatorAttachment field for the POST /users/{userID@domain}/generate-fido-registration-request endpoint no longer has a default value. If this field is not provided, the client app will then select all platform and cross-platform authenticators that are allowed.

Issue OAS-16704: Orchestration error messages (Documentation)

When integrating orchestration with OneSpan Cloud Authentication, it was difficult to correctly handle error messages that originated from the cloud web services. The error messages that were provided were unclear.

Status: This issue has been fixed. A list of relevant error messages for orchestration has been added to the OneSpan Cloud Authentication Integration Guide. See Error Handling in Orchestration for this list.

Issue OAS-17129: Data store entries deleted during update

The method used to update a data store entry causes the library to delete the entry before recreating it. This results in short periods where the relevant record is not available and leads to unexpected errors for certain flows. Instead of a valid entry, the users receive a 404 Element_NOT_FOUND error.

Status: This issue has been fixed. The data store is now updated with a different method.

Issue OAS-17217 (Support Case CS0121382): CORS issue for authenticator provisioning in the Sandbox environment

When the POST /registrations/{registrationID}/add-device is called with an HTTP OPTIONS request method, a CORS (Cross-Origin Resource Scripting) error 403 occurs, thus preventing the user to send requests to this API endpoint.

Status: This issue has been fixed. The endpoint has been adapted to include access control in the response header.

Issue OAS-17335: Grace period does not expire after MDL activation

In previous versions, the grace period of an authenticator (instance) only expired automatically after a successful authentication with a one-time password (OTP) but not after a multi-device licensing (MDL) activation.

Status: This issue has been fixed. Now, the grace period automatically expires after the user authenticates with an OTP, or activates an authenticator in MDL mode using either an OTP or a signature validation, since all of these indicate that the authenticator has been correctly activated and is working properly.

Issue OAS-17340 (Support Case INC0011794): Incorrect information in the TID openAPI definition

The openAPI definition of the TID GET /users endpoint contains the following incorrect information:

  • The UserOutput object incorrectly specifies that the lastPasswordUpdate and mdcProfile fields are required.

  • The response of the GET /users endpoint was incorrectly wrapped in an array.

Status: This issue has been fixed.

Issue OAS-17501 (Support Case INC0011984): Incorrect default timeout for Secure Channel-based authentication and transaction data signing operations

The default timeout for the Secure Channel-based authentication and transaction data signing operations in OneSpan Cloud Authentication is incorrectly set to 60 seconds.

Status: This issue has been fixed. The default timeout for the Secure Channel-based authentication and transaction data signing operations is now set to 180 seconds.

Contact OneSpan Support if you need to change this configuration.

Issue OAS-17617 (Support Case CHG0032270): Manual changes to policy parameters not updated after redeploying OneSpan Cloud Authentication

The manual changes for the policy values regarding the minimum lock duration, lock duration multiplier, and the maximum unlock tries are not updated or reset to default values after OneSpan Cloud Authentication is redeployed.

Status: This issue has been fixed. Additional fields for these policy values have been added to the relevant OneSpan Cloud Authentication microservice. With this, after OneSpan Cloud Authentication is redeployed, these fields are updated to the values configured for the customer, or reset to their default values.

Issue OAS-17693: Virtual one-time password (OTP) incorrectly retrieved from failed authentication session

OneSpan Cloud Authentication incorrectly retrieved a virtual one-time password (OTP) that was provided with a custom delivery when the authentication session failed.

Status: This issue has been fixed. OneSpan Cloud Authentication now correctly retrieves the OTP only for successful authentication sessions.

Known issues

Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided from the data type number, and if the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.

Orchestration SDK—supported versions

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

  • 5.7.0

  • 5.5.1

  • 5.4.4

  • 5.4.2

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

Issue OAS-17129: Data store entries deleted during update

The method used to update a data store entry causes the library to delete the entry before recreating it. This results in short periods where the relevant record is not available and leads to unexpected errors for certain flows. Instead of a valid entry, the users receive a 404 Element_NOT_FOUND error.

Status: This issue has been fixed. The data store is now updated with a different method.


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle