FPX Sunrise
Released: 2025-10-15
Core Feature Updates
Token Filter for Bypass URLs
We have added an abstract token filter that lets the health actuator endpoint bypass the token check, which reduces the unnecessary database load caused by health checks.
This change allows a URL, identified by a wildcard pattern, to bypass the protected HTTP path checks. It is primarily intended for health check endpoints, to reduce unnecessary database queries and improve system performance.
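As an added illustration (not FPX's own filter code), here is a minimal allow-list matcher for such bypass URLs, showing the two checks a practitioner would want around a feature like this: the request path is normalized before matching, and each pattern is anchored so that only the configured health endpoint skips the token check. The pattern syntax (`*` within one path segment, `**` across segments) and the sample patterns are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote


def normalize(path: str) -> str:
    """Strip the query string, decode percent-encoding once, collapse '//'
    and resolve '.'/'..' so that traversal tricks cannot slip past the allow-list."""
    decoded = unquote(path.split("?", 1)[0])
    norm = posixpath.normpath(decoded)
    return norm if norm.startswith("/") else "/" + norm


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate a wildcard pattern into an anchored regex:
    '**' matches any number of segments, '*' matches within a single segment."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


class BypassFilter:
    """Decides whether a request path may skip the token check (assumed design)."""

    def __init__(self, patterns):
        self._rules = [compile_pattern(p) for p in patterns]

    def should_bypass(self, path: str) -> bool:
        norm = normalize(path)
        # fullmatch, not search/prefix: '/actuator/healthz' must not ride on '/actuator/health'
        return any(rule.fullmatch(norm) for rule in self._rules)


# Constructed configuration: only the health endpoint and its sub-paths bypass the filter.
HEALTH_BYPASS = BypassFilter(["/actuator/health", "/actuator/health/**"])
```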
Improved Wallet Admin API
This change adds user-level admin functions to the Wallet Admin API. This supports use cases where an external application needs to make changes to a user's account in the wallet server outside of a user context.
Enhanced Client Configuration for Token Expiry
We have enhanced our existing Authorization Server and other applications to allow per-client customization of access token validity periods, rather than relying solely on the current global configuration. Admins can now customize the validity period of access and refresh tokens by updating token_expiry_in_seconds in the admin API.
This is a backward-compatible enhancement: existing clients using the default value continue to use the global default unless explicitly configured.
General Improvements and Bug Fixes
- General vulnerability fixes across Authorization Server, Wallet, RSA-OIDC and RSA-FHIR.
- For OAuth clients, we introduced a maximum client assertion JWT lifetime configuration, key default.expiry-duration-params.maxClientAssertionLifetimeInSeconds, with a default value of 3 hours. Clients must create authentication credentials within this window.
- The Authorization Server now allows parameters configured in application.yaml to be propagated from the Wallet Server to the OAuth client.
- Administrators may configure specific callback parameters to propagate from the Wallet Server to the Client applications.
- Fixed an error that occurred when the same user performed multiple successive login and logout attempts.
- Fixed a failure where the app did not start because oauth_client_id was not found.
- The Authorization Server provides additional localized values to the Wallet server to support display of Client information on the authorization/consent request screen.
- Localization now returns the OAuth Provider names as expected.
- Fixed a bug where reuse of a JTI (JWT ID) at the oauth2/token and transaction/token endpoints was not handled properly, causing incorrect error responses.