Core Updates and New Features
Admin API for configuring Resource Server Adapter - OIDC
The RSA-OIDC can now be configured using an Admin API server, offering you administrative flexibility and ease of use.
- Protected resources and the specific scopes allowed on each resource.
- OAuth relationships with the Wallet Server, Authorization Server and the downstream protected Resource Server.
- Filters, custom additions, and other manipulations of the
UserInforesponse proxied from the downstream protected Resource Server and provided to a Service Provider.
More information can be found within the RSA-OIDC chapter of the user guide.
Disable API for lifecycle management of FPX network entities
Entities within the FPX network can now be disabled (at the Authorization Server) using the new Disable API, preventing their participation in any transaction.
You can now disable the following entities:
- Service Providers
- Resource Servers
- Wallet Servers
- Capability Tickets
Refer to the Disabling/Re-enabling an Entity via API section of the user guide for more information.
Improved UMA conformance by allowing access/refresh token revocation
The Authorization Server now supports access/refresh token revocation. OAuth Clients can revoke their tokens by submitting them to the OAuth 2.0 compliant token revocation endpoint.
- Tokens provided to the Service Provider by the Authorization Server as a result of a successful UMA Capability Ticket flow can now be revoked.
- Tokens provided to the Service Provider by the Authorization Server as a result of a successful OAuth 2.0 flow can now be revoked.
- PAT tokens provided to the Resource Server by the Authorization Server can now be revoked.
The Token Revocation section of the user guide provides more information around this new capability.
New Resource Management API for retrieval of user-specific resource details
The Resource Server Adapter (RSA) now supports the new Resource Management API. This API enhances the functionality of the UserInfo endpoint and adds a new Resources endpoint, which together allow users to retrieve information about the resources that they own as well as the resources and users they have been delegated access over.
The primary use of this API will be retrieval of delegated resources. However, it can also be used to fulfill other business requirements. This API can be used independently or via the Wallet Server to offer a more streamlined resource information retrieval experience for the user.
Refer to the Resource Management API section for more details.
User-to-User Delegation at the Wallet
The FPX Wallet, through its delegation feature, now enables a Wallet account holder (delegator) to delegate the ability to grant services access to their resources, to another account holder (delegatee). This may enable the delegatee to share the delegators data with service providers or even sign in or use a permitted service on the delegator's behalf. Users can determine the particular services they wish to delegate access to and for how long the connection & delegation will stay valid. The delegation feature also enables the following functionality:
- Provides the delegator the ability to audit delegated service access.
- Allows the delegator to revoke delegated access to a service before the automatic expiry period has been reached.
- Allows an FPX Admin to restrict the ability to delegate access to sensitive resources.
For more information, refer to User to User Delegation.
Bug Fixes and General Improvements
- UMA profile & extension are now configurable through the YAML file.
- Resource Server and Authorization Server error responses now conform to UMA 2.0 standards.
- Includes a header in the client response: Warning: 199 - "UMA Authorization Server Unreachable".
- Added uniform logging and error handling. Logs are available at the Authorization Server, Wallet and Resource Server Adapter in a standardized JSON format.
- Authorization Server’s OAuth APIs now accept both application/json and application/x-www-form-urlencoded formatted requests as determined by the ‘Content-Type’ header.
- General vulnerability fixes across Authorization Server, Wallet, and RSA-OIDC.
- Implemented a database (or 3rd-party session tracking mechanism) and sprint-session-jdbc to make the Authorization Server, Wallet and Resource Server Adapter fully stateless.