2024.1 Minor Releases

 

Each update is cumulative and includes all updates provided in earlier 2024.1.x updates. 

Minor Releases:

2024.1.2

December 16, 2024

Enhancements: 2024.1.2

OAuth Client Policy enhancements

Akana introduces several enhancements to the OAuth Client Policy.

  • Support for private key JWT authentication

    To enable more robust client authentication through asymmetric cryptography, the OAuth Client Policy now supports the private key JWT authentication technique.

  • Additional parameters support

    The OAuth Client Policy now supports sending additional parameters in OAuth token requests, as per the authorization server requirement. You can add additional parameters to the token request header, form post, and private key JWT claim headers and claims.

  • OAuth Client Policy caching

    The OAuth Client Policy now allows you to specify how long the access_token will be used from the cache before requesting a new one.

    If no non-zero value is specified in the policy, the OAuth Client Policy will calculate the access_token cache expiry based on the expires_in value returned in response to a token request. The updated settings will replace the admin console cache configuration in com.akana.policy.oauth.client section.

  • OAuth Client Policy error handling and alerts

    In case if any error occurs in getting the token from the authorization server, then HTTP status code 500 will be returned to client and following error message.

    {

    "faultcode": "Server",

    "faultstring": "An internal server error occurred."

    }

    Admin can check the error details in the alerts with codes 90701, 90702, 90709.

     

In addition to the above enhancements, POST will now be the only supported method for token requests, and the GET method is disabled for security reasons.

To view the detailed instructions on updating your OAuth Client Policy configuration, see the OAuth Client Policy configuration documentation.

Case number: 01160325, 01114097, 00633295, 00798415

Certification of Windows Server 2022

Akana now supports deployment on Windows Server 2022. The certification of Windows Server 2022 ensured compatibility, reliability, and optimal performance across the Akana Platform and API Platform and its features and plugins including Microsoft SQL Server, and has successfully met standards.

Case Number: No related case

JOSE policy V2 change

iss and tan validation

JOSE Security Policy v2 (Unencoded Payload Support) rules for validating iss and tan private headers in incoming JOSE request signature have been modified to cater to different Open Banking Trust Anchor deployment scenarios.

Case number: 01209581

iat header generation

JOSE Security Policy v2 (Unencoded Payload Support) rules for generating iat private headers for outgoing JSON signature have been modified to cater to different Open Banking Trust Anchor deployment scenarios.

Case number: 01232900

Support Dynamic client registration endpoint

A new field, Client Registration Endpoint, is added to the Branding tab of the Akana OAuth/OIDC Provider to capture the URL for the externally hosted and implemented Dynamic Client Registration Endpoint. This value sets the registration_endpoint in the OIDC Discovery Document (/.well-known/openid-configuration).

Akana OAuth/OIDC Provider does not support https://datatracker.ietf.org/doc/html/rfc7591 OAuth 2.0 Dynamic Client Registration Protocol and hence it does not set registration_endpoint in the OIDC Discovery Document (/.well-known/openid-configuration) by default.

For details, see How to set up dynamic client registration with the Akana OAuth/OIDC Provider.

Case Number: 01208408

Character limit increase for container name and container key fields

When creating a container, the character limit for the container name and the container key fields is increased from 32 to 64 characters.

Case number: 00982197

Character limit increase for WebsiteAddress field

When creating or modifying an App, the WebsiteAddress field character limit is increased from 80 to 2048 characters. The WebsiteAddress field on an App OAuth Profile now also accepts 2048 characters, up from 64 characters in the UI.

Case number: 01245982

IAM DB connections on cross-account or cross-cluster failure

IAM DB connections on cross-account setup or cross-cluster did not work properly. Now, after introducing a new AWS provider STSAssumeRoleSessionCredentialsProvider, they work successfully.

For details, see Configuring IAM on Policy Manager and Community Manager containers in the Akana documentation.

Case number: 01208807

Bug Fixes: 2024.1.2

App metrics API returned zero value for totalRequestSize and totalResponseSize

Calling metrics API for an App returned zero value for the totalRequestSize and totalResponseSize fields when MongoDB is used to store audit logs.

After this fix, the API returns correct values.

Case Number: 01225443

PM Restart required complete UAT platform restart

When multiple Network Director containers were connected to the Policy Manager container(s) and the Policy Manager container(s) were restarted, the Policy Manager would go into an unresponsive state resulting in the Network Director container going to an unresponsive state. All the containers in Akana deployment required restart to make the environment work correctly.

Now, the Policy Manager container restart does not require a complete Akana deployment restart.

Case number: 00926166, 00836048

2024.1.1

October 9, 2024

Enhancements: 2024.1.1

FAPI 1.0 Advanced Profile Support

Akana OAuth provider now supports FAPI 1.0 Advanced Profile (FAPI), designed to meet the highest security and privacy requirements for financial-grade APIs.

Key Features:

  • The Akana OAuth provider domain can be configured to comply with the FAPI profile by enabling the FAPI profile flag in the domain settings. Once enabled, the OAuth authorization and token endpoints will enforce stricter security requirements in line with the FAPI profile.

  • The External OAuth provider domain such as PingFederate will also support FAPI profile compliance.

  • The Akana OAuth policy will enforce additional validations on incoming access tokens in the API requests when the FAPI profile is enabled for corresponding Akana or External OAuth domains.

Review FAPI Support in the documentation to start using the FAPI feature support in Akana.

Case numbers: 01041266, 00620513

PingFederate 12 support

Akana now supports PingFederate 12 integration. PingFederate 12 can be integrated with the Akana platform as an External OAuth Provider, OIDC relying party domain, or a SAML SSO Login domain.

Case number:No related case

New configuration option in Admin Console for Jetty to manage its configuration

The Admin Console now has an option that allows the jetty transport to manage its configuration. This may provide improved container performance.

Set the value for following jetty configurations under com.soa.platform.jetty to -1, so that Jetty will calculate the values based on machine configurations.

  • http.incoming.transport.config.acceptThreads

  • http.incoming.transport.config.requestQueueSize

After upgrading, manually change the values for these properties to -1 to use this configuration.

See Configuration properties for the Jetty transport in the Akana documentation for more detail.

The Revoke Token API now supports revocation of refresh token along with access token

The Revoke Token API (PUT oauth/admin/token/revoke) has added support for an authorized user to refresh a token as well as revoke one. See PUT oauth/admin/token/revoke in the Akana documentation.

Case number: No related case

The Akana OAuth provider domain now supports a configurable value for the audience field

When requesting an OAuth token from the Akana OAuth provider, the audience ("aud") value always defaulted to the Authorization Server URL configuration for the Akana OAuth Provider domain. Now the audience value is configurable and will be included in the aud claim in the access token. A single audience value is allowed.

Case number: No related case

New fields for JCA providers in OAuth provider domain to support HSM

New fields have been added to both the Akana OAuth/OIDC provider and External OAuth provider to capture the JCA providers required by hardware security module (HSM):

Akana OAuth provider:

  • Verify JCA Provider textbox (Token tab > JWT Bearer Access Token > Signing JCA Provider)

  • Decrypt JCA Provider textbox (Token tab > JWT Bearer Access Token > Encrypt JWT Access Token > Encrypt JCA Provider)

External OAuth provider:

  • Verify JCA Provider textbox (Access Token Validation tab > JWT Bearer Access Token > Signing Key)

  • Decrypt JCA Provider textbox (Access Token Validation tab > JWT Bearer Access Token > Supports Encryption)

Case number: No related case

Logging messages enhanced for easier troubleshooting

Akana has enhanced its alert descriptions to better identify connectivity issues for inbound and outbound requests. These include:

  • SSL Handshake related errors

  • Peer certificate validation errors during the SSL handshake

Enhanced alerts will help in troubleshooting OAuth providers and API gateway traffic. See "Logging of TLS errors and the corresponding alert code" in the Akana documentation.

Case numbers: 01162921, 01180895

Akana OAuth Provider implicit flow validation added on public client type

When implicit flow is enabled in the Akana OAuth provider, additional validation has been introduced on the public client type. (The implicit flow is supported only for a public client type, not for a confidential client type).

Case number: No related case

Bug Fixes: 2024.1.1

Case-insensitive OAuth token could be generated in some cases

Generating an Akana OAuth provider token did not properly consider case when validating the client_id. Now, the Akana OAuth provider generates a token only if the client_id is an exact match.

Case number: 01139380

Token expiration errors could be inconsistent for multiple OAuth domains on a single API

When a single API was connected to multiple OAuth domains, error messages for expired tokens could be inconsistent. Now, an expired token in this case results in the correct error message ("1012117 - Invalid Token. The token has expired."), regardless of the OAuth provider.

Case number: 01186837

Revoke Token API worked incorrectly with Mongo DB

The Revoke Token API (PUT oauth/admin/token/revoke) did not work properly with Mongo DB. Now, API calls for which a token has been revoked will fail for both Mongo DB and RDBMS.

Case number: 01142496

After upgrading, could not log into the Developer Portal using an OIDC domain

After upgrading, logging into the Developer Portal using an OpenID Connect Relying Party (OIDC) domain could return an error.

Case number: No related case

Incorrect alert notifications in some situations

An incorrect alert code 9031 and alert message (Cannot establish connection to [{0}] because it cannot be trusted) could be produced for a target API SSL connection error.

A new alert code 9033 and alert message (Connection to [{0}] cannot be established due to a SSL Exception, which may indicate either an SSL handshake error or IO error) has been added to handle this case.

Case number: 01130776

Audit log for the HTTP Caching Policy does not include all data

When using the HTTP Caching Policy, the contract information was not displayed in the audit log.

Case number: 00620140