Version 7.1.0 contains additions to the configuration model and updates to the templates. Details are provided below.
The configuration model for the haapi capability was extended with the use-legacy-dpop setting. When set to false, Curity Identity Server will use an improved DPoP processing algorithm, providing better security and handling of clock skew issues. However, using the new non-legacy behavior requires the use of compatible mobile (Android or iOS) HAAPI SDK versions (see Curity SDKs for further information). For the Web HAAPI SDK, any version will correctly support the new DPoP behavior.
haapi
    use-legacy-dpop    false
When use-legacy-dpop is absent it is treated as true, so the legacy DPoP behavior applies by default and no migration or mobile SDK update is required. However, when the haapi capability is enabled on a client through the Web UI, the setting is written explicitly as false, which enables the new behavior and therefore requires a compatible mobile SDK version. To keep the legacy behavior for such a client, set use-legacy-dpop to true explicitly.
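The page does not describe the new DPoP algorithm itself, so the following is an added example rather than Curity's code: it shows the claim and time-window checks a DPoP verifier (RFC 9449) applies to a proof JWT after the JWS signature has been verified, and why a clock-skew tolerance matters. A client whose clock runs a few seconds fast produces proofs whose iat lies in the server's future; with zero tolerance those proofs are rejected, with a small window they are accepted while replayed jti values and stale proofs are still refused. The MAX_PROOF_AGE and skew values, the ReplayCache class, the host name and the jwk coordinates are assumptions made for the example.

```python
"""Added example, not code from Curity Identity Server: the claim and time-window
checks a DPoP verifier applies to a proof JWT (RFC 9449) once the JWS signature
has been verified with the public key in the proof's 'jwk' header.
MAX_PROOF_AGE and the default skew are assumed policy values, not Curity's."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

MAX_PROOF_AGE = 300   # seconds after iat during which a proof is still acceptable (assumed)

# DPoP proofs must be signed with an asymmetric key; "none" and HMAC algs are rejected.
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512", "EdDSA"}


@dataclass
class ReplayCache:
    """Remembers jti values for as long as the proof carrying them could still be accepted."""
    seen: dict = field(default_factory=dict)   # jti -> server time after which it can be forgotten

    def first_use(self, jti: str, now: float, ttl: float) -> bool:
        for stale in [k for k, until in self.seen.items() if until <= now]:
            del self.seen[stale]
        if jti in self.seen:
            return False
        self.seen[jti] = now + ttl
        return True


def normalize_htu(url: str) -> str:
    """htu is compared without query and fragment; scheme and host are case-insensitive."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def validate_dpop_claims(header: dict, claims: dict, method: str, url: str,
                         now: float, cache: ReplayCache, skew: float = 30.0):
    """Return (accepted, reason) for an already signature-verified proof."""
    if header.get("typ") != "dpop+jwt":
        return False, "typ must be dpop+jwt"
    alg = header.get("alg")
    if alg not in ASYMMETRIC_ALGS:
        return False, f"unacceptable alg {alg!r}"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        return False, "jwk header missing or carries private key material"
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return False, "jti missing"
    if claims.get("htm") != method.upper():
        return False, "htm does not match the request method"
    htu = claims.get("htu")
    if not isinstance(htu, str) or normalize_htu(htu) != normalize_htu(url):
        return False, "htu does not match the request URI"
    iat = claims.get("iat")
    if not isinstance(iat, int):
        return False, "iat missing"
    # Window: iat may lie up to `skew` seconds ahead of server time (client clock fast)
    # and up to MAX_PROOF_AGE + skew seconds behind it (client clock slow or slow network).
    if iat > now + skew:
        return False, f"iat is {iat - now:.0f}s in the future, tolerance is {skew:.0f}s"
    if now - iat > MAX_PROOF_AGE + skew:
        return False, "proof too old"
    # Replay protection: a jti is single-use for the whole time it could be accepted.
    if not cache.first_use(jti, now, MAX_PROOF_AGE + skew):
        return False, "jti already used (replay)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed proof: host and jwk coordinates are placeholders, not a real key.
    now = 1_700_000_000.0
    hdr = {"typ": "dpop+jwt", "alg": "ES256",
           "jwk": {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB"}}
    proof = {"jti": "c3a1", "htm": "POST", "iat": 1_700_000_010,
             "htu": "https://idsvr.example/oauth/v2/oauth-token"}
    for skew in (30.0, 0.0):
        print(skew, validate_dpop_claims(hdr, proof, "post", proof["htu"], now, ReplayCache(), skew))
```

The replay cache keeps a jti for MAX_PROOF_AGE plus the skew window, which is exactly the period during which the same proof could still pass the time check; a shorter retention would let a captured proof be replayed near the end of its window.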
Improvements to the WebAuthn templates and messages have been made; see the release notes for details.
Affected templates:
$IDSVR_HOME/usr/share/templates/core/authenticator/webauthn/js/authenticate-device.vm
$IDSVR_HOME/usr/share/templates/core/authenticator/webauthn/js/common-js.vm
$IDSVR_HOME/usr/share/templates/core/authenticator/webauthn/js/register.vm
Affected messages:
$IDSVR_HOME/usr/share/messages/core/en/authenticator/webauthn/register/messages
$IDSVR_HOME/usr/share/messages/core/sv/authenticator/webauthn/register/messages
The server no longer recognizes template message keys that are longer than 1,000 characters or that contain a newline. If any of your message keys contain newlines or are very long, update them before upgrading.
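As an added check that is not part of the original page or of Curity's tooling, the script below scans message files for keys the server would no longer recognize. It assumes the messages files use Java-properties style key=value lines with '#' or '!' comments, backslash line continuation and backslash escapes (so a key can only contain a newline through an escaped \n); the sample file is constructed for the example.

```python
"""Added example, not Curity tooling: lint messages files for keys longer than
MAX_KEY_LENGTH or containing a newline.  File format is assumed to be
Java-properties style (key=value, '#'/'!' comments, backslash continuation)."""
import re
from pathlib import Path

MAX_KEY_LENGTH = 1000   # limit stated in the 7.1 upgrade note

# A key runs up to the first unescaped '=', ':' or whitespace; escaped pairs are kept.
_KEY_RE = re.compile(r'^((?:\\.|[^=:\s\\])*)')


def _unescape(s: str) -> str:
    escapes = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r'\\(.)', lambda m: escapes.get(m.group(1), m.group(1)), s)


def logical_lines(text: str):
    """Join backslash-continued physical lines; yield (first_line_no, joined_line)."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        line = raw.lstrip() if buf else raw      # continuation lines drop leading whitespace
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:                     # odd count of trailing backslashes: continue
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None
    if buf:
        yield start, "".join(buf)


def message_keys(text: str):
    """Yield (line_no, key) for every entry, with escapes resolved in the key."""
    for n, line in logical_lines(text):
        s = line.lstrip()
        if not s or s[0] in "#!":
            continue
        yield n, _unescape(_KEY_RE.match(s).group(1))


def find_bad_keys(text: str):
    """Return [(line_no, reason, key_preview)] for keys the server would reject."""
    bad = []
    for n, key in message_keys(text):
        if "\n" in key or "\r" in key:
            bad.append((n, "contains newline", key[:40]))
        elif len(key) > MAX_KEY_LENGTH:
            bad.append((n, f"key is {len(key)} chars, limit {MAX_KEY_LENGTH}", key[:40]))
    return bad


def lint_tree(root: str) -> dict:
    """Scan every file named 'messages' below root, e.g. $IDSVR_HOME/usr/share/messages."""
    findings = {}
    for path in Path(root).rglob("messages"):
        if path.is_file():
            hits = find_bad_keys(path.read_text(encoding="utf-8"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample, not a real Curity messages file.
SAMPLE = "\n".join([
    "# constructed sample",
    "view.title=Register a security key",
    "error.too\\nlong=Key with an escaped newline",
    "long." + "x" * 1000 + "=Key over the length limit",
    "view.description=Touch your \\",
    "    authenticator",
])

if __name__ == "__main__":
    for line_no, reason, preview in find_bad_keys(SAMPLE):
        print(f"line {line_no}: {reason} ({preview!r})")
```

Run lint_tree against the messages directory before the upgrade; the line numbers it reports refer to the first physical line of each entry, so continued lines map back to where the key starts.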