Curity Identity Server 4.2 released

We are delighted to announce that version 4.2 of the Curity Identity Server has been released. This is a minor release but still includes exciting new enhancements.

More PSD2 and Open Banking improvements have been made in this release. The most significant is support for certificate-constrained tokens for non-templatized dynamic clients. A TPP (an OAuth client) can register with the DN of a certificate; when the client later authenticates, the server validates that it is in possession of the corresponding private key. If it is, the certificate's thumbprint is burned into the tokens it is issued or included in introspection responses. This allows APIs and API gateways to verify that the client presenting a token is the same one to whom that token was issued.
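The binding described above is the mechanism of RFC 8705 (certificate-bound access tokens): the server puts the SHA-256 thumbprint of the client's certificate into a `cnf` claim, and a resource server or gateway recomputes the thumbprint from the certificate presented on the mutual-TLS connection and compares the two. The following is an added illustration, not code from the Curity Identity Server; the function names and the `TPP_CERT_DER` / `OTHER_CERT_DER` byte strings are constructed stand-ins for real DER-encoded certificates (the thumbprint is simply a hash over the DER bytes, so any bytes demonstrate the logic).

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for DER-encoded client certificates (not real certificates).
TPP_CERT_DER = b"\x30\x82\x01\x0a-constructed-tpp-certificate-bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x0a-constructed-other-certificate-bytes"


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 per RFC 8705: base64url(SHA-256(DER)) with padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Issuer side: burn the authenticated client's certificate thumbprint into the token."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": cert_thumbprint(cert_der)}
    return bound


def introspection_response(claims: dict) -> dict:
    """Issuer side: an introspection response carries the same cnf claim so
    gateways that use introspection can perform the check too."""
    response = {"active": True, "client_id": claims.get("client_id"), "sub": claims.get("sub")}
    if "cnf" in claims:
        response["cnf"] = claims["cnf"]
    return response


def verify_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server / gateway side: accept only if the certificate on the
    mutual-TLS connection matches the thumbprint the token was bound to."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return False  # unbound token: a sender-constrained API must not accept it
    if presented_cert_der is None:
        return False  # no client certificate on the connection
    actual = cert_thumbprint(presented_cert_der)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    token = bind_token({"client_id": "tpp-123", "sub": "psu-42", "scope": "accounts"}, TPP_CERT_DER)
    print("bound token claims:", token)
    print("introspection:", introspection_response(token))
    print("same cert accepted:", verify_binding(token, TPP_CERT_DER))
    print("replayed with other cert:", verify_binding(token, OTHER_CERT_DER))
```

The practical point for a gateway is the two rejection paths: a token with no `cnf` claim and a request that presents no client certificate are both refused, so a bearer-style replay of a stolen certificate-bound token fails even when the token itself is valid.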

Another security enhancement in this release is support for TLS 1.3. This new version of TLS was ratified about four months ago. Though it’s brand new, its adoption has been rapid; it’s already supported by all major browsers and many proxy servers. To allow for a phased deployment and to avoid any unexpected interoperability issues, it’s disabled by default in this release, but it can be enabled using the CLI or the RESTCONF API. It will be on by default, and configurable from the admin UI, in the next release.

HIGHLIGHTS

  • To conform to PSD2 and aid in the development of banking-grade APIs, non-templatized dynamic clients can now obtain certificate-constrained tokens.
  • The admin UI has been integrated with oauth.tools to make experimentation easier (e.g., OAuth clients can be opened in oauth.tools with a single click).
  • XML configuration files can now be imported into the admin UI.
  • TLS 1.3 is now supported.
  • Validation of ephemeral ports on loopback interfaces can be loosened according to RFC 8252.
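The last highlight refers to RFC 8252 §7.3: a native app listens on an ephemeral port of the loopback interface, so the authorization server must accept a redirect URI whose port differs from the registered one, while every other component still has to match exactly. The following is an added illustration of that comparison rule, not the Curity Identity Server's own validation code; `redirect_uri_matches` and `is_loopback_host` are hypothetical names. It treats only literal loopback IP addresses as loopback, because RFC 8252 §8.3 recommends against `localhost`, and it keeps strict matching for every non-loopback host.

```python
import ipaddress
from urllib.parse import urlparse


def is_loopback_host(host: str) -> bool:
    """True only for literal loopback IPs (127.0.0.0/8, ::1); hostnames are not loopback."""
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal (e.g. "localhost", "app.example")
        return False


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact-match redirect URI comparison with the RFC 8252 loopback relaxation:
    scheme, host, path, query and fragment must be identical; the port may differ
    only for http URIs on a loopback IP address."""
    reg, req = urlparse(registered), urlparse(requested)
    fixed_parts = lambda u: (u.scheme, u.hostname, u.path, u.query, u.fragment)
    if fixed_parts(reg) != fixed_parts(req):
        return False
    if reg.port == req.port:
        return True  # ordinary exact match (port None == None also lands here)
    # Ports differ: permitted only for the native-app loopback case.
    return reg.scheme == "http" and is_loopback_host(reg.hostname)


if __name__ == "__main__":
    checks = [
        ("http://127.0.0.1/callback", "http://127.0.0.1:49152/callback"),
        ("http://[::1]:8080/callback", "http://[::1]:9000/callback"),
        ("http://localhost/callback", "http://localhost:49152/callback"),
        ("https://app.example/callback", "https://app.example:8443/callback"),
    ]
    for registered, requested in checks:
        print(f"{registered} vs {requested}: {redirect_uri_matches(registered, requested)}")
```

The security-relevant boundary is that the relaxation is keyed on the registered host being a loopback IP: a registered `https://app.example/callback` never matches a request on a different port, so the loosening cannot be used to steer a web client's authorization code elsewhere.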

This is just a selection of what’s new in the release; you can see the complete list of fixes and improvements in the release notes.