Summary
This release introduces no functional additions. It is a security remediation that implements a number of changes to strengthen the security posture of Haventec Authenticate; these updates are required to maintain the security posture of Haventec products.
This includes updates to the signing algorithms, so newly issued authKeys are signed with a stronger algorithm and are not backward compatible with the previous version.
Note this includes required manual updates that MUST be actioned BEFORE the release. See Pre-Release Mandatory Development Changes and Release Steps below for details.
Note also that there is a small risk with this release. If a rollback is required, any device authenticated with the new version holds an authKey that the old version will not accept, so those devices will need to be re-registered.
Change Log:
- [Security] Valid Redirect URIs whitelist is now REQUIRED
- [Security] Improvements to the JWT signing algorithm.
  - Subsequently issued JWTs are not backward compatible, so in the event of a rollback, users would be forced to re-register their devices.
- [Bugfix] Changing PIN: after a PIN change, the old PIN remained usable together with an old authKey.
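To show why the 'Valid Redirect URIs' whitelist above matters, here is an added example (not Haventec code, and not a description of how Authenticate itself matches redirect URIs) contrasting a prefix-match check with the exact-match check that the OAuth 2.0 Security BCP calls for. The allow-list entries, hostnames and candidate URIs are constructed placeholders.

```javascript
// Added example, not Haventec code: what a redirect URI whitelist must enforce.
// It does not describe how Authenticate matches; every URI here is a placeholder.

// Constructed allow-list, as an operator might populate "Valid Redirect URIs".
const VALID_REDIRECT_URIS = [
  'https://app.example.com/callback',
  'myapp://auth/callback',
];

// Unsafe: prefix matching. Anything that merely starts with an allowed entry
// passes, including path traversal, a longer path, or an appended query string
// that the client may later forward to an attacker-controlled location.
function isAllowedRedirectPrefix(candidate, allowList) {
  return allowList.some((entry) => candidate.startsWith(entry));
}

// Safe: exact string comparison of the whole URI (the OAuth 2.0 Security BCP
// recommendation), after rejecting anything that is not an absolute URI or
// that carries a fragment, which a redirect_uri must never have.
function isAllowedRedirectExact(candidate, allowList) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return false;
  }
  if (parsed.hash !== '') return false;
  return allowList.includes(candidate);
}

// Constructed candidates: the first and last are legitimate; the rest are the
// kinds of values that must be rejected or an authorization code/token leaks.
const CANDIDATES = [
  'https://app.example.com/callback',
  'https://app.example.com/callback/../admin',
  'https://app.example.com/callbackx',
  'https://app.example.com/callback?next=https://attacker.example/',
  'https://attacker.example/?u=https://app.example.com/callback',
  'myapp://auth/callback',
];

// Evaluate every candidate under both matchers to show where they diverge.
function compareMatchers(candidates, allowList) {
  return candidates.map((uri) => ({
    uri,
    prefix: isAllowedRedirectPrefix(uri, allowList),
    exact: isAllowedRedirectExact(uri, allowList),
  }));
}

for (const row of compareMatchers(CANDIDATES, VALID_REDIRECT_URIS)) {
  const p = row.prefix ? 'PREFIX allows ' : 'PREFIX rejects';
  const x = row.exact ? 'EXACT allows ' : 'EXACT rejects';
  console.log(`${p} / ${x}  ${row.uri}`);
}
```

When populating the Console field, register each complete callback URI as its own entry rather than a bare origin, since an exact-match check has nothing to match a wildcard or prefix against.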
Pre-Release Mandatory Development Changes
The following changes must be made to your code before scheduling the release:
- If using the Haventec Connect Node SDK, you must upgrade to v1.0.9
- If using Authenticate APIs directly without Connect, you must ensure the 'htOidTxid' query parameter is sent to the following APIs:
  - /authentication/login
  - /authentication/activate/device
  - /authentication/activate/user
  - /authentication/reset-pin
  Note this value is generated and sent by the /openid-connect-jwt/authorize endpoint; pass it through to the calls above.
  See API docs https://haventec.readme.io/reference/activatedevice
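As an added example (not Haventec or Connect SDK code), the following Node.js helper builds a request URL carrying the htOidTxid parameter and audits a list of outbound request URLs for calls to the four endpoints above that omit it, which is a useful pre-release check for a direct-API integration. The api.example.com host, the sample URLs, the out-of-scope path and the txid value abc123 are constructed placeholders; only the endpoint paths and the parameter name come from this release note.

```javascript
// Added example, not Haventec code. Endpoint paths and the parameter name
// come from the release note; everything else here is constructed.
const TXID_PARAM = 'htOidTxid';

// Endpoints that now require htOidTxid when Authenticate is called directly.
const TXID_REQUIRED_PATHS = [
  '/authentication/login',
  '/authentication/activate/device',
  '/authentication/activate/user',
  '/authentication/reset-pin',
];

// True when the request targets one of the endpoints listed above.
// Trailing slashes are ignored so '/authentication/login/' still matches.
function requiresTxid(requestUrl) {
  const { pathname } = new URL(requestUrl);
  return TXID_REQUIRED_PATHS.includes(pathname.replace(/\/+$/, ''));
}

// Append htOidTxid to a request URL. An empty or missing value throws, so a
// lost transaction id fails at build time instead of as a rejected API call.
function withTxid(requestUrl, txid) {
  if (typeof txid !== 'string' || txid.length === 0) {
    throw new Error(`${TXID_PARAM} is required for ${requestUrl}`);
  }
  const u = new URL(requestUrl);
  u.searchParams.set(TXID_PARAM, txid);
  return u.toString();
}

// Pre-release audit: given request URLs (e.g. from a client request log),
// return those that hit a txid-required endpoint without a non-empty htOidTxid.
function findMissingTxid(requestUrls) {
  return requestUrls.filter((requestUrl) => {
    if (!requiresTxid(requestUrl)) return false;
    const value = new URL(requestUrl).searchParams.get(TXID_PARAM);
    return value === null || value.length === 0;
  });
}

// Constructed sample request log; host, txid value and the final
// out-of-scope path are placeholders, not real Authenticate traffic.
const SAMPLE_REQUESTS = [
  'https://api.example.com/authentication/login?htOidTxid=abc123',
  'https://api.example.com/authentication/activate/device',          // missing
  'https://api.example.com/authentication/activate/user?htOidTxid=', // empty
  'https://api.example.com/authentication/reset-pin?htOidTxid=abc123',
  'https://api.example.com/authentication/status',                   // not in scope
];

const missing = findMissingTxid(SAMPLE_REQUESTS);
console.log(missing.length === 0
  ? `all in-scope calls carry ${TXID_PARAM}`
  : `calls missing ${TXID_PARAM}:\n  ${missing.join('\n  ')}`);
```

Run the audit against the request URLs your client actually emits during a functional test pass; an empty string is treated the same as an absent parameter, since a call that sends `htOidTxid=` has still lost the value the authorize endpoint issued.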
Release Steps
- Verify pre-release system integrity by:
  - Perform system functional tests
  - Check that there are no errors in logs
  - Verify performance and response times are as expected
- Via Console, populate the 'Valid Redirect URIs' field for all Applications.
  See https://haventec.zendesk.com/hc/en-us/articles/5088686041487 for details on how to configure this.
- Perform the release to deploy Authenticate 1.2.78
- Verify post-release system integrity by:
  - Perform system functional tests
  - Check that there are no errors in logs
  - Verify performance and response times are as expected
Rollback Steps
- Deploy the previous version of Authenticate
- Re-register any devices that were authenticated with the new version, as their authKeys are not backward compatible (see Summary)
- Verify system integrity by:
  - Perform system functional tests
  - Check that there are no errors in logs
  - Verify performance and response times are as expected