Sascha Preibisch

OAuth Toolkit 3.5.00 has been released

Blog Post created by Sascha Preibisch Employee on Jul 8, 2016

New Release

We are happy to announce that OAuth Toolkit 3.5.00 (OTK-3.5.00) has been released today (Friday, 8 July 2016)!


What is new?

After customers had been asking for it for a long time, we have updated the authorization endpoint (/auth/oauth/v2/authorize).

These are the main updates:

  • by default, the login and consent screens are now separate views. Users are first presented with a login page, followed by a consent page
  • the API supports the parameters id_token_hint, acr_values and prompt in the context of OpenID Connect
  • the API creates a JSON Web Token (JWT) carrying some session values. This enables customers to externalize the login process, and likewise the consent process, to different servers. (Please note that the session JWT does not replace the default session handling. It is an addition to it)
  • the API has been split into three APIs in total. Login and consent are each handled in their own API

We hope that this new version means our customers need less customization within this API. It should also enable customers to implement requested features/flows such as 'I would like to design the consent screen based on an authenticated user/user group' or 'I would like to limit SCOPE by users/user groups'.


What has changed otherwise?

A few smaller changes have been implemented:

  • The same API (/auth/oauth/v2/authorize) used to display a checkbox on the login screen that let users stay logged in if they wanted to. That checkbox has been removed. To keep that behaviour, clients now have to use the parameters 'id_token_hint' and 'prompt'
  • To enable the session JWT, two additional values have to be configured: one for signing and one for encrypting the JWT. Configuring these two values is required for the out-of-the-box OTK installation!
  • For the complete documentation please refer to CA Technologies Documentation and search for OAuth Toolkit
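To make the two points above concrete (the OpenID Connect parameters id_token_hint and prompt on the authorize endpoint, and the fact that the removed "keep me logged in" checkbox is now replaced by those parameters), here is an added example of the decision logic an authorization endpoint can apply to choose between the login view, the consent view and an immediate redirect. It is illustrative code written for this post, not OTK's implementation: the HS256 helpers, the key, the claim names, the session dictionary and the rule that skipping the login page requires an id_token_hint matching the server-side session are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for the HS256 helpers below; a real server loads its
# signing material from configuration (OTK uses separately configured
# signing and encryption values, which are not modelled here).
SIGNING_KEY = b"demo-hs256-key-not-for-production"
ISSUER = "https://as.example.test"  # hypothetical issuer

# prompt values defined by OpenID Connect Core; the parameter is space-delimited
VALID_PROMPTS = {"none", "login", "consent", "select_account"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(sub: str, issued_at: int, key: bytes = SIGNING_KEY) -> str:
    """Mint a minimal HS256 ID token; used only to produce a realistic id_token_hint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "iat": issued_at},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes = SIGNING_KEY):
    """Return the claims of a valid HS256 token, or None if the signature or alg is wrong."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256" or claims.get("iss") != ISSUER:
        return None
    return claims


def next_view(params: dict, session, now: int, max_age: int = 3600) -> str:
    """Decide what the authorize endpoint shows next.

    params:  the query parameters of the authorization request
    session: the server-side session dict for this browser, or None
    Returns 'login', 'consent', 'redirect' or 'error:<oidc_error_code>'.
    """
    prompt = set(params.get("prompt", "").split())
    if not prompt <= VALID_PROMPTS or ("none" in prompt and len(prompt) > 1):
        return "error:invalid_request"  # prompt=none must not be combined with other values

    hint = params.get("id_token_hint")
    claims = verify_id_token(hint) if hint else None
    if hint and claims is None:
        return "error:invalid_request"  # a hint that does not verify is rejected outright

    # The login page may only be skipped when a verified hint names the user of a
    # fresh server-side session (assumption standing in for the old checkbox).
    session_ok = (session is not None and claims is not None
                  and session.get("sub") == claims.get("sub")
                  and now - session.get("auth_time", 0) <= max_age)

    if "login" in prompt or not session_ok:
        return "error:login_required" if "none" in prompt else "login"
    if "consent" in prompt:
        return "consent"
    requested = set(params.get("scope", "").split())
    if session.get("consented_scopes", set()) >= requested:
        return "redirect"  # nothing left to ask; issue the response to the client
    return "error:consent_required" if "none" in prompt else "consent"


if __name__ == "__main__":
    now = int(time.time())
    session = {"sub": "alice", "auth_time": now - 60, "consented_scopes": {"openid"}}
    hint = make_id_token("alice", now - 60)
    print(next_view({"scope": "openid"}, session, now))                                   # login
    print(next_view({"scope": "openid", "id_token_hint": hint, "prompt": "none"}, session, now))  # redirect
```

The two interesting branches are the error codes: with prompt=none a client is asking for a silent check, so the server must answer login_required or consent_required rather than render a page, and an id_token_hint that fails verification is refused before any session lookup, so a forged hint never influences which view is shown.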


What's next in this blog?

In the next few days we will publish a guide on how to leverage an external 'login server'.


Feedback

As always, let us know how you like the new version and what is good, bad or missing!
