v1.45.0 - December 11, 2024
High-Risk Update: Fixes to Token Endpoint, Activation Flow, and Locale Mapping
This update resolves issues in the token endpoint, activation flow legal acceptance, and unsupported locales in registration. Please report any issues immediately to ensure platform stability.
Highlights
This release includes key updates to enhance security, usability, and foundational support for future capabilities:
- Enhanced Security and OIDC Compliance: Fixed the /userinfo endpoint to include claims parameter data, ensuring alignment with OIDC standards. Addressed 2FA bypass vulnerabilities and refined SMS-based MFA workflows for accurate and secure authentication.
- Improved Registration and Profile Flows: Enhanced field validation, error messaging, and locale handling for smoother user experiences.
- Foundational Enhancements: Added the backend foundation for external database connections and strengthened IDP-agnostic capabilities.
The following changes are included in this release of the Next Identity platform.
Enhancements
Connect
- External Database Connection Foundation: Laid the groundwork with backend work for a future feature allowing customers to connect external databases to Next Identity.
- Backend Updates for Enhanced IDP-Agnostic Capability: Continued migrating account-related endpoints to improve compatibility with future IDP integrations and strengthen IDP-agnostic capability.
Unify
- Configurable Passwordless Prompts: Introduced the ability for applications to configure "Enable Passwordless" prompts for biometrics setup during key user journeys, including login and profile editing, enhancing security, user experience, and adoption of passwordless authentication.
- TOTP Account Disabling Update: Made the DELETE /totp/register endpoint public, allowing users to be disconnected from the TOTP feature in cases such as loss of access to mobile or email.
Bug Fixes
Operate
- Secret Rotation Issues Resolved: Addressed two bugs affecting secret rotation in the Next Identity Console and App Team Console. Users with the "Secret Rotator" role can now rotate secrets as expected, and clear feedback is provided when secret rotation fails.
Unify
- Password Update Error: Resolved an issue where attempting to change a password resulted in a 502 error, ensuring users can successfully update their passwords without interruptions.
- Legal Acceptance Localization Issue: Resolved an issue where the default legal acceptance was incorrectly applied alongside the specified locale during account activation, ensuring only the passed locale's legal acceptance is processed.
- Claims Parameter Issue in /userinfo Endpoint: Resolved an issue where the /userinfo endpoint did not include data specified in the claims parameter, ensuring compliance with the OIDC specification.
- Locale Registration Issue: Resolved an issue where users were unable to register using unsupported locales. Users can now complete registration without issues.
- Mobile Number Validation Fix: Resolved an issue where the front end failed to display an error for invalid mobile numbers during registration, ensuring users are properly informed of input errors.
- Registration Validation Fix: Resolved an issue where the "Create Account" button was enabled even when the mobile number field was empty, ensuring required fields are properly validated before submission.
- 2FA and Verification Updates: Resolved a security issue allowing users to bypass 2FA authentication using the browser's back button and corrected the message displayed during SMS-based MFA setup to ensure accurate and secure user authentication.
- Progressive Profile Updates: Resolved issues in the Progressive Profile flow, including duplicate "Block fraudulent" error messages and a bug preventing users from proceeding after entering a mobile number and changing the country code, ensuring a smoother user experience.
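Added example, not part of these release notes or the Next Identity code base: a small Python check that a relying party or tester can run against a captured /userinfo response to confirm the claims-parameter fix described above, i.e. that claims requested in the `userinfo` member of the OIDC `claims` parameter are actually returned. The claims parameter, the two userinfo bodies and the subject value are constructed sample data.

```python
import json

# Constructed sample of an OIDC "claims" request parameter (OIDC Core 5.5).
# The "userinfo" member lists claims the RP wants from /userinfo; a null value
# means voluntary, an object may mark the claim "essential". Not from the page.
CLAIMS_PARAM = json.dumps({
    "userinfo": {
        "email": {"essential": True},
        "email_verified": None,
        "phone_number": {"essential": False},
    },
    "id_token": {"auth_time": {"essential": True}},
})

# Constructed /userinfo bodies: one that ignores the claims parameter, one that honours it.
USERINFO_IGNORES_CLAIMS = {"sub": "user-123"}
USERINFO_HONOURS_CLAIMS = {"sub": "user-123", "email": "a@example.com", "email_verified": True}


def requested_userinfo_claims(claims_param: str) -> dict:
    """Return {claim_name: is_essential} for the userinfo section of a claims parameter."""
    try:
        parsed = json.loads(claims_param)
    except json.JSONDecodeError:
        return {}
    section = parsed.get("userinfo") or {}
    return {
        name: bool(spec.get("essential", False)) if isinstance(spec, dict) else False
        for name, spec in section.items()
    }


def check_userinfo(claims_param: str, userinfo: dict, id_token_sub: str) -> dict:
    """Audit a /userinfo body against what the claims parameter asked for.

    - every essential claim must be present
    - voluntary claims are reported if absent (the OP may legitimately omit them)
    - "sub" must be present and equal the ID token's sub (OIDC Core 5.3.2)
    """
    requested = requested_userinfo_claims(claims_param)
    missing_essential = sorted(c for c, ess in requested.items() if ess and c not in userinfo)
    missing_voluntary = sorted(c for c, ess in requested.items() if not ess and c not in userinfo)
    sub_ok = userinfo.get("sub") == id_token_sub
    return {
        "missing_essential": missing_essential,
        "missing_voluntary": missing_voluntary,
        "sub_matches_id_token": sub_ok,
        "conformant": sub_ok and not missing_essential,
    }


if __name__ == "__main__":
    for label, body in (("before", USERINFO_IGNORES_CLAIMS), ("after", USERINFO_HONOURS_CLAIMS)):
        print(label, check_userinfo(CLAIMS_PARAM, body, "user-123"))
```

Run it against a real response by replacing the constructed bodies with the JSON returned by your /userinfo call and the `sub` from the ID token of the same session.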