25 January 2021 (v2.46)
Code exchanges with the code_verifier parameter outside of a PKCE flow now result in an error to better mitigate PKCE downgrade attacks.
We have changed the behavior of the RSA public key management used to sign tokens. Previously it was stored directly on the account.
We have moved it to each client settings page for a more logical configuration. You can now generate new keys and keep the old ones in the JSON Web Key Set.
You can still check the JWKS configuration of your account at the following URL:
More developments on this topic are coming shortly.
If you want to know more about JSON Web Keys, see the corresponding RFC 7517.
We have adjusted the behavior of Lite profile creation with external_id only, so that it is now possible to register Lite profiles with external_id as the only identifier.
Check out pushLiteProfile for more details.
You can use Facebook Connect instead.
We have fixed the following items:
Lite profile updates are now possible from your ReachFive Console.
The input parameters of import or export definitions are correctly checked to avoid adding corrupted data and making the section inaccessible.
WebAuthn signatures weren't properly checked during the authentication process, resulting in an ineffective error throw that made it possible to continue with the authentication.