25 January 2021 (v2.46)

Authentication

Mitigating downgrade attacks

Code exchanges that include the code_verifier parameter outside of a PKCE flow now result in an error, to better mitigate PKCE downgrade attacks.
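As an added illustration (not ReachFive's own code), the following minimal token-endpoint check enforces the rule described above in both directions: a code_verifier is required when the authorization code was issued with a code_challenge, and refused when it was not. The code store, code values and function names are hypothetical; the verifier/challenge pair is the S256 test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636 S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# RFC 7636 Appendix B test vector.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"

# Constructed in-memory store of issued authorization codes (hypothetical model).
# Each code remembers the code_challenge it was bound to at authorization time,
# or None when the authorization request carried no PKCE parameters.
ISSUED_CODES = {
    "code-pkce": s256_challenge(VERIFIER),
    "code-plain": None,
}


def exchange_code(code: str, code_verifier: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a token request presenting `code` and an optional verifier."""
    if code not in ISSUED_CODES:
        return False, "invalid_grant: unknown code"
    challenge = ISSUED_CODES[code]

    if challenge is None:
        # The code was issued without PKCE. A verifier here means the client
        # believes it is in a PKCE flow but the code was not bound to one:
        # refuse instead of silently ignoring the parameter.
        if code_verifier is not None:
            return False, "invalid_request: code_verifier sent outside a PKCE flow"
        return True, "ok (non-PKCE flow)"

    # The code was bound to a challenge: the verifier is mandatory and must match.
    if code_verifier is None:
        return False, "invalid_grant: code_verifier required"
    if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
        return False, "invalid_grant: code_verifier does not match code_challenge"
    return True, "ok (PKCE verified)"
```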


JSON Web Key Set

We have changed the behavior of the RSA public key management used to sign tokens. Previously it was stored directly on the account.

We have moved it to each client's settings page for a more logical configuration. You can now generate new keys and keep the old ones in the JSON Web Key Set.

You can still check the JWKS configuration of your account at the following URL: https://<yourdomain>/jwks.json.


More info

More developments on this topic are coming shortly.

If you want to know more about JSON Web Keys, you can check out the corresponding RFC 7517.


Integrations

API

We have adjusted the behavior of Lite profile creation so that it is now possible to register a Lite profile with external_id as its only identifier.

Check out pushLiteProfile for more details.



Removed features

Instagram is now deprecated as a social connector and is no longer supported. This is due to a decision by Facebook to restrict its usage.

You can use Meta Connect (Facebook Login) instead.



Fixes

We have fixed the following items:

  • Lite profile updates are now possible from your ReachFive Console.

  • The input parameters of import or export definitions are correctly checked to avoid adding corrupted data and making the section inaccessible.

  • The WebAuthn signatures during the authentication process weren't properly checked, resulting in ineffective error handling that made it possible to continue with the authentication.