22 February 2021 (v2.47)


User data model

Release highlight

We have modified the behavior of the Management API update user endpoint so that it can no longer modify Lite profiles.

If you want to modify Lite profiles specifically, use the Update a LITE profile endpoint.


Whitelisting logout redirect URLs

redirect_to URLs used in the logout endpoint or using the JS SDK logout method must now be whitelisted under the new parameter Allowed logout callback URLs in SSO ReachFive Console setting. Whitelisted URLs can be used with all identity clients for an account.

URLs that are not whitelisted can still be used until the end of March. However, this update will be blocking after 31 March 2021.

JSON Web Key Set

Following our previous developments, we’ve made a few changes to accomodate existing needs and to smooth the transition to better align with RFC 7517. As such, we have added:

  • The ability to re-synchronize every client configured for using the RS256 algorithm on the global account RSA key (the ability of rotating keys to have a specific RSA key on a given client remains available).

  • The ability to check the account RSA key directly in the Settings page (back from previous behavior).

  • The ability to invalidate old JWK keys.

For more information, check out our JWK Sets Guide.


We have improved the use of nonce values you can find in authorization requests and tokens content to avoid possible conflations.

GDPR compliance

We are currently working on a refresh of our consents module. Be aware that these changes will break the compatibility with previous user data models and that some adaptations are required on your side. For more information on the upcoming changes, check out the Attention page.

For this release, we have added the following items:

  • Created a new tag component to better categorize your consents.

  • Updated the current configuration pages so that you can begin to use these new tags.

For more information, you can check out the consents guide or the dedicated Management API section regarding consents.


We have fixed the following items:

  • The external_id field wasn’t unique on Lite profiles.

  • Third party client logos weren’t saved correctly if the Hosted page already contained a logo. Both logos are now handled appropriately.

  • Vkontakte experienced a connection failure in cases of an empty personal field in the user profile.

  • An invalid_state error was thrown when a Lite profile was updated after the user had already updated their email.

  • It was previously impossible to create a Managed profile sharing an external_id with a Lite profile.