Published Release Notes

Automated Unit Testing is unavailable

Automated Unit Testing (AUT) is unavailable in 7.1.1 - 7.1.5.

Starting in 7.1.6, users can access AUT features from supported browser versions of IE.

Privilege required for Recent Explorer

Users with custom roles defined must add the pxUpdateRecents privilege to see work in the Recent Items Explorer. 

Use standard Developer portal

Customized versions of the Developer portal rely on legacy components and are not supported.

To avoid backwards compatibility issues, update your access group to point to the standard Developer portal prior to upgrade.

Top-level (named) pages may no longer be classless

Newly created top-level (named) pages may no longer be classless or have a blank pxObjClass property. This change can affect applications upgrading from versions prior to Pega 7 to the latest version, especially when:

• Application logic relies on a blank value in the pxObjClass property.
• An activity assumes a new top-level page is classless and explicitly sets pxObjClass in a Property-Set step.
• A data transform assumes a new top-level page is classless and explicitly sets pxObjClass using a Set action.

To avoid application failures, remove or update any logic that expects a blank pxObjClass. Where possible, use the new engine API that finds a page by both name and class:

findPageWithException(PageName, ClassName);

Activities and data transforms continue to create a top-level page when one does not exist. The class name is now derived from the Pages and Classes tab.

IE8 limits expansion features

Internet Explorer 8 (IE8) does not support CSS media queries, which are used by re-expansion features in the Designer Studio. IE8 users with low screen resolution (800 x 600) and a small window size may find that the explorer area in the Designer Studio collapses but cannot re-expand. 

As a work around, access the Designer Studio from another supported browser version and use the recommended, minimum screen resolution width of 1280 pixels.

All tabs are accessible on delegated rule forms

Delegates can now access all tabs in a delegated rule form.

You can continue to customize the development experience for delegated users, such as line managers, who may not require the full set of rule form options. For example, you can prevent users from adding new nodes on the Decision Tree form or using the expression builder on the Map Value form. All users, including delegated users, can remove these restrictions if they hold a rule-editing privilege.

For more details on this process and a list of commonly delegated rules, see How to delegate a rule.

Business logic-based routing cards enhancements

To ensure that the sequence of business logic-based routing cards conforms to your business requirements, you now have the option to change the order of the cards. For easier navigation across multiple routing cards, the system automatically collapses the cards for you, and you can then easily expand the cards that you need to display.

For more information, see Navigate easier across business logic-based routing cards (8.5), Assigning users automatically at run time.

New JWT access token format: Authorized Access Token

Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.

The major benefits to using the JWT format are:

• The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
• A single token can be used with multiple applications.
• The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
• As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).

For more information, see Understanding authorized access tokens.

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid: 

• Valid tokens have the “active”:true status
• Invalid tokens have the “active” :false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

For more information, see OAuth 2.0 Management Services.

Enhanced refresh token strategy

You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case. 

These can be configured in the OAuth2 Client registration rule form.

For more information, see Enhanced refresh token strategy.