New JWT access token format: Authorized Access Token
Valid from Pega Version 8.5
Pega Platform™ is changing from using opaque tokens to using JSON Web Tokens (JWT), with the JWT access token format Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.
The major benefits to using the JWT format are:
- The JWT is a self-contained token that carries authentication information, an expiration time, and other user-defined claims, all digitally signed.
- A single token can be used with multiple applications.
- The tokens are short-lived, which limits the damage if transport security is compromised, and the token signature is always verified.
- Because the token is verified by its signature, there is no need to check it against a database, which reduces latency (usually important for web APIs).
For more information, see Understanding authorized access tokens.
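The bullet list above describes the properties of a signed, self-contained access token in general terms. The following is an added illustration, not Pega code and not the AAT format itself: it mints and verifies a minimal HS256 JWT so the signature check, the expiration check, and the absence of any database lookup are visible. The claim names (sub, scope), the key and the timestamps are constructed for the demo; a real deployment would use the issuer's published keys and the claim set the issuer documents.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url encode without padding, as JWT requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, ttl_seconds: int,
               now: Optional[int] = None) -> str:
    """Build header.payload.signature with iat/exp set so the token is short-lived."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the signature and expiry check out; raise ValueError otherwise.

    No session store is consulted: everything needed lives in the token.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: never trust the header to choose it (rejects "none" and alg swaps).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Verify the signature before reading any claim; constant-time compare.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"  # constructed for the example
    tok = mint_token({"sub": "user42", "scope": "read"}, demo_key, ttl_seconds=300)
    print("verified claims:", verify_token(tok, demo_key))
```

Two checks in verify_token carry the security weight: the algorithm is fixed by the verifier rather than read from the token, and the signature is compared before any claim is trusted. The exp check is what makes a stolen token lose value quickly, which is the point of keeping tokens short-lived.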
Support for validations in Declare Expression rules
Valid from Pega Version 8.5
Pega Platform™ now correctly evaluates validations on target properties in Declare Expression rules. As a result, any validations defined in previous releases on properties that have Declare Expression rules now work correctly.
Upgrade impact
Any unintended validations on properties that have Declare Expression rules configured, both default and user-defined, might cause issues in an application when saving work objects and data objects that refer to those Declare Expression rules.
What steps are required to update the application to be compatible with this change?
If you experience issues when saving objects, debug your application by setting the declareexp/target/validation/disable dynamic system setting to true. If your application works correctly after that change, the issues are caused by validations on Declare Expressions. For your application to work correctly, analyze the log files and remove any unintended validations.
For more information, see Declare Expression rules.
Improving basic access control
Valid from Pega Version 8.5
Pega Platform™ has implemented a new basic access control (BAC) to protect your application from unauthorized server calls made by otherwise authenticated users.
For more information, see Access Control Checks.
Upgrade impact
After you upgrade to Pega 8.5, all the functionality in the model configurations that use auto-generated controls and actions continues to work as before. However, you must secure any customized JavaScript in your application layer that makes AJAX (server) calls by using registration or encryption mechanisms.
What steps are required to update the application to be compatible with this change?
After upgrade, to migrate custom JavaScript functionality, see Access Control Checks.