Published Release Notes

This documentation is for non-current versions of Pega Platform. For current release notes, go here.

Support for the JSON Web Token Bearer grant type for accessing external APIs

Valid from Pega Version 8.4

You can now access external APIs by using the new OAuth 2.0 JSON Web Token (JWT) Bearer grant type, in an OAuth 2.0 authentication profile. To use the JWT Bearer grant type as a client assertion, source the JWT from an active SSO session, a token profile, or a property reference. You can use JWTs that you obtain during an OpenID Connect SSO in connectors, to achieve user impersonation flows, such as the On-Behalf-Of (OBO) flow. The OAuth 2.0 type authentication profile now also supports authentication of client applications by using Private Key JWTs.

Instances of the OAuth 2.0 provider are now deprecated. As a best practice, use the new, unified authentication profile configuration instead.

For more information, see Configuring an OAuth 2.0 authentication profile.
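The two uses of a JWT described above, as an authorization grant and as Private Key JWT client authentication, can appear in the same token request. The following added example (not Pega code) builds such a request with the JDK only; the endpoint URL, issuer, subject, client ID, and both key pairs are constructed assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

public class JwtBearerRequest {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    static String enc(String v) { return URLEncoder.encode(v, StandardCharsets.UTF_8); }

    // Builds a compact RS256 JWS with a 5-minute lifetime and a unique jti to limit replay.
    // The claim values here are constructed and contain no characters that need JSON escaping.
    static String signJwt(PrivateKey key, String iss, String sub, String aud) throws GeneralSecurityException {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d,\"jti\":\"%s\"}",
            iss, sub, aud, now, now + 300, UUID.randomUUID());
        String signingInput = b64(header) + "." + b64(claims);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(key);
        rsa.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(rsa.sign());
    }

    // The user JWT is the grant (assertion); the client JWT authenticates the caller (client_assertion).
    static String tokenRequestBody(String userJwt, String clientJwt) {
        return "grant_type=" + enc("urn:ietf:params:oauth:grant-type:jwt-bearer")
            + "&assertion=" + enc(userJwt)
            + "&client_assertion_type=" + enc("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
            + "&client_assertion=" + enc(clientJwt);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey idpKey = gen.generateKeyPair().getPrivate();    // stands in for the SSO provider's signing key
        PrivateKey clientKey = gen.generateKeyPair().getPrivate(); // stands in for the client's registered key
        String tokenEndpoint = "https://as.example.test/token";    // constructed URL
        String userJwt = signJwt(idpKey, "https://idp.example.test", "alice", tokenEndpoint);
        // Private Key JWT: iss and sub both carry the client ID.
        String clientJwt = signJwt(clientKey, "example-client-id", "example-client-id", tokenEndpoint);
        System.out.println("POST " + tokenEndpoint + "\nContent-Type: application/x-www-form-urlencoded\n");
        System.out.println(tokenRequestBody(userJwt, clientJwt));
    }
}
```

The authorization server verifies each signature against the key registered for that issuer and rejects assertions whose `aud`, `exp`, or `jti` checks fail.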

Upgrade impact

After an upgrade to Pega Platform 8.4 and later, Authentication Profiles can take advantage of the new JWT-based OAuth 2.0 grant type and client authentication features. To take advantage of these and other new security features, you must update any existing Authentication Profiles to use the formats in Pega Platform 8.4 and later.

What steps are required to update the application to be compatible with this change?

Since these features are available only for profiles created in Pega Platform 8.4 and later, clients must open and then save existing 'Authentication Profile' instances to ensure that the configuration is compatible with the latest authentication formats.

Specify the scope for rolling back rules and data to a restore point

Valid from Pega Version 8.4

Create restore points to save the state of all rules and data in your system at a significant point in time, for example, before you import an application. Roll back to that restore point to return the system to that state. Now, you can filter which rule and data instances are returned to their previous state:

  • System: Roll back every rule and data instance that has a history record.
  • User: Roll back rule and data instances modified by a specific user. If any rule was changed by more than one user, you will see an error message and must use the system rollback.
  • Application: Roll back rule and data instances in a specific application.

For more information, see Using restore points to enable error recovery.

Sign and encrypt signatures and content with additional algorithms

Valid from Pega Version 8.4

You can now authenticate using JSON Web Token (JWT) token profiles to symmetrically and asymmetrically encrypt both signatures and content. All algorithms in the Nimbus JWT library are supported, including nested tokens. Custom key identifier headers (kid) are also supported. Use token profiles to securely propagate identities and transfer data between systems.

For more information, see Creating a processing JSON Web token profile.

For more information, see Creating a generation JSON Web token profile.

All search data is encrypted

Valid from Pega Version 8.2

All search data in Pega Cloud deployments is now encrypted, both at rest and in transit. The encryption of search data makes search compliant with regulatory requirements.

For more information about search, see Full-text search.

Authentication service for basic credentials

Valid from Pega Version 8.2

A new type of authentication service is available for authenticating operators by using basic credentials (user ID and password). The default Pega Platform™ login is now an instance of this type of authentication service. All basic credentials authentication services include mobile authentication with the OAuth 2.0 protocol and Proof Key for Code Exchange (PKCE). You no longer have to create a custom authentication service to support mobile applications.

For more information, see Configuring a basic authentication service.

Unauthenticated sessions transition seamlessly to authenticated

Valid from Pega Version 8.2

A new authentication service type allows a guest user to use an application without logging in, and to be prompted to authenticate later in the session. This enhancement supports scenarios such as online shopping portals where a user can browse for items and load a shopping cart as a guest but be prompted for credentials at checkout.

For more information, see Configuring an anonymous authentication service.

Create single sign-on authentication services from App Studio

Valid from Pega Version 8.2

You can create and enable single sign-on (SSO) authentication services from a new landing page in App Studio. From this new landing page you can also configure new SAML and OpenID Connect authentication services to provision users. For more information, see Creating a SAML SSO authentication service and Creating an OIDC SSO authentication service.

Improved search indexing performance

Valid from Pega Version 8.2

Search indexing now uses a queue processor to improve indexing performance. Indexing can automatically restart if the database goes down temporarily, which saves time and manual action. As a result of using the queue processor for indexing, the following changes have been made to the Search landing page:

  • You cannot cancel indexing from the Search landing page. Cancel indexing by stopping the queue processor from the Data flow landing page.
  • The progress message is not shown. View progress on the Queue Processor landing page.
  • Queue processor information has been added.

For more information, see Stopping or pausing search reindexing.

Protect against insecure deserialization

Valid from Pega Version 8.2

Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top 10 security vulnerabilities for web applications. Pega Platform™ protects against this vulnerability by using filters that prevent deserialization of suspect data streams. You can configure these filters from the Deserialization Blacklist landing page.

For more information, see Configuring the deserialization filter.
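Filtering of this kind can be illustrated with the JDK's own `ObjectInputFilter` (Java 9 and later). This is an added example, not Pega's implementation; the `Suspect` and `Order` classes and the filter patterns are constructed for the demonstration. It compares a deny list with an allow list, because a deny list leaves every unlisted class undecided and the stream then accepts it.

```java
import java.io.*;

public class DeserFilterDemo {
    // Constructed classes: Suspect stands in for a class that must never be rebuilt from untrusted bytes.
    static class Suspect implements Serializable { String note = "constructed"; }
    static class Order implements Serializable { int id = 42; }
    static class Unlisted implements Serializable { int n = 1; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserializes under the given filter and reports the outcome instead of throwing.
    static String tryRead(byte[] data, ObjectInputFilter filter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // must be set before the first readObject()
            return "accepted " + ois.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {   // thrown when the filter returns REJECTED
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Deny list: rejects one named class and caps graph depth and array size.
        ObjectInputFilter denyList = ObjectInputFilter.Config.createFilter(
            "!DeserFilterDemo$Suspect;maxdepth=10;maxarray=1000");
        // Allow list: accepts the expected class and java.lang types, rejects everything else.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
            "DeserFilterDemo$Order;java.lang.*;!*");

        Object[] samples = { new Order(), new Suspect(), new Unlisted() };
        for (Object sample : samples) {
            byte[] bytes = serialize(sample);
            String name = sample.getClass().getSimpleName();
            System.out.println(name + " / deny list:  " + tryRead(bytes, denyList));
            System.out.println(name + " / allow list: " + tryRead(bytes, allowList));
        }
    }
}
```

`Unlisted` passes the deny list and fails the allow list, which is why a deny list needs review whenever new classes reach the classpath.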

More visibility of your production level

Valid from Pega Version 8.2

You can now see the production level of your environment in a new gadget that is available in all Pega Platform™ workspaces. To ensure that you immediately recognize your current environment, you can give it a unique name that is displayed when you click the gadget. In addition to specifying your production level and environment name on the System form in Dev Studio, you can now specify those values on the System & nodes page in Admin Studio.

For more information on Admin Studio, see Modifying your environment name and production level.

For more information on Dev Studio, see Specifying the production level.
