Enhanced optimized tables
Valid from Pega Version 8.5
Optimized tables now come with a greater range of options, such as support for sorting and filtering cell content in embedded sections. The new options also include passing parameter values from a data page to a table instead of manually entering the values for each of the parameters. For example, you can mark an organization name as a parameter to pass into a table. The new enhancements facilitate the transition to the more efficient optimized tables, and save time and effort.
For more information, see Optimizing table code.
Improved support for working with cases in multiple browser tabs
Valid from Pega Version 8.5
The Cosmos design system now provides enhanced support for opening and working on cases in multiple browser tabs. Cases that users open in new browser tabs are processed independently and include the portal’s main navigation bar, which allows users to conveniently browse other pages on any tab.
Improved identification and handling of code assembly errors
Valid from Pega Version 8.5
Code assembly error logs are now more meaningful and help you identify root causes with better accuracy. Pega Platform™ now also invalidates erroneous assembly to facilitate successful reassembly when the code is accessed again. For example, if a section is not correctly assembled when a user first signs in to the system, the application attempts to reassemble that section the next time a user signs in. In this way, you can avoid lingering issues and improve stability.
Retention of mashup state on browser refresh
Valid from Pega Version 8.5
Mashup configuration now includes an option to retain the state of the mashup after the user refreshes the browser that displays the mashup. In previous releases, when users refreshed a browser window with a case in a mashup, the system discarded the state of the case and then created a new case. Now, you can enable the mashup to use the values in the Clipboard tool from before the refresh. This enhancement helps users seamlessly continue their work after a browser refresh.
For more information, see Pega web mashups for embedding Pega Platform UI in external web pages.
Custom DX API attributes for auto-generated controls
Valid from Pega Version 8.5
Auto-generated controls now include the option to add custom attributes for use with the Pega Digital Experience (DX) API. The attributes are part of the DX API response to the front end and you can use them to modify the run-time behavior of the UI elements in your application. For example, you can add an attribute to a field that displays a tooltip text for that field at run time. This enhancement introduces significant flexibility to application development and gives you greater control over UI components.
For more information, see Adding custom attributes for version 1 DX API to auto-generated controls.
New JWT access token format: Authorized Access Token
Valid from Pega Version 8.5
Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.
The major benefits to using the JWT format are:
- The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
- A single token can be used with multiple applications.
- The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
- As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).
For more information, see Understanding authorized access tokens.
Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service
Valid from Pega Version 8.5
Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.
Token Introspection service
Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication.
Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT).
Token Introspection service endpoint
The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid:
- Valid tokens have the
“active”:truestatus - Invalid tokens have the
“active” :falsestatus.
The inactive status can also be due to revocation.
Token Denylist service
You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
Keys endpoint
Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.
For more information, see OAuth 2.0 Management Services.
Enhanced refresh token strategy
Valid from Pega Version 8.5
You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case.
These can be configured in the OAuth2 Client registration rule form.
For more information, see Enhanced refresh token strategy.
Tamper-proof Pega Web Mashup loading
Valid from Pega Version 8.5
To protect your application from hackers, Pega Web Mashup is now loaded in a more secure way. The system generates a channel ID in the mashup code for validation on the server, before passing the mashup request.
For more information, see Creating a mashup.
Upgrade impact
After an upgrade to Pega Platform 8.5, existing mashups, which do not have the channel ID parameter in their code, cannot load and users see the access control warning.
What steps are required to update the application to be compatible with this change?
If you need to maintain full availability of the mashup during the upgrade of the production environment, perform the steps in Migrating existing mashups.
Support for React-based components in Pega Infinity applications
Valid from Pega Version 8.5
React-based components can now conveniently be enabled in any existing Pega Infinity™ application without the need to migrate the application to the full React UI. By selecting a single option, you can enable and experience some of the most modern functionalities, such as intuitive and comfortable landing page authoring, or the more efficient React-based tables.
For more information, see Enabling Cosmos React UI for landing pages.