Response timeout configuration for predictions
Valid from Pega Version 8.5
You can now set a response timeout for your predictions in Prediction Studio. By setting a response timeout, you control how Prediction Studio registers customer responses that later serve as feedback data for your predictions.
For more information, see Customizing predictions.
New JWT access token format: Authorized Access Token
Valid from Pega Version 8.5
Pega Platform™ is changing from using opaque tokens to using JSON Web (JWT) tokens and the JWT access token format: Authorized Access Token (AAT). An AAT enables a client application to validate the server for user permissions and authorizes a specific application to access specific parts of a user’s data.
The major benefits to using the JWT format are:
- The JWT is a self-contained token that has authentication information, expire time information, and other user-defined claims digitally signed.
- A single token can be used with multiple applications.
- The tokens are short-lived and can minimize damage if transport security is compromised, as the token signature is verified.
- As the token is verified with the signature, there is no need to verify against a database, thus reducing latency (usually important for Web APIs).
For more information, see Understanding authorized access tokens.
Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service
Valid from Pega Version 8.5
Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.
Token Introspection service
Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication.
Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT).
Token Introspection service endpoint
The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid:
- Valid tokens have the
“active”:truestatus - Invalid tokens have the
“active” :falsestatus.
The inactive status can also be due to revocation.
Token Denylist service
You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
Keys endpoint
Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.
For more information, see OAuth 2.0 Management Services.
Enhanced refresh token strategy
Valid from Pega Version 8.5
You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case.
These can be configured in the OAuth2 Client registration rule form.
For more information, see Enhanced refresh token strategy.
External data flow rules are deprecated
Valid from Pega Version 8.5
External data flows are now deprecated and no longer supported. To improve your user experience with Pega Platform™, the user interface elements associated with these rules are hidden from view by default. Identifying unused features allows Pega to focus on developing and supporting the features that you need.
For more information, see Deprecated: External data flows.
Enhancements to token lifetime limits
Valid from Pega Version 8.5
Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.
These can be configured in the OAuth2 Client registration rule form.
For more information, see OAuth 2.0 Management Services.
Geolocation tracking for the latest mobile client
Valid from Pega Version 8
The latest version of Pega Mobile Client™ now supports geolocation tracking for offline-enabled mobile apps. You can enable constant tracking when users work on specific cases from their worklists. This enhancement helps audit the trail of the case and increase the efficiency of your mobile users. For example, dispatchers at headquarters can track the routes of field workers and more effectively assign them tasks based on their current location.
For more information, see Tracking mobile users based on geolocation data.
Visual Business Director data is automatically cleaned after a retention period expires
Valid from Pega Version 8.5
To avoid negative impact on system resources, such as memory and disk space, Pega Platform™ automatically cleans out collections data accumulated in Visual Business Director after the time period specified in the vbd/dataRetentionTimeout dynamic system setting.
Upgrade impact
In versions of Pega Platform earlier than 8.5, collections data was not automatically removed. From version 8.5, the data is removed after 465 days (15 months) by default.
What steps are required to update the application to be compatible with this change?
If the default data retention period does not meet your requirements, you can change it by editing the vbd/dataRetentionTimeout setting.
For more information, see "Configuring the data retention period for Visual Business Director" in the Pega Customer Decision Hub 8.5 Upgrade Guide on the Pega Customer Decision Hub product page.
Optimization check utility available for legacy strategies
Valid from Pega Version 8.5
Ensure that your strategies are compatible with the optimized strategy execution engine introduced in Pega Platform™ 8.1 by running a post-upgrade utility that checks strategies within your application for areas that you can optimize, for example, by reducing the number of page properties that are copied from one shape to another. Running the utility produces a report that you can use to plan the required updates to your strategies.
For more information, see Make your strategies compatible with the optimized strategy execution engine by using a check utility.
Native synchronization indicators for offline-enabled mobile apps
Valid from Pega Version 8.5
Offline-enabled mobile apps now include a set of native synchronization indicators. Indicators keep users informed about the data synchronization status, for example, the Syncing indicator appears when an app regains network connectivity and starts receiving responses from the server. You can customize the indicators to better suit the look and feel of your mobile app. For more information, see Customizing synchronization indicators.
Upgrade impact
After upgrading Pega Platform™ to version 8.5, your app does not include native synchronization indicators until you update your application to use UI-Kit 15.
What steps are required to update the application to be compatible with this change?
Update the UI Kit in your application to version 15. For more information, see Updating the UI Kit in your application.