Support for the JSON Web Token Bearer grant type for accessing external APIs
Valid from Pega Version 8.4
You can now access external APIs by using the new OAuth 2.0 JSON Web Token (JWT) Bearer grant type, in an OAuth 2.0 authentication profile. To use the JWT Bearer grant type as a client assertion, source the JWT from an active SSO session, a token profile, or a property reference. You can use JWTs that you obtain during an OpenID Connect SSO in connectors, to achieve user impersonation flows, such as the On-Behalf-Of (OBO) flow. The OAuth 2.0 type authentication profile now also supports authentication of client applications by using Private Key JWTs.
Instances of the OAuth 2.0 provider are now deprecated. As a best practice, use the new, unified authentication profile configuration instead.
For more information, see Configuring an OAuth 2.0 authentication profile.
Upgrade impact
After an upgrade to Pega Platform 8.4 and later, Authentication Profiles can take advantage of the new JWT based OAuth 2.0 grant type and client authentication features. To take advantage of this and other new security features, you must update any existing Authentication Profiles formats must to use those in Pega Platform 8.4 and later.
What steps are required to update the application to be compatible with this change?
Since these features are available only for profiles created in Pega Platform 8.4 and later, clients must open and then save existing 'Authentication Profile' instances to ensure that the configuration is compatible with the latest authentication formats.
Sign and encrypt signatures and content with additional algorithms
Valid from Pega Version 8.4
You can now authenticate using JSON Web Token (JWT) token profiles to symmetrically and asymmetrically encrypt both signatures and content. All algorithms in the Nimbus JWT library are supported, including nested tokens. Custom key identifier headers (kid) are also supported. Use token profiles to securely propagate identities and transfer data between systems.
For more information, see Creating a processing JSON Web token profile.
For more information, see Creating a generation JSON Web token profile.
All search data is encrypted
Valid from Pega Version 8.2
All search data in Pega Cloud deployments is now encrypted, both at rest and in transit. The encryption of search data makes search compliant with regulatory requirements.
For more information about search, see Full-text search.
Authentication service for basic credentials
Valid from Pega Version 8.2
A new type of authentication service is available for authenticating operators by using basic credentials (user ID and password). The default Pega Platform™ login is now an instance of this type of authentication service. All basic credentials authentication services include mobile authentication with the OAuth 2.0 protocol and Proof Key for Code Exchange (PKCE). You no longer have to create a custom authentication service to support mobile applications.
For more information, see Configuring a basic authentication service.
Unauthenticated sessions transition seamlessly to authenticated
Valid from Pega Version 8.2
A new authentication service type allows a guest user to use an application without logging in, and to be prompted to authenticate later in the session. This enhancement supports scenarios such as online shopping portals where a user can browse for items and load a shopping cart as a guest but be prompted for credentials at checkout.
For more information, see Configuring an anonymous authentication service.
Create single sign-on authentication services from App Studio
Valid from Pega Version 8.2
You can create and enable single sign-on (SSO) authentication services from a new landing page in App Studio. From this new landing page you can also configure new SAML and OpenID Connect authentication services to provision users. For more information, see Creating a SAML SSO authentication service and Creating an OIDC SSO authentication service.
Protect against insecure deserialization
Valid from Pega Version 8.2
Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top 10 security vulnerabilities for web applications. Pega Platform™ protects against this vulnerability by using filters that prevent deserialization of suspect data streams. You can configure these filters from the Deserialization Blacklist landing page.
For more information, see Configuring the deserialization filter.
Support for Firebase Cloud Messaging (FCM) push notifications in Android custom mobile apps
Valid from Pega Version 8.2
You can now create Android custom mobile apps that use push notifications with the Firebase Cloud Messaging (FCM) services. The push notifications for Android custom mobile apps based on legacy Google Cloud Messaging (GCM) are deprecated, as GCM services will be officially removed from use on April 11, 2019. To continue to use push notifications, you must migrate your custom mobile apps to FCM services. Before building your custom mobile app, you must register your Android app for push notifications in the Firebase console, obtain the FCM server key and Google Services JSON file, and use the key and file in the Android certificate set to build the custom mobile app.
For more information, see Migrating Android custom mobile apps that use push notifications to Firebase Cloud Messaging, Push notifications in Android mobile app, and Android certificate set.
PEGA0107 alert enables performance monitoring of offline-enabled apps
Valid from Pega Version 8.2
You can now monitor the performance of offline-enabled apps by analyzing PEGA0107 alerts from Pega Predictive Diagnostic Cloud™. PEGA0107 alerts are equivalent to PEGA0069 alerts in the context of offline-enabled applications, but PEGA0069 alerts are not generated for offline-enabled applications.
For more information, see PEGA0107 alert: Client page load time for offline-enabled applications and Pega Predictive Diagnostic Cloud Improvement Plan overview.
Mashup code preview in App Studio
Valid from Pega Version 8.2
When you create a mashup channel for your application, you can now eliminate issues with the code and create better looking applications, by using the portal preview in App Studio. You can preview a channel to verify that different types of devices correctly display the mashup code. The preview functionality uses a default wrapper that functions as a portal for displaying a frame with the mashup code. You can modify the appearance of the default wrapper, and adapt the mashup user interface in design mode to meet your requirements.
For more information, see Configuring the Mashup channel and Previewing an application.