Default Create stage in a case life cycle
Valid from Pega Version 8.5
Pega Platform™ now adds a default Create stage to a case life cycle every time you create a new case type, both in App Studio and Dev Studio. The default Create stage includes a view that users interact with to provide initial data before case processing begins. Consequently, you can now easily locate the view to make any necessary changes. In the background, the Create stage makes a case type independent from the starting process, which removes relevant advanced configurations and makes application development faster.
For more information, see Capture initial data faster with the default Create stage (8.5), The Create stage.
Control group configuration for predictions
Valid from Pega Version 8.5
You can now configure a control group for your predictions in Prediction Studio. Based on the control group, Prediction Studio calculates a lift score for each prediction that you can later use to monitor the success rate of your predictions.
For more information, see Customizing predictions.
Response timeout configuration for predictions
Valid from Pega Version 8.5
You can now set a response timeout for your predictions in Prediction Studio. By setting a response timeout, you control how Prediction Studio registers customer responses that later serve as feedback data for your predictions.
For more information, see Customizing predictions.
Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service
Valid from Pega Version 8.5
Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.
Token Introspection service
Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication.
Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT).
Token Introspection service endpoint
The Token Introspection service endpoint provides the information about the status of access token and refresh token. Token introspection can be used to validate if a given token is still active or inactive. The token introspection endpoint determines whether the token is valid. The status indicates whether an access token or refresh token is valid or invalid:
- Valid tokens have the
“active”:truestatus - Invalid tokens have the
“active” :falsestatus.
The inactive status can also be due to revocation.
Token Denylist service
You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
Keys endpoint
Pega Platform™ is changing from using opaque tokens to JSON Web (JWT) tokens. If this JWT is used by any other system, the public key is needed for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.
For more information, see OAuth 2.0 Management Services.
Enhanced refresh token strategy
Valid from Pega Version 8.5
You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from IDP’s session timeout when SSO is used with external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use-case.
These can be configured in the OAuth2 Client registration rule form.
For more information, see Enhanced refresh token strategy.
Predictions for long-term business outcomes
Valid from Pega Version 8.5
Prediction Studio now offers predictions that calculate the probability of your customer performing two subsequent actions, one resulting from the other. For example, you can predict how likely your customer is to click a web banner, and then accept the corresponding offer.
For more information, see Predict long-term business outcomes in Prediction Studio (8.5).
Support for React-based components in Pega Infinity applications
Valid from Pega Version 8.5
React-based components can now conveniently be enabled in any existing Pega Infinity™ application without the need to migrate the application to the full React UI. By selecting a single option, you can enable and experience some of the most modern functionalities, such as intuitive and comfortable landing page authoring, or the more efficient React-based tables.
For more information, see Enabling Cosmos React UI for landing pages.
Enhancements for fields in views and data models
Valid from Pega Version 8.5
Pega Platform™ now provides a unified experience of adding fields to views, the case type data model, and the application data model, by using an intuitive dialog box. For greater clarity, a new field type, data relationship, replaces data references, field groups, and field group lists. As a result, you can conveniently reuse data objects in your application.
When you upgrade to Pega 8.5, your system automatically converts your field groups, field group lists, and data references to data relationships. The case type data model now displays all the fields by default, including any referenced fields, and provides an application layer that contains each field. Use this functionality to view how the data is organized across your system.
For more information, see Define fields in data objects intuitively (8.5), Adding data relationships to fields and data models.
Enhancements to token lifetime limits
Valid from Pega Version 8.5
Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.
These can be configured in the OAuth2 Client registration rule form.
For more information, see OAuth 2.0 Management Services.
Better support for custom PDF fonts
Valid from Pega Version 8.5
Pega Platform™ now supports loading custom fonts for PDF files from a binary file by using the CSS @font-face rule. With this enhancement, your application can generate PDF files that use custom fonts without relying on a dedicated font folder or a cloud bundle. As Pega moves away from folder-based solutions, you can migrate font management to a binary rule for quicker development and improved maintenance.
For more information, see Generating PDFs from your UI.