SR-113624 · Issue 167070
Enabling out-of-the-box Security Policies now redirects immediately
Resolved in Pega Version 7.1.7
When enabling out-of-the-box Security Policies, it was not immediately redirecting to the change password screen but instead requiring the timeout interval to expire before redirect happened. This has been corrected.
SR-118880 · Issue 172588
Change Password redirect loop fixed
Resolved in Pega Version 7.1.7
When URLEncryption is enabled along with Security Policies, redirection to the Change Password screen caused the browser to loop into an endless redirect (HTTP 302 loop). This was caused by Incorrect (un-obfuscated) data being used internally when obfuscation was enabled, and has been fixed.
INC-118838 · Issue 560691
OKTA receives parameters on logout
Resolved in Pega Version 8.2.7
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the DB, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D95148 · Issue 557483
Port validation updated for redirect URI
Resolved in Pega Version 8.2.7
When an offline app for windows client was generated, trying to login via SSO resulted in the error "invalid redirect_uri". This was traced to the system validating the whole loopback redirection URL, e.g. "http://127.0.0.1:1234/redirection", including the port number. To enhance flexibility, an update has been made so that the port number will not be validated, allowing the client to establish it based on availability at the moment of the request to the authorization service. NOTE: As a best practice, a loopback URL should not be configured as a redirect URI. If a loopback URL is configured, then at run time the port number will not be validated, and the client application can use any available port on the system including ports that may not be intended for use.
INC-201713 · Issue 700221
Resolved SSO logout error
Resolved in Pega Version 8.6.5
After configuring prconfig/initialization/Urlencryption/default -> true and prconfig/initialization/SubmitObfuscatedURL/default -> required, logging in to any portal using SSO resulted in a 400 error when trying to log out. This has been resolved by adding a call to the encryption Rule-Utility-Function while calling logoff activity from 'pzSingleLogoutServiceRedirectV2'.
INC-202702 · Issue 713726
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.6.5
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.
INC-212265 · Issue 714015
at+jwt header type support added
Resolved in Pega Version 8.6.5
After upgrading from Pega 7 to Pega 8, using JWT validation in the REST service package with type "at+jwt" resulted in the JSON web token being rejected during signature verification with the error "header "typ" (type) "at+jwt" not allowed". Pega uses the third-party Nimbus jar to generate and verify JWT tokens, and this issue was traced to a difference in the versions of that jar: Pega 7.3 uses the nimbus-jose-jwt 5.1 version jar, while Pega 8.6+ uses the 8.20 jar version. Nimbus rejects at+jwt header types by default from the 8.0 jar version. To resolve this and improve backwards compatibility, at+jwt header type support has been added.
INC-216154 · Issue 718236
SMTPPort parameter will be passed to ForgotPasswordUtil
Resolved in Pega Version 8.6.5
When a user triggered the "Trouble Signing in" function, the SentEmailNotification activity connection was trying to use port 25 even if the SMTP Port was configured as 587 in the Email Account instance. This was due to the SMTP Port not being passed to the SentEmailNotification activity, causing a fallback to port 25 for non-SSL connections. In order to ensure SendEmailNotification uses a specified port if configured, pySMTPPort will be passed to ForgotPasswordUtil.java.
INC-217461 · Issue 714310
Key ID made optional for JWT
Resolved in Pega Version 8.6.5
After update, Connect-REST services were failing with a Admin_Security_Token.Action error. This was traced to kID (key ID) being mandated following previous work done to address an issue. To resolve this and better support backwards compatibility, the kID has been made optional in the JWT header.
INC-219208 · Issue 717217
Updated OAuth2 registration handling for modified application definition
Resolved in Pega Version 8.6.5
After update, attempting to resave an application definition after any modification resulted in the error "Application OAuth2 client registration is failed. Error Message: PegaApp_XXBase:Client already exists". This was due to pxCreateRecord being called to create the authentication profile: as it was already present, it failed to create a new one. This has been resolved by changing pxCreateRecord to Obj-Save in this process. This change will only be applied on newly created applications using the Data-Application-OAuth2ClientRegistration instance. The solution for already exported applications is to delete the corresponding OAuth2 client (PegaApp_<application id>) and resave the application to create a new client along with the needed metadata.