Release notes: SecureAuth CIAM 2.23.0

New claims with scope conditions now require the scopes to exist in the authorization server.

Added a new self-service API to revoke tokens, including access tokens, refresh tokens, and SSO sessions linked to the provided access token.

Enhanced workspace configuration to include allowed authentication mechanisms, providing control over which mechanisms users can use when logging in with identity pools. Key updates:

Updated Alpine and Go versions for the Rego environment to address security vulnerabilities.

API to revoke users tokens in pool

Risk Threshold for SSO

Ability to set tenant role for JITed user

Improved UX in Self Service.

Content reorganized into 3 views: profile, security (with sign-in methods and your devices), privacy (with consent management)

Unified the top bar appearance across the user and admin portals

Enabled passkey setup in the self-service portal

Enhanced error messages for authentication policy execution issues

Added "Try Sign-in with current IDP" button

This is useful when multiple IDPs are configured, allowing you to test the one currently being set up. It also enables testing of IDPs with a hidden flag that cannot be selected on the IDP selector login page.

Improved and standardized the appearance of full-screen dialogs

Updated the system to support "idpconnect.secureauth.com" as the base value.

Add/edit claim modal improvements - scopes input changed to an autocomplete field

Made Authentication Factors v2 available when the acr feature flag is enabled

MFA Friction charts

Exposed System API to fetch OAuth2 clients by ID: GET /client/{cid}

Added  acr_default_values to the client configuration. If the client does not send explicit acr_values to the authorize endpoint, it will request implicit default acr values from the client configuration. This feature is available behind the acr feature flag.

Implemented a new system API to revoke tokens for users in the pool, similar to the functionality provided by the Admin API: https://docs.secureauth.com/ciam-apis/admin.html

Updated default attributes for SAML IDP to use basic attributes: email, first name and last name

Enabled Sign-in and SSO in B2B portal in organization view

Improved user authentication experience in existing SSO session:

If a client requests a max_age that has expired, users are now prompted to log in instead of encountering an error page.

Added a dedicated HTTP client for webhooks with configurable timeouts and retries

Default signing key for new (non-FAPI) workspaces is now rsa instead of ecdsa

Extend token endpoint authz engine policy input with the client certificate metadata, sample policy:

package acp.authz

default allow = false

allow {
input.clientCertificate.subject_attributes["CN"][_] == "cid1.example.com"
}

Added optional "certificate" field to the client create/import API. It accepts base64-encoded PEM certificates and converts them to JWKS

Resolved issue with users selecting an address for activation messages when multiple addresses exist

Ensured B2B portal updates org metadata using the Update Org Metadata API

Fixed input for DCR scope policies to include software statements and client attributes

Allow 10-second skew time for iat claim in the DPoP Proof JWT

Add a circuit breaker to the webhook handler

Limited JARM warnings and sections to the authorization code grant type and added ID token signing algorithm mismatch warnings

Enabled dynamic redirect URIs for demo applications

Changed the default SAML IDP attributes source from Custom to "SAML Assertion Attribute"