Release notes: SecureAuth CIAM 2.27.0

Summary of new features and changes in SecureAuth CIAM platform (formerly known as Cloudentity) version 2.27.0.

For platform component version details, see SecureAuth platform dependencies version reference.

Release Date: January 20, 2026

New features

  • System scripts management APIs – New system-level APIs enable full CRUD operations for managing scripts within authorization servers, including create, read, update, patch, delete, and list operations. A new manage_scripts scope controls authorization for script management. Client libraries are available for TypeScript, Java, and Go. [AUT-12922]

  • System delete client API – System administrators can now delete OAuth2 clients through the system API endpoints with proper authorization and validation controls. [AUT-12920]

  • Agentic AI workspace generally available – Agentic AI workspace with a Finance Assistant demo is now generally available for securing and governing AI agents with identity-driven access control. See Get started with Agentic AI workspace demo. [AUT-12873]

  • Node.js FaaS runtime v7 – Added new FaaS runtime environment node-env v7 with updated dependencies. [AUT-13038]

Improvements

  • Authorization audit events – Audit events now include granted authorization details for Rich Authorization Requests (RAR) for improved debugging and compliance tracking. [AUT-12992]

  • Brute force counter in authentication audit events – Authentication audit events now include the identity brute force counter for failed attempts, enabling better security monitoring. [AUT-12902]

  • Create connection interface refinement – Improved visual hierarchy and reduced interface clutter by removing borders from provider tiles and refining the button layout. [AUT-12949]

  • Translated emails and messages – Emails and messages are now translated based on user preferences and browser language settings, with support for Spanish. [AUT-12528]

  • Modern reCAPTCHA v3 implementation – Registration and password reset forms now use reCAPTCHA v3 for improved user experience, with automatic fallback to reCAPTCHA v2 when the score is below the configured threshold (0.5 by default). [AUT-12416]

  • Optimized login discovery – Login discovery endpoint performance improved by replacing N+1 cache lookups with a single SQL query. [AUT-13116]

  • Two-step activation flow – Added two-step activation flow to prevent email scanners from triggering user activation prematurely. [AUT-13112]

  • TimescaleDB compatibility – Replaced deprecated timescaledb_experimental.time_bucket_ng with standard time_bucket for month/year bucketing. Requires TimescaleDB 2.8.0 or later. [AUT-13108]

Bug fixes

  • DBFP timeout handling – Fixed a DBFP timeout that was not cleared after successful device fingerprint loading, which could cause unexpected redirects to the current endpoint with the dbfp=failure query parameter. [AUT-13012]

  • Automatic identity provider discovery – Fixed automatic identity provider discovery that was blocking user input even when no provider was found. Discovery now only occurs through manual entry (Enter key) or the Next button. [AUT-12818]

  • Authentication context in hybrid flow – Fixed authentication context (authn_ctx) not being available in pre-token minting scripts during hybrid and implicit OAuth flows. [AUT-13075]

  • Post-authentication script error handling – Post-authentication extension script errors are now returned to the OAuth2 client callback URL as query parameters instead of rendering a server-side error page. [AUT-13090]

  • AWS authorizer stale file handle – Fixed an error in the AWS authorizer where it sometimes failed due to a stale configuration file handle.