AM 2.4

We are pleased to announce that Access Management 2.4.0 is now available.

What's new?

Here are the highlights of this release:

  • PSD2 and Open Banking context
  • Users storage

PSD2 and Open Banking

The Payment Services Directive (PSD2) defines a set of EU rules intended to stimulate competition in the electronic payments market.

This would allow consumers to benefit from more and better choices between different types of payment services and service providers.

Banks will expose open APIs so that other banks and third parties (known as third-party providers, or TPPs) can access customer account and payment services.

To secure those APIs, the Open Banking standards rely on standard protocols such as OAuth 2.0 and OpenID Connect.

User consent model (PSD2/Banking context)

To fulfill Open Banking and PSD2 requirements, Access Management has started to make a number of improvements, the first of which ship in this 2.4 version.

Stronger tokens

AM 2.4 moves from random UUIDs to 160-bit (20-byte) random values when generating tokens and credentials (e.g. client_id, client_secret, authorization_code, tokens), in line with the OAuth 2.0 specification (RFC 6749, section 10.10), which states:

"The probability of an attacker guessing generated tokens (and other credentials not intended for handling by end-users) MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160)."
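The following is an added example, not code from the announcement or from Access Management itself. It shows why the move matters: a version-4 UUID carries only 122 random bits, which fails the MUST threshold above, while 20 bytes from a cryptographically secure generator meets the SHOULD threshold. It also shows the two other habits that go with strong tokens: drawing them from the OS CSPRNG (Python's secrets module, not the random module), and comparing a presented token against the stored one in constant time. Function names, the base64url encoding and the threshold helper are this example's own choices.

```python
import base64
import hmac
import secrets

TOKEN_BYTES = 20            # 160 bits, the size AM 2.4 adopts
UUID4_ENTROPY_BITS = 122    # 128 bits minus 4 version bits and 2 variant bits

# RFC 6749 section 10.10 thresholds, expressed as minimum entropy in bits:
# a single guess succeeding with probability <= 2^-N requires >= N random bits.
RFC6749_MUST_BITS = 128
RFC6749_SHOULD_BITS = 160


def generate_token(n_bytes: int = TOKEN_BYTES) -> str:
    """Return a URL-safe, unpadded base64 string built from n_bytes of CSPRNG output.

    secrets.token_bytes reads the operating system CSPRNG; random.random() is a
    Mersenne Twister whose output is predictable and must never be used here.
    """
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_token(token: str) -> bytes:
    """Inverse of generate_token: restore the padding and decode to raw bytes."""
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding)


def meets_rfc6749_thresholds(entropy_bits: int) -> dict:
    """Report whether a token of the given entropy satisfies the MUST and SHOULD levels."""
    return {
        "must_2_128": entropy_bits >= RFC6749_MUST_BITS,
        "should_2_160": entropy_bits >= RFC6749_SHOULD_BITS,
    }


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so that response timing leaks nothing about
    how many leading characters of a guess were correct."""
    return hmac.compare_digest(presented.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    print("UUID v4 :", meets_rfc6749_thresholds(UUID4_ENTROPY_BITS))
    print("20 bytes:", meets_rfc6749_thresholds(TOKEN_BYTES * 8))
    token = generate_token()
    print("sample  :", token, f"({len(decode_token(token)) * 8} bits)")
```

Raising the token size does not remove the need for the other controls the specification lists alongside it (short lifetimes for authorization codes, rate limiting of token and introspection endpoints), but it does make brute-force guessing computationally irrelevant.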

Fine-grained user consent expiry time

Up to version 2.3 of AM, all OAuth 2.0 scopes shared the same expiry time for user consent/approval. In a banking context, the validity of a payment initiation approval is generally much shorter than that of an administrative task such as accessing account information. AM 2.4 now lets you define an expiry time per scope, at both the security domain and the client level.

Scope expiry time
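As an added example (not code from Access Management, whose configuration format is not shown here), the following models the consent check that per-scope expiry implies: a client-level setting overrides the domain-level one, a scope with no configured expiry fails closed and requires fresh consent, and the authorization server re-prompts only for the scopes whose consent is missing or stale. The configuration tables, client name and scope names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

DAY = 24 * 3600

# Constructed configuration (hypothetical shape): consent lifetime per scope.
# Domain level: a short window for payment initiation, a long one for read access.
DOMAIN_SCOPE_EXPIRY = {
    "openid": 90 * DAY,
    "accounts": 90 * DAY,
    "payments": 300,          # five minutes: a payment approval should not linger
}
# Client level: a stricter override for one third-party application.
CLIENT_SCOPE_EXPIRY = {
    "tpp-app-1": {"accounts": 30 * DAY},
}


def effective_expiry_seconds(client_id: str, scope: str) -> Optional[int]:
    """Client-level value wins; otherwise fall back to the domain; None if unconfigured."""
    client_overrides = CLIENT_SCOPE_EXPIRY.get(client_id, {})
    if scope in client_overrides:
        return client_overrides[scope]
    return DOMAIN_SCOPE_EXPIRY.get(scope)


def consent_still_valid(client_id: str, scope: str, granted_at: datetime, now: datetime) -> bool:
    """A scope with no expiry configured is treated as expired (fail closed)."""
    ttl = effective_expiry_seconds(client_id, scope)
    if ttl is None:
        return False
    return now < granted_at + timedelta(seconds=ttl)


def scopes_needing_reconsent(
    client_id: str,
    requested_scopes: Iterable[str],
    granted: Dict[str, datetime],
    now: datetime,
) -> List[str]:
    """Return the requested scopes the user must approve again, sorted for stable output."""
    stale = []
    for scope in requested_scopes:
        if scope not in granted or not consent_still_valid(client_id, scope, granted[scope], now):
            stale.append(scope)
    return sorted(stale)


if __name__ == "__main__":
    now = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed consent record: accounts approved 45 days ago, payments 10 minutes ago.
    granted = {
        "accounts": now - timedelta(days=45),
        "payments": now - timedelta(minutes=10),
    }
    for client in ("tpp-app-1", "other-app"):
        print(client, scopes_needing_reconsent(client, ["openid", "accounts", "payments"], granted, now))
```

Run against the constructed record, tpp-app-1 must re-consent for all three scopes (its 30-day account override has lapsed, the payment window has passed, and openid was never granted), while other-app, which inherits the 90-day domain value for accounts, is only re-prompted for openid and payments. That difference is exactly what the per-client setting buys you.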

Users storage

Until now, users created in AM (via User Management or the SCIM protocol) were stored by default in the AM identity provider (the MongoDB database). You can now choose which identity provider newly created users are stored in.

User creation

With this feature, each application can use its own user directory instead of relying on the security domain's.

What's next?

  • Continue the PSD2 and Open Banking work with consent and scope approval management
  • Start the Audit Trail logs feature

To discover all these new features, follow the installation guide or start playing with AM using Docker.

We look forward to your feedback and would be happy to talk and help you on our Gitter channel.