Version 3.26 (August 2024)
New features and enhancements
Improved exception handling in SOAP wrappers
By default, the SOAP handlers ignore underlying exceptions, and always return a generic "Service is not available" error message. You can now configure the SOAP wrappers, so that underlying exceptions are re-thrown (as IdentikeyConnectionException) and can be properly handled by the application.
For the Java wrappers, this behavior can be configured with the ConfigurationBean.setRethrowOnConnectionError() method.
For the .NET wrappers, this behavior can be configured via the RethrowOnConnectionError setting in the application configuration file (app.config).
Jakarta EE support
The SDK now fully supports the Jakarta EE platform. The package includes project files and artifacts for the SOAP client and the SOAP wrapper that are compliant with Jakarta EE 9 and provide Java 11 target compatibility.
Fixes and other updates
Issue OAS-21228: authUser does not return used authenticator instance
Description: Authentication and signature validation commands return the serial number of the used authenticator (CREDFLD_SERIAL_NO). In case of MDL, this field contains the authenticator instance number, e.g. VDS1000120-1. This was not the case for the authUser command.
Affects: OAS Authentication SDK 3.21–3.25
Status: This issue has been fixed. The authUser command now correctly returns the authenticator (instance) serial number as CREDFLD_SERIAL_NO. Note that this attribute is not returned if a static password was used for the authentication.
Issue OAS-19748: Response indicates success despite database error
Description: When a SOAP operation fails due to a database or ODBC connection issue, it correctly returns an error code (RET_FAILURE) whereas the status code indicates success (STAT_SUCCESS). Furthermore, the error stack in the SOAP response includes database/ODBC-specific error messages that can expose critical information to potential attackers.
Affects: OAS Authentication SDK 3.21–3.25
Status: This issue has been fixed. All SOAP operations now correctly return STAT_COMMS in case of database connection issues and don't include low-level database error messages in the SOAP response anymore.
Issue OAS-9099 (Support case CS0061534): Signature validation uses incorrect authenticator application and succeeds
Description: In some environments where more than one signature authenticator application is used, the authSignature command may use an incorrect authenticator application to process the request and still create a valid signature.
Consider a scenario where two signature authenticator applications exist on an authenticator, SG1 that accepts exactly one data field and SG2 that accepts two data fields. Now assume that a user attempts a transaction signature validation for a business application that requires two data fields, but mistakenly selects the authenticator application that is accepting only one data field. The signature validation can still be successful, because it uses SG1 to successfully process the request (ignoring the second data field).
Affects: OAS Authentication SDK 3.21–3.25
Status: This issue has been fixed.
- The data field handling in the authSignature command was improved, any authenticator application that cannot process as many data fields as required by the request will be ignored.
- The attribute handling in the authUser command was changed to ignore Response-Only authenticator applications if the CREDFLD_CHALLENGE attribute is specified.
Deprecated components and features
PDF documentation (Deprecated)
You can view the user documentation of most OneSpan products online already at https://community.onespan.com/documentation, and we plan to shift exclusively to online documentation.
This means that PDF documentation will be completely removed in future major releases of OAS Authentication SDK (currently planned for 3.27).
Known issues
Issue 44570: New client components for multi-device licensing (MDL) not automatically created (OneSpan Authentication Server Configuration Wizard)
Description: When running the Configuration Wizard and registering the SDK as part of an advanced installation, the client components for the new multi-device licensing (MDL) functionalities are not created automatically.
Affects: OAS Authentication SDK 3.7–3.26
Status: Before using the sample websites, the client components for MDL must be created manually.
Version 3.25 (January 2024)
New features and enhancements
Custom authenticator application selection for Secure Channel operations
You can now select a specific authenticator application to use when you initiate an authentication or signature validation process using Secure Channel.
The SOAP communication interface now supports the following attributes to select a specific authenticator application:
- CREDFLD_CRYPTO_APP_INDEX. The index of the authenticator application to use when you initiate an authentication process with the getSecureChallenge command.
- CREDFLD_CRYPTO_APP_NAME. The name of the authenticator application to use when you initiate an authentication process with the getSecureChallenge command.
- SIGNFLD_CRYPTO_APP_INDEX. The index of the authenticator application to use when you initiate a signature validation with the genRequest command.
- SIGNFLD_CRYPTO_APP_NAME. The name of the authenticator application to use when you initiate a signature validation with the genRequest command.
If you do not specify a particular authenticator application, the first applicable authenticator application that is allowed by the effective policy will be used (current default behavior).
Version 3.24 (July 2023)
Version 3.23 (July 2022)
New features and enhancements
Supported platforms and other third-party products
Software libraries
OAS Authentication SDK now includes the following (updated) third-party libraries:
- Apache Log4j Core 2.17.1
Fixes and other updates
Issue OAS-12270 (Support case CS0085940): Wrong parameter in cancelAuthSignatureRequest example (Documentation)
Description: In the OAS Authentication SDK SOAP Reference, the cancelAuthSignatureRequest example contains an incorrect parameter (requestKey). The correct parameter is requestKeyMessage.
Affects: OAS Authentication SDK 3.17–3.22
Status: The documentation has been updated.
Version 3.22 (October 2021)
New features and enhancements
Authenticator/host synchronization
A new syncTokenAndHost command has been added to the SOAP authentication interface that allows users to synchronize the device time or event counter of their authenticators with the authentication server.
This is useful for scenarios where an authenticator has not been used for a long period of time or the authenticator clock has drifted too far. The synchronization supports time- and event-based authenticator applications.
Version 3.21 (January 2021)
No changes.