Product Documentation

Fixes and Changes in SKFS 4.8.0


RFE-24: Server ID added to logged TXIDs

A server ID has been added to the TXID printed in the Payara logs so that TXIDs generated by different nodes of a cluster can be told apart.

Old TXID:

[TXID=71-1671722582291]

New TXID:

[TXID=2-168-1671488338984]

RFE-25: TTE logged for expected errors

SKFS previously printed a Time To Complete (TTC) for every successful transaction but logged nothing similar for failures/errors.

SKFS version 4.8.0 introduces a Time To Error (TTE) for expected failures/errors encountered in the server.

Example of logged TTE:

FIDO-ERR-0003: Error during calling web service: [TXID=1-77-1671497178295, START=1671497178305, FINISH=1671497178323, TTE=18]]]

RFE-26: Add Application TXID to logs

Adds the ability for an application to optionally include a custom "appTXID" in a web service request's payload object. This appTXID is logged alongside the TXID. The updated request bodies can be found here.

Example of logged appTXID:

[TXID=1-77-1671754556627, appTXID=CustomAppTXID]
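The three log formats above (server-prefixed TXIDs, the TTC/TTE timing fields, and the optional appTXID) are what a log-collection or detection pipeline has to parse. The following is an added example, not SKFS code, that extracts those fields from sample lines modelled on the ones shown and verifies that the logged TTC/TTE agrees with FINISH minus START. The sample lines and the FIDO-MSG codes are constructed; that the second and third TXID fields are a counter and an epoch-millisecond timestamp is an assumption, as the notes only document the server-ID prefix.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample lines modelled on the formats in the 4.8.0 release notes.
# Only "FIDO-ERR-0003" appears in the notes; the other message codes are made up.
SAMPLE_LOG_LINES = [
    "FIDO-MSG-0001: Web service complete: [TXID=71-1671722582291, START=1671722582291, FINISH=1671722582300, TTC=9]",
    "FIDO-ERR-0003: Error during calling web service: [TXID=1-77-1671497178295, START=1671497178305, FINISH=1671497178323, TTE=18]",
    "FIDO-MSG-0002: Web service complete: [TXID=1-77-1671754556627, appTXID=CustomAppTXID, START=1671754556627, FINISH=1671754556700, TTC=73]",
    "WARN: unrelated Payara line without a transaction id",
]

TXID_RE = re.compile(r"TXID=(?P<txid>[0-9]+(?:-[0-9]+){1,2})")
FIELD_RE = re.compile(r"(?P<key>appTXID|START|FINISH|TTC|TTE)=(?P<val>[^,\]\s]+)")


@dataclass
class TxRecord:
    txid: str
    server_id: Optional[int]     # None for pre-4.8.0 two-part TXIDs
    counter: int                 # assumption: second field is a per-server counter
    issued_ms: int               # assumption: last field is an epoch-millisecond stamp
    app_txid: Optional[str]
    start: Optional[int]
    finish: Optional[int]
    ttc: Optional[int]
    tte: Optional[int]


def parse_txid(txid: str):
    """Split an old (counter-ms) or new (server-counter-ms) TXID into its parts."""
    parts = [int(p) for p in txid.split("-")]
    if len(parts) == 2:
        return None, parts[0], parts[1]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"unrecognised TXID format: {txid}")


def parse_line(line: str) -> Optional[TxRecord]:
    """Return a TxRecord for a line carrying a TXID, or None for unrelated lines."""
    m = TXID_RE.search(line)
    if not m:
        return None
    fields = {k: v for k, v in FIELD_RE.findall(line)}
    server_id, counter, issued_ms = parse_txid(m.group("txid"))
    as_int = lambda key: int(fields[key]) if key in fields else None
    return TxRecord(
        txid=m.group("txid"),
        server_id=server_id,
        counter=counter,
        issued_ms=issued_ms,
        app_txid=fields.get("appTXID"),
        start=as_int("START"),
        finish=as_int("FINISH"),
        ttc=as_int("TTC"),
        tte=as_int("TTE"),
    )


def elapsed_ms(rec: TxRecord) -> Optional[int]:
    """Wall-clock time recomputed from the START/FINISH stamps, if both are present."""
    if rec.start is None or rec.finish is None:
        return None
    return rec.finish - rec.start


def timing_is_consistent(rec: TxRecord) -> bool:
    """True when the logged TTC (success) or TTE (error) matches FINISH - START."""
    logged = rec.ttc if rec.ttc is not None else rec.tte
    return logged is not None and logged == elapsed_ms(rec)


def parse_log(lines: List[str]) -> List[TxRecord]:
    return [rec for rec in map(parse_line, lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG_LINES):
        kind = "error" if rec.tte is not None else "ok"
        print(f"{rec.txid:<22} server={rec.server_id} app={rec.app_txid} "
              f"{kind} took={elapsed_ms(rec)}ms consistent={timing_is_consistent(rec)}")
```

Grouping records by `server_id` is what makes the RFE-24 prefix useful in practice: two nodes that each emit counter 77 in the same millisecond no longer collide once the prefix is part of the key.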

RFE-27: Obfuscate IDs printed in server logs

Instead of logging the whole id, rawId, and credentialId in both the register and authenticate web services, obfuscate them by logging only the first and last 8 (default) characters of each string, while still returning the whole string in the web service responses.

A new SKFS configuration property has been added: "skfs.cfg.property.return.obfuscation.limit"
This property determines how many characters from the beginning and from the end of the id/rawId/credentialId are printed in the server logs. (Default: 8)

Ex: When the id, rawId, or credentialId "abcdefghijklmnopqrstuvwxyz" is obfuscated...

  • ...with the (default) obfuscation limit config value of 8, the server logs the value: "abcdefgh...stuvwxyz"

  • ...with the obfuscation limit config value of 3, the server logs the value: "abc...xyz"

The web service response does not change, showing the entirety of the id/rawId/credentialId.
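The following added example (not SKFS code) shows the obfuscation rule above applied both to a single value and to a whole response document before it is logged, so the logged copy is masked while the object returned to the caller is untouched. The response shape and the handling of values too short to mask meaningfully (only their length is logged) are this example's assumptions; the notes do not describe either.

```python
import copy
import json
from typing import Any

# Default of skfs.cfg.property.return.obfuscation.limit, per the 4.8.0 release notes.
DEFAULT_OBFUSCATION_LIMIT = 8

# Fields the release notes say are obfuscated in register/authenticate log output.
OBFUSCATED_KEYS = {"id", "rawId", "credentialId"}


def obfuscate_id(value: str, limit: int = DEFAULT_OBFUSCATION_LIMIT) -> str:
    """Keep the first and last `limit` characters, replace the middle with '...'."""
    if limit < 1:
        raise ValueError("obfuscation limit must be at least 1")
    if len(value) <= 2 * limit:
        # Assumption (not documented SKFS behaviour): head + tail would reveal the
        # entire value, so log only its length instead of the value itself.
        return f"<{len(value)} chars>"
    return f"{value[:limit]}...{value[-limit:]}"


def obfuscate_for_log(doc: Any, limit: int = DEFAULT_OBFUSCATION_LIMIT) -> Any:
    """Return a deep copy of `doc` with every id/rawId/credentialId string masked.

    Walks nested dicts and lists so the rule applies wherever the fields occur;
    the original object (the web service response) is never modified.
    """
    masked = copy.deepcopy(doc)

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                if key in OBFUSCATED_KEYS and isinstance(val, str):
                    node[key] = obfuscate_id(val, limit)
                else:
                    walk(val)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(masked)
    return masked


def log_line(txid: str, response: Any, limit: int = DEFAULT_OBFUSCATION_LIMIT) -> str:
    """Build the text that would be written to the server log."""
    return f"[TXID={txid}] response={json.dumps(obfuscate_for_log(response, limit), sort_keys=True)}"


# Constructed sample response; the field layout is an assumption for illustration.
SAMPLE_RESPONSE = {
    "Response": {
        "id": "abcdefghijklmnopqrstuvwxyz",
        "rawId": "abcdefghijklmnopqrstuvwxyz",
        "credentialId": "0123456789ABCDEF0123456789ABCDEF",
        "type": "public-key",
        "extensions": [{"credentialId": "short"}],
    }
}

if __name__ == "__main__":
    print(log_line("1-77-1671754556627", SAMPLE_RESPONSE))
    print(log_line("1-77-1671754556627", SAMPLE_RESPONSE, limit=3))
    # The response itself is returned to the caller unchanged:
    print(json.dumps(SAMPLE_RESPONSE["Response"]["id"]))
```

A check worth adding to a log review is that no full-length credentialId ever appears in the Payara log after the upgrade; `obfuscate_for_log` being applied on the logging path, rather than on the response object, is what guarantees the two diverge only in the log.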

RFE-29: Add cross origin support in FIDO policy

SKFS administrators may now specify whether cross-origin requests are allowed in the SKFS. If so, they may specify from which origins the SKFS will process requests.

Here is a detailed example of the SKFS FIDO policy.

An example cross origin policy key would look like the following:

{
    "FidoPolicy": {
        ...
        "crossOrigin": { "enabled": true, "allowedOrigins": ["example.strongkey.com", "test.strongauth.com"] },
        ...
    }
}
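The following added example (not SKFS code) shows how a verifier would apply a policy key of that shape when checking the origin a browser reports in a WebAuthn clientDataJSON. It compares hostnames exactly (no wildcard or suffix matching), accepts only https origins, and treats a disabled crossOrigin block as "only the relying party's own host may register or authenticate". The policy document is constructed from the snippet above; the relying-party hostname parameter, the https-only rule and the same-origin-always-allowed rule are this example's assumptions, not documented SKFS behaviour.

```python
import json
from typing import Set, Tuple
from urllib.parse import urlsplit

# Constructed policy document built around the crossOrigin key from the release notes.
POLICY_JSON = """
{
    "FidoPolicy": {
        "crossOrigin": {
            "enabled": true,
            "allowedOrigins": ["example.strongkey.com", "test.strongauth.com"]
        }
    }
}
"""

POLICY_DISABLED_JSON = """
{ "FidoPolicy": { "crossOrigin": { "enabled": false, "allowedOrigins": ["example.strongkey.com"] } } }
"""


def origin_host(origin: str):
    """Return the lower-cased hostname of an https origin, or None if it is not acceptable.

    clientDataJSON carries the origin as "https://host[:port]"; a bare hostname in
    the policy list is accepted as-is so entries can be written either way.
    """
    if "://" not in origin:
        return origin.strip().lower() or None
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:   # assumption: https only
        return None
    return parts.hostname.lower()


def load_cross_origin(policy: dict) -> Tuple[bool, Set[str]]:
    """Extract (enabled, allowed hostnames) from a FidoPolicy document."""
    block = policy.get("FidoPolicy", {}).get("crossOrigin", {})
    enabled = bool(block.get("enabled", False))
    allowed = {h for h in map(origin_host, block.get("allowedOrigins", [])) if h}
    return enabled, allowed


def is_origin_allowed(policy: dict, rp_hostname: str, client_origin: str) -> bool:
    """Decide whether a request whose clientDataJSON reports `client_origin` is processed."""
    host = origin_host(client_origin)
    if host is None:
        return False
    if host == rp_hostname.lower():          # assumption: the RP's own origin always passes
        return True
    enabled, allowed = load_cross_origin(policy)
    return enabled and host in allowed       # exact hostname match, no suffix matching


if __name__ == "__main__":
    policy = json.loads(POLICY_JSON)
    for origin in ["https://example.strongkey.com", "https://evil.example.net",
                   "http://test.strongauth.com", "https://sub.example.strongkey.com"]:
        print(f"{origin:<40} allowed={is_origin_allowed(policy, 'fido.example.com', origin)}")
```

Because the check is an exact hostname comparison, adding a parent domain to allowedOrigins does not admit its subdomains; each permitted host has to be listed, which is the conservative reading of the policy key.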

BUG-8: Add support for EC keys for Windows 11 22H2 in TPM 2.0 version

TPM 2.0 started issuing Elliptic-Curve (EC) keys in Windows 11 22H2. Earlier versions of the FIDO Server supported only RSA; the server has now added the capability to handle EC keys.