Versions Compared

Old Version 1

changes.mady.by.user Michelle Williams

Saved on

compared with

New Version Current

changes.mady.by.user Michelle Williams

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Deployed to production 22 August 2022.

SVS v4.0.0

COMING SOON!

This summer, the InAcademia team will deploy a new release that is dedicated to providing support for the OAuth 2.0 Authorization Code Grant*. I'd like to provide some additional information that should help you to understand the motivation for this change and the related timelines.

What are the benefits of this update?

We believe that we are now at a point where the Authorisation Code Grant variation would offer more benefit to merchants utilising the InAcademia service than offered by the (now legacy) Implicit flow.

Is this a positive change? What are the benefits?

Primarily, this upgraded version would offer increased security as exemplified by this extract of information provided by the IETF on the topic:

...

The following describes a proposal to implement the Authorization Grant Authorization Code Flow and to deprecate the Authorization Grant Implicit Flow.

Deploy v4.0.0 to the InAcademia Customer Integration Platform (Pre-Production) to enable merchants to perform regression testing and to explore the new feature

Late

25th July 2022

- Date TBC

Deploy v4.0.0 to Production 

Mid-

22nd August 2022

- Date TBC

Authorization Code Grant Flow becomes 'recommended' by InAcademia

Mid-

22nd August 2022

- Date TBC

Remove support for Implicit Flow

End 2023 or when the IETF OAuth Working Group specifies removal from Best Practice (whichever is sooner)

It will be possible for merchants to adopt this change from the point of release of InAcademia/SVS v4.0.0, however, it is recommended that a period of robust testing is undertaken prior to launching any change to workflow in the merchant's environment.

Summary of proposed changes:

As-built

Upgraded feature

InAcademia utilises Implicit Flow

InAcademia provides options:

  1. Authorization Code Flow
  2. Implicit Code Flow (to be deprecated end 2023 or when the IETF OAuth Working Group specifies removal from Best Practice, whichever is sooner)

Merchant signals flow utilising response_type=id_token in the OIDC Authentication Request

Merchant signals flow utilising response_type=code in the OIDC Authentication Request

Claims are returned as part of the id_token

Claims are returned either as part of the id_token or user_info endpoint. 

The InAcademia support team will be available to help throughout the introduction of this new flow.

...