
Published Release Notes

This documentation is for non-current versions of Pega Platform. For current release notes, go here.

Business logic-based routing cards enhancements

Valid from Pega Version 8.5

To ensure that the sequence of business logic-based routing cards conforms to your business requirements, you now have the option to change the order of the cards. For easier navigation across multiple routing cards, the system automatically collapses the cards for you, and you can then easily expand the cards that you need to display.

For more information, see Navigate easier across business logic-based routing cards (8.5), Assigning users automatically at run time.

Improvements to OAuth 2.0 Services with Token Introspection Service and Token Denylist Service

Valid from Pega Version 8.5

Increase the security of user sessions by using the newly supported Token Introspection and Denylist services for OAuth 2.0.

Token Introspection service

Use the Token Introspection service to validate JSON Web Tokens (JWT). The Token Introspection service requires authentication. 

Pega now uses OAuth 2.0 access tokens called Authorized Access Tokens (AAT). 

Token Introspection service endpoint

The Token Introspection service endpoint provides information about the status of access tokens and refresh tokens. Use token introspection to determine whether a given token is still active. The status indicates whether an access token or refresh token is valid or invalid:

  • Valid tokens have the "active": true status.
  • Invalid tokens have the "active": false status.

The inactive status can also be due to revocation. 

Token Denylist service

You can add tokens to the deny list in cases where suspicious activity might have occurred. The Token Denylist service provides a method for denying user access to the application by revoking the user's access token. This service can prevent a token from being used more than the specified number of times, which can be helpful in preventing replay attacks. Stolen tokens should be revoked using this service. A GET API is also available to get the list of denied tokens.
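The following added example (not Pega code and not part of the original release notes) models how the two services described above interact: a token that is revoked, expired, or used up to its limit is reported as "active": false by introspection. The class `TokenStore`, the function `caller_accepts`, the `jti`-style token IDs, and the use limit of 2 are all hypothetical names and values chosen for illustration.

```python
class TokenStore:
    """Toy authorization-server state: issued tokens, a deny list, use counters."""

    def __init__(self, max_uses):
        self.max_uses = max_uses      # assumed per-token use limit
        self.issued = {}              # token id -> expiry (epoch seconds)
        self.denied = set()           # token ids on the deny list
        self.uses = {}                # token id -> number of accepted uses

    def issue(self, jti, ttl, now):
        self.issued[jti] = now + ttl
        self.uses[jti] = 0

    def deny(self, jti):
        """Revoke a token, for example after it is reported stolen."""
        self.denied.add(jti)

    def list_denied(self):
        """Counterpart of the GET API that lists denied tokens."""
        return sorted(self.denied)

    def introspect(self, jti, now):
        """Unknown, expired, or denied tokens are all reported as inactive."""
        exp = self.issued.get(jti)
        if exp is None or now >= exp or jti in self.denied:
            return {"active": False}
        return {"active": True, "exp": exp}

    def use(self, jti, now):
        """Accept one use; put the token on the deny list once the limit is reached."""
        if not self.introspect(jti, now)["active"]:
            return False
        self.uses[jti] += 1
        if self.uses[jti] >= self.max_uses:
            self.denied.add(jti)      # any later presentation is a replay
        return True


def caller_accepts(response):
    """Resource-server check: fail closed unless active is the boolean True."""
    return isinstance(response, dict) and response.get("active") is True


def demo():
    now = 1_000_000                   # constructed clock value
    store = TokenStore(max_uses=2)
    store.issue("tok-a", ttl=300, now=now)
    store.issue("tok-b", ttl=300, now=now)
    results = [store.use("tok-a", now) for _ in range(3)]   # third use is a replay
    store.deny("tok-b")                                      # revoke a stolen token
    return results, store.introspect("tok-b", now), store.list_denied()
```

A caller that treats a missing field, a string such as "true", or an unparseable response as inactive fails closed when the introspection call itself goes wrong.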

Keys endpoint

Pega Platform™ is changing from using opaque tokens to JSON Web Tokens (JWT). If this JWT is used by any other system, that system needs the public key for signature verification. A new endpoint is exposed to provide these public keys in JWK format: https://host:port/prweb/api/oauth2/v1/token/keys.

 

For more information, see OAuth 2.0 Management Services.

Enhanced refresh token strategy

Valid from Pega Version 8.5

You now have more precise control over your refresh token expiration strategy. When a refresh token is enabled, you can choose to set its initial expiration based on the value provided by the IDP. The refresh token expiry can be derived from the IDP's session timeout when SSO is used with an external IDP for user authentication in the authorization code grant flow. You can also specify a separate refresh token expiration strategy based on your use case.

These can be configured in the OAuth2 Client registration rule form.

For more information, see Enhanced refresh token strategy.

Enhancements to token lifetime limits

Valid from Pega Version 8.5

Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to strict value ranges based on industry-leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.

These can be configured in the OAuth2 Client registration rule form.

For more information, see OAuth 2.0 Management Services.

Create, Save As, and Specialization forms

Valid from Pega Version 7.1.4

The familiar “New” and “Save As” forms have been streamlined to make record creation faster and more intuitive. You can easily target a specific layer in your application stack, interactively define the record’s configuration and select only those circumstance definitions that make sense for your use case.

While the underlying behavior for creating a record is not new for this release, the redesigned UI of these forms and new defaulting strategy for fields is worth noting:

PRPC_7_1_4_Release_Notes-1.jpg

To launch these forms, use one of the new options found in the action area of the form header:

PRPC_7_1_4_Release_Notes-2.jpg

Note that not all record types support the ability to specialize by circumstance.

For more guidance on how to use the Create, Save As and Specialization forms, please refer to: Intuitive record creation and specialization

Redirect users to logout screen

Valid from Pega Version 7.1.4

New applications built in Version 7.1 will automatically redirect users to the PRPC login page upon logout.

 

A new template, Web-Session-Return-Template, has been added, to allow developers to customize their applications to redirect users to a logout page, if they wish.  This template can be copied to a ruleset visible to unauthenticated requestors (via node configuration) and used to override Web-Session-Return.

Enabling security policies now requires current password

Valid from Pega Version 7.1.3

As part of Pega’s initiative to protect against malicious attacks, the change password dialog has been enhanced.  When Security Policies have been enabled for your system, new users or those with expired passwords will now be prompted for both their existing password as well as their desired new password.

For more details, review the Designer Studio > System > Settings > Security Policies landing page.

Source field not displaying in data transform

Valid from Pega Version 7.1.4

On the Data Transform rule form when using the Update Page action, if the Relation value is updated to “with values from”, the Source field will not be displayed.

(Note that for existing data transforms where the Source field has already been completed, this situation should not occur.)

Workaround

  1. Below is a data transform that has been configured to use Update Page.
    DataTransform1.jpg
  2. If a user were to choose an alternate source by updating the ‘with values from’ Relation value, they would not be prompted to provide a page name in the Source field.
    DataTransform2.jpg
  3. At this point, to be able to enter the Source page value, the user has to save the rule, which results in an error because the source page value is blank. This causes the field to appear.
    DataTransform3.jpg
  4. Once the field has appeared, the Source page value can be provided, and the form can be saved successfully.
    DataTransform4.jpg

Automated Unit Testing is unavailable

Valid from Pega Version 7.1.1

Automated Unit Testing (AUT) is unavailable in 7.1.1 - 7.1.5.

Starting in 7.1.6, users can access AUT features from supported browser versions of IE.

IE8 limits expansion features

Valid from Pega Version 7.1.1

Internet Explorer 8 (IE8) does not support CSS media queries, which are used by re-expansion features in the Designer Studio. IE8 users with low screen resolution (800 x 600) and a small window size may find that the explorer area in the Designer Studio collapses but cannot re-expand. 

As a workaround, access the Designer Studio from another supported browser version and use the recommended minimum screen resolution width of 1280 pixels.
