TideCloak 0.13.11
This is the largest TideCloak release to date and it includes breaking changes. It ships major Keycloak upgrades, the Forseti programmable policy engine, offboarding ("break-glass") flows, broad SDK refactors, and multiple security/performance improvements.
⚠️ Breaking changes / upgrade notes (read first)
- Fabric reset required: this release introduces a new unified ORK API framework and cannot be seamlessly migrated from earlier networks. Upgrading requires deploying against a fresh network state.
- API contract changes: most ORK endpoints now follow a unified request/attestation/voucher model. Older clients and "init-cert" style flows are deprecated.
- TideCloak UI note: Forseti support currently ships via API only (UI planned).
Highlights
- Programmable Decentralized Policy Engine (Forseti)
- Break-glass offboarding flow (Ragnarök)
- Major Keycloak upgrades (26.4.7)
- Tide Authenticator Android app (public release)
Try the TideCloak dev Playground demo:
Cybersecurity Fabric changes
Programmable Decentralized Policy Engine - "Forseti"
Tide's Ineffable Cryptography scheme enables cryptographic operations in permanent decentralized secrecy - private keys are never exposed, not even in memory. Until this release, these capabilities were restricted to predefined operations (PRISM authentication, decryption, JWT signing) with fixed qualification checks. Forseti opens this up: developers can now upload custom policies that define their own verification, authorization, and message serialization logic.
In addition to functioning as a programmable rules engine, Forseti acts as a programmable serialization layer for ineffable Ed25519 signing calls, expanding use-cases well beyond JWT validation - including SSH authentication, blockchain transactions, DID attestations, and more.
Forseti is designed similarly to a smart-contract runtime: policy code is uploaded once and executed across a decentralized swarm of ORK nodes, where each node internally runs a thin layer of sandboxed virtual machines with strong resource controls. Unlike many smart-contract engines, Forseti uses compiled code for performance, leveraging the richness of C# together with the maturity of the Microsoft .NET compiler platform (Roslyn).
Primary features
- Policies are developer-authored programs executed by the Fabric.
- Policies are uploaded per Tide Key (they run only on that key's swarm).
- The SHA-256 checksum of the policy source is used as an integrity identifier.
- Each ORK verifies the checksum, compiles the policy, and stores the executable locally.
- Policies execute in a sandboxed VM with enforced limits (CPU, memory, timeout).
- Policies do not have access to key shards.
(Deprecated) Native Hedera Hashgraph and Cardano transaction flows
As a proof-of-concept, native sign flows were added for Hedera Hashgraph mainnet UTXO and Cardano Byron mainnet UTXO serialization formats, enabling the Fabric to validate and sign these transactions prior to chain submission.
These native flows are now deprecated because Forseti can describe and enforce the required message serialization format directly, enabling support for additional formats and protocols (UTXO variants, access tokens, SSH handshakes, etc.) via policies.
Streamlined unified API structure
Most ORK API endpoints now follow a unified framework because they share common verification requirements. This improves consistency and reduces the chance of edge-case behavior across endpoints.
The unified framework standardizes:
- API versioning
- Voucher budgeting and validation
- Call authentication
- Attestation nonce management
- Final attestation proof (signature)
This redesign is the primary reason the upgrade is a breaking change and required a network reset. The new structure is intended to prevent similar resets in future releases.
Break-glass offboarding flow - "Ragnarök"
Tide's security model is Fabric-dependent by design (continuous connectivity and quorum trust assumptions). Ragnarök provides a controlled way to "de-Tidify" a platform if an owner needs the option to revert to non-Tide operation.
Once offboarding is approved:
- The platform can download an encrypted backup of the master key (eVVK).
- The master key can be unlocked as part of the offboarding process.
- Requests are protected by Quorum-Enforced Authorization (no single operator can trigger it).
- ORKs participate in unlocking the key and then delete their shares (irreversible).
Once offboarding is complete, the key is deemed insecure by Tide and is deleted from the Fabric.
Secure Web Enclave pop-up for modern browser storage partitioning
Starting with Safari's Intelligent Tracking Prevention (2017) and accelerating through Chrome 115's Storage Partitioning (2023), major browsers now isolate storage for embedded content. This can prevent the Secure Web Enclave from retrieving the ephemeral keys needed to establish end-to-end encrypted sessions when it runs inside an iframe.
This release introduces a compliant fallback - without requiring users to weaken their browser's privacy settings:
- A small first-party enclave pop-up window (on the enclave's domain) to restore storage access.
- The pop-up communicates with the parent iframe via postMessage + MessagePort, which remains fully supported even under the strictest partitioning rules.
- Where supported, the Storage Access API can avoid the pop-up entirely, with the pop-up retained as a reliable fallback.
Storage Access API browser support: Chrome 115+, Edge 115+, Firefox 65+, Safari 11.1+.
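The fallback described above, sketched with standard browser APIs as an added example (this is not Tide's or TideCloak's enclave code): the iframe first tries the Storage Access API and, if that fails, opens a first-party pop-up on the enclave's own origin, which hands back a MessagePort through postMessage with a pinned targetOrigin. The origin `https://enclave.example`, the `/storage-bridge` path, the `enclave-port` message type and the `ephemeral-key` storage key are constructed placeholders, not values from the release notes.

```javascript
// Added example, not Tide/TideCloak code. Illustrates the partitioned-storage
// fallback: try the Storage Access API first, otherwise open a first-party pop-up
// on the enclave's own origin and receive a MessagePort from it via postMessage.
// ENCLAVE_ORIGIN, the /storage-bridge path, the "enclave-port" message shape and
// the "ephemeral-key" storage key are constructed placeholders.

const ENCLAVE_ORIGIN = "https://enclave.example";
const ALLOWED_KEYS = new Set(["ephemeral-key"]); // constructed key name

// --- Pure helpers (no browser needed) ---------------------------------------

// A handoff that carries session key material is accepted only from the exact
// origin we expect; "null", "*" or a look-alike host are all rejected.
function isTrustedOrigin(origin, expected = ENCLAVE_ORIGIN) {
  return typeof origin === "string" && origin === expected;
}

// Accept the handshake only if it has the agreed type and carries exactly one
// transferred MessagePort; returns that port or null.
function parseBridgeMessage(data, ports) {
  if (!data || typeof data !== "object" || data.type !== "enclave-port") return null;
  if (!Array.isArray(ports) || ports.length !== 1) return null;
  return ports[0];
}

// The pop-up answers only whitelisted single-key reads over the port.
function isAllowedRequest(msg, allowed = ALLOWED_KEYS) {
  return !!msg && msg.type === "get" && typeof msg.key === "string" && allowed.has(msg.key);
}

// --- Iframe side (runs inside the embedded enclave) ------------------------

async function establishEnclaveChannel({ timeoutMs = 60000 } = {}) {
  // 1. Storage Access API: Chrome 115+, Edge 115+, Firefox 65+, Safari 11.1+.
  //    requestStorageAccess() must be called from a user gesture (e.g. a click).
  if (typeof document !== "undefined" && typeof document.requestStorageAccess === "function") {
    try {
      if (!(await document.hasStorageAccess())) await document.requestStorageAccess();
      if (await document.hasStorageAccess()) return { path: "direct", port: null };
    } catch (_) {
      // Denied or unsupported: fall through to the pop-up.
    }
  }

  // 2. Fallback: a small first-party pop-up on the enclave's origin. Being
  //    top-level, it sees the unpartitioned storage the iframe cannot reach.
  const popup = window.open(`${ENCLAVE_ORIGIN}/storage-bridge`, "enclave-bridge", "width=420,height=520");
  if (!popup) throw new Error("pop-up blocked");

  const port = await new Promise((resolve, reject) => {
    const timer = setTimeout(() => {
      window.removeEventListener("message", onMessage);
      reject(new Error("storage bridge timed out"));
    }, timeoutMs);
    function onMessage(event) {
      // Ignore anything that is not from our pop-up on our origin.
      if (event.source !== popup || !isTrustedOrigin(event.origin)) return;
      const p = parseBridgeMessage(event.data, event.ports);
      if (!p) return;
      clearTimeout(timer);
      window.removeEventListener("message", onMessage);
      resolve(p);
    }
    window.addEventListener("message", onMessage);
  });
  return { path: "popup", port };
}

// --- Pop-up side (served at ENCLAVE_ORIGIN/storage-bridge) ------------------

function serveStorageBridge() {
  const { port1, port2 } = new MessageChannel();
  port1.onmessage = (e) => {
    if (!isAllowedRequest(e.data)) return; // never dump the whole storage
    port1.postMessage({ type: "item", key: e.data.key, value: localStorage.getItem(e.data.key) });
  };
  // Transfer the other end to the opener, pinning targetOrigin so the port
  // cannot be delivered to a page on any other origin.
  window.opener.postMessage({ type: "enclave-port" }, ENCLAVE_ORIGIN, [port2]);
}
```

The two checks that matter for safety are on the receiving side: the iframe accepts the port only when `event.source` is the window it opened and `event.origin` matches exactly, and the pop-up pins `targetOrigin` instead of `"*"` so a transferred port can never land in a foreign page. Once the port is held, the iframe requests individual items with `port.postMessage({ type: "get", key: "ephemeral-key" })`.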
Cross-network database sync improvements
- Improved sync performance
- Fixed race conditions
- Strengthened correctness and integrity verification
Miscellaneous security and performance improvements
- ORK build pipeline improvements
- Hardened container images
- Expanded metrics for traceability and operations
TideCloak changes
Keycloak upgrade to 26.4.7
TideCloak has been upgraded to Keycloak 26.4.7, pulling in a large set of upstream fixes (SAML race condition fixes, LDAP referral restrictions, session cleanup improvements, rate limiting for verification emails, path normalization, memory leak mitigations, Quarkus updates, admin console stability fixes, and more).
Noteworthy items
- Quarkus 3.27.1
- Infinispan 15.0.19.Final
- LDAP referral filtering enabled by default
- Optional hiding of client scopes from scopes_supported
- Verification email rate limiting (update email context)
- Improvements to admin-managed user-profile email verification attributes
- Federated client auth via SPIFFE or Kubernetes service account tokens
- Client-initiated renegotiation hardened (disabled by default)
- Official DPoP support
- Final specs support for FAPI 2.0 Security Profile + Message Signing
- Serving as an authorization server for MCP (act as authz in MCP-based integrations)
- Asynchronous logging for higher throughput/lower latency
Ragnarök offboarding integration
TideCloak now implements Ragnarök internally:
- TideCloak stores an encrypted master key backup (eVVK).
- An admin quorum can approve offboarding, unlock the key locally, migrate Tide users to regular auth (password reset can be automated), and decrypt protected data to cleartext.
Full documentation here.
Unified API support
TideCloak communications were updated to support the unified ORK API framework. This includes:
- token validation fixes
- support for Forseti policy signing requests and policy builder functions
- deprecation of the legacy "init-cert" flows
Forseti is currently supported via TideCloak API endpoints only (no UI yet).
Miscellaneous
- Improved build scripts to support automated CI/CD and clearer artifacts
- Automatic NPM version checks
- Multi-arch Docker builds (Win-x64, Linux-x64, ARM64) with added hardening
- Completely rewritten JNA interface handling between Keycloak (Java) and Tide (.NET) libraries for performance, security, and reliability
- Event logging improvements covering the many newly added Quorum-Enforced administration actions
Tide Authenticator app
Tide's passwordless authentication app is the first open-source, fully-decentralized multi-factor authentication tool, designed to act as a secondary factor. It scans QR codes generated by the Secure Web Enclave to establish a secure channel and provide a zero-knowledge attestation of the user's identity.
- Android: first public release is now available on Google Play
- iOS: currently in Apple's release process
SDK changes
This release updates SDKs for:
- the unified ORK API framework
- Forseti policy management
- passwordless app-driven authentication flows
- the newly supported hybrid-BFF flow
New server-side SDK - "Asgard"
This release introduces Asgard, a C#-based server-side SDK complementing:
- the client SDKs (language-dependent), and
- the Keycloak SDK ("Midgard")
Prior Node support (Tide-VerifyJS) provided basic JOSE validation but lacked Tide-specific functionality - Asgard can be considered its successor. Asgard is purpose-built for Tide server-side capabilities such as:
- Forseti policy management actions
- Ragnarök offboarding actions for secure server-side data
- secure tunnel support to the enclave
- Hybrid-BFF (Backend-for-Frontend) flow, where the authz server returns both the CPKE and id_token artefacts to the front-channel but conducts the code exchange directly with the backend, so the JWT is never used for session control.
TideJS refactor
TideJS (a shared core library across multiple Tide projects) was significantly refactored:
- migrated fully to TypeScript for stronger typing
- restructured to better support server-side SDK needs (Asgard)
- removed unused libraries and references
Known limitations
- Forseti UI: policy management is currently API-only; a TideCloak UI is planned for a future release.
- iOS Authenticator: the Apple App Store release is pending Apple's review process.
Detailed changelog
For a granular per-repository breakdown of changes (Midgard, Heimdall, ORK, Ragnarok, TideJS, TideCloakJS, Asgard, master-libs, tidecloak-override, and upstream Keycloak), see the detailed changelog.