TideCloak 0.11.18
A minor maintenance release targeting production network resilience and recovery against edge-case failures.
Try our TideCloak dev Playground demo here:
Cybersecurity Fabric changes
ORK database resiliency enhancements
Several edge-cases were found to cause ORK node instabilities and even crashes. These are all fixed now.
- During the new-user cleanup process ("uncommitted user cleanup"), the ORK node database was sometimes reported as locked for other processes, which caused a crash.
- External drive mounts on Docker were found to sometimes cause the ORK node to report issues with its file-based database (kept external to the Docker container for backup and persistence). These issues could have been caused by a delay of a few milliseconds or a disconnection from the drive. A retry mechanism now mitigates that issue.
- Database readiness is now tested on the first API call (Pre-Sign) to mitigate transaction failure on the second one (Sign).
TideCloak changes
Licensing errors mitigation
Licensing an IdP's Tide Verifiable Vendor Key (VVK) requires a Vendor Random Key (VRK) to be generated and licensed via a Payer ORK. While that process is quite simple, it requires a successful interaction with the Stripe payment service, which may take a while (a few seconds). This additional delay has proven to cause workflow failures that resulted in a poor user experience. To mitigate those, a revamped licensing process has been implemented that identifies failures, cleans up the artefacts of failed retries and automatically recovers the process. A failed process will be retried and, if it fails again, the failure is clearly indicated to the end-user, with a manual retry offered at the user's discretion.
"Signed-Settings" failure recovery
Once a Tide VVK is generated, activated and licensed, it is used as the root authority for the entire TideCloak realm. The first artefact attested by the VVK is the "Signed-Settings" certificate. That certificate attests the authenticity of this particular realm's settings to prevent internal compromise. The settings being authenticated are elements such as the realm's URLs, custom images and some realm-wide configurations (like the user registration toggle). These settings are automatically re-signed by the VVK every time a change is approved. In edge cases where that certification process failed, a new indication now signals that failure and allows for a manual recovery.
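The sign, verify and recover cycle described above, as an added example that is not TideCloak's own code. It assumes a locally generated Ed25519 key pair standing in for the VVK, constructed setting names, and a hypothetical `needsResign` flag as the failure indication; keeping the stale signature when re-signing fails is this example's choice.

```javascript
const crypto = require('node:crypto');
// Assumption: a local Ed25519 key pair stands in for the realm's VVK.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Deterministic serialization: sorted keys, so equal settings give equal bytes.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

function signSettings(settings, key) {
  return crypto.sign(null, Buffer.from(canonicalize(settings)), key).toString('base64');
}

function verifySettings(settings, sigB64, key) {
  if (typeof sigB64 !== 'string') return false; // unsigned settings never verify
  const sig = Buffer.from(sigB64, 'base64');
  return crypto.verify(null, Buffer.from(canonicalize(settings)), key, sig);
}

// Apply an approved change and re-sign. Assumption: if signing fails, the stale
// signature is kept and the realm is flagged so an operator can retry manually.
function applyApprovedChange(realm, change, signer) {
  realm.settings = { ...realm.settings, ...change };
  try {
    realm.signature = signer(realm.settings);
    realm.needsResign = false;
  } catch (err) {
    realm.needsResign = true;
  }
}

function demo() {
  // Constructed sample settings; field names are illustrative only.
  const realm = { settings: { realmUrl: 'https://idp.example.test/realms/demo',
    logo: 'logo.png', registrationAllowed: false } };
  realm.signature = signSettings(realm.settings, privateKey);
  const valid = verifySettings(realm.settings, realm.signature, publicKey);
  applyApprovedChange(realm, { registrationAllowed: true },
    () => { throw new Error('signing unavailable'); }); // simulated failure
  const flagged = realm.needsResign;
  const stale = verifySettings(realm.settings, realm.signature, publicKey);
  applyApprovedChange(realm, {}, (s) => signSettings(s, privateKey)); // manual retry
  const recovered = verifySettings(realm.settings, realm.signature, publicKey);
  return { valid, flagged, stale, recovered };
}
```

A verifier that only checks the signature sees the stale state as a failed verification, which is why the flag is tracked separately: it distinguishes a signing failure that needs a retry from settings that were altered without approval.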