TideCloak 0.6.37
Besides many improvements and bug fixes for the Tide-IGA capability, this release also introduces a glimpse of the upcoming E2EE feature: Role-based End-to-End Encryption!
In addition, there are a few other significant improvements, such as the server-side key generation enhancement (guaranteeing a uniform user experience and improved performance) and a brand new NPM package as TideCloak's official SDK: Heimdall Plus.
A new client-server example project is now available for developers here.
Keycloak 26.1.1
Full release notes can be found on the Keycloak website. The list below reflects the most relevant changes in the TideCloak context, in descending order of priority.
Abort X.509 authentication if outdated
This may sound obvious, but until this release, the CRL field wasn't validated during X.509 authentication, so a certificate could be accepted even when the revocation information was outdated. This has now been fixed.
Fix existing realms that aren't found
In the admin console, a realm was sometimes reported as not found although it existed, and was only accessible if its URL was entered directly. This is fixed.
Vendor's key generation moved to the backend
Until now, the creation and initialization of the Vendor Verified Key (VVK) was done in JavaScript, as part of the Tide IdP creation in the Administration console. This functionality suffered from inconsistent behaviour across operating systems and browsers and sometimes failed, but most significantly, it prevented key generation via the Admin API. A lot of work was conducted to move all of that functionality to TideCloak's backend (Midgard). Besides fixing all of the above issues, this change also brought a significant performance increase. In addition, this enhancement introduced:
- API endpoint for certifying Vendor's settings
- API endpoint to generate licensing keys
- Streamline the management of Tide Cybersecurity Fabric settings within the key management (homeORK URL, vendor ID, Payer public key)
- Native code (AOT) implementation of Tide core cryptography: swarm key generation flow, signing and decryption
IGA Enhancement
An overall set of improvements and fixes for the IGA behaviour:
- Support for realm names with special characters
- Better quorum threshold calculations
- Improved caching for quicker UI feedback
- Better support for composite roles assignments
- Confirm button addition in the admin changeset cancellation request process
- Manual forced settings certification on request
- Awesome new icon for Tide IdP
- Ability to quickly adapt to session context change (between accepting invitation to signing in)
New Javascript SDK
A new NPM module codenamed "Heimdall-Plus" was introduced, merging all of Keycloak's latest SDK with the additional TideCloak capabilities. Unlike the lightweight version, named "Heimdall", which only invokes the Tide login web enclave, this full-fledged SDK includes E2EE functionality as well as IGA.
E2EE
This release introduces the third layer of verifiably secured identity management (BYOiD + Quorum IGA + E2EE), allowing (initially as a limited preview) optimal data protection on platforms. With this release, platform developers can declare sensitive fields as Tide-secured. Only the end-user who owns the account for these fields can encrypt or decrypt them - all without ever holding the root key. Both security functions occur at the browser's edge, while the information remains encrypted, and keyless, in transit and in storage. Administrators can define entire classes of fields based on a customizable "tag" name, e.g. "personal", and assign access rights for that tag to the relevant users. Tide adheres to those quorum-certified settings and executes them in a swarm multi-party fashion on the Tide Cybersecurity Fabric. This functionality has been embedded in the "Heimdall-Plus" SDK and is documented here.
ORK's documentation
Comprehensive documentation has been written on the inner workings of the Tide Fabric's node, the ORK, and its different components: the ORK's different services, the core cryptographic library, the main MPC request, test processes and benchmark measurements.
Example dev project
To wrap it all up nicely, we've introduced another example project for developers, this one implementing both frontend and backend in a NextJS environment. This project includes frontend integration with Tide IdP (implemented in ReactJS, similar to the Getting Started example), server-side JWT validation (implemented in NextJS together with the off-the-shelf JOSE library), an API fetch call (classic NodeJS) and an E2EE implementation (in JavaScript). You can find the project and its documentation here.