0.18

0.18.0

Features

OIDC Integration & Role Mapping: The Enterprise Auth API now supports OIDC as an authentication flow, including external role mapping from identity providers (e.g., Keycloak) to tenant roles, deterministic fallback role assignment, and wallet-scope allow/deny validation. Session propagation and token-mapping diagnostics have been improved throughout.
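The three checks named above (external role mapping, deterministic fallback, wallet-scope allow/deny), as an added Python example that is not walt.id's code and does not use its configuration schema. It starts from an already signature-verified Keycloak access-token payload (realm_access.roles and resource_access.<client>.roles are Keycloak's real claim layout); ROLE_MAP, FALLBACK_ROLE, the scope patterns and the sample payloads are constructed for the example.

```python
import fnmatch

# Constructed mapping for this example: "realm:<role>" covers realm_access.roles,
# "client:<client_id>:<role>" covers resource_access.<client_id>.roles.
ROLE_MAP = {
    "realm:wallet-admin": "tenant.admin",
    "realm:issuer": "tenant.issuer",
    "client:business-wallet:holder": "tenant.holder",
}
FALLBACK_ROLE = "tenant.viewer"  # least privilege; assigned when nothing maps

# Constructed wallet-scope policy. Deny patterns are evaluated first and always win.
WALLET_SCOPE_ALLOW = ["wallet:credentials:read", "wallet:credentials:present", "wallet:keys:*"]
WALLET_SCOPE_DENY = ["wallet:keys:export"]


def extract_idp_roles(claims: dict) -> set[str]:
    """Collect realm and client roles from a Keycloak token payload.

    The payload must already have passed signature, issuer, audience and expiry
    checks; this function trusts whatever it is given.
    """
    roles = {f"realm:{r}" for r in claims.get("realm_access", {}).get("roles", [])}
    for client_id, access in claims.get("resource_access", {}).items():
        roles |= {f"client:{client_id}:{r}" for r in access.get("roles", [])}
    return roles


def map_tenant_roles(claims: dict) -> list[str]:
    """Map external roles to tenant roles.

    Unknown IdP roles are ignored rather than passed through, and the result is
    sorted so the same token always yields the same role list. A token that maps
    to nothing gets exactly the fallback role, never an empty set.
    """
    mapped = {ROLE_MAP[r] for r in extract_idp_roles(claims) if r in ROLE_MAP}
    return sorted(mapped) if mapped else [FALLBACK_ROLE]


def validate_wallet_scopes(requested, allow=WALLET_SCOPE_ALLOW, deny=WALLET_SCOPE_DENY):
    """Split requested scopes into (granted, rejected).

    A scope is granted only if it matches an allow pattern and no deny pattern;
    anything unmatched is rejected (fail closed). Patterns use fnmatch syntax.
    """
    granted, rejected = [], []
    for scope in sorted(set(requested)):
        denied = any(fnmatch.fnmatchcase(scope, p) for p in deny)
        allowed = any(fnmatch.fnmatchcase(scope, p) for p in allow)
        (rejected if denied or not allowed else granted).append(scope)
    return granted, rejected


if __name__ == "__main__":
    # Constructed, already-verified token payloads.
    admin = {
        "realm_access": {"roles": ["wallet-admin", "offline_access"]},
        "resource_access": {"business-wallet": {"roles": ["holder"]}},
    }
    print(map_tenant_roles(admin))
    print(map_tenant_roles({"realm_access": {"roles": ["offline_access"]}}))
    print(validate_wallet_scopes(
        ["wallet:keys:export", "wallet:keys:sign", "wallet:credentials:read", "wallet:admin"]))
```

The ordering in validate_wallet_scopes is the part worth copying: computing the deny match before the allow match, and treating "no match at all" as a rejection, means a typo in the allow list can only under-grant, never over-grant.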

Zero-Retention / Data Minimisation Mode: A configurable zero-retention mode has been introduced for PII in issuance and verification sessions. When enabled, session data is not persisted beyond the immediate transaction, supporting GDPR and data-minimisation requirements.

TokenStatusList Draft 15 Upgrade: TokenStatusList support has been upgraded to IETF Draft 15 (draft-ietf-oauth-status-list-15), including the Appendix C test vectors, zlib compression fixes, enforcement of the application-specific status value ranges, and an end-to-end revocation test against the verifier.
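The encoding the upgrade concerns (statuses packed LSB-first at 1, 2, 4 or 8 bits each, zlib-compressed, base64url-encoded into a status_list claim) plus the status-value range check, as an added Python example that is not walt.id's code. The 16-entry 1-bit list and its encoding "eNrbuRgAAhcBXQ" are the draft's own 1-bit example. The status-type registry values used here (0x00 VALID, 0x01 INVALID, 0x02 SUSPENDED, 0x03 and 0x0B to 0x0F application-specific, 0x04 to 0x0A reserved) are my reading of the draft and should be checked against the Draft 15 text before being relied on; MAX_INFLATED_BYTES, referenced_status and the sample Referenced Token payload are constructed for this example.

```python
import base64
import zlib

# Status type values. Assumption: taken from the draft's status-type registry;
# verify against the Draft 15 text before depending on the exact ranges.
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02
APPLICATION_SPECIFIC = {0x03} | set(range(0x0B, 0x10))
ALLOWED_BITS = (1, 2, 4, 8)
MAX_INFLATED_BYTES = 1 << 24  # hypothetical verifier-side cap on the inflated list


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _inflate_bounded(data: bytes, limit: int) -> bytes:
    """Inflate with an output cap so a hostile status list cannot act as a zlib bomb."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("status list is truncated or exceeds the inflated size limit")
    return out


def check_status_value(value: int, bits: int) -> int:
    """Reject values that do not fit the encoding width or fall in a reserved range."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"status {value:#x} does not fit in {bits} bit(s)")
    if value in (VALID, INVALID, SUSPENDED) or value in APPLICATION_SPECIFIC:
        return value
    raise ValueError(f"status {value:#x} is reserved")


def status_value_ok(value: int, bits: int) -> bool:
    try:
        check_status_value(value, bits)
        return True
    except ValueError:
        return False


def encode_status_list(statuses: list[int], bits: int) -> dict:
    """Pack statuses LSB-first at `bits` per entry, then zlib + base64url."""
    if bits not in ALLOWED_BITS:
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    buf = bytearray((len(statuses) + per_byte - 1) // per_byte)  # unused tail bits stay VALID
    for idx, value in enumerate(statuses):
        check_status_value(value, bits)
        buf[idx // per_byte] |= value << ((idx % per_byte) * bits)
    return {"bits": bits, "lst": _b64url_encode(zlib.compress(bytes(buf), 9))}


def decode_status_list(claim: dict) -> list[int]:
    """Inverse of encode_status_list for a status_list claim object."""
    bits = claim["bits"]
    if bits not in ALLOWED_BITS:
        raise ValueError("bits must be 1, 2, 4 or 8")
    raw = _inflate_bounded(_b64url_decode(claim["lst"]), MAX_INFLATED_BYTES)
    per_byte, mask = 8 // bits, (1 << bits) - 1
    return [(raw[i // per_byte] >> ((i % per_byte) * bits)) & mask
            for i in range(len(raw) * per_byte)]


def referenced_status(status_list_claim: dict, referenced_token: dict) -> int:
    """Resolve a Referenced Token's status via its status.status_list.idx."""
    idx = referenced_token["status"]["status_list"]["idx"]
    statuses = decode_status_list(status_list_claim)
    if not 0 <= idx < len(statuses):
        raise ValueError("idx outside the status list")  # not verifiable: do not treat as VALID
    return statuses[idx]


# The draft's 1-bit example: 16 statuses and their encoded form.
DRAFT_1BIT_STATUSES = [1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
DRAFT_1BIT_LST = "eNrbuRgAAhcBXQ"

if __name__ == "__main__":
    claim = {"bits": 1, "lst": DRAFT_1BIT_LST}
    print(decode_status_list(claim) == DRAFT_1BIT_STATUSES)
    # Constructed Referenced Token payload pointing at index 5 (status 1 = INVALID).
    token = {"status": {"status_list": {"idx": 5, "uri": "https://example.com/statuslists/1"}}}
    print(referenced_status(claim, token))
```

Two verifier-side points the draft's wire format does not enforce for you: the inflated size must be bounded before indexing (a 10-byte "lst" can inflate to megabytes), and an idx past the end of the list is an error, not VALID.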

Extended Wallet Cryptographic Support: The wallet now supports ECDH-ES key agreement with a broad range of content-encryption algorithms (A128GCM, A192GCM, A256GCM, A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) and key-agreement curves (secp256r1, secp384r1, secp521r1). Signed request handling with client ID prefix authentication and encrypted direct_post responses for non-DC API flows have also been implemented. Compliance has been verified across multiple SD-JWT VC presentation combinations.

Permission Enforcement on Persistence Layer: Fine-grained permission enforcement has been implemented across all major enterprise persistence services: Key Management, DID Service, DID Store, DID Registry, Certificate Store, Policy Store, and VICAL Registry.

Database Profiles & Connection Pooling: Configurable database profiles and connection-pooling support have been added, enabling operators to tune database behaviour per environment. DocumentDB compatibility has been improved, including support for the retryWrites connection parameter and a configurable engine version. CosmosDB integration tests have been added.

Business Wallet Demo UI & BFF: A Business Wallet demo UI and backend-for-frontend (BFF) have been introduced, featuring role-based issuance gating, Keycloak OIDC login, tenant bootstrapping for demo roles, and a default wallet key reference in the issuance form.

Secured Credential Store, Policy Store, and VICAL Registry APIs: The credential store, policy store, and VICAL registry APIs are now protected by enterprise permission enforcement, consistent with the broader security initiative.

X.509 Store Enhancements: The X.509 service has been significantly extended: stored certificate IDs are now returned in issuance responses, store-ID collision pre-checks are enforced before issuance, VICAL entry metadata validation has been added, and certificate persistence to linked X.509 stores is now supported.

AWS, Azure, and GCP KMS / Storage Enhancements: Resource access configuration has been extended with support for AWS KMS, Azure Key Vault, and GCP storage. Key resolution for wallet requests now uses cloud-provider credentials where configured. Managed Azure Blob Storage support has been added.

Annex C (DC API) Flow Support: DcApiAnnexCFlowSetup has been integrated into EnterpriseVerifier2Service, and the Annex C session creation response has been updated to surface custom data immediately and omit URLs that the DC API flow does not need.

HPA Support for Data Retention: Horizontal Pod Autoscaler (HPA) support has been added for the DataRetentionService, allowing retention workloads to scale independently under load.

System Config Override: Operators can now override system-level configuration at runtime without a redeployment.

JCA CRL Check: JCA-based Certificate Revocation List (CRL) checking has been enabled, strengthening certificate validation in X.509 flows.


Fixes & Improvements

HTTP Client & Timeout Stability: The enterprise HTTP client configuration has been revised: connectTimeout and socketTimeout are now set explicitly, and maxEndpointIdleTime has been reduced, to prevent stale connections. A Ktor CIO transitive-dependency problem has been fixed, and the enterprise stack now uses OkHttp for integration tests.

Integration Test Reliability: Default coroutine timeouts have been set for all tests to prevent flaky failures. Integration-test reporting has been improved, and the build pipeline has been split to give faster feedback. Test runners have been moved to self-hosted infrastructure.

DataRetentionService Improvements: Cron-schedule handling has been made more robust, logging has been migrated to Klogging, and startSchedule is now a suspend function so that it participates correctly in structured coroutine handling.

Logging & Observability: Logging has been improved across core services, the DataRetentionService, ExternalRoleResolver, DistributedLockService, and VCT retrieval. Caught exceptions are now consistently logged. Request profiling has been added to enterprise integration tests.

Issuer Service Error Handling: Error messages for expired and invalid issuance sessions have been improved. Error handling and code structure in IssuerService have been cleaned up for clarity.

DocumentDB Fixes: Several DocumentDB compatibility issues have been resolved, including feature flags to disable functionality that DocumentDB does not provide, and corrected retryWrites handling.

OpenBadge Schema Reference: The Open Badges v3 schema is now referenced from the canonical IMS Global URL, so schema validation uses the authoritative source.

Miscellaneous Code Quality: Unused imports, debug print statements, unnecessary null assertions, and deprecated logging usages have been removed throughout the codebase. SonarQube findings have been addressed. Set-based assertions replace list-based comparisons in tests where element order is not part of the contract.


Breaking Changes

  • TokenStatusList upgraded to Draft 15: status value ranges and compression behaviour have changed. Existing status list configurations should be reviewed against the Draft 15 specification before upgrading; in particular, any custom status values must fall within the application-specific range now enforced.
Last updated on March 13, 2026