5.1.8

PAS 5.1.8 is a larger maintenance release that focuses on these main areas:

  • Mobile authenticator QR code accessibility improvements (WCAG)
  • Clavister OneID component rebranding
  • Bug fixes and vulnerability mitigation

Mobile authenticator improvements

PAS 5.1.8 introduces improvements to the mobile authenticators (BankID, SITHS eID, Freja, OneID / OneTouch), including major accessibility improvements to the QR code components in line with BankID's guidelines.

It is now possible to configure a maximum lifetime for the QR code in all of these mobile authenticator components. If the underlying transaction expires before the configured lifetime is reached (BankID, for example, has a maximum transaction length of 30 seconds), the backend automatically refreshes the transaction until the lifetime runs out.

It is also possible to configure which modes (QR Code, Same device) are available for each authenticator, should you ever want to opt out of a mode (for example, if you know all users will be on a mobile device).

Clavister OneID release

PAS 5.1.8 also marks the official release of Clavister OneID by rebranding some components from the working title "OneTouch 2". Earlier versions of PAS (5.1.4 and above) still support the OneID backend, but present it under the old branding.

End users will still experience either OneTouch or OneID branding in authenticators, enrollment, and SelfService flows based on whether OneID or OneTouch is configured. Read more on how to set up OneID in the article OneID.

Improvements

  • PHX-4222 - PAS Mobile authenticators: QR WCAG Improvements. Adjusted QR codes in mobile authenticators to fit BankID guidelines. Added configurable QR code max duration to all mobile authenticators.
  • PHX-4312 - Make HTTP request headers/field sizes configurable. Previously hardcoded max header/field sizes are now configurable, described in detail in the article Globals.
  • PHX-4313 - Make it possible to skip the QR code part of mobile authenticators. Added a configuration option to mobile authenticators where you can adjust the allowed modes (QRCode, Same device).
  • PHX-4366 - Rebrand OneTouch v2 to OneID throughout the entire product. The working title "OneTouch 2" has been changed to "OneID" and branding has been updated to match this. Creation of new authenticators will use the localizationKey that matches the enabled backend. Enrollment components will automatically describe the correct app to use, and so on.

Bug fixes

  • PHX-3717 - Vulnerability: CVE-2024-6484 (Bootstrap 3.4.1 - EOL), 6.4: Medium. This Bootstrap vulnerability is suppressed as it is limited to a carousel component that PAS does not use.
  • PHX-4165 - Prism-signingclient and PDFSignatureStatusValve boolean use differs. Resolved a bug in prism-signingclient regarding format of a boolean variable.
  • PHX-4169 - Fedsigning prism module may produce errors in older browsers. Resolved an issue where older browsers were missing the Promise.withResolvers JavaScript function by using a polyfill.
  • PHX-4192 - BankID authenticator creates two orders if you open on same device. Resolved an issue where mobile authenticators would cancel and restart a transaction when swapping between QR and same device mode.
  • PHX-4283 - Vulnerability: CVE-2025-48734: commons-beanutils (8.8). Mitigated vulnerability by updating dependency.
  • PHX-4295 - Browsing directly to OIDC authorization_endpoint results in HTTP 400. Improved the error handling when visiting the authorization endpoint without a proper OIDC / OAuth request. A proper error page explaining the problem is now shown.
  • PHX-4317 - Export/Import of pipes does not work in Execution Flow view under API Endpoints. Resolved an issue where pipe import/export did not work in the API section of the config gui.
  • PHX-4319 - Custom error messages do not work in RPBroker and SPBroker. Resolved an issue where custom error messages would not be displayed in RPBroker and SPBroker.
  • PHX-4343 - Memory Leak: Http Servers. There was a memory leak in Vert.x HTTP servers, particularly when starting and stopping servers repeatedly. The leak was fixed upstream in Vert.x, so it is resolved here by updating the dependency version.
  • PHX-4344 - When connecting with the built-in Android Account connector it fails with the new Agnostic selector. Resolved an issue where some browsers without a localStorage API (the Android Account connector, for example) would cause e.g. AuthSelector to throw an error.
  • PHX-4349 - RetryPromiseHelper broken: "Unsupported unit: Millis". Resolved an issue where a tool for internal request retries was broken.
  • PHX-4351 - Wrong naming of language. Resolved an issue where new PRISM apps would list a language's display name in English instead of in the language itself.
  • PHX-4358 - CVE-2025-48924 (CVSS 6.9), CVE-2025-53864 (CVSS 6.9). Mitigated vulnerabilities by updating dependencies.
  • PHX-4379 - OneID enrollment creates a new device even if device is already registered. Resolved an issue where duplicate devices would be created in OneID enrollment.
  • PHX-4324 - Access token missing custom claims when using Client Credentials. Resolved an issue where access tokens would not include custom claims in the client credentials flow. JWT access tokens in the client credentials flow now receive their custom claims in the same way as other flows, from the configured claims that have the include_in_access_token property set to true. In this case the available item properties come from a client authorization pipe.
  • PHX-4391 - FedSigning API not backward compatible. Resolved an issue where the FedSigning prism module, when running in non-legacy mode, could not handle the legacy format in API requests.
  • PHX-4262 - Backport of PHX-4262 (originally fixed in PAS 6.0.0): OTTokenVerifierValve does not work with OT2. Resolved an issue where OTTokenVerifierValve could not be used with tokens issued by OneID. The valve is now compatible with both versions, and will only permit the correct versions as configured in the PKI module. In compatibility mode, both tokens from OneTouch or OneID will be allowed. Read more in the article: OTTokenVerifierValve.
  • PHX-4396 - Vulns: CVE-2025-58057, CVE-2025-58056. Vulnerabilities mitigated by updating dependency.
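Two of the fixes above (PHX-4169, the missing Promise.withResolvers in older browsers, and PHX-4344, browsers without a usable localStorage API) are both browser-compatibility guards. The following is an added example, not PAS or PRISM code, showing the two techniques the notes describe: a polyfill that is installed only when the native function is absent, and a feature-detected storage wrapper that falls back to memory instead of throwing. All function names (withResolversPolyfill, installWithResolvers, createStorage) are this example's own assumptions, not PAS identifiers.

```javascript
// Added example (not PAS code): browser-compatibility guards of the kind the
// PHX-4169 and PHX-4344 fixes describe. Names below are assumptions.

// 1. Promise.withResolvers polyfill (PHX-4169).
// Promise.withResolvers is an ES2024 addition; runtimes without it throw
// "Promise.withResolvers is not a function" at the first call.
function withResolversPolyfill() {
  let resolve;
  let reject;
  const promise = new Promise((res, rej) => {
    resolve = res;
    reject = rej;
  });
  return { promise, resolve, reject };
}

// Install the polyfill only when the constructor lacks the native method.
// Returns true if the polyfill was installed, false if it was not needed.
function installWithResolvers(promiseCtor = Promise) {
  if (typeof promiseCtor.withResolvers === 'function') {
    return false;
  }
  Object.defineProperty(promiseCtor, 'withResolvers', {
    value: withResolversPolyfill,
    writable: true,
    configurable: true,
    enumerable: false,
  });
  return true;
}

// 2. Feature-detected storage (PHX-4344).
// Some WebViews expose no localStorage at all, and some browsers expose the
// property but throw on access (e.g. when site data is blocked). Probe it
// inside try/catch and fall back to an in-memory Map so callers never throw.
function isUsableStorage(storage) {
  if (!storage) return false;
  try {
    const probe = '__storage_probe__';
    storage.setItem(probe, probe);
    const ok = storage.getItem(probe) === probe;
    storage.removeItem(probe);
    return ok;
  } catch (_) {
    return false;
  }
}

// In-memory stand-in with the same three methods; values do not survive reload.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    persistent: false,
  };
}

// Returns a storage object backed by window.localStorage when it is usable,
// otherwise the memory fallback. `win` is injectable so it can be tested
// outside a browser.
function createStorage(win = typeof window !== 'undefined' ? window : {}) {
  let ls = null;
  try {
    ls = win.localStorage; // the getter itself may throw in some browsers
  } catch (_) {
    ls = null;
  }
  if (isUsableStorage(ls)) {
    return {
      getItem: (k) => ls.getItem(k),
      setItem: (k, v) => { ls.setItem(k, String(v)); },
      removeItem: (k) => { ls.removeItem(k); },
      persistent: true,
    };
  }
  return memoryStorage();
}

// Typical startup: install the polyfill once, then obtain storage via the
// guarded factory instead of touching window.localStorage directly.
installWithResolvers();
const appStorage = createStorage();
```

The `persistent` flag lets UI code such as a selector decide whether a remembered choice will survive a reload; when it is false the component should simply treat the user as having no stored preference rather than failing.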