6.0.1
PAS 6.0.1 is a maintenance version based on both 6.0.0 and 5.1.8, so review both those release notes as well to get a full view of what this version offers. All improvements and bug fixes introduced in version 5.1.8 are included in this release and listed at the bottom of this article.
Improvements
- PHX-4323 - Add "username input mode" to FrejaAuthenticator. Added the configuration parameters userInfoType and userInfo to FrejaAuthenticator, enabling "username input mode". The userInfo parameter is expandable, so it can be populated with values from the current auth flow. Read more in the article FrejaAuthenticator.
Bug fixes
- PHX-4315 - Missing documentation for ForceAuthn and other parameters in SAML SP. Added a new documentation article to describe all config parameters for the SAML service provider: SAML SP.
- PHX-4316 - NiasAuth: java.lang.NullPointerException: "this.vertx" is null in NiasAuditLogger. Resolved an issue introduced in 6.0.0 where Nias authenticators could crash with a NullPointerException.
- PHX-4318 - Discovery Service in SAML with spbroker does not work with new ACS URLs. Resolved an issue where using a Discovery service in SPBroker with the new ACS URLs would not work because the RelayState was not included in the return URL.
- PHX-4322 - Using ItemCreateFromRequestValve in Internal Auth causes duplicate trace_id. Resolved an issue where internal authentication combined with ItemCreateFromRequestValve could result in duplicate trace_id values, which could then cause errors.
- PHX-4359 - PAS Vulnerabilities (CVE-2025-52999, CVE-2025-53864, CVE-2024-7254). Vulnerabilities mitigated by updating dependencies.
- PHX-4389 - Vuln: CVE-2025-7962. Vulnerability CVE-2025-7962 mitigated by updating a dependency.
- PHX-4392 - Mobile Authenticators: no audit log or metric increment on failed initialization. Resolved an issue where mobile authenticators (BankID, Freja, Nias, OneID/OneTouch, Siths eID) would not write an audit log when initialization of a new transaction failed; they only did so when a pending transaction failed.
Issues from 5.1.8
Improvements
- PHX-4222 - PAS Mobile authenticators: QR WCAG Improvements. Adjusted QR codes in mobile authenticators to fit BankID guidelines. Added configurable QR code max duration to all mobile authenticators.
- PHX-4312 - Make HTTP request headers/field sizes configurable. Previously hardcoded max header/field sizes are now configurable, described in detail in the article Globals.
- PHX-4313 - Make it possible to skip the QR code part of mobile authenticators. Added a configuration option to mobile authenticators where you can adjust the allowed modes (QRCode, Same device).
- PHX-4366 - Rebrand OneTouch v2 to OneID throughout the entire product. The working title "OneTouch 2" has been changed to "OneID" and branding has been updated to match this. Creation of new authenticators will use the localizationKey that matches the enabled backend. Enrollment components will automatically describe the correct app to use, and so on.
Bug fixes
- PHX-3717 - Vulnerability: CVE-2024-6484 (Bootstrap 3.4.1 - EOL), 6.4: Medium. This Bootstrap vulnerability is suppressed, as it is limited to a carousel component that PAS does not use.
- PHX-4165 - Prism-signingclient and PDFSignatureStatusValve boolean use differs. Resolved a bug in prism-signingclient regarding format of a boolean variable.
- PHX-4169 - Fedsigning prism module may produce errors in older browsers. Resolved an issue where older browsers were missing the Promise.withResolvers JavaScript function by using a polyfill.
- PHX-4192 - BankID authenticator creates two orders if you open on the same device. Resolved an issue where mobile authenticators would cancel and restart a transaction when swapping between QR and same-device mode.
- PHX-4283 - Vulnerability: CVE-2025-48734: commons-beanutils (8.8). Mitigated vulnerability by updating dependency.
- PHX-4295 - Browsing directly to OIDC authorization_endpoint results in HTTP 400. Improved the error handling when visiting the authorization endpoint without a proper OIDC / OAuth request. A proper error page explaining the problem is now shown.
- PHX-4317 - Export/Import of pipes does not work in Execution Flow view under API Endpoints. Resolved an issue where pipe import/export did not work in the API section of the config gui.
- PHX-4319 - Custom error messages do not work in RPBroker and SPBroker. Resolved an issue where custom error messages would not be displayed in RPBroker and SPBroker.
- PHX-4343 - Memory Leak: Http Servers. There was a memory leak in Vert.x HTTP servers, particularly when starting and stopping servers repeatedly. This was fixed upstream in Vert.x, so it has been resolved by updating the dependency version.
- PHX-4344 - When connecting with the built-in Android Account connector it fails with the new Agnostic selector. Resolved an issue where some browsers without a localStorage API (the Android Account connector, for example) would cause e.g. AuthSelector to throw an error.
- PHX-4349 - RetryPromiseHelper broken: "Unsupported unit: Millis". Resolved an issue where a tool for internal request retries was broken.
- PHX-4351 - Wrong naming of language. Resolved an issue where new PRISM apps would list a language display name in English instead of in its own language.
- PHX-4358 - CVE-2025-48924 (CVSS 6.9), CVE-2025-53864 (CVSS 6.9). Mitigated vulnerabilities by updating dependencies.
- PHX-4379 - OneID enrollment creates a new device even if device is already registered. Resolved an issue where duplicate devices would be created in OneID enrollment.
- PHX-4324 - Access token missing custom claims when using Client Credentials. Resolved an issue where access tokens would not include custom claims when using the client credentials flow. JWT access tokens in the client credentials flow now get their custom claims in the same way as other flows, based on the configured claims that have the include_in_access_token property set to true. In this case, the available item properties come from a client authorization pipe.
- PHX-4391 - FedSigning API not backward compatible. Resolved an issue where the FedSigning prism module, when running in non-legacy mode, could not handle the legacy format in API requests.
- PHX-4262 - Backport of PHX-4262 (originally fixed in PAS 6.0.0): OTTokenVerifierValve does not work with OT2. Resolved an issue where OTTokenVerifierValve could not be used with tokens issued by OneID. The valve is now compatible with both versions, and will only permit the versions configured in the PKI module. In compatibility mode, tokens from both OneTouch and OneID are allowed. Read more in the article: OTTokenVerifierValve.
- PHX-4396 - Vulns: CVE-2025-58057, CVE-2025-58056. Vulnerabilities mitigated by updating a dependency.