We are informing you of a behavior change to the Secured API defaults in our upcoming OpenFin 24 release, targeted for February 2022.
With the targeted OpenFin 24 release, OpenFin is further tightening its API Security stance by requiring Application Providers that use OpenFin 24 and a Secured API to also have RVM 6.5, or newer, on the end-user’s desktop. If an Application attempts to use a Secured API in OpenFin 24 and an RVM older than 6.5 is on the machine, the application’s attempt to use the Secured API will fail. Similarly, if an OpenFin runtime is used directly without an RVM present, Secured APIs will not be available.
Security is OpenFin’s top priority for both Application Providers and Desktop Owners. We work closely with IT Security teams to ensure OpenFin meets rigorous security standards. Through these collaborations we’ve collectively agreed to address a migration path for OpenFin’s APIs with a higher security profile.
At the direction of our customers’ security teams, OpenFin first introduced API Security in July 2019 with OpenFin 12. With OpenFin 16 (May ‘20), and then again with OpenFin 20 (June ‘21), we further tightened controls around Secured APIs while giving customers an opportunity to plan and adapt to these changes.
OpenFin 24 is the next step in ensuring applications are Secure by Default.
Application Providers who upgrade to OpenFin 24 and leverage one or more of our Secured APIs (i.e.
Application Providers wishing to upgrade to OpenFin 20+ (including OpenFin 24) and leveraging a Secured API continue to have the following options for their applications to access Secured APIs:
In the event neither a DOS file nor a Global Allow Listing has been established, OpenFin prompts the application end-user for authorization to use the Secured API (similar to the “Ask before accessing” option in Chrome’s privacy and security settings).
Additionally, OpenFin 24+ will require that RVM 6.5+ is also present on the desktop when wishing to use a Secured API.
OpenFin 24 (target release) - February 2022
Yes. Secured APIs will continue to work in OpenFin versions 19 and older until we have the larger OpenFin community ready to turn on backwards enforcement. You still need to declare Secured API usage in your application manifest, and Desktop Owners will continue to have the ability to prevent usage if they so choose by disabling those APIs across their desktops.
Please be advised that security features, enhancements and bug fixes from the Chromium, Electron and OpenFin teams will be applied to future versions of OpenFin.
An upcoming behavior change to OpenFin Workspace will require changes from Workspace customers upgrading to 4.0. These behavior changes will impact how OpenFin Home retrieves its views, applications and workspaces.
With the release of Workspace 4.0, OpenFin is enhancing the mechanics for how Workspace customers retrieve their Workspace content. Today, this is accomplished via the Content Discovery Service, which OpenFin Home will no longer use directly in 4.0. Instead of OpenFin Workspace calling the Content Discovery Service, content will be supplied programmatically by a Workspace CLI Provider. We will provide more details on the Workspace CLI Provider as part of our developer documentation with this release.
The intention of this notice is to ensure our customers are not negatively impacted by automatically consuming the 4.0 release. Customers can ensure they remain on a Workspace version < 4.0 by setting their Desktop Owner Settings file to a specific Workspace version.
Previously, OpenFin Home made direct calls to the Content Discovery Service to retrieve app definitions. This approach has three limitations:
- Significant complexity to share session cookies for the authenticated user
- Some customers had difficulty configuring for CORS
- Many customers want to provide app definitions per End User and to apply other business rules not supported by the Content Discovery Service.
The new approach solves these problems by delegating the search to your authenticated app via client-side APIs that are part of Workspace SDK. This eliminates the need to share session cookies as well as the need for CORS configuration. Additionally, your app can now apply all business rules as it performs the search for app definitions.
Workspace customers not setting a specific Workspace version in their Desktop Owner Settings file or any customer upgrading to Workspace 4.0+.
Workspace 4.0 - Nov 24
Yes. OpenFin will provide developer documentation on how to migrate to the Workspace Provider CLI. Additionally, OpenFin intends to pair these developer docs with a reference implementation to assist with the transition. This reference will include a change to how Workspace is initiated.
An upcoming behavior change to the security defaults in the OpenFin 20 release, targeted for June 2021, may require changes to your configuration.
With the targeted release of OpenFin 20, we are further tightening our API security stance by changing from a “default allow” paired with a block list to a “default prevent” coupled with an allow list. Any Application using a Secured API needs to be allowed in order to use the API. If an application attempts to use a secure API and that usage has not been allowed, the callback for the API returns an error.
Security is OpenFin’s top priority for both Application Providers and Desktop Owners. We work closely with IT security teams to ensure OpenFin meets rigorous security standards. Through these collaborations we’ve collectively agreed to address a migration path for OpenFin’s APIs with a higher security profile.
OpenFin introduced its initial layer of API security in OpenFin 12, requiring Application Providers to declare usage of a secured API via its application manifest. The upfront affirmation assisted desktop owners by informing them of an application’s intent to use a secured API. Additionally, desktop owners have the ability to disable an application’s usage of an API via a permissions configuration in their DOS file.
In OpenFin 16, we tightened API security by adding sensitive web APIs to our secured API designation (audio, video, geolocation, etc.) and requiring applications to declare intent to use a sensitive web API in their application manifest as well as providing desktop owners the ability to manage an application’s usage of these APIs.
OpenFin 20 is the next step in enhancing application security.
Application Providers who upgrade to OpenFin 20 and leverage one or more of our secured APIs (e.g.,
Application Providers wishing to upgrade to OpenFin 20 and leveraging a secure API have the following options:
Desktop owner settings management
- Desktop owners can manage an OpenFin DOS file to enable secured API usage. See Desktop Owner Settings for further details.
- In the event neither a DOS file nor global allow listing has been established, OpenFin prompts the application end-user for authorization to use the secured API (similar to the “Ask before accessing” option in Chrome’s privacy and security settings).
Additional details on the specific changes in the Desktop Owner Secure API will be provided prior to the release.
OpenFin 20 (target release) - June 2021
Yes. Secured APIs will continue to work in OpenFin versions 19 and older until we have the larger OpenFin community ready to turn on backwards enforcement. You still need to declare secured API usage in your application manifest, and desktop owners will continue to have the ability to prevent usage if they so choose by disabling those APIs across their desktops.
Please be advised that security features, enhancements and bug fixes from the Chromium, Electron, and OpenFin teams will be applied to future versions of OpenFin.
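The rules stated in the OpenFin 20 and OpenFin 24 notices can be combined into one decision function, shown here as an added example that is not OpenFin code and does not use OpenFin's manifest or DOS schema. Every field name is hypothetical, and the ordering (an explicit Desktop Owner block outranks any allow) is an assumption.

```javascript
// Added illustration: models the access rules stated in these notices.
// All field names are hypothetical; none come from OpenFin's schemas.

// Compare dotted versions numerically so "6.10" ranks above "6.5".
function versionAtLeast(actual, minimum) {
  const a = String(actual).split('.').map(Number);
  const m = String(minimum).split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, m.length); i++) {
    const x = a[i] || 0, y = m[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

function evaluateSecuredApi(ctx) {
  const { runtimeMajor, rvmVersion, declaredInManifest, dosSetting, globallyAllowed } = ctx;
  const out = (decision, reason) => ({ decision, reason });

  // Since OpenFin 12, Secured API usage must be declared in the manifest.
  if (!declaredInManifest) return out('deny', 'not declared in manifest');
  // Desktop Owners can disable an API in any version (assumed to win over allows).
  if (dosSetting === 'deny') return out('deny', 'disabled by Desktop Owner');
  // OpenFin 24+: RVM 6.5 or newer must be present on the desktop.
  if (runtimeMajor >= 24) {
    if (!rvmVersion) return out('deny', 'no RVM present');
    if (!versionAtLeast(rvmVersion, '6.5')) return out('deny', 'RVM older than 6.5');
  }
  // OpenFin 19 and older: "default allow" paired with a block list.
  if (runtimeMajor < 20) return out('allow', 'default allow before OpenFin 20');
  // OpenFin 20+: "default prevent" coupled with an allow list.
  if (dosSetting === 'allow') return out('allow', 'allowed in DOS file');
  if (globallyAllowed) return out('allow', 'global allow listing');
  // Neither a DOS entry nor a global allow listing: the end-user is asked.
  return out('prompt', 'end-user authorization required');
}

// Constructed sample desktops, not real inventory data.
const samples = [
  { runtimeMajor: 19, rvmVersion: '6.0', declaredInManifest: true },
  { runtimeMajor: 20, rvmVersion: '6.0', declaredInManifest: true },
  { runtimeMajor: 24, rvmVersion: '6.4', declaredInManifest: true, dosSetting: 'allow' },
  { runtimeMajor: 24, rvmVersion: '6.10', declaredInManifest: true, dosSetting: 'allow' },
];
for (const s of samples) {
  const r = evaluateSecuredApi(s);
  console.log(`runtime ${s.runtimeMajor}, RVM ${s.rvmVersion}: ${r.decision} (${r.reason})`);
}
```

Run against a desktop inventory before a runtime upgrade, a function like this flags machines where an allow-listed application would still fail because of an outdated or missing RVM.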
This communication is to inform you of upcoming changes OpenFin is implementing for Flash.
Chromium is ending support for Flash in Chromium 88, due out in Jan 2021. As a result, OpenFin 18 (built on top of Chromium 87) is the last version of OpenFin on which Flash applications will be able to run. OpenFin 18 is targeting a delivery date of Nov 2020.
Please visit Chromium’s Flash Roadmap for additional information.
Application Providers running Flash content directly on OpenFin.
Harman has taken over ownership of Adobe Air. The OpenFin Adobe Air Adapter is not impacted and should continue to work. This allows you to run Flex/Flash content in Adobe Air while connecting back into the rest of the OpenFin environment on the desktop. The OpenFin Air Adapter will not get further investment (no new API features, etc.) and we will work with you to make sure you have the right support.
Application Providers wishing to upgrade to OpenFin 19 (Chromium 89) will need to take the necessary steps to migrate any Flash applications / dependencies out of their applications.
Chromium 88 - Jan 2021
OpenFin 18 (Chromium 87) - Nov 2020
Yes. Please be advised that security features, enhancements and bug fixes from the Chromium, Electron and OpenFin teams will be applied to future versions of OpenFin.
This notice is to inform you of changes OpenFin is implementing.
- End-of-Life for the Layouts v1 API which has been replaced by the Platform API. The Platform API includes more advanced layouts capabilities and significantly improves on the Layouts v1 API.
  - Final Runtime Version supported is 184.108.40.206
  - End of Support Date is May 9, 2021
- Change-of-Life-Cycle for our Notifications and FDC3 APIs which will no longer be managed as Services (the APIs will remain unchanged)
  - Service Life-Cycle for both APIs will no longer be supported as of March 1, 2021
- Deprecation of fin.Notifications legacy API which is being replaced by the Notifications API.
  - Marked as Deprecated in Runtime Version 17.85.55.*
  - End of Support as of March 1, 2021
Application Providers leveraging any of the following OpenFin APIs:
These changes are being made in response to broad customer feedback. A summary of each is below. Please don’t hesitate to contact us if you’d like additional information.
The Layouts v1 API has been replaced with our Platform API (previously known as Layouts API 2.0). This change is being made to:
- Significantly improve performance and maintainability
- Provide default tab support, customization, and complex layout support
- Correctly integrate with standard Operating System functions such as Alt + Tab Preview, Move + Left/Right arrow keys, and z-order
The FDC3 API now ships by default with the Runtime and does not need to be invoked as a Service. This has the following benefits:
- FDC3 API is versioned in tandem with the other OpenFin APIs
- Simplified app upgrade process: FDC3 API changes can be made and tested once as part of upgrading the Runtime version
- Eliminates conflicts from different apps using different versions of the Service
- Eliminates conflicts from compatibility issues between Runtime versions and Service versions
The Notifications Center’s lifecycle will be managed by the Notifications API and will no longer need to be invoked as a Service as of version 1.0 which is scheduled for release in Q4 2020. This change is being made to:
- Avoid visual collisions from multiple versions of Notification Center on the same desktop
- Enable Desktop Owners to control the version of Notification Center for both internal and 3rd-party apps
- Significantly improve end user experience when more than one application is generating notifications
- Provide visual consistency and customization across notifications
- Keep notifications history available to end users
Application Providers should migrate as soon as possible. In all cases, we are here to help and assist teams with their migration plans.
Layouts v1 API
- Migrate to the OpenFin Platform API as part of upgrading to OpenFin 16 and beyond. Instructions are available in the Migrating from Layouts v1 Workspaces tutorial.
- Configure your Application Manifest to add the FDC3 API to your Application and remove the FDC3 Service from your Application Manifest as part of upgrading to OpenFin 17.85.55.* and beyond
- Remove the Notifications Service declaration from your Application Manifest as part of migrating to a version of the OpenFin-Notifications NPM package that supports the new lifecycle management. (Version 1.0+, release date Q4 2020).
- Migrate to the OpenFin Notifications API.
Yes - OpenFin strongly advises all customers to move to the respective alternative approaches as soon as practicable. If continuing to use the Services and the fin.Notification API, be advised that no patches will be applied for any discovered bugs and any Chromium Security patches must be consumed in later versions of OpenFin.