Breaking Changes Planned: SKY API OAuth 2 Cipher Suite And IP Address Accessibility Changes

To accommodate changes to our OAuth 2.0 implementation in early 2022, we will be updating the cipher suite and the IP configuration through which OAuth 2 is accessed on December 15th, 2021. Depending on your application's cipher suite configuration, these changes may be breaking changes to your application.

Change 1. Cipher Suite Support Changes

Our OAuth 2.0 implementation uses the TLS 1.2 protocol to ensure that communication between SKY Applications and our APIs remains secure. Among other things, this protocol defines which cipher suites can be used when application clients attempt to communicate with us. The cipher suite itself defines the set of algorithms that are used to encrypt and decrypt requests to OAuth 2.0 and responses back to your application. To read more about the relationship between TLS and cipher suites, review how Cloudflare describes TLS.

On December 15th, 2021, we will update OAuth 2.0 (accessed through oauth2.sky.blackbaud.com) to support the following cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

Note: The cipher suite configuration we applied on October 18th, 2021 (previous announcement) to the SKY API APIs themselves (accessed through api.sky.blackbaud.com) is still in effect. The cipher suite change above only applies to OAuth 2.0.

Change 2. IP Address Accessibility

While we have not formally documented the IP addresses SKY API uses, we know some resourceful developers have performed lookups for these to configure firewalls. Our IP addresses have always been prone to change (and will change again in the future). In general, we recommend restricting by host name (oauth2.sky.blackbaud.com, api.sky.blackbaud.com, etc.) rather than IP. However, we want to provide advance notice here as our IP address configuration has not changed in a while.

If this applies to you, please add the following IP to your firewall so you will be ready for December 9th, 2021.

104.208.238.110

Do not remove any existing entries you have provisioned for SKY API/OAuth 2 previously.

When is the change happening?

This change will happen in two phases.

Phase 1: Rehearsal

Like our previous cipher suite change, we are providing an opportunity for SKY Application developers to validate that their applications support at least one of the supported cipher suites. During this rehearsal, any applications that cannot negotiate with one of the supported cipher suites will be unable to connect to OAuth 2.0.

  • Thursday, December 9th, 2021, at 22:00 GMT (17:00 EST) – 23:00 GMT (18:00 EST)

During the rehearsal, if you uncover an issue with your configuration and cannot resolve it using one of the documented cipher suites above, contact the Blackbaud SKY Developer team.

Phase 2: Final change

The final change will take place on Wednesday, December 15th, 2021, at 22:00 GMT (17:00 EST).

Who is impacted?

Any SKY application that makes a server-side request to oauth2.sky.blackbaud.com could be impacted. Applications do this when:

What do I need to do?

You will need to ensure that your application is configured to support one or more of the supported cipher suites above and that your firewall is configured to allow the new IP address. If your application has no explicit firewall rules or is configured to allow all public traffic or traffic to oauth2.sky.blackbaud.com, you’ll only need to concern yourself with the cipher suite portion of this announcement.

You can validate your application’s ability to make requests using a supported cipher suite by having it send a test request to the following non-production endpoint: https://oauth2.nxt.blackbaud-test.com/version. If the request is successful, your application is ready for the change. Note: If you need to update your firewall for the proposed IP change, you will need to add both 104.208.238.110 and 137.116.87.106 to your configuration in order to access this non-production endpoint.
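A way to run both checks from a Python client, as an added example that is not Blackbaud's code: it reports which of the five announced suites the local OpenSSL build can offer, then handshakes with a TLS 1.2 context restricted to those suites. The function names are hypothetical, and the OpenSSL names are the standard equivalents of the IANA names listed above.

```python
import socket
import ssl

# IANA names from the announcement -> OpenSSL names used by Python's ssl module.
ANNOUNCED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
}


def local_support():
    """Map each announced suite to True if this OpenSSL build can offer it."""
    result = {}
    for iana, name in ANNOUNCED_SUITES.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
            result[iana] = any(c["name"] == name for c in ctx.get_ciphers())
        except ssl.SSLError:  # raised when no cipher matches the string
            result[iana] = False
    return result


def restricted_context():
    """TLS 1.2-only client context that offers only the announced suites."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ANNOUNCED_SUITES.values()))
    return ctx


def probe(host, port=443, timeout=5.0):
    """Handshake with host; return (openssl_cipher_name, is_announced_suite)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with restricted_context().wrap_socket(raw, server_hostname=host) as tls:
            name = tls.cipher()[0]
            return name, name in ANNOUNCED_SUITES.values()


if __name__ == "__main__":
    for suite, ok in local_support().items():
        print(("available  " if ok else "MISSING    ") + suite)
    # Non-production host named in the announcement; needs network access.
    print(probe("oauth2.nxt.blackbaud-test.com"))
```

If `probe` raises `ssl.SSLError` during the handshake, the client and server share none of the announced suites under TLS 1.2; a timeout or connection error points at the firewall rules instead.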

What changes are coming to OAuth 2 in 2022?

Most of the changes in the early part of the year will be to improve system health and security and will not be user/consumer facing; however, some visual treatments will be made to the Authorization endpoint (https://oauth2.sky.blackbaud.com/authorization). We will provide more details in the new year.

Comments

  • Thanks for the info!

  • Chris Rodgers
    Blackbaud Employee

    The rehearsal has commenced. Proceed in testing your Application configurations as needed. We will leave the updated configuration in place for an hour. At a minimum, we will update this thread at the conclusion of this Rehearsal.

  • Chris Rodgers
    Blackbaud Employee

    The rehearsal has concluded. The previous configuration has been restored.

  • Chris Rodgers
    Blackbaud Employee

    The configuration update described above is being deployed now. The change will take a few minutes to take effect. I will update this thread once the change is complete.

  • Chris Rodgers
    Blackbaud Employee

    The change has been deployed. If you notice any issues with your application's connection to oauth2.sky.blackbaud.com after this change, please consult our support options.