Breaking changes planned for OAuth 2.0
On Thursday, April 28th, 2022, we plan to update the cipher suite and IP configuration through which our OAuth 2.0 implementation is accessed.
Depending on your application's networking configuration, these may be breaking changes. Below is a summary of the changes, including how you can test your application’s readiness and how to prepare for the change.
TL;DR? – Jump to “What do I need to do?”
New OAuth 2.0 authorization URL
For a SKY application to access SKY API, a Blackbaud user in a Blackbaud environment must grant the application access. As our documentation states, applications begin this interaction by sending users to https://oauth2.sky.blackbaud.com/authorization. While this URL will be supported going forward and we expect most applications to continue to use this URL, starting Thursday, April 28th, 2022, this URL will redirect to https://app.blackbaud.com/oauth/authorize.
For nearly all applications, this redirect will not be a concern. However, we are aware that some client-side frameworks require explicit declarations of URLs and whether the application should follow redirects. We want those applications affected to be ready for our change.
Disabling weak cipher suites
Our OAuth 2.0 implementation uses the TLS 1.2 protocol to ensure that communication between SKY Applications and our APIs remains secure. Among other things, this protocol defines which cipher suites can be used when application clients attempt to communicate with us. The cipher suite itself defines the set of algorithms that are used to encrypt and decrypt requests to OAuth 2.0 and responses back to your application. To read more about the relationship between TLS and cipher suites, review how Cloudflare describes TLS.
While TLS 1.2 defines the cipher suites it supports, over time weaknesses have been discovered in some of these suites. As such, we occasionally remove these weaker cipher suites.
On Thursday, April 28th, 2022, we will update OAuth 2.0 to support only the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
From our usage metrics, we have found that these cipher suites cover roughly 98% of all request traffic to SKY API. In addition to this announcement, we will be proactively reaching out to developers whose accounts make up the remaining 2% of usage.
IP address accessibility
While we have not formally documented the IP addresses SKY API uses, we know some resourceful developers have performed lookups for these to configure firewalls. Our IP addresses have always been prone to change and they are going to change on April 28th, 2022. Also, going forward they are likely going to change more frequently. As described in previous announcements, we recommend restricting by host name (e.g. oauth2.sky.blackbaud.com, api.sky.blackbaud.com, etc.) rather than IP address.
For additional details and action items, see the Shared changelog.
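A readiness check for the cipher suite change described above, as an added example that is not part of the original announcement or Blackbaud's own tooling. It assumes a Python client built on OpenSSL; the function names and the legacy cipher string are constructed for illustration, and the suite names and host name come from the announcement.

```python
import socket
import ssl

# The four suites the announcement lists (IANA names).
ALLOWED_IANA = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

def to_openssl_name(iana):
    """Convert an IANA name to OpenSSL's name (valid for these AES-GCM suites only)."""
    key_exchange, bulk = iana[len("TLS_"):].split("_WITH_")
    return (key_exchange + "-" + bulk.replace("AES_", "AES")).replace("_", "-")

ALLOWED = [to_openssl_name(n) for n in ALLOWED_IANA]

def client_overlap(cipher_string):
    """Allowed suites that a client using this OpenSSL cipher string offers over TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # local OpenSSL cannot select any suite from the string
    # get_ciphers() may also list TLS 1.3 suites; matching by name ignores them.
    offered = {c["name"] for c in ctx.get_ciphers()}
    return [name for name in ALLOWED if name in offered]

def negotiated_suite(host, port=443, timeout=10):
    """Handshake offering only the allowed suites; return the one the server picks."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]

if __name__ == "__main__":
    legacy = "AES128-SHA:AES256-SHA"  # constructed example of an older client config
    print(legacy, "->", client_overlap(legacy) or "no overlap: handshake would fail")
    print("server picked:", negotiated_suite("oauth2.sky.blackbaud.com"))
```

An empty result from `client_overlap` means the client configuration shares no suite with the new list, so its TLS 1.2 handshake would be rejected once the weaker suites are removed.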
Comments
- As described in the announcement above, we will begin deployment of these changes at 22:00 GMT (18:00 EDT, 8:00 AEST). I will update this thread to indicate the start of the deployment and again when the deployment is complete. Most SKY Applications will receive the change within minutes, but depending on DNS caches, your application may be delayed in seeing the changes (typically no more than a couple hours).
- The change deployment has started.
- The change deployment has completed. We are seeing the majority of SKY Applications have received the change. Applications that have not yet received the change should soon, as DNS caches allow.
