Fixes in AM 7.5.x
This page lists the cumulative fixes in AM 7.5.x releases:
AM 7.5
- OPENAM-22206: AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed
- OPENAM-22191: JUnit jars are bundled in the AM.war release
- OPENAM-22119: "Access to Java class ScriptedLoggerWrapper prohibited" exception
- OPENAM-22101: UI admin tests are failing since updating secret ID to secret label
- OPENAM-22060: am-config-upgrader: poor performance
- OPENAM-22035: Page Nodes don’t delete contained nodes when a tree is deleted
- OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak
- OPENAM-21976: Single point of locking contention when doing Client-based session logout
- OPENAM-21941: Unable to edit policies in the UI
- OPENAM-21937: Quota Enforcement affecting agent sessions that authenticate by tree
- OPENAM-21936: Unable to use Legacy and Next Generation Script in the same authentication tree
- OPENAM-21912: OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager
- OPENAM-21856: Introspecting stateless token with IG/Web agents will cause OAuth2ChfException
- OPENAM-21854: TermsAndConditionsCallback fails with error on XUI
- OPENAM-21840: Warning for missing mapping in dynamic secret doesn’t warn for missing secret label identifier
- OPENAM-21803: CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt
- OPENAM-21780: Next generation scripting httpClient adds "null" as entity to GET requests
- OPENAM-21748: Next generation scripting missing "get" wrapper function for HiddenValueCallback
- OPENAM-21739: Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service
- OPENAM-21707: file-functional-tests: OAuth2Provider doesn’t allow setting of default consent agent when scalableAgents are enabled
- OPENAM-21693: Remove default global library script
- OPENAM-21664: Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class
- OPENAM-21506: Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node
- OPENAM-21484: OAuth2 token introspection response has different claim value types when refresh tokens are introspected
- OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present
- OPENAM-21389: Searching algorithm for calculating the reachability of a node in a tree returns incorrect result
- OPENAM-21053: User ID is missing from access.audit.json for JWT client authentication flow using org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false
- OPENAM-20924: Reentry cookie when set causes the user to redirect to an incorrect IdP
- OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"
- OPENAM-20329: Forgerock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant
- OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested
- OPENAM-19889: Policy evaluation fails with Agent access token JWT as subject
- OPENAM-17816: 500 Internal Server Error (from NPE) returned for a missing Content-Type header
- OPENAM-17315: Update default scripts with the change introduced in COMMONS-628
AM 7.4.x
AM 7.4.1
- OPENAM-22753: Destroy All session may fail to work
- OPENAM-22715: PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly
- OPENAM-22696: Persistent search notification invalidation on AD identity store doesn’t invalidate user cached attributes
- OPENAM-22620: Slow response from access token endpoint using client credentials grant
- OPENAM-22602: OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL
- OPENAM-22421: Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2
- OPENAM-22289: Session quota action may fail when the session isn’t updatable but should be fine to proceed
- OPENAM-22181: Approve UMA request fails with 500 error when AM deployed as a platform
- OPENAM-22171: Forgotten password fails when AM searches for the identity to modify
- OPENAM-22119: "Access to Java class ScriptedLoggerWrapper prohibited" exception
- OPENAM-22109: The expiry time of OPS token in 7.x doesn’t change with the time of tokens created
- OPENAM-22017: Configuration Provider node creates node class dynamically leading to native memory leak
- OPENAM-21976: Single point of locking contention when doing client-based session logout
- OPENAM-21972: SAML artifact binding is using crosstalk for artifact resolution
- OPENAM-21941: Unable to edit policies in the UI
- OPENAM-21937: Quota enforcement affects agent sessions that authenticate by tree
- OPENAM-21936: Unable to use legacy and next-generation scripts in the same authentication tree
- OPENAM-21868: ssoadm create-sub-cfg not working for AM 7.2+ due to the context= field
- OPENAM-21854: TermsAndConditionsCallback fails with error on XUI
- OPENAM-21803: Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt
- OPENAM-21780: Next-generation httpClient script binding adds "null" as entity to GET requests
- OPENAM-21664: Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class
- OPENAM-21484: OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens
- OPENAM-21473: Certificate Collector node: getPortalStyleCert throws exception when cert/header not present
- OPENAM-21466: AM using OIDC social authentication fails to verify ID token if remote JWK_URIs have duplicate KID
- OPENAM-21191: Web agent sessions have a long session lifetime of 42 years
- OPENAM-20609: Inconsistent error message when generating access token using refresh token after changing username
- OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested
- OPENAM-19889: Policy evaluation fails with agent access token JWT as subject
- OPENAM-17816: 500 Internal Server Error (from NPE) returned for a missing Content-Type header
AM 7.4
- OPENAM-21053: Missing userId from Access audit log when org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false in JWT client authentication flow
- OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"
- OPENAM-21476: Persistent Cookie isn’t created when using Configuration Provider node
- OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention
- OPENAM-21390: Fix caching error when a journey switches backend instances to correctly provide data to nodeState
- OPENAM-21360: Add java.util.concurrent.ExecutionException to AM scripting class allowlist
- OPENAM-21323: LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes
- OPENAM-21304: Retain request URI values specified during dynamic client registration
- OPENAM-21164: Fix type issue of XML String in SAML responses when using a custom adapter
- OPENAM-21160: Make sure secure state values are retained when navigating the authentication tree
- OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2
- OPENAM-21085: Undefined bindings are incorrectly evaluated in Groovy scripts
- OPENAM-21069: WindowsDesktopSSO authentication is failing
- OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims
- OPENAM-21004: AM will always look for valid session when scope=openid
- OPENAM-21001: SAML IdPAccountMapper isn’t correctly determined
- OPENAM-20980: OIDC social provider uses configured issuer instead of wellknown endpoint issuer when using regex comparison
- OPENAM-20953: Return subject attributes correctly when evaluating a policy using a JwtClaim as subject type
- OPENAM-20920: Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null
- OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others
- OPENAM-20895: Newly created Maven archetype project for building custom authentication nodes fails to build
- OPENAM-20851: Existing registered devices unable to use push notifications when AWS SNS credentials are updated
- OPENAM-20784: TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException
- OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter
- OPENAM-20691: Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed
- OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms
- OPENAM-20451: Fix to display user-friendly account name during WebAuthn device registration
- OPENAM-20299: Fix to make agent authentication honor com.iplanet.am.session.agentSessionIdleTime
- OPENAM-20230: Class allowlisting denies access to permitted classes after running for an extended period of time
- OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI
- OPENAM-20024: Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint
- OPENAM-19282: Recovery Code Display Node works only immediately after Registration node
- OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant
- OPENAM-18709: New nodeState.getObject method added to return values stored in both shared and secure state
- OPENAM-18685: New realm-level configuration setting to remove or skip subname claim
- OPENAM-18004: Support sequential transaction IDs to improve audit logging for HTTP requests to IDM
- OPENAM-17331: Push Notifications: User with disabled endpoint is not able to login
- OPENAM-17179: Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts
AM 7.3.x
AM 7.3.1
- OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak
- OPENAM-21976: Single point of locking contention when performing client-based session logout
- OPENAM-21941: Unable to edit policies in the UI
- OPENAM-21854: TermsAndConditionsCallback fails with error on XUI
- OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method
- OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response
- OPENAM-21421: Scripting logger name isn’t based on logging hierarchy convention
- OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment
- OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating
- OPENAM-21164: Calling toXMLString in custom SAML adapter can return incorrectly formatted XML leading to invalid signature
- OPENAM-21160: Inconsistent values in secure state when navigating an authentication tree
- OPENAM-21158: Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2
- OPENAM-21069: WindowsDesktopSSO authentication is failing
- OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims
- OPENAM-21004: AM will always look for valid session when scope=openid
- OPENAM-21001: IdPAccountMapper is not correctly determined
- OPENAM-20980: Unable to use issuer comparison check regex in OIDC social provider
- OPENAM-20897: Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others
- OPENAM-20895: Newly-created Maven archetype project fails to build
- OPENAM-20756: OIDC social authentication request (Apple) fails due to duplicate response_mode=form_post request parameter
- OPENAM-20691: Destroy oldest session may fail to work
- OPENAM-20682: Unable to encrypt from jwk_uri when there are duplicate kid
- OPENAM-20490: AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"
- OPENAM-20026: Trailing whitespace prevents social provider deletion via UI
- OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested
- OPENAM-19889: Policy evaluation fails with agent access token JWT as subject
- OPENAM-19282: Recovery Code Display Node works only immediately after Registration node
- OPENAM-18599: Allow for custom error message if user account is locked
AM 7.3
- OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved
- OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion
- OPENAM-20260: Unable to log into AM when external application store is down
- OPENAM-20230: Class allowlisting fails with permission denied after an extended period
- OPENAM-20181: AD account notification fails
- OPENAM-20159: Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs
- OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working
- OPENAM-20085: STS token generation does not work with clustered docker pods
- OPENAM-20082: Locked out users are shown a misleading error message
- OPENAM-19868: Correctly handle multi-line text in Email Suspend nodes
- OPENAM-19866: Excessive logging when accessing protected resources
- OPENAM-19726: The par endpoint doesn’t return a request_uri when using JAR and claims are provided
- OPENAM-19515: Unable to update session service with read only identity store
- OPENAM-18818: Persistent search error message shows wrong DS identifier
- OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates
- OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level
- OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found
- OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny
AM 7.2.x
AM 7.2.2
- OPENAM-22380: LDAP Decision node adding wrong username causing incorrect log messages
- OPENAM-22289: Correctly check failure to save read session causing session quota failure
- OPENAM-22017: ConfigProviderNode creates node class dynamically leading to native memory leak
- OPENAM-21976: Single point of locking contention when doing client-based session logout
- OPENAM-21972: SAML artifact binding fails in load-balanced deployment
- OPENAM-21941: Unable to edit policies in the UI
- OPENAM-21937: Quota enforcement affecting agent sessions that authenticate by tree
- OPENAM-21728: Certificate module fails using JDK 11.0.21 and later with undefined access to private method
- OPENAM-21484: Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response
- OPENAM-21473: Certificate collector node: getPortalStyleCert throws exception when cert/header not present
- OPENAM-21390: ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment
- OPENAM-21304: OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating
- OPENAM-21160: Ensure secure state values are retained when navigating the authentication tree
- OPENAM-21010: Social authentication user profile corrupted when remote OIDC server provides non-English identity claims
- OPENAM-21004: AM will always look for valid session when scope=openid
- OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting
- OPENAM-20897: Issue with logging unsupported callbacks
- OPENAM-20783: OAuth 2.0 authorization code flow throws an error when content-type isn’t x-www-form-urlencoded and body isn’t JSON
- OPENAM-20756: Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter
- OPENAM-20682: Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms
- OPENAM-20396: Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved
- OPENAM-20104: The fragment response_mode for the /oauth2/authorize endpoint is not working
- OPENAM-20026: Social IDP with trailing whitespace in the name can’t be deleted using the UI
- OPENAM-19999: ID token as AM session doesn’t work with /authorize when openid scope is requested
- OPENAM-19282: Recovery Code Display node works only immediately after Registration node
- OPENAM-19261: Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant
- OPENAM-18599: Allow for custom error message if user account is locked
- OPENAM-17816: 500 internal server error (from NPE) returned for a missing Content-Type header
AM 7.2.1
- OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion
- OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered html
- OPENAM-20260: Unable to log into AM when external application store is down
- OPENAM-20230: Class allowlisting fails with permission denied after an extended period
- OPENAM-20181: AD account notification fails
- OPENAM-20082: Locked out users are shown a misleading error message
- OPENAM-20031: Access token modification can no longer access refresh token reference
- OPENAM-19884: AM returns 500 error when ; is used in the access token header
- OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access
- OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong
- OPENAM-19515: Unable to update session service with read-only identity store
- OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page
- OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity
- OPENAM-18818: Persistent search error message shows wrong DS identifier
- OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level
- OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found
- OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset
- OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect
AM 7.2
- OPENAM-19427: KBA questions are not falling back to the default language when French is present in the restart password flow
- OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /
- OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node
- OPENAM-19380: Social Google node does not work if placed after an input collector in a tree
- OPENAM-19359: Social authentication not working on Subrealms
- OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception
- OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted
- OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description
- OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor
- OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows
- OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade
- OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes
- OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters
- OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml
- OPENAM-19123: AM validates duplicate registration tokens
- OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set
- OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions
- OPENAM-19086: rest-sts endpoint is not included when CORS is enabled
- OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas
- OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned
- OPENAM-18996: Issues with trees and navigating quickly between Social Login providers
- OPENAM-18990: Non-compliant OAuth 2.0 error response generated
- OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret
- OPENAM-18952: KBA questions are not falling back to the default language when French is present
- OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store
- OPENAM-18921: Double slashes in OAuth 2.0 claim names are handled incorrectly
- OPENAM-18891: JWT Profile OAuth 2.0 grant returns invalid_grant
- OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt
- OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers
- OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared
- OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null
- OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered
- OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication
- OPENAM-18754: User profile success URL ignored when authenticating with trees
- OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures
- OPENAM-18705: Problem with Page Node using node relying on secureState
- OPENAM-18701: DN cache doesn’t get deleted in some cases
- OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients
- OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node
- OPENAM-18663: AM should check new realm with rest end-point names by ignoring case
- OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted
- OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo
- OPENAM-18644: IdRepo cache cannot be disabled anymore
- OPENAM-18640: REST-STS uses the old path to reach the users endpoint
- OPENAM-18623: Issue with jwk_uri endpoint called in parallel
- OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set
- OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication
- OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade
- OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"
- OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL
- OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters
- OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header - can be rejected by external OAuth 2.0 providers
- OPENAM-18523: NullPointerException when Web Agent group is changed
- OPENAM-18487: Trust anchor check fails with Yubikey
- OPENAM-18460: max_age parameter is overwritten
- OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST
- OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP
- OPENAM-18443: Transactional authentication is disabled on new installs
- OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode
- OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore
- OPENAM-18432: Remove the internal idm-delegation grant type from the well known info
- OPENAM-18422: Email Template node creates threads without terminating them
- OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth
- OPENAM-18384: Email Suspend Node clears the secure state
- OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name
- OPENAM-18359: Choice Collector Node not present following upgrade
- OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server
- OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint
- OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings
- OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD
- OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically
- OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication
- OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session
- OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode
- OPENAM-18212: Check for user/agent profile condition during login can be refined further
- OPENAM-18207: Global Service cache is not updated by changes from other servers in a site
- OPENAM-18205: Excessive logging occurs when agent profile is not found
- OPENAM-18180: No TransactionId present for AuthTreeExecutor
- OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout
- OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST
- OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings
- OPENAM-18149: Wrong log file is used for SAML2 extensions log message
- OPENAM-18141: AM no longer uses global SAML configuration
- OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops
- OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm
- OPENAM-18121: Complex authentication trees load slowly
- OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter
- OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin
- OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628
- OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server
- OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes
- OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM
- OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists
- OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code
- OPENAM-18062: SPACSUtils withholds exception and does not log error
- OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined
- OPENAM-18043: Device Match module not setting correct AuthLevel
- OPENAM-18030: Message node shows inconsistent behavior regarding the default locale
- OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes
- OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue
- OPENAM-18006: Persistent search for identity store does not recover
- OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees
- OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation
- OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens
- OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists
- OPENAM-17962: LDAP Decision Node does not put updated password in transient state
- OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page
- OPENAM-17935: Missing return statement in the happy flow of the Kerberos node
- OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled
- OPENAM-17916: When no session exists logout page redirects to login
- OPENAM-17912: Account lockout count is not reset correctly
- OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable
- OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked
- OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade
- OPENAM-17830: Error messages are logged when the Push Notification Service is absent
- OPENAM-17828: Apostrophe in username breaks Push/OATH device registration
- OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens
- OPENAM-17814: Auth Tree step-up fails if username case does not match
- OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname
- OPENAM-17783: Language tag limited to 5 characters instead of 8
- OPENAM-17782: Policy evaluation fails with 400 error when user does not exist
- OPENAM-17760: PEM support incorrectly decodes some EC private keys
- OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset
- OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost
- OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile
- OPENAM-17683: Selfservice user registration auto login fails for a sub-realm
- OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed
- OPENAM-17677: oauth2/device/code endpoint does not support locale parameter
- OPENAM-17663: Improve the error response code for "Failed to revoke access token"
- OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport
- OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared
- OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session
- OPENAM-17590: OIDC login hint cookie broken since 7.0
- OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret
- OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes
- OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue
- OPENAM-17515: Sub attribute in access token can be in wrong case
- OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)
- OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued
- OPENAM-17426: No validation for attribute collector node
- OPENAM-17405: Token introspection response not spec compliant
- OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config
- OPENAM-17320: Revisit prompt=login behavior change that keeps existing session
- OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails
- OPENAM-17265: Amster updates incorrect authorized_keys file
- OPENAM-17040: UMA policy creation does not work with shared repo
- OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail
- OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work
- OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters
- OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator
- OPENAM-16642: Server id creation can fail when id is greater than 100
- OPENAM-16490: OWASP ESAPI broken
- OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong
- OPENAM-16262: Javadocs for IdUtils need updating
- OPENAM-16216: Get Session Data node improvements
- OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable
- OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile
- OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in
- OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration
- OPENAM-13855: CTS creates too many connections to DS
- OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"
- OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set
- OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity
AM 7.1.x
AM 7.1.4
- OPENAM-21004: AM will always look for valid session when scope=openid
- OPENAM-21002: CTS task queue full and SeriesTaskExecutorThread can get stuck waiting
- OPENAM-20897: Issue with logging unsupported callbacks
- OPENAM-20691: Destroy oldest session may fail to work
- OPENAM-20396: Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved
- OPENAM-20318: Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML
- OPENAM-20260: Unable to log into AM when external application store is down
- OPENAM-20230: Class whitelisting fails with permission denied after an extended period
- OPENAM-20181: AD account notification fails
- OPENAM-20085: STS token generation does not work with clustered docker pods
- OPENAM-20082: Locked out users are shown a misleading error message
- OPENAM-19954: SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration
- OPENAM-19362: AM to DS certificate log message logged at warning instead of error or critical
- OPENAM-18818: Persistent search error message shows wrong DS identifier
- OPENAM-18629: RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls
- OPENAM-18488: Windows Hello with TPM/platform authenticator returns two certificates
- OPENAM-17591: Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session
- OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found
- OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny
AM 7.1.3
- OPENAM-19884: AM returns 500 when ; used in access token header
- OPENAM-19865: Memory Leak due to samlResponseDataHash not being cleaned up
- OPENAM-19649: ID token not linked to session when authorising with sso token
- OPENAM-19613: PSearch is already removed error message should be warning
- OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong
- OPENAM-19530: Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'
- OPENAM-19515: Unable to update session service with read only identity store
- OPENAM-19512: Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints
- OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page
- OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity
- OPENAM-19427: Display security questions in the correct default language
- OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing '/'
- OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node
- OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception
- OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1
- OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description
- OPENAM-19220: WebAuthN/Fido - cannot authenticate with recovery codes on Windows
- OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade
- OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters
- OPENAM-19162: REST API definition inaccurate for endpoint '/realm-config/saml'
- OPENAM-19123: AM validates duplicate registration tokens
- OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set
- OPENAM-19119: GetAuthenticatorApp Node needs better localization support
- OPENAM-19112: AM with embedded DJ always runs DJ backup and upgrade
- OPENAM-19111: Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API
- OPENAM-19109: Insufficient debug logging to troubleshoot CORS service
- OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions
- OPENAM-19086: rest-sts endpoint is not included when CORS is enabled
- OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas
- OPENAM-19016: Logback.jsp should show the actual setting of the loggers instead of defaults
- OPENAM-19011: QR code message used in MFA Authentication node should be customizable / localizable
- OPENAM-18990: Non-compliant OAuth2 error response generated
- OPENAM-18952: KBA questions are not falling back to the default language when French is present
- OPENAM-18891: JWT Profile Oauth2 Grant returns 'invalid_grant'
- OPENAM-18835: JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes
- OPENAM-18834: AM fails to start when upgrading after using am-upgrader
- OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo
- OPENAM-18478: XUI shows incorrect subjectType following upgrade from AM < 6.5.3
- OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP
- OPENAM-18432: Remove the internal idm-delegation grant type from the well known info
- OPENAM-18384: Email Suspend Node clears the secure state
- OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD
- OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication
- OPENAM-18196: More meaningful error message when Client Secret is not URL-encoded
- OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs
- OPENAM-18149: Wrong log file is used for SAML2 extensions log message
- OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm
- OPENAM-18113: LDAP authentication node: change of connection mode does not recreate the connection pool
- OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server
- OPENAM-18062: SPACSUtils withholds exception and does not log error
- OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists
- OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails
- OPENAM-17835: Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO
- OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile
- OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config
- OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails
- OPENAM-17201: XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used
- OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work
- OPENAM-16878: Scripted Decision Node secrets binding object does not have public API
- OPENAM-16490: OWASP ESAPI lib is missing some classes
- OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset
- OPENAM-15997: Enhance CookieHelper to perform better cookie detection
- OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable
- OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile
- OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration
- OPENAM-13766: No configuration found for login with SessionConditionAdvice=deny
- OPENAM-12992: Misleading error message in XUI console when existing DNS alias is provided
- OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect
- OPENAM-11319: Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse
AM 7.1.2
- OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store
- OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly
- OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt
- OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared
- OPENAM-18836: No TransactionId on "debug.out" for the AM recording
- OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null
- OPENAM-18780: JwksOAuth2AgentEventListener class not setting the correct default cache miss time value
- OPENAM-18756: Entering correct otp after entering wrong otp fails authentication
- OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures
- OPENAM-18711: AES Encryption/Decryption fails when running in Java 17
- OPENAM-18705: Problem with Page Node using node relying on secureState
- OPENAM-18684: redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users w/ multi OIDC Clients
- OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node
- OPENAM-18663: AM should check new realm with rest end-point names by ignoring case
- OPENAM-18661: Two or more OAuth2 clients with duplicate origins cause CORS filter to be aborted
- OPENAM-18646: Upgrade from AM 7.1.0 to 7.2+ may fail because of upgrading existing java agent profile
- OPENAM-18644: IdRepo cache cannot be disabled anymore
- OPENAM-18640: REST-STS is using the old path to reach /users endpoint
- OPENAM-18623: Issue with jwk_uri endpoint called in parallel
- OPENAM-18610: RealmOAuth2ProviderSettings for getJwks is broken in that it permits empty set
- OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication
- OPENAM-18586: Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade
- OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL
- OPENAM-18536: Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI
- OPENAM-18511: Missing navigation options when an expired link from "Email Suspend" node is used
- OPENAM-18443: Transactional authentication is disabled on new installs
- OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore
- OPENAM-18297: Outbound calls to Jwks_URI endpoint do not support proxy settings
- OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically
- OPENAM-18175: SMSUtils#addAttributesToMap inconsistency with array ordering
- OPENAM-18141: AM no longer uses global SAML configuration
- OPENAM-18130: "Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different
- OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter
- OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes
- OPENAM-18030: Message node shows inconsistent behaviour regarding the default locale
- OPENAM-18005: Insufficient error message to troubleshoot persistent search issue
- OPENAM-17949: Account lockout applied to tree even when ignore profile selected
- OPENAM-17904: Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable
- OPENAM-17833: Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port
- OPENAM-17830: Error messages are logged when the Push Notification Service is absent
- OPENAM-17829: External UMA Resource Set using SSL but not StartTLS fails
- OPENAM-17593: Deadlock when admin token is invalid and when config data is getting cleared
- OPENAM-17271: Typo for Realm in SAML/Federation debug
- OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication
AM 7.1.1
- OPENAM-18604: Formatting issues in Upgrade Report
- OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"
- OPENAM-18566: Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0
- OPENAM-18559: Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."
- OPENAM-18532: Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI
- OPENAM-18523: NullPointerException when AgentsRepo with from group is changed
- OPENAM-18459: IdTokenInfo endpoint behaviours change from 6.x and fails when using client_id in POST
- OPENAM-18422: Email Template node creates threads without terminating them
- OPENAM-18421: In Platform environment, using an Email Template node creates new thread that does not terminate
- OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth
- OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name
- OPENAM-18366: Upgrade Report contains unformatted line feeds "%LF%"
- OPENAM-18359: Choice Collector Node appears to not be present following upgrade
- OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server
- OPENAM-18319: Realm is added more than once when session upgrade happens more than once with modules
- OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)
- OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint
- OPENAM-18258: Failed to load configuration for OAuth2Provider observed after upgrade
- OPENAM-18241: Permit OAuth2 Modification Script to return scopes as space-delimited string
- OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session
- OPENAM-18227: Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode
- OPENAM-18212: Check for user/agent profile condition during login can be refined further
- OPENAM-18207: Global Service cache is not updated by changes from other servers in a site
- OPENAM-18205: Excessive logging occurs when agent profile is not found
- OPENAM-18180: No TransactionId present for AuthTreeExecutor
- OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout
- OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST
- OPENAM-18154: Wrong AMR returned with prompt=login and force authn setting enabled
- OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings
- OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops
- OPENAM-18121: Slow loading in Authentication Tree
- OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amadmin
- OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes
- OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM
- OPENAM-18068: Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists
- OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code
- OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined
- OPENAM-18043: Device Match module not setting correct AuthLevel
- OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes
- OPENAM-18009: AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue
- OPENAM-18006: Persistent search for identity store does not recover
- OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees
- OPENAM-17993: The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation
- OPENAM-17979: Backchannel authentication - auth_req_id can be used to obtain multiple access tokens
- OPENAM-17962: LDAP Decision Node does not put updated password in transient state
- OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page
- OPENAM-17935: Missing 'return' statement in the happy flow of the kerberos node
- OPENAM-17923: Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled
- OPENAM-17916: When no session exists logout page redirects to login
- OPENAM-17912: Account lockout count is not reset correctly
- OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked
- OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does work after upgrade
- OPENAM-17863: Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile
- OPENAM-17828: Apostrophe in username breaks Push/OATH device registration
- OPENAM-17826: Introspect endpoint returns a static value for "expires_in" when using client based tokens
- OPENAM-17814: Auth Tree step-up fails if username case does not match
- OPENAM-17801: OIDC userinfo subname claim returns incorrect value
- OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname
- OPENAM-17782: Policy evaluation fails with 400 error when user does not exist
- OPENAM-17774: Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint
- OPENAM-17773: The acr_values parameter is mandatory on CIBA bc-authorize endpoint
- OPENAM-17760: PEM support incorrectly decodes some EC private keys
- OPENAM-17738: Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI
- OPENAM-17718: OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset
- OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed
- OPENAM-17677: The oauth2/device/code endpoint does not support locale parameter
- OPENAM-17663: Improve the error response code for "Failed to revoke access token"
- OPENAM-17630: JMS Audit logging broken and cannot start up
- OPENAM-17610: OTP Email Sender node does not allow specifying connect timeout and IO/read timeout for underlying transport
- OPENAM-17590: OIDC login hint cookie broken since 7.0
- OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret
- OPENAM-17493: OAuth2 node does not support external proxy authentication (user/pass)
- OPENAM-17405: Token introspection response not spec compliant
- OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session
- OPENAM-17265: Wrong authorized_keys file updated
- OPENAM-17262: Subname claim inconsistencies
- OPENAM-16988: The accessedEndpoint including port causes verify Assertion Consumer URL to fail
- OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters
- OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator
- OPENAM-16642: Server id creation can fail when id is greater than 100
- OPENAM-16554: Misplaced bufferingEnabled checkbox in New Syslog configuration
- OPENAM-16491: SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)
- OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong
- OPENAM-16216: Get Session Data node improvements
- OPENAM-15861: NullPointerException in CollectionHelper.getServerMapAttrs
- OPENAM-15740: Document _fields is case sensitive
- OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in
- OPENAM-13855: CTS creates too many connections to DS
- OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"
- OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity
AM 7.1
- OPENAM-17396: Terms of Service URI Link does not Display in Consent Page
- OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset
- OPENAM-17365: Checking agent type with caller token can cause deadlock
- OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees
- OPENAM-17361: API Explorer Swagger Template body needs modifying to include configExport, debugLogs and threadDump as per the API Documentation
- OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope
- OPENAM-17353: HTML pages are not picked up when placed in a theme folder
- OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh
- OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired
- OPENAM-17322: SAML2 bearer grant returns NoUserExistsException
- OPENAM-17317: A realm without any modules can cause increased thread count and slow response
- OPENAM-17276: AM recorder does not record anymore
- OPENAM-17271: Typo for Realm in SAML/Federation debug
- OPENAM-17260: Allow arg=newsession usage in authorize calls
- OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant
- OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found
- OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'
- OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail
- OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise spec-defined parameters
- OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory
- OPENAM-17114: Save Consent check box always shown, even when not configured
- OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC
- OPENAM-17089: Forgot password functionality broken
- OPENAM-17070: SAML2 SP initiated SSO with AM as IdP Proxy: RelayState is not returned from proxy after IdP authentication
- OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849
- OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE
- OPENAM-17034: In a realm, if User Profile is set to Ignored, the realm level Session Service quota settings are also ignored and only the Session Service setting at top level/global is evaluated
- OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config
- OPENAM-17006: Hosted SAML entity - cannot remove bindings
- OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"
- OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates
- OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail
- OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail
- OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)
- OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist
- OPENAM-16936: Tree nodes create new keystore object each time node is called
- OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1
- OPENAM-16934: sm.getSchemaManager has a typo including a comma
- OPENAM-16926: Success URL node doesn’t work with SAML Node for IdP-init when not using Integrated mode
- OPENAM-16910: Cannot create SAML entity with entity id including a semicolon ';'
- OPENAM-16907: Kerberos Node in 7.0 does not work
- OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid
- OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO
- OPENAM-16876: Default ACR values on OIDC client profile are not honoured in order of preference
- OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token
- OPENAM-16849: WeChat Social Auth module broken (regression)
- OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled
- OPENAM-16847: AM email service failing with 'Start TLS' option
- OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules
- OPENAM-16823: IDM Nodes do not send or propagate transactionId tracking when contacting IDM
- OPENAM-16807: The dynamic values for request_uri being stored in client config do not expire and are not automatically removed
- OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0
- OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep
- OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow
- OPENAM-16758: Cannot install AM 7 on Windows
- OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled
- OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'
- OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)
- OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token
- OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type
- OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo
- OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree
- OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore
- OPENAM-16583: Crucial information is missing when encountering LDAP connection issues
- OPENAM-16556: Radius Server does not log IP address into AM Audit logs
- OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request
- OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers
- OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set
- OPENAM-16515: Social auth - insufficient debug logging for troubleshooting
- OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain
- OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes
- OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set
- OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong
- OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade
- OPENAM-16367: OIDC request_uri response causes NPE while debug logging
- OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory
- OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly
- OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive
- OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save
- OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented
- OPENAM-15963: Historical retention files (csv) were not deleted
- OPENAM-15948: Update DS profiles to add VLV indexes for CTS use
- OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)
- OPENAM-15671: LoginContext is missing debug logging for troubleshooting
- OPENAM-15663: UserInfoClaims is not part of public API
- OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified
- OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)
- OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)
- OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file
AM 7.0.x
AM 7.0.2
-
OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost
-
OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile
-
OPENAM-17683: Selfservice user registration auto login fails for a sub-realm
-
OPENAM-17673: Nodes within a Page node do not have access to secure state
-
OPENAM-17672: Page Node does not expose inner nodes inputs or outputs
-
OPENAM-17630: JMS Audit logging broken and cannot start up
-
OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session
-
OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret
-
OPENAM-17570: OIDC request parameter decryption fails to find any applicable keys
-
OPENAM-17555: AM 7.x versions of Amster use Java 8 format of debug port
-
OPENAM-17517: JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.
-
OPENAM-17515: Sub attribute in access token can be in wrong casing
-
OPENAM-17483: SecretsPlugin upgrade from 6.5.x failing
-
OPENAM-17477: Thread-safety issue in AMAuthenticationManager
-
OPENAM-17436: JS version of the OIDC Claims script does not work due to a casting error.
-
OPENAM-17405: Token introspection response not spec compliant
-
OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check
-
OPENAM-17365: Checking agent type with caller token can cause deadlock
-
OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees
-
OPENAM-17361: API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation
-
OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope
-
OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh
-
OPENAM-17337: Access token passed in request body results in failure
-
OPENAM-17324: Client credentials grant in FBC config with group inheritance causes User not Valid Error
-
OPENAM-17322: SAML2 bearer grant returns NoUserExistsException
-
OPENAM-17321: Prometheus Endpoint returns http 500 error when used with file based config
-
OPENAM-17317: A realm without any modules can cause increased thread count and slow response.
-
OPENAM-17310: 'ssoadm list-datastore-types' sub-command broken
-
OPENAM-17277: AM Recording with thread dump only shows depth of 8
-
OPENAM-17276: AM recorder does not record anymore
-
OPENAM-17274: AM should not change the supported subject types for an existing install
-
OPENAM-17271: Typo for Realm in SAML/Federation debug
-
OPENAM-17265: Wrong authorized_keys file updated
-
OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant
-
OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found
-
OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'
-
OPENAM-17175: XUI OAuth2 consent page does not render when using themes
-
OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible
-
OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.
-
OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory
-
OPENAM-17117: Service config XML dump consumes a lot of memory (whole config is read to memory)
-
OPENAM-17114: Save Consent check box always shown, even when not configured
-
OPENAM-17102: OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication
-
OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC
-
OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails
-
OPENAM-17081: OAuth2 client agent group settings are not taken into account
-
OPENAM-17079: Identities and Session: unexpected error returned when trying to request a nonexistent identity
-
OPENAM-17070: SAML2 SP initiated SSO with AM as IdP Proxy, RelayState is not returned from proxy after IdP authentication
-
OPENAM-17066: Unable to add server to existing deployment through UI
-
OPENAM-17042: User Self Registration REST API does not generate SSO token
-
OPENAM-17019: Allowing wildcards in OAuth 2.0 clients prevents exact matching from working
-
OPENAM-17017: REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config
-
OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"
-
OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates
-
OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail
-
OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist
-
OPENAM-16932: PageNode does not pick up outcomes if ScriptedDecisionNode is used inside
-
OPENAM-16910: Cannot create SAML entity with entity id including a semicolon ';'
-
OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid
-
OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO
-
OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters
-
OPENAM-16876: Default ACR values on OIDC client profile are not honoured in order of preference
-
OPENAM-16849: WeChat Social Auth module broken (regression)
-
OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0
-
OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'
-
OPENAM-16651: Default configuration fails if the trust store type JVM property is not defined for the JVM
-
OPENAM-16638: AM with embedded DS setup fails when Java system keystore properties are set
-
OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore
-
OPENAM-16581: SAML Authentication Module on hosted SP gets SAML No authentication context error
-
OPENAM-16556: Radius Server does not log IP address into AM Audit logs
-
OPENAM-16515: Social auth - insufficient debug logging for troubleshooting
-
OPENAM-16472: Proxied Authentication fallback may not work when user entry lacks some attributes
-
OPENAM-16364: Macaroon access tokens don’t work with the new any-realm token introspection
-
OPENAM-16262: Javadocs for IdUtils needs updating
-
OPENAM-15963: Historical retention files (csv) were not deleted
-
OPENAM-15214: Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node
-
OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided
-
OPENAM-13783: REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect
-
OPENAM-13575: Unhelpful log message when OIDC public client wants to use HMAC id token signing
AM 7.0.1
-
OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1
-
OPENAM-16934: sm.getSchemaManager has a typo including a comma
-
OPENAM-16907: Kerberos Node in 7.0 does not work
-
OPENAM-16877: Error when creating AM "Self-service Trees" service in native admin ui
-
OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled
-
OPENAM-16847: AM email service failing with 'Start TLS' option
-
OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules
-
OPENAM-16823: IDM Nodes do not send or propagate transactionId tracking when contacting IDM
-
OPENAM-16802: Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE
-
OPENAM-16794: Google KMS options missing after upgrade from 6.5
-
OPENAM-16791: AMAccessAuditEventBuilder#forRequest can generate an entry with :-1 for the port
-
OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow
-
OPENAM-16759: Amster on windows : AM does not restart properly after setup
-
OPENAM-16758: Cannot install AM 7 on Windows
-
OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled
-
OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)
-
OPENAM-16702: Saving engine configuration in FBC mode makes that config non-readable
-
OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token
-
OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format
-
OPENAM-16686: Cannot create a User after upgrade from 6.5.2 to 7.0.1
-
OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type
-
OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo
-
OPENAM-16650: Authz Policy Subjects Policy.title is showing property name text
-
OPENAM-16641: OAuth2 provider supported grant types attribute missing localization property on XUI
-
OPENAM-16606: Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults
-
OPENAM-16594: ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155
-
OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.
-
OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request
-
OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token
-
OPENAM-16545: Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents
-
OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain
-
OPENAM-16483: XUI - Typo in SAML SP "Default Relay State Url" label
-
OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade
-
OPENAM-16367: OIDC request_uri response causes NPE while debug logging
-
OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory
-
OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly
-
OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive
-
OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save
-
OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented
-
OPENAM-15671: LoginContext is missing debug logging for troubleshooting
-
OPENAM-15663: UserInfoClaims is not part of public API
-
OPENAM-14682: Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)
-
OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)
-
OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE
AM 7.0
-
OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.
-
OPENAM-16425: AM does not handle malformed/incorrect signature correctly
-
OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.
-
OPENAM-16379: URL fragments like # cause forbidden login in the XUI
-
OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.
-
OPENAM-16279: AgentsRepo cannot recover when it fails, especially on an external Application store.
-
OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication
-
OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim
-
OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)
-
OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled
-
OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords
-
OPENAM-16165: social authmodule causes NullPointerException
-
OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token
-
OPENAM-16136: queryFilter only matches against first entry in array
-
OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates
-
OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node
-
OPENAM-16031: Intermittent error message when concurrently obtaining SSO Token ID with session quota constraints
-
OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow
-
OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm
-
OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications
-
OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth
-
OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied
-
OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified
-
OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked
-
OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException
-
OPENAM-15900: Kerberos fails when used with IBM JDK
-
OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection
-
OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema
-
OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used
-
OPENAM-15853: External UMA store fails on resource creation
-
OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired
-
OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request
-
OPENAM-15784: Form elements in policy environment condition tab are displayed twice
-
OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled
-
OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.
-
OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL
-
OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server
-
OPENAM-15713: AM SP drops the 80-character RelayState silently for HTTP Redirect
-
OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'
-
OPENAM-15697: Default ACR values from OAuth2 provider not taken into account
-
OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access
-
OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling
-
OPENAM-15670: DeviceIdSave auth module initialization fails if username is null
-
OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting
-
OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected
-
OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support
-
OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow
-
OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"
-
OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'
-
OPENAM-15559: OATH module broken in Japanese locale
-
OPENAM-15533: WS-Federation doesn’t work with Authentication Trees
-
OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS
-
OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default
-
OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees
-
OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token
-
OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly
-
OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned
-
OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.
-
OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN
-
OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication
-
OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error
-
OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported
-
OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims
-
OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback
-
OPENAM-15349: Access Token request returns a 500 error
-
OPENAM-15345: at_hash value generated does not take the latest modified access token
-
OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree
-
OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example
-
OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.
-
OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions
-
OPENAM-15210: Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules
-
OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"
-
OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind
-
OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field
-
OPENAM-15147: HTTP 500 upon accessing openam/json/
-
OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken
-
OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin (with browser closed)
-
OPENAM-15117: KeyVault KeyStoreType not supported
-
OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not
-
OPENAM-15105: Unable to get trusted devices using REST API
-
OPENAM-15101: Remove the ability to disable XUI
-
OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL
-
OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId
-
OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching
-
OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file
-
OPENAM-15028: Cannot load metadata in ssoadm without extended metadata
-
OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment
-
OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache
-
OPENAM-14991: Changes to boot.json are overwritten
-
OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade
-
OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain
-
OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error
-
OPENAM-14919: Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file
-
OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain
-
OPENAM-14895: user identity creation fails with "Identity *" of type user not found.
-
OPENAM-14893: XUI displays multiple error messages when an authentication session times out
-
OPENAM-14889: Upgrade of Persistent Cookie auth module fails
-
OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration
-
OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)
-
OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)
-
OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty
-
OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null
-
OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module
-
OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens
-
OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice
-
OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search
-
OPENAM-14804: Memory leak when running UMA RPT soak test
-
OPENAM-14799: Unable to update Agent profile using REST
-
OPENAM-14794: User privileges are removed from group if another group is given same privilege
-
OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO
-
OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM
-
OPENAM-14782: AuthTree created Session does not use per User Session Service settings
-
OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 for some invalid tokens
-
OPENAM-14717: mailto attribute has a space between ':' and mail address
-
OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted
-
OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads
-
OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier
-
OPENAM-14578: WDSSO failing but no fallback…
-
OPENAM-14573: amlbcookie is not secure when authenticating with trees
-
OPENAM-14572: prompt=login destroys and creates new session
-
OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different
-
OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation
-
OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore
-
OPENAM-14539: SAML SLO with multi protocols
-
OPENAM-14529: UMA RPT expiry time incorrect in CTS
-
OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding
-
OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported
-
OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ
-
OPENAM-14480: AuthLoginException is lost
-
OPENAM-14471: Failed to create root realm for data store (External Policy | Application)
-
OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on
-
OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used
-
OPENAM-14450: userinfo typo in Claims.java
-
OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL
-
OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application
-
OPENAM-14393: CTS Operation Fails: Entry Already Exists logged when SAML2 Authentication is done
-
OPENAM-14391: Self Service Link not Displayed when Using Authentication Tree
-
OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set
-
OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure
-
OPENAM-14362: UMA load test fails with Invalid resource type error
-
OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy
-
OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client
-
OPENAM-14313: Audit Logging - STS transformations create duplicate entries
-
OPENAM-14310: CheckSession page indicates the session is not valid
-
OPENAM-14294: am-external Git repository 6.5 has bad source
-
OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef
-
OPENAM-14239: FMSigProvider.verify NPE with null input for certificates
-
OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number
-
OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set
-
OPENAM-14229: custom AuthorizeTemplate under theme not used
-
OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute
-
OPENAM-14212: SAML redirect to login page fails if AM installed into the root context
-
OPENAM-14200: Social auth modules do not work when AM is installed into the root context
-
OPENAM-14189: effectiveRange of Time environment has issue
-
OPENAM-14175: CTS updates on multivalue attributes may throw Duplicate values exception
-
OPENAM-14174: AM shows Ldapter.delete exception when session expiry is triggered
-
OPENAM-14167: HTML tags are shown as part of the messages in Change Password section of AD Authentication module.
-
OPENAM-14147: arg=newsession in XUI just shows the "Loading…" page
-
OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state
-
OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie
-
OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow
-
OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive
-
OPENAM-14054: XUI Custom templates and Partials not applied consistently
-
OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn
-
OPENAM-14040: LdifUtils debug logging prints out wrong classname
-
OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server
-
OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.
-
OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm
-
OPENAM-13978: Session Upgrade - AuthLevel format changes
-
OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider
-
OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given
-
OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user
-
OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not
-
OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext
-
OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6
-
OPENAM-13831: RP-Initiated Logout does not handle state parameter
-
OPENAM-13779: Session API - _action=refresh requires an admin token
-
OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"
-
OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals
-
OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent
-
OPENAM-13465: Dynamic client registration sets wrong subjectType
-
OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain
-
OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout
-
OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"
-
OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional
-
OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation
-
OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees
-
OPENAM-12759: max_age should be a number, not a string
-
OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies
-
OPENAM-12498: Authorization Grant response returns scope(s) in the URL
-
OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts as "true"
-
OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme
-
OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console
-
OPENAM-11863: CORSFilter position in web.xml should come before most filters
-
OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception
-
OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification
-
OPENAM-10869: SAML2 Authentication module returns ambiguous "Unable to link local user to remote user" error.
-
OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified
-
OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled
-
OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)
-
OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly
-
OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo
-
OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM