PingAM release notes

Fixes in AM 7.2.x

This page lists the cumulative fixes in AM 7.2.x releases:

AM 7.2.2

OPENAM-22380

LDAP Decision node adding wrong username causing incorrect log messages

OPENAM-22289

Correctly check failure to save read session causing session quota failure

OPENAM-22017

ConfigProviderNode creates node class dynamically leading to native memory leak

OPENAM-21976

Single point of locking contention when doing client-based session logout

OPENAM-21972

SAML artifact binding fails in load-balanced deployment

OPENAM-21941

Unable to edit policies in the UI

OPENAM-21937

Quota enforcement affecting agent sessions that authenticate by tree

OPENAM-21747

Amster not working after connecting when AM REST call has extra set-cookie headers

OPENAM-21728

Certificate module fails using JDK 11.0.21 and later with undefined access to private method

OPENAM-21484

Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response

OPENAM-21473

Certificate collector node: getPortalStyleCert throws exception when cert/header not present

OPENAM-21390

ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment

OPENAM-21304

OAuth 2.0 dynamic client registrations don’t retain request_uri values when creating

OPENAM-21277

Running Amster in debug mode doesn’t work on Windows

OPENAM-21160

Ensure secure state values are retained when navigating the authentication tree

OPENAM-21030

Amster CLI doesn’t work on Windows

OPENAM-21010

Social authentication user profile corrupted when remote OIDC server provides non-English identity claims

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21002

CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

OPENAM-20897

Issue with logging unsupported callbacks

OPENAM-20783

OAuth 2.0 authorization code flow throws an error when content-type isn’t x-www-form-urlencoded and body isn’t JSON

OPENAM-20756

Social authentication request for Apple fails due to duplicated response_mode=form_post request parameter

OPENAM-20682

Unable to encrypt from jwk_uri where there are multiple JWKs with the same kid but different algorithms

OPENAM-20396

Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved

OPENAM-20104

The fragment response_mode for the /oauth2/authorize endpoint is not working

OPENAM-20026

Social IDP with trailing whitespace in the name can’t be deleted using the UI

OPENAM-19999

ID token as AM session doesn’t work with /authorize when openid scope is requested

OPENAM-19282

Recovery Code Display node works only immediately after Registration node

OPENAM-19261

Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant

OPENAM-18599

Allow for custom error message if user account is locked

OPENAM-17816

500 internal server error (from NPE) returned for a missing Content-Type header

AM 7.2.1

OPENAM-20360

Ampersand is double encoded in the Destination of a SAML Assertion

OPENAM-20318

Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered html

OPENAM-20260

Unable to log into AM when external application store is down

OPENAM-20230

Class allowlisting fails with permission denied after an extended period

OPENAM-20181

AD account notification fails

OPENAM-20082

Locked out users are shown a misleading error message

OPENAM-20031

Access token modification can no longer access refresh token reference

OPENAM-19884

AM returns 500 error when ; is used in the access token header

OPENAM-19684

Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

OPENAM-19592

Amster - Unable to use Amster in M1 Macbook

OPENAM-19537

UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

OPENAM-19515

Unable to update session service with read-only identity store

OPENAM-19506

Installer fails after pressing "cancel" button at amadmin password page

OPENAM-19455

Adding Authentication Context without Level value results in uneditable entity

OPENAM-19411

Amster installation failure with authorizedKey parameter when overwriting an existing configuration

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18172

Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

OPENAM-17215

Policy debug log fills up at very high pace if the config store is not found

OPENAM-16241

Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

OPENAM-12101

Connection pool not restarted if LDAP authentication module admin bind password is incorrect

AM 7.2

OPENAM-19427

KBA questions are not falling back to the default language when French is present in the restart password flow

OPENAM-19384

Suspended Authentication Resume URI is resolved with a missing /

OPENAM-19381

Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

OPENAM-19380

Social Google node does not work if placed after an input collector in a tree

OPENAM-19359

Social authentication not working on Subrealms

OPENAM-19297

OIDC MayAct claims script fails to access clientProperties and causes Java security exception

OPENAM-19290

In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

OPENAM-19281

OIDC dynamic client registration cannot take \n in the client_description

OPENAM-19266

Cannot add Page Headers or Page Descriptions to page nodes in tree editor

OPENAM-19220

WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

OPENAM-19208

Webhook with an empty url field throws NPE during a webhook session upgrade

OPENAM-19196

JavaScript origins in the OAuth2 Client need a restart to apply the changes

OPENAM-19190

LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

OPENAM-19162

REST API definition inaccurate for endpoint /realm-config/saml

OPENAM-19123

AM validates duplicate registration tokens

OPENAM-19122

AM’s jwks_uri endpoint should preserve order of keys within the set

OPENAM-19108

"Agent" auth tree creates tokens with insufficient permissions

OPENAM-19086

rest-sts endpoint is not included when CORS is enabled

OPENAM-19083

Creating a client-based access and refresh token breaks subsequent use of Session Quotas

OPENAM-19042

When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

OPENAM-18996

Issues with trees and navigating quickly between Social Login providers

OPENAM-18990

Non-compliant OAuth 2.0 error response generated

OPENAM-18953

Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

OPENAM-18952

KBA questions are not falling back to the default language when French is present

OPENAM-18928

Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

OPENAM-18921

Double slashes in oauth 2.0 claim names are handled incorrectly

OPENAM-18891

JWT Profile Oauth 2.0 grant returns invalid_grant

OPENAM-18883

Inconsistent error response from Client authentication using private_key_jwt

OPENAM-18877

Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

OPENAM-18864

Upgrade Radius Server Client Secrets fails due to service config cache cleared

OPENAM-18833

Client authentication using private_key_jwt will cause 500 if claims value is null

OPENAM-18775

LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

OPENAM-18756

Entering correct OTP after an incorrect OTP fails authentication

OPENAM-18754

User profile success URL ignored when authenticating with trees

OPENAM-18753

Upgrading AM Radius server with clients causes Radius auth failures

OPENAM-18705

Problem with Page Node using node relying on secureState

OPENAM-18701

DN cache doesn’t get deleted in some cases

OPENAM-18684

Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

OPENAM-18679

OATH Registration node doesn’t work when placed inside a Page node

OPENAM-18663

AM should check new realm with rest end-point names by ignoring case

OPENAM-18661

Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

OPENAM-18655

Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

OPENAM-18644

IdRepo cache can not be disabled anymore

OPENAM-18640

REST-STS uses the old path to reach the users endpoint

OPENAM-18623

Issue with jwk_uri endpoint called in parallel

OPENAM-18610

RealmOAuth2ProviderSettings for getJwks permits an empty set

OPENAM-18605

Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

OPENAM-18586

No debug message when AM can’t read the encrypted_base64 folder after upgrade

OPENAM-18573

URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

OPENAM-18547

Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

OPENAM-18533

Distinguish between standard OIDC and JAR OIDC request parameters

OPENAM-18524

Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header - can be rejected by external OAuth 2.0 providers

OPENAM-18523

NullPointerException when Web Agent group is changed

OPENAM-18487

Trust anchor check fails with Yubikey

OPENAM-18460

max_age parameter is overwritten

OPENAM-18459

IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

OPENAM-18457

OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

OPENAM-18443

Transactional authentication is disabled on new installs

OPENAM-18436

UMA pending requests are stored differently depending on sub claim uniqueness mode

OPENAM-18434

Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

OPENAM-18432

Remove the internal idm-delegation grant type from the well known info

OPENAM-18422

Email Template node creates threads without terminating them

OPENAM-18389

HttpClientHandler Guice injection in tree is typically broken with thread pool growth

OPENAM-18384

Email Suspend Node clears the secure state

OPENAM-18377

Authorization fails using auth module if user has authenticated with alias name

OPENAM-18359

Choice Collector Node not present following upgrade

OPENAM-18321

CertificateCollectorNode fails when checking cert in LDAP Directory Server

OPENAM-18306

OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

OPENAM-18297

Outbound calls to jwk_uri endpoint do not support proxy settings

OPENAM-18268

webauthnDeviceProfiles is not multi-valued for AD

OPENAM-18256

JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

OPENAM-18252

Allow nodes to update the universal ID for use cases like impersonation and peer authentication

OPENAM-18235

IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

OPENAM-18227

Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

OPENAM-18212

Check for user/agent profile condition during login can be refined further

OPENAM-18207

Global Service cache is not updated by changes from other servers in a site

OPENAM-18205

Excessive logging occurs when agent profile is not found

OPENAM-18180

No TransactionId present for AuthTreeExecutor

OPENAM-18171

Back-Channel logout keeps adding to trackingIds audit for every logout

OPENAM-18167

OIDC requests with request parameter fail with 500 error when there is no session using POST

OPENAM-18153

OpenIdConnect node call to well-known endpoint does not support proxy settings

OPENAM-18149

Wrong log file is used for SAML2 extensions log message

OPENAM-18141

AM no longer uses global SAML configuration

OPENAM-18140

AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

OPENAM-18132

Failed to get the distinct userIdAttributes for configured identity stores in realm

OPENAM-18121

Complex authentication trees load slowly

OPENAM-18120

Audit logging service does not correctly reflect the "prompt" URL parameter

OPENAM-18119

Audit log no longer shows the userID of session being invalidated by amAdmin

OPENAM-18118

OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

OPENAM-18112

Misleading error message when LDAP auth node connects to a TLS-enabled server

OPENAM-18090

Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18085

SocialProviderHandlerNode does not work in an upgraded AM

OPENAM-18068

Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

OPENAM-18065

Logback.jsp cannot be used to set log levels for loggers in custom code

OPENAM-18062

SPACSUtils withholds exception and does not log error

OPENAM-18057

Identities page displays Internal Server Error when a user does not have search attribute defined

OPENAM-18043

Device Match module not setting correct AuthLevel

OPENAM-18030

Message node shows inconsistent behavior regarding the default locale

OPENAM-18027

Amster import clean fails intermittently with server error 500: Authentication instance does not exist

OPENAM-18017

Creation of UMA Policy to share a resource fails when identities have custom object classes

OPENAM-18009

HTTP error code 500 when authenticating with authIndexType service without authIndexValue

OPENAM-18006

Persistent search for identity store does not recover

OPENAM-18003

WS-Federation Active Requestor Profile does not work with Authentication Trees

OPENAM-17993

org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

OPENAM-17979

Backchannel authentication auth_req_id can be used to obtain multiple access tokens

OPENAM-17977

Amster connect command ignores connection-timeout parameter

OPENAM-17973

Retrieving auth code in a realm fails if session for another realm exists

OPENAM-17962

LDAP Decision Node does not put updated password in transient state

OPENAM-17954

Accept-Language header locale ignored on OAuth 2.0 Consent page

OPENAM-17935

Missing return statement in the happy flow of the kerberos node

OPENAM-17923

Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

OPENAM-17916

When no session exists logout page redirects to login

OPENAM-17912

Account lockout count is not reset correctly

OPENAM-17904

JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

OPENAM-17896

ForgottenPassword Reset on multiple clusters not working when reset link is clicked

OPENAM-17870

ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

OPENAM-17830

Error messages are logged when the Push Notification Service is absent

OPENAM-17828

Apostrophe in username breaks Push/OATH device registration

OPENAM-17826

Introspect endpoint returns a static value for expires_in when using client-based tokens

OPENAM-17814

Auth Tree step-up fails if username case does not match

OPENAM-17793

OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

OPENAM-17783

Language tag limited to 5 characters instead of 8

OPENAM-17782

Policy evaluation fails with 400 error when user does not exist

OPENAM-17760

PEM support incorrectly decodes some EC private keys

OPENAM-17718

OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

OPENAM-17689

LDAPv3PersistentSearch should log when psearch connection is lost

OPENAM-17688

InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

OPENAM-17683

Selfservice user registration auto login fails for a sub-realm

OPENAM-17678

Radius server fails to initialize on startup due to Config cache refreshed

OPENAM-17677

oauth2/device/code endpoint does not support locale parameter

OPENAM-17663

Improve the error response code for "Failed to revoke access token"

OPENAM-17650

Amster generates RSA keys smaller than recommended

OPENAM-17610

OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

OPENAM-17593

Deadlock when admin token is invalid and when config data is cleared

OPENAM-17591

Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17590

OIDC login hint cookie broken since 7.0

OPENAM-17587

OIDC bearer token authentication module requires context value setting for client secret

OPENAM-17548

Can’t go back to login page after invoking Social Authentication Nodes

OPENAM-17521

Insufficient error logging to track down Multivalued RDNs not supported issue

OPENAM-17519

Amster 7 package contains outdated elements

OPENAM-17515

Sub attribute in access token can be in wrong case

OPENAM-17493

OAuth 2.0 node does not support external proxy authentication (user/pass)

OPENAM-17440

OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

OPENAM-17426

No validation for attribute collector node

OPENAM-17405

Token introspection response not spec compliant

OPENAM-17351

AM File based config setup cannot be used with AM recording to dump the config

OPENAM-17320

Revisit prompt=login behavior change that keeps existing session

OPENAM-17308

Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

OPENAM-17265

Amster updates incorrect authorized_keys file

OPENAM-17040

UMA policy creation does not work with shared repo

OPENAM-16988

accessedEndpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16953

Custom idrepo sample using IdRepoConfig does not work

OPENAM-16881

SAML federation library stopped supporting ACS URLs with query parameters

OPENAM-16653

Identity using fr-idm-uuid has wrong account ID in FR Authenticator

OPENAM-16642

Server id creation can fail when id is greater than 100

OPENAM-16490

OWASP ESAPI broken

OPENAM-16418

Client auth using private_key_jwt fails with 500 if claim format is wrong

OPENAM-16262

Javadocs for IdUtils needs updating

OPENAM-16216

Get Session Data node improvements

OPENAM-15472

HOTP - text for performed attempts is hard-coded and not localisable

OPENAM-15408

oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

OPENAM-15278

"Access Denied" error when accessing logout link and not currently signed in

OPENAM-14343

AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-13855

CTS creates too many connections to DS

OPENAM-13312

Stateless non-expiring refresh tokens fail with "invalid_grant"

OPENAM-12969

UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

OPENAM-11636

IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1.x

AM 7.1.4

OPENAM-21004

AM will always look for valid session when scope=openid

OPENAM-21002

CTS task queue full and SeriesTaskExecutorThread can get stuck waiting

OPENAM-20897

Issue with logging unsupported callbacks

OPENAM-20691

Destroy oldest session may fail to work

OPENAM-20396

Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved

OPENAM-20318

Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML

OPENAM-20260

Unable to log into AM when external application store is down

OPENAM-20230

Class whitelisting fails with permission denied after an extended period

OPENAM-20181

AD account notification fails

OPENAM-20085

STS token generation does not work with clustered docker pods

OPENAM-20082

Locked out users are shown a misleading error message

OPENAM-19954

SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration

OPENAM-19362

AM to DS certificate log message logged at warning instead of error or critical

OPENAM-18818

Persistent search error message shows wrong DS identifier

OPENAM-18629

RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls

OPENAM-18488

Windows Hello with TPM/platform authenticator returns two certificates

OPENAM-17591

Session quota action destroy next expiring token can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17215

Policy debug log fills up at very high pace if the config store is not found

OPENAM-13766

No configuration found for login with SessionConditionAdvice=deny

AM 7.1.3

OPENAM-19884

AM returns 500 when ; is used in the access token header

OPENAM-19865

Memory Leak due to samlResponseDataHash not being cleaned up

OPENAM-19649

ID token not linked to session when authorising with sso token

OPENAM-19613

PSearch is already removed error message should be warning

OPENAM-19537

UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

OPENAM-19530

Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration'

OPENAM-19515

Unable to update session service with read only identity store

OPENAM-19512

Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints

OPENAM-19506

Installer fails after pressing "cancel" button at amadmin password page

OPENAM-19455

Adding Authentication Context without Level value results in uneditable entity

OPENAM-19427

Display security questions in the correct default language

OPENAM-19384

Suspended Authentication Resume URI is resolved with a missing '/'

OPENAM-19381

Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

OPENAM-19297

OIDC MayAct claims script fails to access clientProperties and causes Java security exception

OPENAM-19290

In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not take effect until AM1 is restarted

OPENAM-19281

OIDC dynamic client registration cannot handle "\n" in the client_description

OPENAM-19220

WebAuthN/Fido - cannot authenticate with recovery codes on Windows

OPENAM-19208

Webhook with an empty url field throws NPE during a webhook session upgrade

OPENAM-19190

LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

OPENAM-19162

REST API definition inaccurate for endpoint '/realm-config/saml'

OPENAM-19123

AM validates duplicate registration tokens

OPENAM-19122

AM’s jwks_uri endpoint should preserve order of keys within the set

OPENAM-19119

GetAuthenticatorApp Node needs better localization support

OPENAM-19112

AM with embedded DJ always runs DJ backup and upgrade

OPENAM-19111

Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API

OPENAM-19109

Insufficient debug logging to troubleshoot CORS service

OPENAM-19108

"Agent" auth tree creates tokens with insufficient permissions

OPENAM-19086

rest-sts endpoint is not included when CORS is enabled

OPENAM-19083

Creating a client-based access & refresh token breaks subsequent use of Session Quotas

OPENAM-19016

Logback.jsp should show the actual setting of the loggers instead of defaults

OPENAM-19011

QR code message used in MFA Authentication node should be customizable / localizable

OPENAM-18990

Non-compliant OAuth2 error response generated

OPENAM-18952

KBA questions are not falling back to the default language when French is present

OPENAM-18891

JWT Profile Oauth2 Grant returns 'invalid_grant'

OPENAM-18835

JCEEncryption throws ArrayIndexOutOfBoundsException when decrypting empty bytes

OPENAM-18834

AM fails to start when upgrading after using am-upgrader

OPENAM-18655

Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

OPENAM-18478

XUI shows incorrect subjectType following upgrade from AM < 6.5.3

OPENAM-18457

OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

OPENAM-18432

Remove the internal idm-delegation grant type from the well known info

OPENAM-18384

Email Suspend Node clears the secure state

OPENAM-18268

webauthnDeviceProfiles is not multi-valued for AD

OPENAM-18252

Allow nodes to update the universal ID for use cases like impersonation and peer authentication

OPENAM-18196

More meaningful error message when Client Secret is not URL-encoded

OPENAM-18172

Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs

OPENAM-18149

Wrong log file is used for SAML2 extensions log message

OPENAM-18132

Failed to get the distinct userIdAttributes for configured identity stores in realm

OPENAM-18113

LDAP authentication node: change of connection mode does not recreate the connection pool

OPENAM-18112

Misleading error message when LDAP auth node connects to a TLS-enabled server

OPENAM-18062

SPACSUtils withholds exception and does not log error

OPENAM-17973

Retrieving auth code in a realm fails if session for another realm exists

OPENAM-17882

Slow memory leak when persistent search starts retry activity after a persistent search failure

OPENAM-17835

Do not display "Unable to retrieve instance of the ValidationServiceConfig" after IdP-initiated SSO

OPENAM-17688

InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

OPENAM-17351

AM File based config setup cannot be used with AM recording to dump the config

OPENAM-17308

Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

OPENAM-17201

XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used

OPENAM-16953

Custom idrepo sample using IdRepoConfig does not work

OPENAM-16878

Scripted Decision Node secrets binding object does not have public API

OPENAM-16490

OWASP ESAPI lib is missing some classes

OPENAM-16241

Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

OPENAM-15997

Enhance CookieHelper to perform better cookie detection

OPENAM-15472

HOTP - text for performed attempts is hard-coded and not localisable

OPENAM-15408

oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

OPENAM-14343

AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-13766

No configuration found for login with SessionConditionAdvice=deny

OPENAM-12992

Misleading error message in XUI console when existing DNS alias is provided

OPENAM-12101

Connection pool not restarted if LDAP authentication module admin bind password is incorrect

OPENAM-11319

Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse

AM 7.1.2

OPENAM-18928

Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

OPENAM-18921

Double slashes in oauth2 claim name handled incorrectly

OPENAM-18883

Inconsistent error response from Client authentication using private_key_jwt

OPENAM-18864

Upgrade Radius Server Client Secrets fails due to service config cache cleared

OPENAM-18836

No TransactionId on "debug.out" for the AM recording

OPENAM-18833

Client authentication using private_key_jwt will cause 500 if claims value is null

OPENAM-18780

JwksOAuth2AgentEventListener class not setting the correct default cache miss time value

OPENAM-18756

Entering the correct OTP after entering a wrong OTP fails authentication

OPENAM-18753

Upgrading AM Radius server with clients causes Radius auth failures

OPENAM-18711

AES Encryption/Decryption fails when running in Java 17

OPENAM-18705

Problem with Page Node using node relying on secureState

OPENAM-18684

Redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

OPENAM-18679

OATH Registration node doesn’t work when placed inside a 'Page' node

OPENAM-18663

AM should check new realm with rest end-point names by ignoring case

OPENAM-18661

Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

OPENAM-18646

Upgrade from AM 7.1.0 to 7.2+ may fail when upgrading an existing Java agent profile

OPENAM-18644

IdRepo cache can not be disabled anymore

OPENAM-18640

REST-STS is using the old path to reach /users endpoint

OPENAM-18623

Issue with jwk_uri endpoint called in parallel

OPENAM-18610

RealmOAuth2ProviderSettings for getJwks permits an empty set

OPENAM-18605

Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

OPENAM-18586

Lack of debugging message when AM is not able to read the encrypted_base64 folder after upgrade

OPENAM-18547

Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

OPENAM-18536

Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI

OPENAM-18511

Missing navigation options when an expired link from "Email Suspend" node is used

OPENAM-18443

Transactional authentication is disabled on new installs

OPENAM-18434

Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

OPENAM-18297

Outbound calls to Jwks_URI endpoint do not support proxy settings

OPENAM-18256

JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

OPENAM-18175

SMSUtils#addAttributesToMap inconsistency with array ordering

OPENAM-18141

AM no longer uses global SAML configuration

OPENAM-18130

"Agent Configuration Change Notification" uses the same help text in the XUI for Java and Web agents, but the property name is different

OPENAM-18120

Audit logging service does not correctly reflect the "prompt" URL parameter

OPENAM-18090

Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18030

Message node shows inconsistent behaviour regarding the default locale

OPENAM-18005

Insufficient error message to troubleshoot persistent search issue

OPENAM-17949

Account lockout applied to tree even when ignore profile selected

OPENAM-17904

Json Audit Log Location not working when modifying location to only include %SERVER_URI% variable

OPENAM-17833

Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port

OPENAM-17830

Error messages are logged when the Push Notification Service is absent

OPENAM-17829

External UMA Resource Set using SSL but not StartTLS fails

OPENAM-17593

Deadlock when admin token is invalid and when config data is getting cleared

OPENAM-17271

Typo for Realm in SAML/Federation debug

OPENAM-17102

OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

AM 7.1.1

OPENAM-18604

Formatting issues in Upgrade Report

OPENAM-18573

URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

OPENAM-18566

Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0

OPENAM-18559

Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required."

OPENAM-18532

Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI

OPENAM-18523

NullPointerException when AgentsRepo with from group is changed

OPENAM-18459

IdTokenInfo endpoint behaviours change from 6.x and fails when using client_id in POST

OPENAM-18422

Email Template node creates threads without terminating them

OPENAM-18421

In Platform environment, using a Email Template node creates new thread that does not terminate

OPENAM-18389

HttpClientHandler Guice injection in tree is typically broken with thread pool growth

OPENAM-18377

Authorization fails using auth module if user has authenticated with alias name

OPENAM-18366

Upgrade Report contains unformatted line feeds "%LF%"

OPENAM-18359

Choice Collector Node appears to not be present following upgrade

OPENAM-18321

CertificateCollectorNode fails when checking cert in LDAP Directory Server

OPENAM-18319

Realm is added more than once when session upgrade happens more than once with modules.

OPENAM-18316

Typo in oauth2 template (templates/touch/authorize.ftl)

OPENAM-18306

OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

OPENAM-18258

Failed to load configuration for OAuth2Provider observed after upgrade

OPENAM-18241

Permit OAuth2 Modification Script to return scopes as space-delimited string

OPENAM-18235

IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

OPENAM-18227

Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode

OPENAM-18212

Check for user/agent profile condition during login can be refined further

OPENAM-18207

Global Service cache is not updated by changes from other servers in a site

OPENAM-18205

Excessive logging occurs when agent profile is not found

OPENAM-18180

No TransactionId present for AuthTreeExecutor

OPENAM-18171

Back-Channel logout keeps adding to trackingIds audit for every logout

OPENAM-18167

OIDC requests with request parameter fail with 500 error when there is no session using POST

OPENAM-18154

Wrong AMR returned with prompt=login and force authn setting enabled

OPENAM-18153

OpenIdConnect node call to well-known endpoint does not support proxy settings

OPENAM-18140

AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

OPENAM-18121

Slow loading in Authentication Tree

OPENAM-18119

Audit log no longer shows the userID of session being invalidated by amadmin

OPENAM-18090

Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18085

SocialProviderHandlerNode does not work in an upgraded AM

OPENAM-18068

Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists

OPENAM-18065

Logback.jsp can not be used to set log levels loggers in custom code

OPENAM-18057

Identities page displays Internal Server Error when a user does not have search attribute defined

OPENAM-18043

Device Match module not setting correct AuthLevel

OPENAM-18017

Creation of UMA Policy to share a resource fails when identities have custom object classes

OPENAM-18009

AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue

OPENAM-18006

Persistent search for identity store does not recover

OPENAM-18003

WS-Federation Active Requestor Profile does not work with Authentication Trees

OPENAM-17993

The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

OPENAM-17979

Backchannel authentication - auth_req_id can be used to obtain multiple access tokens

OPENAM-17962

LDAP Decision Node does not put updated password in transient state

OPENAM-17954

Accept-Language header locale ignored on OAuth2 Consent page

OPENAM-17935

Missing 'return' statement in the happy flow of the kerberos node

OPENAM-17923

Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled

OPENAM-17916

When no session exists logout page redirects to login

OPENAM-17912

Account lockout count is not reset correctly

OPENAM-17896

ForgottenPassword Reset on multiple cluster not working when reset link clicked

OPENAM-17870

ScriptedDecisionNodes schema config not upgraded and sharedState does work after upgrade.

OPENAM-17863

Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile

OPENAM-17828

Apostrophe in username breaks Push/OATH device registration

OPENAM-17826

Introspect endpoint returns a static value for "expires_in" when using client based tokens

OPENAM-17814

Auth Tree step-up fails if username case does not match

OPENAM-17801

OIDC userinfo subname claim returns incorrect value

OPENAM-17793

OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

OPENAM-17782

Policy evaluation fails with 400 error when user does not exist

OPENAM-17774

Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint

OPENAM-17773

The acr_values parameter is mandatory on CIBA bc-authorize endpoint

OPENAM-17760

PEM support incorrectly decodes some EC private keys

OPENAM-17738

Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI

OPENAM-17718

OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

OPENAM-17678

Radius server fails to initialize on startup due to Config cache refreshed

OPENAM-17677

The oauth2/device/code endpoint does not support locale parameter

OPENAM-17663

Improve the error response code for "Failed to revoke access token"

OPENAM-17630

JMS Audit logging broken and cannot start up

OPENAM-17610

OTP Email Sender node does not allow specifying connect timeout and IO/read timeout for underlying transport.

OPENAM-17590

OIDC login hint cookie broken since 7.0

OPENAM-17587

OIDC bearer token authentication module requires context value setting for client secret

OPENAM-17493

OAuth2 node does not support external proxy authentication (user/pass)

OPENAM-17405

Token introspection response not spec compliant

OPENAM-17320

Revisit prompt=login behaviour change that keeps existing session

OPENAM-17265

Wrong authorized_keys file updated

OPENAM-17262

Subname claim inconsistencies

OPENAM-16988

The accessedEndpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16881

SAML federation library stopped supporting ACS URLs with query parameters

OPENAM-16653

Identity using fr-idm-uuid has wrong account ID in FR Authenticator

OPENAM-16642

Server id creation can fail when id is greater than 100

OPENAM-16554

Misplaced bufferingEnabled checkbox in New Syslog configuration

OPENAM-16491

SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode)

OPENAM-16418

Client auth using private_key_jwt fails with 500 if claim format is wrong

OPENAM-16216

Get Session Data node improvements

OPENAM-15861

NullPointerException in CollectionHelper.getServerMapAttrs

OPENAM-15740

Document _fields is case sensitive

OPENAM-15278

"Access Denied" error when accessing logout link and not currently signed in

OPENAM-13855

CTS creates too many connections to DS

OPENAM-13312

Stateless non-expiring refresh tokens fail with "invalid_grant"

OPENAM-11636

IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

AM 7.1

OPENAM-17396

Terms of Service URI Link does not Display in Consent Page

OPENAM-17395

SocialOpenIdConnectNode fails to recover from client’s connection reset

OPENAM-17365

Checking agent type with caller token can cause deadlock

OPENAM-17364

Prompt login / session upgrade / OIDC ACR looping with trees

OPENAM-17361

API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

OPENAM-17357

Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

OPENAM-17353

HTML pages are not picked up when placing in a theme folder

OPENAM-17349

OIDC Refresh token - Ops token is deleted from the CTS during refresh

OPENAM-17343

Access token call returns 500 error if password needs to be changed or has expired

OPENAM-17322

SAML2 bearer grant returns NoUserExistsException

OPENAM-17317

A realm without any modules can cause increased thread count and slow response.

OPENAM-17276

AM recorder does not record anymore

OPENAM-17271

Typo for Realm in SAML/Federation debug

OPENAM-17260

Allow arg=newsession usage in authorize calls

OPENAM-17242

OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

OPENAM-17220

OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

OPENAM-17199

Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

OPENAM-17156

Adaptive Risk checkGeoLocation null countryCode can cause module fail.

OPENAM-17136

OAuth2 Dynamic Client Registration does not recognise spec-defined parameters

OPENAM-17121

Inefficient synchronized block in OAuth2ProviderSettingsFactory

OPENAM-17114

Save Consent check box always shown, even when not configured

OPENAM-17097

Inconsistent scope policy evaluation between authorize and ROPC

OPENAM-17089

Forgot password functionality broken

OPENAM-17070

SAML2 SP-initiated SSO with AM as IdP Proxy: RelayState is not returned from proxy after IdP authentication

OPENAM-17060

Audit Logging "Resolve host name" is still available after OPENAM-7849

OPENAM-17037

AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

OPENAM-17034

In a realm if User Profile is set to Ignored the realm level Session Service quota settings is also ignored and only the Session Service setting at top level/global is evaluated

OPENAM-17017

REST STS fails with "unable to get sub-schema" if cache is refreshed while updating REST config

OPENAM-17006

Hosted SAML entity - can not remove bindings

OPENAM-16998

Poor logging around failures "Invalid Assertion Consumer Location specified"

OPENAM-16997

Device code grant implied consent fails if access_token request performed before user authenticates

OPENAM-16988

Accessed endpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16955

When setCookieToAllDomains=false is used, a non-matching request from another domain will fail

OPENAM-16947

Kerberos Node in 7.0 fails to return goTo(false)

OPENAM-16944

LDAP Decision node fails if inetuserstatus does not exist

OPENAM-16936

Tree nodes create new keystore object each time node is called.

OPENAM-16935

Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

OPENAM-16934

sm.getSchemaManager has a typo including a comma

OPENAM-16926

Success URL node doesn’t work with SAML Node for Idpinit when not using Integrated mode

OPENAM-16910

Can not create SAML entity with entity id including a semicolon ';'

OPENAM-16907

Kerberos Node in 7.0 does not work

OPENAM-16904

OIDC bearer module fails with NPE when id_token does not contain kid

OPENAM-16883

AM ignores AuthnRequestsSigned property during SSO

OPENAM-16876

Default ACR values on OIDC client profile is not honoured in order of preference

OPENAM-16866

AM should fail gracefully if id_token fails to generate when swapping refresh token

OPENAM-16849

WeChat Social Auth module broken (regression)

OPENAM-16848

Choice Collector and WDSSO node combination does not work if whitelisting is enabled

OPENAM-16847

AM email service failing with 'Start TLS' option

OPENAM-16838

AuthenticationApproachChecker does not handle session upgrade modules

OPENAM-16823

IDM nodes do not send or propagate transactionId tracking when contacting IDM

OPENAM-16807

The dynamic values for request_uri stored in client config do not expire and are not automatically removed

OPENAM-16801

SAML2 SP init SSO fails after upgrade to 7.0.0

OPENAM-16784

Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

OPENAM-16769

Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

OPENAM-16758

Cannot install AM 7 on Windows

OPENAM-16745

client_id in access token ignores what’s been registered when idm cache is disabled

OPENAM-16726

Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

OPENAM-16703

OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

OPENAM-16701

The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

OPENAM-16684

OIDC Dynamic Registration client_description cannot take String type

OPENAM-16669

IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

OPENAM-16617

SuccessURL session property is set to gotoURL in authentication tree

OPENAM-16608

AM with embedded DS setup fails with permission denied for truststore

OPENAM-16583

Crucial information is missing when encountering LDAP connections issue.

OPENAM-16556

Radius Server doesn’t log IP address into AM Audit logs

OPENAM-16555

Audit logging does not tell which policy allowed or denied a resource request

OPENAM-16540

Issues with Social Login URLs when navigating quickly between providers

OPENAM-16535

"JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

OPENAM-16515

Social auth - insufficient debug logging for troubleshooting

OPENAM-16485

'Failed Login URL' is not picked up from the auth chain

OPENAM-16472

Proxied Authentication fallback may not work when user entry lacks some attributes

OPENAM-16450

501 when default resource version set to "oldest" and Accept-API-Version header set

OPENAM-16418

private_key_jwt client auth fails with 500 if claim format is wrong

OPENAM-16368

Settings of Mail and Scripting global service properties are overwritten at upgrade

OPENAM-16367

OIDC request_uri response causes NPE while debug logging

OPENAM-16354

Concurrency bug in OAuth2ProviderSettingsFactory

OPENAM-16338

Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

OPENAM-16157

Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

OPENAM-16152

After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

OPENAM-16006

Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

OPENAM-15963

Historical retention files ( csv ) were not deleted

OPENAM-15948

Update DS profiles to add VLV indexes for CTS use

OPENAM-15743

Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

OPENAM-15671

LoginContext is missing debug logging for troubleshooting

OPENAM-15663

UserInfoClaims is not part of public API

OPENAM-14898

OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

OPENAM-14682

Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

OPENAM-14527

Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

OPENAM-12503

SizeBasedRotationPolicy does not delete oldest file

AM 7.0.x

AM 7.0.2

OPENAM-17689

LDAPv3PersistentSearch should log when psearch connection is lost

OPENAM-17688

InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

OPENAM-17683

Selfservice user registration auto login fails for a sub-realm

OPENAM-17673

Nodes within a Page node do not have access to secure state

OPENAM-17672

Page Node does not expose inner nodes inputs or outputs

OPENAM-17630

JMS Audit logging broken and cannot start up

OPENAM-17591

Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17587

OIDC bearer token authentication module requires context value setting for client secret

OPENAM-17570

OIDC request parameter decryption fails to find any applicable keys

OPENAM-17555

AM 7.x versions of Amster use Java 8 format of debug port

OPENAM-17517

JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.

OPENAM-17515

Sub attribute in access token can be in wrong casing

OPENAM-17483

SecretsPlugin upgrade from 6.5.x failing

OPENAM-17477

Thread-safety issue in AMAuthenticationManager

OPENAM-17436

JS version of the OIDC Claims script does not work due to a casting error.

OPENAM-17405

Token introspection response not spec compliant

OPENAM-17397

ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

OPENAM-17365

Checking agent type with caller token can cause deadlock

OPENAM-17364

prompt login / session upgrade / OIDC ACR looping with trees

OPENAM-17361

API Explorer Swagger Template body needs to be modified to include configExport, debugLogs and threadDump as per the API Documentation

OPENAM-17357

Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

OPENAM-17349

OIDC Refresh token - Ops token is deleted from the CTS during refresh

OPENAM-17337

Access token passed in request body results in failure

OPENAM-17324

Client credentials grant in FBC config with group inheritance causes User not Valid Error

OPENAM-17322

SAML2 bearer grant returns NoUserExistsException

OPENAM-17321

Prometheus Endpoint returns http 500 error when used with file based config

OPENAM-17317

A realm without any modules can cause increased thread count and slow response.

OPENAM-17310

'ssoadm list-datastore-types' sub-command broken

OPENAM-17277

AM Recording with thread dump only shows depth of 8

OPENAM-17276

AM recorder does not record anymore

OPENAM-17274

AM should not change the supported subject types for an existing install

OPENAM-17271

Typo for Realm in SAML/Federation debug

OPENAM-17265

Wrong authorized_keys file updated

OPENAM-17242

OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

OPENAM-17220

OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

OPENAM-17199

Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

OPENAM-17175

XUI OAuth2 consent page does not render when using themes

OPENAM-17157

Password reset via admin console with Proxied Authorization enabled is not possible

OPENAM-17156

Adaptive Risk checkGeoLocation null countryCode can cause module fail.

OPENAM-17121

Inefficient synchronized block in OAuth2ProviderSettingsFactory

OPENAM-17117

Service config XML dump consumes a lot of memory (whole config is read to memory)

OPENAM-17114

Save Consent check box always shown, even when not configured

OPENAM-17102

OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication

OPENAM-17097

Inconsistent scope policy evaluation between authorize and ROPC

OPENAM-17089

Forgot password flow not working after initial attempt to reset password fails

OPENAM-17081

OAuth2 client agent group settings are not taken into account

OPENAM-17079

Identities and Session: unexpected error returned when requesting a nonexistent identity

OPENAM-17070

SAML2 SP-initiated SSO with AM as IdP Proxy: RelayState is not returned from proxy after IdP authentication

OPENAM-17066

Unable to add server to existing deployment through UI

OPENAM-17042

User Self Registration REST API does not generate SSO token

OPENAM-17019

Allowing wildcards in OAuth 2.0 clients prevents exact matching from working

OPENAM-17017

REST STS fails with "unable to get sub-schema" if cache is refreshed while updating REST config

OPENAM-16998

Poor logging around failures "Invalid Assertion Consumer Location specified"

OPENAM-16997

Device code grant implied consent fails if access_token request performed before user authenticates

OPENAM-16955

When setCookieToAllDomains=false is used, a non-matching request from another domain will fail

OPENAM-16944

LDAP Decision node fails if inetuserstatus does not exist

OPENAM-16932

PageNode does not pick up outcomes if ScriptedDecisionNode is used inside

OPENAM-16910

Can not create SAML entity with entity id including a semicolon ';'

OPENAM-16904

OIDC bearer module fails with NPE when id_token does not contain kid

OPENAM-16883

AM ignores AuthnRequestsSigned property during SSO

OPENAM-16881

SAML federation library stopped supporting ACS URLs with query parameters

OPENAM-16876

Default ACR values on OIDC client profile is not honoured in order of preference

OPENAM-16849

WeChat Social Auth module broken (regression)

OPENAM-16801

SAML2 SP init SSO fails after upgrade to 7.0.0

OPENAM-16726

Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

OPENAM-16651

Default configuration fails if the trust store type JVM property is not defined for the JVM

OPENAM-16638

AM with embedded DS setup fails when Java system keystore properties is set

OPENAM-16608

AM with embedded DS setup fails with permission denied for truststore

OPENAM-16581

SAML Authentication Module on hosted SP gets SAML No authentication context error

OPENAM-16556

Radius Server does not log IP address into AM Audit logs

OPENAM-16515

Social auth - insufficient debug logging for troubleshooting

OPENAM-16472

Proxied Authentication fallback may not work when user entry lacks some attributes

OPENAM-16364

Macaroon access tokens don’t work with the new any-realm token introspection

OPENAM-16262

Javadocs for IdUtils needs updating

OPENAM-15963

Historical retention files ( csv ) were not deleted

OPENAM-15214

Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node

OPENAM-14240

FMSigProvider.verify does not tell if certificates are provided

OPENAM-13783

REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect

OPENAM-13575

Unhelpful log message when OIDC public client wants to use HMAC id token signing

AM 7.0.1

OPENAM-16935

Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

OPENAM-16934

sm.getSchemaManager has a typo including a comma

OPENAM-16907

Kerberos Node in 7.0 does not work

OPENAM-16877

Error when creating AM "Self-service Trees" service in native admin ui

OPENAM-16848

Choice Collector and WDSSO node combination does not work if whitelisting is enabled

OPENAM-16847

AM email service failing with 'Start TLS' option

OPENAM-16838

AuthenticationApproachChecker does not handle session upgrade modules

OPENAM-16823

IDM nodes do not send or propagate transactionId tracking when contacting IDM

OPENAM-16802

Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE

OPENAM-16794

Google KMS options missing after upgrade from 6.5

OPENAM-16791

AMAccessAuditEventBuilder#forRequest can generate an entry with |-1 for the port

OPENAM-16769

Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

OPENAM-16759

Amster on windows AM does not restart properly after setup

OPENAM-16758

Cannot install AM 7 on Windows

OPENAM-16745

client_id in access token ignores what’s been registered when idm cache is disabled

OPENAM-16703

OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

OPENAM-16702

Saving engine configuration in FBC mode makes that config non-readable

OPENAM-16701

The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

OPENAM-16697

Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

OPENAM-16686

Cannot create a User after upgrade from 6.5.2 to 7.0.1

OPENAM-16684

OIDC Dynamic Registration client_description cannot take String type

OPENAM-16669

IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

OPENAM-16650

Authz Policy Subjects Policy.title is showing property name text

OPENAM-16641

OAuth2 provider supported grant types attribute missing localization property on XUI

OPENAM-16606

Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults

OPENAM-16594

ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155

OPENAM-16583

Crucial information is missing when encountering LDAP connections issue.

OPENAM-16555

(audit) logging does not tell which policy allowed or denied a resource request

OPENAM-16551

Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

OPENAM-16545

Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents

OPENAM-16485

'Failed Login URL' is not picked up from the auth chain

OPENAM-16483

XUI - Typo in SAML SP "Default Relay State Url" label

OPENAM-16368

Settings of Mail and Scripting global service properties are overwritten at upgrade

OPENAM-16367

OIDC request_uri response causes NPE while debug logging

OPENAM-16354

Concurrency bug in OAuth2ProviderSettingsFactory

OPENAM-16338

Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

OPENAM-16157

Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

OPENAM-16152

After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

OPENAM-16006

Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

OPENAM-15671

LoginContext is missing debug logging for troubleshooting

OPENAM-15663

UserInfoClaims is not part of public API

OPENAM-14682

Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)

OPENAM-14527

Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

OPENAM-11706

Policies in a policy set are not visible in Internet Explorer IE

AM 7.0

OPENAM-16433

Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

OPENAM-16425

AM does not handle malformed/incorrect signature correctly

OPENAM-16402

The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

OPENAM-16379

URL fragments like # cause forbidden login in the XUI

OPENAM-16284

XUI does not handle Special Chars / UTF-8 in realms properly.

OPENAM-16279

AgentsRepo cannot recover when it fails especially on external Application store.

OPENAM-16251

OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

OPENAM-16240

REST STS under subrealm cannot generate id_token with realm claim

OPENAM-16233

Policy evaluation fails when subject not found (even in ignore profile)

OPENAM-16214

Push Authentication Module does not work on Session Upgrade when User Cache disabled

OPENAM-16184

Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

OPENAM-16165

social authmodule causes NullPointerException

OPENAM-16164

social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

OPENAM-16136

queryFilter only matches against first entry in array

OPENAM-16132

When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

OPENAM-16032

Unable to delete devices with Recovery Code Collector Decision Node

OPENAM-16031

Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

OPENAM-16014

An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

OPENAM-16013

Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

OPENAM-16009

Windows Desktop SSO node full adoption and compliance with tree node specifications

OPENAM-15989

OAuth2 client_id should be url-decoded when using basic auth

OPENAM-15982

OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

OPENAM-15970

Access Token introspect Fails in subrealm after root realm modified

OPENAM-15944

WS-Federation - RPSignin Request fails because config data is used unchecked

OPENAM-15905

Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

OPENAM-15900

Kerberos fails when used with IBM JDK

OPENAM-15896

WS-Federation relying party initiated passive request - stuck at Account Realm selection

OPENAM-15881

Custom AM User (amUser.xml) field does not use default values from the schema

OPENAM-15858

Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

OPENAM-15853

External UMA store fails on resource creation

OPENAM-15805

idtokeninfo endpoint gives invalid signature error when ID Token is expired

OPENAM-15785

OIDC spec violation - HTTP POST can not be used to send Authentication Request

OPENAM-15784

Form elements in policy environment condition tab are displayed twice

OPENAM-15766

LoginState - account lockout is checked although AM AccountLockout is disabled

OPENAM-15758

KeyStore Secret Store fails to start due to secretId having some characters.

OPENAM-15750

ERROR OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

OPENAM-15724

SAML2 entities do not set amlbcookie if there is only one server

OPENAM-15713

AM SP silently drops the 80-character RelayState for HTTP Redirect

OPENAM-15698

IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

OPENAM-15697

Default ACR values from OAuth2 provider not taken into account

OPENAM-15694

RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

OPENAM-15679

The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

OPENAM-15670

DeviceIdSave auth module initialization fails if username is null

OPENAM-15667

AM debug log does not tell which auth-module was handled - needed for troubleshooting

OPENAM-15645

The &refresh=true|false parameter for _action=validate is not working as expected

OPENAM-15632

OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

OPENAM-15628

Grant-Set Storage Scheme for CTS does not work with CIBA Flow

OPENAM-15627

Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

OPENAM-15579

AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

OPENAM-15559

OATH module broken in Japanese locale

OPENAM-15533

WS-Federation doesn’t work with Authentication Trees

OPENAM-15530

OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

OPENAM-15520

XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

OPENAM-15508

moduleMessageEnabledInPasswordGrant does not apply to Trees

OPENAM-15507

500 error when calling /revoke or /refresh endpoint with wrong token

OPENAM-15501

Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

OPENAM-15494

AM expects nonce request parameter in authorize request when no id_token will be returned

OPENAM-15491

Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

OPENAM-15489

WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

OPENAM-15465

Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

OPENAM-15459

When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

OPENAM-15425

OIDC endsession - encrypted id_tokens are not supported

OPENAM-15374

OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

OPENAM-15355

PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

OPENAM-15349

Access Token request returns a 500 error

OPENAM-15345

at_hash value generated does not take the latest modified access token

OPENAM-15323

ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

OPENAM-15307

Trees Example is not working as expected OOTB to ?service=Example

OPENAM-15303

Claims with multiple values in issued_token from REST STS represented inconsistently.

OPENAM-15244

AM configuration does not perform schema extension for identity store although it has the permissions

OPENAM-15210

Authentication nodes that are assigned AuthType values may not work in Session Upgrade case with custom modules

OPENAM-15164

CDSSO with "ignore profile" throws "No OpenID Connect provider"

OPENAM-15160

LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

OPENAM-15150

Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

OPENAM-15147

HTTP 500 upon accessing openam/json/

OPENAM-15145

OpenAM Scope Validator calls getUserInfo twice when creating IdToken

OPENAM-15121

Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

OPENAM-15117

KeyVault KeyStoreType not supported

OPENAM-15116

Auth ID jwt can be modified to determine whether a realm exists or not

OPENAM-15105

Unable to get trusted devices using REST API

OPENAM-15101

Remove the ability to disable XUI

OPENAM-15089

SAML SLO - Allow RelayState to be a path-relative URL

OPENAM-15076

webAuthn config does not allow for multiple origins under the same rpId

OPENAM-15044

OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

OPENAM-15036

Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

OPENAM-15028

Cannot load metadata in ssoadm without extended metadata

OPENAM-15012

OIDC - JWT Request Parameter returns errors in query, not in the fragment

OPENAM-14995

IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

OPENAM-14991

Changes to boot.json are overwritten

OPENAM-14979

NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

OPENAM-14977

PKCE Code challenge method for Authorization Code if not set should use plain

OPENAM-14966

Performing access_token with arbitrary text as trusted cert header causes server error

OPENAM-14919

Unnecessary 'Unable to parse packet received from RADIUS client' log entries in log file

OPENAM-14901

XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

OPENAM-14895

user identity creation fails with "Identity |" of type user not found.

OPENAM-14893

XUI displays multiple error messages when an authentication session times out

OPENAM-14889

Upgrade of Persistent Cookie auth module fails

OPENAM-14883

OAuth2/OIDC - Issuing client secret to Public clients during registration

OPENAM-14881

AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

OPENAM-14867

AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

OPENAM-14859

ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

OPENAM-14858

When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

OPENAM-14848

Insufficient debug logging in OpenID Connect authentication module

OPENAM-14845

user info endpoint does not correctly handle Certificate Bound Access Tokens

OPENAM-14829

AuthSchemeCondition doesn’t return realm aware policy condition advice

OPENAM-14825

OAuth2 Dynamic Registration with Software Statement triggers objectClass=| search

OPENAM-14804

Memory leak when running UMA RPT soak test

OPENAM-14799

Unable to update Agent profile using REST

OPENAM-14794

User privileges are removed from group if another group is given same privilege

OPENAM-14786

idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

OPENAM-14783

PKCS11 KeyStore does not work on IBM JVM

OPENAM-14782

AuthTree created Session does not use per User Session Service settings

OPENAM-14766

introspect and tokeninfo endpoints return Internal Server Error 500 for some invalid tokens

OPENAM-14717

mailto attribute has a space between '|' and mail address

OPENAM-14694

Consent page still shows claim values even when supported claim description is omitted

OPENAM-14651

OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

OPENAM-14581

handling ManageNameID fails if NameID does not include SPNameQualifier

OPENAM-14578

WDSSO failing but no fallback…

OPENAM-14573

amlbcookie is not secure when authenticating with trees

OPENAM-14572

prompt=login destroys and creates new session

OPENAM-14570

OAuth mTLS DN comparison fails when DER-encoding is different

OPENAM-14548

consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

OPENAM-14546

SSOADM access not audited to the ssoadm.access logs anymore

OPENAM-14539

SAML SLO with multi protocols

OPENAM-14529

UMA RPT expiry time incorrect in CTS

OPENAM-14523

NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

OPENAM-14503

SAML2 - Key Transport Algorithm - RSA OAEP must be supported

OPENAM-14483

If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

OPENAM-14480

AuthLoginException is lost

OPENAM-14471

Failed to create root realm for data store (External Policy Application)

OPENAM-14465

SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

OPENAM-14464

XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

OPENAM-14450

userinfo typo in Claims.java

OPENAM-14426

Unable to add external data store in AM (Policy | Application) when using TLS/SSL

OPENAM-14419

Policy evaluation returns search results for all policies that match outside of specified application

OPENAM-14393

CTS Operation Fails: "Entry Already Exists" logged when SAML2 Authentication is done

OPENAM-14391

Self Service Link not Displayed when Using Authentication Tree

OPENAM-14378

'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

OPENAM-14369

Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

OPENAM-14362

UMA load test fails with Invalid resource type error

OPENAM-14353

Error Message not Displayed when Change Password does not Meet Password Policy

OPENAM-14337

Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

OPENAM-14313

Audit Logging - STS transformations create duplicate entries

OPENAM-14310

CheckSession page indicates the session is not valid

OPENAM-14294

am-external Git repository 6.5 has bad source

OPENAM-14281

IdP Proxy relays wrong AuthnContextClassRef

OPENAM-14239

FMSigProvider.verify NPE with null input for certificates

OPENAM-14233

updated_at claim in the ID Token is returned as a string and not a number

OPENAM-14232

Performance issue when creating resource_set in UMA with many existing resource_sets

OPENAM-14229

custom AuthorizeTemplate under theme not used

OPENAM-14213

Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

OPENAM-14212

SAML redirect to login page fails if AM installed into the root context

OPENAM-14200

Social auth modules do not work when AM is installed into the root context

OPENAM-14189

effectiveRange of Time environment has an issue

OPENAM-14175

CTS updates on multivalue attributes may throw Duplicate values exception

OPENAM-14174

AM shows Ldapter.delete exception when session expiry is triggered

OPENAM-14167

HTML tags are shown as part of the messages in Change Password section of AD Authentication module

OPENAM-14147

arg=newsession in XUI just shows the "Loading…" page

OPENAM-14115

Sample Auth module does not work in a chain when used with Shared-state

OPENAM-14112

Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

OPENAM-14111

Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

OPENAM-14062

Redirect to Failure URL does not occur when authentication tree is not interactive

OPENAM-14054

XUI Custom templates and Partials not applied consistently

OPENAM-14053

Cannot build AM UI in Windows for Yarn using mvn

OPENAM-14040

LdifUtils debug logging prints out wrong classname

OPENAM-14018

Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

OPENAM-13999

Custom node containing ConfirmationCallbacks fails when dropped in a page node.

OPENAM-13991

'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

OPENAM-13978

Session Upgrade - AuthLevel format changes

OPENAM-13942

SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

OPENAM-13934

saml2error.jsp fails with exception when malformed SAML2 response given

OPENAM-13900

OAuth2 Device flow - duplicate user_code error after authenticating user

OPENAM-13892

Erroneous "Response’s InResponseTo attribute is not valid" error reporting "SAML2 failover is enabled" when it is not

OPENAM-13890

Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

OPENAM-13851

Rest STS cannot be created in the Console when upgrading to 6

OPENAM-13831

RP-Initiated Logout does not handle state parameter

OPENAM-13779

Session API - _action=refresh requires an admin token

OPENAM-13764

Monitoring logs in ERROR for "Agent.configAgentsOnly agent type = OAuth2Client"

OPENAM-13720

Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

OPENAM-13490

Software Publisher Agent - Secret is not saved when creating an Agent

OPENAM-13465

Dynamic client registration sets wrong subjectType

OPENAM-13446

Social Auth Service doesn’t redirect if already using another chain

OPENAM-13419

LDAPPolicyFilterCondition doesn’t set request timeout

OPENAM-13324

/users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

OPENAM-13064

OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

OPENAM-13000

Custom authentication module with a single ChoiceCallback value is processed without confirmation

OPENAM-12955

Resource Owner Password Credentials Grant does not work with trees

OPENAM-12759

max_age should be a number, not a string

OPENAM-12574

SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

OPENAM-12498

Authorization Grant response returns scope(s) in the URL

OPENAM-12228

WebAgent REST API queryFilter expression does not work and acts as "true"

OPENAM-12186

Introspect endpoint for RPT does not check the authorization scheme

OPENAM-11921

Incorrect NameId Format offered for SAML2 auth module in console

OPENAM-11863

CORSFilter position in web.xml should come before most filters

OPENAM-11778

Getting accessToken using authorization_code results in Unhandled exception

OPENAM-11338

OpenID Connect id_token bearer auth module mixes up aud, azp during verification

OPENAM-10869

SAML2 Authentication module returns "Unable to link local user to remote user" ambiguously

OPENAM-10843

When generating an OIDC token through STS a "kid" value is not specified

OPENAM-10127

SessionMonitoringStore should only be instantiated when monitoring is enabled

OPENAM-9931

Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

OPENAM-9777

Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

OPENAM-9459

500 Internal Server Error from changePassword endpoint with AD repo

OPENAM-5867

Data Store LDAP server (admin-ordered) list is reordered by OpenAM