PingAccess 7.2.4 (August 2024)
Fixed a security vulnerability with URL-encoded characters
Security PA-15776
Added the pa.uri.canonicalize parameter to the Configuration file reference to fix a security vulnerability. Learn more in an upcoming security advisory.
Opt out of automatic URL encoding
Improved PA-15697
By default, redirect rules and rejection handlers automatically URL encode the admin input redirect URL. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.
You can now opt out of automatic URL encoding by deselecting the Encode URL check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:
Set response headers for OAuth errors
Improved PA-15764
Added the oauth.error.headers and oauth.error.header.Content-Security-Policy parameters to the Configuration file reference.
Fixed issues with query parameter behavior due to automatic URL encoding
Fixed PA-15696
Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing = to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
Fixed PA-15723
Fixed an issue that caused PingAccess to override existing handling for the /pa/oauth/JWKS endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in 401 unauthorized responses or 500 internal server errors.