Fixes in AM 6.5.x

OPENAM-19613: PSearch is already removed error message should be warning

OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

OPENAM-19290: In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1

OPENAM-19281: OIDC dynamic client registration cannot handle "\n" in the client_description

OPENAM-19220: WebAuthN/Fido - can not authenticate with recovery codes on Windows

OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

OPENAM-19171: Realm admin unable to call "policies?_action=evaluate"

OPENAM-19123: AM validates duplicate registration tokens

OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

OPENAM-19111: Insufficient debug logging to troubleshoot error "Illegal arguments: One or more required arguments is null or empty" when performing user identity subject update via REST API

OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

OPENAM-19083: Creating a client-based access & refresh token breaks subsequent use of Session Quotas

OPENAM-18990: Non-compliant OAuth2 error response generated

OPENAM-18928: Client credential OAuth2 request results in searches for OAuth2 client against Identity Store

OPENAM-18921: Double slashes in oauth2 claim name handled incorrectly

OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

OPENAM-18679: OATH Registration node doesn’t work when placed inside a 'Page' node

OPENAM-18655: Deleting OAuth2 Client causes unnecessary notification error message in IdRepo

OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

OPENAM-18477: Choice Collector Callback fails to replaceSharedState() using Action.send() method inside Page Node

OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

OPENAM-18372: After upgrade from 5.1.1 to 6.5.4 Mail server secure connection value is displayed incorrectly in XUI

OPENAM-18359: Choice Collector Node not present following upgrade

OPENAM-18306: OAuth2 Authorization Code Grant Fails when including scope parameter at access_token endpoint

OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

OPENAM-18121: Complex authentication trees load slowly

OPENAM-18113: LDAP auth node - change of connection mode does not re-created connection pool

OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18062: SPACSUtils withholds exception and does not log error

OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

OPENAM-18006: Persistent search for identity store does not recover when re-configuring identity store

OPENAM-18005: Insufficient error message to troubleshoot persistent search issue

OPENAM-17962: LDAP Decision Node does not put updated password in transient state

OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

OPENAM-17882: Slow memory leaks when persistent search starts a retry activity when persistent search fails

OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

OPENAM-16490: OWASP ESAPI lib is missing some classes

OPENAM-15682: AM jwks_uri doesn’t reflect changes to secret mappings

OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

OPENAM-14343: AM console - localization issue for algorithms in global Common Federation Configuration

OPENAM-13912: Node implementations are loading the resource bundles incorrectly

OPENAM-13855: CTS creates too many connections to DS

OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

OPENAM-12992: Misleading error message in XUI console for existing DNS alias

OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

OPENAM-18316: Typo in oauth2 template (templates/touch/authorize.ftl)

OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

OPENAM-18212: Check for user/agent profile condition during login can be refined further

OPENAM-18205: Excessive logging occurs when agent profile is not found

OPENAM-18091: Concurrent JATO COT updates can cause COT list inconsistencies

OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18049: Saml2 Module does not handle the pipe delimeter

OPENAM-18043: Device Match module not setting correct AuthLevel

OPENAM-18035: Policy retrieval of response attributes can fail when using LdapDecisionNode against different directory to identity store

OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

OPENAM-18009: AM return HTTP error code 500 when authenticate with authIndexType service without authIndexValue

OPENAM-17954: Accept-Language header locale ignored on OAuth2 Consent page

OPENAM-17916: When no session exists logout page redirects to login

OPENAM-17896: ForgottenPassword Reset on multiple cluster not working when reset link clicked

OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

OPENAM-17826: introspect endpoint returns a static value for "expires_in" when using client based tokens

OPENAM-17815: client specific token lifetimes are not used when casing of client id differs between authentication request and token request

OPENAM-17814: Auth Tree step-up fails if username case does not match

OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

OPENAM-17784: Session timeouts (maximum session time, maximum idle timeout) set incorrectly if username is dynamically created in a tree.

OPENAM-17783: Language tag limited to 5 characters instead of 8

OPENAM-17782: Policy Eval fails with 400 error when user (subject) does not exist

OPENAM-17719: JATO Federation does not log trackingId in the audit log to permit traceability

OPENAM-17712: SAML2 session state not stored in-memory if it can’t be stored locally

OPENAM-17691: lastEmailSent attribute missing when using am-identity-store setup profile

OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

OPENAM-17663: Improve the error response code for "Failed to revoke access token"

OPENAM-17610: OTP Email Sender node does not allow to specify connect timeout and IO/read timeout for underlying transport.

OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

OPENAM-17405: Token introspection response not spec compliant

OPENAM-17397: ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check

OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

OPENAM-17365: Checking agent type with caller token can cause deadlock

OPENAM-17364: prompt login / session upgrade / OIDC ACR looping with trees

OPENAM-17361: API Explorer Swagger Template body needs modification to include configExport, debugLogs and threadDump as per the API Documentation

OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

OPENAM-17320: Revisit prompt=login behaviour change that keeps existing session

OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

OPENAM-17271: Typo for Realm in SAML/Federation debug

OPENAM-17260: Allow arg=newsession usage in authorize calls

OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

OPENAM-17237: Using ODSEE on LDAP module for password reset, displays the wrong error message

OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

OPENAM-17157: Password reset via admin console with Proxied Authorization enabled is not possible

OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise recognised spec defined parameters

OPENAM-17114: Save Consent check box always shown, even when not configured

OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

OPENAM-17089: Forgot password flow not working after initial attempt to reset password fails

OPENAM-17081: OAuth2 client agent group settings are not taken into account

OPENAM-17070: SAML2 SP intiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

OPENAM-17060: Audit Logging "Resolve host name" is still available after * OPENAM-7849

OPENAM-17042: User Self Registration REST API does not generate SSO token

OPENAM-17034: In a realm if User Profile is set to Ignored the realm level Session Service quota settings is also ignored and only the Session Service setting at top level/global is evaluated

OPENAM-17017: REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config

OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

OPENAM-16944: LdapDecisionNodes fails if inetuserstatus does not exist

OPENAM-16936: Tree nodes create new keystore object each time node is called.

OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

OPENAM-16849: WeChat Social Auth module broken (regression)

OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

OPENAM-16847: AM email service failing with 'Start TLS' option

OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

OPENAM-16712: Importing SAML2 Metadata with both IDP and SP with cot ends up with duplicated extended metadata

OPENAM-16642: Server id creation can fail when greater id is greater than 100

OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

OPENAM-16556: Radius Server’s does not log IP address into AM Audit logs

OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

OPENAM-16473: Unable to authenticate after UpdatePassword flow

OPENAM-16472: Proxied Authentication fallback may not work when user entry lack some attributes

OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

OPENAM-16262: Javadocs for IdUtils needs updating

OPENAM-16216: Get Session Data node improvements

OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

OPENAM-15963: Historical retention files ( csv ) were not deleted

OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

OPENAM-15253: Upgrade fails if external data store for Applications and Policies is used

OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

OPENAM-14245: Console error when adding entity to circle of trust

OPENAM-14240: FMSigProvider.verify does not tell if certificates are provided

OPENAM-13586: Removing all SingleSignOnService entries from a hosted IDP entity causes it to vanish from the console (A Bad Federation entry makes other entries not listed)

OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

OPENAM-11706: Policies in a policy set are not visible in Internet Explorer IE

OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

OPENAM-16697: Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

OPENAM-16566: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration with POST authentication

OPENAM-16555: (audit) logging does not tell which policy allowed or denied a resource request

OPENAM-16551: Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token

OPENAM-16537: AM not validating relative redirects on POST

OPENAM-16528: webauthn auth tempalte missing quotation marks aroudn userVerification component

OPENAM-16519: access_token call in OIDC flow cause search against Identity Store when Account Lockout is turned on and set to Store Invalid Attempts in Data Store

OPENAM-16498: 500 returned when OAuth2 token is submitted with incorrect or non-existent KID

OPENAM-16495: typo "Conenct" in Audience help of OpenID Connect id_token bearer authentication module

OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

OPENAM-16425: AM does not handle malformed/incorrect signature correctly

OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

OPENAM-16394: Stress-testing increases am_cts_task_queue_count until a connection timeout

OPENAM-16379: URL fragments like # cause forbidden login in the XUI

OPENAM-16367: OIDC request_uri response causes NPE while debug logging

OPENAM-16352: Policy evaluation performance degraded by 18-20%

OPENAM-16345: Nullpointer exception AgentResourceExceptionMappingHandler when no errorCode

OPENAM-16343: ScriptCondition initializes AMIdentity with user token

OPENAM-16342: Call to AdminTokenAction refreshes token in CTS datastore

OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

OPENAM-16334: Checking AgentType with user token triggers permission check

OPENAM-16295: Watchdog errors on AM when external CTS with DS Entry Expiration and Deletion used

OPENAM-16289: Fedlet fails with NPE when default digest method is missing from FederationConfig.properties

OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

OPENAM-16271: Groovy Sandbox does need explicit whitelist on nested primitive Array type

OPENAM-16268: Fedlet root url provider appends additional slash when context root is not available

OPENAM-16256: StringIndexOutOfBoundsException when SAML Auth Request 's Reference URI has an empty string

OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

OPENAM-16249: AM expects consent_response although agent’s configured for implied consent

OPENAM-16242: Lowercase ID attribute does not work with OAuth2 settings.

OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

OPENAM-16218: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type JWT_BEARER

OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

OPENAM-16203: SAML SSO Admin Create SAML entities does not add attribute mappings

OPENAM-16194: SAML jsp scripts do not compile

OPENAM-16192: Elastic SAML: ForceAuthn fails if user already has a session when using Authentication tree

OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

OPENAM-16177: Unmet lodash dependency warning when building openam-ui-ria module

OPENAM-16165: social authmodule causes NullPointerException

OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

OPENAM-16161: "same site patch" breaks SAML2 integrated mode on Apache Tomcat 7

OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not casesensitive

OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

OPENAM-16151: AM account lockout is checked even when it’s disabled

OPENAM-16137: JWT PAP claims problem with session upgrade

OPENAM-16136: queryFilter only matches against first entry in array

OPENAM-16133: IdRepoCache being bypassed with increased usage of search alias

OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

OPENAM-16121: com.sun.identity.sm.notification.threadpool.size default should be updated to ensure sequential processing of SMS notifications

OPENAM-16118: Deadlock in smIdmThreadPool notifyDescriptorChange

OPENAM-16109: Non amadmin admin user can’t edit Policy Sets / Policies

OPENAM-16096: AMKeyProvider.mapPk2Cert error when using AWS CloudHSM

OPENAM-16049: WPA - Environment Condition TYPE!'s not working when evaluated to false

OPENAM-16036: Identity stores configuration broken after upgrade

OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

OPENAM-15979: WindowsDesktopSSO WSSO Configuration changes on isInitiator does not refresh configuration

OPENAM-15977: _queryFilter is not working with _id field

OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

OPENAM-15929: OAuth2 Server Metadata - code challenge methods supported are not discoverable

OPENAM-15919: AM OAuth metadata doesn’t list revocation endpoint

OPENAM-15918: access_token endpoint returns wrong error if client is incorrect

OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

OPENAM-15900: Kerberos fails when used with IBM JDK

OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

OPENAM-15888: Long lived Device Code Lifetime cause Token’s Expiry Time to be wrong

OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

OPENAM-15864: SP init SSO fails after upgrade

OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

OPENAM-15855: AM requires "jti" claim for private_key_jwt client authentication

OPENAM-15853: External UMA store fails on resource creation

OPENAM-15849: An admin cannot DELETE 2fa devices owned by users

OPENAM-15841: DisableSameSiteCookiesFilter broken on WebLogic

OPENAM-15835: WebAuthn Nodes does not work when Relying Party domain is used.

OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

OPENAM-15784: Form elements in policy environment condition tab are displayed twice

OPENAM-15776: Push Registration fails (QR code invalid) to register

OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some special characters.

OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

OPENAM-15722: SAML2 IdP federation endpoint does not set amlbcookie when using host-based cookies

OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect

OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

OPENAM-15696: The attribute "com.sun.am.ldap.connnection.idle.seconds" with > 0 causes LDAP pool initialization failure when using external CTS / UMA

OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

OPENAM-15687: Session endpoint is searching for a long value in CTS that is stored as a string

OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

OPENAM-15671: LoginContext is missing debug logging for troubleshooting

OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

OPENAM-15663: UserInfoClaims is not part of public API

OPENAM-15662: RefreshToken does not work if Resource owner not in datastore (or using Ignore Profile)

OPENAM-15652: Debug.jsp does not update all existing appenders when trying to override -Dcom.iplanet.services.debug.level at runtime

OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

OPENAM-15643: Need to send additional URL parameter values to agents from authorize end-point

OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

OPENAM-15594: CsrfFilter should only block requests that contain a cookie

OPENAM-15591: When using an OIDC id_token as SSO token composite/txid authenticate event generates 500

OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

OPENAM-15574: Amster Import - updating com.iplanet.am.lbcookie.value to a different value to server ID

OPENAM-15562: SAML2 crosstalk fails when Accept-Language header is missing from the original request

OPENAM-15559: OATH module broken in Japanese locale

OPENAM-15548: WS-Fed - allow wreply to use Valid wreply List

OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

OPENAM-15510: Generic amster error message "No Base Entity dc=config,dc=forgerock,dc=com found" needs to detail the actual ldap error - during install-openam

OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

OPENAM-15490: Policy evaluation and resource type lookups and creation fail and cannot recover from External Policy Store restart

OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

OPENAM-15487: OIDC - JWT Request Parameter returns errors in query, not in the fragment with invalid acr essential claim

OPENAM-15483: IDPSSOUtil.doSSOFederate throws NumberFormatException when subrealm is used with federation

OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

OPENAM-15446: Incorrect error management during SAML SSO

OPENAM-15444: Prepare for Chrome’s move to SameSite=lax by default

OPENAM-15432: Oath User Devices endpoint not accessible for delegated admin

OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

OPENAM-15421: audit logging does not output when a collector node is wrapped in a page node

OPENAM-15382: custom Audit logging node or extending Scripted Node with able to audit

OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

OPENAM-15371: Ssoadm import-svc-cfg fails with unable to recognize the data store type error

OPENAM-15370: Ssoadm import-svc-cfg fails with Unable to obtain Server URL

OPENAM-15363: Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0

OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

OPENAM-15353: OIDC Verification of a signed Jwt using multiple keys (e.g. jwk_uri) is not attempted against all keys

OPENAM-15350: wrong message when saving Trusted JWT Issuer

OPENAM-15349: Access Token request returns a 500 error

OPENAM-15347: Trusted JWT Issuer is highlighted as current menu item when I choose OAuth2

OPENAM-15345: at_hash value generated does not take the latest modified access token

OPENAM-15337: Change Advice Format Value

OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

OPENAM-15309: JWTs are always SignedThenEncrypted when encrypted using JwtEncryptionHandler#encryptJwt

OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

OPENAM-15270: token_endpoint_auth_signing_alg should support any signing algorithms supported by the OP

OPENAM-15257: XUI freezing when /authenticate returns unhandled http result codes

OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

OPENAM-15220: relayState is lost when both a relayState url and intermediate url are used

OPENAM-15216: LDAP Decision Node does not continue through "Fail" flow when Node Fails with exception

OPENAM-15210: Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules

OPENAM-15206: webAuthn returns JavaScript with linebreak characters, and tries to store negative ints in an unsigned array

OPENAM-15198: WS-FED Attribute Mapper returns incorrect map when AM is SP

OPENAM-15193: moduleMessageEnabledInPasswordGrant is providing a different authentication error since AM 6.5.1

OPENAM-15192: WebAuthn doesn’t work on WildFly containers

OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

OPENAM-15147: HTTP 500 upon accessing openam/json/

OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

OPENAM-15129: registering client with token_endpoint_auth_method=none returns secret

OPENAM-15128: webAuthn rpId detection does not account for cross-domain requests

OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

OPENAM-15117: KeyVault KeyStoreType not supported

OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

OPENAM-15105: Unable to get trusted devices using REST API

OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

OPENAM-15073: Missing RelayState query parameter in the AM redirect to fedlet application

OPENAM-15065: HTTP 500 authentication error in CIBA workflow when user deny request

OPENAM-15063: when binding message of CIBA request is too long, notification fail to be sent

OPENAM-15053: when client send wrong auth_req_id in CIBA polling request, there is HTTP 500 server error

OPENAM-15052: when id_token_hint is not JWT, CIBA authorization request returns HTTP 500

OPENAM-15050: WebAuthn client script cannot be parsed in Internet Explorer

OPENAM-15049: wrong JWT while obtaining CIBA auth request id will result in HTTP 500 NPE

OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

OPENAM-15040: CIBA authorization request returns HTTP 500 NPE when file is wrong

OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

OPENAM-15018: Encrypted stateless tokens contains zip header, even though should not be present if none

OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

OPENAM-14973: Monitoring throws StackTrace even if JDMK isn’t being used/needed.

OPENAM-14971: Unable to set up ssoadm when AM is installed to the root context

OPENAM-14951: OAuth2 provider does not validate RCS clients in an external application store

OPENAM-14930: OAuth2 introspect fails with could not find any verification keys for keyId

OPENAM-14907: OAuth2/OIDC - jwk_uri returns keys for algorithms that are not listed/supported at the OAuth2 Provider

OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

OPENAM-14874: It would be nice if the x-forwarded-* option was able to parse the comma-separated string and use the first (outermost) proxy host name.

OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

OPENAM-14842: Misleading "CTS: Operation failed: Result Code: Connect Error" message when CTS store is still up and running

OPENAM-14841: WebAuthnAuthentication node inside a Page Node causes UI to fail rendering the tree

OPENAM-14782: AuthTree created Session does not use per User Session Service settings

OPENAM-14744: Multivalued DN stops persistent search

OPENAM-14700: XUI: AM pages don’t render in Internet Explorer

OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

OPENAM-14534: The request parameter should accept any signing algorithms supported by the OP

OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

OPENAM-14520: CreateMetadataModelImpl determines AM URL incorrectly when AM is deployed to root context

OPENAM-14480: Provide better error handling during WDSSO Keytab file permission check

OPENAM-14391: Self Service Link not displayed when using authentication tree

OPENAM-14313: Audit Logging - STS transformations create duplicate entries

OPENAM-14292: AM-LOGIN-COMPLETED does not log name of chain used for login

OPENAM-14265: Amster Import with --clean doesn’t delete the secrets store and mappings

OPENAM-14229: custom AuthorizeTemplate under theme not used

OPENAM-14188: Unable to Generate JSDoc in UI

OPENAM-14109: Agent-as-OAuth2-Client cannot create id token when agent realm is different

OPENAM-14103: Session REST API does not offer same restricted session functionality as Session Client SDK API

OPENAM-13948: When realm have Session service and user has Session service too viewing User’s service fails

OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

OPENAM-13840: Creating a Session service on a Subject fails when there is a realm Session service already

OPENAM-13831: RP-Initiated Logout does not handle state parameter

OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

OPENAM-13549: Enabling Warning Headers causes multiple Secondary Configurations Tabs to generate 500 errors.

OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

OPENAM-13465: Dynamic client registration sets wrong subjectType

OPENAM-13310: Allow id tokens to be issued when no datastore configured

OPENAM-12759: During authorization code grant flow - max_age should be a number, not a string

OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

OPENAM-12285: Allow Agents to receive notifications for oauth2 access token revocations

OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts all "true"

OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

OPENAM-11912: LDAPv3 data store type does not handle property 'sun-idrepo-ldapv3-config-auth-kba-attr'

OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

OPENAM-11159: OpenAM Amster export/import for Site have import errors

OPENAM-10869: SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.

OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

OPENAM-14675: Error output in Configuration debug log when creating new realm

OPENAM-14669: ssoadm does not install using Java 1.8.192 and above

OPENAM-14660: Error in console and unable to Add/Edit/Delete Security Questions for a user via XUI

OPENAM-14573: amlbcookie is not secure when authenticating with trees

OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

OPENAM-14529: UMA RPT expiry time incorrect in CTS

OPENAM-14516: Attempt to resolve a named secret containing a : character on Windows fails if the filesystem secret store is involved

OPENAM-14509: When a user is marked as inactive, can still perform introspect and tokeninfo endpoint requests

OPENAM-14505: Agent sessions are constrained by Session Quota

OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

OPENAM-14450: userinfo typo in Claims.java

OPENAM-14427: Certificate Module with option "Match Certificate in LDAP" does not work in AM 6.5.0

OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS or SSL

OPENAM-14425: JwkSetSecretStore does not reload the SecretStore when it has expired

OPENAM-14394: Customise the JWK KIDs

OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

OPENAM-14387: Dynamic registration PUT is not implemented

OPENAM-14386: JWK keyuse can be customised

OPENAM-14384: Allow metadata to be returned in authentication tree API responses

OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

OPENAM-14374: Success login URL via trees redirects to profile when already authenticated

OPENAM-14369: Upgrading from OpenAM 13.5.0 to AM 6.0.0.5 with custom PAPs causes NPE failure

OPENAM-14308: LDAP Connection Pool Minimum Size for Identity Store missing from XUI

OPENAM-14307: ConcurrentModificationException when creating resource_set

OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

OPENAM-14270: SocialOpenIdConnectNodeTest does not compile

OPENAM-14255: Help text in OAuth 2.0 client "mTLS Self-Signed Certificate" property needs encoding?

OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

OPENAM-14235: mTLS drop down labels dont match the value (or the spec)

OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

OPENAM-14222: Amster fails exporting Secret Store Mappings in sub-realms

OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

OPENAM-14210: Unable to delete a PageNode that has child nodes

OPENAM-14205: PageNodes property panel only appears for new PageNodes.

OPENAM-14200: Social auth modules do not work when AM is installed into the root context

OPENAM-14189: effectiveRange of Time environment has issue

OPENAM-14183: Cannot change amadmin’s password through XUI

OPENAM-14175: CTS updates on multivalue attributes may throws Duplicate values exception

OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

OPENAM-14172: Amster Export - Persistent cookie Keystore Mapping inconsistency after upgrade to 6.5.0

OPENAM-14169: XUI does not update for a new PollingWaitCallback

OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

OPENAM-14165: ThemeConfiguration is Not Exposed in Final UI Production Build

OPENAM-14147: arg=newsession in XUI does shows just the "Loading…​" page

OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

OPENAM-14092: Custom node can prevent all default nodes appearing in admin view

OPENAM-14082: Authentication Chains will not open using IE11

OPENAM-14080: LDAP Decision Node returns incorrect user attribute to search for in user store

OPENAM-14078: RetryTask can block notification processing for an extended period of time

OPENAM-14068: The new Policy and Application Stores only support a single target connection address

OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

OPENAM-14058: Cannot create Elasticsearch audit handler configuration through admin console UI

OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

OPENAM-14050: LDAP should reestablish connection to the orignal server after it has recovered

OPENAM-14049: Amster export failure

OPENAM-14040: LdifUtils debug logging prints out wrong classname

OPENAM-14032: In Social authentication nodes and Message node is not possible to change value of attribute maps or dictionaries

OPENAM-14009: Authtree does not proceed for missing Authorization Header

OPENAM-14004: AM should support agents deployed to the root context (/), not just /openam

OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

OPENAM-13978: Session Upgrade - AuthLevel format changes

OPENAM-13941: OAuth2 Provider’s ID Token Algs lists PS384 algorithm as PS284

OPENAM-13940: Session quota limits not applied when using trees

OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

OPENAM-13896: Comparison method violates its general contract! seen during amster import

OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

OPENAM-13861: Social Authentication Tree does not complete its flow with ForceAuth parameter

OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

OPENAM-13651: Client registration does not support auth method of "none"

OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

OPENAM-13217: make transient state available to scripted node type

OPENAM-13088: Add option for isInitiator=false to WDSSO configuration

OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

OPENAM-12965: httpClient not exposed to OIDC Claim Script

OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

OPENAM-12937: Soap STS creation fails when OpenIDConnect token config required

OPENAM-12627: Initiating TransactionConditionAdvice with a wrong credential resulting in a non-error response

OPENAM-12620: Add more data to Scripted Node Decision binding

OPENAM-12498: Authorization Grant response returns scope(s) in the URL

OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

OPENAM-11863: CORSFilter position in web.xml should come before most filters

OPENAM-11523: Using the LDAP/AD auth module, the change password on next login, if current password is empty it displays the wrong error message

OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM