Known issues
The following important issues remained open at the time of the latest release for each version.
Releases are cumulative, so if an issue in a previous version isn’t listed as fixed, it remains open in the latest version.
AM 7.2.x
AM 7.2.2
OPENAM-21441 |
Policy evaluation with LDAPFilter condition is done with config store user instead of identity store user |
OPENAM-21683 |
AM lets you create anonymous user when it already exists |
OPENAM-21682 |
OAuth 2.0: AM doesn’t redirect back to the client if consent is denied and no redirect_uri is present in the query parameters |
OPENAM-21074 |
Amazon SNS client code doesn’t support external proxy authentication |
OPENAM-20927 |
User info is still cached after removing privilege from group |
OPENAM-20754 |
SAML pages saml2-write.js and saml2-read.js can cause error due to javascript |
OPENAM-20442 |
Trim whitespace at the end of email input before validation in Attribute Collector node |
AM 7.2.1
OPENAM-20546 |
Ensure AM handles an empty value for the authorization JWT response signing algorithm |
OPENAM-20479 |
OIDC authentication request fails if request is sent as unsecured JWS |
OPENAM-20457 |
DeviceLocationMatchNode fails when location service is disabled in browser and is unable to collect location information |
OPENAM-20396 |
Authentication tree is selected by order of |
OPENAM-20104 |
The |
AM 7.2
OPENAM-19619 |
NodeState keys API does not return all keys using a wildcard (*) |
OPENAM-19613 |
PSearch is already removed error message should be warning |
OPENAM-19567 |
InvalidCount variable does not update after successive failed attempts |
OPENAM-19480 |
500 Internal Server Error on /json/scripts with "not equal" CREST filter |
OPENAM-19476 |
AbstractUpgradeHelper#updateChoiceValues does not handle i18nKey values |
OPENAM-19451 |
When using Chrome WebAuthn simulator and WebAuthn set with attestation DIRECT fails |
OPENAM-19422 |
KeepAlive search filter shouldn’t be Absolute True and False Filters |
OPENAM-19375 |
Searching JavaDoc does not function correctly |
OPENAM-19371 |
Updating an auth tree over REST requires all the nodes to be listed in the payload |
OPENAM-19261 |
Introspect call for tokens obtained via the client credentials grant produces error, warning |
OPENAM-19213 |
AM doesn’t work in Tomcat 10 |
OPENAM-19187 |
Unable to remove Saml2 IDP Attribute Mapper scripts using UI |
OPENAM-19139 |
AM reports authorization errors using fragments on form_post requests |
OPENAM-19118 |
Authentication audit events not logged when ScriptedDecisionNode script contains a syntax error |
OPENAM-19084 |
Response does not comply to Standard when Requesting Claim that are Unavailable |
OPENAM-19081 |
Modules of type OpenID Connect id_token bearer are not correctly handled in UI and in datastore |
OPENAM-19039 |
Amster query command base64-encodes the |
OPENAM-19030 |
AM Logs an Error if Resource Type cannot be found |
OPENAM-19008 |
AuthTreesSecretsApiStep creates a potentially invalid secret mapping |
OPENAM-18961 |
BasicOAuth2RequestImpl throws error at "ERROR" level |
OPENAM-18935 |
Inconsistent behavior in ConfigProviderNode when omitting config properties |
OPENAM-18715 |
Due to an unresolved issue in the updated version of Groovy used by Amster, Amster cannot execute multi-line commands from a script while creating a realm using the
Workaround: Use a single-line command instead. For example, instead of a multi-line command like this:
Create a single-line command like this:
|
OPENAM-18544 |
AM Access Auditing Reports FAILURE on 302 |
OPENAM-18512 |
UMA resource set endpoint doesn’t list all relevant resource sets |
OPENAM-18481 |
OIDC client mandates kid value in JOSE header |
OPENAM-18469 |
Persistent Claims doc string references "RFC 123" |
OPENAM-18394 |
Bazel fails to download Maven dependencies on first compilation |
OPENAM-18375 |
Common password policy validation fails when using Registration Tree |
OPENAM-18351 |
Form parameter is not recognized in access_token endpoint |
OPENAM-18254 |
Attempting to create a user via Registration Tree fails after scaling up ds pods |
OPENAM-18122 |
FBC rule written to remove reference to MAY_ACT default script set null instead of [Empty] |
OPENAM-17957 |
Identify Existing User node fails with exception when more than one user is found |
OPENAM-13329 |
Trees Display Character Encoding in Settings Dropdown Menu |
OPENAM-12492 |
Identities: 500 Error when switch to Services tab on anonymous profile |
AM 7.1.x
AM 7.1.4
OPENAM-21180 |
Amster should set file encoding to UTF-8 internally |
OPENAM-21158 |
Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 |
OPENAM-21155 |
Unable to remove OAuth 2.0 client with name that includes a period ( |
OPENAM-21100 |
SAML v2.0 IDP single logout (SLO) using HTTP redirect needs Request stickiness and HA |
OPENAM-21031 |
Google KMS secret store configured in AM exceeds the rate limit |
OPENAM-20927 |
User info is still cached after removing privilege from group |
OPENAM-20766 |
Insufficient debug logging to troubleshoot WS-Federation issuing party issue |
OPENAM-20761 |
Create EngineConfiguration fails when using POST with |
OPENAM-20754 |
SAML v2.0 pages |
OPENAM-20753 |
With the LDAP authentication node, the |
OPENAM-20745 |
Insufficient debug logging to troubleshoot JWK_URI keys issue |
OPENAM-20742 |
WS-Federation entities can not be managed through the AM UI |
OPENAM-20728 |
Push log is noisy even when the Push Service is not used |
OPENAM-20706 |
Unnecessary config store queries for services that don’t exist |
OPENAM-20705 |
SAML v2.0 circle of trust status has no effect |
OPENAM-20683 |
UI does not handle multi-valued attributes |
OPENAM-20645 |
JWK_URI endpoint is not thread safe |
OPENAM-20582 |
JWT client authentication: |
OPENAM-20581 |
JWT Client authentication fails but the root cause can not be determined from the logs |
OPENAM-20570 |
NullPointerException is thrown when |
OPENAM-20539 |
Access Token to OIDC Id Token exchange fails for |
OPENAM-20505 |
OAuth 2.0 clients / groups list sort function is not working |
OPENAM-20480 |
FBC/Amster config upgrade rules are missing for removed properties |
OPENAM-20441 |
OATH Registration node generates Base32 padded secret |
OPENAM-20405 |
Transient state that is populated in an inner tree is not available in the parent tree |
OPENAM-20379 |
REST STS doesn’t work with |
OPENAM-20333 |
The Enable Cookies Message is inconsistent |
OPENAM-20332 |
When the |
OPENAM-20331 |
Policy scope evaluator does not work well with JWT Bearer Authorization grant |
OPENAM-20308 |
Access token with auth_level changes does not persist after refreshing token |
OPENAM-20271 |
Certificate Validation node fails when optional properties are not configured |
OPENAM-20261 |
Problem with User/CTS affinity failover when the DS disk volume is detached |
OPENAM-20254 |
When Hosted SP Default RelayState is specified, you shouldn’t need an entry in the Relay State URL List |
OPENAM-20242 |
Certification Validation node: Certificate-based authentication requires LDAP |
OPENAM-20239 |
Setting the |
OPENAM-20234 |
Setting the LDAP Connection Heartbeat Interval to zero breaks persistent search |
OPENAM-20231 |
OAuth 2.0 token introspection - stacktrace is withheld |
OPENAM-20216 |
Fixed size LDAP connection pool not properly established |
OPENAM-20202 |
|
OPENAM-20177 |
Insufficient information in warning message to troubleshoot root cause |
OPENAM-20143 |
Unnecessary ERRORs logged when adding pointers in the |
AM 7.1.3
OPENAM-19749 |
Authentication failure when using a specific locale containing a |
OPENAM-19743 |
Message node allows empty value for locale name |
OPENAM-18818 |
Persistent search error message shows wrong DS identifier |
OPENAM-18613 |
Web upgrader fails during second instance upgrade |
OPENAM-18558 |
OIDC Client Group Inheritance not honoured immediately |
OPENAM-17768 |
Enabling allowlisting in trees causes an infinite redirect loop in the registration tree |
OPENAM-17687 |
XUI selects wrong partials if a new partial exists with the same prefix |
OPENAM-17418 |
OpenId account mapping fails because userInfo subject claim has value |
OPENAM-17315 |
Update defaults scripts with the change introduced in COMMONS-628 |
OPENAM-16449 |
Filter fields on the Scripts admin page do not work |
AM 7.0.x
AM 7.0.2
OPENAM-17663 |
Improve the error response code for "Failed to revoke access token" |
OPENAM-17452 |
SAML bearer grant flow using signed assertions fails - signature validation failure |
OPENAM-17394 |
Callback types should be part of the supported API |
OPENAM-17256 |
Text is overlapping buttons in configuration UI in Firefox while adding new server |
OPENAM-16939 |
IDM nodes do not follow proxy settings |
OPENAM-16561 |
OAuth Consent screen does not apply theming |
OPENAM-16554 |
Misplaced bufferingEnabled checkbox in New Syslog configuration |
OPENAM-16539 |
|
OPENAM-16522 |
Device Save Node failed on Platform environment |
OPENAM-16491 |
SAML Update introduces javascript calls that aren’t available in IE8 and below (or IE11 using Enterprise mode) |
OPENAM-16280 |
German login page translation is not complete |
OPENAM-16261 |
Node dev guide - CoreWrapper is not supported API |
OPENAM-16258 |
Resource login fails to work to Authenticate to Module instance |
OPENAM-16229 |
Exceptions logged while upgrading to AM7 |
OPENAM-16202 |
Deleting SAML2 entities in console does not remove them from COT |
OPENAM-16197 |
social authmodule does not send activation email if un-authenticated SMTP server is used |
OPENAM-16105 |
AM Login UI cannot handle self service and SDK authentication callbacks |
OPENAM-16076 |
An auth node config marked @password (type char[]) cannot also be Optional |
OPENAM-16068 |
Annotation based service implementation provides no way to deregister service listeners |
OPENAM-15892 |
ScriptingSchemaStep clears whitelist customisations on upgrade |
OPENAM-15879 |
openam > ui-admin > entire sessions view disappears when querying with asterisk |
OPENAM-15861 |
NullPointerException in CollectionHelper.getServerMapAttrs |
OPENAM-15860 |
IdP Init SAML SSO results in two set-cookie: amlbcookie headers in SP Consumer response |
OPENAM-15812 |
WebAuthn Node for a user with a WebAuthn profile for another site causes authenticator to complain using wrong security key |
OPENAM-15791 |
The /json/groups endpoint is not accessible to the Agents |
OPENAM-15727 |
JWT minted by oauth2/authorize does not have correct acr claim when an upgraded SSO token is used |
OPENAM-15699 |
_fields query parameter for API "Action" end point eg _action=refresh does not work as documented |
OPENAM-15609 |
CorsService API Descriptor text doesn’t match functionality |
OPENAM-15534 |
LDAP connection errors when using DS7 and rest2ldap test |
OPENAM-15351 |
During Upgrade Scripts are not updated |
OPENAM-15253 |
Upgrade fails if external data store for Applications and Policies is used |
OPENAM-15037 |
React-select-multi component - when key pressed to add an entry the previously selected entry remains highlighted |
OPENAM-15027 |
React-select-multi component - when enter is clicked on the 'x' of selected entry to delete, form is submitted |
OPENAM-14897 |
Default values for JWKs URI content cache timeout and miss timeout are not set on upgrade |
OPENAM-14887 |
TimerPool logs error during AM graceful shutdown |
OPENAM-14882 |
OAuth2 does not log scopes while using device code flow |
OPENAM-14838 |
Trusted JWT issuer cache is refreshed inefficiently affecting other lookups |
OPENAM-14837 |
Trusted Issuer lookup does not pick up modified issuer values |
OPENAM-14834 |
JWT bearer grant implementation finds trusted JWT issuers by performing an unindexed search |
OPENAM-14755 |
NullPointerException if auth module callback xml file can not be retrieved by ResourceLookup |
OPENAM-14666 |
XUI - InternalError: "too much recursion" error can appear when Adding/Viewing/Updating realms |
OPENAM-14602 |
The API documentation for some Node API is missing methods/fields in 6.5/7 |
OPENAM-14594 |
Possible thread-safety issue in OIDC pairwise subject identifiers |
OPENAM-14576 |
Configuration LDAP accessed when users endpoint accessed |
OPENAM-14500 |
SAML SP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded |
OPENAM-14499 |
SAML IdP-initiated SSO without existing SSO Session - value of 'goto' parameter not URLencoded |
OPENAM-14494 |
In Firefox the text is cropped inside of the realm’s card on Dashboard |
OPENAM-14404 |
Multiple calls being made to session endpoint by XUI when session cookie lost |
OPENAM-14343 |
AM console - localisation issue for algorithms in global Common Federation Configuration |
OPENAM-14322 |
Servers → Directory Configuration API Can Be Broken With Crafted Payload |
OPENAM-14290 |
Caching issue for 'users' REST endpoint |
OPENAM-14263 |
Bad title for External Data Stores secondary configuration page |
OPENAM-14207 |
NullPointerException AM Console if IDPSSODescriptor is missing attribute 'WantAuthnRequestsSigned' |
OPENAM-13962 |
Errors during shutdown of AM |
OPENAM-13513 |
Call Authentication Tree in a Radius Client |
OPENAM-12207 |
Created OAuth2 client using curl request with defined scopes breaks the AM UI |
OPENAM-11737 |
http.response.headers not populating in audit logs |
OPENAM-11083 |
Delegated Admin cannot create Oauth2 Provider in realm |
OPENAM-10696 |
Login screen does not show mobile users feedback on failure |
OPENAM-10554 |
AM installation fails if BASE_DIR is different from the path in .openamcfg |
OPENAM-10427 |
LDAP connections created by the configurator wizard are never closed |
OPENAM-71 |
SAML2 error handling in HTTP POST and Redirect bindings |