PingAM release notes

Changes in AM 8.1.x

AM 8.1

Scope validation plugin script

The OAuth 2.0 scope validation script now ensures that refresh tokens can only obtain access tokens with identical or narrower scopes.

This aligns more closely with the OAuth 2.0 specification and the Java implementation.

To re-enable the previous behavior, set the am.oauth2.grant.validated.scopes.on.refresh advanced server property to false.
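The following is an added illustration of the refresh-grant scope rule, not PingAM's own scope validation script: it doesn't use the AM scripting bindings, and the function names and the sample granted scopes are assumptions. It rejects a widening request with the invalid_scope error that RFC 6749 defines for scope that exceeds what the resource owner granted.

```javascript
// Added example, not PingAM code. Stand-alone model of the refresh_token
// grant scope rule (RFC 6749 section 6): the requested scope must not include
// any scope that was not originally granted, and an omitted scope parameter
// means "the same scope as originally granted".

function parseScope(scopeParam) {
  // The scope parameter is a space-delimited list; undefined or blank means omitted.
  if (!scopeParam || !scopeParam.trim()) {
    return null;
  }
  return new Set(scopeParam.trim().split(/\s+/));
}

// grantedScopes: scopes bound to the refresh token when it was issued.
// requestedScopeParam: raw "scope" parameter of the refresh request, or undefined.
// Returns { ok: true, scopes: [...] } on success, or
// { ok: false, error: "invalid_scope", description } when widening is attempted.
function validateRefreshScopes(grantedScopes, requestedScopeParam) {
  const granted = new Set(grantedScopes);
  const requested = parseScope(requestedScopeParam);

  if (requested === null) {
    // Omitted scope: reissue the access token with the identical scope set.
    return { ok: true, scopes: [...granted].sort() };
  }

  const widened = [...requested].filter((s) => !granted.has(s));
  if (widened.length > 0) {
    // Refuse rather than silently trimming: the client asked for more than
    // the resource owner approved, which is exactly what the new default closes.
    return {
      ok: false,
      error: "invalid_scope",
      description: `scope(s) not granted to this refresh token: ${widened.join(" ")}`,
    };
  }

  // Identical or narrower: the access token carries exactly what was requested.
  return { ok: true, scopes: [...requested].sort() };
}

// Constructed sample: a refresh token that was issued for "openid profile".
const GRANTED = ["openid", "profile"];

console.log(validateRefreshScopes(GRANTED, undefined));             // identical
console.log(validateRefreshScopes(GRANTED, "profile"));             // narrower
console.log(validateRefreshScopes(GRANTED, "openid profile email")); // rejected
```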

SAML v2.0 SSO flows

In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser’s session storage no longer expires.

The time allowed to complete the SSO flow is now determined by the configurable maximum duration of the journey session instead of the JWT expiration.

Previously, the JWT expired when the cache was cleared. By default, the cache is cleared every 10 minutes, but this is configurable using the Cache cleanup interval (in seconds) setting.

Certificate nodes

We’ve made changes to the Certificate Collector and Certificate Validation nodes to collect and validate all certificates in a certificate chain by default.

In order to validate all certificates in a certificate chain, the intermediate and root certificates from the chain must be added to the truststore.

If you send the whole certificate chain in the request, and intermediate or root certificates are missing from the truststore, certificate validation will fail.

If required, you can revert to the previous behavior of collecting and validating only the user certificate by setting the am.nodes.certificatechain.validation.enforced advanced server property to false.

IDM configuration cache enabled

Previously, static IDM configuration wasn’t cached by default. The IDM Provisioning service property, Configuration Cache Duration, is now set to a short duration of 1 minute by default to improve performance.

Servlet and filter declarations

Servlets and filters are now injected and mapped programmatically using Java-based Guice modules, replacing the static declarations in the deployment descriptor, WEB-INF/web.xml.

Default kid values for GSM certificates

For certificates stored in a Google Secret Manager (GSM) secret store, the public key published at the JWK_URI now has a kid value that includes the name of the secret. For example:

"kid" : "secrets/secret-name/versions/1"

This is a change in behavior. Prior to AM 8.1, the kid value contained only the GSM secret version, for example:

"kid" : "1"

Parallel updates for CTS sessions

From AM 8.1, parallel updates can’t be made to CTS sessions by default. Before applying an update, AM checks whether the current state of the CTS token in the CTS store differs from the state previously read by the thread making the update, and rejects the update if it does. This prevents parallel replay attacks from circumventing authentication session allowlisting.

To re-enable the previous behavior, set the am.cts.use.etag.assertion.on.update advanced server property to false.