---
title: Changes in AM 8.1.x
description: The OAuth 2.0 scope validation script now ensures that refresh tokens can only obtain access tokens with identical or narrower scopes.
component: pingam
version: release-notes
page_id: pingam::changes-8.1
canonical_url: https://docs.pingidentity.com/pingam/release-notes/changes-8.1.html
section_ids:
  am_8_1: AM 8.1
  scope_validation_plugin_script: Scope validation plugin script
  saml2-sso-flows: SAML v2.0 SSO flows
  certificate-nodes: Certificate nodes
  idm_configuration_cache_enabled: IDM configuration cache enabled
  guice-servlet-filter: Servlet and filter declarations
  default-kid-values-in-gsm-stores: Default kid values for GSM certificates
  parallel_updates_for_cts_sessions: Parallel updates for CTS sessions
---

# Changes in AM 8.1.x

## AM 8.1

### Scope validation plugin script

The OAuth 2.0 scope validation script now ensures that a refresh token can only obtain access tokens whose scopes are identical to, or a subset of, the scopes originally granted. An access token with a wider scope than the original grant can no longer be obtained by refreshing.

This aligns more closely with the OAuth 2.0 specification ([RFC 6749, section 6](https://www.rfc-editor.org/rfc/rfc6749#section-6), which requires that a refresh request not include any scope that was not originally granted) and with the Java implementation of scope validation.

To re-enable the previous behavior, set the `am.oauth2.grant.validated.scopes.on.refresh` advanced server property to `false`.
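The rule the new default enforces, as an added example. This is plain Node.js written for this page, not AM's scope validation script and not part of the AM scripting API; the function names (`parseScope`, `scopesOnRefresh`, `refreshTokenGrant`) and the sample refresh-token record are illustrative.

```javascript
// Added example (not AM's scope validation script): the scope-narrowing rule
// for refresh_token grants, written as plain Node.js so it runs offline.
// The names below and the sample token record are illustrative and are not
// part of the AM scripting API.

// Parse a space-delimited OAuth 2.0 scope string into a de-duplicated list.
// Returns null when the parameter is absent or empty, which is treated the
// same as an omitted scope parameter.
function parseScope(scopeString) {
  if (scopeString === undefined || scopeString === null) return null;
  const parts = scopeString.trim().split(/\s+/).filter(Boolean);
  return parts.length === 0 ? null : [...new Set(parts)];
}

// Decide which scopes a refreshed access token may carry.
// grantedScopes:   what the resource owner originally approved (stored with the refresh token).
// requestedScopes: the 'scope' parameter of the refresh request, or null when omitted.
function scopesOnRefresh(grantedScopes, requestedScopes) {
  const granted = new Set(grantedScopes);
  // RFC 6749 section 6: an omitted scope means "the scope originally granted".
  if (requestedScopes === null) {
    return { ok: true, scopes: [...granted] };
  }
  // Any requested scope outside the original grant is a widening attempt and
  // is refused outright rather than silently trimmed.
  const invalid = requestedScopes.filter((s) => !granted.has(s));
  if (invalid.length > 0) {
    return { ok: false, error: 'invalid_scope', invalid };
  }
  // Identical or narrower: issue exactly what was asked for.
  return { ok: true, scopes: [...new Set(requestedScopes)] };
}

// Minimal refresh_token grant handler built around the rule above.
// storedToken stands in for the persisted refresh token record.
function refreshTokenGrant(storedToken, params) {
  if (params.grant_type !== 'refresh_token') {
    return { ok: false, error: 'unsupported_grant_type' };
  }
  if (params.client_id !== storedToken.clientId) {
    // A refresh token is bound to the client it was issued to.
    return { ok: false, error: 'invalid_grant' };
  }
  const decision = scopesOnRefresh(storedToken.scope, parseScope(params.scope));
  if (!decision.ok) return decision;
  return {
    ok: true,
    access_token: { client_id: storedToken.clientId, scope: decision.scopes.join(' ') },
  };
}

// Constructed sample data: a refresh token issued to client 'webapp' with three scopes.
const SAMPLE_REFRESH_TOKEN = { clientId: 'webapp', scope: ['openid', 'profile', 'email'] };
```

Calling `refreshTokenGrant(SAMPLE_REFRESH_TOKEN, { grant_type: 'refresh_token', client_id: 'webapp', scope: 'openid email' })` narrows the grant and succeeds; the same call with `scope: 'openid admin'` returns `invalid_scope` because `admin` was never granted, and omitting `scope` reissues all three original scopes.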

### SAML v2.0 SSO flows

In SAML v2.0 single sign-on (SSO) flows, the JSON web token (JWT) created in the browser's session storage no longer expires.

The time allowed to complete the SSO flow is now determined by the configurable [maximum duration](https://docs.pingidentity.com/pingam/8.1/authentication-guide/authn-suspended.html#maximum-duration) of the journey session instead of the JWT expiration.

Previously, the JWT expired when the cache was cleared. By default, the cache is cleared every 10 minutes, but this is configurable using the [Cache cleanup interval (in seconds)](https://docs.pingidentity.com/pingam/8.1/reference/services-configuration.html#global-saml2) setting.

### Certificate nodes

We've made changes to the [Certificate Collector](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-collector.html) and [Certificate Validation](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-validation.html) nodes to collect and validate all certificates in a certificate chain by default.

Note: To validate all certificates in a certificate chain, the intermediate and root certificates from the chain must be added to the truststore. If you send the whole certificate chain in the request and intermediate or root certificates are missing from the truststore, certificate validation will fail.

If required, you can revert to the previous behavior of collecting and validating only the user certificate by setting the `am.nodes.certificatechain.validation.enforced` [advanced server property](https://docs.pingidentity.com/pingam/8.1/setup/server-advanced.html#am.nodes.certificatechain.validation.enforced) to `false`.

### IDM configuration cache enabled

Previously, static IDM configuration wasn't cached by default. The IDM Provisioning service property, [Configuration Cache Duration](https://docs.pingidentity.com/pingam/8.1/reference/services-configuration.html#config-cache-duration), is now set to a short duration of 1 minute by default to improve performance. As a consequence, AM can continue to use cached IDM configuration for up to 1 minute after that configuration changes in IDM.

### Servlet and filter declarations

Servlets and filters are now injected and mapped programmatically using Java-based Guice modules, replacing the static declarations in the deployment descriptor, `WEB-INF/web.xml`.

Learn more in [Configure access to endpoints](https://docs.pingidentity.com/pingam/8.1/am-reference/endpoints-reference.html#web-inf-endpoints).

### Default `kid` values for GSM certificates

For certificates stored in a Google Secret Manager ([GSM secret store](https://docs.pingidentity.com/pingam/8.1/security/secret-stores.html#create-GSM-secret-stores)), the public key published in the JWK\_URI now has a `kid` value that includes the name of the secret. For example:

```json
"kid" : "secrets/secret-name/versions/1"
```

This is a change in behavior. Prior to AM 8.1, the `kid` value contained only the GSM secret *version*, for example:

```json
"kid" : "1"
```

Learn more in [Override default `kid` values](https://docs.pingidentity.com/pingam/8.1/am-oidc1/managing-jwk_uri.html#override-default-kid-values).

### Parallel updates for CTS sessions

From AM 8.1, parallel updates to CTS session tokens are rejected by default. When a thread updates a CTS token, AM asserts that the token in the CTS store is still in the state that thread previously read; if another update has changed it in the meantime, the update fails instead of overwriting the newer state. This prevents parallel replay attacks from circumventing authentication session allowlisting.

To re-enable the previous behavior, set the [am.cts.use.etag.assertion.on.update](https://docs.pingidentity.com/pingam/8.1/setup/server-advanced.html#am.cts.use.etag.assertion.on.update) advanced server property to `false`.
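The mechanism behind this change, as an added example rather than AM's CTS code: an in-memory token store whose `update` applies a write only when the caller presents the etag (revision) it read, the same compare-and-swap idea that the `am.cts.use.etag.assertion.on.update` property controls. `EtagTokenStore`, `raceTwoUpdates`, the `rev-N` etag format and the sample authentication-session state are all constructed for this illustration.

```javascript
// Added example (not AM's CTS implementation): an in-memory token store with
// an ETag assertion on update. Class, method and field names are illustrative,
// the 'rev-N' etag format is made up for the example, and the session state
// below is constructed sample data.

class EtagTokenStore {
  constructor() {
    this.rows = new Map(); // tokenId -> { state, etag }
  }

  create(tokenId, state) {
    // The etag is a revision string that changes on every successful write.
    this.rows.set(tokenId, { state: { ...state }, etag: 'rev-1' });
  }

  // Return a copy of the state together with the etag the caller must present
  // when writing back.
  read(tokenId) {
    const row = this.rows.get(tokenId);
    if (!row) throw new Error(`unknown token ${tokenId}`);
    return { state: { ...row.state }, etag: row.etag };
  }

  // With assertEtag=true the write is applied only if the stored etag still
  // equals expectedEtag, i.e. nobody else wrote since the caller read.
  // With assertEtag=false (the pre-8.1 behavior) the last writer wins.
  update(tokenId, newState, expectedEtag, { assertEtag = true } = {}) {
    const row = this.rows.get(tokenId);
    if (!row) throw new Error(`unknown token ${tokenId}`);
    if (assertEtag && row.etag !== expectedEtag) {
      return { applied: false, reason: 'etag_mismatch', currentEtag: row.etag };
    }
    const nextEtag = `rev-${Number(row.etag.slice(4)) + 1}`;
    this.rows.set(tokenId, { state: { ...newState }, etag: nextEtag });
    return { applied: true, etag: nextEtag };
  }
}

// Two requests carrying the same authentication session both read the token
// before either writes, then both try to mark the same journey step done.
// The second request models a replay of the first.
// Returns which writes were applied and the etag left in the store.
function raceTwoUpdates(assertEtag) {
  const store = new EtagTokenStore();
  store.create('authsession-1', { step: 'password', completed: [] });

  const reqA = store.read('authsession-1');
  const reqB = store.read('authsession-1'); // replayed request, same snapshot
  const advance = (snap) => ({ step: 'otp', completed: [...snap.state.completed, 'password'] });

  const resultA = store.update('authsession-1', advance(reqA), reqA.etag, { assertEtag });
  const resultB = store.update('authsession-1', advance(reqB), reqB.etag, { assertEtag });
  return {
    firstApplied: resultA.applied,
    secondApplied: resultB.applied,
    finalEtag: store.read('authsession-1').etag,
  };
}
```

`raceTwoUpdates(true)` applies the first write and rejects the replayed second one with `etag_mismatch`, leaving the store at `rev-2`; `raceTwoUpdates(false)` lets both writes through, which is the last-writer-wins behavior you get back by setting the property to `false`.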
