---
title: Fixes in AM 7.1.x
description: This page lists the cumulative fixes in AM 7.1.x releases:
component: pingam
version: release-notes
page_id: pingam::fixes-7.1
canonical_url: https://docs.pingidentity.com/pingam/release-notes/fixes-7.1.html
section_ids:
  am_7_1_4: AM 7.1.4
  am_7_1_3: AM 7.1.3
  am_7_1_2: AM 7.1.2
  am_7_1_1: AM 7.1.1
  am_7_1_0: AM 7.1.0
  am_7_0_x: AM 7.0.x
---

# Fixes in AM 7.1.x

This page lists the cumulative fixes in AM 7.1.x releases:

## AM 7.1.4

|              |                                                                                                                                        |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| OPENAM-21004 | AM will always look for valid session when scope=openid                                                                                |
| OPENAM-21002 | CTS task queue full and `SeriesTaskExecutorThread` can get stuck waiting                                                               |
| OPENAM-20897 | Issue with logging unsupported callbacks                                                                                               |
| OPENAM-20691 | Destroy oldest session may fail to work                                                                                                |
| OPENAM-20396 | Authentication trees are selected in order of ACR - tree mapping (not in the default order) and order is not preserved                 |
| OPENAM-20318 | Accessing AM End user login page for PlatformLogin journey in platform environment shows non-rendered HTML                             |
| OPENAM-20260 | Unable to log into AM when external application store is down                                                                          |
| OPENAM-20230 | Class whitelisting fails with permission denied after an extended period                                                               |
| OPENAM-20181 | AD account notification fails                                                                                                          |
| OPENAM-20085 | STS token generation does not work with clustered docker pods                                                                          |
| OPENAM-20082 | Locked out users are shown a misleading error message                                                                                  |
| OPENAM-19954 | SAML hosted entity uses algorithm set in common federation configuration instead of algorithm set in hosted entity configuration       |
| OPENAM-19362 | AM to DS certificate log message logged at warning instead of error or critical                                                        |
| OPENAM-18818 | Persistent search error message shows wrong DS identifier                                                                              |
| OPENAM-18629 | RestSTS should validate sessions with a local call and use asynchronous HTTP calls for remote calls                                    |
| OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates                                                                 |
| OPENAM-17591 | Session quota action `destroy next expiring token` can fail when two new sessions attempt to read and update the same expiring session |
| OPENAM-17215 | Policy debug log fills up at very high pace if the config store is not found                                                           |
| OPENAM-13766 | No configuration found for login with `SessionConditionAdvice=deny`                                                                    |

## AM 7.1.3

|              |     |
| ------------ | --- |
| OPENAM-19884 | AM returns 500 when `;` used in access token header |
| OPENAM-19865 | Memory Leak due to samlResponseDataHash not being cleaned up |
| OPENAM-19649 | ID token not linked to session when authorising with sso token |
| OPENAM-19613 | PSearch is already removed error message should be warning |
| OPENAM-19537 | UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong |
| OPENAM-19530 | Upgrade fails when Organization schema defaults are missing for service 'sunFAMSAML2Configuration' |
| OPENAM-19515 | Unable to update session service with read only identity store |
| OPENAM-19512 | Faulty Legacy OAuth 2.0 frrest/oauth2 endpoints |
| OPENAM-19506 | Installer fails after pressing "cancel" button at amadmin password page |
| OPENAM-19455 | Adding Authentication Context without Level value results in uneditable entity |
| OPENAM-19427 | Display security questions in the correct default language |
| OPENAM-19384 | Suspended Authentication Resume URI is resolved with a missing '/' |
| OPENAM-19381 | Timer Stop Node's stop recording does not capture the reference start time of the Timer Start Node |
| OPENAM-19297 | OIDC MayAct claims script fails to access clientProperties and causes Java security exception |
| OPENAM-19290 | In a cluster, changing AM debug level on local (AM2) to remote (AM1) does not have effect until restart of AM1 |
| OPENAM-19281 | OIDC dynamic client registration cannot handle "\n" in the client\_description |
| OPENAM-19220 | WebAuthN/Fido - can not authenticate with recovery codes on Windows |
| OPENAM-19208 | Webhook with an empty url field throws NPE during a webhook session upgrade |
| OPENAM-19190 | LDAPAuthUtils for BASE\_OBJECT does not work with special userId characters |
| OPENAM-19162 | REST API definition inaccurate for endpoint '/realm-config/saml' |
| OPENAM-19123 | AM validates duplicate registration tokens |
| OPENAM-19122 | AM's jwks\_uri endpoint should preserve order of keys within the set |
| OPENAM-19119 | GetAuthenticatorApp Node needs better localization support |
| OPENAM-19112 | AM with embedded DJ always runs DJ backup and upgrade |
| OPENAM-19111 | Insufficient debug logging to troubleshoot error "Illegal arguments \| One or more required arguments is null or empty" when performing user identity subject update via REST API |
| OPENAM-19109 | Insufficient debug logging to troubleshoot CORS service |
| OPENAM-19108 | "Agent" auth tree creates tokens with insufficient permissions |
| OPENAM-19086 | `rest-sts` endpoint is not included when CORS is enabled |
| OPENAM-19083 | Creating a client-based access & refresh token breaks subsequent use of Session Quotas |
| OPENAM-19016 | Logback.jsp should show the actual setting of the loggers instead of defaults |
| OPENAM-19011 | QR code message used in MFA Authentication node should be customizable / localizable |
| OPENAM-18990 | Non-compliant OAuth2 error response generated |
| OPENAM-18952 | KBA questions are not falling back to the default language when French is present |
| OPENAM-18891 | JWT Profile Oauth2 Grant returns 'invalid\_grant' |
| OPENAM-18835 | JCEEncryption throws ArrayIndexOutOfBoundException when decrypting empty bytes |
| OPENAM-18834 | AM fails to start when upgrading after using am-upgrader |
| OPENAM-18655 | Deleting OAuth2 Client causes unnecessary notification error message in IdRepo |
| OPENAM-18478 | XUI shows incorrect subjectType following upgrade from AM < 6.5.3 |
| OPENAM-18457 | OIDC authentication nodes do not work in sub-realm when response\_mode=form\_post is requested from OP |
| OPENAM-18432 | Remove the internal idm-delegation grant type from the well known info |
| OPENAM-18384 | Email Suspend Node clears the secure state |
| OPENAM-18268 | `webauthnDeviceProfiles` is not multi-valued for AD |
| OPENAM-18252 | Allow nodes to update the universal ID for use cases like impersonation and peer authentication |
| OPENAM-18196 | More meaningful error message when Client Secret is not URL-encoded |
| OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level in logs |
| OPENAM-18149 | Wrong log file is used for SAML2 extensions log message |
| OPENAM-18132 | Failed to get the distinct `userIdAttributes` for configured identity stores in realm |
| OPENAM-18113 | LDAP authentication node \| change of connection mode does not recreate the connection pool |
| OPENAM-18112 | Misleading error message when LDAP auth node connects to a TLS-enabled server |
| OPENAM-18062 | `SPACSUtils` withholds exception and does not log error |
| OPENAM-17973 | Retrieving auth code in a realm fails if session for another realm exists |
| OPENAM-17882 | Slow memory leaks when persistent search starts a retry activity when persistent search fails |
| OPENAM-17835 | Do not display "Unable to retrieve instance of the ValidationServiceConfig" after idpinitiated sso |
| OPENAM-17688 | `InMemoryCtsSessionCacheStep#cacheTrusted` field should be marked volatile |
| OPENAM-17351 | AM File based config setup cannot be used with AM recording to dump the config |
| OPENAM-17308 | Custom IdRepo uninstall `realm-config/services/id-repositories?_action=nextdescendents` fails |
| OPENAM-17201 | XMLEncryption does not comply with standard when 'rsa-oaep-mgf1p' is being used |
| OPENAM-16953 | Custom idrepo sample using `IdRepoConfig` does not work |
| OPENAM-16878 | Scripted Decision Node secrets binding object does not have public API |
| OPENAM-16490 | OWASP ESAPI lib is missing some classes |
| OPENAM-16241 | Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset |
| OPENAM-15997 | Enhance CookieHelper to perform better cookie detection |
| OPENAM-15472 | HOTP - text for performed attempts is hard-coded and not localisable |
| OPENAM-15408 | `oauth2/connect/jwk_uri` does not expose keys of the remote consent agent profile |
| OPENAM-14343 | AM console - localisation issue for algorithms in global Common Federation Configuration |
| OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny |
| OPENAM-12992 | Misleading error message in XUI console when existing DNS alias is provided |
| OPENAM-12101 | Connection pool not restarted if LDAP authentication module admin bind password is incorrect |
| OPENAM-11319 | Add localized "description" for JSON response content to OAuth2UserApplications#getResourceResponse |

## AM 7.1.2

|              |                                                                                                                                         |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
| OPENAM-18928 | Client credential OAuth2 request results in searches for OAuth2 client against Identity Store                                           |
| OPENAM-18921 | Double slashes in oauth2 claim name handled incorrectly                                                                                 |
| OPENAM-18883 | Inconsistent error response from Client authentication using private\_key\_jwt                                                          |
| OPENAM-18864 | Upgrade Radius Server Client Secrets fails due to service config cache cleared                                                          |
| OPENAM-18836 | No TransactionId on "debug.out" for the AM recording.                                                                                   |
| OPENAM-18833 | Client authentication using private\_key\_jwt will cause 500 if claims value is null                                                    |
| OPENAM-18780 | JwksOAuth2AgentEventListener class not setting the correct default cache miss time value                                                |
| OPENAM-18756 | Entering correct otp after entering wrong otp fails authentication                                                                      |
| OPENAM-18753 | Upgrading AM Radius server with clients causes Radius auth failures                                                                     |
| OPENAM-18711 | AES Encryption/Decryption fails when running in Java 17                                                                                 |
| OPENAM-18705 | Problem with Page Node using node relying on secureState                                                                                |
| OPENAM-18684 | redirect to /authorize endpoint fails for 2nd OIDC App for Federated Users w/ multi OIDC Clients                                        |
| OPENAM-18679 | OATH Registration node doesn't work when placed inside a 'Page' node                                                                    |
| OPENAM-18663 | AM should check new realm with rest end-point names by ignoring case                                                                    |
| OPENAM-18661 | Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted                                                      |
| OPENAM-18646 | Upgrade for AM 7.1.0 to 7.2+ may fail, because of upgrading existing java agent profile                                                 |
| OPENAM-18644 | IdRepo cache can not be disabled anymore                                                                                                |
| OPENAM-18640 | REST-STS is using the old path to reach /users endpoint                                                                                 |
| OPENAM-18623 | issue with jwk\_uri endpoint called in parallel                                                                                         |
| OPENAM-18610 | RealmOAuth2ProviderSettings for getJwks is broken in that it permits empty set.                                                         |
| OPENAM-18605 | Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication                |
| OPENAM-18586 | Lack of debugging message when AM is not able to read the encrypted\_base64 folder after upgrade                                        |
| OPENAM-18547 | Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL                                                      |
| OPENAM-18536 | Java agent property org.forgerock.agents.session.change.notifications.enabled should be presented in XUI                                |
| OPENAM-18511 | Missing navigation options when an expired link from "Email Suspend" node is used                                                       |
| OPENAM-18443 | Transactional authentication is disabled on new installs                                                                                |
| OPENAM-18434 | Authorization Code flow redirects to malformed uri if redirect\_uri contains underscore                                                 |
| OPENAM-18297 | Outbound calls to Jwks\_URI endpoint does not support proxy settings                                                                    |
| OPENAM-18256 | JWK Cache timeout is not set for OAuth 2.0 clients created dynamically                                                                  |
| OPENAM-18175 | SMSUtils#addAttributesToMap inconsistency with array ordering                                                                           |
| OPENAM-18141 | AM no longer uses global SAML configuration                                                                                             |
| OPENAM-18130 | "Agent Configuration Change Notification" use the same help text in the XUI for Java and Web agents, but the property name is different |
| OPENAM-18120 | Audit logging service does not correctly reflect the "prompt" URL parameter                                                             |
| OPENAM-18090 | Creation of UMA Policy to share a resource fails when identities have custom attributes                                                 |
| OPENAM-18030 | Message node shows inconsistent behaviour regarding the default locale                                                                  |
| OPENAM-18005 | Insufficient error message to troubleshoot persistent search issue                                                                      |
| OPENAM-17949 | Account lockout applied to tree even when ignore profile selected                                                                       |
| OPENAM-17904 | Json Audit Log Location not working when modifying location to only include %SERVER\_URI% variable                                      |
| OPENAM-17833 | Internal accepted Audience AUD formed from DNS Alias could be wrong when BaseURL does not have port                                     |
| OPENAM-17830 | Error messages are logged when the Push Notification Service is absent                                                                  |
| OPENAM-17829 | External UMA Resource Set using SSL but not StartTLS fails                                                                              |
| OPENAM-17593 | Deadlock when admin token is invalid and when config data is getting cleared                                                            |
| OPENAM-17271 | Typo for Realm in SAML/Federation debug                                                                                                 |
| OPENAM-17102 | OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication                             |

## AM 7.1.1

|              |                                                                                                                                                           |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| OPENAM-18604 | Formatting issues in Upgrade Report                                                                                                                       |
| OPENAM-18573 | URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"                                                                          |
| OPENAM-18566 | Missing 'org.forgerock.security.oauth2.enforce.sub.claim.uniqueness' after upgrade from 7.1.0                                                             |
| OPENAM-18559 | Upgrade from 6.5.3 to 7.1.0 fails with UpgradeException - "com.sun.identity.sm.InvalidAttributeValueException: Saved Consent Attribute Name is required." |
| OPENAM-18532 | Web Agent property org.forgerock.agents.pdp.javascript.repost has incorrect description in XUI                                                            |
| OPENAM-18523 | NullPointerException when AgentsRepo with from group is changed                                                                                           |
| OPENAM-18459 | IdTokenInfo endpoint behaviours change from 6.x and fails when using client\_id in POST                                                                   |
| OPENAM-18422 | Email Template node creates threads without terminating them                                                                                              |
| OPENAM-18421 | In Platform environment, using an Email Template node creates a new thread that does not terminate                                                        |
| OPENAM-18389 | HttpClientHandler Guice injection in tree is typically broken with thread pool growth                                                                     |
| OPENAM-18377 | Authorization fails using auth module if user has authenticated with alias name                                                                           |
| OPENAM-18366 | Upgrade Report contains unformatted line feeds "%LF%"                                                                                                     |
| OPENAM-18359 | Choice Collector Node appears to not be present following upgrade                                                                                         |
| OPENAM-18321 | CertificateCollectorNode fails when checking cert in LDAP Directory Server                                                                                |
| OPENAM-18319 | Realm is added more than once when session upgrade happens more than once with modules.                                                                   |
| OPENAM-18316 | Typo in oauth2 template (templates/touch/authorize.ftl)                                                                                                   |
| OPENAM-18306 | OAuth2 Authorization Code Grant Fails when including scope parameter at access\_token endpoint                                                            |
| OPENAM-18258 | Failed to load configuration for OAuth2Provider observed after upgrade                                                                                    |
| OPENAM-18241 | Permit OAuth2 Modification Script to return scopes as space delimiter string                                                                              |
| OPENAM-18235 | IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session                                                     |
| OPENAM-18227 | Upgrade from 6.0.x / 6.5.x can fail at Unsupported node type PersistentCookieDecisionNode                                                                 |
| OPENAM-18212 | Check for user/agent profile condition during login can be refined further                                                                                |
| OPENAM-18207 | Global Service cache is not updated by changes from other servers in a site                                                                               |
| OPENAM-18205 | Excessive logging occurs when agent profile is not found                                                                                                  |
| OPENAM-18180 | No TransactionId present for AuthTreeExecutor                                                                                                             |
| OPENAM-18171 | Back-Channel logout keeps adding to trackingIds audit for every logout                                                                                    |
| OPENAM-18167 | OIDC requests with request parameter fail with 500 error when there is no session using POST                                                              |
| OPENAM-18154 | Wrong AMR returned with prompt=login and force authn setting enabled                                                                                      |
| OPENAM-18153 | OpenIdConnect node call to well-known endpoint does not support proxy settings                                                                            |
| OPENAM-18140 | AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops                                                                     |
| OPENAM-18121 | Slow loading in Authentication Tree                                                                                                                       |
| OPENAM-18119 | Audit log no longer shows the userID of session being invalidated by amadmin                                                                              |
| OPENAM-18090 | Creation of UMA Policy to share a resource fails when identities have custom attributes                                                                   |
| OPENAM-18085 | SocialProviderHandlerNode does not work in an upgraded AM                                                                                                 |
| OPENAM-18068 | Upgrade from AM 6.5.3 to 7.1.0 does not work if a Java Agent profile exists                                                                               |
| OPENAM-18065 | Logback.jsp cannot be used to set log levels for loggers in custom code                                                                                   |
| OPENAM-18057 | Identities page displays Internal Server Error when a user does not have search attribute defined                                                         |
| OPENAM-18043 | Device Match module not setting correct AuthLevel                                                                                                         |
| OPENAM-18017 | Creation of UMA Policy to share a resource fails when identities have custom object classes                                                               |
| OPENAM-18009 | AM returns HTTP error code 500 when authenticating with authIndexType service without authIndexValue                                                      |
| OPENAM-18006 | Persistent search for identity store does not recover                                                                                                     |
| OPENAM-18003 | WS-Federation Active Requestor Profile does not work with Authentication Trees                                                                            |
| OPENAM-17993 | The org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation                                           |
| OPENAM-17979 | Backchannel authentication - auth\_req\_id can be used to obtain multiple access tokens                                                                   |
| OPENAM-17962 | LDAP Decision Node does not put updated password in transient state                                                                                       |
| OPENAM-17954 | Accept-Language header locale ignored on OAuth2 Consent page                                                                                              |
| OPENAM-17935 | Missing 'return' statement in the happy flow of the kerberos node                                                                                         |
| OPENAM-17923 | Retry Limit Decision Should Not Have User Involvement when Save Retry Limit to User is Disabled                                                           |
| OPENAM-17916 | When no session exists logout page redirects to login                                                                                                     |
| OPENAM-17912 | Account lockout count is not reset correctly                                                                                                              |
| OPENAM-17896 | ForgottenPassword Reset on multiple cluster not working when reset link clicked                                                                           |
| OPENAM-17870 | ScriptedDecisionNodes schema config not upgraded and sharedState does work after upgrade.                                                                 |
| OPENAM-17863 | Authorization code is not issued when nonce is not supplied when using OpenID Hybrid profile                                                              |
| OPENAM-17828 | Apostrophe in username breaks Push/OATH device registration                                                                                               |
| OPENAM-17826 | Introspect endpoint returns a static value for "expires\_in" when using client based tokens                                                               |
| OPENAM-17814 | Auth Tree step-up fails if username case does not match                                                                                                   |
| OPENAM-17801 | OIDC userinfo subname claim returns incorrect value                                                                                                       |
| OPENAM-17793 | OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname                                                           |
| OPENAM-17782 | Policy evaluation fails with 400 error when user does not exist                                                                                           |
| OPENAM-17774 | Missing exp claim throws NullPointerException on CIBA bc-authorize endpoint                                                                               |
| OPENAM-17773 | The acr\_values parameter is mandatory on CIBA bc-authorize endpoint                                                                                      |
| OPENAM-17760 | PEM support incorrectly decodes some EC private keys                                                                                                      |
| OPENAM-17738 | Java Agent "Client IP Validation Mode" property does not work when key is empty from XUI                                                                  |
| OPENAM-17718 | OAuth2 Introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset                              |
| OPENAM-17678 | Radius server fails to initialize on startup due to Config cache refreshed                                                                                |
| OPENAM-17677 | The oauth2/device/code endpoint does not support locale parameter                                                                                         |
| OPENAM-17663 | Improve the error response code for "Failed to revoke access token"                                                                                       |
| OPENAM-17630 | JMS Audit logging broken and cannot start up                                                                                                              |
| OPENAM-17610 | OTP Email Sender node does not allow to specify connect timeout and IO/read timeout for underlying transport.                                             |
| OPENAM-17590 | OIDC login hint cookie broken since 7.0                                                                                                                   |
| OPENAM-17587 | OIDC bearer token authentication module requires context value setting for client secret                                                                  |
| OPENAM-17493 | OAuth2 node does not support external proxy authentication (user/pass)                                                                                    |
| OPENAM-17405 | Token introspection response not spec compliant                                                                                                           |
| OPENAM-17320 | Revisit prompt=login behaviour change that keeps existing session                                                                                         |
| OPENAM-17265 | Wrong authorized\_keys file updated                                                                                                                       |
| OPENAM-17262 | Subname claim inconsistencies                                                                                                                             |
| OPENAM-16988 | The accessedEndpoint including port causes verify Assertion Consumer URL to fail                                                                          |
| OPENAM-16881 | SAML federation library stopped supporting ACS URLs with query parameters                                                                                 |
| OPENAM-16653 | Identity using fr-idm-uuid has wrong account ID in FR Authenticator                                                                                       |
| OPENAM-16642 | Server id creation can fail when id is greater than 100                                                                                                   |
| OPENAM-16554 | Misplaced bufferingEnabled checkbox in New Syslog configuration                                                                                           |
| OPENAM-16491 | SAML Update introduces javascript calls that aren't available in IE8 and below (or IE11 using Enterprise mode)                                            |
| OPENAM-16418 | Client auth using private\_key\_jwt fails with 500 if claim format is wrong                                                                               |
| OPENAM-16216 | Get Session Data node improvements                                                                                                                        |
| OPENAM-15861 | NullPointerException in CollectionHelper.getServerMapAttrs                                                                                                |
| OPENAM-15740 | Document \_fields is case sensitive                                                                                                                       |
| OPENAM-15278 | "Access Denied" error when accessing logout link and not currently signed in                                                                              |
| OPENAM-13855 | CTS creates too many connections to DS                                                                                                                    |
| OPENAM-13312 | Stateless non-expiring refresh tokens fail with "invalid\_grant"                                                                                          |
| OPENAM-11636 | IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity                                                     |

## AM 7.1.0

|              |                                                                                                                                                                                      |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| OPENAM-17396 | Terms of Service URI Link does not Display in Consent Page                                                                                                                           |
| OPENAM-17395 | SocialOpenIdConnectNode fails to recover from client's connection reset                                                                                                              |
| OPENAM-17365 | Checking agent type with caller token can cause deadlock                                                                                                                             |
| OPENAM-17364 | Prompt login / session upgrade / OIDC ACR looping with trees                                                                                                                         |
| OPENAM-17361 | API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation                                                     |
| OPENAM-17357 | Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope                                                                    |
| OPENAM-17353 | HTML pages are not picked up when placing in a theme folder                                                                                                                          |
| OPENAM-17349 | OIDC Refresh token - Ops token is deleted from the CTS during refresh                                                                                                                |
| OPENAM-17343 | Access token call returns 500 error if password needs to be changed or has expired                                                                                                   |
| OPENAM-17322 | SAML2 bearer grant returns NoUserExistsException                                                                                                                                     |
| OPENAM-17317 | A realm without any modules can cause increased thread count and slow response.                                                                                                      |
| OPENAM-17276 | AM recorder does not record anymore                                                                                                                                                  |
| OPENAM-17271 | Typo for Realm in SAML/Federation debug                                                                                                                                              |
| OPENAM-17260 | Allow `arg=newsession` usage in authorize calls                                                                                                                                      |
| OPENAM-17242 | OAuth2 Policy - Environment Condition AuthLevel >= doesn't work for ROPC grant                                                                                                       |
| OPENAM-17220 | OAuthLogout.jsp compilation error isGotoUrlValid method signature not found                                                                                                          |
| OPENAM-17199 | Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'                                                                                                                    |
| OPENAM-17156 | Adaptive Risk checkGeoLocation null countryCode can cause module fail.                                                                                                               |
| OPENAM-17136 | OAuth2 Dynamic Client Registration does not recognise recognised spec defined parameters                                                                                             |
| OPENAM-17121 | Inefficient synchronized block in OAuth2ProviderSettingsFactory                                                                                                                      |
| OPENAM-17114 | Save Consent check box always shown, even when not configured                                                                                                                        |
| OPENAM-17097 | Inconsistent scope policy evaluation between authorize and ROPC                                                                                                                      |
| OPENAM-17089 | Forgot password functionality broken                                                                                                                                                 |
| OPENAM-17070 | SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication                                                                          |
| OPENAM-17060 | Audit Logging "Resolve host name" is still available after OPENAM-7849                                                                                                               |
| OPENAM-17037 | AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE                                                                                                                                         |
| OPENAM-17034 | In a realm if User Profile is set to Ignored the realm level Session Service quota settings are also ignored and only the Session Service setting at top level/global is evaluated   |
| OPENAM-17017 | REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config                                                                                        |
| OPENAM-17006 | Hosted SAML entity - can not remove bindings                                                                                                                                         |
| OPENAM-16998 | Poor logging around failures "Invalid Assertion Consumer Location specified"                                                                                                         |
| OPENAM-16997 | Device code grant implied consent fails if access\_token request performed before user authenticates                                                                                 |
| OPENAM-16988 | Accessed endpoint including port causes verify Assertion Consumer URL to fail                                                                                                        |
| OPENAM-16955 | When setCookieToAllDomains=false is used, a non matching request from other domain will fail                                                                                         |
| OPENAM-16947 | Kerberos Node in 7.0 fails to return goTo(false)                                                                                                                                     |
| OPENAM-16944 | LDAP Decision node fails if inetuserstatus does not exist                                                                                                                            |
| OPENAM-16936 | Tree nodes create new keystore object each time node is called.                                                                                                                      |
| OPENAM-16935 | Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1                                                                                              |
| OPENAM-16934 | `sm.getSchemaManager` has a typo including a comma                                                                                                                                   |
| OPENAM-16926 | Success URL node doesn't work with SAML Node for Idpinit when not using Integrated mode                                                                                              |
| OPENAM-16910 | Can not create SAML entity with entity id including a semicolon ';'                                                                                                                  |
| OPENAM-16907 | Kerberos Node in 7.0 does not work                                                                                                                                                   |
| OPENAM-16904 | OIDC bearer module fails with NPE when id\_token does not contain kid                                                                                                                |
| OPENAM-16883 | AM ignores AuthnRequestsSigned property during SSO                                                                                                                                   |
| OPENAM-16876 | Default ACR values on OIDC client profile are not honoured in order of preference                                                                                                    |
| OPENAM-16866 | AM should fail gracefully if id\_token fails to generate when swapping refresh token                                                                                                 |
| OPENAM-16849 | WeChat Social Auth module broken (regression)                                                                                                                                        |
| OPENAM-16848 | Choice Collector and WDSSO node combination does not work if whitelisting is enabled                                                                                                 |
| OPENAM-16847 | AM email service failing with 'Start TLS' option                                                                                                                                     |
| OPENAM-16838 | AuthenticationApproachChecker does not handle session upgrade modules                                                                                                                |
| OPENAM-16823 | IDM nodes do not send or propagate transactionId tracking when contacting IDM                                                                                                        |
| OPENAM-16807 | The dynamic values for request\_uri being stored in client config do not expire and are not automatically removed                                                                    |
| OPENAM-16801 | SAML2 SP init SSO fails after upgrade to 7.0.0                                                                                                                                       |
| OPENAM-16784 | Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep                                                                                                               |
| OPENAM-16769 | Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow                                                                                       |
| OPENAM-16758 | Cannot install AM 7 on Windows                                                                                                                                                       |
| OPENAM-16745 | client\_id in access token ignores what's been registered when idm cache is disabled                                                                                                 |
| OPENAM-16726 | Insufficient debug logging for OAuth2 error 'invalid\_client Server does not support this client's subject type'                                                                     |
| OPENAM-16703 | OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client\_secret\_basic used for credentials) |
| OPENAM-16701 | The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token                                                            |
| OPENAM-16684 | OIDC Dynamic Registration client\_description cannot take String type                                                                                                                |
| OPENAM-16669 | IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo                                                   |
| OPENAM-16617 | SuccessURL session property is set to gotoURL in authentication tree                                                                                                                 |
| OPENAM-16608 | AM with embedded DS setup fails with permission denied for truststore                                                                                                                |
| OPENAM-16583 | Crucial information is missing when encountering LDAP connections issue.                                                                                                             |
| OPENAM-16556 | Radius Server doesn't log IP address into AM Audit logs                                                                                                                              |
| OPENAM-16555 | Audit logging does not tell which policy allowed or denied a resource request                                                                                                        |
| OPENAM-16540 | Issues with Social Login URLs when navigating quickly between providers                                                                                                              |
| OPENAM-16535 | "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set                                                                                  |
| OPENAM-16515 | Social auth - insufficient debug logging for troubleshooting                                                                                                                         |
| OPENAM-16485 | 'Failed Login URL' is not picked up from the auth chain                                                                                                                              |
| OPENAM-16472 | Proxied Authentication fallback may not work when user entry lacks some attributes                                                                                                   |
| OPENAM-16450 | 501 when default resource version set to "oldest" and Accept-API-Version header set                                                                                                  |
| OPENAM-16418 | private\_key\_jwt client auth fails with 500 if claim format is wrong                                                                                                                |
| OPENAM-16368 | Settings of Mail and Scripting global service properties are overwritten at upgrade                                                                                                  |
| OPENAM-16367 | OIDC request\_uri response causes NPE while debug logging                                                                                                                            |
| OPENAM-16354 | Concurrency bug in OAuth2ProviderSettingsFactory                                                                                                                                     |
| OPENAM-16338 | Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly                                                                                                   |
| OPENAM-16157 | Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive                                                                                   |
| OPENAM-16152 | After upgrade, new Identity page has duplicate 'new identity' field and email address does not save                                                                                  |
| OPENAM-16006 | Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented                                                                           |
| OPENAM-15963 | Historical retention files (csv) were not deleted                                                                                                                                    |
| OPENAM-15948 | Update DS profiles to add VLV indexes for CTS use                                                                                                                                    |
| OPENAM-15743 | Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)                                                                                           |
| OPENAM-15671 | LoginContext is missing debug logging for troubleshooting                                                                                                                            |
| OPENAM-15663 | UserInfoClaims is not part of public API                                                                                                                                             |
| OPENAM-14898 | OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified                                                                                       |
| OPENAM-14682 | Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)                                                                                                        |
| OPENAM-14527 | Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)                                                                                                         |
| OPENAM-12503 | SizeBasedRotationPolicy does not delete oldest file                                                                                                                                  |

## AM 7.0.x

> **Collapse: AM 7.0.2**
>
> |              |                                                                                                                                  |
> | ------------ | -------------------------------------------------------------------------------------------------------------------------------- |
> | OPENAM-17689 | LDAPv3PersistentSearch should log when psearch connection is lost                                                                |
> | OPENAM-17688 | InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile                                                         |
> | OPENAM-17683 | Selfservice user registration auto login fails for a sub-realm                                                                   |
> | OPENAM-17673 | Nodes within a Page node do not have access to secure state                                                                      |
> | OPENAM-17672 | Page Node does not expose inner nodes inputs or outputs                                                                          |
> | OPENAM-17630 | JMS Audit logging broken and cannot start up                                                                                     |
> | OPENAM-17591 | Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session   |
> | OPENAM-17587 | OIDC bearer token authentication module requires context value setting for client secret                                         |
> | OPENAM-17570 | OIDC request parameter decryption fails to find any applicable keys                                                              |
> | OPENAM-17555 | AM 7.x versions of Amster use Java 8 format of debug port                                                                        |
> | OPENAM-17517 | JS versions of Social Identity Provider Profile Transformation scripts do not work due to a casting error.                       |
> | OPENAM-17515 | Sub attribute in access token can be in wrong casing                                                                             |
> | OPENAM-17483 | SecretsPlugin upgrade from 6.5.x failing                                                                                         |
> | OPENAM-17477 | Thread-safety issue in AMAuthenticationManager                                                                                   |
> | OPENAM-17436 | JS version of the OIDC Claims script does not work due to a casting error.                                                       |
> | OPENAM-17405 | Token introspection response not spec compliant                                                                                  |
> | OPENAM-17397 | ssoadm can fail for some cloud-based setups due to FileBasedConfiguration check                                                  |
> | OPENAM-17365 | Checking agent type with caller token can cause deadlock                                                                         |
> | OPENAM-17364 | prompt login / session upgrade / OIDC ACR looping with trees                                                                     |
> | OPENAM-17361 | API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation |
> | OPENAM-17357 | Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope                |
> | OPENAM-17349 | OIDC Refresh token - Ops token is deleted from the CTS during refresh                                                            |
> | OPENAM-17337 | Access token passed in request body results in failure                                                                           |
> | OPENAM-17324 | Client credentials grant in FBC config with group inheritance causes User not Valid Error                                        |
> | OPENAM-17322 | SAML2 bearer grant returns NoUserExistsException                                                                                 |
> | OPENAM-17321 | Prometheus Endpoint returns http 500 error when used with file based config                                                      |
> | OPENAM-17317 | A realm without any modules can cause increased thread count and slow response.                                                  |
> | OPENAM-17310 | 'ssoadm list-datastore-types' sub-command broken                                                                                 |
> | OPENAM-17277 | AM Recording with thread dump only shows depth of 8                                                                              |
> | OPENAM-17276 | AM recorder does not record anymore                                                                                              |
> | OPENAM-17274 | AM should not change the supported subject types for an existing install                                                         |
> | OPENAM-17271 | Typo for Realm in SAML/Federation debug                                                                                          |
> | OPENAM-17265 | Wrong authorized\_keys file updated                                                                                              |
> | OPENAM-17242 | OAuth2 Policy - Environment Condition AuthLevel >= doesn't work for ROPC grant                                                   |
> | OPENAM-17220 | OAuthLogout.jsp compilation error isGotoUrlValid method signature not found                                                      |
> | OPENAM-17199 | Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'                                                                |
> | OPENAM-17175 | XUI OAuth2 consent page does not render when using themes                                                                        |
> | OPENAM-17157 | Password reset via admin console with Proxied Authorization enabled is not possible                                              |
> | OPENAM-17156 | Adaptive Risk checkGeoLocation null countryCode can cause module fail.                                                           |
> | OPENAM-17121 | Inefficient synchronized block in OAuth2ProviderSettingsFactory                                                                  |
> | OPENAM-17117 | Service config XML dump consumes a lot of memory (whole config is read to memory)                                                |
> | OPENAM-17114 | Save Consent check box always shown, even when not configured                                                                    |
> | OPENAM-17102 | OAuth2 client bearer authentication has insufficient logs for troubleshooting failing client authentication                      |
> | OPENAM-17097 | Inconsistent scope policy evaluation between authorize and ROPC                                                                  |
> | OPENAM-17089 | Forgot password flow not working after initial attempt to reset password fails                                                   |
> | OPENAM-17081 | OAuth2 client agent group settings are not taken into account                                                                    |
> | OPENAM-17079 | Identities and Session: unexpected returned error when trying to request for unexisting identity                                 |
> | OPENAM-17070 | SAML2 SP initiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication                      |
> | OPENAM-17066 | Unable to add server to existing deployment through UI                                                                           |
> | OPENAM-17042 | User Self Registration REST API does not generate SSO token                                                                      |
> | OPENAM-17019 | Allowing wildcards in OAuth 2.0 clients prevents exact matching from working                                                     |
> | OPENAM-17017 | REST STS fails with unable to get sub-schema if cache is refreshed while updating REST config                                    |
> | OPENAM-16998 | Poor logging around failures "Invalid Assertion Consumer Location specified"                                                     |
> | OPENAM-16997 | Device code grant implied consent fails if access\_token request performed before user authenticates                             |
> | OPENAM-16955 | When setCookieToAllDomains=false is used, a non matching request from other domain will fail                                     |
> | OPENAM-16944 | LDAP Decision node fails if inetuserstatus does not exist                                                                        |
> | OPENAM-16932 | PageNode does not pick up outcomes if ScriptedDecisionNode is used inside                                                        |
> | OPENAM-16910 | Can not create SAML entity with entity id including a semicolon ';'                                                              |
> | OPENAM-16904 | OIDC bearer module fails with NPE when id\_token does not contain kid                                                            |
> | OPENAM-16883 | AM ignores AuthnRequestsSigned property during SSO                                                                               |
> | OPENAM-16881 | SAML federation library stopped supporting ACS URLs with query parameters                                                        |
> | OPENAM-16876 | Default ACR values on OIDC client profile is not honoured in order of preference                                                 |
> | OPENAM-16849 | WeChat Social Auth module broken (regression)                                                                                    |
> | OPENAM-16801 | SAML2 SP init SSO fails after upgrade to 7.0.0                                                                                   |
> | OPENAM-16726 | Insufficient debug logging for OAuth2 error 'invalid\_client Server does not support this client's subject type'                 |
> | OPENAM-16651 | Default configuration fails if the trust store type JVM property is not defined for the JVM                                      |
> | OPENAM-16638 | AM with embedded DS setup fails when Java system keystore properties are set                                                     |
> | OPENAM-16608 | AM with embedded DS setup fails with permission denied for truststore                                                            |
> | OPENAM-16581 | SAML Authentication Module on hosted SP gets SAML No authentication context error                                                |
> | OPENAM-16556 | Radius Server does not log IP address into AM Audit logs                                                                         |
> | OPENAM-16515 | Social auth - insufficient debug logging for troubleshooting                                                                     |
> | OPENAM-16472 | Proxied Authentication fallback may not work when user entry lacks some attributes                                               |
> | OPENAM-16364 | Macaroon access tokens don't work with the new any-realm token introspection                                                     |
> | OPENAM-16262 | Javadocs for IdUtils needs updating                                                                                              |
> | OPENAM-15963 | Historical retention files ( csv ) were not deleted                                                                              |
> | OPENAM-15214 | Auth Tree - Clicking save with no changes causes render problem with node attributes inside page node                            |
> | OPENAM-14240 | FMSigProvider.verify does not tell if certificates are provided                                                                  |
> | OPENAM-13783 | REST STS: Cannot add or modify nameID format in SAML config, and default value stated in help is incorrect                       |
> | OPENAM-13575 | Unhelpful log message when OIDC public client wants to use HMAC id token signing                                                 |

> **Collapse: AM 7.0.1**
>
> |              |                                                                                                                                                                                      |
> | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
> | OPENAM-16935 | Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1                                                                                              |
> | OPENAM-16934 | sm.getSchemaManager has a typo including a comma                                                                                                                                     |
> | OPENAM-16907 | Kerberos Node in 7.0 does not work                                                                                                                                                   |
> | OPENAM-16877 | Error when creating AM "Self-service Trees" service in native admin ui                                                                                                               |
> | OPENAM-16848 | Choice Collector and WDSSO node combination does not work if whitelisting is enabled                                                                                                 |
> | OPENAM-16847 | AM email service failing with 'Start TLS' option                                                                                                                                     |
> | OPENAM-16838 | AuthenticationApproachChecker does not handle session upgrade modules                                                                                                                |
> | OPENAM-16823 | IDM Nodes does not send or propagate transactionId tracking when contacting IDM                                                                                                      |
> | OPENAM-16802 | Upgrade from OpenAM 7.0 to 7.1.0 SNAPSHOT causes NPE                                                                                                                                 |
> | OPENAM-16794 | Google KMS options missing after upgrade from 6.5                                                                                                                                    |
> | OPENAM-16791 | AMAccessAuditEventBuilder#forRequest can generate an entry with \|-1 for the port                                                                                                    |
> | OPENAM-16769 | Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow                                                                                       |
> | OPENAM-16759 | Amster on windows AM does not restart properly after setup                                                                                                                           |
> | OPENAM-16758 | Cannot install AM 7 on Windows                                                                                                                                                       |
> | OPENAM-16745 | client\_id in access token ignores what's been registered when idm cache is disabled                                                                                                 |
> | OPENAM-16703 | OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client\_secret\_basic used for credentials) |
> | OPENAM-16702 | Saving engine configuration in FBC mode makes that config non-readable                                                                                                               |
> | OPENAM-16701 | The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token                                                            |
> | OPENAM-16697 | Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format                                              |
> | OPENAM-16686 | Cannot create a User after upgrade from 6.5.2 to 7.0.1                                                                                                                               |
> | OPENAM-16684 | OIDC Dynamic Registration client\_description cannot take String type                                                                                                                |
> | OPENAM-16669 | IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo                                                   |
> | OPENAM-16650 | Authz Policy Subjects Policy.title is showing property name text                                                                                                                     |
> | OPENAM-16641 | OAuth2 provider supported grant types attribute missing localization property on XUI                                                                                                 |
> | OPENAM-16606 | Missing "org.forgerock.openam.saml2.authenticatorlookup.skewAllowance" property in server defaults                                                                                   |
> | OPENAM-16594 | ssoadm help should be updated to reflect changes in AME-18650 / OPENAM-16155                                                                                                         |
> | OPENAM-16583 | Crucial information is missing when encountering LDAP connections issue.                                                                                                             |
> | OPENAM-16555 | (audit) logging does not tell which policy allowed or denied a resource request                                                                                                      |
> | OPENAM-16551 | Scalar String in OAuth2 Access Token Modification Script result in Unable to Obtain Access Token                                                                                     |
> | OPENAM-16545 | Upgrade to AM 7.0.0 can cause problems with properties being overridden for some web agents                                                                                          |
> | OPENAM-16485 | 'Failed Login URL' is not picked up from the auth chain                                                                                                                              |
> | OPENAM-16483 | XUI - Typo in SAML SP "Default Relay State Url" label                                                                                                                                |
> | OPENAM-16368 | Settings of Mail and Scripting global service properties are overwritten at upgrade                                                                                                  |
> | OPENAM-16367 | OIDC request\_uri response causes NPE while debug logging                                                                                                                            |
> | OPENAM-16354 | Concurrency bug in OAuth2ProviderSettingsFactory                                                                                                                                     |
> | OPENAM-16338 | Failing REQUISITE module after SUFFICIENT Device Match doesn't fail chain properly                                                                                                   |
> | OPENAM-16157 | Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive                                                                                   |
> | OPENAM-16152 | After upgrade, new Identity page has duplicate 'new identity' field and email address does not save                                                                                  |
> | OPENAM-16006 | Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented                                                                           |
> | OPENAM-15671 | LoginContext is missing debug logging for troubleshooting                                                                                                                            |
> | OPENAM-15663 | UserInfoClaims is not part of public API                                                                                                                                             |
> | OPENAM-14682 | Microsoft Social Auth fails when creating a Microsoft account (Legacy OAuth2)                                                                                                        |
> | OPENAM-14527 | Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)                                                                                                         |
> | OPENAM-11706 | Policies in a policy set are not visible in Internet Explorer IE                                                                                                                     |

> **Collapse: AM 7.0.0**
>
> |                                                                                                                                                               |                                                                                                                                          |
> | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
> | OPENAM-16433                                                                                                                                                  | Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.                           |
> | OPENAM-16425                                                                                                                                                  | AM does not handle malformed/incorrect signature correctly                                                                               |
> | OPENAM-16402                                                                                                                                                  | The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.                                 |
> | OPENAM-16379                                                                                                                                                  | URL fragments like # cause forbidden login in the XUI                                                                                    |
> | OPENAM-16284                                                                                                                                                  | XUI does not handle Special Chars / UTF-8 in realms properly.                                                                            |
> | OPENAM-16279                                                                                                                                                  | AgentsRepo cannot recover when it fails especially on external Application store.                                                        |
> | OPENAM-16251                                                                                                                                                  | OIDC authentication request with parameters 'prompt=none' and 'acr\_values=' triggers authentication                                     |
> | OPENAM-16240                                                                                                                                                  | REST STS under subrealm cannot generate id\_token with realm claim                                                                       |
> | OPENAM-16233                                                                                                                                                  | Policy evaluation fails when subject not found (even in ignore profile)                                                                  |
> | OPENAM-16214                                                                                                                                                  | Push Authentication Module does not work on Session Upgrade when User Cache disabled                                                     |
> | OPENAM-16184                                                                                                                                                  | Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords                                               |
> | OPENAM-16165                                                                                                                                                  | social authmodule causes NullPointerException                                                                                            |
> | OPENAM-16164                                                                                                                                                  | social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token                                                           |
> | OPENAM-16136                                                                                                                                                  | queryFilter only matches against first entry in array                                                                                    |
> | OPENAM-16132                                                                                                                                                  | When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates                             |
> | OPENAM-16032                                                                                                                                                  | Unable to delete devices with Recovery Code Collector Decision Node                                                                      |
> | OPENAM-16031                                                                                                                                                  | Intermittent error message when concurrent obtain SSO Token ID with session quota constraints                                            |
> | OPENAM-16014                                                                                                                                                  | An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow                                                          |
> | OPENAM-16013                                                                                                                                                  | Mismatched kid from Json Web Key URI when Specified Encryption Algorithm                                                                 |
> | OPENAM-16009                                                                                                                                                  | Windows Desktop SSO node full adoption and compliance with tree node specifications                                                      |
> | OPENAM-15989                                                                                                                                                  | OAuth2 client\_id should be url-decoded when using basic auth                                                                            |
> | OPENAM-15982                                                                                                                                                  | OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied                                         |
> | OPENAM-15970                                                                                                                                                  | Access Token introspect Fails in subrealm after root realm modified                                                                      |
> | OPENAM-15944                                                                                                                                                  | WS-Federation - RPSignin Request fails because config data is used unchecked                                                             |
> | OPENAM-15905                                                                                                                                                  | Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException                            |
> | OPENAM-15900                                                                                                                                                  | Kerberos fails when used with IBM JDK                                                                                                    |
> | OPENAM-15896                                                                                                                                                  | WS-Federation relying party initiated passive request - stuck at Account Realm selection                                                 |
> | OPENAM-15881                                                                                                                                                  | Custom AM User (amUser.xml) field does not use default values from the schema                                                            |
> | OPENAM-15858                                                                                                                                                  | Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used                |
> | OPENAM-15853                                                                                                                                                  | External UMA store fails on resource creation                                                                                            |
> | OPENAM-15805                                                                                                                                                  | idtokeninfo endpoint gives invalid signature error when ID Token is expired                                                              |
> | OPENAM-15785                                                                                                                                                  | OIDC spec violation - HTTP POST can not be used to send Authentication Request                                                           |
> | OPENAM-15784                                                                                                                                                  | Form elements in policy environment condition tab are displayed twice                                                                    |
> | OPENAM-15766                                                                                                                                                  | LoginState - account lockout is checkout although AM AccountLockout is disabled                                                          |
> | OPENAM-15758                                                                                                                                                  | KeyStore Secret Store fails to start due to secretId having some characters.                                                             |
> | OPENAM-15750                                                                                                                                                  | ERROR                                                                                                                                    |
> | OAuth2Monitor                                                                                                                                                 | Unable to increment "oauth2.grant" metric for unknown grant type BACK\_CHANNEL                                                           |
> | OPENAM-15724                                                                                                                                                  | SAML2 entities do not set amlbcookie if there is only one server                                                                         |
> | OPENAM-15713                                                                                                                                                  | AM SP drop the 80 characters RelayState silently for HTTP Redirect                                                                       |
> | OPENAM-15698                                                                                                                                                  | IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'                                                  |
> | OPENAM-15697                                                                                                                                                  | Default ACR values from OAuth2 provider not taken into account                                                                           |
> | OPENAM-15694                                                                                                                                                  | RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access                                                      |
> | OPENAM-15679                                                                                                                                                  | The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling                                                                  |
> | OPENAM-15670                                                                                                                                                  | DeviceIdSave auth module initialization fails if username is null                                                                        |
> | OPENAM-15667                                                                                                                                                  | AM debug log does not tell which auth-module was handled - needed for troubleshooting                                                    |
> | OPENAM-15645                                                                                                                                                  | The \&refresh=true\|false parameter for \_action=validate is not working as expected                                                     |
> | OPENAM-15632                                                                                                                                                  | OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support                                                   |
> | OPENAM-15628                                                                                                                                                  | Grant-Set Storage Scheme for CTS does not work with CIBA Flow                                                                            |
> | OPENAM-15627                                                                                                                                                  | Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"                                |
> | OPENAM-15579                                                                                                                                                  | AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'                        |
> | OPENAM-15559                                                                                                                                                  | OATH module broken in Japanese locale                                                                                                    |
> | OPENAM-15533                                                                                                                                                  | WS-Federation doesn't work with Authentication Trees                                                                                     |
> | OPENAM-15530                                                                                                                                                  | OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS                                             |
> | OPENAM-15520                                                                                                                                                  | XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default                                                               |
> | OPENAM-15508                                                                                                                                                  | moduleMessageEnabledInPasswordGrant does not apply to Trees                                                                              |
> | OPENAM-15507                                                                                                                                                  | 500 error when calling /revoke or /refresh endpoint with wrong token                                                                     |
> | OPENAM-15501                                                                                                                                                  | Xml encryption 1.1 namespaces aren't always mapped to prefixes correctly                                                                 |
> | OPENAM-15494                                                                                                                                                  | AM expects nonce request parameter in authorize request when no id\_token will be returned                                               |
> | OPENAM-15491                                                                                                                                                  | Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.                |
> | OPENAM-15489                                                                                                                                                  | WebAuthN Auth Node Doesn't Respect UV=Discouraged During AuthN                                                                           |
> | OPENAM-15465                                                                                                                                                  | Sending HTTP Callback from Inner Tree Evaluator Fails Authentication                                                                     |
> | OPENAM-15459                                                                                                                                                  | When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error                             |
> | OPENAM-15425                                                                                                                                                  | OIDC endsession - encrypted id\_tokens are not supported                                                                                 |
> | OPENAM-15374                                                                                                                                                  | OpenID Client authentication with private\_key\_jwt and client\_secret\_jwt does not enforce required jti claims                         |
> | OPENAM-15355                                                                                                                                                  | PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback                                             |
> | OPENAM-15349                                                                                                                                                  | Access Token request returns a 500 error                                                                                                 |
> | OPENAM-15345                                                                                                                                                  | at\_hash value generated does not take the latest modified access token                                                                  |
> | OPENAM-15323                                                                                                                                                  | ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree                                   |
> | OPENAM-15307                                                                                                                                                  | Trees Example is not working as expected OOTB to ?service=Example                                                                        |
> | OPENAM-15303                                                                                                                                                  | Claims with multiple values in issued\_token from REST STS represented inconsistently.                                                   |
> | OPENAM-15244                                                                                                                                                  | AM configuration does not perform schema extension for identity store although it has the permissions                                    |
> | OPENAM-15210                                                                                                                                                  | Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules                           |
> | OPENAM-15164                                                                                                                                                  | CDSSO with "ignore profile" throws "No OpenID Connect provider"                                                                          |
> | OPENAM-15160                                                                                                                                                  | LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind                                                       |
> | OPENAM-15150                                                                                                                                                  | Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field                                                |
> | OPENAM-15147                                                                                                                                                  | HTTP 500 upon accessing openam/json/                                                                                                     |
> | OPENAM-15145                                                                                                                                                  | OpenAM Scope Validator calls getUserInfo twice when creating IdToken                                                                     |
> | OPENAM-15121                                                                                                                                                  | Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )                                               |
> | OPENAM-15117                                                                                                                                                  | KeyVault KeyStoreType not supported                                                                                                      |
> | OPENAM-15116                                                                                                                                                  | Auth ID jwt can be modified to determine whether a realm exists or not                                                                   |
> | OPENAM-15105                                                                                                                                                  | Unable to get trusted devices using REST API                                                                                             |
> | OPENAM-15101                                                                                                                                                  | Remove the ability to disable XUI                                                                                                        |
> | OPENAM-15089                                                                                                                                                  | SAML SLO - Allow RelayState to be a path-relative URL                                                                                    |
> | OPENAM-15076                                                                                                                                                  | webAuthn config does not allow for multiple origins under the same rpId                                                                  |
> | OPENAM-15044                                                                                                                                                  | OpenID connect id\_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching                                          |
> | OPENAM-15036                                                                                                                                                  | Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file                                             |
> | OPENAM-15028                                                                                                                                                  | Cannot load metadata in ssoadm without extended metadata                                                                                 |
> | OPENAM-15012                                                                                                                                                  | OIDC - JWT Request Parameter returns errors in query, not in the fragment                                                                |
> | OPENAM-14995                                                                                                                                                  | IdP Initiated single logout only performs local logout if IdP session cannot be found in cache                                           |
> | OPENAM-14991                                                                                                                                                  | Changes to boot.json are overwritten                                                                                                     |
> | OPENAM-14979                                                                                                                                                  | NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade                                |
> | OPENAM-14977                                                                                                                                                  | PKCE Code challenge method for Authorization Code if not set should use plain                                                            |
> | OPENAM-14966                                                                                                                                                  | Performing access\_token with arbitrary text as trusted cert header causes server error                                                  |
> | OPENAM-14919                                                                                                                                                  | Unncessary 'Unable to parse packet received from RADIUS client' log entries in log file                                                  |
> | OPENAM-14901                                                                                                                                                  | XUI - SAML2 module doesn't redirect to IDP if it's 2nd in the chain                                                                      |
> | OPENAM-14895                                                                                                                                                  | user identity creation fails with "Identity \|" of type user not found.                                                                  |
> | OPENAM-14893                                                                                                                                                  | XUI displays multiple error messages when an authentication session times out                                                            |
> | OPENAM-14889                                                                                                                                                  | Upgrade of Peristent Cookie auth module fails                                                                                            |
> | OPENAM-14883                                                                                                                                                  | OAuth2/OIDC - Issuing client secret to Public clients during registration                                                                |
> | OPENAM-14881                                                                                                                                                  | AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123) |
> | OPENAM-14867                                                                                                                                                  | AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)                                                  |
> | OPENAM-14859                                                                                                                                                  | ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty                                          |
> | OPENAM-14858                                                                                                                                                  | When NameIDPolicy does not contain `Format=..`, remoteEntityID is passed as null                                                         |
> | OPENAM-14848                                                                                                                                                  | Insufficient debug logging in OpenID Connect authentication module                                                                       |
> | OPENAM-14845                                                                                                                                                  | user info endpoint does not correctly handle Certificate Bound Access Tokens                                                             |
> | OPENAM-14829                                                                                                                                                  | AuthSchemeCondition doesn't return realm aware policy condition advice                                                                   |
> | OPENAM-14825                                                                                                                                                  | OAuth2 Dynamic Registration with Software Statement triggers objectClass=\| search                                                       |
> | OPENAM-14804                                                                                                                                                  | Memory leak when running UMA RPT soak test                                                                                               |
> | OPENAM-14799                                                                                                                                                  | Unable to update Agent profile using REST                                                                                                |
> | OPENAM-14794                                                                                                                                                  | User privileges are removed from group if another group is given same privilege                                                          |
> | OPENAM-14786                                                                                                                                                  | idpSingleLogoutPOST throws error 500 IllegalStateException on SLO                                                                        |
> | OPENAM-14783                                                                                                                                                  | PKCS11 KeyStore does not work on IBM JVM                                                                                                 |
> | OPENAM-14782                                                                                                                                                  | AuthTree created Session does not use per User Session Service settings                                                                  |
> | OPENAM-14766                                                                                                                                                  | introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens                                               |
> | OPENAM-14717                                                                                                                                                  | mailto attribute have space between '\|' and mail address                                                                                |
> | OPENAM-14694                                                                                                                                                  | Consent page still shows claim values even when supported claim description is omitted                                                   |
> | OPENAM-14651                                                                                                                                                  | OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads                                                                              |
> | OPENAM-14581                                                                                                                                                  | handling ManageNameID fails if NameID does not include SPNameQualifier                                                                   |
> | OPENAM-14578                                                                                                                                                  | WDSSO failing but no fallback…​                                                                                                          |
> | OPENAM-14573                                                                                                                                                  | amlbcookie is not secure when authenticating with trees                                                                                  |
> | OPENAM-14572                                                                                                                                                  | prompt=login destroys and creates new session                                                                                            |
> | OPENAM-14570                                                                                                                                                  | OAuth mTLS DN comparison fails when DER-encoding is different                                                                            |
> | OPENAM-14548                                                                                                                                                  | consent page still shows what's been granted/removed as a result of OAuth2 scope policy evaluation                                       |
> | OPENAM-14546                                                                                                                                                  | SSOADM access not audited to the ssoadm.access logs anymore                                                                              |
> | OPENAM-14539                                                                                                                                                  | SAML SLO with multi protocols                                                                                                            |
> | OPENAM-14529                                                                                                                                                  | UMA RPT expiry time incorrect in CTS                                                                                                     |
> | OPENAM-14523                                                                                                                                                  | NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding                                                             |
> | OPENAM-14503                                                                                                                                                  | SAML2 - Key Transport Algorithm - RSA OAEP must be supported                                                                             |
> | OPENAM-14483                                                                                                                                                  | If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ                           |
> | OPENAM-14480                                                                                                                                                  | AuthLoginException is lost                                                                                                               |
> | OPENAM-14471 | Failed to create root realm for data store (External Policy \| Application) |
> | OPENAM-14465 | SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on |
> | OPENAM-14464 | XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used |
> | OPENAM-14450 | userinfo typo in Claims.java |
> | OPENAM-14426 | Unable to add external data store in AM (Policy \| Application) when using TLS/SSL |
> | OPENAM-14419 | Policy evaluation returns search results for all policies that match outside of specified application |
> | OPENAM-14393 | CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done |
> | OPENAM-14391 | Self Service Link not Display when Using Authentication Tree |
> | OPENAM-14378 | 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set |
> | OPENAM-14369 | Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure |
> | OPENAM-14362 | UMA load test fails with Invalid resource type error |
> | OPENAM-14353 | Error Message not Displayed when Change Password does not Meet Password Policy |
> | OPENAM-14337 | Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client |
> | OPENAM-14313 | Audit Logging - STS transformations create duplicate entries |
> | OPENAM-14310 | CheckSession page indicates the session is not valid |
> | OPENAM-14294 | am-external Git repository 6.5 have bad source |
> | OPENAM-14281 | IdP Proxy relays wrong AuthnContextClassRef |
> | OPENAM-14239 | FMSigProvider.verify NPE with null input for certificates |
> | OPENAM-14233 | updated\_at claim in the ID Token is returned as a string and not a number |
> | OPENAM-14232 | Performance issue when creating resource\_set in UMA with many existing resource\_set |
> | OPENAM-14229 | custom AuthorizeTemplate under theme not used |
> | OPENAM-14213 | Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute |
> | OPENAM-14212 | SAML redirect to login page fails if AM installed into the root context |
> | OPENAM-14200 | Social auth modules do not work when AM is installed into the root context |
> | OPENAM-14189 | effectiveRange of Time environment has issue |
> | OPENAM-14175 | |
> | CTS updates on multivalue attributes may throws Duplicate values exception                                                                                    | OPENAM-14174                                                                                                                             |
> | AM shows Ldapter.delete exception when session expires is triggered                                                                                           | OPENAM-14167                                                                                                                             |
> | HTML tags are shown part of the messages in Change Password section of AD Authentication module.                                                              | OPENAM-14147                                                                                                                             |
> | arg=newsession in XUI just shows the "Loading…​" page                                                                                                         | OPENAM-14115                                                                                                                             |
> | Sample Auth module does not work in a chain when used with Shared-state                                                                                       | OPENAM-14112                                                                                                                             |
> | Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie                                                          | OPENAM-14111                                                                                                                             |
> | Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow                                                                              | OPENAM-14062                                                                                                                             |
> | Redirect to Failure URL does not occur when authentication tree is not interactive                                                                            | OPENAM-14054                                                                                                                             |
> | XUI Custom templates and Partials not applied consistently                                                                                                    | OPENAM-14053                                                                                                                             |
> | Cannot build AM UI in Windows for Yarn using mvn                                                                                                              | OPENAM-14040                                                                                                                             |
> | LdifUtils debug logging prints out wrong classname                                                                                                            | OPENAM-14018                                                                                                                             |
> | Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server                                       | OPENAM-13999                                                                                                                             |
> | Custom node containing ConfirmationCallbacks fails when dropped in a page node.                                                                               | OPENAM-13991                                                                                                                             |
> | 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm                                                                      | OPENAM-13978                                                                                                                             |
> | Session Upgrade - AuthLevel format changes                                                                                                                    | OPENAM-13942                                                                                                                             |
> | SAML2 Circle of Trust - REST Update doesn't update the metadata of the provider                                                                               | OPENAM-13934                                                                                                                             |
> | saml2error.jsp fails with exception when malformed SAML2 response given                                                                                       | OPENAM-13900                                                                                                                             |
> | OAuth2 Device flow - duplicate user\_code error after authenticating user                                                                                     | OPENAM-13892                                                                                                                             |
> | Erroneous "Response's InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not                                                    | OPENAM-13890                                                                                                                             |
> | Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext                                                                                     | OPENAM-13851                                                                                                                             |
> | Rest STS cannot be created in the Console when upgrading to 6                                                                                                 | OPENAM-13831                                                                                                                             |
> | RP-Initiated Logout does not handle state parameter                                                                                                           | OPENAM-13779                                                                                                                             |
> | Session API - \_action=refresh requires an admin token                                                                                                        | OPENAM-13764                                                                                                                             |
> | Monitoring logs in ERROR for "Agent.configAgentsOnly                                                                                                          | agent type = OAuth2Client"                                                                                                               |
> | OPENAM-13720                                                                                                                                                  | Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals                                                               |
> | OPENAM-13490                                                                                                                                                  | Software Publisher Agent - Secret is not saved when creating an Agent                                                                    |
> | OPENAM-13465                                                                                                                                                  | Dynamic client registration sets wrong subjectType                                                                                       |
> | OPENAM-13446                                                                                                                                                  | Social Auth Service doesn't redirect if already using another chain                                                                      |
> | OPENAM-13419                                                                                                                                                  | LDAPPolicyFilterCondition doesn't set request timeout                                                                                    |
> | OPENAM-13324                                                                                                                                                  | /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"                                               |
> | OPENAM-13064                                                                                                                                                  | OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional                                          |
> | OPENAM-13000                                                                                                                                                  | Custom authentication module with a single ChoiceCallback value is processed without confirmation                                        |
> | OPENAM-12955                                                                                                                                                  | Resource Owner Password Credentials Grant does not work with trees                                                                       |
> | OPENAM-12759                                                                                                                                                  | max\_age should a number, not a string                                                                                                   |
> | OPENAM-12574                                                                                                                                                  | SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies                                                     |
> | OPENAM-12498                                                                                                                                                  | Authorization Grant response returns scope(s) in the URL                                                                                 |
> | OPENAM-12228                                                                                                                                                  | WebAgent REST API queryFilter expression does not work and acts all "true"                                                               |
> | OPENAM-12186                                                                                                                                                  | Introspect endpoint for RPT does not check the authorization scheme                                                                      |
> | OPENAM-11921                                                                                                                                                  | Incorrect NameId Format offered for SAML2 auth module in console                                                                         |
> | OPENAM-11863                                                                                                                                                  | CORSFilter position in web.xml should come before most filters                                                                           |
> | OPENAM-11778                                                                                                                                                  | Getting accessToken using authorization\_code result in Unhandled exception                                                              |
> | OPENAM-11338                                                                                                                                                  | OpenID Connect id\_token bearer auth module mixes up aud, azp during verification                                                        |
> | OPENAM-10869                                                                                                                                                  | SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.                                                 |
> | OPENAM-10843                                                                                                                                                  | When generating an OIDC token through STS a "kid" value is not specified                                                                 |
> | OPENAM-10127                                                                                                                                                  | SessionMonitoringStore should only be instantiated when monitoring is enabled                                                            |
> | OPENAM-9931                                                                                                                                                   | Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)                   |
> | OPENAM-9777                                                                                                                                                   | Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly                                                        |
> | OPENAM-9459                                                                                                                                                   | 500 Internal Server Error from changePassword endpoint with AD repo                                                                      |
> | OPENAM-5867                                                                                                                                                   | Data Store LDAP server (admin-ordered) list is reordered by OpenAM                                                                       |
