---
title: Fixes in AM 8.0.x
description: This page lists the cumulative fixes in AM 8.0.x releases:
component: pingam
version: release-notes
page_id: pingam::fixes-8.0
canonical_url: https://docs.pingidentity.com/pingam/release-notes/fixes-8.0.html
section_ids:
  am_8_0_2: AM 8.0.2
  am_8_0_1: AM 8.0.1
  am_8_0_0: AM 8.0.0
  am_7_5_x: AM 7.5.x
  am_7_4_x: AM 7.4.x
  am_7_3_x: AM 7.3.x
---

# Fixes in AM 8.0.x

This page lists the cumulative fixes in AM 8.0.x releases.

## AM 8.0.2

|              |                                                                                                                                                          |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| AME-32756    | Address issue with stale policy index cache                                                                                                              |
| AME-32195    | Node Designer doesn't work for non-English system and user locale                                                                                        |
| AME-32279    | Scripting context upgrade step should preserve property name prefix                                                                                      |
| OPENAM-25527 | Make sure PAR endpoint computed correctly for JWT audience validation                                                                                    |
| OPENAM-25462 | In Node Designer, the `defaultValue` property doesn't work for custom nodes when using AM 8.0.1 with Java 21                                             |
| OPENAM-24543 | The PingOne Protect Initialization node displays an unnecessary form to the end user                                                                     |
| OPENAM-24400 | Update Get Authenticator App node to point to PingID instead of ForgeRock Authenticator                                                                  |
| OPENAM-24393 | InnerTreeEvaluator node in the journey doesn't work when accessed using REST without authId (affects KerberosNode)                                       |
| OPENAM-24349 | "Unable to determine key size for key" error occurs when signing an assertion with an explicit signing algorithm configured in the Service Provider (SP) |
| OPENAM-24335 | The `_queryFilter` Parameter does not work for advancedOAuth2ClientConfig when scalable OAuth2 Clients are enabled                                       |
| OPENAM-24228 | Add support for eu-west-2 SNS Client Region in the Push Notification Service                                                                             |
| OPENAM-24219 | Suspended authentication doesn't work with journey session allowlist                                                                                     |
| OPENAM-24125 | OAuth 2.0 or agent service fails to recover after schema reload required for external app store                                                          |
| OPENAM-24109 | LDAPFilterCondition doesn't use search request timeout settings properly (timeout using heartbeat timeout)                                               |
| OPENAM-24091 | Invalid encryption key used for service attributes during FBC setup                                                                                      |
| OPENAM-24061 | A delegated admin logged into a root realm can't edit/create a policy set in the sub realm                                                               |
| OPENAM-24059 | Add support for "android-key" webauthn attestation format                                                                                                |
| OPENAM-24020 | AgentIdentityImpl to use AdminTokenAction to reduce stress on policy store                                                                               |
| OPENAM-23945 | Distributed tracing fails to initialize in non-FBC scenario                                                                                              |
| OPENAM-23851 | The AM-8.\*.zip is missing required file in order to build a base docker-image                                                                           |
| OPENAM-23767 | The `acr_sig` value being read from the PAR object instead of the query parameter                                                                        |
| OPENAM-23766 | Adapter Environment under SP role in the GUI isn't working properly                                                                                      |
| OPENAM-23595 | A `redirect_uri` using a URN results in a malformed redirect location                                                                                    |
| OPENAM-23341 | No error logging on AM side when OIDC or OAuth2 error responses are generated                                                                            |
| OPENAM-23283 | SecretReferenceCache not used for `am.applications.oauth2.client.%s.secret` labels                                                                       |
| OPENAM-23107 | Make `/authorize` response compliant with JARM specification when response type `code`                                                                   |
| OPENAM-21910 | PAR `client_id` parameter treated as mandatory when using JAR and `private_key_jwt` auth method                                                          |
| OPENAM-20776 | Social IdP with OIDC configuration uses token endpoint for private key JWT `aud` value                                                                   |
| OPENAM-20809 | IE11 doesn't work with AM 7.2.1-RC1 and AM 7.3.0                                                                                                         |
| OPENAM-20582 | The `iss` claim value must match `sub` claim value for JWT client authentication                                                                         |

## AM 8.0.1

|              |                                                                                                     |
| ------------ | --------------------------------------------------------------------------------------------------- |
| AME-31120    | Prevent using library scripts in Node Designer scripts                                              |
| AME-31114    | Change the case of the SNS push message `GCM_PRIORITY` field to lowercase                           |
| AME-31109    | Amster 8.0 import fails with `NoSuchMethodError`                                                    |
| OPENAM-23770 | WebAuthn node flow causes exception instead of `Client Error` outcome when passkey prompt cancelled |

## AM 8.0.0

|              |                                                                                                              |
| ------------ | ------------------------------------------------------------------------------------------------------------ |
| OPENAM-23581 | Configuration Provider node doesn't accept duration values as integers                                       |
| OPENAM-23537 | Configuration Provider node fails to get inputs for Inner Tree node                                          |
| OPENAM-23519 | Android devices without a screen lock throw an error with WebAuthn registration                              |
| OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn't work with Inner Tree as first node                                 |
| OPENAM-23516 | Timeout node configuration properties no longer accept negative numbers                                      |
| OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
| OPENAM-23427 | Composite advice with Auth Level fails when the realm contains a broken journey                              |
| OPENAM-23228 | Fix file leak when receiving large response from next-generation scripting `httpClient` request              |
| OPENAM-23095 | Reduced default OAuth2 denylist poll interval to ensure access token is correctly reported invalid           |
| OPENAM-23091 | Fix for `systemEnv.getProperty()` in next-generation scripting                                               |
| OPENAM-23077 | The `/access_token` endpoint sets the wrong error code when `code_verifier` isn't supplied                   |
| OPENAM-23059 | `ssoadm` doesn't work against realm defaults                                                                 |
| OPENAM-22988 | Failover doesn't occur when heartbeat interval is set to 0                                                   |
| OPENAM-22966 | AM should accept `NONE` as a valid client authentication method for social IdPs                              |
| OPENAM-22955 | Set Persistent Cookie node before tree failure causes 500 error instead of 401                               |
| OPENAM-22865 | Stateful refresh token revoke race condition                                                                 |
| OPENAM-22846 | External app/policy store active/passive LB isn't working                                                    |
| OPENAM-22811 | Unable to modify `objectAttributes` when present in shared and transient state                               |
| OPENAM-22708 | Loop back to the same node causes exception when the journey runs                                            |
| OPENAM-22688 | Page node localization for header, description and footer isn't working as expected                          |
| OPENAM-22675 | Next-generation scripting `callbacksBuilder` can't set value for NameCallback                                |
| OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm                                                   |
| OPENAM-22652 | Some authentication nodes missing from am-external after IDM node separation                                 |
| OPENAM-22630 | Empty webhooks property key results in NullPointerException                                                  |
| OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing                                     |
| OPENAM-22298 | NullPointerException in `SAML2Utils.verifyNameIDFormat` method                                               |
| OPENAM-22297 | Saml2Node doesn't log whether SP and IDP descriptor were retrieved                                           |
| OPENAM-22270 | No OAuth clients shown when scalable agents enabled                                                          |
| OPENAM-22264 | AM doesn't use global service schema properties set by `ssoadm`                                              |
| OPENAM-22171 | Forgotten Password flow fails when AM searches for the identity to modify                                    |
| OPENAM-22146 | Request object failure not logged even when debug logging is set to highest level                            |
| OPENAM-22120 | Backchannel logout tokens now include the `exp` claim                                                        |
| OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM                                               |
| OPENAM-21974 | Social Identity Provider Service: LinkedIn template is out of date                                           |
| OPENAM-21913 | When doing Session upgrade the Session property `Host` doesn't change from original value                    |
| OPENAM-21617 | Exception thrown by scope validator script not whitelisted in script engine configuration                    |
| OPENAM-21545 | Unable to create a circle of trust in file-based configuration with external data store                      |
| OPENAM-21003 | IE11 not working during SAML tree authentication due to use of Arrow function                                |
| OPENAM-18252 | Let nodes update the universal ID for impersonation and peer authentication                                  |
| OPENAM-15834 | Access token call fails when an unsupported claim is requested                                               |
| OPENAM-15410 | Audience claim not able to customize if scope with openid and profile                                        |
| OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster                              |
| OPENAM-14217 | Add more debug when getSessionInfo v2.1 fails with Internal Server Error                                     |

## AM 7.5.x

> **AM 7.5.2**
>
> |              |                                                                                                                                         |
> | ------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
> | OPENAM-24543 | The PingOne Protect Initialization node displays an unnecessary form to the end user                                                    |
> | OPENAM-24349 | "Unable to determine key size for key" error occurs when signing an assertion with an explicit signing algorithm configured in the SP   |
> | OPENAM-24335 | The `_queryFilter` Parameter doesn't work for `advancedOAuth2ClientConfig` when scalable OAuth 2.0 clients are enabled                  |
> | OPENAM-24125 | OAuth 2.0 or agent service fails to recover after schema reload required for external app store                                         |
> | OPENAM-24109 | LDAPFilterCondition uses search time limit for request timeout                                                                          |
> | OPENAM-23716 | Policy lookup doesn't error when cache isn't populated and policy store is down                                                         |
> | OPENAM-23595 | Redirect using a URN loses the scheme-specific part                                                                                     |
> | OPENAM-23767 | The `acr_sig` value is read from the PAR object instead of the query parameter                                                          |
> | OPENAM-23766 | Adapter Environment under SP role in the GUI isn't working properly                                                                     |
> | OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration                                                            |
> | OPENAM-23518 | AuthenticateToTreeConditionAdvice does not work with innerTree as first node                                                            |
> | OPENAM-23441 | Enabling OAuth 2.0 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working                         |
> | OPENAM-23341 | AM doesn't log errors for OIDC or OAuth 2.0 failures                                                                                    |
> | OPENAM-23283 | SecretReferenceCache not used for `am.applications.oauth2.client.%s.secret` labels                                                      |
> | OPENAM-23091 | Fix for `systemEnv.getProperty()` in next-generation scripting                                                                          |
> | OPENAM-22988 | Failover doesn't occur when heartbeat interval is set to `0`                                                                            |
> | OPENAM-22846 | External app/policy store active/passive LB isn't working                                                                               |
> | OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm                                                                              |
> | OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI                                                                     |
> | OPENAM-22630 | Empty webhooks property key results in a NullPointerException                                                                           |
> | OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing                                                                |
> | OPENAM-22520 | WebAuthN (FIDO Certification): TPM attestation failing when `pubArea.nameAlg` doesn't match the hash used to generate the attested name |
> | OPENAM-22346 | The RP `form_post` endpoint doesn't handle POST data well when OP returns error                                                         |
> | OPENAM-22298 | NullPointerException in `SAML2Utils.verifyNameIDFormat` method                                                                          |
> | OPENAM-22281 | NameIdFormat values populated for remote IdP                                                                                            |
> | OPENAM-22120 | Backchannel logout tokens now include the `exp` claim                                                                                   |
> | OPENAM-20776 | Enable private key jwt audience to be configurable                                                                                      |
> | OPENAM-20239 | Setting the `keepalive` or `heartbeat` interval to a negative value in the IdRepo config causes an error                                |
> | OPENAM-20089 | Configuration Provider nodes don't take integer values                                                                                  |
> | OPENAM-15834 | Access token call fails when an unsupported claim is requested                                                                          |
> | OPENAM-15410 | Audience claim not customizable when scope set to `openid` and `profile`                                                                |

> **AM 7.5.1**
>
> |              |                                                                                                                       |
> | ------------ | --------------------------------------------------------------------------------------------------------------------- |
> | IAM-5473     | Always save UI environment variables to `.env` file when using yarn start                                             |
> | IAM-6429     | Failure URL node not working as expected on Safari when used with a Message node                                      |
> | OPENAM-23059 | SSOADM doesn't work for realm defaults                                                                                |
> | OPENAM-22955 | Set Persistent Cookie node causes 500 error before failure                                                            |
> | OPENAM-22847 | Nodes that use a tree hook with an injection annotation cause an error when the tree fails                            |
> | OPENAM-22836 | Unable to update KBA security questions using XUI                                                                     |
> | OPENAM-22753 | Destroy All session may fail to work                                                                                  |
> | OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character       |
> | OPENAM-22715 | `PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder` isn't escaping values correctly                        |
> | OPENAM-22708 | Loop back to the same node causes exception when tree is executed                                                     |
> | OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn't invalidate user cached attributes            |
> | OPENAM-22676 | `SecretsProviderFacadeFactory` is not a supported API but is the only valid way to create the `SecretsProviderFacade` |
> | OPENAM-22675 | Unable to set a default value for NameCallback in next-generation `callbacksBuilder`                                  |
> | OPENAM-22672 | Configuring SAML entities with invalid secret label mappings break SAML flows for other entities                      |
> | OPENAM-22656 | Setting `JWKs URI content cache timeout` to a small value throws an error                                             |
> | OPENAM-22632 | `AMSetupServlet` installation error on Windows multi-domain environment                                               |
> | OPENAM-22620 | Slow response from access token endpoint using client credentials grant                                               |
> | OPENAM-22602 | OIDC ID Token Validator Node isn't using inbuilt `httpClient` settings to connect to JWK or well-known URL            |
> | OPENAM-22465 | Unexpected error when `request_uri` client doesn't match request parameter client in PAR authorise request            |
> | OPENAM-22391 | Issues with `evaluateTree` when using wildcard policies                                                               |
> | OPENAM-22322 | ArtifactResponse Assertion that is signed cannot be verified and fails                                                |
> | OPENAM-22318 | OAUTH\_REQUEST\_ATTRIBUTES cookie isn't getting deleted after authentication                                          |
> | OPENAM-22289 | Session quota action may fail when the session is not updateable but should be fine to proceed.                       |
> | OPENAM-22281 | NameIdFormat values populated for remote IdP                                                                          |
> | OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform                                               |
> | OPENAM-22171 | Forgotten password fails when AM searches for the identity to modify                                                  |
> | OPENAM-22146 | OAuth 2.0 request object failure not logged for POST requests even when full debug logging is enabled                 |
> | OPENAM-22120 | Backchannel logout tokens now include the `exp` claim                                                                 |
> | OPENAM-22109 | The expiry time of OPS token in 7.x fails to update correctly                                                         |
> | OPENAM-22009 | Providing an invalid alias to a secret store mapping breaks AM                                                        |
> | OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments                                                         |
> | OPENAM-21951 | No option to set the `selectedIndex` on a ChoiceCallback                                                              |
> | OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results                                                    |
> | OPENAM-21864 | No option to enable the `trackingCookie` with next-generation `callbacksBuilder`                                      |
> | OPENAM-21852 | Failure when reading input from next-generation SelectIDPCallback                                                     |
> | OPENAM-21609 | OAuth2Provider service created immediately after install/restart isn't available in code flow                         |
> | OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years                                                           |
> | OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2                                        |
> | OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing `trackingID` field                         |
> | OPENAM-20609 | Inconsistent error message getting access token when using refresh token after changing username                      |
> | OPENAM-20314 | Social Provider Handler node and Social IdP service use the `sub` claim to search for links to existing accounts      |
> | OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster                                       |

> **AM 7.5.0**
>
> |              |                                                                                                                                                       |
> | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
> | OPENAM-22206 | AM upgrade fails for 7.1.4 and older: Creating UMA PCT Encryption Secret Failed                                                                       |
> | OPENAM-22191 | JUnit jars are bundled in the AM.war release                                                                                                          |
> | OPENAM-22119 | "Access to Java class ScriptedLoggerWrapper prohibited" exception                                                                                     |
> | OPENAM-22101 | UI admin tests are failing since updating secret ID to secret label                                                                                   |
> | OPENAM-22060 | am-config-upgrader: poor performance                                                                                                                  |
> | OPENAM-22035 | Page Nodes don't delete contained nodes when a tree is deleted                                                                                        |
> | OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak                                                                       |
> | OPENAM-21976 | Single point of locking contention when doing Client-based session logout                                                                             |
> | OPENAM-21941 | Unable to edit policies in the UI                                                                                                                     |
> | OPENAM-21937 | Quota Enforcement affecting agents sessions that authenticate by tree                                                                                 |
> | OPENAM-21936 | Unable to use Legacy and Next Generation Script in the same authentication tree                                                                       |
> | OPENAM-21912 | OAuth2/OIDC signing slow with RSA keys when using Google Secret Manager                                                                               |
> | OPENAM-21856 | Introspecting stateless token with IG/Web agents will cause OAuth2ChfException                                                                        |
> | OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI                                                                                                    |
> | OPENAM-21840 | Warning for missing mapping in dynamic secret doesn't warn for missing secret label identifier                                                        |
> | OPENAM-21803 | CertificateUserExtractorNode cannot resolve wrong name when UPN SubjectAltNameExt                                                                     |
> | OPENAM-21780 | Next generation scripting `httpClient` adds "null" as entity to GET requests                                                                          |
> | OPENAM-21748 | Next generation scripting missing "get" wrapper function for HiddenValueCallback                                                                      |
> | OPENAM-21747 | Amster not working after connecting when AM REST call has extra `set-cookie` headers                                                                  |
> | OPENAM-21739 | Running the am-config-upgrader on an empty directory results in unexpected addition of library scripting service                                      |
> | OPENAM-21707 | file-functional-tests: OAuth2Provider doesn't allow setting of default consent agent when scalableAgents are enabled                                  |
> | OPENAM-21693 | Remove default global library script                                                                                                                  |
> | OPENAM-21664 | Upgrade fails to AM 7.4 with an uncaught exception when initialising the PrivilegeIndexStore class                                                    |
> | OPENAM-21506 | Inner Evaluator Tree with Data Store Decision node fails with correct password on first pass when used with Retry Decision node                       |
> | OPENAM-21484 | OAuth2 tokenintrospection response has different claim value types when refresh tokens are introspected                                               |
> | OPENAM-21473 | Certificate collector node: getPortalStyleCert throws exception when cert/header not present                                                          |
> | OPENAM-21389 | Searching algorithm for calculating the reachability of a node in a tree returns incorrect result                                                     |
> | OPENAM-21277 | Running Amster in debug mode doesn't work on Windows                                                                                                  |
> | OPENAM-21053 | User ID is missing from access.audit.json for JWT client authentication flow using `org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false` |
> | OPENAM-20924 | Reentry cookie when set causes the user to redirect to an incorrect IdP                                                                               |
> | OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"                                                                          |
> | OPENAM-20329 | ForgeRock JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) not spec compliant                                                             |
> | OPENAM-19999 | ID token as AM session doesn't work with `/authorize` when openid scope is requested                                                                  |
> | OPENAM-19889 | Policy evaluation fails with Agent access token JWT as subject                                                                                        |
> | OPENAM-17816 | 500 Internal Server Error (from NPE) returned for a missing Content-Type header                                                                       |
> | OPENAM-17315 | Update defaults scripts with the change introduced in COMMONS-628                                                                                     |

## AM 7.4.x

> **AM 7.4.2**
>
> |              |                                                                                                                  |
> | ------------ | ---------------------------------------------------------------------------------------------------------------- |
> | OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working     |
> | OPENAM-23091 | Fix for `systemEnv.getProperty()` in next-generation scripting                                                   |
> | OPENAM-23059 | `ssoadm` doesn't work against realm defaults                                                                     |
> | OPENAM-22988 | Failover doesn't occur when `heartbeat` interval is set to 0                                                     |
> | OPENAM-22846 | External app/policy store active/passive LB isn't working                                                        |
> | OPENAM-22836 | Unable to update KBA security questions using XUI                                                                |
> | OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when the IdP entity name has a special character  |
> | OPENAM-22657 | JWT validation fails when signed using the RS256 algorithm                                                       |
> | OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment                                               |
> | OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing                                         |
> | OPENAM-22465 | Unexpected error when request\_uri client doesn't match request parameter client in PAR authorise request        |
> | OPENAM-22391 | Issues with `evaluateTree` when using wildcard policies                                                          |
> | OPENAM-22346 | The RP `form_post` endpoint doesn't handle POST data well when OP returns error                                  |
> | OPENAM-22322 | Signed ArtifactResponse Assertion can't be verified and fails                                                    |
> | OPENAM-22318 | OAUTH\_REQUEST\_ATTRIBUTES cookie isn't getting deleted after authentication                                     |
> | OPENAM-22298 | NullPointerException in `SAML2Utils.verifyNameIDFormat` method                                                   |
> | OPENAM-22264 | Add global attribute handling to `ssoadm`                                                                        |
> | OPENAM-22120 | Backchannel logout tokens now include the `exp` claim                                                            |
> | OPENAM-21951 | No option to set the `selectedIndex` on a ChoiceCallback                                                         |
> | OPENAM-21926 | Lockout message is not applied when using Identity Store Decision node                                           |
> | OPENAM-21897 | Creation order determines policy `evaluate` and `evaluateTree` results                                           |
> | OPENAM-21864 | No option to enable the `trackingCookie` with `callbacksBuilder`                                                 |
> | OPENAM-21748 | Next-generation scripting missing "get" wrapper function for HiddenValueCallback                                 |
> | OPENAM-21609 | OAuth2Provider service created immediately after install/restart isn't available in code flow                    |
> | OPENAM-21545 | Unable to create a circle of trust in file-based configuration with external data store                          |
> | OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing `trackingID` field                    |
> | OPENAM-20314 | Social Provider Handler node and Social IdP service use the `sub` claim to search for links to existing accounts |
> | OPENAM-20239 | Setting the `keepalive` or `heartbeat` interval to a negative value in the IdRepo config causes an error         |
> | OPENAM-15834 | Access token call fails when an unsupported claim is requested                                                   |
> | OPENAM-14438 | Ensure OAuth2ClientAgentGroups are imported before OAuth2ClientAgents in Amster                                  |

> **Collapse: AM 7.4.1**
>
> |              |                                                                                                            |
> | ------------ | ---------------------------------------------------------------------------------------------------------- |
> | OPENAM-22753 | Destroy All session may fail to work                                                                       |
> | OPENAM-22715 | PlaceholderAnnotationUtils.insertDefaultValueIntoPlaceholder is not escaping values correctly              |
> | OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn't invalidate user cached attributes |
> | OPENAM-22620 | Slow response from access token endpoint using client credentials grant                                    |
> | OPENAM-22602 | OIDC ID Token Validator node uses own httpClient settings to connect to JWK or well-known URL              |
> | OPENAM-22421 | WebAuthn: Windows Hello TPM Attestation failing for Windows 11 22H2                                        |
> | OPENAM-22289 | Session quota action may fail when the session isn't updatable but should be fine to proceed               |
> | OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform                                    |
> | OPENAM-22171 | Forgotten password fails when AM searches for the identity to modify                                       |
> | OPENAM-22119 | "Access to Java class ScriptedLoggerWrapper prohibited" exception                                          |
> | OPENAM-22109 | The expiry time of OPS token in 7.x doesn't change with the time of tokens created                         |
> | OPENAM-22017 | Configuration Provider node creates node class dynamically leading to native memory leak                   |
> | OPENAM-21976 | Single point of locking contention when doing client-based session logout                                  |
> | OPENAM-21972 | SAML artifact binding is using crosstalk for artifact resolution                                           |
> | OPENAM-21941 | Unable to edit policies in the UI                                                                          |
> | OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree                                         |
> | OPENAM-21936 | Unable to use legacy and next-generation scripts in the same authentication tree                           |
> | OPENAM-21868 | ssoadm `create-sub-cfg` not working for AM 7.2+ due to the `context=` field                                |
> | OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI                                                         |
> | OPENAM-21803 | Certificate User Extractor node cannot resolve wrong name when UPN SubjectAltNameExt                       |
> | OPENAM-21780 | Next-generation `httpClient` script binding adds "null" as entity to GET requests                          |
> | OPENAM-21747 | Amster not working after connecting when AM REST call has extra `set-cookie` headers                       |
> | OPENAM-21664 | Upgrade fails to AM 7.4.0 with an uncaught exception when initializing the PrivilegeIndexStore class       |
> | OPENAM-21484 | OAuth 2.0 token introspection response has different claim value types when introspecting refresh tokens   |
> | OPENAM-21473 | Certificate Collector node: getPortalStyleCert throws exception when cert/header not present               |
> | OPENAM-21466 | AM using OIDC social authentication fails to verify ID token if remote JWK\_URIs have duplicate KID        |
> | OPENAM-21277 | Running Amster in debug mode doesn't work on Windows                                                       |
> | OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years                                                |
> | OPENAM-20609 | Inconsistent error message when generating access token using refresh token after changing username        |
> | OPENAM-19999 | ID token as AM session doesn't work with `/authorize` when openid scope is requested                       |
> | OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject                                             |
> | OPENAM-17816 | 500 Internal Server Error (from NPE) returned for a missing Content-Type header                            |

> **Collapse: AM 7.4.0**
>
> |              |                                                                                                                                                  |
> | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |
> | OPENAM-21476 | Persistent Cookie isn't created when using Configuration Provider node                                                                           |
> | OPENAM-21421 | Scripting logger name isn't based on logging hierarchy convention                                                                                |
> | OPENAM-21390 | Fix caching error when a journey switches backend instances to correctly provide data to `nodeState`                                             |
> | OPENAM-21360 | Add `java.util.concurrent.ExecutionException` to AM scripting class allowlist                                                                    |
> | OPENAM-21323 | LDAP (inline) upgrade fails due to policy creation of UssSelfWriteAttributes                                                                     |
> | OPENAM-21304 | Retain request URI values specified during dynamic client registration                                                                           |
> | OPENAM-21164 | Fix type issue of XML String in SAML responses when using a custom adapter                                                                       |
> | OPENAM-21160 | Make sure secure state values are retained when navigating the authentication tree                                                               |
> | OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2                                                                   |
> | OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts                                                                                   |
> | OPENAM-21069 | WindowsDesktopSSO authentication is failing                                                                                                      |
> | OPENAM-21053 | Missing `userId` from Access audit log when `org.forgerock.security.oauth2.enforce.sub.claim.uniqueness=false` in JWT client authentication flow |
> | OPENAM-21030 | Amster CLI doesn't work on Windows                                                                                                               |
> | OPENAM-21010 | Social authentication user profile corrupted when remote OIDC server provides non-English identity claims                                        |
> | OPENAM-21004 | AM will always look for valid session when `scope=openid`                                                                                        |
> | OPENAM-21001 | SAML IdPAccountMapper isn't correctly determined                                                                                                 |
> | OPENAM-20980 | OIDC social provider uses configured issuer instead of well-known endpoint issuer when using regex comparison                                    |
> | OPENAM-20953 | Return subject attributes correctly when evaluating a policy using a `JwtClaim` as subject type                                                  |
> | OPENAM-20920 | Improve handling of SAML2 IDP metadata that uses SSO endpoint entries other than HTTP-POST or HTTP-Redirect bindings when binding is null        |
> | OPENAM-20897 | Debug logs not showing info for ERROR: Unsupported Callback, "{0}" and others                                                                    |
> | OPENAM-20895 | Newly created Maven archetype project for building custom authentication nodes fails to build                                                    |
> | OPENAM-20851 | Existing registered devices unable to use push notifications when AWS SNS credentials are updated                                                |
> | OPENAM-20784 | TestUMAPolicy fails for users that will cause LocalizedIllegalArgumentException                                                                  |
> | OPENAM-20756 | Social authentication request for Apple fails due to duplicated `response_mode=form_post` request parameter                                      |
> | OPENAM-20691 | Fix rare race condition in session quota destroy next expiring action that can lead to the oldest session not being destroyed                    |
> | OPENAM-20682 | Unable to encrypt from `jwk_uri` where there are multiple JWKs with the same `kid` but different algorithms                                      |
> | OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"                                                                     |
> | OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration                                                                    |
> | OPENAM-20299 | Fix to make agent authentication honor `com.iplanet.am.session.agentSessionIdleTime`                                                             |
> | OPENAM-20230 | Class allowlisting denies access to permitted classes after running for an extended period of time                                               |
> | OPENAM-20026 | Social IDP with trailing whitespace in the name can't be deleted using the UI                                                                    |
> | OPENAM-20024 | Improve debug logging when login to XUI fails with HTTP 404 JsonValueException from endpoint                                                     |
> | OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node                                                                        |
> | OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant                                                 |
> | OPENAM-18709 | New `nodeState.getObject` method added to return values stored in both shared and secure state                                                   |
> | OPENAM-18685 | New realm-level configuration setting to remove or skip `subname` claim                                                                          |
> | OPENAM-18004 | Support sequential transaction IDs to improve audit logging for HTTP requests to IDM                                                             |
> | OPENAM-17331 | Push Notifications: User with disabled endpoint is not able to login                                                                             |
> | OPENAM-17179 | Deleting an authentication tree leaves orphaned nodes that prevent deletion of referenced scripts                                                |

## AM 7.3.x

> **Collapse: AM 7.3.3**
>
> |              |                                                                                                              |
> | ------------ | ------------------------------------------------------------------------------------------------------------ |
> | OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration                                 |
> | OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn't work with Inner Tree as first node                                 |
> | OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working |
> | OPENAM-22846 | External app/policy store active/passive LB isn't working                                                    |
> | OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI                                          |
> | OPENAM-22608 | Non-extractable secrets in HSM fail to work on AM for SAML2 XML signing                                      |
> | OPENAM-21026 | OAuth Clients don't work when the redirect URI list contains an invalid URI                                  |
> | OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration                                |
> | OPENAM-15834 | Access token call fails when an unsupported claim is requested                                               |

> **Collapse: AM 7.3.2**
>
> |              |                                                                                                                  |
> | ------------ | ---------------------------------------------------------------------------------------------------------------- |
> | OPENAM-22836 | Unable to update KBA Security questions using XUI                                                                |
> | OPENAM-22753 | Destroy All session may fail to work                                                                             |
> | OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character        |
> | OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn't invalidate user cached attributes       |
> | OPENAM-22656 | Setting `JWKs URI content cache timeout` to a small value throws an error                                        |
> | OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment                                               |
> | OPENAM-22602 | OIDC ID Token Validator node uses own `httpClient` settings to connect to JWK or well-known URL                  |
> | OPENAM-22421 | WebAuthn: Windows Hello TPM Attestation failing for Windows 11 22H2                                              |
> | OPENAM-22391 | Issues with `evaluateTree` when using wildcard policies                                                          |
> | OPENAM-22322 | Unable to verify signed ArtifactResponse Assertion leading to failure                                            |
> | OPENAM-22318 | OAUTH\_REQUEST\_ATTRIBUTES cookie isn't getting deleted after authentication                                     |
> | OPENAM-22289 | Session quota action may fail when the session isn't updatable but should be fine to proceed                     |
> | OPENAM-22288 | Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception                                                        |
> | OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform                                          |
> | OPENAM-22120 | Backchannel logout token doesn't contain `exp` claim                                                             |
> | OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments                                                    |
> | OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree                                               |
> | OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results                                               |
> | OPENAM-21473 | Certificate collector node: `getPortalStyleCert` throws exception when cert/header not present                   |
> | OPENAM-21322 | AM console allows creation of entity provider with space at the end of the name                                  |
> | OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years                                                      |
> | OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts                                                   |
> | OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing `trackingID` field                    |
> | OPENAM-20314 | Social Provider Handler node and Social IdP service use the `sub` claim to search for links to existing accounts |
> | OPENAM-20299 | Fix to make agent authentication honor `com.iplanet.am.session.agentSessionIdleTime`                             |
> | OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant                 |

> **Collapse: AM 7.3.1**
>
> |              |                                                                                                                |
> | ------------ | -------------------------------------------------------------------------------------------------------------- |
> | OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak                                |
> | OPENAM-21976 | Single point of locking contention when performing client-based session logout                                 |
> | OPENAM-21941 | Unable to edit policies in the UI                                                                              |
> | OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI                                                             |
> | OPENAM-21747 | REST SDK and Amster send cookies if request has cookie header                                                  |
> | OPENAM-21728 | Certificate module fails using JDK 11.0.21 and later with undefined access to private method                   |
> | OPENAM-21484 | Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response                  |
> | OPENAM-21421 | Scripting logger name isn't based on logging hierarchy convention                                              |
> | OPENAM-21390 | ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment           |
> | OPENAM-21304 | OAuth 2.0 dynamic client registrations don't retain `request_uri` values when creating                         |
> | OPENAM-21277 | Running Amster in debug mode doesn't work on Windows                                                           |
> | OPENAM-21164 | Calling `toXMLString` in custom SAML adapter can return incorrectly formatted XML leading to invalid signature |
> | OPENAM-21160 | Inconsistent values in secure state when navigating an authentication tree                                     |
> | OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2                                 |
> | OPENAM-21069 | WindowsDesktopSSO authentication is failing                                                                    |
> | OPENAM-21030 | Amster 7.3.0 CLI isn't working on Windows                                                                      |
> | OPENAM-21010 | Social authentication for remote OIDC server for user profile non-English words corrupted                      |
> | OPENAM-21004 | AM will always look for valid session when scope=openid                                                        |
> | OPENAM-21001 | IdPAccountMapper is not correctly determined                                                                   |
> | OPENAM-20980 | Unable to use issuer comparison check regex in OIDC social provider                                            |
> | OPENAM-20897 | Debug logs not showing info for `ERROR: Unsupported Callback, "{0}"` and others                                |
> | OPENAM-20895 | Newly-created Maven archetype project fails to build                                                           |
> | OPENAM-20756 | OIDC social authentication request (Apple) fails due to duplicate `response_mode=form_post` request parameter  |
> | OPENAM-20691 | Destroy oldest session may fail to work                                                                        |
> | OPENAM-20682 | Unable to encrypt from `jwk_uri` when there are duplicate `kid`                                                |
> | OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes"                                   |
> | OPENAM-20026 | Trailing whitespace prevents social provider deletion via UI                                                   |
> | OPENAM-19999 | ID token as AM session doesn't work with `/authorize` when openid scope is requested                           |
> | OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject                                                 |
> | OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node                                      |
> | OPENAM-18599 | Allow for custom error message if user account is locked                                                       |

> **Collapse: AM 7.3.0**
>
> |              |                                                                                                                     |
> | ------------ | ------------------------------------------------------------------------------------------------------------------- |
> | OPENAM-20396 | Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved |
> | OPENAM-20360 | Ampersand is double encoded in the Destination of a SAML Assertion                                                  |
> | OPENAM-20260 | Unable to log into AM when external application store is down                                                       |
> | OPENAM-20230 | Class allowlisting fails with permission denied after an extended period                                            |
> | OPENAM-20181 | AD account notification fails                                                                                       |
> | OPENAM-20159 | Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs                                                  |
> | OPENAM-20104 | The `fragment` response\_mode for the /oauth2/authorize endpoint is not working                                     |
> | OPENAM-20085 | STS token generation does not work with clustered Docker pods                                                       |
> | OPENAM-20082 | Locked out users are shown a misleading error message                                                               |
> | OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes                                                             |
> | OPENAM-19866 | Excessive logging when accessing protected resources                                                                |
> | OPENAM-19726 | The `par` endpoint doesn't return a `request_uri` when using JAR and claims are provided                            |
> | OPENAM-19665 | Wrong Java version in Amster README file                                                                            |
> | OPENAM-19515 | Unable to update session service with read only identity store                                                      |
> | OPENAM-19411 | Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration         |
> | OPENAM-18818 | Persistent search error message shows wrong DS identifier                                                           |
> | OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates                                              |
> | OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level                    |
> | OPENAM-17215 | Policy debug log fills up at very high pace if the config store is not found                                        |
> | OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny                                                   |
