---
title: New in AM 7.3.x
description: AM 7.3.3 is a maintenance release that introduces functional enhancements and fixes.
component: pingam
version: release-notes
page_id: pingam::whats-new-7.3
canonical_url: https://docs.pingidentity.com/pingam/release-notes/whats-new-7.3.html
section_ids:
  am_7_3_3: AM 7.3.3
  am_7_3_2: AM 7.3.2
  backchannel_logout_token_contains_exp_claim: Backchannel logout token contains exp claim
  system_property_for_social_provider_sub_claim_uniqueness: System property for social provider sub claim uniqueness
  new_ssoadm_commands_update_attributes_in_a_realm_service: New ssoadm commands update attributes in a realm service
  am_7_3_1: AM 7.3.1
  storing_identified_identities_in_the_authentication_session: Storing identified identities in the authentication session
  scripting_logger_name_change: Scripting logger name change
  customize_account_lockout_message: Customize account lockout message
  setting_to_permit_client_credentials_in_token_endpoint_query_parameters: Setting to permit client credentials in token endpoint query parameters
  am_7_3: AM 7.3
  combined_mfa_registration_node: Combined MFA Registration node
  oidc_id_token_validator_node: OIDC ID Token Validator node
  oath_device_storage_node: OATH Device Storage node
  support_for_eddsa_for_webauthn: Support for EdDSA for WebAuthn
  scripted_support_for_saml_v2_0_sp_adapter: Scripted support for SAML v2.0 SP adapter
  addition_of_prompt_values_supported_to_the_oidc_exposed_configuration: Addition of prompt_values_supported to the OIDC exposed configuration
  support_for_multi_tenant_social_identity_providers: Support for multi-tenant social identity providers
  ability_to_invalidate_sessions_by_username: Ability to invalidate sessions by username
  scripted_jwt_issuer: Scripted JWT issuer
  oauth_2_0_authentication_supported_for_email_service: OAuth 2.0 authentication supported for email service
  cross_upgrade_session_reference_property: Cross-upgrade session reference property
  ability_to_specify_location_of_rest_sts_instance: Ability to specify location of REST STS instance
---

# New in AM 7.3.x

## AM 7.3.3

AM 7.3.3 is a maintenance release that introduces functional enhancements and fixes.

## AM 7.3.2

AM 7.3.2 is a maintenance release that introduces functional enhancements and fixes.

### Backchannel logout token contains `exp` claim

The logout token generated during backchannel logout now contains an `exp` claim.

Learn more in [Backchannel logout](https://docs.pingidentity.com/pingam/7.3/oidc1-guide/backchannel-logout.html).
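As an added example (not part of the AM documentation or the AM code base), the following relying-party side check shows why the `exp` claim matters: a validator that implements the claim rules of OpenID Connect Back-Channel Logout 1.0 refuses a logout token that lacks `exp` or whose `exp` has passed, alongside the other checks (issuer, audience, `events` member, no `nonce`, fresh `iat`). The issuer URL, client ID, shared HMAC key and claim values are constructed for the example; AM signs real logout tokens with the provider's asymmetric signing key, so the HS256 check here stands in for a JWS verification against the provider's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: issuer, RP client_id and a shared HMAC key.
# AM signs logout tokens with the provider's own signing key; HS256 is used
# here only so that the block runs offline with the standard library.
ISSUER = "https://am.example.com:8443/am/oauth2"
CLIENT_ID = "myRelyingParty"
HMAC_KEY = b"example-shared-secret-not-for-production"
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_AGE_SECONDS = 120     # oldest iat we accept (delivery delay plus skew)
CLOCK_SKEW_SECONDS = 60   # how far in the future iat may sit


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims):
    """Build a compact HS256 JWT from a claims dict (test fixture only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(HMAC_KEY, ("%s.%s" % (header, payload)).encode("ascii"), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def validate_logout_token(token, now=None):
    """Verify the signature, then apply the Back-Channel Logout 1.0 claim rules; raise ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(HMAC_KEY, ("%s.%s" % (header_b64, payload_b64)).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))

    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this client")
    if "jti" not in claims or "iat" not in claims:
        raise ValueError("jti and iat are required")
    if "nonce" in claims:
        raise ValueError("nonce must not be present in a logout token")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("one of sub or sid is required")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        raise ValueError("events claim lacks the backchannel-logout member")
    if claims["iat"] > now + CLOCK_SKEW_SECONDS or now - claims["iat"] > MAX_AGE_SECONDS:
        raise ValueError("iat outside the acceptable window")
    # exp is the claim AM 7.3.2 adds: refuse tokens that lack it or have passed it.
    if "exp" not in claims:
        raise ValueError("exp is required")
    if claims["exp"] <= now:
        raise ValueError("logout token has expired")
    return claims


def logout_token_error(token, now=None):
    """Return the rejection reason, or '' when the token is acceptable."""
    try:
        validate_logout_token(token, now)
        return ""
    except ValueError as exc:
        return str(exc)


def sample_claims(now, with_exp=True):
    """Constructed claim set shaped like an AM logout token for the user 'demo'."""
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "iat": int(now) - 5,
        "jti": "6a1c2e4f-0b8d-4d0e-9a2b-3c4d5e6f7a8b",   # constructed
        "sub": "demo",
        "sid": "2f3a4b5c6d7e",                           # constructed
        "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
    }
    if with_exp:
        claims["exp"] = int(now) + 115   # present from AM 7.3.2 onwards
    return claims
```

Calling `logout_token_error(make_logout_token(sample_claims(time.time())))` returns `''`; the same call with `with_exp=False` returns `exp is required`, which is the rejection an RP enforcing `exp` would have produced for tokens from earlier AM versions. The `iat` window and the `exp` check together bound how long a captured logout token can be replayed against the RP's back-channel endpoint.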

### System property for social provider `sub` claim uniqueness

A new system property (`org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique`) indicates that the OIDC social provider doesn't return a unique value for the `sub` claim.

The property is `false` by default.

### New `ssoadm` commands update attributes in a realm service

A fix to the deprecated `ssoadm` tool adds the following new commands:

* `add-realm-default-attributes`

* `set-realm-default-attributes`

* `remove-realm-default-attributes`

* `get-realm-default-attributes`

These commands work on realm defaults from AM 7 onwards.

## AM 7.3.1

AM 7.3.1 is a maintenance release that introduces functional enhancements and fixes.

### Storing identified identities in the authentication session

The following new methods let you record users and agents verified to exist in an identity store:

* `org.forgerock.openam.auth.node.api.Action`

  * `public ActionBuilder withIdentifiedIdentity(AMIdentity id)`

  * `public ActionBuilder withIdentifiedIdentity(String username, IdType id)`

* `org.forgerock.openam.auth.nodes.script.ActionWrapper`

  * `public ActionWrapper withIdentifiedAgent(String agentName)`

  * `public ActionWrapper withIdentifiedUser(String username)`

A new advanced server property, `org.forgerock.am.auth.trees.authenticate.identified.identity`, determines whether AM uses these stored identified identities when deciding which user to log in.

This lets custom nodes and decision node scripts correctly resolve identities that have the same username.

For more information, refer to [advanced server properties](https://docs.pingidentity.com/pingam/7.3/reference/deployment-configuration-reference.html#org.forgerock.am.auth.trees.authenticate.identified.identity).

### Scripting logger name change

Scripts that log debug messages create loggers that now include the name of the script.

The name of a scripting logger uses the format `scripts.<context>.<script UUID>.(<script name>)`; for example, `scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script)`.

Refer to [Debug logging](https://docs.pingidentity.com/pingam/7.3/maintenance-guide/debug-logging.html).

### Customize account lockout message

Use the new `ActionBuilder.withLockoutMessage(String lockoutMessage)` method in a [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/scripted-decision.html) to customize the message displayed to an end user when their account is locked or inactive.

For details, refer to [Scripted decision node API](https://docs.pingidentity.com/pingam/7.3/authentication-guide/scripting-api-node.html).

### Setting to permit client credentials in token endpoint query parameters

The OAuth 2.0 Provider service includes a new advanced property, [Allow Client Credentials in Token Endpoint Query Parameters](https://docs.pingidentity.com/pingam/7.3/reference/global-services-configuration.html#allow-client-credentials-in-token-endpoint-query-parameters), that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.

In previous AM versions, you could supply client credentials (the `client_id` and `client_secret`) as query parameters in POST requests to the `/oauth2/access_token` endpoint. This is now prohibited by default and you must include the credentials within the POST request body.

The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is `false` by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters.

When you upgrade an existing deployment to AM 7.3.1, this property is initially set to `true` for legacy support. After upgrading, update your scripts and clients to send the credentials in the request body, and then set the property to `false`.
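Before you set the property to `false`, you need to know which clients still send credentials in the query string. The following added example (not part of the AM documentation) scans constructed Tomcat-style access log lines for POST requests to the token endpoint whose URL carries `client_id` or `client_secret`, summarises the offending clients, and shows the request shape to move them to, with the credentials in the form body and no query string at all. The log format, realm paths and client names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlsplit

# Token endpoint paths with or without a realm prefix, for example
# /am/oauth2/access_token or /am/oauth2/realms/root/realms/alpha/access_token.
TOKEN_ENDPOINT_RE = re.compile(r"^/am/oauth2(?:/realms/[^?\s]+)?/access_token(?:\?|$)")
# The request-line part of a Tomcat/Apache style access log entry.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CREDENTIAL_PARAMS = ("client_id", "client_secret")

# Constructed access log lines for the example (not real AM or Tomcat output).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /am/oauth2/access_token?client_id=legacyApp&client_secret=s3cr3t&grant_type=client_credentials HTTP/1.1" 200 412
203.0.113.11 - - [12/Mar/2024:10:01:05 +0000] "POST /am/oauth2/realms/root/realms/alpha/access_token HTTP/1.1" 200 398
203.0.113.12 - - [12/Mar/2024:10:01:09 +0000] "POST /am/oauth2/realms/root/access_token?client_id=spaClient&grant_type=authorization_code&code=4f1a HTTP/1.1" 200 455
203.0.113.13 - - [12/Mar/2024:10:01:11 +0000] "GET /am/oauth2/authorize?client_id=webApp&response_type=code&scope=openid HTTP/1.1" 302 -
203.0.113.10 - - [12/Mar/2024:10:02:40 +0000] "POST /am/oauth2/access_token?client_id=legacyApp&client_secret=s3cr3t&grant_type=client_credentials HTTP/1.1" 200 412
"""


def query_credentials(log_text):
    """Yield (client_id, [leaked params]) for token requests that carry credentials in the URL."""
    for line in log_text.splitlines():
        m = REQUEST_LINE_RE.search(line)
        if not m or m.group("method") != "POST":
            continue   # the authorize endpoint legitimately takes client_id in the URL
        target = m.group("target")
        if not TOKEN_ENDPOINT_RE.match(target):
            continue
        query = parse_qs(urlsplit(target).query)
        leaked = [p for p in CREDENTIAL_PARAMS if p in query]
        if leaked:
            yield query.get("client_id", ["<unknown>"])[0], leaked


def offending_clients(log_text):
    """Per client: how many requests, and which credential parameters appeared in the query string."""
    report = defaultdict(lambda: {"requests": 0, "params": set()})
    for client_id, leaked in query_credentials(log_text):
        report[client_id]["requests"] += 1
        report[client_id]["params"].update(leaked)
    return dict(report)


def body_token_request(base_url, client_id, client_secret, **form_fields):
    """Shape a token request the way AM 7.3.1 expects: credentials in the form body, no query string."""
    body = {"client_id": client_id, "client_secret": client_secret}
    body.update(form_fields)
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/oauth2/access_token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }


if __name__ == "__main__":
    for client_id, info in sorted(offending_clients(SAMPLE_LOG).items()):
        print(client_id, info["requests"], sorted(info["params"]))
```

On the sample, `legacyApp` is reported twice with `client_secret` in the URL, `spaClient` once with only `client_id`, and `webApp` is not reported because its `client_id` is on the authorize endpoint. Secrets that reach the query string end up in exactly these access logs, in proxy logs and in browser history, which is the reason to fix the clients first and then disable the setting.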

## AM 7.3

AM 7.3 is a minor release that introduces new features, functional enhancements, and fixes.

**Important:** An issue was discovered in the 7.3.0 release of DS that has the potential to corrupt static groups. To ensure data integrity, we highly recommend upgrading to DS 7.3.1. This issue affects the stability and reliability of static groups only. Continuing to use DS 7.3.0 may lead to data corruption and other unintended consequences.

The necessary fixes were made in DS 7.3.1; however, if you deployed AM with DS 7.3.0 and you use static groups, you must contact Support for assistance with resolving the data corruption.

### Combined MFA Registration node

The Combined MFA Registration node lets an authenticated user register a device, such as a mobile phone, for multi-factor authentication with a push notification *and* an OATH one-time password in a single step.

For details, refer to [Combined MFA Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/combined-mfa-registration.html).

### OIDC ID Token Validator node

The OIDC ID Token Validator node provides functionality similar to the OpenID Connect `id_token` bearer module. It checks that an ID token is valid according to the [OIDC specification](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation), so that AM can rely on an OpenID provider's (OP's) ID token to authenticate an end user.

For details, refer to [OIDC ID Token Validator](https://docs.pingidentity.com/auth-node-ref/8.1/oidc-idtoken-validator.html).

### OATH Device Storage node

The OATH Device Storage node stores devices in the user profile after an [OATH Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-registration.html) records them in the shared state.

For details, refer to [OATH Device Storage node](https://docs.pingidentity.com/auth-node-ref/8.1/oath-device-storage.html).

### Support for `EdDSA` for `WebAuthn`

The WebAuthn Registration node now supports EdDSA as a signing algorithm. Devices that provide EdDSA-signed attestation data in *packed* format during registration (specifically EdDSA with the Ed25519 curve, as required by the [WebAuthn specification](https://www.w3.org/TR/webauthn-2/)) are now supported.

### Scripted support for SAML v2.0 SP adapter

You can now customise the SP adapter with a script. Create a script of type `SAML2_SP_ADAPTER` and configure the hosted SP entity to use the custom script.

For details, refer to [SP adapter](https://docs.pingidentity.com/pingam/7.3/saml2-guide/plugins-sp-adapter.html).

### Addition of `prompt_values_supported` to the OIDC exposed configuration

The OpenID Connect [`well-known/openid-configuration`](https://docs.pingidentity.com/pingam/7.3/oidc1-guide/rest-api-oidc-discovery-configuration.html) endpoint has been enhanced to expose the `prompt_values_supported` parameter of the provider configuration.

### Support for multi-tenant social identity providers

Social identity provider configuration now lets you specify a regular expression to evaluate the issuer claim in ID tokens.

For details, refer to the [Issuer comparison check](https://docs.pingidentity.com/pingam/7.3/authentication-guide/social-idp-client-reference.html#issuer-comparison-check) setting and to [Advanced properties](https://docs.pingidentity.com/pingam/7.3/reference/deployment-configuration-reference.html#server-advanced).
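The issuer regular expression is a trust boundary: any ID token whose `iss` satisfies it is treated as coming from a tenant you trust. The following added example (not AM code; this page does not describe AM's exact regex-matching semantics, so the check below uses unanchored search, the most permissive reading) contrasts a loosely written pattern with one that is anchored at both ends, escapes its dots and limits the tenant slot to a GUID, and then adds an allow-list of tenant IDs on top, because a well-formed issuer can still belong to a tenant you never onboarded. The issuer shape follows the Microsoft Entra ID v2.0 form; the tenant IDs and the lookalike issuers are constructed.

```python
import re

# Constructed examples. The multi-tenant issuer shape follows the Microsoft Entra ID
# (Azure AD) v2.0 form https://login.microsoftonline.com/<tenant-id>/v2.0; the tenant
# IDs below are made up for this example.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Weak: no anchors, unescaped dots, unbounded wildcard in the tenant slot.
WEAK_PATTERN = r"https://login.microsoftonline.com/.*/v2.0"
# Strict: anchored at both ends, dots escaped, tenant slot limited to a GUID.
STRICT_PATTERN = r"^https://login\.microsoftonline\.com/(" + GUID + r")/v2\.0$"

ALLOWED_TENANTS = {
    "11111111-2222-3333-4444-555555555555",   # constructed: tenant A
    "66666666-7777-8888-9999-000000000000",   # constructed: tenant B
}

TENANT_A = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
CANDIDATE_ISSUERS = [
    TENANT_A,
    "https://login.microsoftonline.com/66666666-7777-8888-9999-000000000000/v2.0",
    "https://login.microsoftonline.com/deadbeef-dead-beef-dead-beefdeadbeef/v2.0",   # well-formed, not ours
    "https://login-microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",   # unescaped dot matches '-'
    "https://evil.example/?u=" + TENANT_A,                                            # no start anchor
    TENANT_A + ".evil.example",                                                       # no end anchor
    "https://login.microsoftonline.com/../../evil.example/v2.0",                      # junk in the tenant slot
]


def issuer_matches(pattern, iss):
    """Search semantics: the most permissive way a regex could be applied to iss."""
    return re.search(pattern, iss) is not None


def tenant_from_issuer(iss):
    """Return the tenant ID when iss has the strict shape, otherwise None."""
    m = re.search(STRICT_PATTERN, iss)
    return m.group(1) if m else None


def issuer_allowed(iss, allowed_tenants=ALLOWED_TENANTS):
    """Accept iss only when it is well-formed AND names a tenant that has been onboarded."""
    tenant = tenant_from_issuer(iss)
    return tenant is not None and tenant in allowed_tenants


def compare_patterns(issuers=CANDIDATE_ISSUERS):
    """Return {iss: (weak matches, strict matches, allowed)} to show what each check lets through."""
    return {
        iss: (issuer_matches(WEAK_PATTERN, iss), issuer_matches(STRICT_PATTERN, iss), issuer_allowed(iss))
        for iss in issuers
    }


if __name__ == "__main__":
    for iss, verdict in compare_patterns().items():
        print("weak=%-5s strict=%-5s allowed=%-5s %s" % (verdict + (iss,)))
```

Every candidate passes the weak pattern, including the lookalike host, the issuer embedded in another URL and the one with a trailing suffix; only the three well-formed issuers pass the strict pattern, and only the two onboarded tenants are allowed. Whatever matching mode the product applies, a pattern that carries its own `^` and `$` anchors and escapes its dots behaves the same way under both.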

### Ability to invalidate sessions by username

The new `logoutByUser` action on the `json/sessions` endpoint lets you log out all sessions for a specified user. This action is available for server-side *and* client-side sessions but is disabled for client-side sessions by default. For more information, refer to [Invalidate all sessions for a user](https://docs.pingidentity.com/pingam/7.3/sessions-guide/managing-sessions-REST.html#invalidate-sessions-user).

**Note:** This action introduces a new audit notification topic, `/agent/session.v2`. Subscribers to this topic receive the same notifications available from the `/agent/session` topic, plus an additional notification message for a `LOGOUT_USER_TOKEN` event. This event is created in the `activity` audit log whenever `logoutByUser` is invoked. The action is `CREATE` or `UPDATE`, depending on whether a token for the user being logged out exists.

The `userId` component of this entry is that of the caller, not of the target. For example, if an administrative user logs out another user, the `userId` is that of the administrative user, not that of the user being logged out. The `objectId` indicates the target of the operation.

The `LOGOUT_USER_TOKEN` event notification has a different syntax. Instead of a `sessionuuid`, it contains the user's `universalId`. For example:

```json
{
  "topic": "/agent/session.v2",
  "timestamp": "2022-11-14T09:56:56.814Z",
  "body": {
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "eventType": "LOGOUT_USER_TOKEN"
  }
}
```

Consumers cannot rely on new events having identical syntax and should check the `eventType` before deciding how to process the event.
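A consumer that keyed every `/agent/session.v2` notification on `sessionuuid` would throw on, or silently skip, the new event. The following added example (not part of the AM documentation or of any AM agent) is a small session cache that dispatches on `eventType` first: on `LOGOUT_USER_TOKEN` it evicts every cached session owned by the `universalId`, on a per-session message it evicts that `sessionuuid`, and on anything it does not recognise it leaves the cache untouched rather than guessing. The `LOGOUT_USER_TOKEN` message copies the shape shown above; the per-session message, its `SESSION_EVENT` type and the session IDs are constructed stand-ins.

```python
import json

SESSION_TOPICS = ("/agent/session", "/agent/session.v2")

# Constructed notifications. The LOGOUT_USER_TOKEN message copies the shape shown above.
# The per-session message and its SESSION_EVENT type are made-up stand-ins for the existing
# /agent/session events, which identify the session by sessionuuid rather than universalId.
SAMPLE_NOTIFICATIONS = [
    json.dumps({"topic": "/agent/session.v2", "timestamp": "2022-11-14T09:55:10.001Z",
                "body": {"sessionuuid": "c1d2e3f4-0001-4a6b-8c9d-aaaaaaaaaaaa", "eventType": "SESSION_EVENT"}}),
    json.dumps({"topic": "/agent/session.v2", "timestamp": "2022-11-14T09:56:56.814Z",
                "body": {"universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
                         "eventType": "LOGOUT_USER_TOKEN"}}),
    json.dumps({"topic": "/agent/session.v2", "timestamp": "2022-11-14T09:57:00.000Z",
                "body": {"eventType": "SOME_FUTURE_EVENT", "somethingNew": True}}),
]


def normalize_dn(dn):
    """Loose DN normalisation for comparing universalIds: trim RDN whitespace, lower-case (a simplification)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def username_from_universal_id(universal_id):
    """Pull the user name out of a universalId such as id=demo,ou=user,dc=openam,dc=forgerock,dc=org."""
    first_rdn = universal_id.split(",", 1)[0].strip()
    attr, _, value = first_rdn.partition("=")
    return value if attr.strip().lower() == "id" else None


class SessionCache:
    """Local cache of validated sessions, as a policy agent or gateway might keep."""

    def __init__(self):
        self._sessions = {}   # sessionuuid -> normalised universalId of the session owner

    def remember(self, sessionuuid, universal_id):
        self._sessions[sessionuuid] = normalize_dn(universal_id)

    def active(self):
        return set(self._sessions)

    def apply(self, raw_message):
        """Process one notification; return (eventType, list of evicted sessionuuids)."""
        msg = json.loads(raw_message)
        if msg.get("topic") not in SESSION_TOPICS:
            return None, []
        body = msg.get("body") or {}
        event_type = body.get("eventType")
        # Dispatch on eventType first: the body shape depends on it.
        if event_type == "LOGOUT_USER_TOKEN":
            target = normalize_dn(body["universalId"])
            evicted = [s for s, owner in self._sessions.items() if owner == target]
        elif "sessionuuid" in body:
            # Assumption for this example: any per-session notification invalidates that session.
            evicted = [body["sessionuuid"]] if body["sessionuuid"] in self._sessions else []
        else:
            evicted = []   # unrecognised event: do not guess, leave the cache alone
        for s in evicted:
            del self._sessions[s]
        return event_type, evicted
```

With three cached sessions (two for `demo`, one for `alice`), replaying the sample messages evicts the first `demo` session on the per-session event, the remaining `demo` session on `LOGOUT_USER_TOKEN`, and nothing on the unknown event, leaving only `alice`'s session active. Matching on a normalised `universalId` rather than on the raw string avoids missing a logout because of DN whitespace or case differences between what the consumer stored and what AM sent.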

### Scripted JWT issuer

For the JWT profile for OAuth 2.0 authorization grant, AM now lets you provide dynamic trusted JWT issuers via a script as an alternative to static configuration.

For details, refer to [Configure a scripted JWT issuer](https://docs.pingidentity.com/pingam/7.3/oauth2-guide/oauth2-jwt-bearer-grant.html#configure-scripted-jwt-issuer).

### OAuth 2.0 authentication supported for email service

Microsoft is deprecating SMTP basic authentication. AM 7.3 introduces an option in the email service to use REST-based OAuth 2.0 authentication through the Microsoft Graph API, in addition to the legacy SMTP authentication it already supports.

For details, refer to [Configure the email service](https://docs.pingidentity.com/pingam/7.3/user-self-service-guide/configuring-email-service.html).

### Cross-upgrade session reference property

To track the session through upgrade, enable the cross-upgrade session reference property, which retains its value throughout the session lifecycle.

This unique and constant session reference is recorded in the [audit logs](https://docs.pingidentity.com/pingam/7.3/security-guide/sec-maint-audit-ref.html) for session creation and upgrade events.

Refer to the [Enable Cross Upgrade Session Reference](https://docs.pingidentity.com/pingam/7.3/reference/global-services-configuration.html#global-session-xusref) property for details.

### Ability to specify location of REST STS instance

AM 7.3 includes a new option in the REST STS configuration that lets you specify whether the STS instance is running on the AM host or as a separate, remote Java process.

Refer to the [STS Instance is running as remote instance](https://docs.pingidentity.com/pingam/7.3/sts-guide/sts-configure-rest-properties.html#sts-remote) property for details.
