--- title: PingAuthorize 9.2.0.0 (December 2022) description: New component: pingauthorize version: 9.3 page_id: pingauthorize:release_notes:paz_release_notes_92 canonical_url: https://docs.pingidentity.com/pingauthorize/9.3/release_notes/paz_release_notes_92.html revdate: July 24, 2025 section_ids: added-the-ability-to-define-external-trust-framework-attribute-caches-for-development-and-production: Added the ability to define external Trust Framework attribute caches for development and production added-the-ability-to-configure-custom-oidc-scopes-for-the-policy-editor: Added the ability to configure custom OIDC scopes for the Policy Editor added-an-http-servlet-extension-to-support-prometheus-monitoring: Added an HTTP servlet extension to support Prometheus monitoring setting-up-and-upgrading-postgresql-policy-databases-has-changed: Setting up and upgrading PostgreSQL policy databases has changed docker-support-update-for-pingauthorize-pap-using-postgresql: Docker support update for PingAuthorize PAP using PostgreSQL updated-groovy-version-support: Updated Groovy version support deprecated-the-oidc-implicit-flow-for-the-policy-editor: Deprecated the OIDC implicit flow for the Policy Editor qualified-the-apigee-oauth-flow: Qualified the Apigee OAuth flow deprecated-the-swagger-documentation-for-the-policy-editor-rest-apis: Deprecated the Swagger documentation for the Policy Editor REST APIs introduced-a-character-limit-for-policy-editor-entities: Introduced a character limit for Policy Editor entities improved-the-performance-of-the-policy-editor-and-pdp-apis: Improved the performance of the Policy Editor and PDP APIs made-the-jwks-endpoint-response-cacheable-in-the-policy-editor: Made the JWKS endpoint response cacheable in the Policy Editor made-the-policy-editor-user-data-configurable: Made the Policy Editor user data configurable added-support-for-generating-digital-signatures: Added support for generating digital signatures the-replace-certificate-tool-re-prompts-you-for-the-path-to-a-valid-file-containing-certificates: The replace-certificate tool re-prompts you for the path to a valid file containing certificates fixed-an-issue-with-batch-json-pdp-api-requests: Fixed an issue with batch JSON PDP API requests fixed-an-issue-with-spel-allow-lists: Fixed an issue with SpEL allow lists fixed-an-issue-with-policy-database-value-migration-during-an-upgrade: Fixed an issue with policy database value migration during an upgrade fixed-an-issue-that-prevented-the-policy-editor-from-starting-after-upgrading-the-policy-database-schema: Fixed an issue that prevented the Policy Editor from starting after upgrading the policy database schema fixed-an-issue-with-the-policy-editor-ui-when-trying-to-drag-multiple-components-onto-a-rule-condition: Fixed an issue with the Policy Editor UI when trying to drag multiple components onto a rule condition fixed-an-issue-with-missing-policy-editor-entity-changes: Fixed an issue with missing Policy Editor entity changes fixed-an-issue-with-policy-creation-using-applies-to-targets: Fixed an issue with policy creation using Applies To targets fixed-an-issue-with-replacing-deleted-deployment-packages: Fixed an issue with replacing deleted deployment packages fixed-an-issue-with-policy-editor-logging: Fixed an issue with Policy Editor logging fixed-a-pagination-issue-with-test-suite-entities-in-the-policy-editor: Fixed a pagination issue with Test Suite entities in the Policy Editor fixed-an-issue-with-portability-of-the-configuration-yml-file-for-the-policy-editor: Fixed an issue with portability of the configuration.yml file for the Policy Editor fixed-a-policy-editor-oidc-sign-on-error: Fixed a Policy Editor OIDC sign-on error fixed-a-policy-editor-issue-with-propagating-the-oidc-base-url-to-the-configuration-file: Fixed a Policy Editor issue with propagating the OIDC base URL to the configuration file updated-the-dsconfig-tool-for-applying-authentication-settings-to-a-server-group: Updated the dsconfig tool for applying authentication settings to a server group fixed-a-kong-related-issue-when-using-set-headers-with-an-array-of-strings: Fixed a Kong-related issue when using set-headers with an array of strings fixed-a-kong-related-issue-where-using-exclude-attributes-or-regex-replace-attributes-produced-invalid-json: Fixed a Kong-related issue where using exclude-attributes or regex-replace-attributes produced invalid JSON fixed-a-kong-related-issue-where-using-set-attributes-produced-an-upstream-server-timeout-error: Fixed a Kong-related issue where using set-attributes produced an upstream server timeout error fixed-kong-related-modify-query-statement-failures: Fixed Kong-related modify-query statement failures --- # PingAuthorize 9.2.0.0 (December 2022) ## Added the ability to define external Trust Framework attribute caches for development and production New Added support and configuration controls for Redis external caching of Trust Framework attribute values. See [Configuring Trust Framework attribute caching for production](../pingauthorize_server_administration_guide/paz_tf_attribute_cache_embedded.html) and [Configuring Trust Framework attribute caching for development](../pingauthorize_server_administration_guide/paz_tf_attribute_cache_external.html). ## Added the ability to configure custom OIDC scopes for the Policy Editor New You can now use the `--scope` option during Policy Editor setup to persistently override the default OpenID Connect (OIDC) scopes. For a one-time override, use the `PING_SCOPE` environment variable during Policy Editor startup. See the **OIDC mode (custom scope)** tab of [Installing the PingAuthorize Policy Editor non-interactively](../installing_and_uninstalling_pingauthorize/paz_install_pe_noninteractive.html) for more details. ## Added an HTTP servlet extension to support Prometheus monitoring New Added an HTTP servlet extension that allows the values of numeric monitor attributes to be published as metrics in a form that can be consumed by a Prometheus monitoring server. Learn more in [Monitoring server metrics with Prometheus](https://docs.pingidentity.com/pingdirectory/9.3/pingdirectory_server_administration_guide/pd_ds_monitor_server_metrics_prometheus.html). ## Setting up and upgrading PostgreSQL policy databases has changed Info In an early access release of the Policy Editor, we provided a tool called the `db-cli` for PostgreSQL policy databases. This tool is now deprecated and will be removed in a later release. You should now use the `policy-db` tool to [create](../installing_and_uninstalling_pingauthorize/paz_set_up_postgresql_database.html) and [upgrade](../upgrading_pingauthorize/paz_upgrade_postgresql_policy_db.html) PostgreSQL databases. ## Docker support update for PingAuthorize PAP using PostgreSQL Info PingAuthorize policy administration point (PAP) Docker images based on product version 9.2.0.0 EA do not support PostgreSQL as a policy database backend due to schema changes. We have reintroduced PostgreSQL support for images based on version 9.2.0.0 GA or later. See [Deploying PingAuthorize Policy Editor using Docker](../installing_and_uninstalling_pingauthorize/paz_install_pe_docker.html). ## Updated Groovy version support Info Updated Groovy support from version 2.x to 3.x. This change might introduce some minor incompatibilities in Groovy script support. For example, import statements can no longer be split into multiple lines. Deployments making use of Groovy-scripted extensions should carefully test these extensions in a temporary standalone instance to verify compatibility and make any necessary changes before updating an existing instance. ## Deprecated the OIDC implicit flow for the Policy Editor Info The OIDC Implicit flow implementation in the Policy Editor has been deprecated, because the OAuth Working Group no longer recommends its use. Implicit flow will be removed from a future version of PingAuthorize. You should transition to the Authorization Code with PKCE flow. ## Qualified the Apigee OAuth flow Info You can use OAuth standard authentication as part of your Apigee integration with PingAuthorize. See [Configuring Apigee for PingAuthorize integration](../pingauthorize_integrations/paz_apigee_integration_apigee_setup.html) for more information. ## Deprecated the Swagger documentation for the Policy Editor REST APIs Info The Swagger pages documenting the REST APIs that manage the Policy Editor have been deprecated and will be removed from the product in a future release. We plan to re-implement the REST API documentation outside of the Policy Editor and make it available at a future date. ## Introduced a character limit for Policy Editor entities Info Set a limit of 255 characters for the following names: branches, deployment packages, Trust Framework entities, and Policy Manager entities. ## Improved the performance of the Policy Editor and PDP APIs Improved You should see performance improvements when using the Policy Editor or the various PingAuthorize PDP modes and APIs. ## Made the JWKS endpoint response cacheable in the Policy Editor Improved You can now use the `Authentication.oidcJwksCacheExpirySeconds` setting in the `options.yml` file to control whether the server caches the JWKS endpoint response and for how long when using the Policy Editor in OIDC mode. See [Configuring the JWKS endpoint cache](../pingauthorize_server_administration_guide/paz_jwks_endpoint_cache.html). ## Made the Policy Editor user data configurable Improved You can now change the claim that controls the user data displayed in the upper right of the Policy Editor. See [Changing the default JWT claim for the OIDC user ID](../pingauthorize_server_administration_guide/paz_config_jwt_claims.html) for more information. ## Added support for generating digital signatures Improved Added support for generating digital signatures with a key obtained from an encryption settings definition. By default, the server's preferred encryption settings definition is used to obtain the signing key, but you can use the `signing-encryption-settings property` in the crypto manager configuration to choose an alternative definition. Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions. ## The `replace-certificate` tool re-prompts you for the path to a valid file containing certificates Improved Previously in an interactive PingAuthorize Server setup, when `replace-certificate` prompted you for the path to a file containing one or more certificates to be imported, it would exit with an error if the provided path represented a file that did not contain valid certificate information. It now re-prompts you for the path to a valid file after displaying the error message. ## Fixed an issue with batch JSON PDP API requests Fixed PAZ-5366 You should now be able to make batch JSON PDP API requests that contain only one decision request. ## Fixed an issue with SpEL allow lists Fixed PAZ-5424 Fixed an issue where SpEL allow lists in the configuration file were being ignored. ## Fixed an issue with policy database value migration during an upgrade Fixed PAZ-6154 Fixed a database upgrade issue where attributes with default values of null were not migrating and test assertion values became empty. This issue only affected customers that were running a pre-9.2-EA Policy Editor and upgraded to 9.2-EA. ## Fixed an issue that prevented the Policy Editor from starting after upgrading the policy database schema Fixed PAZ-6122 Fixed a rare issue where the tools missed applying some upgrade operations for the policy database, preventing the Policy Editor from starting. The `setup` and `policy-db` tools now validate the system time when performing schema element upgrades. ## Fixed an issue with the Policy Editor UI when trying to drag multiple components onto a rule condition Fixed PAZ-899 The Policy Editor UI no longer prevents you from dragging more than one Trust Framework component onto a policy rule when creating conditions. ## Fixed an issue with missing Policy Editor entity changes Fixed PAZ-5186 Fixed an issue where the Policy Editor could drop entity changes when performed concurrently with commits on the same branch. ## Fixed an issue with policy creation using **Applies To** targets Fixed PAZ-5344 Fixed an issue that stopped you from creating policies or policy sets with targets in the **Applies To** section. ## Fixed an issue with replacing deleted deployment packages Fixed PAZ-5574 Fixed an issue where the Deployment Manager wouldn't let you replace the deployment package after deleting that deployment package from the Policy Editor. ## Fixed an issue with Policy Editor logging Fixed PAZ-6494 Fixed a regression from 9.2-EA where the lowered log level of HTTP PIP service call failures prevented them from appearing when using the default Policy Editor logging configuration. ## Fixed a pagination issue with Test Suite entities in the Policy Editor Fixed PAZ-6640 Fixed an issue where a large number of saved Test Suite entities were not being paged correctly by the Policy Editor backend, resulting in an HTTP 400 response. ## Fixed an issue with portability of the `configuration.yml` file for the Policy Editor Fixed PAZ-4448 Fixed an issue with the Policy Editor `setup` tool using an absolute file reference to the default H2 policy database when writing `configuration.yml`, which caused issues if the server instance root was moved to a different file system location. Now, the `setup` tool generates a file reference relative to the server instance root. You can still provide your own value through `--dbConnectionString`, or by modifying `configuration.yml` after it is generated. ## Fixed a Policy Editor OIDC sign-on error Fixed PAZ-5452 Fixed the following error in the OIDC implicit grant flow: `Unable to complete background login with reason: invalid state parameter`. ## Fixed a Policy Editor issue with propagating the OIDC base URL to the configuration file Fixed PAZ-6051 Fixed a Policy Editor issue for the `bin/setup oidc` command with the `--oidcBaseUrl` argument. Previously, when you provided a path without an ending forward slash, the command didn't propagate your path value to `configuration.yml`. ## Updated the `dsconfig` tool for applying authentication settings to a server group Fixed DS-46313 Updated the `dsconfig` tool to ensure that it uses the correct authentication type when applying changes to all servers in a server group. Previously, it would always attempt to use simple authentication, even if the connection to the initial server was authenticated using a different mechanism. ## Fixed a Kong-related issue when using `set-headers` with an array of strings Fixed PAZ-5847 Fixed an issue where, when using the `ping-auth` plugin with Kong Gateway, sending the `set-headers` statement with an array of strings in the payload produced an error. ## Fixed a Kong-related issue where using `exclude-attributes` or `regex-replace-attributes` produced invalid JSON Fixed PAZ-5848 Fixed an issue where, when using the `ping-auth` plugin with Kong Gateway, sending either the `exclude-attributes` or `regex-replace-attributes` statements returned invalid JSON in the response. ## Fixed a Kong-related issue where using `set-attributes` produced an upstream server timeout error Fixed PAZ-5849 Fixed an issue where, when using the `ping-auth` plugin with Kong Gateway, sending the `set-attributes` statement returned the following message: `An invalid response was received from the upstream server`. The Kong error log also listed an `upstream timed out` error for the same response. ## Fixed Kong-related `modify-query` statement failures Fixed PAZ-5846 Fixed an issue where, when using the `ping-auth` plugin with Kong Gateway, sending the `modify-query` statement with a query in the payload but no set query parameters returned the following response: `An unexpected error occurred`. The Kong error log also listed a `thread aborted` runtime error.