PingFederate Server

PingFederate 12.1.5 (January 2025)

Resolved issues

Cross-site scripting

Security PF-36304 PF-36311 PF-36313

We’ve fixed a security vulnerability where PingFederate accepted cross-site scripting inputs.

Email verification failure after registration workflow

Fixed PF-36574

We’ve fixed a defect that caused the email verification screen to fail to appear when a user registered through an authentication source.

Multi-part refresh token revocation failure

Fixed PF-36600

We’ve fixed an issue that caused PingFederate to fail to revoke multi-part refresh tokens through the revoke_token.oauth2 endpoint.

OAuth Client Set Authentication Selector with DynamoDB

Fixed PF-36662

We’ve fixed a defect that caused an error when searching for an OAuth client for the OAuth Client Set Authentication Selector when DynamoDB is the client storage.

Admin API provisioning connection attributes

Fixed PF-36816

We’ve fixed a defect that occurred when using the PingFederate Administrative API sp/idpConnections endpoint to create or update inbound provisioning connections. The API returned errors about coreAttributes values missing from the JSON payload even though the attributes were not required.

Refresh token error when authorization bypass enabled

Fixed PF-36851

We’ve fixed a defect that caused PingFederate to return a revoked or expired consent error when both Bypass Authorization Approval and Bypass Authorization Approval for Previously Approved Consents are enabled.