PingOne Advanced Identity Cloud

Regular channel changelog

This is a changelog entry for version 21182.9. You can review the changelog for all versions in Regular channel changelog.

14 Apr 2026

Version 21182.9

Key features

Partial support for Rich Authorization Requests (RAR) (AME-28325)

The /authorize and /par endpoints now optionally accept the authorization_details parameter from the Rich Authorization Requests (RAR) specification, RFC 9396, allowing clients to specify fine-grained authorization requirements.
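The shape of an authorization_details value under RFC 9396, as an added example that is not Advanced Identity Cloud code: a client-side check run before the parameter is sent to /par. The type name, client ID, and URLs are constructed sample values, and the example does not show which RAR fields this release accepts.

```javascript
// Added example: client-side RFC 9396 checks, not Advanced Identity Cloud code.
const STRING_ARRAY_FIELDS = ["locations", "actions", "datatypes", "privileges"];

// Returns a list of problems; an empty list means the value is well-formed.
function checkAuthorizationDetails(details, allowedTypes) {
  if (!Array.isArray(details)) return ["authorization_details must be a JSON array"];
  const problems = [];
  details.forEach((entry, i) => {
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      problems.push(`[${i}] must be a JSON object`);
      return;
    }
    if (typeof entry.type !== "string") {
      problems.push(`[${i}] is missing the required string field "type"`);
    } else if (!allowedTypes.includes(entry.type)) {
      // RFC 9396 requires the authorization server to refuse unknown types.
      problems.push(`[${i}] has unknown type "${entry.type}"`);
    }
    for (const field of STRING_ARRAY_FIELDS) {
      const value = entry[field];
      const ok = Array.isArray(value) && value.every((v) => typeof v === "string");
      if (value !== undefined && !ok) {
        problems.push(`[${i}].${field} must be an array of strings`);
      }
    }
    if (entry.identifier !== undefined && typeof entry.identifier !== "string") {
      problems.push(`[${i}].identifier must be a string`);
    }
  });
  return problems;
}

// Builds the form-encoded body for a pushed authorization request.
function buildParBody(clientParams, details, allowedTypes) {
  const problems = checkAuthorizationDetails(details, allowedTypes);
  if (problems.length > 0) {
    throw new Error("invalid authorization_details: " + problems.join("; "));
  }
  const body = new URLSearchParams(clientParams);
  body.set("authorization_details", JSON.stringify(details));
  return body.toString();
}

// Constructed sample input (hypothetical type name and resource URL).
const SAMPLE_DETAILS = [
  { type: "payment_initiation", actions: ["initiate"],
    locations: ["https://rs.example.com/payments"] },
];
```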

App Policy Decision node (AME-30063)

The new App Policy Decision node is a specialized policy node that lets you enforce OIDC and SAML application access policies in journeys. You can use the node to filter access by group, organization, and more.

Support for audience parameter in token exchange (AME-33970)

A client can now specify audience parameters in OAuth 2.0 Token Exchange requests. These parameters can be allowlisted and, if valid, are included in the audience claim of the resulting token.

Next-generation scripted JWT operations (OPENAM-25836)

The jwtValidator and jwtAssertion bindings are now available in all next-generation scripts.

Enhancements

  • AME-33573: Next-generation scripts now include utils.base64url.encode() and utils.base64url.decodeToBytes() for Base64URL encoding and decoding.

  • AME-33971: Added a new Save and Test Connection button to the PingOne worker configuration screen, allowing you to validate the connection.

  • AME-33973: You can now configure the PingOne Worker Service connection using a credential JWT.

  • AME-34248: You can now use next-generation scripts in the Social Provider Handler node to transform normalized profile data into identities or managed users.

  • AME-34249: You can now use next-generation scripts in the OIDC ID Token Validator node. The jwtClaims binding now behaves as a native JavaScript object.

  • AME-34540: You can now specify autocomplete attributes for username nodes.

  • OPENAM-21474: A new Minimum max_age for Authorize Requests property is now available in the advanced OIDC settings of the OAuth 2.0 provider service.

  • OPENAM-24523: You can now dynamically modify the scopes of a refresh token during the refresh flow with the new next-generation scope validation script binding, scopeValidatorHelper, and its method, inheritAccessTokenScopesOnRefresh(). This is useful when scope validation scripts alter access token scopes and you need the refresh token to inherit those changes.

  • OPENAM-25901: Next-generation OAuth 2.0 scope validation scripts now have access to the availableScopes binding, which lists all scopes configured for the client. A new throwInvalidScope() method is also available to simplify error handling.

Fixes

  • AME-34216, AME-34398: When using an SSO token as the subject for a policy with an IDM user environment condition, it now correctly resolves to the IDM _id instead of the user’s AM universal ID.

    To give yourself time to update policies to use another property, you can temporarily revert this behavior by setting the ESV esv.am.policy.condition.idm.universalId to true.

  • AME-34329: By default, parallel updates can no longer be made for CTS sessions. You can revert this behavior by setting the ESV esv.cts.use.etag.assertion.on.updates to false.

  • FRAAS-31318: Fixed an issue where setting certain special characters in an ESV prevented the ESV from being interpreted correctly.