--- title: Regular channel changelog description: Version 21182.9 component: pingoneaic page_id: pingoneaic:release-notes:regular-channel/version-21182.9 canonical_url: https://docs.pingidentity.com/pingoneaic/release-notes/regular-channel/version-21182.9.html llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md section_ids: 14_apr_2026: 14 Apr 2026 key_features: Key features enhancements: Enhancements fixes: Fixes --- # Regular channel changelog | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This is a changelog entry for version 21182.9. You can review the changelog for all versions in [Regular channel changelog](../regular-channel-changelog.html). | ## 14 Apr 2026 **Version 21182.9** ### Key features * Partial support for Rich Authorization Requests (RAR) (AME-28325) The `/authorize` and `/par` endpoints now optionally accept the `authorization_details` parameter from the RAR (Rich Authorization Requests) specification RFC 9396, allowing clients to specify fine-grained authorization requirements. * App Policy Decision node (AME-30063) A new [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) is a specialized policy node that lets you enforce OIDC and SAML application access policies in journeys. You can use the node to filter access by group, organization, and more. * Support for audience parameter in token exchange (AME-33970) A client can now specify audience parameters in OAuth 2.0 Token Exchange requests. These parameters can be allowlisted and, if valid, are included in the audience claim of the resulting token. * Next-generation scripted JWT operations (OPENAM-25836) The `jwtValidator` and `jwtAssertion` bindings are now available in all next-generation scripts. ### Enhancements * AME-33573: Next-generation scripts now include `utils.base64url.encode()` and `utils.base64url.decodeToBytes()` for Base64URL encoding and decoding. * AME-33971: Added a new Save and Test Connection button to the PingOne worker configuration screen allowing you to validate the connection. * AME-33973: You can now configure the PingOne Worker Service connection using a credential JWT. * AME-34248: You can now use next-generation scripts in the Social Provider Handler node to transform normalized profile data into identities or managed users. * AME-34249: You can now use next-generation scripts in the OIDC ID Token Validator node. The `jwtClaims` binding now behaves as a native JavaScript object. * AME-34540: You can now specify autocomplete attributes for username nodes. * OPENAM-21474: A new `Minimum max_age for Authorize Requests` property is now available in the advanced OIDC settings of the OAuth 2.0 provider service. * OPENAM-24523: You can now dynamically modify the scopes of a refresh token during the refresh flow with the new next-generation scope validation script binding, `scopeValidatorHelper`, and its method, `inheritAccessTokenScopesOnRefresh()`. This is useful when scope validation scripts alter access token scopes and you need the refresh token to inherit those changes. * OPENAM-25901: Next-generation OAuth 2.0 scope validation scripts now have access to the `availableScopes` binding, which lists all scopes configured for the client. A new `throwInvalidScope()` method is also available to simplify error handling. ### Fixes * AME-34216, AME-34398: When using an SSO token as the subject for a policy with an `IDM user` environment condition, it now correctly resolves to the IDM `_id` instead of the user's AM universal ID. You can temporarily revert this behavior by setting the ESV `esv.am.policy.condition.idm.universalId` to `true` to let you update policies to use another property. * AME-34329: By default, parallel updates can no longer be made for CTS sessions. You can revert this behavior by setting the ESV `esv.cts.use.etag.assertion.on.updates` to `false`. * FRAAS-31318: Fixed an issue where setting certain special characters in an ESV prevented the ESV from being interpreted correctly.