Added the ability to define external Trust Framework attribute caches for development and production
Added support and configuration controls for Redis external
caching of Trust Framework attribute values. See Configuring Trust Framework attribute caching for production and Configuring Trust Framework attribute caching for development.
Added the ability to configure custom OIDC scopes for the Policy Editor
You can now use the --scope option during
Policy Editor setup to persistently override the default
OpenID Connect (OIDC) scopes. For a one-time override, use the
PING_SCOPE environment variable during Policy Editor startup. See the OIDC mode (custom
scope) tab of Installing the PingAuthorize Policy Editor noninteractively for more
details.
Added an HTTP servlet extension to support Prometheus monitoring
Added an HTTP servlet extension that allows the values of numeric
monitor attributes to be published as metrics in a form that can be consumed by
a Prometheus monitoring server. See Monitoring server metrics with
Prometheus.
Setting up and upgrading PostgreSQL policy databases has changed
Docker support update for PingAuthorize PAP using PostgreSQL
PingAuthorize policy administration point (PAP) Docker images
based on product version 9.2.0.0 EA do not support PostgreSQL as a policy
database backend due to schema changes. We have reintroduced PostgreSQL support
for images based on version 9.2.0.0 GA or later. See Deploying PingAuthorize Policy Editor using Docker.
Updated Groovy version support
Updated Groovy support from version 2.x to 3.x. This change might
introduce some minor incompatibilities in Groovy script support. For example,
import statements can no longer be split into multiple lines. Deployments making
use of Groovy-scripted extensions should carefully test these extensions in a
temporary standalone instance to verify compatibility and make any necessary
changes before updating an existing instance.
Deprecated the OIDC implicit flow for the Policy Editor
The OIDC implicit flow implementation in the Policy Editor has been deprecated because the OAuth Working Group no
longer recommends its use. The implicit flow will be removed from a future version
of PingAuthorize. You should transition to
the Authorization Code with PKCE flow.
Qualified the Apigee OAuth flow
You can use OAuth standard authentication as part of your Apigee
integration with PingAuthorize. See Configuring an OAuth flow in Apigee (optional) for more information.
Deprecated the Swagger documentation for the Policy Editor REST APIs
The Swagger pages documenting the REST APIs that manage the
Policy Editor have been deprecated and will be removed from
the product in a future release. We plan to re-implement the REST API
documentation outside of the Policy Editor and make it available
at a future date.
Introduced a character limit for Policy Editor entities
Set a limit of 255 characters for the following names: branches,
deployment packages, Trust Framework entities, and Policy Manager
entities.
Improved the performance of the Policy Editor and PDP APIs
You should see performance improvements when using the Policy Editor or the various PingAuthorize PDP modes
and APIs.
Made the JWKS endpoint response cacheable in the Policy Editor
You can now use the
Authentication.oidcJwksCacheExpirySeconds
setting in the
options.yml file to control whether the server caches
the JWKS endpoint response and for how long when using the Policy Editor in OIDC mode. See Configuring the JWKS endpoint cache.
Made the Policy Editor user data configurable
You can now change the claim that controls the user data displayed
in the upper right of the Policy Editor. See Changing the default JWT claim for the OIDC user ID for more information.
Added support for generating digital signatures
Added support for generating digital signatures with a key
obtained from an encryption settings definition. By default, the server's
preferred encryption settings definition is used to obtain the signing key, but
you can use the
signing-encryption-settings property
in the
crypto manager configuration to choose an alternative definition. Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.
The replace-certificate tool re-prompts you for the path to a valid file containing certificates
Previously in an interactive PingAuthorize Server setup, when
replace-certificate prompted you for the path to a file
containing one or more certificates to be imported, it would exit with an error
if the provided path represented a file that did not contain valid certificate
information. It now re-prompts you for the path to a valid file after displaying
the error message.
Fixed an issue with batch JSON PDP API requests
You should now be able to make batch JSON PDP API requests that
contain only one decision request.
Fixed an issue with SpEL allow lists
Fixed an issue where SpEL allow lists in the configuration file
were being ignored.
Fixed an issue with policy database value migration during an upgrade
Fixed a database upgrade issue where attributes with default
values of null were not migrating and test assertion values became empty. This
issue only affected customers that were running a pre-9.2-EA Policy Editor and upgraded to 9.2-EA.
Fixed an issue that prevented the Policy Editor from starting after upgrading the policy database schema
Fixed a rare issue where the tools missed applying some upgrade
operations for the policy database, preventing the Policy Editor
from starting. The setup and policy-db
tools now validate the system time when performing schema element
upgrades.
Fixed an issue with the Policy Editor UI when trying to drag multiple components onto a rule condition
The Policy Editor UI no longer prevents you from
dragging more than one Trust Framework component onto a policy rule when
creating conditions.
Fixed an issue with missing Policy Editor entity changes
Fixed an issue where the Policy Editor could drop
entity changes when performed concurrently with commits on the same
branch.
Fixed an issue with policy creation using Applies To targets
Fixed an issue that stopped you from creating policies or policy
sets with targets in the Applies To
section.
Fixed an issue with replacing deleted deployment packages
Fixed an issue where the Deployment Manager wouldn't let you
replace the deployment package after deleting that deployment package from the
Policy Editor.
Fixed an issue with Policy Editor logging
Fixed a regression from 9.2-EA where the lowered log level of HTTP
PIP service call failures prevented them from appearing when using the default
Policy Editor logging configuration.
Fixed a pagination issue with Test Suite entities in the Policy Editor
Fixed an issue where a large number of saved Test Suite entities
were not being paged correctly by the Policy Editor backend,
resulting in an HTTP 400 response.
Fixed an issue with portability of the configuration.yml file for the Policy Editor
Fixed an issue with the Policy Editor
setup tool using an absolute file reference to the default H2
policy database when writing configuration.yml, which
caused issues if the server instance root was moved to a different file system
location. Now, the setup tool generates a file reference
relative to the server instance root. You can still provide your own value
through --dbConnectionString, or by modifying
configuration.yml after it is
generated.
Fixed a Policy Editor OIDC sign-on error
Fixed the following error in the OIDC implicit grant flow:
Unable to complete background login with reason: invalid state
parameter.
Fixed a Policy Editor issue with propagating the OIDC base URL to the configuration file
Fixed a Policy Editor issue for the
bin/setup oidc command with the
--oidcBaseUrl argument. Previously, when you provided a
path without an ending forward slash, the command didn't propagate your path
value to configuration.yml.
Updated the dsconfig tool for applying authentication settings to a server group
Updated the dsconfig tool to ensure that it
uses the correct authentication type when applying changes to all servers in a
server group. Previously, it would always attempt to use simple authentication,
even if the connection to the initial server was authenticated using a different
mechanism.
Fixed a Kong-related issue when using set-headers with an array of strings
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending the set-headers statement
with an array of strings in the payload produced an error.
Fixed a Kong-related issue where using exclude-attributes or regex-replace-attributes produced invalid JSON
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending either the
exclude-attributes or regex-replace-attributes statements returned invalid
JSON in the response.
Fixed a Kong-related issue where using set-attributes produced an upstream server timeout error
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending the set-attributes
statement returned the following message: An invalid response was
received from the upstream server. The Kong error log also listed an
upstream timed out error for the same
response.
Fixed Kong-related modify-query statement failures
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending the modify-query
statement with a query in the payload but no set query parameters returned the
following response: An unexpected error occurred. The Kong error
log also listed a thread aborted runtime
error.