PingAuthorize 9.2 (December 2022) - PingAuthorize - 9.3

PingAuthorize 9.3

bundle
pingauthorize-93
ft:publication_title
PingAuthorize 9.3
Product_Version_ce
PingAuthorize 9.3
category
ContentType
Product
Productdocumentation
paz-93
pingauthorize
ContentType_ce
Product documentation

Added the ability to define external Trust Framework attribute caches for development and production

New
Added support and configuration controls for Redis external caching of Trust Framework attribute values. See Configuring Trust Framework attribute caching for production and Configuring Trust Framework attribute caching for development.

Added the ability to configure custom OIDC scopes for the Policy Editor

New
You can now use the --scope option during Policy Editor setup to persistently override the default OpenID Connect (OIDC) scopes. For a one-time override, use the PING_SCOPE environment variable during Policy Editor startup. See the OIDC mode (custom scope) tab of Installing the PingAuthorize Policy Editor non-interactively for more details.

Added an HTTP servlet extension to support Prometheus monitoring

New
Added an HTTP servlet extension that allows the values of numeric monitor attributes to be published as metrics in a form that can be consumed by a Prometheus monitoring server. See Monitoring server metrics with Prometheus.

Setting up and upgrading PostgreSQL policy databases has changed

Info
In an early access release of the Policy Editor, we provided a tool called the db-cli for PostgreSQL policy databases. This tool is now deprecated and will be removed in a later release. You should now use the policy-db tool to create and upgrade PostgreSQL databases.

Docker support update for PingAuthorize PAP using PostgreSQL

Info
PingAuthorize policy administration point (PAP) Docker images based on product version 9.2.0.0 EA do not support PostgreSQL as a policy database backend due to schema changes. We have reintroduced PostgreSQL support for images based on version 9.2.0.0 GA or later. See Deploying PingAuthorize Policy Editor using Docker.

Updated Groovy version support

Info
Updated Groovy support from version 2.x to 3.x. This change might introduce some minor incompatibilities in Groovy script support. For example, import statements can no longer be split into multiple lines. Deployments making use of Groovy-scripted extensions should carefully test these extensions in a temporary standalone instance to verify compatibility and make any necessary changes before updating an existing instance.

Deprecated the OIDC implicit flow for the Policy Editor

Info
The OIDC Implicit flow implementation in the Policy Editor has been deprecated, because the OAuth Working Group no longer recommends its use. Implicit flow will be removed from a future version of PingAuthorize. You should transition to the Authorization Code with PKCE flow.

Qualified the Apigee OAuth flow

Info
You can use OAuth standard authentication as part of your Apigee integration with PingAuthorize. See Configuring an OAuth flow in Apigee (optional) for more information.

Deprecated the Swagger documentation for the Policy Editor REST APIs

Info
The Swagger pages documenting the REST APIs that manage the Policy Editor have been deprecated and will be removed from the product in a future release. We plan to re-implement the REST API documentation outside of the Policy Editor and make it available at a future date.

Introduced a character limit for Policy Editor entities

Info
Set a limit of 255 characters for the following names: branches, deployment packages, Trust Framework entities, and Policy Manager entities.

Improved the performance of the Policy Editor and PDP APIs

Improved
You should see performance improvements when using the Policy Editor or the various PingAuthorize PDP modes and APIs.

Made the JWKS endpoint response cacheable in the Policy Editor

Improved
You can now use the Authentication.oidcJwksCacheExpirySeconds setting in the options.yml file to control whether the server caches the JWKS endpoint response and for how long when using the Policy Editor in OIDC mode. See Configuring the JWKS endpoint cache.

Made the Policy Editor user data configurable

Improved
You can now change the claim that controls the user data displayed in the upper right of the Policy Editor. See Changing the default JWT claim for the OIDC user ID for more information.

Added support for generating digital signatures

Improved
Added support for generating digital signatures with a key obtained from an encryption settings definition. By default, the server's preferred encryption settings definition is used to obtain the signing key, but you can use the signing-encryption-settings property in the crypto manager configuration to choose an alternative definition.

Previously, signatures were generated using a legacy key shared among servers in the topology, which could make it difficult to validate signatures outside of the topology. The legacy key will continue to be used in environments without any encryption settings definitions.

The replace-certificate tool re-prompts you for the path to a valid file containing certificates

Improved
Previously in an interactive PingAuthorize Server setup, when replace-certificate prompted you for the path to a file containing one or more certificates to be imported, it would exit with an error if the provided path represented a file that did not contain valid certificate information. It now re-prompts you for the path to a valid file after displaying the error message.

Fixed an issue with batch JSON PDP API requests

FixedPAZ-5366
You should now be able to make batch JSON PDP API requests that contain only one decision request.

Fixed an issue with SpEL allow lists

FixedPAZ-5424
Fixed an issue where SpEL allow lists in the configuration file were being ignored.

Fixed an issue with policy database value migration during an upgrade

FixedPAZ-6154
Fixed a database upgrade issue where attributes with default values of null were not migrating and test assertion values became empty. This issue only affected customers that were running a pre-9.2-EA Policy Editor and upgraded to 9.2-EA.

Fixed an issue that prevented the Policy Editor from starting after upgrading the policy database schema

FixedPAZ-6122
Fixed a rare issue where the tools missed applying some upgrade operations for the policy database, preventing the Policy Editor from starting. The setup and policy-db tools now validate the system time when performing schema element upgrades.

Fixed an issue with the Policy Editor UI when trying to drag multiple components onto a rule condition

FixedPAZ-899
The Policy Editor UI no longer prevents you from dragging more than one Trust Framework component onto a policy rule when creating conditions.

Fixed an issue with missing Policy Editor entity changes

FixedPAZ-5186
Fixed an issue where the Policy Editor could drop entity changes when performed concurrently with commits on the same branch.

Fixed an issue with policy creation using Applies To targets

FixedPAZ-5344
Fixed an issue that stopped you from creating policies or policy sets with targets in the Applies To section.

Fixed an issue with replacing deleted deployment packages

FixedPAZ-5574
Fixed an issue where the Deployment Manager wouldn't let you replace the deployment package after deleting that deployment package from the Policy Editor.

Fixed an issue with Policy Editor logging

FixedPAZ-6494
Fixed a regression from 9.2-EA where the lowered log level of HTTP PIP service call failures prevented them from appearing when using the default Policy Editor logging configuration.

Fixed a pagination issue with Test Suite entities in the Policy Editor

FixedPAZ-6640
Fixed an issue where a large number of saved Test Suite entities were not being paged correctly by the Policy Editor backend, resulting in an HTTP 400 response.

Fixed an issue with portability of the configuration.yml file for the Policy Editor

FixedPAZ-4448
Fixed an issue with the Policy Editor setup tool using an absolute file reference to the default H2 policy database when writing configuration.yml, which caused issues if the server instance root was moved to a different file system location. Now, the setup tool generates a file reference relative to the server instance root. You can still provide your own value through --dbConnectionString, or by modifying configuration.yml after it is generated.

Fixed a Policy Editor OIDC sign-on error

FixedPAZ-5452
Fixed the following error in the OIDC implicit grant flow: Unable to complete background login with reason: invalid state parameter.

Fixed a Policy Editor issue with propagating the OIDC base URL to the configuration file

FixedPAZ-6051
Fixed a Policy Editor issue for the bin/setup oidc command with the --oidcBaseUrl argument. Previously, when you provided a path without an ending forward slash, the command didn't propagate your path value to configuration.yml.

Updated the dsconfig tool for applying authentication settings to a server group

FixedDS-46313
Updated the dsconfig tool to ensure that it uses the correct authentication type when applying changes to all servers in a server group. Previously, it would always attempt to use simple authentication, even if the connection to the initial server was authenticated using a different mechanism.

Fixed a Kong-related issue when using set-headers with an array of strings

FixedPAZ-5847
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending the set-headers statement with an array of strings in the payload produced an error.

Fixed a Kong-related issue where using exclude-attributes or regex-replace-attributes produced invalid JSON

FixedPAZ-5848
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending either the exclude-attributes or regex-replace-attributes statements returned invalid JSON in the response.

Fixed a Kong-related issue where using set-attributes produced an upstream server timeout error

FixedPAZ-5849
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending the set-attributes statement returned the following message: An invalid response was received from the upstream server. The Kong error log also listed an upstream timed out error for the same response.

Fixed Kong-related modify-query statement failures

FixedPAZ-5846
Fixed an issue where, when using the ping-auth plugin with Kong Gateway, sending the modify-query statement with a query in the payload but no set query parameters returned the following response: An unexpected error occurred. The Kong error log also listed a thread aborted runtime error.