What’s new
This page covers the new features and improvements in the current release of ForgeRock Access Management.
Version | Date |
---|---|
AM 7.2 | June 30, 2022 |
For end of service life dates (EOSL), see ForgeRock End of Service Life (EOSL) Policy and EOSL Dates in the ForgeRock Knowledge Base.
New features in AM 7.2.0
ForgeRock Access Management 7.2 is a minor release that introduces new features, functional enhancements, and fixes.
JWKs URI for remote consent agents
To make it easier to publish keys used for remote consent, AM 7.2 provides a new JWKs URI, specifically for remote consent agents. This URI indicates where a remote consent service can obtain the keys that AM uses to sign and encrypt the consent request. These keys include:
- The public signing key, used to sign the consent request that is sent to the remote consent server, so that it can be validated on the remote consent server.
- The public encryption key for the consent response, so that the response can be encrypted (if encryption is enabled).
The default JWKs URI for remote consent clients is /oauth2/consent_agents/jwk_uri.
For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/consent_agents/jwk_uri.
Flag to request userinfo from Apple
For social authentication through Apple, this flag indicates that the native app can send userinfo in JSON format.
For details, see Request Native App for UserInfo.
Configuration Provider node
The Configuration Provider node lets you reference a script that builds up the node configuration, based on the node state.
For details, see Configuration Provider node.
CAPTCHA node
The CAPTCHA node has been rewritten to support ReCAPTCHA v3. The new node has two possible outcomes (success and failure), and lets you set a score threshold. For more information, see CAPTCHA node.
Pass-through Authentication node for Platform deployments
For details, see Pass-Through Authentication node.
Set Custom Cookie node
The Set Custom Cookie node lets you store a custom cookie in the client.
For details, see Set Custom Cookie node.
Scripted support for Java extension points
The scripted implementation of the existing Java extension points lets you extend AM functionality rapidly and easily, without the need to recompile.
AM now provides JavaScript example scripts for the following extension points:
- For OAuth2:
  - Access Token Modification
  - OIDC Claims
  - Scope Evaluation
  - Scope Validation
  - Authorize Endpoint Data Provider
- For SAML2:
  - IDP Adapter
  - IDP Attribute Mapper
For details, see Sample scripts.
OAuth 2.0 Pushed Authorization Requests (PAR)
A new PAR endpoint, as defined in RFC 9126, lets clients push the payload of an OAuth 2.0 authorization request to the authorization server in a direct back-channel request. The server returns a request URI that the client then uses as a reference to that data in a subsequent call to the authorization endpoint.
For details, see:
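As an added illustration (not AM's code) of the RFC 9126 exchange the PAR endpoint implements, the following stdlib-only Python models the push, the short-lived single-use request URI, and the redeem step at the authorization endpoint. The URI lifetime, client IDs and endpoint paths are constructed sample values.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed in-memory model of the PAR exchange defined in RFC 9126; not AM's implementation.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
REQUEST_URI_LIFETIME = 60  # seconds a pushed request stays redeemable (assumed value)


class ParEndpoint:
    """Accepts pushed authorization requests and hands out short-lived, single-use request URIs."""

    def __init__(self):
        self._pending = {}  # request_uri -> (authorization parameters, expiry timestamp)

    def push(self, client_id, params, now=None):
        """Back-channel POST /oauth2/par from an authenticated client (client_id comes from that auth)."""
        now = time.time() if now is None else now
        if "response_type" not in params or params.get("client_id", client_id) != client_id:
            raise ValueError("invalid_request")
        if "request_uri" in params:  # RFC 9126 forbids nesting a request_uri inside a pushed request
            raise ValueError("invalid_request")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(16)
        self._pending[request_uri] = (dict(params, client_id=client_id), now + REQUEST_URI_LIFETIME)
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def redeem(self, client_id, request_uri, now=None):
        """Front-channel GET /oauth2/authorize?client_id=...&request_uri=... resolves the stored request."""
        now = time.time() if now is None else now
        entry = self._pending.pop(request_uri, None)  # pop: a request_uri can be redeemed only once
        if entry is None:
            raise ValueError("invalid_request_uri")
        params, expiry = entry
        if now > expiry or params["client_id"] != client_id:
            raise ValueError("invalid_request_uri")  # expired, or presented by a different client
        return params


def authorize_url(base_url, client_id, request_uri):
    """The only parameters the browser needs to carry once the payload has been pushed."""
    return base_url + "/oauth2/authorize?" + urlencode({"client_id": client_id, "request_uri": request_uri})
```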
System property for AES Key Wrap encryption
A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs for compatibility with Java 17.
For details, see Use stronger encryption algorithms.
ForceAuth server property for authentication chains
A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.
For details, see org.forgerock.openam.authentication.forceAuth.enabled.
Support for JWT-secured authorization response (JARM)
AM now supports JWT-secured authorization response (JARM), which gives clients the option to receive authorization response parameters packaged in a signed, and optionally encrypted, JWT.
JARM introduces the following client configuration properties and corresponding oauth2/.well-known/openid-configuration parameters:
Client configuration | /oauth2/.well-known/openid-configuration |
---|---|
authorization_signed_response_alg | |
authorization_encrypted_response_alg | |
authorization_encrypted_response_enc | |
The supported algorithms and encryption methods are defined in new OAuth 2.0 provider configuration settings.
For details, see response_mode.
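An added example, not from the AM documentation, of the checks a client should apply to a JARM response JWT before using the code and state it carries. It assumes authorization_signed_response_alg is HS256 with the client secret as the key, so that it runs with the standard library alone; with an asymmetric algorithm or an encrypted response the signature step would use the provider's published keys instead. Issuer, client ID and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jarm_response(claims: dict, client_secret: str) -> str:
    """Build the JWT an authorization server would return in the 'response' parameter (HS256 assumed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jarm_response(token, client_secret, issuer, client_id, expected_state, now=None) -> dict:
    """Checks a client must pass before trusting code/state carried in a JARM response JWT."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed response JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("iss/aud mismatch")  # not minted by our provider, or not for this client
    if now >= claims.get("exp", 0):
        raise ValueError("response JWT expired")
    if claims.get("state") != expected_state:
        raise ValueError("state mismatch")  # same CSRF/replay binding as the unsigned response modes
    if "error" in claims:
        raise ValueError(claims["error"])  # JARM also signs error responses; surface them
    return claims
```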
UMA interactive claims gathering
The UMA provider service includes a number of new properties to support interactive claims gathering.
For details, see Claims gathering.
Grace periods on refresh tokens
You can now configure a grace period on refresh tokens, which effectively lets you reuse a refresh token. This setting lets your OAuth 2.0 clients recover seamlessly if the response to the original refresh token request is not received because of a network problem or other transient issue. The ability to reuse refresh tokens is limited by the grace period set in the OAuth 2.0 provider configuration or on the OAuth 2.0 client.
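An added, constructed model (not AM's implementation) of what a grace period means for refresh-token rotation: a consumed refresh token is still accepted for grace_period seconds so a client whose response was lost can retry, after which reuse is refused. Handing back the same successor on a retry is a design choice for this illustration, and the token format and client IDs are constructed.

```python
import secrets
import time


class RefreshTokenStore:
    """Constructed model of refresh-token rotation with a reuse grace period (illustration, not AM's code)."""

    def __init__(self, grace_period: int):
        self.grace_period = grace_period  # seconds a consumed refresh token may still be presented
        self._tokens = {}  # token -> {"client": client_id, "used_at": float | None, "successor": str | None}

    def issue(self, client_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"client": client_id, "used_at": None, "successor": None}
        return token

    def refresh(self, client_id: str, token: str, now=None) -> str:
        """Exchange a refresh token for its successor; tolerate a retry inside the grace period."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None or record["client"] != client_id:
            raise ValueError("invalid_grant")
        if record["used_at"] is None:
            # First use: rotate, and remember when it happened so a lost response can be retried.
            successor = self.issue(client_id)
            record["used_at"], record["successor"] = now, successor
            return successor
        if now - record["used_at"] <= self.grace_period:
            # Retry within the grace period: hand back the same successor rather than minting a
            # second live token (design choice for this illustration).
            return record["successor"]
        raise ValueError("invalid_grant")  # reuse after the grace period is refused

    def is_live(self, token: str, now=None) -> bool:
        """A token is live until it has been consumed and its grace period has passed."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None:
            return False
        return record["used_at"] is None or now - record["used_at"] <= self.grace_period
```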
Ability to disable authentication trees over REST
A new enabled setting in the authentication tree configuration lets you use the REST interface to disable trees that are not in use, and enable trees when they are ready to be used.
For details, see Enable and disable an authentication tree.
Major improvements
- Improved locale assessment for message nodes
  The Message node now has better assessment of the locale to use when displaying messages to the user.
- Proxy advanced server properties
  Previous versions of AM could only specify the URL of the proxy to use when sending HTTP client requests to third parties, such as social identity providers, using JVM properties. These properties, however, cannot provide credentials to the proxy.
  AM 7.2 includes the following advanced server properties to configure the proxy’s URI and its credentials, if needed:
  - org.forgerock.openam.httpclienthandler.system.proxy.uri
  - org.forgerock.openam.httpclienthandler.system.proxy.username
  - org.forgerock.openam.httpclienthandler.system.proxy.password
  - org.forgerock.openam.httpclienthandler.system.nonProxyHosts
  For more information, see Configure AM for outbound communication.
- Client-side session cache advanced server property
  AM 7.2 includes a new advanced server property, org.forgerock.session.stateless.jwtcache.expiry.time, to control the maximum time, in seconds, that AM caches client-side session JWTs. Setting a long cache timeout may be more efficient, but AM will not detect that a client-side session JWT has expired or become invalid until the cache entry expires.
- Improvements to the OTP Email Sender node
  In earlier versions of AM, the amount of time that the OTP Email Sender node waited before declaring an outbound SMTP connection unavailable depended on the operating system where AM ran.
  AM 7.2 includes the following advanced server properties to configure the timeout:
  - org.forgerock.openam.smtp.system.connect.timeout
  - org.forgerock.openam.smtp.system.socket.read.timeout
  - org.forgerock.openam.smtp.system.socket.write.timeout
  For more information, see Advanced Properties.
- AES-GCM modes for assertion encryption
  AM now supports the following AES-GCM modes for assertion encryption:
  - http://www.w3.org/2009/xmlenc11#aes128-gcm
  - http://www.w3.org/2009/xmlenc11#aes192-gcm
  - http://www.w3.org/2009/xmlenc11#aes256-gcm
  ForgeRock recommends GCM over the older AES-CBC modes. GCM offers authenticated encryption, which better protects against an attacker tampering with an encrypted assertion.
  For example metadata and instructions on configuring hosted providers, see Configuring the Advertised Signing and Encryption Algorithms.
- OAuth 2.0 plugin configuration
  You can now explicitly configure individual plugins using the Plugin Type, Script, and Plugin Implementation Class attributes for each OAuth 2.0 plugin. The OAuth 2.0 provider configuration includes a new Plugins tab for configuring the supported OAuth2 extension points.
  Each of the provider plugin settings can be overridden at the client level.
  For more information, see:
  - OAuth2 provider configuration
  - Client overrides configuration
- Added validation options for request object JWTs
  To increase compliance with the Financial-grade API (FAPI) security profile, AM now provides the option to mandate the presence of the exp (expiration time) and nbf (not before) claims in request object JWTs. If enabled, these claims must be included in JWT request objects specified at the /oauth2/authorize or /oauth2/par endpoints. The JWT is then validated against the following configuration settings:
  - Max nbf and exp difference
  - Max nbf age
  For more information, see the Advanced properties in the OAuth2 Provider configuration.
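An added illustration, not AM's code, of how the two settings above constrain a request object's exp and nbf claims once the mandatory-claims option is enabled: a missing claim, a validity window longer than Max nbf and exp difference, or an nbf older than Max nbf age all reject the request object. The limit values, claim values and error messages are constructed.

```python
import time


class RequestObjectTimePolicy:
    """Constructed model of the exp/nbf checks on request object JWTs with the mandatory-claims
    option enabled (illustration only; AM's actual error codes and check order are not reproduced)."""

    def __init__(self, max_nbf_exp_difference: int, max_nbf_age: int):
        self.max_nbf_exp_difference = max_nbf_exp_difference  # "Max nbf and exp difference", seconds
        self.max_nbf_age = max_nbf_age  # "Max nbf age", seconds

    def check(self, claims: dict, now=None) -> bool:
        """Return True for an acceptable request object; raise ValueError with the reason otherwise."""
        now = int(time.time()) if now is None else now
        exp, nbf = claims.get("exp"), claims.get("nbf")
        if exp is None or nbf is None:
            raise ValueError("exp and nbf are mandatory in the request object")
        if not isinstance(exp, int) or not isinstance(nbf, int):
            raise ValueError("exp and nbf must be NumericDate values")
        if exp <= nbf:
            raise ValueError("exp must be later than nbf")
        if exp - nbf > self.max_nbf_exp_difference:
            raise ValueError("validity window exceeds Max nbf and exp difference")
        if now - nbf > self.max_nbf_age:
            raise ValueError("request object older than Max nbf age")  # stale, possibly replayed
        if now < nbf or now >= exp:
            raise ValueError("request object not yet valid or already expired")
        return True
```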
- Configurable OAuth 2.0 device flow user code generation
  The user code generated in the OAuth 2.0 device flow can now be configured in the OAuth 2.0 provider using the following settings:
  - User Code Character Length
  - User Code Character Set
  - Device Code Flow User Code Generator Implementation Class
  For more information, see the OAuth2 Provider reference section.
- Validation of changes to LDAP server connection details
  LDAP configuration store settings can be changed at Deployment > Servers > Server Name > Directory Configuration. In previous AM versions, these changes were not validated before the configuration was saved. From AM 7.2.0, AM makes a test connection to the LDAP server before saving the changes, which prevents invalid connection details from being saved.
- New option to select specification for OpenID Connect request object processing
  To support both the JAR specification and the OpenID Connect Core 1.0 specification, you can now configure which specification is applied to incoming OpenID Connect requests that include a request object.
  For details, see the Request Object Processing Specification configuration property.
Security advisories
ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly.
ForgeRock’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.