AM 7.2.0

What’s new

This page covers the new features and improvements in the current release of ForgeRock Access Management.

Release dates

Version   Date
AM 7.2    June 30, 2022

For end of service life dates (EOSL), see ForgeRock End of Service Life (EOSL) Policy and EOSL Dates in the ForgeRock Knowledge Base.

New features in AM 7.2.0

ForgeRock Access Management 7.2 is a minor release that introduces new features, functional enhancements, and fixes.

To make it easier to publish keys used for remote consent, AM 7.2 provides a new JWKs URI, specifically for remote consent agents. This URI indicates where a remote consent service can obtain the keys that AM uses to sign and encrypt the consent request. These keys include:

  • The public signing key, used to sign the consent request that is sent to the remote consent server, so that it can be validated on the remote consent server.

  • The public encryption key for the consent response, so that the response can be encrypted (if encryption is enabled).

The default JWKs URI for remote consent clients is /oauth2/consent_agents/jwk_uri.

For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/consent_agents/jwk_uri.

Flag to request userinfo from Apple

For social authentication through Apple, this flag indicates that the native app can send userinfo in JSON format.

Configuration Provider node

The Configuration Provider node lets you reference a script that builds up the node configuration, based on the node state.

For details, see Configuration Provider node.

CAPTCHA node

The CAPTCHA node has been rewritten to support ReCAPTCHA v3. The new node has two possible outcomes (success and failure), and lets you set a score threshold. For more information, see CAPTCHA node.

Pass-through Authentication node for Platform deployments

The Set Custom Cookie node lets you store a custom cookie in the client.

For details, see Set Custom Cookie node.

Scripted support for Java extension points

The scripted implementation of the existing Java extension points lets you extend AM functionality rapidly and easily, without the need to recompile.

AM now provides JavaScript example scripts for the following extension points:

  • For OAuth2:

    • Access Token Modification

    • OIDC Claims

    • Scope Evaluation

    • Scope Validation

    • Authorize Endpoint Data Provider

  • For SAML2:

    • IDP Adapter

    • IDP Attribute Mapper

For details, see Sample scripts.

OAuth 2.0 Pushed Authorization Requests (PAR)

A new PAR endpoint, as defined in RFC 9126, lets clients push the payload of an OAuth 2.0 authorization request directly to the authorization server. The server returns a request URI that the client then passes, in place of the request parameters, in a subsequent call to the authorization endpoint.
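The exchange described above, modelled as an added example that is not AM's code: an in-memory authorization server whose `par` method stores the pushed payload under a one-time, short-lived, client-bound request URI, and whose `authorize` method resolves it. The 60-second lifetime and the class and method names are constructed for the example.

```python
import secrets
import time

# Constructed values for this example; AM's actual lifetime is configured server-side.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
REQUEST_URI_LIFETIME = 60  # seconds; RFC 9126 says request URIs should be short-lived


class ParAuthorizationServer:
    """In-memory model of an authorization server's PAR and authorize endpoints.

    Hypothetical example code, not AM's implementation. `now` is injectable so the
    expiry rule can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pushed = {}  # request_uri -> (client_id, params, expires_at)

    def par(self, client_id, params):
        """POST /oauth2/par: store the pushed payload, return a one-time reference."""
        # RFC 9126 section 2.1: the pushed payload must not itself carry a request_uri.
        if "request_uri" in params:
            return {"error": "invalid_request",
                    "error_description": "request_uri is not allowed in a pushed request"}
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        stored = dict(params, client_id=client_id)  # bind the payload to the caller
        self._pushed[request_uri] = (client_id, stored, self._now() + REQUEST_URI_LIFETIME)
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def authorize(self, client_id, request_uri):
        """GET /oauth2/authorize?client_id=...&request_uri=...: resolve the reference."""
        # pop() makes the reference single-use; a replayed request_uri is rejected.
        entry = self._pushed.pop(request_uri, None)
        if entry is None:
            return {"error": "invalid_request",
                    "error_description": "unknown, expired or already used request_uri"}
        owner, params, expires_at = entry
        # The reference is only valid for the client that pushed it.
        if owner != client_id:
            return {"error": "invalid_request",
                    "error_description": "request_uri was not issued to this client"}
        if self._now() > expires_at:
            return {"error": "invalid_request",
                    "error_description": "request_uri has expired"}
        return params  # the server now proceeds with these authorization parameters
```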

For details, see:

System property for AES Key Wrap encryption

A new Java system property (org.forgerock.openam.encryption.padshortinputs) pads short inputs for compatibility with Java 17.

ForceAuth server property for authentication chains

A new advanced server property (org.forgerock.openam.authentication.forceAuth.enabled) controls the ForceAuth authentication property for chains.

Support for JWT-secured authorization response (JARM)

AM now supports JWT-secured authorization response mode (JARM), which gives clients the option to receive authorization response parameters packaged in a signed, and optionally encrypted, JWT.

JARM introduces the following client configuration properties, each with a corresponding parameter in oauth2/.well-known/openid-configuration:

  • authorization_signed_response_alg

  • authorization_encrypted_response_alg

  • authorization_encrypted_response_enc

The supported signing algorithms and encryption methods are defined in new OAuth 2.0 provider configuration settings.

For details, see response_mode.

UMA interactive claims gathering

The UMA provider service includes a number of new properties to support interactive claims gathering.

For details, see Claims gathering.

Grace periods on refresh tokens

You can now configure a grace period on refresh tokens, which effectively lets a refresh token be reused for a short time. This setting lets your OAuth 2.0 clients recover seamlessly if the response to the original refresh token request is not received because of a network problem or other transient issue. Reuse is limited to the grace period set in the OAuth 2.0 provider configuration or on the OAuth 2.0 client.
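The grace period mechanism as an added example, not AM's implementation: a store that rotates refresh tokens on first use, tolerates a repeat of the same token only while the grace period is still running, and rejects it afterwards. The 30-second default, the class name, and the choice to hand back the same successor token on a grace-period reuse are assumptions made for the example.

```python
import secrets
import time

# Constructed value: AM lets you set the grace period on the provider or on the client.
DEFAULT_GRACE_PERIOD = 30  # seconds


class RefreshTokenStore:
    """Models rotating refresh tokens with a reuse grace period (hypothetical example)."""

    def __init__(self, grace_period=DEFAULT_GRACE_PERIOD, now=time.time):
        self._grace = grace_period
        self._now = now
        self._tokens = {}  # token -> {"client_id", "rotated_at", "successor"}

    def issue(self, client_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"client_id": client_id, "rotated_at": None, "successor": None}
        return token

    def refresh(self, client_id, token):
        """Exchange `token` for a new refresh token, as the token endpoint would."""
        record = self._tokens.get(token)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if record["rotated_at"] is None:
            # First use: rotate, and remember when and what was issued.
            successor = self.issue(client_id)
            record["rotated_at"] = self._now()
            record["successor"] = successor
            return {"refresh_token": successor}
        # Already rotated. Inside the grace period the client may simply have lost the
        # first response, so return the same successor rather than minting another
        # (assumption for this example).
        if self._now() - record["rotated_at"] <= self._grace:
            return {"refresh_token": record["successor"]}
        # Outside the grace period a reuse is an invalid grant. A stricter design would
        # also revoke the successor, since a replay this late may indicate theft.
        return {"error": "invalid_grant"}
```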

Ability to disable authentication trees over REST

A new enabled setting in the authentication tree configuration lets you use the REST interface to disable trees that are not in use, and enable trees when they are ready to be used.

Major improvements

AM 7.2
Improved locale assessment for message nodes

The Message node now has better assessment of the locale to use when displaying messages to the user.

Proxy advanced server properties

In previous versions of AM, the URL of the proxy used for HTTP client requests to third parties, such as social identity providers, could only be specified using JVM properties. Those properties, however, cannot supply credentials to the proxy.

AM 7.2 includes the following advanced server properties to configure the proxy’s URI and its credentials, if needed:

  • org.forgerock.openam.httpclienthandler.system.proxy.uri

  • org.forgerock.openam.httpclienthandler.system.proxy.username

  • org.forgerock.openam.httpclienthandler.system.proxy.password

  • org.forgerock.openam.httpclienthandler.system.nonProxyHosts

For more information, see Configure AM for outbound communication.

Client-side session cache advanced server property

AM 7.2 includes a new advanced server property, org.forgerock.session.stateless.jwtcache.expiry.time, to control the maximum time, in seconds, that AM caches client-side session JWTs.

A long cache timeout can be more efficient, but AM does not detect that a cached client-side session JWT has expired or become invalid until the cache entry expires.

Improvements to the OTP email sender node

In earlier versions of AM, the time that the OTP Email Sender node waited before declaring an outbound SMTP connection unavailable depended on the operating system where AM ran.

AM 7.2 includes the following advanced server properties to configure the timeout:

  • org.forgerock.openam.smtp.system.connect.timeout

  • org.forgerock.openam.smtp.system.socket.read.timeout

  • org.forgerock.openam.smtp.system.socket.write.timeout

For more information, see Advanced Properties.

AES-GCM modes for assertion encryption

AM now supports the following AES-GCM modes for assertion encryption:

  • http://www.w3.org/2009/xmlenc11#aes128-gcm

  • http://www.w3.org/2009/xmlenc11#aes192-gcm

  • http://www.w3.org/2009/xmlenc11#aes256-gcm

ForgeRock recommends GCM over the older AES-CBC modes: GCM provides authenticated encryption, which better protects an encrypted assertion against tampering by an attacker.

For example metadata and instructions on configuring hosted providers, see Configuring the Advertised Signing and Encryption Algorithms.

OAuth 2.0 plugin configuration

You can now explicitly configure individual plugins using the Plugin Type, Script, and Plugin Implementation Class attributes for each OAuth 2.0 plugin.

The OAuth 2.0 provider configuration includes a new Plugins tab for configuring the supported OAuth2 extension points.

Each of the provider plugin settings can be overridden at the client level.

For more information, see:

Added validation options for request object JWTs

To increase compliance with the Financial-grade API (FAPI) security profile, AM now provides the option to mandate the presence of the exp (expiration time) and nbf (not before) claims in request object JWTs.

If enabled, these claims must be included in JWT request objects specified at the /oauth2/authorize or /oauth2/par endpoints. The JWT is then validated against the following configuration settings:

  • Max nbf and exp difference

  • Max nbf age
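The two checks above, together with the standard rules that nbf is not in the future and exp has not passed, as an added example that is not AM's code. The one-hour thresholds, the function name, and the `require_claims` switch are constructed for the example; `claims` is the already-decoded payload of a request object JWT.

```python
import time

# Constructed thresholds; in AM these correspond to the "Max nbf and exp difference"
# and "Max nbf age" advanced properties of the OAuth2 Provider.
MAX_NBF_EXP_DIFF = 3600  # seconds
MAX_NBF_AGE = 3600       # seconds


def validate_request_object_lifetime(claims, now=None, require_claims=True,
                                     max_nbf_exp_diff=MAX_NBF_EXP_DIFF,
                                     max_nbf_age=MAX_NBF_AGE):
    """Return "ok" or a short reason string for the decoded claims of a request object.

    Hypothetical example, not AM's code. `require_claims` models the option to
    mandate exp and nbf; when it is off, whichever claims are present are still checked.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if require_claims and (exp is None or nbf is None):
        return "missing exp or nbf claim"
    for name, value in (("exp", exp), ("nbf", nbf)):
        if value is not None and (isinstance(value, bool) or not isinstance(value, (int, float))):
            return name + " must be a numeric date"
    if exp is not None and exp <= now:
        return "request object has expired"
    if nbf is not None and nbf > now:
        return "request object not yet valid"
    if exp is not None and nbf is not None:
        # Bound the validity window: a request object that is valid for a long
        # time, or that was minted long ago, is easier to replay.
        if exp - nbf > max_nbf_exp_diff:
            return "exp is too far after nbf"
        if now - nbf > max_nbf_age:
            return "nbf is too old"
    return "ok"
```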

For more information, see the Advanced properties in the OAuth2 Provider configuration.

Configurable OAuth 2.0 device flow user code generation

The user code generated in the OAuth 2.0 device flow can now be configured in the OAuth 2.0 provider using the following settings:

  • User Code Character Length

  • User Code Character Set

  • Device Code Flow User Code Generator Implementation Class

For more information, see the OAuth2 Provider reference section.

Validation of changes to LDAP server connection details

LDAP configuration store settings can be changed at Deployment > Servers > Server Name > Directory Configuration. In previous AM versions, these changes were not validated before the configuration was saved. From AM 7.2.0, AM makes a test connection to the LDAP server before saving the changes, so that invalid connection details cannot be saved.

New option to select specification for OpenID Connect request object processing

To support both the JAR specification and OpenID Connect Core 1.0 specification, you can now configure which specification should be applied to incoming OpenID Connect requests that specify a request object.

For details, see the Request Object Processing Specification configuration property.

Security advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly.

ForgeRock’s security advisory policy governs the process on how security issues are submitted, received, and evaluated as well as the timeline for the issuance of security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Copyright © 2010-2022 ForgeRock, all rights reserved.