Fixes in 7.2.x

OPENAM-20360: Ampersand is double encoded in the Destination of a SAML Assertion

OPENAM-20318: Accessing AM end user login page for PlatformLogin journey in platform environment shows non-rendered html

OPENAM-20260: Unable to log into AM when external application store is down

OPENAM-20230: Class allowlisting fails with permission denied after an extended period

OPENAM-20181: AD account notification fails

OPENAM-20082: Locked out users are shown a misleading error message

OPENAM-20031: Access token modification can no longer access refresh token reference

OPENAM-19884: AM returns 500 error when ; is used in the access token header

OPENAM-19684: Error EntitlementService.getSubjectAttributesCollectorConfiguration logged on initial agent access

OPENAM-19537: UserSelfCheckCondition.getConditionDecision logging WARN too much when nothing wrong

OPENAM-19515: Unable to update session service with read-only identity store

OPENAM-19506: Installer fails after pressing "cancel" button at amadmin password page

OPENAM-19455: Adding Authentication Context without Level value results in uneditable entity

OPENAM-18818: Persistent search error message shows wrong DS identifier

OPENAM-18172: Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level

OPENAM-17215: Policy debug log fills up at very high pace if the config store is not found

OPENAM-16241: Switching CTS Storage Scheme with stateful refresh-tokens from 1-1 to grantset

OPENAM-12101: Connection pool not restarted if LDAP authentication module admin bind password is incorrect

OPENAM-19427: KBA question are not falling back to the default language when French is present in the restart password flow

OPENAM-19384: Suspended Authentication Resume URI is resolved with a missing /

OPENAM-19381: Timer Stop Node’s stop recording does not capture the reference start time of the Timer Start Node

OPENAM-19380: Social Google node does not work if placed after an input collector in a tree

OPENAM-19359: Social authentication not working on Subrealms

OPENAM-19297: OIDC MayAct claims script fails to access clientProperties and causes Java security exception

OPENAM-19290: In a cluster, changing AM debug level on local AM2 to remote AM1 does not take effect until the remote AM1 is restarted

OPENAM-19281: OIDC dynamic client registration cannot take \n in the client_description

OPENAM-19266: Cannot add Page Headers or Page Descriptions to page nodes in tree editor

OPENAM-19220: WebAuthN/Fido - Cannot authenticate with recovery codes on Windows

OPENAM-19208: Webhook with an empty url field throws NPE during a webhook session upgrade

OPENAM-19196: JavaScript origins in the OAuth2 Client need a restart to apply the changes

OPENAM-19190: LDAPAuthUtils for BASE_OBJECT does not work with special userId characters

OPENAM-19162: REST API definition inaccurate for endpoint /realm-config/saml

OPENAM-19123: AM validates duplicate registration tokens

OPENAM-19122: AM’s jwks_uri endpoint should preserve order of keys within the set

OPENAM-19108: "Agent" auth tree creates tokens with insufficient permissions

OPENAM-19086: rest-sts endpoint is not included when CORS is enabled

OPENAM-19083: Creating a client-based access and refresh token breaks subsequent use of Session Quotas

OPENAM-19042: When using Apple SSO, the Social Identity Provider Handler node ignores the user info returned

OPENAM-18996: Issues with trees and navigating quickly between Social Login providers

OPENAM-18990: Non-compliant OAuth 2.0 error response generated

OPENAM-18953: Insufficient logging when OAuth 2.0 token request fails due to invalid client secret

OPENAM-18952: KBA questions are not falling back to the default language when French is present

OPENAM-18928: Client credential OAuth 2.0 request results in searches for OAuth 2.0 client against the Identity Store

OPENAM-18921: Double slashes in oauth 2.0 claim names are handled incorrectly

OPENAM-18891: JWT Profile Oauth 2.0 grant returns invalid_grant

OPENAM-18883: Inconsistent error response from Client authentication using private_key_jwt

OPENAM-18877: Creating SAML providers with entity ids containing the plus (+) symbol results in errors listing and creating new providers

OPENAM-18864: Upgrade Radius Server Client Secrets fails due to service config cache cleared

OPENAM-18833: Client authentication using private_key_jwt will cause 500 if claims value is null

OPENAM-18775: LdapDecisionNode throws NullPointerException on shared IDM Repository DataStore when Password change policy triggered

OPENAM-18756: Entering correct OTP after an incorrect OTP fails authentication

OPENAM-18754: User profile success URL ignored when authenticating with trees

OPENAM-18753: Upgrading AM Radius server with clients causes Radius auth failures

OPENAM-18705: Problem with Page Node using node relying on secureState

OPENAM-18701: DN cache doesn’t get deleted in some cases

OPENAM-18684: Redirect to authorize endpoint fails for 2nd OIDC App for Federated Users with multiple OIDC Clients

OPENAM-18679: OATH Registration node doesn’t work when placed inside a Page node

OPENAM-18663: AM should check new realm with rest end-point names by ignoring case

OPENAM-18661: Two or more OAuth2 clients with duplicate origins causes CORS filter to be aborted

OPENAM-18655: Deleting OAuth2 Client provides unneeded Notification error message in IdRepo

OPENAM-18644: IdRepo cache can not be disabled anymore

OPENAM-18640: REST-STS uses the old path to reach the users endpoint

OPENAM-18623: Issue with jwk_uri endpoint called in parallel

OPENAM-18610: RealmOAuth2ProviderSettings for getJwks permits an empty set

OPENAM-18605: Proxy authentication required error when connecting to a target host over https via a proxy that requires authentication

OPENAM-18586: No debug message when AM can’t read the encrypted_base64 folder after upgrade

OPENAM-18573: URLPatternMatcher or RedirectURLValidator fails when query string contains "%20"

OPENAM-18547: Unable to load PlatformRegistration when Using Stateless Access Token with BaseURL

OPENAM-18533: Distinguish between standard OIDC and JAR OIDC request parameters

OPENAM-18524: Client assertion JWT generated for private_key_jwt OAuth 2.0 client authentication does not provide a "kid" header - can be rejected by external OAuth 2.0providers

OPENAM-18523: NullPointerException when Web Agent group is changed

OPENAM-18487: Trust anchor check fails with Yubikey

OPENAM-18460: max_age parameter is overwritten

OPENAM-18459: IdTokenInfo endpoint behavior has changed and fails when using client_id in POST

OPENAM-18457: OIDC authentication nodes do not work in sub-realm when response_mode=form_post is requested from OP

OPENAM-18443: Transactional authentication is disabled on new installs

OPENAM-18436: UMA pending requests are stored differently depending on sub claim uniqueness mode

OPENAM-18434: Authorization Code flow redirects to malformed uri if redirect_uri contains underscore

OPENAM-18432: Remove the internal idm-delegation grant type from the well known info

OPENAM-18422: Email Template node creates threads without terminating them

OPENAM-18389: HttpClientHandler Guice injection in tree is typically broken with thread pool growth

OPENAM-18384: Email Suspend Node clears the secure state

OPENAM-18377: Authorization fails using auth module if user has authenticated with alias name

OPENAM-18359: Choice Collector Node not present following upgrade

OPENAM-18321: CertificateCollectorNode fails when checking cert in LDAP Directory Server

OPENAM-18306: OAuth 2.0 Authorization Code Grant Fails when including scope parameter at access_token endpoint

OPENAM-18297: Outbound calls to jwk_uri endpoint do not support proxy settings

OPENAM-18268: webauthnDeviceProfiles is not multi-valued for AD

OPENAM-18256: JWK Cache timeout is not set for OAuth 2.0 clients created dynamically

OPENAM-18252: Allow nodes to update the universal ID for use cases like impersonation and peer authentication

OPENAM-18235: IdPAdapter does not have access to IDPCache in preSendResponse hook when there is an existing session

OPENAM-18227: Upgrade from 6.0.x / 6.5.x fails with Unsupported node type PersistentCookieDecisionNode

OPENAM-18212: Check for user/agent profile condition during login can be refined further

OPENAM-18207: Global Service cache is not updated by changes from other servers in a site

OPENAM-18205: Excessive logging occurs when agent profile is not found

OPENAM-18180: No TransactionId present for AuthTreeExecutor

OPENAM-18171: Back-Channel logout keeps adding to trackingIds audit for every logout

OPENAM-18167: OIDC requests with request parameter fail with 500 error when there is no session using POST

OPENAM-18153: OpenIdConnect node call to well-known endpoint does not support proxy settings

OPENAM-18149: Wrong log file is used for SAML2 extensions log message

OPENAM-18141: AM no longer uses global SAML configuration

OPENAM-18140: AM Error "Trying to redefine version 0.0 for path" thrown on AM startup with forgeops

OPENAM-18132: Failed to get the distinct userIdAttributes for configured identity stores in realm

OPENAM-18121: Complex authentication trees load slowly

OPENAM-18120: Audit logging service does not correctly reflect the "prompt" URL parameter

OPENAM-18119: Audit log no longer shows the userID of session being invalidated by amAdmin

OPENAM-18118: OAuth 2.0 - AM does not implement 'device authorization grant' as specified in RFC 8628

OPENAM-18112: Misleading error message when LDAP auth node connects to a TLS-enabled server

OPENAM-18090: Creation of UMA Policy to share a resource fails when identities have custom attributes

OPENAM-18085: SocialProviderHandlerNode does not work in an upgraded AM

OPENAM-18068: Upgrade from the AM 6.5.3 to 7.1.0 does not work, if Java Agent profile exists

OPENAM-18065: Logback.jsp cannot be used to set log levels for loggers in custom code

OPENAM-18062: SPACSUtils withholds exception and does not log error

OPENAM-18057: Identities page displays Internal Server Error when a user does not have search attribute defined

OPENAM-18043: Device Match module not setting correct AuthLevel

OPENAM-18030: Message node shows inconsistent behavior regarding the default locale

OPENAM-18017: Creation of UMA Policy to share a resource fails when identities have custom object classes

OPENAM-18009: HTTP error code 500 when authenticating with authIndexType service without authIndexValue

OPENAM-18006: Persistent search for identity store does not recover

OPENAM-18003: WS-Federation Active Requestor Profile does not work with Authentication Trees

OPENAM-17993: org.forgerock.openam.auth.nodes.webauthn.trustanchor.TrustAnchorValidator is missing a @Nullable annotation

OPENAM-17979: Backchannel authentication auth_req_id can be used to obtain multiple access tokens

OPENAM-17973: Retrieving auth code in a realm fails if session for another realm exists

OPENAM-17962: LDAP Decision Node does not put updated password in transient state

OPENAM-17954: Accept-Language header locale ignored on OAuth 2.0 Consent page

OPENAM-17935: Missing return statement in the happy flow of the kerberos node

OPENAM-17923: Retry Limit Decision should not involve user when Save Retry Limit to User is disabled

OPENAM-17916: When no session exists logout page redirects to login

OPENAM-17912: Account lockout count is not reset correctly

OPENAM-17904: JSON Audit Log Location not working when modifying location to only include %SERVER_URI% variable

OPENAM-17896: ForgottenPassword Reset on multiple clusters not working when reset link is clicked

OPENAM-17870: ScriptedDecisionNodes schema config not upgraded and sharedState does not work after upgrade

OPENAM-17830: Error messages are logged when the Push Notification Service is absent

OPENAM-17828: Apostrophe in username breaks Push/OATH device registration

OPENAM-17826: introspect endpoint returns a static value for expires_in when using client-based tokens

OPENAM-17814: Auth Tree step-up fails if username case does not match

OPENAM-17793: OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname

OPENAM-17783: Language tag limited to 5 characters instead of 8

OPENAM-17782: Policy evaluation fails with 400 error when user does not exist

OPENAM-17760: PEM support incorrectly decodes some EC private keys

OPENAM-17718: OAuth 2.0 introspection endpoint does not accept Accept header with extra accept extension param (like weight q=0.8) or charset

OPENAM-17689: LDAPv3PersistentSearch should log when psearch connection is lost

OPENAM-17688: InMemoryCtsSessionCacheStep#cacheTrusted field should be marked volatile

OPENAM-17683: Selfservice user registration auto login fails for a sub-realm

OPENAM-17678: Radius server fails to initialize on startup due to Config cache refreshed

OPENAM-17677: oauth2/device/code endpoint does not support locale parameter

OPENAM-17663: Improve the error response code for "Failed to revoke access token"

OPENAM-17610: OTP Email Sender node does not let you specify connect timeout and IO/read timeout for underlying transport

OPENAM-17593: Deadlock when admin token is invalid and when config data is cleared

OPENAM-17591: Session quota destroy next expiring action can fail when two new sessions attempt to read and update the same expiring session

OPENAM-17590: OIDC login hint cookie broken since 7.0

OPENAM-17587: OIDC bearer token authentication module requires context value setting for client secret

OPENAM-17548: Can’t go back to login page after invoking Social Authentication Nodes

OPENAM-17521: Insufficient error logging to track down Multivalued RDNs not supported issue

OPENAM-17515: Sub attribute in access token can be in wrong case

OPENAM-17493: OAuth 2.0 node does not support external proxy authentication (user/pass)

OPENAM-17440: OAuth 2.0 service provider does not error if IAT attribute is mandatory but not issued

OPENAM-17426: No validation for attribute collector node

OPENAM-17405: Token introspection response not spec compliant

OPENAM-17351: AM File based config setup cannot be used with AM recording to dump the config

OPENAM-17320: Revisit prompt=login behavior change that keeps existing session

OPENAM-17308: Custom IdRepo uninstall realm-config/services/id-repositories?_action=nextdescendents fails

OPENAM-17265: Amster updates incorrect authorized_keys file

OPENAM-17040: UMA policy creation does not work with shared repo

OPENAM-16988: accessedEndpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16953: Custom idrepo sample using IdRepoConfig does not work

OPENAM-16881: SAML federation library stopped supporting ACS URLs with query parameters

OPENAM-16653: Identity using fr-idm-uuid has wrong account ID in FR Authenticator

OPENAM-16642: Server id creation can fail when id is greater than 100

OPENAM-16490: OWASP ESAPI broken

OPENAM-16418: Client auth using private_key_jwt fails with 500 if claim format is wrong

OPENAM-16262: Javadocs for IdUtils needs updating

OPENAM-16216: Get Session Data node improvements

OPENAM-15472: HOTP - text for performed attempts is hard-coded and not localisable

OPENAM-15408: oauth2/connect/jwk_uri does not expose keys of the remote consent agent profile

OPENAM-15278: "Access Denied" error when accessing logout link and not currently signed in

OPENAM-14343: AM console - localisation issue for algorithms in global Common Federation Configuration

OPENAM-13855: CTS creates too many connections to DS

OPENAM-13312: Stateless non-expiring refresh tokens fail with "invalid_grant"

OPENAM-12969: UMA Resource deletion results in a 500 error unless another resource has been created within the same resource set

OPENAM-11636: IdP-Proxy - proxyidpfinder.jsp is not triggered when 'Use IDP Finder' is enabled for remote SP entity

OPENAM-17396: Terms of Service URI Link does not Display in Consent Page

OPENAM-17395: SocialOpenIdConnectNode fails to recover from client’s connection reset

OPENAM-17365: Checking agent type with caller token can cause deadlock

OPENAM-17364: Prompt login / session upgrade / OIDC ACR looping with trees

OPENAM-17361: API Explorer Swagger Template body needs modified to include configExport, debugLogs and threadDump as per the API Documentation

OPENAM-17357: Remote Consent Service RCS does follow RCS consented scope when authorization endpoint accessed without any scope

OPENAM-17353: HTML pages are not picked up when placing in a theme folder

OPENAM-17349: OIDC Refresh token - Ops token is deleted from the CTS during refresh

OPENAM-17343: Access token call returns 500 error if password needs to be changed or has expired

OPENAM-17322: SAML2 bearer grant returns NoUserExistsException

OPENAM-17317: A realm without any modules can cause increased thread count and slow response.

OPENAM-17276: AM recorder does not record anymore

OPENAM-17271: Typo for Realm in SAML/Federation debug

OPENAM-17260: Allow arg=newsession usage in authorize calls

OPENAM-17242: OAuth2 Policy - Environment Condition AuthLevel >= doesn’t work for ROPC grant

OPENAM-17220: OAuthLogout.jsp compilation error isGotoUrlValid method signature not found

OPENAM-17199: Insufficient debug logging for 'DJLDAPv3Repo.getAssignedServices'

OPENAM-17156: Adaptive Risk checkGeoLocation null countryCode can cause module fail.

OPENAM-17136: OAuth2 Dynamic Client Registration does not recognise recognised spec defined parameters

OPENAM-17121: Inefficient synchronized block in OAuth2ProviderSettingsFactory

OPENAM-17114: Save Consent check box always shown, even when not configured

OPENAM-17097: Inconsistent scope policy evaluation between authorize and ROPC

OPENAM-17089: Forgot password functionality broken

OPENAM-17070: SAML2 SP intiated SSO with AM as idp Proxy, RelayState is not returned from proxy after idp authentication

OPENAM-17060: Audit Logging "Resolve host name" is still available after OPENAM-7849

OPENAM-17037: AM Upgrade from 6.0.0.7 to 7.0.0 causing NPE

OPENAM-17034: In a realm if User Profile is set to Ignored the realm level Session Service quota settings is also ignored and only the Session Service setting at top level/global is evaluated

OPENAM-17017: REST STS fails with unable get get sub-schema if cache is refreshed while updating REST config

OPENAM-17006: Hosted SAML entity - can not remove bindings

OPENAM-16998: Poor logging around failures "Invalid Assertion Consumer Location specified"

OPENAM-16997: Device code grant implied consent fails if access_token request performed before user authenticates

OPENAM-16988: Accessed endpoint including port causes verify Assertion Consumer URL to fail

OPENAM-16955: When setCookieToAllDomains=false is used, a non matching request from other domain will fail

OPENAM-16947: Kerberos Node in 7.0 fails to return goTo(false)

OPENAM-16944: LDAP Decision node fails if inetuserstatus does not exist

OPENAM-16936: Tree nodes create new keystore object each time node is called.

OPENAM-16935: Logout issue after logging into AM with 'Remember my username' selected with iOS 14.0.1

OPENAM-16934: sm.getSchemaManager has a typo including a comma

OPENAM-16926: Success URL node doesn’t work with SAML Node for Idpinit when not using Integrated mode

OPENAM-16910: Can not create SAML entity with entity id including a semicolon ';'

OPENAM-16907: Kerberos Node in 7.0 does not work

OPENAM-16904: OIDC bearer module fails with NPE when id_token does not contain kid

OPENAM-16883: AM ignores AuthnRequestsSigned property during SSO

OPENAM-16876: Default ACR values on OIDC client profile is not honoured in order of preference

OPENAM-16866: AM should fail gracefully if id_token fails to generate when swapping refresh token

OPENAM-16849: WeChat Social Auth module broken (regression)

OPENAM-16848: Choice Collector and WDSSO node combination does not work if whitelisting is enabled

OPENAM-16847: AM email service failing with 'Start TLS' option

OPENAM-16838: AuthenticationApproachChecker does not handle session upgrade modules

OPENAM-16823: IDM Nodes does not send or propagate transactionId tracking when contacting IDM

OPENAM-16807: The dynamic values for request_uri being stored in client config does not expire and is not automatically removed

OPENAM-16801: SAML2 SP init SSO fails after upgrade to 7.0.0

OPENAM-16784: Upgrade to 7 fails with NullPointerException in Saml2EntitySecretsStep

OPENAM-16769: Enabling Auto-federation when User Profile is Dynamic on SP causes SP to hang during SAML flow

OPENAM-16758: Cannot install AM 7 on Windows

OPENAM-16745: client_id in access token ignores what’s been registered when idm cache is disabled

OPENAM-16726: Insufficient debug logging for OAuth2 error 'invalid_client Server does not support this client’s subject type'

OPENAM-16703: OAuth2 Access token obtained from refresh token is certificate-bound regardless of "Certificate-Bound Access Tokens" configuration (when client_secret_basic used for credentials)

OPENAM-16701: The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent’s ID token

OPENAM-16684: OIDC Dynamic Registration client_description cannot take String type

OPENAM-16669: IdentityGateway Agent entry missing attribute required to support org.forgerock.openam.agent.TokenRestrictionResolver#getAgentInfo

OPENAM-16617: SuccessURL session property is set to gotoURL in authentication tree

OPENAM-16608: AM with embedded DS setup fails with permission denied for truststore

OPENAM-16583: Crucial information is missing when encountering LDAP connections issue.

OPENAM-16556: Radius Server’s does not log IP address into AM Audit logs

OPENAM-16555: Audit logging does not tell which policy allowed or denied a resource request

OPENAM-16540: Issues with Social Login URLs when navigating quickly between providers

OPENAM-16535: "JWKs URI content cache miss cache time" is not triggered when "kid" is missing from cached JWK Set

OPENAM-16515: Social auth - insufficient debug logging for troubleshooting

OPENAM-16485: 'Failed Login URL' is not picked up from the auth chain

OPENAM-16472: Proxied Authentication fallback may not work when user entry lack some attributes

OPENAM-16450: 501 when default resource version set to "oldest" and Accept-API-Version header set

OPENAM-16418: private_key_jwt client auth fails with 500 if claim format is wrong

OPENAM-16368: Settings of Mail and Scripting global service properties are overwritten at upgrade

OPENAM-16367: OIDC request_uri response causes NPE while debug logging

OPENAM-16354: Concurrency bug in OAuth2ProviderSettingsFactory

OPENAM-16338: Failing REQUISITE module after SUFFICIENT Device Match doesn’t fail chain properly

OPENAM-16157: Session Property Whitelist Service allows case variant Property Names but DS is not case sensitive

OPENAM-16152: After upgrade, new Identity page has duplicate 'new identity' field and email address does not save

OPENAM-16006: Device Code Grant does not work with Implied Consent as Authorization is not approved even after consented

OPENAM-15963: Historical retention files ( csv ) were not deleted

OPENAM-15948: Update DS profiles to add VLV indexes for CTS use

OPENAM-15743: Excessive CTS logging when Reaper is disabled (com.sun.am.ldap.connnection.idle.seconds=0)

OPENAM-15671: LoginContext is missing debug logging for troubleshooting

OPENAM-15663: UserInfoClaims is not part of public API

OPENAM-14898: OTP Email Sender Authentication Node fails if no SMTP authentication credentials are specified

OPENAM-14682: Microsoft Social Auth fails when creating an Microsoft account (Legacy OAuth2)

OPENAM-14527: Microsoft Social Auth does not work with latest MS endpoints (Legacy OAuth2)

OPENAM-12503: SizeBasedRotationPolicy does not delete oldest file

OPENAM-16433: Audit Logging change of behaviour when capturing "principals" and "userid" data for each authentication entry.

OPENAM-16425: AM does not handle malformed/incorrect signature correctly

OPENAM-16402: The passwordpolicy.allowDiagnosticMessage should be applicable to admin and selfservice password change.

OPENAM-16379: URL fragments like # cause forbidden login in the XUI

OPENAM-16284: XUI does not handle Special Chars / UTF-8 in realms properly.

OPENAM-16279: AgentsRepo cannot recover when it fails especially on external Application store.

OPENAM-16251: OIDC authentication request with parameters 'prompt=none' and 'acr_values=' triggers authentication

OPENAM-16240: REST STS under subrealm cannot generate id_token with realm claim

OPENAM-16233: Policy evaluation fails when subject not found (even in ignore profile)

OPENAM-16214: Push Authentication Module does not work on Session Upgrade when User Cache disabled

OPENAM-16184: Zero Page Login Collector does not work with UTF-8 base 64 encoded usernames and passwords

OPENAM-16165: social authmodule causes NullPointerException

OPENAM-16164: social authmodule fails if OIDC provider uses algorithm RS256 to sign Id Token

OPENAM-16136: queryFilter only matches against first entry in array

OPENAM-16132: When TtlSupport is enabled, Stateless OAuth2 Refresh token and JWT whitelist fails on synchroniseExpiryDates

OPENAM-16032: Unable to delete devices with Recovery Code Collector Decision Node

OPENAM-16031: Intermittent error message when concurrent obtain SSO Token ID with session quota constraints

OPENAM-16014: An invalid user passed to any WebAuthn node throws NPE and breaks the Tree flow

OPENAM-16013: Mismatched kid from Json Web Key URI when Specified Encryption Algorithm

OPENAM-16009: Windows Desktop SSO node full adoption and compliance with tree node specifications

OPENAM-15989: OAuth2 client_id should be url-decoded when using basic auth

OPENAM-15982: OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

OPENAM-15970: Access Token introspect Fails in subrealm after root realm modified

OPENAM-15944: WS-Federation - RPSignin Request fails because config data is used unchecked

OPENAM-15905: Login failure with Post Authentication Plugin on timed out Authentication session throws NullPointerException

OPENAM-15900: Kerberos fails when used with IBM JDK

OPENAM-15896: WS-Federation relying party initiated passive request - stuck at Account Realm selection

OPENAM-15881: Custom AM User (amUser.xml) field does not use default values from the schema

OPENAM-15858: Auth Tree fails before 'Max Authentication Time' is reached if authentication session state management scheme CTS is used

OPENAM-15853: External UMA store fails on resource creation

OPENAM-15805: idtokeninfo endpoint gives invalid signature error when ID Token is expired

OPENAM-15785: OIDC spec violation - HTTP POST can not be used to send Authentication Request

OPENAM-15784: Form elements in policy environment condition tab are displayed twice

OPENAM-15766: LoginState - account lockout is checkout although AM AccountLockout is disabled

OPENAM-15758: KeyStore Secret Store fails to start due to secretId having some characters.

OPENAM-15750: ERROR: OAuth2Monitor: Unable to increment "oauth2.grant" metric for unknown grant type BACK_CHANNEL

OPENAM-15724: SAML2 entities do not set amlbcookie if there is only one server

OPENAM-15713: AM SP drop the 80 characters RelayState silently for HTTP Redirect

OPENAM-15698: IdP-initiated SSO fails with error 'Error processing AuthnRequest. IDP Session is NULL'

OPENAM-15697: Default ACR values from OAuth2 provider not taken into account

OPENAM-15694: RestSTSServiceHttpRouteProvider causes memory leak by adding route for every access

OPENAM-15679: The option "com.sun.am.ldap.connnection.idle.seconds" has a misspelling

OPENAM-15670: DeviceIdSave auth module initialization fails if username is null

OPENAM-15667: AM debug log does not tell which auth-module was handled - needed for troubleshooting

OPENAM-15645: The &refresh=true|false parameter for _action=validate is not working as expected

OPENAM-15632: OAuth2 Refresh token lifetime with -1 (never expires) cannot work with CTS TTL support

OPENAM-15628: Grant-Set Storage Scheme for CTS does not work with CIBA Flow

OPENAM-15627: Switching CTS Storage Scheme to "Grant-set" fails with stateless refresh-tokens created with "One-To-One"

OPENAM-15579: AM cookies are not set after successful SP-initiated SSO flow if SP Adapter calls 'response.sendRedirect(String)'

OPENAM-15559: OATH module broken in Japanese locale

OPENAM-15533: WS-Federation doesn’t work with Authentication Trees

OPENAM-15530: OAuth2/OIDC - Resource Owner Password flow with a public client creates an AM session in CTS

OPENAM-15520: XUI Localisation Falls Back To AM-Default "EN" Instead Of Language-Default

OPENAM-15508: moduleMessageEnabledInPasswordGrant does not apply to Trees

OPENAM-15507: 500 error when calling /revoke or /refresh endpoint with wrong token

OPENAM-15501: Xml encryption 1.1 namespaces aren’t always mapped to prefixes correctly

OPENAM-15494: AM expects nonce request parameter in authorize request when no id_token will be returned

OPENAM-15491: Self service password reset returns 500 Internal Server Error, when new password rejected by datastore password policies.

OPENAM-15489: WebAuthN Auth Node Doesn’t Respect UV=Discouraged During AuthN

OPENAM-15465: Sending HTTP Callback from Inner Tree Evaluator Fails Authentication

OPENAM-15459: When Encrypted Attributes on SP is set only with AutoFederation enabled, the attributes get decryption error

OPENAM-15425: OIDC endsession - encrypted id_tokens are not supported

OPENAM-15374: OpenID Client authentication with private_key_jwt and client_secret_jwt does not enforce required jti claims

OPENAM-15355: PageNode with multiple InputNodes without value throws Unsupported InputOnlyPasswordCallback

OPENAM-15349: Access Token request returns a 500 error

OPENAM-15345: at_hash value generated does not take the latest modified access token

OPENAM-15323: ROPC with tree throws "Internal Server Error (500)" when user credentials are incorrect using AuthTree

OPENAM-15307: Trees Example is not working as expected OOTB to ?service=Example

OPENAM-15303: Claims with multiple values in issued_token from REST STS represented inconsistently.

OPENAM-15244: AM configuration does not perform schema extension for identity store although it has the permissions

OPENAM-15210: Authentication nodes that is assigned AuthType values may not work in Session Upgrade case with custom modules

OPENAM-15164: CDSSO with "ignore profile" throws "No OpenID Connect provider"

OPENAM-15160: LDAP Decision Node throws NPE when custom ldap server returns LDAP code 50 on bind

OPENAM-15150: Upgrade fails when there is a bad Token Signing ECDSA public/private key pair alias field

OPENAM-15147: HTTP 500 upon accessing openam/json/

OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken

OPENAM-15121: Persistent Cookie Auth Tree does not work after the second relogin ( with browser closed )

OPENAM-15117: KeyVault KeyStoreType not supported

OPENAM-15116: Auth ID jwt can be modified to determine whether a realm exists or not

OPENAM-15105: Unable to get trusted devices using REST API

OPENAM-15101: Remove the ability to disable XUI

OPENAM-15089: SAML SLO - Allow RelayState to be a path-relative URL

OPENAM-15076: webAuthn config does not allow for multiple origins under the same rpId

OPENAM-15044: OpenID connect id_token bearer Module Unable to obtain SSO Token due to OpenIDResolver Caching

OPENAM-15036: Cannot view/manage SAML IdP entity in console, imported from schema compliant meta data file

OPENAM-15028: Cannot load metadata in ssoadm without extended metadata

OPENAM-15012: OIDC - JWT Request Parameter returns errors in query, not in the fragment

OPENAM-14995: IdP Initiated single logout only performs local logout if IdP session cannot be found in cache

OPENAM-14991: Changes to boot.json are overwritten

OPENAM-14979: NPE in UtilProxySAMLAuthenticatorLookup if there is a failure to find cached oldSession in sessionUpgrade

OPENAM-14977: PKCE Code challenge method for Authorization Code if not set should use plain

OPENAM-14966: Performing access_token with arbitrary text as trusted cert header causes server error

OPENAM-14919: Unncessary 'Unable to parse packet received from RADIUS client' log entries in log file

OPENAM-14901: XUI - SAML2 module doesn’t redirect to IDP if it’s 2nd in the chain

OPENAM-14895: user identity creation fails with "Identity \*" of type user not found.

OPENAM-14893: XUI displays multiple error messages when an authentication session times out

OPENAM-14889: Upgrade of Peristent Cookie auth module fails

OPENAM-14883: OAuth2/OIDC - Issuing client secret to Public clients during registration

OPENAM-14881: AM Proxied authorization feature on DataStore does not work with locked or expired DJ accounts for password change (gives errorcode=123)

OPENAM-14867: AuthType is not set for Authentication Tree (AnyKnownUserAuthzModule fails in AuthTree)

OPENAM-14859: ROPC throws "Internal Server Error (500)" when 'Password Grant authentication service' is empty

OPENAM-14858: When NameIDPolicy does not contain Format=.., remoteEntityID is passed as null

OPENAM-14848: Insufficient debug logging in OpenID Connect authentication module

OPENAM-14845: user info endpoint does not correctly handle Certificate Bound Access Tokens

OPENAM-14829: AuthSchemeCondition doesn’t return realm aware policy condition advice

OPENAM-14825: OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

OPENAM-14804: Memory leak when running UMA RPT soak test

OPENAM-14799: Unable to update Agent profile using REST

OPENAM-14794: User privileges are removed from group if another group is given same privilege

OPENAM-14786: idpSingleLogoutPOST throws error 500 IllegalStateException on SLO

OPENAM-14783: PKCS11 KeyStore does not work on IBM JVM

OPENAM-14782: AuthTree created Session does not use per User Session Service settings

OPENAM-14766: introspect and tokeninfo endpoints return Internal Server Error 500 in some invalid tokens

OPENAM-14717: mailto attribute have space between ':' and mail address

OPENAM-14694: Consent page still shows claim values even when supported claim description is omitted

OPENAM-14651: OAuth2 GrantSet E-Tag Assertion Failures due to Stale Reads

OPENAM-14581: handling ManageNameID fails if NameID does not include SPNameQualifier

OPENAM-14578: WDSSO failing but no fallback…​

OPENAM-14573: amlbcookie is not secure when authenticating with trees

OPENAM-14572: prompt=login destroys and creates new session

OPENAM-14570: OAuth mTLS DN comparison fails when DER-encoding is different

OPENAM-14548: consent page still shows what’s been granted/removed as a result of OAuth2 scope policy evaluation

OPENAM-14546: SSOADM access not audited to the ssoadm.access logs anymore

OPENAM-14539: SAML SLO with multi protocols

OPENAM-14529: UMA RPT expiry time incorrect in CTS

OPENAM-14523: NullPointerException in IdP-initiated ManageNameIDRequest using SOAP Binding

OPENAM-14503: SAML2 - Key Transport Algorithm - RSA OAEP must be supported

OPENAM-14483: If there is no token, then landing on the AM login page will result in 2 getSessionInfo Requests = 401 UnAuthZ

OPENAM-14480: AuthLoginException is lost

OPENAM-14471: Failed to create root realm for data store (External Policy | Application)

OPENAM-14465: SAML2 Artifact binding fails on multi-instance / multiserver IDP setup with SAML2 Failover on

OPENAM-14464: XUI sends the following message "Loading custom partial "${partialPath}" failed. Falling back to default." to the browser console when a custom theme is used

OPENAM-14450: userinfo typo in Claims.java

OPENAM-14426: Unable to add external data store in AM (Policy | Application) when using TLS/SSL

OPENAM-14419: Policy evaluation returns search results for all policies that match outside of specified application

OPENAM-14393: CTS Operation Fails Entry Already Exists logged for SAML2 Authentication is done

OPENAM-14391: Self Service Link not Display when Using Authentication Tree

OPENAM-14378: 'Set Persistent Cookie' node sets domain cookies in only one domain despite multiple Cookie Domains set

OPENAM-14369: Upgrading from OpenAM 13.5.0 with custom PAPs causes NPE failure

OPENAM-14362: UMA load test fails with Invalid resource type error

OPENAM-14353: Error Message not Displayed when Change Password does not Meet Password Policy

OPENAM-14337: Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

OPENAM-14313: Audit Logging - STS transformations create duplicate entries

OPENAM-14310: CheckSession page indicates the session is not valid

OPENAM-14294: am-external Git repository 6.5 have bad source

OPENAM-14281: IdP Proxy relays wrong AuthnContextClassRef

OPENAM-14239: FMSigProvider.verify NPE with null input for certificates

OPENAM-14233: updated_at claim in the ID Token is returned as a string and not a number

OPENAM-14232: Performance issue when creating resource_set in UMA with many existing resource_set

OPENAM-14229: custom AuthorizeTemplate under theme not used

OPENAM-14213: Cannot view SAML SP entity imported with missing AuthnRequestsSigned attribute

OPENAM-14212: SAML redirect to login page fails if AM installed into the root context

OPENAM-14200: Social auth modules do not work when AM is installed into the root context

OPENAM-14189: effectiveRange of Time environment has issue

OPENAM-14175: CTS updates on multivalue attributes may throws Duplicate values exception

OPENAM-14174: AM shows Ldapter.delete exception when session expires is triggered

OPENAM-14167: HTML tags are shown part of the messages in Change Password section of AD Authentication module.

OPENAM-14147: arg=newsession in XUI just shows the "Loading…​" page

OPENAM-14115: Sample Auth module does not work in a chain when used with Shared-state

OPENAM-14112: Using client-based sessions when acting as SP can lead to an out-of-date client-based session cookie

OPENAM-14111: Refresh Token flow not enabled on OAuth2 Client can still use Refresh Token flow

OPENAM-14062: Redirect to Failure URL does not occur when authentication tree is not interactive

OPENAM-14054: XUI Custom templates and Partials not applied consistently

OPENAM-14053: Cannot build AM UI in Windows for Yarn using mvn

OPENAM-14040: LdifUtils debug logging prints out wrong classname

OPENAM-14018: Radius Authentication Module Primary and Secondary Radius Server help button shows server:port when it should be server

OPENAM-13999: Custom node containing ConfirmationCallbacks fails when dropped in a page node.

OPENAM-13991: 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

OPENAM-13978: Session Upgrade - AuthLevel format changes

OPENAM-13942: SAML2 Circle of Trust - REST Update doesn’t update the metadata of the provider

OPENAM-13934: saml2error.jsp fails with exception when malformed SAML2 response given

OPENAM-13900: OAuth2 Device flow - duplicate user_code error after authenticating user

OPENAM-13892: Erroneous "Response’s InResponseTo attribute is not valid error "SAML2 failover is enabled" when it is not

OPENAM-13890: Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext

OPENAM-13851: Rest STS cannot be created in the Console when upgrading to 6

OPENAM-13831: RP-Initiated Logout does not handle state parameter

OPENAM-13779: Session API - _action=refresh requires an admin token

OPENAM-13764: Monitoring logs in ERROR for "Agent.configAgentsOnly:agent type = OAuth2Client"

OPENAM-13720: Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals

OPENAM-13490: Software Publisher Agent - Secret is not saved when creating an Agent

OPENAM-13465: Dynamic client registration sets wrong subjectType

OPENAM-13446: Social Auth Service doesn’t redirect if already using another chain

OPENAM-13419: LDAPPolicyFilterCondition doesn’t set request timeout

OPENAM-13324: /users/{user}/devices/trusted REST queryFilter expression does not work and acts as "true"

OPENAM-13064: OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

OPENAM-13000: Custom authentication module with a single ChoiceCallback value is processed without confirmation

OPENAM-12955: Resource Owner Password Credentials Grant does not work with trees

OPENAM-12759: max_age should a number, not a string

OPENAM-12574: SAML2Utils.sendRequestToOrigServer throws NullPointerException on processing Cookies

OPENAM-12498: Authorization Grant response returns scope(s) in the URL

OPENAM-12228: WebAgent REST API queryFilter expression does not work and acts all "true"

OPENAM-12186: Introspect endpoint for RPT does not check the authorization scheme

OPENAM-11921: Incorrect NameId Format offered for SAML2 auth module in console

OPENAM-11863: CORSFilter position in web.xml should come before most filters

OPENAM-11778: Getting accessToken using authorization_code result in Unhandled exception

OPENAM-11338: OpenID Connect id_token bearer auth module mixes up aud, azp during verification

OPENAM-10869: SAML2 Authentication module return "Unable to link local user to remote user" ambiguous.

OPENAM-10843: When generating an OIDC token through STS a "kid" value is not specified

OPENAM-10127: SessionMonitoringStore should only be instantiated when monitoring is enabled

OPENAM-9931: Global Session Service - two fields with the exact same name (Redundant 'Global Attributes' setting should be removed)

OPENAM-9777: Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly

OPENAM-9459: 500 Internal Server Error from changePassword endpoint with AD repo

OPENAM-5867: Data Store LDAP server (admin-ordered) list is reordered by OpenAM

OPENAM-11834: Passwords being set to empty strings in tabbed forms in XUI

OPENAM-11646: Cookie values wrapped in double quotes

OPENAM-11632: CDCServlet does not work with realm

OPENAM-11610: WindowSSO module broken in AM 5.5 after upgrade

OPENAM-11526: Realm Authentication chain post authentication classes PAP not triggered on chains with multiple modules

OPENAM-11391: Requesting 'OAuth2.0/OIDC' auth module a second time results in display of AM’s "Authentication Failed" page

OPENAM-11300: OIDC request parameter is failing when message level is enabled

OPENAM-11280: authentication with noSession=true fails if post authentication plugin class is present

OPENAM-11218: OpenAM throws service error for Application Module

OPENAM-11217: SAML2 Authentication module is not invoking custom SP Adapter class implementing a preSingleSignOnRequest() method

OPENAM-11196: Incorrect debug logging level used in FMEncProvider.getEncryptionKey

OPENAM-11154: Memory leak in SMSEventListenerManager#subNodeChanges

OPENAM-11115: Push authentication should use alias attributes to find identities

OPENAM-11101: Social Auth links do not contain the goto url

OPENAM-11070: Need OAuth2 authentication to work in Android with implied consent

OPENAM-11057: Global User Self Service UI does not display values

OPENAM-11015: ForceAuth session upgrade does not work

OPENAM-10971: FR-OATH auth module can not be used in auth chain if the username in sharedstate map does not 'match' the search attribute of the data store

OPENAM-10970: logout response binding should be selected based on the capabilities of the SP

OPENAM-10965: Stateless OAuth2 can’t verify access and refresh token

OPENAM-10931: IdentitySubject not adding isMember() result to cache after entry has changed

OPENAM-10782: endSession with an id_token generated from a refresh_token request does not destroy the session

OPENAM-10756: setSucessModuleNames in AMLoginModule calls AuthModule’s getPrincipal multiple times

OPENAM-10585: The "claims" Request Parameter from the openid standard isn’t functional

OPENAM-10578: Stateless access token doesn’t contain the grant type

OPENAM-10562: Audit log 'Configuration' entries are not written when using external configuration store

OPENAM-10332: Quota constraints exceeded - Interim Fix

OPENAM-10129: OAuth2 Device flow - user code verification is case-insensitive

OPENAM-10103: output from re-indexing action during initial configuration is lost

OPENAM-10102: insufficient progress information during configuration

OPENAM-10013: HOTP session upgrade not possible in XUI if the wrong code is entered first time

OPENAM-9979: Authentication chain post authentication classes are not used if realm level PAP setting exists

OPENAM-9885: Oauth2 load: Tomcat keeps logging "WARNING: Addition of the standard header "Pragma" is discouraged as a future version of the Restlet API will directly support it"

OPENAM-9156: 'Not Found' error in UI when opening a custom auth module created with ssoadm with the name the same as type

OPENAM-8771: "Unknown Error: Please contact your administrator", shown with FacebookSocialAuthentication option "Prompt for password setting and activation code" (org-forgerock-auth-oauth-prompt-password-flag)

OPENAM-8270: Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens

OPENAM-8063: Merge Debug Files feature does not work correctly

OPENAM-7781: persistent cookie auth module does not allow to change cookie name by default

OPENAM-7437: Finish button of Identity Provider wizard doesn’t work

OPENAM-5864: Quota constraints exceeded in multi-instance with LB and CTS enabled

OPENAM-5153: Auth modules should call setAuthLevel after successful login

OPENAM-5152: AMAuthLevelManager miscalculates auth level

OPENAM-3679: IDP Finder fails to validate relaystate

OPENAM-1325: OpenAM fails to setup when deployed under the root uri ( '/' )