IG 7.1.2

Incompatible Changes

Incompatible Changes in IG 7.1.2

The following change introduced in this release can impact your migration from IG 7.1.1:

Logback Upgrade

IG has upgraded the version of Logback, used for the logging framework. The Logback update introduces changes that can affect your existing deployment. For more information about changes in Logback, see the Logback website.

Incompatible Changes in IG 7.1.1

The following change introduced in this release can impact your migration from IG 7.1:

Proxying WebSocket Traffic in Standalone Mode

When IG is in standalone mode, proxying WebSocket traffic can produce errors when requested subprotocols are not supported. To prevent these errors, you must now list the subprotocols that are proxied by IG in the vertx property of admin.json.

Incompatible Changes in IG 7.1

The following changes introduced in this release can impact your migration from IG 7.0:

Name of TimerDecorator in Prometheus Output

In the Prometheus output, information for the default TimerDecorator is always included as name="gateway.timer".

In previous releases, information is included in the Prometheus output as follows:

  • When a default TimerDecorator is not declared in config.json, information is included as name="timer".

  • When a default TimerDecorator is declared in config.json, information is included as name="gateway.timer".

For more information, see TimerDecorator.

Runtime expressions that consume streamed content written with a #

To prevent IG from blocking executing threads, write runtime expressions that consume streamed content with # instead of $. This ensures that IG does a deferred evaluation.

For IG in standalone mode, when the new streamingEnabled property in admin.json is true, expressions that consume streamed content must be written with # instead of $.

For more information, see runtime expression.

New methods for asynchronous execution of scripts

This change is required if the new streamingEnabled property in admin.json is true. Otherwise, the change is recommended but not required.

APIs that read the entity content have been updated to execute scripts asynchronously.

Username of an AM Identity is Now subname

Before AM 7.1, the sub claim of OAuth 2.0 access_tokens and id_tokens contained only the username. From AM 7.1, the username is contained in the subname claim. The sub claim includes additional information.

Update scripts and expressions in IG that use the sub claim.

Secrets From Secret Stores Expire by Default

Secrets from FileSystemSecretStore, HsmSecretStore, KeyStoreSecretStore, and SystemAndEnvSecretStore now expire after a default of five minutes, or after the time specified in the leaseExpiry property. In the previous release, secrets from these secret stores never expired or had other expiry times.

Entity.toString() Function Does Not Return Content

The Entity.toString() function no longer returns the entity content as a string. Instead, it returns only metadata. This change prevents buffering of the entity content during logging, which, when the entity is big, can impede asynchronous operation.

To return the entity content as a string, replace request.entity.toString() and response.entity.toString() functions with request.entity.string and response.entity.string.

Capture and Logging of Entity

To facilitate asynchronous processing in this release, when the CaptureDecorator property captureEntity is false, the decorator does not capture the message entity, and writes nothing to the logs.

In previous releases, when captureEntity was false, the decorator wrote [entity] in the log to show that there was an entity but that capture was not configured.

RSA Keys MUST be at Least 2048 Bits

For security, RFC 7518 - Digital Signature with RSASSA-PKCS1-v1_5 requires that RSA keys be 2048 bits or larger. Smaller keys are now rejected.

Validation of goto Parameter in OAuth2ClientFilter

To prevent redirects to malicious web sites, IG now validates the goto query parameter in requests to OAuth2ClientFilter /login and /logout endpoints.

The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error.

To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.

For more information, see OAuth2ClientFilter and ForwardedRequestFilter.
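The goto rule above (same scheme, host, and port as the original URI, or a path-only relative URI) is easy to get subtly wrong, so the following added example shows one way to implement that check and the inputs it must reject. This is illustrative code, not IG's own implementation: the function name is_safe_goto, the treatment of an omitted port as the scheme's default port, and the requirement that a relative goto start with "/" are assumptions made here for the example.

```python
from urllib.parse import urlsplit

# Assumption: a URI that omits the port is compared on the scheme's default port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Explicit port if present, otherwise the default for the scheme."""
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def is_safe_goto(goto: str, original_uri: str) -> bool:
    """Return True when `goto` is an acceptable redirect target.

    Accepted: a path-only relative URI, or an absolute URI whose scheme,
    host and port match `original_uri`. Anything else is rejected.
    """
    if not goto:
        return False
    try:
        target = urlsplit(goto)
        origin = urlsplit(original_uri)
        # .port raises ValueError on a malformed port such as "host:abc"
        target_port = _effective_port(target)
        origin_port = _effective_port(origin)
    except ValueError:
        return False

    # Relative target: no scheme and no authority. Reject the "//host" and
    # "/\host" forms, which browsers treat as protocol-relative authorities.
    if not target.scheme and not target.netloc:
        return target.path.startswith("/") and not target.path.startswith(("//", "/\\"))

    # Absolute target: scheme and host are mandatory and must match the origin.
    if not target.scheme or not target.hostname or not origin.hostname:
        return False
    if target.scheme.lower() != origin.scheme.lower():
        return False
    if target.hostname.lower() != origin.hostname.lower():
        return False
    return target_port == origin_port


if __name__ == "__main__":
    # Constructed sample inputs: the original request URI and a few goto values.
    original = "https://app.example.com/login"
    for candidate in (
        "/home?x=1",                              # relative path: accepted
        "https://app.example.com:443/home",       # same origin, explicit port: accepted
        "//evil.example/home",                    # protocol-relative: rejected
        "https://app.example.com@evil.example/",  # userinfo trick: rejected
        "http://app.example.com/home",            # scheme mismatch: rejected
    ):
        print(f"{candidate!r}: {'accepted' if is_safe_goto(candidate, original) else 'rejected'}")
```

The userinfo case is the one most often missed: a naive "starts with the expected origin" string test accepts https://app.example.com@evil.example/, while parsing the authority and comparing the hostname rejects it.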

Copyright © 2010-2022 ForgeRock, all rights reserved.