Incompatible Changes

Incompatible Changes in IG 7.0.2

To prevent redirects to malicious web sites, IG now validates the `goto` query parameter in requests to OAuth2ClientFilter `/login` and `/logout` endpoints.

The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error. To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.

For more information, see "OAuth2ClientFilter" and "ForwardedRequestFilter".
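
The goto rule described above, as an added Python sketch for checking existing goto values before upgrading (this is not IG's own code). It assumes that an omitted port equals the scheme's default and that a relative URI is any value without a scheme or authority; the host names and paths are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """Return (scheme, host, port); an omitted port maps to the scheme default (assumption)."""
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def goto_allowed(original_uri, goto):
    """Approximate the documented rule: same scheme, host and port, or a relative URI."""
    # Backslashes and control characters are parsed inconsistently by clients; reject them.
    if not goto or "\\" in goto or any(ord(c) < 0x20 for c in goto):
        return False
    try:
        base, target = urlsplit(original_uri), urlsplit(goto)
        if not target.scheme and not target.netloc:
            return True  # relative URI: path (plus optional query/fragment) only
        # Absolute or scheme-relative ("//host/...") values must match the original origin.
        return _origin(target) == _origin(base)
    except ValueError:  # malformed port or authority
        return False


def rejected(original_uri, gotos):
    """Return the goto values that would fail the check, in input order."""
    return [g for g in gotos if not goto_allowed(original_uri, g)]


# Constructed sample values, e.g. collected from application links before upgrading.
ORIGINAL = "https://app.example.com/home/id_token/login"
SAMPLES = [
    "/home/id_token",
    "https://app.example.com:443/profile",
    "http://app.example.com/profile",
    "https://app.example.com:8443/profile",
    "https://partner.example.net/landing",
    "//partner.example.net/landing",
]

if __name__ == "__main__":
    for g in rejected(ORIGINAL, SAMPLES):
        print("would be rejected:", g)
```

Values reported here are the ones that need either a same-origin goto or a ForwardedRequestFilter that changes the original URI.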

Incompatible Changes in IG 7.0.1

No incompatible changes have been introduced in this release.

Incompatible Changes in IG 7.0.0

The following changes introduced in this release can impact your migration from IG 6.5:

When IG uses AM federation libraries generated from AM 6.5.2 or earlier, add the following lines to the file:

    # Specifies implementation for
    # org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider interface.
    # This property defines the default base url provider.

When entity is used in the StaticResponseHandler, Content-Type is a required header. In previous releases, Content-Type was optional.

For an example configuration, see the headers property of "StaticResponseHandler".

IG 7.0 requires Java 11. Java 8 is not supported.

ForgeRock Directory Services (DS) is now secure by default. Connections between IG and DS must therefore be configured for TLS.

IG now supports Groovy 3.0. For information about the Groovy version, see the Groovy Documentation.

JwtSessionFactory is no longer an alternative type for JwtSession.

The default skew allowance in JwtSession has been reduced from 2 minutes to zero, and a property to configure the skew allowance has been added in JwtSession. For information, see "JwtSession".

Oracle recommends the use of PKCS12 keystores. From Java 9, Oracle has provided more support for PKCS12. From Java 11, Oracle has changed the default keystore to PKCS12.

Following this lead, the default type for KeyStore and KeyStoreSecretStore is now based on the keystore extension. If the keystore extension is not recognized, the default type is PKCS12. In previous releases, the default type was the one used by the platform.

To ensure backward compatibility where keys are generated using a non-PKCS12 type (for example, JKS), specify type in KeyStore or storeType in KeyStoreSecretStore.

For information, see "KeyStore" and "KeyStoreSecretStore".

In previous releases, after an access_token resolver validated an access_token, the OAuth2ResourceServerFilter checked that the access_token was not expired. From this release, the OAuth2ResourceServerFilter considers any token returned by an AccessTokenResolver as valid, and checks only that the required scopes are present.

For information, see "OAuth2ResourceServerFilter".

When gracefulStop is true, the ScheduledExecutorService now removes submitted jobs and attempts to end running jobs, after respecting the gracePeriod. In previous releases, when gracefulStop was true, it did not remove or end jobs.

For information, see "ScheduledExecutorService".

To prevent logging of sensitive data for an event, the Common Audit Framework now uses a whitelist to specify which event fields appear in logs. Compared to previous releases, different event fields are included by default in the logs.

The AuditService includeIf property has been implemented to include non-whitelisted event fields in the logs. For information about how to include or exclude event fields, see "Safelisting Audit Event Fields for the Logs".

In OAuth2ClientFilter, registrations are now identified by the ClientRegistration property clientId instead of name. In this release, IG automatically rewrites OAuth2Session tokens that use name to use clientId. Registration by name will be removed in a later release.

When a user initiates a login with the OAuth2ClientFilter, the login endpoint uses the ClientRegistration property clientId:


In previous releases, the login endpoint used the ClientRegistration property name:


Similarly, the login endpoint in Nascar pages uses client_id instead of name.

For information, see "ClientRegistration", and the example route in "Using Multiple OpenID Connect Providers".

A client handler named SplunkClientHandler can now be declared in the heap of a route that uses a SplunkAuditEventHandler. The client handler relays audit events to Splunk.

In previous releases, it was necessary to configure a client handler named ElasticsearchClientHandler, or use the route's default client handler. For more information, see "SplunkAuditEventHandler".
