Incompatible Changes in IG 7.0.2
To prevent redirects to malicious web sites, IG now validates the `goto` query parameter in requests to OAuth2ClientFilter `/login` and `/logout` endpoints.
The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error. To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.
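As an added illustration of the goto rule just described (example code, not IG's own implementation), the function below accepts a goto value only if it is path-only or shares the original request URI's scheme, host and port, normalising default ports; the function names and the sample URIs are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import SplitResult, urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _authority(parts: SplitResult) -> Optional[Tuple[str, str, int]]:
    """Normalised (scheme, host, port) of an absolute URI, or None if unusable."""
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased, with userinfo and port already stripped
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if port is None:
        port = _DEFAULT_PORTS.get(scheme)
    if not scheme or host is None or port is None:
        return None
    return (scheme, host, port)


def is_safe_goto(goto: str, original_uri: str) -> bool:
    """True if goto is a relative URI (path only) or an absolute URI with the
    same scheme, host and port as the original request URI."""
    if not goto:
        return False
    g = urlsplit(goto)
    if not g.scheme and not g.netloc:
        # Path-only goto. urlsplit already treats "//host/..." as carrying an
        # authority, so it never reaches this branch; backslashes are rejected
        # because some browsers rewrite "/\host" to "//host".
        return "\\" not in goto
    return _authority(g) is not None and _authority(g) == _authority(urlsplit(original_uri))


def goto_or_error(goto: str, original_uri: str) -> str:
    """Return the redirect target, or raise, mirroring "the request fails with an error"."""
    if not is_safe_goto(goto, original_uri):
        raise ValueError(f"goto {goto!r} does not match the original URI's scheme, host and port")
    return goto


if __name__ == "__main__":
    # Constructed sample values: an IG login request and a few candidate goto targets.
    original = "https://app.example.com:8443/login?goto=/home"
    for candidate in ("/home", "https://app.example.com:8443/home",
                      "https://app.example.com/home", "//evil.example/home",
                      "https://app.example.com:8443@evil.example/", "/\\evil.example"):
        print(f"{candidate!r:45} -> {'allowed' if is_safe_goto(candidate, original) else 'rejected'}")
```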
Incompatible Changes in IG 7.0.1
No incompatible changes have been introduced in this release.
Incompatible Changes in IG 7.0.0
The following changes introduced in this release can impact your migration from IG 6.5:
When IG uses AM federation libraries generated from AM 6.5.2 or earlier, add the following lines to the

    # Specifies implementation for
    # org.forgerock.openam.federation.plugin.rooturl.RootUrlProvider interface.
    # This property defines the default base url provider.
    com.sun.identity.plugin.root.url.class.default=org.forgerock.openam.federation.plugin.rooturl.impl.FedletRootUrlProvider
When the entity property is used in the StaticResponseHandler, Content-Type is a required header. In previous releases, Content-Type was optional. For an example configuration, see the headers property of "StaticResponseHandler".
IG 7.0 requires Java 11. Java 8 is not supported.
ForgeRock Directory Services (DS) is now secure by default. Connections between IG and DS must therefore be configured for TLS.
IG now supports Groovy 3.0. For information about the Groovy version, see the Groovy Documentation.
JwtSessionFactory is no longer an alternative type for JwtSession.
The default skew allowance in JwtSession has been reduced from 2 minutes to zero, and a property to configure the skew allowance has been added in JwtSession. For information, see "JwtSession".
Oracle recommends the use of PKCS12 keystores. From Java 9, Oracle has provided more support for PKCS12. From Java 11, Oracle has changed the default keystore to PKCS12.
Following this lead, the default type for KeyStore and KeyStoreSecretStore is now based on the keystore extension. If the keystore extension is not recognized, the default type is PKCS12. In previous releases, the default type was the one used by the platform.
To ensure backward compatibility where keys are generated using a non-PKCS12 type (for example, JKS), specify type in KeyStore or storeType in KeyStoreSecretStore.
In previous releases, after an access_token resolver validated an access_token, the OAuth2ResourceServerFilter checked that the access_token was not expired. From this release, the OAuth2ResourceServerFilter considers any token returned by an AccessTokenResolver as valid, and checks only that the required scopes are present.
For information, see "OAuth2ResourceServerFilter".
When gracefulStop is true, the ScheduledExecutorService now removes submitted jobs and attempts to end running jobs after respecting the gracePeriod. In previous releases, when gracefulStop was true, it did not remove or end jobs. For information, see "ScheduledExecutorService".
To prevent logging of sensitive data for an event, the Common Audit Framework now uses a whitelist to specify which event fields appear in logs. Compared to previous releases, different event fields are included by default in the logs. An includeIf property has been implemented to include non-whitelisted event fields in the logs. For information about how to include or exclude event fields, see "Safelisting Audit Event Fields for the Logs".
In OAuth2ClientFilter, registrations are now identified by the ClientRegistration property clientId instead of name. In this release, IG automatically rewrites OAuth2Session tokens that use name to use clientId. Registration by name will be removed in a later release.
When a user initiates a login with the OAuth2ClientFilter, the login endpoint uses the ClientRegistration property
In previous releases, the login endpoint used the ClientRegistration property
Similarly, the login endpoint in Nascar pages uses client_id instead of
A client handler named SplunkClientHandler can now be declared in the heap of a route that uses a SplunkAuditEventHandler. The client handler relays audit events to Splunk.
In previous releases, it was necessary to configure a client handler named ElasticsearchClientHandler, or use the route's default client handler. For more information, see "SplunkAuditEventHandler".