Limitations in IG 7.0.2

No additional limitations have been introduced in this release.

Limitations in IG 7.0.1

No additional limitations have been introduced in this release.

Limitations in IG 7.0.0

The following limitations are inherent to the design, not bugs to be fixed:


When IG is acting as a reverse proxy, and receives HTTP/2 requests, it does not forward the host information provided in the HTTP/2 pseudo-header :autority: to the protected application.

If the protected application is using the HTTP/1 Host header or HTTP/2 :authority: pseudo-header to route requests, an error occurs.


In JBoss, multiple spaces in unquoted cookie values are reduced to one space. For example:

testCookieName=cookie    value

is changed to

testCookieName=cookie value


The value of System.currentTimeMillis() cannot currently be used in filters, such as JwtBuilderFilter, for claims such as exp and iat.


IG scripts are not sandboxed, but instead have access to anything in their environment. You must make sure that the scripts that IG loads are safe.


Shared resources cannot be persisted when IG restarts. They must be shared each time that IG restarts. For more information, see Supporting UMA Resource Servers.


When IG is running in the Jetty application container, it cannot proxy WebSocket traffic.

For more information, see Proxying WebSocket Traffic, and the websocket property of "ClientHandler" or "ReverseProxyHandler".


IG processes responses from asynchronous HTTP clients by using two thread pools of the same size:

  • the first thread pool receive the response headers,

  • the second thread pool completes the promise by to executing the callback and writing the response content to the stream. Reading and writing to the stream are synchronous, blocking operations

synchronous operation can cause routes to declare a blocked ClientHandler.

To recover from blocking, restart the route, or, if the route is config.json, restart the server. To prevent blocking, increase the number of worker threads.


When a customized config.json is configured in Studio, Studio cannot deploy routes.


The log file of audit events can be overwritten when the log file is rotated.

When CsvAuditEventHandler is used to log audit events, the log file is overwritten if it is rotated before the file suffix, rotationFileSuffix, changes. By default, rotationFileSuffix is defined as a date in the format _yyyy-MM-dd.

Log files are rotated when one of the following limits is reached: maxFileSize, rotationInterval, or rotationTimes.

Set the log rotation parameters so that the log is not likely to rotate before rotationFileSuffix changes.


The CookieFilter heap object stores a reference in the session, so that cookies are linked to the HTTP session. This behavior is not compatible with the use of a JwtSession.


When SAML is used with an AM policy agent, class cast exceptions occur.


When the user defined mapping is incorrectly set, missing SAML assertions produce an infinite loop during authentication attempts.


IG can check server certificates for HTTPS. However, for mutual authentication, the client certificate must be the first certificate in the KeyStore.

Read a different version of :