ForgeRock Identity Gateway

Fixes

The following pages list important fixes in IG major or minor versions since 5.5.0.

Fixed in IG 2024.3

  • OPENIG-7557: Inline named object declarations in IG config interactions with heap objects are misleading

  • OPENIG-7633: Http endRequest metrics should check if handler is null

  • OPENIG-7674: Misleading deprecation notice in ClientRegistration without secretsProvider

  • OPENIG-7680: GzipFlowableTransformer fails when there is empty bytebuffer after actual gzip content

  • OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

  • OPENIG-7738: readWithCharset method doesn’t return the content of the file as a plain string.

  • OPENIG-7790: HTTP Client Active Request Gauge can display negative values

  • OPENIG-7859: org.forgerock.openig.filter.oauth2.client.ClientRegistration#revokeToken logs incorrect endpoint when revocation fails

  • OPENIG-7978: PEF should return 401 when no subjects can be found instead of 500

  • OPENIG-8069: Vertx threads are getting locked on org.forgerock.http.vertx.monitoring.meters.Gauges.get(Tags)

  • OPENIG-8070: vert.x threads are getting locked on SessionInfoCache$IndexTable

Fixed in IG 2023.11.1

  • OPENIG-7633: Http endRequest metrics should check if handler is null

  • OPENIG-7736: IG drops some bytes during POST and PUT of large data/images

Fixed in IG 2023.11

  • OPENIG-7453: SecretsTrustManager fails to load CA-signed certificates due to restrictive KeyUsage

  • OPENIG-7768: Declaring JwtSession named 'Session' in config.json fails

  • OPENIG-7774: CorsFilter should handle invalid policies better instead of throwing NPE

Fixed in IG 2023.9

  • OPENIG-5294: Clear Issuer cache on exception

Fixed in IG 2023.6

  • OPENIG-7429: IG cannot handle requests with IPv6 URL

  • OPENIG-7474: SwitchFilter’s handler fails to send original POST request entity

Fixed in IG 2023.4

  • OPENIG-5913: (UI) Route configuration lost sometime after un-deploy from route list

Fixed in IG 2023.2

  • OPENIG-6911: Failed agent authentication is not clear from the IG logs

Fixed in IG 7.2

  • OPENIG-6911: Failed agent authentication is not clear from the IG logs

  • OPENIG-6394: Stack traces are printed twice in the log files

  • OPENIG-6206: When checking for peer certificates in a request, validate that the SSLSession is available

  • OPENIG-5872: Stop Tyrus WebSocket connection retry when Websocket Client is closed

  • OPENIG-5868: WebSocketClientHandshakeException: Invalid subprotocol seen when using IG standalone to proxy WebSocket requests

  • OPENIG-5805: The notification service should attempt to refresh the caller token when receiving a 401 on WebSocket connections

  • OPENIG-5793: Unexpected behaviour of EL function matches

  • OPENIG-5778: sessionInfo requests can lead to a build up of agent tokens being created

  • OPENIG-5743: Standalone: Possible OOME for large requests

  • OPENIG-5725: Add SNI configuration

  • OPENIG-5683: HTTP/2 : set max connections

  • OPENIG-5610: Null Pointer Exception when using ForwardedRequestFilter with ResourceHandler

  • OPENIG-5540: PEM secret format fails to decode some EC private keys

  • OPENIG-5539: The ForwardedRequestFilter should not change original URI parameter values when rebasing

  • OPENIG-5425: JwkSetHandler: No error displayed when using an invalid configuration such as a public key exported -as jwk- for decryption usage

  • OPENIG-4956: Inbound WebSocket connection is not closed when outbound connection is closed abruptly

Fixed in IG 7.1.2

  • OPENIG-6394: Stack traces are printed twice in the log files

  • OPENIG-6206: When checking for peer certificates in a request, validate that the SSLSession is available

  • OPENIG-5872: Stop Tyrus WebSocket connection retry when Websocket Client is closed

  • OPENIG-5793: Unexpected behaviour of EL function matches

Fixed in IG 7.1.1

  • OPENIG-5868: WebSocketClientHandshakeException: Invalid subprotocol seen when using IG standalone to proxy WebSocket requests

  • OPENIG-5805: The notification service should attempt to refresh the caller token when receiving a 401 on WebSocket connections

  • OPENIG-5778: sessionInfo requests can lead to a build up of agent tokens being created

  • OPENIG-5743: Standalone: Possible OOME for large requests

  • OPENIG-5683: HTTP/2 : set max connections

  • OPENIG-5610: Null Pointer Exception when using ForwardedRequestFilter with ResourceHandler

  • OPENIG-5540: PEM secret format fails to decode some EC private keys

  • OPENIG-5539: The ForwardedRequestFilter should not change original URI parameter values when rebasing

  • OPENIG-4956: Inbound WebSocket connection is not closed when outbound connection is closed abruptly

Fixed in IG 7.1

  • OPENIG-5401: Retries on a ReverseProxyHandler not being triggered

  • OPENIG-5258: IG Standalone must populate the originalUri.port from Host header

  • OPENIG-5219: Vert.x HTTP Client does not replicate current CHF behaviour when request fails and headers have been received

  • OPENIG-5084: WebSocket connections are not being proxied when baseURI scheme is wss

  • OPENIG-4900: AMService cannot connect to AM via TLS with Standalone

  • OPENIG-4034: AuditService does not delete old files when maxDiskSpaceToUse is reached

Fixed in IG 7.0.2

  • OPENIG-5258: IG Standalone must populate the originalUri.port from Host header

  • OPENIG-5219: Vert.x HTTP Client does not replicate current CHF behaviour when request fails and headers have been received

  • OPENIG-5084: WebSocket connections are not being proxied when baseURI scheme is wss

Fixed in IG 7.0.1

  • OPENIG-4900: AMService cannot connect to AM via TLS with Standalone

  • OPENIG-4034: AuditService does not delete old files when maxDiskSpaceToUse is reached

Fixed in IG 7.0.0

  • OPENIG-4190: A WebSocket Origin header is missing the scheme from the URL

  • OPENIG-4168: CacheAccessTokenResolver : missing requests to amService (not available in capture)

  • OPENIG-4037: Global decorators declared in a route cannot refer to decorators declared in the same route

  • OPENIG-3837: WebSocketAdapter#writeBuffersIfStreamIsReady should check if stream is ready before calling flush

  • OPENIG-3821: ResourceHandler should create redirect to a relative URI when requests don’t end in /

  • OPENIG-3819: WebSocket requests should be built using the raw query parameters

  • OPENIG-3783: ClassCastException in scriptable access token resolver occurs when invalid token is returned by delegated access token resolver

  • OPENIG-3755: IG’s decodeBase64 function returns null on JWTs generated by IG or AM

  • OPENIG-3659: SSOFilter logoutEndpoint does not take query parameters into consideration

  • OPENIG-3579: NullPointerException when calling org.forgerock.openig.handler.router.DirectoryMonitor#createFileChangeSet

  • OPENIG-3492: Request and response logged in different files when capture:all and global captureDecorator are in config.json

  • OPENIG-3488: IG fails to stop when started with a config.json with invalid json syntax.

  • OPENIG-3403: ContentTypeHeader quoted directives should be maintained

  • OPENIG-3296: UserProfileFilter and usernames with colons

  • OPENIG-3275: SamlFederationHandler Doesn’t Support Filtering

  • OPENIG-3221: OpenIG is decoding special character ' while sending to the backend which is causing issues

  • OPENIG-3219: When using scan feature in logback.xml the ig.instance.dir property is lost on reload

Fixed in IG 6.5.4

  • OPENIG-5268: IG 6.5.3 Studio UI Welcome screen has formatting/layout issues

  • OPENIG-5084: WebSocket connections are not being proxied when baseURI scheme is wss

  • OPENIG-4034: AuditService does not delete old files when maxDiskSpaceToUse is reached

Fixed in IG 6.5.3

  • OPENIG-4190: A WebSocket Origin header is missing the scheme from the URL

  • OPENIG-4168: CacheAccessTokenResolver : missing requests to amService (not available in capture)

  • OPENIG-3783: ClassCastException in scriptable access token resolver occurs when invalid token is returned by delegated access token resolver

Fixed in IG 6.5.2

  • OPENIG-3837: WebSocketAdapter#writeBuffersIfStreamIsReady should check if stream is ready before calling flush

  • OPENIG-3819: WebSocket requests should be built using the raw query parameters

  • OPENIG-3659: SSOFilter logoutEndpoint does not take query parameters into consideration

  • OPENIG-3492: Request and response logged in different files when capture:all and global captureDecorator are in config.json

  • OPENIG-3296: UserProfileFilter and usernames with colons

Fixed in IG 6.5.1

  • OPENIG-3403: ContentTypeHeader quoted directives should be maintained

Fixed in IG 6.5

  • OPENIG-3226: StaticFilterRequest: request leak

  • OPENIG-3219: When using scan feature in logback.xml the ig.instance.dir property is lost on reload

  • OPENIG-3113: Not possible to use token substitutions within a monitor decorator of a Route

Fixed in IG 6.1

  • OPENIG-2695: UI: Unable to open Freeform editor on Linux

  • OPENIG-2634: UI: Uncaught error on route error

Fixed in IG 6

  • OPENIG-2571: OAuth2ResourceServerFilter requireHttps=true applies to rebased request URI

  • OPENIG-2565: PolicyEnforcementFilter returns 403 instead of 401 when route is accessed with an unauthenticated user

  • OPENIG-2243: AM 6 default CSRF Protection switch breaks Policy Enforcement Filter

  • OPENIG-2004: OAuth2ResourceServerFilter cache configuration can lead to unexpected results if tokens expire early

  • OPENIG-1325: Cannot specify realm in UmaService

  • OPENIG-816: The UmaResourceServerFilter returns with wrong as_uri

Fixed in IG 5.5.2

No issues were fixed in this release.

Fixed in IG 5.5.1

  • OPENIG-3226: StaticFilterRequest: request leak

  • OPENIG-3219: When using scan feature in logback.xml the ig.instance.dir property is lost on reload

  • OPENIG-2571: OAuth2ResourceServerFilter requireHttps=true applies to rebased request URI

  • OPENIG-2243: AM 6 default CSRF Protection switch breaks Policy Enforcement Filter

  • OPENIG-2004: OAuth2ResourceServerFilter cache configuration can lead to unexpected results if tokens expire early

Fixed in IG 5.5

  • OPENIG-1674: UMA examples might not work with Chrome and Safari

  • OPENIG-1152: Facebook Social Authentication not working when OpenAM is proxied behind OpenIG

Security advisories

ForgeRock issues security advisories in collaboration with our customers and the open source community to address any security vulnerabilities transparently and rapidly.

ForgeRock’s security advisory policy governs how security issues are submitted, received, and evaluated, as well as the timeline for issuing security advisories and patches.

For details of all the security advisories across ForgeRock products, see Security Advisories in the Knowledge Base library.

Copyright © 2010-2024 ForgeRock, all rights reserved.