New in AM 7.4.x
AM 7.4.1
AM 7.4.1 is a maintenance release.
Storing identified identities in the authentication session
The following new methods let you record users and agents verified to exist in an identity store:
org.forgerock.openam.auth.node.api.Action
- public ActionBuilder withIdentifiedIdentity(AMIdentity id)
- public ActionBuilder withIdentifiedIdentity(String username, IdType id)
org.forgerock.openam.auth.nodes.script.ActionWrapper
- public ActionWrapper withIdentifiedAgent(String agentName)
- public ActionWrapper withIdentifiedUser(String username)
A new advanced server property, org.forgerock.am.auth.trees.authenticate.identified.identity, determines whether AM uses these stored identified identities when deciding which user to log in.
This lets custom nodes and decision node scripts correctly resolve identities that have the same username.
AM 7.4
AM 7.4 is a minor release that introduces new features, functional enhancements, and fixes.
Bind and verify user devices
The ForgeRock SDKs for Android and iOS can cryptographically bind a mobile device to a user account.
Registered devices generate a key pair and a key ID. The SDK sends the public key and key ID to your AM server for storage in the user’s profile.
The SDK stores the private key on the device in the Android KeyStore or the iOS Secure Enclave. Access to the private keys is protected by biometric security or a PIN.
A user can bind multiple devices to their account, and each device can bind to multiple users.
After binding a device, your authentication journeys can verify ownership of the bound device by requesting that it sign a challenge with its private key and verifying the signature against the stored public key.
For details, refer to the Device Binding node, Device Binding Storage node, and Device Signing Verifier node.
Support for JSON output from /oauth2/device/user endpoint
REST calls to the /oauth2/device/user endpoint return an HTML response by default. This release adds support for an Accept: application/json header that returns the response in JSON format.
For details, refer to the Device authorization grant.
Setting to disable the subname claim
AM adds the subname claim to access and ID tokens by default. You can now change this behavior by disabling the OAuth2 Provider service property, Include subname claim in tokens issued by the OAuth2 Provider.
The value of the subname claim matches the value of the sub claim used in versions of AM earlier than 7.1. It also matches the value of the sub claim if you disable the org.forgerock.security.oauth2.enforce.sub.claim.uniqueness property.
Setting to permit client credentials in token endpoint query parameters
The OAuth 2.0 Provider service includes a new advanced property, Allow Client Credentials in Token Endpoint Query Parameters, that lets you include client credentials as query parameters in OAuth 2.0 token endpoint requests.
In previous AM versions, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. From AM 7.4 onwards, this is prohibited by default and you must include the credentials within the POST request body.
The new Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior and is false by default in new deployments. For security reasons, keep this property disabled to prevent client credentials from being included as query parameters, where they are routinely captured in web server, proxy and browser history logs.
When you upgrade an existing deployment to AM 7.4, this property is initially set to true for legacy support. After upgrading, you should update your scripts and clients to support the new behavior, then set the property to false.
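Before turning the property off after an upgrade, it helps to know which clients still send credentials in the query string. The following is an added example, not ForgeRock's code: it scans access-log lines for POST requests to the token endpoint whose query string carries client_id or client_secret and reports them per client ID, without ever echoing the secret value. The log lines are constructed in a common access-log layout and the `am.example.invalid` origin is a placeholder; adapt the line regex to your proxy or web server. Whether a bare client_id in the query (with the secret in the body) is affected is not stated above, so the report lists which parameters were seen and leaves that call to you.

```javascript
// Added example, not ForgeRock's code. Inventories OAuth 2.0 clients that still
// send client_id / client_secret in the query string of the AM token endpoint,
// so they can be fixed before "Allow Client Credentials in Token Endpoint Query
// Parameters" is set back to false. The secret value is never printed: the
// query string has already leaked it into logs, and the report must not repeat it.

const BASE = "https://am.example.invalid"; // placeholder origin, only so URL() can parse a path
const TOKEN_PATH = /\/oauth2\/(?:realms\/[^?]*\/)?access_token$/;
const CREDENTIAL_PARAMS = ["client_id", "client_secret"];

// Classify one request: returns null unless it is a POST to the token endpoint
// carrying client_id and/or client_secret in the query string.
function classifyTokenRequest(method, target) {
  if (method !== "POST") return null;
  const url = new URL(target, BASE);
  if (!TOKEN_PATH.test(url.pathname)) return null;
  const params = CREDENTIAL_PARAMS.filter((p) => url.searchParams.has(p));
  if (params.length === 0) return null;
  return {
    clientId: url.searchParams.get("client_id") || "<client_id not in query>",
    params, // which credential parameters were present in the query string
  };
}

// Aggregate findings per client_id over a list of access-log lines.
function auditQueryCredentials(lines) {
  const byClient = {};
  for (const line of lines) {
    // Request line in an Apache/NGINX-style access log: "METHOD target HTTP/x.y"
    const m = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const hit = classifyTokenRequest(m[1], m[2]);
    if (!hit) continue;
    const entry = byClient[hit.clientId] || { requests: 0, params: new Set() };
    entry.requests += 1;
    hit.params.forEach((p) => entry.params.add(p));
    byClient[hit.clientId] = entry;
  }
  return byClient;
}

// Constructed sample traffic (not real data); the secret is a placeholder string.
const SAMPLE_LOG = [
  '198.51.100.7 - - [02/Jan/2024:10:00:01 +0000] "POST /am/oauth2/realms/root/access_token?grant_type=client_credentials&client_id=legacy-batch&client_secret=PLACEHOLDER HTTP/1.1" 200 512',
  '198.51.100.8 - - [02/Jan/2024:10:00:02 +0000] "POST /am/oauth2/realms/root/access_token HTTP/1.1" 200 498',
  '198.51.100.9 - - [02/Jan/2024:10:00:03 +0000] "POST /am/oauth2/realms/root/realms/alpha/access_token?client_id=report-cron&grant_type=client_credentials HTTP/1.1" 400 97',
  '198.51.100.7 - - [02/Jan/2024:10:00:04 +0000] "GET /am/oauth2/realms/root/authorize?client_id=spa&response_type=code HTTP/1.1" 302 0',
];

for (const [clientId, entry] of Object.entries(auditQueryCredentials(SAMPLE_LOG))) {
  console.log(`${clientId}: ${entry.requests} request(s) with ${[...entry.params].join(", ")} in the query string`);
}
```

Requests that carry the credentials in the body (the second sample line) and requests to other endpoints (the authorize call) are ignored, so the output is exactly the list of clients to contact before flipping the property.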
Restriction of access to inner trees
The new innerTreeOnly property of an authentication tree lets you specify that the tree is only an inner tree and can’t be accessed directly.
For details, refer to Disable direct access through an inner tree.
New nodeState.getObject method
The new nodeState.getObject(String key) method lets scripted decision nodes retrieve variables stored in both shared and secure state.
For details, refer to Access shared state data.
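The identified-identity methods from AM 7.4.1 and nodeState.getObject fit together in a decision node script: read the username from state, and once the journey has verified the user, record exactly that identity so AM does not pick a different identity with the same username. The following is an added example, not ForgeRock's code. Inside AM the nodeState and action bindings are supplied by the scripting engine; here the decision is written as a function over those two bindings so it also runs outside AM against constructed stand-ins. The identityVerified state key is constructed for the example, and two points are assumptions rather than documented behaviour: that getObject returns the stored value itself, and that action.goTo returns the ActionWrapper so withIdentifiedUser can be chained.

```javascript
// Added example, not ForgeRock's code. A scripted decision node that reads state
// with nodeState.getObject() and records the verified identity with
// action.goTo().withIdentifiedUser(); with the advanced property
// org.forgerock.am.auth.trees.authenticate.identified.identity enabled, AM uses
// the recorded identity when deciding which user to log in.

// The decision logic, written over the nodeState and action bindings.
function decide(nodeState, action) {
  // getObject() reads from both shared and secure state.
  const username = nodeState.getObject("username");
  // "identityVerified" is a constructed key for this example, assumed to be set
  // by an earlier node that found the user in the identity store.
  const verified = nodeState.getObject("identityVerified");

  if (typeof username !== "string" || username.length === 0) {
    return action.goTo("false");
  }
  if (verified !== true) {
    // Never record an identified identity for a user this journey has not verified.
    return action.goTo("false");
  }
  // Assumption: goTo() returns the ActionWrapper, so the call can be chained.
  return action.goTo("true").withIdentifiedUser(username);
}

// Constructed stand-ins for the AM bindings, used only to run the logic outside AM.
function makeBindings(sharedState, secureState) {
  const recorded = { outcome: null, identifiedUser: null };
  const nodeState = {
    // Secure state taking precedence over shared state is this stand-in's choice,
    // not documented AM behaviour.
    getObject(key) {
      if (Object.prototype.hasOwnProperty.call(secureState, key)) return secureState[key];
      if (Object.prototype.hasOwnProperty.call(sharedState, key)) return sharedState[key];
      return null;
    },
  };
  const action = {
    goTo(outcome) { recorded.outcome = outcome; return action; },
    withIdentifiedUser(username) { recorded.identifiedUser = username; return action; },
  };
  return { nodeState, action, recorded };
}

// Run the decision against constructed state and return what the bindings recorded.
function runDecision(sharedState, secureState) {
  const { nodeState, action, recorded } = makeBindings(sharedState, secureState);
  decide(nodeState, action);
  return recorded;
}

console.log(runDecision({ username: "alice" }, { identityVerified: true }));
console.log(runDecision({ username: "alice" }, {}));
```

Only the body of decide() is what you would paste into the node; the second call shows that an unverified user reaches the false outcome with no identified identity recorded.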
X-ForgeRock-TransactionID available in HTTP client script binding
The httpClient script binding now automatically adds the current transaction ID as the X-ForgeRock-TransactionID HTTP header. This lets you correlate caller and receiver logs when you use httpClient from a script, such as a decision node script, to make requests to other proprietary products and services.
For details, refer to Access HTTP services.
Customize account lockout message
Use the new ActionBuilder.withLockoutMessage(String lockoutMessage) method in a Scripted Decision node to customize the message displayed to an end user when their account is locked or inactive.
For details, refer to Set script outcome.
Scripting enhancements
AM 7.4 introduces the Next Generation scripting engine, which offers the following benefits:
- Stability
  - A stable set of enhanced bindings, available to decision node scripts, that reduces the need to allowlist Java classes to access common functionality.
- Ease of use
  - Simplify your scripts with fewer imports and more intuitive return types that require less code.
  - Debug efficiently with clear log messages and a simple logging interface based on SLF4J.
  - Make requests to other APIs from within scripts more easily with a more intuitive HTTP client.
- Reduced complexity
  - Simplify and modularize your scripts with library scripts by reusing common code snippets as CommonJS modules. Reference library scripts from a decision node script.
  - Access identity management information seamlessly through the openidm binding.
For more information, refer to:
Scripting logger name change
Scripts that log debug messages create loggers that now include the name of the script.
The name of a scripting logger uses the format scripts.<context>.<script UUID>.(<script name>); for example, scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script).
Refer to Debug logging.
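Two of the changes in this release make AM logs easier to work with together: the logger name now identifies the script, and httpClient forwards the transaction ID as X-ForgeRock-TransactionID. The following is an added example, not ForgeRock's code: it parses logger names of the format given above and joins AM debug lines from script loggers with a downstream service's access log on the transaction ID. Only the logger-name format is taken from the page; the AM debug line layout, the downstream log layout and the "/1" suffix on the header value (standing in for a child transaction ID) are constructed for this example and are not AM's actual logback pattern. Adapt the two line regexes to your own logs.

```javascript
// Added example, not ForgeRock's code. Parses the AM 7.4 script logger name
// scripts.<context>.<script UUID>.(<script name>) and correlates AM debug lines
// with a receiving service's log via the X-ForgeRock-TransactionID value.

const LOGGER_NAME = /^scripts\.([^.]+)\.([0-9a-fA-F-]{36})\.\((.+)\)$/;

// Split a script logger name into its parts; null for loggers that are not script loggers.
function parseScriptLoggerName(name) {
  const m = LOGGER_NAME.exec(name);
  return m ? { context: m[1], scriptId: m[2], scriptName: m[3] } : null;
}

// Constructed AM debug layout for this example: "<date> <time> <LEVEL> tx=<id> <logger>: <message>".
const AM_LINE = /^(\S+ \S+) (\w+) tx=(\S+) (.+?): (.*)$/;

function parseAmDebugLine(line) {
  const m = AM_LINE.exec(line);
  if (!m) return null;
  return { time: m[1], level: m[2], txId: m[3], logger: m[4], script: parseScriptLoggerName(m[4]), message: m[5] };
}

// Constructed convention: a child transaction ID is "<parent>/<n>", so join on the part before "/".
function rootTransactionId(id) {
  return id.split("/")[0];
}

// Join AM script-logger lines with receiver lines carrying the same transaction ID.
function correlate(amLines, receiverLines) {
  const receiverByTx = new Map();
  for (const line of receiverLines) {
    const m = /X-ForgeRock-TransactionID=(\S+)/.exec(line);
    if (!m) continue;
    const key = rootTransactionId(m[1]);
    if (!receiverByTx.has(key)) receiverByTx.set(key, []);
    receiverByTx.get(key).push(line);
  }
  const joined = [];
  for (const line of amLines) {
    const entry = parseAmDebugLine(line);
    if (!entry || !entry.script) continue; // keep only lines from script loggers
    joined.push({ ...entry, receiver: receiverByTx.get(rootTransactionId(entry.txId)) || [] });
  }
  return joined;
}

// Constructed sample logs (not real data).
const AM_DEBUG = [
  "2024-01-02 10:00:01,005 DEBUG tx=3f2b1a9c-1111-4d2e-8b3a-000000000001 scripts.AUTHENTICATION_TREE_DECISION_NODE.9e1d2c3b-2222-4f5a-9c6d-000000000002.(Risk Lookup): POST https://risk.example.invalid/score",
  "2024-01-02 10:00:01,230 DEBUG tx=3f2b1a9c-1111-4d2e-8b3a-000000000001 com.example.NonScriptLogger: node outcome true",
  "2024-01-02 10:00:02,410 DEBUG tx=7a6b5c4d-3333-4e6f-8a9b-000000000003 scripts.OIDC_CLAIMS.36863ffb-40ec-48b9-94b1-9a99f71cc3b5.(OIDC Claims Script): adding claim email",
];
const RISK_SERVICE_ACCESS = [
  '10.0.0.5 [02/Jan/2024:10:00:01 +0000] "POST /score HTTP/1.1" 200 X-ForgeRock-TransactionID=3f2b1a9c-1111-4d2e-8b3a-000000000001/1',
  '10.0.0.5 [02/Jan/2024:10:00:09 +0000] "POST /score HTTP/1.1" 200 X-ForgeRock-TransactionID=c0ffee00-4444-4a5b-8c7d-000000000004/1',
];

for (const entry of correlate(AM_DEBUG, RISK_SERVICE_ACCESS)) {
  console.log(`${entry.script.scriptName} [${entry.script.context}] tx=${entry.txId}: ${entry.receiver.length} receiver line(s)`);
}
```

The script name in the logger lets you filter debug output to one script, and the join shows which of that script's outbound calls the receiver actually saw.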
Access request header values from OAuth 2.0 scripts
You can now access the requestHeaders binding in the following OAuth 2.0 scripts:
- OIDC user info claims (OIDC_CLAIMS)
- Access token modification (OAUTH2_ACCESS_TOKEN_MODIFICATION)
- Token exchange (OAUTH2_MAY_ACT)
For details, refer to the available objects for each script type.
File-based configuration migration utility
In a future release, AM will read its configuration only from JSON files, not directory servers. Using LDAP data stores for configuration will be deprecated and file-based configuration (FBC) will be the only supported configuration storage mechanism. Dynamic data will continue to be stored in LDAP directories.
To prepare to migrate your configuration from LDAP directories to JSON files, AM 7.4 provides a technology preview of a configuration migration utility based on the existing amupgrade command.
The purpose of this technology preview is to let you test migrating custom configuration to FBC.
For details, refer to Migrate to a file-based configuration.
The interface stability for the file-based configuration (FBC) migration utility is Technology Preview. Technology previews offer access to new technology that is not yet supported. Technology preview features may be functionally incomplete and subject to change without notice. For details, refer to Interface stability. The purpose of this technology preview is to allow you to test the migration of your configuration data. The technology preview should function correctly but may highlight areas that need improvement before the supported release of this feature. AM configuration stored in DS remains supported as documented for AM 7.4. In a future AM release, LDAP configuration stores will be deprecated in favor of FBC.
Support for mTLS authentication
AM now supports mTLS authentication to the following external data stores:
mTLS uses certificates to authenticate and is more secure than username/password authentication. For more security, you should rotate certificates periodically.
Due to a known issue in OpenJDK, you can’t configure mTLS authentication to data stores if you’re using Java version 11.0.2. If you’re using this Java version and attempt to authenticate with mTLS, the connection fails and the DS server generates the following error in the
AM then enters an invalid state. To work around this issue, upgrade to Java 11.0.3 or higher, or authenticate using simple authentication.
Query Parameter node
The Query Parameter node lets you insert query parameter values from a journey URL into configurable node state properties. This lets you customize journeys based on the query parameter values.
Support for HTML in Email Suspend node
The Email Suspend Message of the Email Suspend node now supports HTML code in addition to plain text.
This lets you add HTML components, including links and graphics, to the message displayed to end users.