WSO2 Identity Server 5.4.0-M1 Released!


Pulasthi Mahawithana
The WSO2 Identity Server team is pleased to announce the 1st Milestone of WSO2 Identity Server 5.4.0. You can download this distribution from the following location.

The following list contains all the features, improvements and bug fixes available with this milestone.



  • [IDENTITY-5834] - Under high concurrency UserStoreConfigXMLProcessor fails to decrypt the connection password in the secondary userstore file
  • [IDENTITY-5846] - Facebook authenticator does not work properly after recent Facebook API changes
  • [IDENTITY-5852] - OIDC logout fails when opbs cookie not properly cleared
  • [IDENTITY-5853] - SQL Syntax Error in VALIDATE_AUTHZ_CODE Query.
  • [IDENTITY-5919] - No tenant check when validating scopes in JDBCScopeValidator
  • [IDENTITY-5985] - In Postgres CON_APP_KEY constraint becomes all lower case, causing it to skip error handling procedure.
  • [IDENTITY-6026] - Retrieving user claims from cache always assumes token, even when authorization code is given.


  • [IDENTITY-3001] - Exchanging SAML2 bearer tokens with OAuth2 not working when server (AM) is restarted
  • [IDENTITY-3198] - IS Dashboard Account Recovery blank page and exception in backend after changing challenge question of the user from SoapUI calling UserIdentityManagementAdminService
  • [IDENTITY-3222] - Challenge questions set through setChallengeQuestions operation are not shown in dashboard
  • [IDENTITY-3473] - Web UI not creating valid XACML
  • [IDENTITY-3815] - [IS510][Cluster][OAuth/SAML][Load/Long] NPE - exception while processing task:com.hazelcast.spi.impl.eventservice.impl.LocalEventDispatcher
  • [IDENTITY-3863] - [RemoteUserStoreManagerService] Secondary user store users are not listed with getUserList
  • [IDENTITY-3967] - Claim related error after authenticating with OpenID Connect
  • [IDENTITY-4003] - Cannot add users from console UI when multiple 'user search base' configured to user-mgt with '#' separated
  • [IDENTITY-4043] - [IS510][Cluster][OAuth/SAML][Long][mysql] SQLException: The total number of locks exceeds the lock table size
  • [IDENTITY-4112] - Revoked Access Token and Revoked Refresh Token returned back in token revoke endpoint response
  • [IDENTITY-4172] - ClassNotFoundException when trying to authenticate with fido
  • [IDENTITY-4173] - Unlocking the locked users when restarting the server
  • [IDENTITY-4276] - Encrypting values in file with cipher tool fails to deploy authenticationendpoint web app
  • [IDENTITY-4332] - [Dashboard] Internal Error occurred when Password is inputted with less than 5 characters via Create Account
  • [IDENTITY-4394] - OpenID Connect Session Management Assumptions and Limitations
  • [IDENTITY-4420] - Error adding SAML2 Web SSO Configuration on Identity Server
  • [IDENTITY-4423] - Error in marshalling SAML response when using custom claim for objectSID
  • [IDENTITY-4427] - The regular expression to check valid user/rolename in user-mgmt.xml is wrong
  • [IDENTITY-4464] - SQL error while running following query - UPDATE IDN_OAUTH2_ACCESS_TOKEN set USER_DOMAIN = 'PRIMARY' where USER_DOMAIN is null;
  • [IDENTITY-4470] - Tenant domain is not returning within the JWT.
  • [IDENTITY-4512] - Cannot generate signed Authentication Context JWT for custom grant type sample
  • [IDENTITY-4534] - Error response for implicit flow is in wrong format
  • [IDENTITY-4915] - 'sub' claim not returned in id_tokens generated with Client credential grant type
  • [IDENTITY-4925] - Repeated parameters and multiple credentials are allowed in token requests
  • [IDENTITY-4927] - Incorrect error responses for missing grant_type parameter and value
  • [IDENTITY-4931] - Claims are not retrieved properly for id_tokens generated based on client_credentials grant type for SP's created by email users
  • [IDENTITY-4935] - UserInfo is not retrieved for the password grant type even though it is returned in the decoded id token
  • [IDENTITY-4936] - sub claim returned from user info endpoint behaves inconsistently with required claim values in SP
  • [IDENTITY-4937] - 'sub' claim returned for an id_token obtained using authorization grant from userinfo endpoint behaves inconsistently after change in SP claim config
  • [IDENTITY-4941] - Single Logout fails depending on logout sequence from Service Providers
  • [IDENTITY-4942] - Cannot Try SAML passive Auth from travelocity sample application
  • [IDENTITY-4943] - Userinfo subject format inconsistency among grant types
  • [IDENTITY-4950] - Token obtained from SAML bearer grant active until cache timeout even after being revoked when subject claim contains @ value
  • [IDENTITY-4963] - Access token is not revoked when Call back URL/allowed grant types are updated
  • [IDENTITY-4966] - Inconsistent behaviour when UserInfo is retrieved after updating the profile
  • [IDENTITY-4967] - OAuth2TokenValidation service returns a server error when trying to validate a token issued by a deleted app
  • [IDENTITY-4976] - Time Skew is not properly handled in OAuth2
  • [IDENTITY-4981] - Access token generated for SP for a different tenant's user is not revoked when SaaS is disabled
  • [IDENTITY-4983] - General SP initiated SAML SSO and Request path SAML SSO need to be consistent
  • [IDENTITY-4999] - OAuth response token expiry times are not consistent and accurate
  • [IDENTITY-5006] - Claim attribute ID inconsistency in ID token for federated authentication in super tenant
  • [IDENTITY-5013] - Observed inconsistency in returning "sub" attribute for userinfo endpoint when simply click on update button of SP
  • [IDENTITY-5022] - Inapplicable claims returned for OIDC scopes when mapped attributes are updated
  • [IDENTITY-5023] - Observed a SQL Exception when requesting token multiple times with implicit grant - using mssql DB
  • [IDENTITY-5039] - [JIT provision] Issue when provisioning Facebook user to IS' secondary userstore AD
  • [IDENTITY-5052] - [IS520][Cluster] NPE occurred issuing the access token.
  • [IDENTITY-5055] - CLONE - Trying to connect to Disabled user stores at the server startup
  • [IDENTITY-5068] - Footer is not at the right place while resolution is changing in Authentication Endpoint Login page
  • [IDENTITY-5073] - Subject claim could not be found amongst service provider mapped unfiltered local claims
  • [IDENTITY-5100] - Identity Password timestamp is not updated in user profile
  • [IDENTITY-5104] - Tenant domain is appended to the subject claim even when 'Use tenant domain in local subject identifier' is not selected
  • [IDENTITY-5116] - Cannot create user with "-" character
  • [IDENTITY-5124] - Logout issue with Request path authenticator
  • [IDENTITY-5128] - Server Error response when calling the token revocation endpoint with invalid authorization header
  • [IDENTITY-5129] - Exception thrown when updating claims with EncryptionDecryptionPersistenceProcessor
  • [IDENTITY-5131] - Deadlock during session cleanup task (SAML SSO)
  • [IDENTITY-5134] - Cache invalidation does not happen when PKCE mandatory option is removed from an OAuth App configuration
  • [IDENTITY-5148] - Incorrect error response for token request using authorization code when the authorization code is invalid
  • [IDENTITY-5157] - Get request to identity/register and identity/connect/register endpoints causes NullPointerException
  • [IDENTITY-5161] - Under OIDC - the service provider requested claims should take the priority over the scopes
  • [IDENTITY-5175] - Role claim is not returned when added as a requested claim
  • [IDENTITY-5189] - Deadlock while doing user registration
  • [IDENTITY-5207] - Email template changes done from management console are lost after server restart
  • [IDENTITY-5217] - Regex specified in the error message is not correct when "EnableEmailUserName" is true
  • [IDENTITY-5231] - Functionality worked in IS 5.1 is not working in IS 5.2
  • [IDENTITY-5240] - Sql exception thrown when authorizing role
  • [IDENTITY-5278] - Logout request is generated for other session participants, although SP is not enabled for SLO
  • [IDENTITY-5305] - Intermittently getting error when trying to logout from dashboard app
  • [IDENTITY-5306] - Error when session timeout from dashboard app
  • [IDENTITY-5314] - Result set is not properly closed in user core
  • [IDENTITY-5334] - Warning messages for unfilled fields are incorrect in email template edit
  • [IDENTITY-5344] - Returns refresh tokens for saml bearer grant type
  • [IDENTITY-5384] - Intermittent NPE in OAuth endpoint
  • [IDENTITY-5463] - Can't assign all permissions to a role
  • [IDENTITY-5464] - No Bulk Import Users possible
  • [IDENTITY-5508] - Access Token Partitioning does not work
  • [IDENTITY-5529] - Getting HTTP/1.1 201 every time as a response when running the same curl command in DCR
  • [IDENTITY-5541] - Authenticated IdPs list not returned
  • [IDENTITY-5547] - Cannot login after the account lock timeout is passed
  • [IDENTITY-5550] - Typo in userstore add page
  • [IDENTITY-5554] - User having Login permissions can neither change his password nor edit his profile
  • [IDENTITY-5571] - CONFIRM_SIGN_UP entry gets created at recovery DB even when account lock on creation disabled
  • [IDENTITY-5577] - "Clear Decision Cache" of XACML PDP is not working
  • [IDENTITY-5580] - Engaging access control policies in authentication flow is broken in Tenants
  • [IDENTITY-5581] - oauth2/authorize call throws a NPE when the session is expired
  • [IDENTITY-5596] - Make oauth direction page 'message and button' editable.
  • [IDENTITY-5597] - SAML federated authenticated has hard coded NameID format for Authn request and LogoutRequest
  • [IDENTITY-5607] - Blank page after clicking on Resident in "Service Providers" in 5.3.0
  • [IDENTITY-5636] - Provide an endpoint to keep the session live in WSO2 IS side that can be called by Applications.
  • [IDENTITY-5659] - Error in uploading sp metadata file in tenant
  • [IDENTITY-5660] - Certificate added through sp metadata not persisted properly
  • [IDENTITY-5661] - Need a way to sync the certificates uploaded from saml sp metadata file among the cluster nodes
  • [IDENTITY-5724] - IDN_OPENID_USER_RPS table data not getting removed when removing authorized apps from the dashboard.
  • [IDENTITY-5757] - PDP's Decision cache is not working for REST API call with JSON body
  • [IDENTITY-5783] - Oauth2 session doesn't invalidate in (APIM 1.10 & IS 5.1.0)
  • [IDENTITY-5802] - OPT Email uses wrong template for email
  • [IDENTITY-5803] - SCIM cannot be changed using UI in secondary user store
  • [IDENTITY-5804] - Xacml policy change does not get affected. Instead response comes from cache
  • [IDENTITY-5811] - There exist image files which are not available in distribution but referred in the html hence throwing 404
  • [IDENTITY-5812] - PDP Caches are not synced inside the clustered environment
  • [IDENTITY-5818] - Identity Server is throwing an error when deleting a user which has + sign in the username
  • [IDENTITY-5822] - Unable to share samlssoTokenId cookie with SPs in subdomain
  • [IDENTITY-5825] - When LDAP userstore is used, H2 database is used to store claim mapping
  • [IDENTITY-5828] - Fido authentication does not work in 5.3.0
  • [IDENTITY-5830] - When same auth code is used twice while OAuth cache is not enabled, Getting a null pointer.
  • [IDENTITY-5831] - reCaptcha on the self-registration page does not work
  • [IDENTITY-5848] - SAML Inbound Extension Points Broken
  • [IDENTITY-5856] - Add proper error message for
  • [IDENTITY-5858] - Incorrect error logged when UI validation fails for the identity dashboard
  • [IDENTITY-5867] - Stack Overflow message occurs when processing a WS-Security message
  • [IDENTITY-5870] - Handle expired token correctly in UserInfo flow
  • [IDENTITY-5874] - Logins with leading whitespace Identity Server lead to partially successful authentication and assertions missing claims
  • [IDENTITY-5875] - Exceptions being swallowed and not printed when carrying out workflows
  • [IDENTITY-5880] - Application created using DCR is not properly populated in Mgt Console UI
  • [IDENTITY-5881] - NPE in DefaultClaimHandler#retrieveAllNunNullUserClaimValues if the MultiAttributeSeparate property is not specified in user-mgt.xml
  • [IDENTITY-5882] - Possible NPE error in authentication framework
  • [IDENTITY-5886] - Refresh token requests fail in multi-node deployments when servers are not time synchronized
  • [IDENTITY-5888] - OpenID connect token spec violation when we try to get JWT Bearer Grant working
  • [IDENTITY-5900] - Tenant registry is not loading when enabling SaaS
  • [IDENTITY-5909] - OIDC claims parameter does not work in userinfo endpoint
  • [IDENTITY-5910] - When the access token type is set invalid in tokenValidationResponse, the response comes as Server error.
  • [IDENTITY-5911] - If the custom grant type registration has any issues, oauth app registration also fails
  • [IDENTITY-5925] - Default JITUserProvisioningEnabled property in authenticators.xml is incorrect
  • [IDENTITY-5936] - OAuth application allowed grant types are not updating without restarting the server.
  • [IDENTITY-5939] - JWT token generation at OAuth 2 token validation, needs to properly handle federated scenario
  • [IDENTITY-5947] - Password updates via notification email causing exhaustion of database connection pool
  • [IDENTITY-5950] - Identity Management 'RegistryCleanUpTask' loads all tenants when being executed
  • [IDENTITY-5953] - HTML email templates are not working for tenant users
  • [IDENTITY-5959] - Incorrect error message for OAuth Token Request with a non-existing client_id
  • [IDENTITY-5962] - Incorrect tenant id stored when persisting session data
  • [IDENTITY-5970] - Null Pointer due to fix in IDENTITY-4120
  • [IDENTITY-5990] - Error when adding Resident Identity Provider entry for super tenant
  • [IDENTITY-6035] - Making <Resource context="(.*)/.well-known(.*)" secured="false" http-method="all"/> doesn't work



  • [IDENTITY-5241] - Improve error log in SAML carbon authenticator certificate not found scenario
  • [IDENTITY-5303] - We can't get different types of properties on UI when we create a custom federated authenticator.
  • [IDENTITY-5423] - OAuth Error code "temporarily_unavailable".
  • [IDENTITY-5484] - Package Name Update
  • [IDENTITY-5570] - Mandatory Claims are not retrieved from user profile when Custom Claim Dialect is used
  • [IDENTITY-5574] - Adding Form-Post support to Playground2 App
  • [IDENTITY-5575] - Wrong extension point config name is given for PostAuthenticationHandler
  • [IDENTITY-5635] - Custom grant handlers won't show up in UI
  • [IDENTITY-5814] - Any audiences to be added in ID token should be added in identity.xml
  • [IDENTITY-5865] - Pass all request parameters sent in Token Request to grant handlers
  • [IDENTITY-5873] - NPE while rendering resident IDP UI when governance connectors are not available
  • [IDENTITY-5923] - Event publishers in IS 5.3.0 in a fresh pack have encrypted passwords


  • [IDENTITY-6044] - Fixing possible Null Pointer in scope validator

How To Contribute

Your feedback is most welcome!

Mailing Lists

Join our mailing list and correspond with the developers directly.

Reporting Issues

We encourage you to report issues, improvements and feature requests regarding WSO2 Identity Server through the public WSO2 Identity Server Runtime JIRA and Analytics JIRA.

~ The WSO2 Identity Server Team ~

Pulasthi Mahawithana
Senior Software Engineer
WSO2 Inc.,
Mobile: +94-71-5179022

Architecture mailing list