OpenID Connect Access Token Enforcement

Flex support for the Policy.

Error handling responses revised for JSON compliance.

Introduced the capability to configure timeouts when validating OAuth2 tokens for incoming requests.

Added support for policies to validate one or all of the scopes defined in API Manager.

Added OAS3 code snippet in the policy YAML.

Because the Content-Type header of the JSON response from the validate endpoint had additional information, such as charset, the response returned was interpreted as String instead of JSON. The additional modifier is now disregarded.

Responses from the validation endpoint in which the value of the expires_in field was equal to 0 were not being parsed as an expired token.

Error handling responses revised for WSDL APIs to be compliant with SOAP 1.1 and 1.2.

Performance improvements are introduced to the header manipulation engine.

Several performance improvements are introduced in error handling.

After a policy was applied, HTTP headers did not follow the RFC 2616 requirement of case-sensitivity:

Authorization entity attributes that contain non-primitive values were not correctly parsed. These values are now ignored.

An error occured when an object within a JSON object was treated as String type instead of JSON type. This issue is now resolved.

The Fault element in the WSDL APIs now includes the Detail element, with additional error details.

Introduced configuration flag to enable TLS validation on the Authorization Servers' certificates.

Performance improvements.

Fixed expiration time field being mandatory.

An error occurs in Mule versions v4.1.1, v4.1.2, 4,1,3 and 4.1.4 when a policy is deployed to applications that have the mule-secure-configuration-property-module plugin configured. To resolve this issue, upgrade the specified plugin in the application to version 1.1.0.

Introduces support to encrypt sensitive information related to the policy. The runtime version needs to support encryption and needs to be properly configured. Encryption is supported since Mule Runtime v4.2.0.

The default configuration has been modified to avoid propagating or returning policy headers unless explicitly configured by checking the "Expose headers" option.

Performance improvements.

An error occurs in Mule versions v4.1.1, v4.1.2, 4,1,3 and 4.1.4 when a policy is deployed to applications that have the mule-secure-configuration-property-module plugin configured. To resolve this issue, upgrade the specified plugin in the application to version 1.1.0.

Fixed performance issue concerning scheduling.

Improved the RAML and OAS snippets.

Fixed ExpressionRuntimeException error when a WSDL proxy receives an empty payload, or an invalid XML.

Fixed error preventing federated and client ID based policies to apply when a Security Manager is defined in the same app with a tracked endpoint.

Fixed issue causing federated policies to lose query and URI parameters of the requester.