Upgrading from 9.6.X to 9.7.0

Maximum length of inputs used for secret/password validation

The maximum allowed length for inputs used for credential validation (e.g. client secrets sent to authenticated OAuth endpoints or user passwords sent to authenticators) is now 128 characters, down from 4096 characters in previous versions. This limit can be changed via a system property.

Refer to the Credential Managers section for more information.

User Info claims

In previous versions of the Curity Identity Server, claims mapped to usages with the userinfo purpose were resolved on the Token endpoint (alongside claims mapped to other usages), even though those claims weren’t meant to be used in that context.

This behavior was changed so that claims mapped for userinfo are no longer implicitly resolved on the Token endpoint. As a result, their claim values are no longer captured in the delegation (note that the User Info endpoint does not reuse claim values from the delegation anyway). Furthermore, any explicit attempt to resolve claim usages with the userinfo purpose from Token endpoint procedures yields no result: calls to context.getDefaultData('userinfo') (or to a custom claim usage with the userinfo purpose) now return null.

If any custom procedures depend on the previous behavior, update the claim usages and mappings they need to use the access_token purpose (or create duplicates of them with that purpose).

In User Info endpoint procedures, it continues to be possible to resolve claim usages for any purpose.
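The following is an added illustration of the migration described above, not code from the Curity Identity Server or its documentation. It simulates a 9.7.0 Token endpoint context in which the userinfo usage resolves to null, shows a procedure written against the 9.6.x behavior failing with a TypeError, and a migrated procedure that reads from a usage with the access_token purpose and guards against a null result. The context object, the claim values and the usage name 'access_token' are constructed for this example; only the context.getDefaultData(usage) call is taken from the upgrade notes.

```javascript
// Constructed stand-in for a Token endpoint procedure context (not Curity's real
// context object). Only getDefaultData(usage) is modelled, as named in the notes.
function makeTokenEndpointContext(resolvedClaims) {
  return {
    getDefaultData: function (claimUsageName) {
      // 9.7.0 behavior: usages that were not resolved on the Token endpoint
      // (including any usage with the userinfo purpose) return null.
      return Object.prototype.hasOwnProperty.call(resolvedClaims, claimUsageName)
        ? resolvedClaims[claimUsageName]
        : null;
    }
  };
}

// Constructed sample claim data: only a usage with the access_token purpose
// is resolved on the Token endpoint; the usage name is a placeholder.
const CLAIMS_RESOLVED_ON_TOKEN_ENDPOINT = {
  access_token: { sub: 'alice', email: 'alice@example.com', roles: ['user'] }
};

// Procedure written against the 9.6.x behavior: it dereferences the userinfo
// data without checking for null, so on 9.7.0 it throws a TypeError.
function legacyProcedure(context) {
  const userInfo = context.getDefaultData('userinfo');
  return { email: userInfo.email };
}

// Migrated procedure: reads from a usage mapped with the access_token purpose
// (the claim mappings must be updated in configuration as well) and fails
// closed if the usage is not resolved, instead of crashing or leaking undefined.
function migratedProcedure(context) {
  const data = context.getDefaultData('access_token');
  if (data === null || typeof data !== 'object') {
    return { error: 'claims for access_token usage were not resolved' };
  }
  return { email: data.email };
}

// Runs a procedure and reports either its return value or the error it raised,
// so both outcomes can be compared without the process aborting.
function runProcedure(procedure, context) {
  try {
    return { ok: true, value: procedure(context) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Stand-alone demonstration of both procedures against the simulated context.
const ctx = makeTokenEndpointContext(CLAIMS_RESOLVED_ON_TOKEN_ENDPOINT);
console.log('userinfo usage resolves to:', ctx.getDefaultData('userinfo'));
console.log('legacy procedure:', runProcedure(legacyProcedure, ctx));
console.log('migrated procedure:', runProcedure(migratedProcedure, ctx));
```

The null guard in migratedProcedure is the part worth keeping even after the mappings are corrected: a procedure that silently emits undefined claim values is harder to notice in testing than one that returns an explicit error.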