Upgrading from 9.0.X to 9.1.0
JDBC data source
Oracle database definition
The type of the account_id column of the accounts table in Oracle was changed from CHAR(36) to VARCHAR2(36) in the database creation scripts, to avoid trailing white spaces on the column values.
There’s no practical issue with the trailing white spaces, but the table definition may be updated to fix this detail for new records, if desired.
The simplest way to achieve this is via an ALTER TABLE statement. This requires a table re-write, which may not be ideal, depending on the amount of data and system load.
If applying the change, take those factors into consideration, or use different approaches to achieve the end result.
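One way to apply the change described above and check its effect, as an added example that is not taken from the product's database scripts. It assumes the session is connected as the owner of the accounts table and that the table was created with unquoted identifiers, so the Oracle data dictionary stores the names in upper case.

```sql
-- Added example: inspect, change and re-check accounts.account_id.
-- Assumption: run as the schema owner, in a maintenance window sized for
-- the table re-write mentioned above.

-- 1. Current definition (CHAR with length 36 is expected before the change).
SELECT column_name, data_type, char_length
  FROM user_tab_columns
 WHERE table_name  = 'ACCOUNTS'
   AND column_name = 'ACCOUNT_ID';

-- 2. How many stored values carry trailing blanks today.
--    LENGTH() on a CHAR column counts the blank padding, RTRIM() removes it.
SELECT COUNT(*) AS padded_rows
  FROM accounts
 WHERE LENGTH(account_id) > LENGTH(RTRIM(account_id));

-- 3. Change the column type so that new values are stored without padding.
ALTER TABLE accounts MODIFY (account_id VARCHAR2(36));

-- 4. Confirm the new definition (VARCHAR2 with length 36 is expected).
SELECT column_name, data_type, char_length
  FROM user_tab_columns
 WHERE table_name  = 'ACCOUNTS'
   AND column_name = 'ACCOUNT_ID';

-- 5. Re-run the count from step 2. Values written before the change keep
--    whatever padding they were stored with; only new records are affected.
SELECT COUNT(*) AS padded_rows
  FROM accounts
 WHERE LENGTH(account_id) > LENGTH(RTRIM(account_id));
```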
HTML Forms authenticator
The HTML Forms authenticator was updated to present password complexity requirements to the user and validate them in the browser. To that end, the following Velocity templates were changed:
- core/authenticator/html-form/account-activation/set-password.vm
- core/authenticator/html-form/create-account/get.vm
- core/authenticator/html-form/set-password/get.vm
SDK changes
Database Clients
The Database Client-related types were modified to support various new features. Custom Plugins using the modified Attributes types may need to be re-compiled.
The following (mostly non-breaking) relevant changes have been made:
- Added new static factory method empty() to ListAttributeValue.
- The ClientAuthenticationType enum has three new variants: JWKS, JWKS_URI, MUTUAL_TLS_BY_PROXY.
- ClientAuthenticationVerifier has new static factory methods to create the new variants: ofJwks(String jwks), ofJwksUri(String jwksUri, @Nullable String httpClientId).
- The sealed interface ClientAuthenticationMethod’s method match, which is used to match against the possible variants, now takes two new arguments to handle the two new cases, Jwks and JwksUriVerifier.
- Related to the previous point: ClientAuthenticationMethod has two new subtypes, as mentioned above.
- The JwtSigningAttributes type also has a new variant for JWKS, which is reflected in its match method.
- The JwksUri record was turned into a class, but its API was kept so no changes are required to code using it.
- Most Database Client Attributes types now have a withDefault method which populates attributes with default values in case the attributes were missing.
Password Policies
New types were added for the Password Policies feature: for example, the existing
UserCredentialManager service now has a method called getCredentialPolicy which returns an object
which describes the configured policies.
Configuration Secrets
This release introduces the EncryptedString type, which can be used in any Plugin Configuration interface
to represent secrets. These values are Strings which are transparently encrypted when persisted and decrypted
when loaded.
Custom SDK Plugins using this type are not automatically included by the reenc tool. Please refer to the updated
documentation of the reenc tool for information on how to include plugins that use EncryptedString.