6.2.2

• Home

Table of Contents

• System Admin Guide
  • Alarms
  • Attribute Transformers
  • Audit
  • Authorization Managers
  • Credential Managers
  • Cryptography
  • Data Sources
  • Deployment
  • Email Providers
  • Http Clients
  • Logging
  • Monitoring
  • Scripting
  • Server Events
  • SMS Providers
  • Transport Layer Security
  • Upgrading
    • Upgrading from 4.0.X to 4.1.0
    • Upgrading from 4.1.X to 4.2.0
      • SDK
      • Upgrading the XML Configuration
    • Upgrading from 4.2.X to 4.3.0
    • Upgrading from 4.3.X to 4.4.0
    • Upgrading from 4.4.X to 4.5.0
    • Upgrading from 4.5.X to 5.0.0
    • Upgrading from 5.0.X to 5.1.0
    • Upgrading from 5.2.X to 5.3.0
    • Upgrading from 5.3.X to 5.4.0
    • Upgrading from 5.4.X to 6.0.0
    • Upgrading from 6.0.X to 6.1.0
    • Upgrading from 6.1.X to 6.2.0
    • General Upgrade Procedure
  • Common Usecases
  • DevOps Dashboard
  • System Requirements
  • JVM Configuration
  • Go-live Checklist
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
• Token Service Admin Guide
• User Management Admin Guide
• Developer Guide
• Configuration Guide
• Glossary

Upgrading from 4.1.X to 4.2.0

SDK

Version 4.2.0 deprecates the getReturnedClaims() method in the UserInfoOAuthEvent class. Since 4.1.0 there is no claims filtering in the user-info endpoint and getReturnedClaims() method returns the same Map of claims as getClaims(), thus making the former redundant. It is scheduled to be removed in version 5.0.0. The UserInfoOAuthEvent constructor receiving the returnedClaims parameters is also deprecated and a new constructor without this parameter is added.

Version 4.2.0 contains a number of changes to the configuration model. When starting the updated server with existing CDB configuration files, the server will upgrade these automatically. In case you want to upgrade existing XML configuration, read the paragraph Upgrading the XML Configuration

Upgrading the XML Configuration

Description	Applicability	Change Method
Credential Manager config for non-templatized DCR	Non-templatized DCR	No action, automatic using XSLT, or manual
Client authentication methods for non-templatized DCR	Non-templatized DCR	Automatic using XSLT, manual, or skip migration

As with previous releases, the XML configuration can be converted using a provided XSLT and its associated auto-upgrade.sh script or by doing an automatic migration that will run when necessary to perform the same upgrade. To run the XSLT on a configuration data set, run the auto-upgrade.sh script, like this:

Listing 77 Upgrading from 4.1.X to 4.2.0 using the provided XSLT and auto-upgrade.sh

$ $INSTALL_DIR/misc/upgrade/4.1-to-4.2/auto-upgrade.sh $IDSVR_HOME/etc/init/some-config.xml

Credential Manager for Non-templatized DCR

The configuration of non-templatized clients which are authenticated using a credential manager need to have the configuration changed or else an automatic migration will be performed. To perform this manually, the credential manager settings need to be changed as shown in the following figure:

Listing 78 Old configuration of a credential manager that verifies the secret of non-templatized dynamic clients

<profile>
    <type xmlns:as="https://curity.se/ns/conf/profile/oauth">as:oauth-service</type>
    <settings>
    <authorization-server xmlns="https://curity.se/ns/conf/profile/oauth">
        <dynamic-client-registration>
            <client-data-source>DefaultHSQLDB</client-data-source>
            <non-templatized>
                <credential-manager>BCryptCredentialManager</credential-manager>
                <no-authentication/>
            </non-templatized>
        </dynamic-client-registration>
    </authorization-server>
    </settings>
</profile>

Listing 79 New configuration for non-templatized client authentication using a credential manager

<profile>
    <type xmlns:as="https://curity.se/ns/conf/profile/oauth">as:oauth-service</type>
    <settings>
    <authorization-server xmlns="https://curity.se/ns/conf/profile/oauth">
        <dynamic-client-registration>
            <client-data-source>DefaultHSQLDB</client-data-source>
            <non-templatized>
                <client-authentication-method>
                    <secret>
                        <credential-manager>BCryptCredentialManager</credential-manager>
                    </secret>
                </client-authentication-method>
                <no-authentication/>
            </non-templatized>
        </dynamic-client-registration>
    </authorization-server>
    </settings>
</profile>

Authentication Method for Non-templatized Dynamic Clients

Before this release, non-templatized dynamic clients always authenticated using a secret (either verified against the hash stored in config or using a credential manager described above). In 4.2.0, it is now possible for such clients to login using a certificate. To allow for password-based and/or certificate-based login, the non-templatized DCR configuration should be updated. The provided XSLT will add the necessary configuration to maintain backward compatibility, and the absence of this new configuration will continue to work in case the XSLT is not run. However, it is advisable to run the XSLT or manually add it to ease future major upgrades when it will be required. The configuration that should be added is shown in the following listing:

Listing 80 New configuration for non-templatized client authentication using a credential manager

<profile>
    <type xmlns:as="https://curity.se/ns/conf/profile/oauth">as:oauth-service</type>
    <settings>
    <authorization-server xmlns="https://curity.se/ns/conf/profile/oauth">
        <dynamic-client-registration>
            <client-data-source>DefaultHSQLDB</client-data-source>
            <non-templatized>
                <client-authentication-method>
                    <secret/>
                </client-authentication-method>
                <no-authentication/>
            </non-templatized>
        </dynamic-client-registration>
    </authorization-server>
    </settings>
</profile>

If the client-authentication-method element is absent, non-templatized dynamic clients will be able to authenticate as if secret where set (and a credential manager was not used). If, however, client-authentication-method contains mutual-tls (a new element in this release), then secret-based login will have to be explicitly added.