Version 4.2.0 deprecates the getReturnedClaims() method in the UserInfoOAuthEvent class. Since 4.1.0 there is no claims filtering in the user-info endpoint and getReturnedClaims() method returns the same Map of claims as getClaims(), thus making the former redundant. It is scheduled to be removed in version 5.0.0. The UserInfoOAuthEvent constructor receiving the returnedClaims parameters is also deprecated and a new constructor without this parameter is added.
getReturnedClaims()
UserInfoOAuthEvent
Map
getClaims()
returnedClaims
Version 4.2.0 contains a number of changes to the configuration model. When starting the updated server with existing CDB configuration files, the server will upgrade these automatically. In case you want to upgrade existing XML configuration, read the paragraph Upgrading the XML Configuration
As with previous releases, the XML configuration can be converted using a provided XSLT and its associated auto-upgrade.sh script or by doing an automatic migration that will run when necessary to perform the same upgrade. To run the XSLT on a configuration data set, run the auto-upgrade.sh script, like this:
auto-upgrade.sh
$ $INSTALL_DIR/misc/upgrade/4.1-to-4.2/auto-upgrade.sh $IDSVR_HOME/etc/init/some-config.xml
The configuration of non-templatized clients which are authenticated using a credential manager need to have the configuration changed or else an automatic migration will be performed. To perform this manually, the credential manager settings need to be changed as shown in the following figure:
<profile> <type xmlns:as="https://curity.se/ns/conf/profile/oauth">as:oauth-service</type> <settings> <authorization-server xmlns="https://curity.se/ns/conf/profile/oauth"> <dynamic-client-registration> <client-data-source>DefaultHSQLDB</client-data-source> <non-templatized> <credential-manager>BCryptCredentialManager</credential-manager> <no-authentication/> </non-templatized> </dynamic-client-registration> </authorization-server> </settings> </profile>
<profile> <type xmlns:as="https://curity.se/ns/conf/profile/oauth">as:oauth-service</type> <settings> <authorization-server xmlns="https://curity.se/ns/conf/profile/oauth"> <dynamic-client-registration> <client-data-source>DefaultHSQLDB</client-data-source> <non-templatized> <client-authentication-method> <secret> <credential-manager>BCryptCredentialManager</credential-manager> </secret> </client-authentication-method> <no-authentication/> </non-templatized> </dynamic-client-registration> </authorization-server> </settings> </profile>
Before this release, non-templatized dynamic clients always authenticated using a secret (either verified against the hash stored in config or using a credential manager described above). In 4.2.0, it is now possible for such clients to login using a certificate. To allow for password-based and/or certificate-based login, the non-templatized DCR configuration should be updated. The provided XSLT will add the necessary configuration to maintain backward compatibility, and the absence of this new configuration will continue to work in case the XSLT is not run. However, it is advisable to run the XSLT or manually add it to ease future major upgrades when it will be required. The configuration that should be added is shown in the following listing:
<profile> <type xmlns:as="https://curity.se/ns/conf/profile/oauth">as:oauth-service</type> <settings> <authorization-server xmlns="https://curity.se/ns/conf/profile/oauth"> <dynamic-client-registration> <client-data-source>DefaultHSQLDB</client-data-source> <non-templatized> <client-authentication-method> <secret/> </client-authentication-method> <no-authentication/> </non-templatized> </dynamic-client-registration> </authorization-server> </settings> </profile>
If the client-authentication-method element is absent, non-templatized dynamic clients will be able to authenticate as if secret where set (and a credential manager was not used). If, however, client-authentication-method contains mutual-tls (a new element in this release), then secret-based login will have to be explicitly added.
client-authentication-method
secret
mutual-tls