Version 5.4.0 contains a single change to the configuration model that affects customers who used the beta version of the Hypermedia Authentication API (HAAPI). Also, one configuration setting is now obsolete and can be deleted if set. Other changes to be aware of when upgrading are also described below.
The required-claim setting of a service provider in authentication profiles is now obsolete. If it is present in the configuration, it is ignored. Customers are recommended to remove this setting, as it will be removed from the data model in a future major version. In particular, configuration like this should be changed to have the highlighted line removed:
The OAuth client setting authorization-api-client, which allows a client to consume the API, was renamed haapi. Clients that were previously configured with the old capability name need to be updated to use the new one before the configuration can be loaded. To do this, change authorization-api-client, shown on line 13 of Listing 95, to haapi.
<authorization-api-client/> <!-- Change to <haapi/> -->
<!-- ... -->
Authorization requests that include response types specific to OpenID Connect (e.g. id_token, code id_token) without including the openid scope now result in the unsupported_response_type error. According to the OpenID Connect standard, if the openid scope is not present, the behavior is entirely unspecified. This change was made to always make OpenID Connect requests explicit instead of relying on unspecified behavior.
Clients relying on the previous behavior need to be updated to request the openid scope.
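As an added illustration (not code from the Curity Identity Server), the following Python check models the 5.4.0 rule described above: an OpenID Connect response type requested without the openid scope is rejected with unsupported_response_type, and a small client-side helper shows the corresponding fix. Treating every response_type that contains id_token as OpenID Connect specific is an assumption of this example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Assumption of this example: response types that contain "id_token" are
# OpenID Connect specific; plain OAuth 2.0 types are "code", "token" and
# their combination. Order inside response_type is not significant.
OIDC_RESPONSE_TYPES = {
    frozenset({"id_token"}),
    frozenset({"code", "id_token"}),
    frozenset({"id_token", "token"}),
    frozenset({"code", "id_token", "token"}),
}
OAUTH_RESPONSE_TYPES = {
    frozenset({"code"}),
    frozenset({"token"}),
    frozenset({"code", "token"}),
}


def check_response_type(query: str) -> Optional[str]:
    """Return an OAuth error code for an authorization request query string,
    or None if the request passes the 5.4.0 response_type/scope check."""
    params = parse_qs(query, keep_blank_values=True)
    requested = frozenset(params.get("response_type", [""])[0].split())
    scopes = set(params.get("scope", [""])[0].split())
    if not requested or requested not in OIDC_RESPONSE_TYPES | OAUTH_RESPONSE_TYPES:
        return "unsupported_response_type"
    # New behaviour: OIDC response types are only valid with the openid scope.
    if requested in OIDC_RESPONSE_TYPES and "openid" not in scopes:
        return "unsupported_response_type"
    return None


def add_openid_scope(query: str) -> str:
    """Client-side fix: prepend the openid scope when an OIDC response type is
    requested and the scope is missing. Returns the rewritten query string."""
    params = parse_qs(query, keep_blank_values=True)
    requested = frozenset(params.get("response_type", [""])[0].split())
    if requested in OIDC_RESPONSE_TYPES:
        scopes = params.get("scope", [""])[0].split()
        if "openid" not in scopes:
            params["scope"] = [" ".join(["openid", *scopes])]
    return urlencode({key: values[0] for key, values in params.items()})


if __name__ == "__main__":
    # Constructed sample request that relied on the old, unspecified behaviour.
    legacy = "response_type=code%20id_token&scope=profile"
    print(check_response_type(legacy))               # unsupported_response_type
    print(check_response_type(add_openid_scope(legacy)))  # None
```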
A new _setPasswordUrl variable is available to the core/authenticator/html-form/email/reset-password email templates, containing the password reset URL (without query parameters) that should be included in the email.
The default templates were updated to use the _setPasswordUrl variable. This is an optional and non-breaking change, but we do recommend that custom templates be updated accordingly.
Before this change, the templates included:
#set ($url = "$_anonymousUrl/set-password?token=$nonce$!oq")
This can be updated to:
#set ($url = "$_setPasswordUrl?token=$nonce$!oq")
The TokenDataAccessProvider has been updated with a deprecation notice for getById. This was used during introspection when passing a token_value_hint of type “id”. This is a non-standard usage that will no longer be supported from the next major version.
A robots.txt file was added to $IDSVR_HOME/webroot that will block search engine indexing of all resources served by the Curity Identity Server. If this is not desirable, this file should be deleted before being deployed.
When the /metrics endpoint reports token and delegation issuance, it used to include the label client_id. This could produce too many label values for Prometheus to handle when using Dynamic Client Registration or when a large number of clients exist.
For this reason, the default behaviour is now to not report unique values for the client_id label when tokens are issued.
To enable client_id values to be reported, use the following system property when starting the Curity Identity Server.
The Debug Attribute Action is now included in the distribution.
Any overlays with this action should be removed as they will now conflict with the shipped version during boot.
The Release Candidate 1 version of HAAPI introduces the following major representation changes:
The default behaviour for alarms caused by HTTP Clients has been changed. By default, the HTTP clients will only trigger alarms when servers respond with 5xx status codes. It is possible to enable alarms for 4xx status codes as well. See the alarm documentation for more details.