There are no required changes to the database schema and no changes to the SDK or the configuration model in this version. As a result, it should be possible to upgrade without explicit action. However, some changes were made that can be important to know about when upgrading. These are described below.
Additional indices have been added to the dynamically_registered_clients table to enable filters and pagination in the DevOps Dashboard. These indices are needed for better performance only if Dynamic Client Registration is used and the DevOps Dashboard is enabled. Migration scripts for each supported database are provided with the release in the $IDSVR_INSTALL/examples/upgrade/6.5-to-6.6/ directory.
The Curity Identity Server no longer depends on the libcrypto library from OpenSSL to be available on the target system. The provided version requires GNU C Library version 2.25 on Linux. CentOS 7 ships with an older version, so customers should update GLIBC or use CentOS 8.
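A pre-upgrade check for the GNU C Library requirement above, as an added example that is not part of the release notes or the product's tooling. The function names are hypothetical, and it assumes that getconf GNU_LIBC_VERSION prints "glibc <major>.<minor>", as it does on glibc-based systems.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the glibc 2.25 requirement.
# Function names are hypothetical, not part of the product.
REQUIRED_GLIBC="2.25"   # minimum stated in the release note

# version_at_least HAVE WANT
# Returns 0 if HAVE >= WANT, 1 if older, 2 if HAVE is not "major.minor".
# Compares numerically, so 2.9 is correctly older than 2.25.
version_at_least() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    have_major=${1%%.*}; have_rest=${1#*.}; have_minor=${have_rest%%.*}
    want_major=${2%%.*}; want_rest=${2#*.}; want_minor=${want_rest%%.*}
    case "$have_major$have_minor" in
        *[!0-9]*) return 2 ;;
    esac
    if [ "$have_major" -ne "$want_major" ]; then
        if [ "$have_major" -gt "$want_major" ]; then return 0; fi
        return 1
    fi
    if [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# glibc_verdict "<output of getconf GNU_LIBC_VERSION>"
# Prints ok, too-old, or unknown (empty output, e.g. a non-glibc libc).
glibc_verdict() {
    case "$1" in
        "glibc "*) ver=${1#glibc } ;;
        *) echo "unknown"; return 0 ;;
    esac
    version_at_least "$ver" "$REQUIRED_GLIBC" && rc=0 || rc=$?
    case "$rc" in
        0) echo "ok" ;;
        1) echo "too-old" ;;
        *) echo "unknown" ;;
    esac
}

# Check the host this script runs on.
echo "host glibc: $(glibc_verdict "$(getconf GNU_LIBC_VERSION 2>/dev/null)")"
```

A result of "unknown" means the host did not report a glibc version at all and should be checked by hand before upgrading.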
Redirect URI validation can be tweaked using the validate-port-on-loopback-interfaces (default true) and allow-per-request-redirect-uris (default false) settings. In 6.7 these two settings will keep on working, but are deprecated in favour of Redirect URI validation policies. To start using Redirect URI validation policies, the two individual options above need to be set to their defaults.
The file $IDSVR_HOME/usr/share/templates/core/fragments/csp.vm was updated to use a variable for connect-src instead of a hard-coded string. This makes it possible for templates to override connect-src without modifying the csp.vm template.
templates/core/fragments/csp.vm
+ #if(${_cspConnectSrc}) + #set ($connectSrc = ${_cspConnectSrc}) + #else + #set ($connectSrc = "connect-src 'self';") + #end ... - <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; font-src 'self'; $childSrc"> + <meta http-equiv="Content-Security-Policy" content="$!connectSrc font-src 'self'; $childSrc">
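Review bot: the override in the meta tag line, content="$!connectSrc font-src 'self'; $childSrc", is inserted verbatim and nothing separates it from font-src, so the directive separator has to come from the variable itself. The default "connect-src 'self';" carries its own trailing semicolon, but a template that sets _cspConnectSrc without the connect-src name or without the final ';' yields a policy in which font-src 'self' is read as part of the preceding source list, and the font-src restriction is silently lost. Either document that _cspConnectSrc must be a complete directive ending in ';', or have the variable hold only the source list and emit "connect-src" and the ';' in csp.vm itself.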
The file $IDSVR_HOME/usr/share/templates/core/authentication-action/opt-in-mfa/select.vm was updated to include better WAI-ARIA structures. The following corresponding message files were updated as well:
$IDSVR_HOME/usr/share/messages/core/en/authentication-action/opt-in-mfa/select/messages
$IDSVR_HOME/usr/share/messages/core/sv/authentication-action/opt-in-mfa/select/messages