Upgrading from 6.6.X to 6.7.0

There are no required changes to the database schema and no changes to the SDK or the configuration model in this version. As a result, it should be possible to upgrade without explicit action. However, some changes were made that can be important to know about when upgrading. These are described below.

Updating Databases

Additional indices have been added to the dynamically_registered_clients table to enable filters and pagination in the DevOps Dashboard. These indices are needed for better performance only if Dynamic Client Registration is used and the DevOps Dashboard is enabled. Migration scripts for each supported database are provided with the release in the $IDSVR_INSTALL/examples/upgrade/6.5-to-6.6/ directory.

Removal of OpenSSL dependency

The Curity Identity Server no longer requires the libcrypto library from OpenSSL to be available on the target system. The provided version requires GNU C Library (glibc) version 2.25 on Linux. CentOS 7 ships with an older version, so customers should update glibc or use CentOS 8.
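
A pre-upgrade check for the glibc requirement above, as an added example that is not part of the Curity documentation or product. The function names are hypothetical, and the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: verify the host meets the glibc minimum from the release note.
REQUIRED_GLIBC="2.25"

# version_ge A B: succeed when major.minor of A is >= B, compared numerically
# (so 2.9 < 2.25). Returns 2 when either argument is not a dotted number.
version_ge() {
    case "$1$2" in *[!0-9.]*) return 2 ;; esac
    case "$1" in *.*) ;; *) return 2 ;; esac
    case "$2" in *.*) ;; *) return 2 ;; esac
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ -n "$a_major" ] && [ -n "$a_minor" ] || return 2
    [ -n "$b_major" ] && [ -n "$b_minor" ] || return 2
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# detect_glibc_version: print the running glibc version, e.g. "2.28".
# getconf prints "glibc <version>" on glibc systems and fails on other
# C libraries (musl, for example), in which case this returns 1.
detect_glibc_version() {
    out=$(getconf GNU_LIBC_VERSION 2>/dev/null) || return 1
    case "$out" in
        glibc\ *) printf '%s\n' "${out#glibc }" ;;
        *) return 1 ;;
    esac
}

# check_glibc [VERSION]: report whether VERSION (default: the detected one)
# satisfies REQUIRED_GLIBC. Exit status: 0 ok, 1 too old, 2 not detected.
check_glibc() {
    found=${1:-}
    [ -n "$found" ] || found=$(detect_glibc_version) || {
        echo "UNKNOWN: glibc not detected"
        return 2
    }
    if version_ge "$found" "$REQUIRED_GLIBC"; then
        echo "OK: glibc $found"
    else
        echo "FAIL: glibc $found < $REQUIRED_GLIBC"
        return 1
    fi
}
```

Source the file and run check_glibc with no argument on the target host before upgrading; a non-zero status means the host needs a newer glibc first.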

Redirect URI validation

Redirect URI validation can be adjusted using the validate-port-on-loopback-interfaces (default true) and allow-per-request-redirect-uris (default false) settings. In 6.7 these two settings continue to work, but are deprecated in favour of Redirect URI validation policies. To start using Redirect URI validation policies, the two individual options above need to be set to their defaults.

Template Updates

CSP connect-src Variable

The file $IDSVR_HOME/usr/share/templates/core/fragments/csp.vm was updated to use a variable for connect-src instead of a hard-coded string. This makes it possible for templates to override connect-src without modifying the csp.vm template.

Listing 104 Changes to templates/core/fragments/csp.vm
+   #if(${_cspConnectSrc})
+       #set ($connectSrc = ${_cspConnectSrc})
+   #else
+       #set ($connectSrc = "connect-src 'self';")
+   #end
...
-    <meta http-equiv="Content-Security-Policy" content="connect-src 'self'; font-src 'self'; $childSrc">
+    <meta http-equiv="Content-Security-Policy" content="$!connectSrc font-src 'self'; $childSrc">
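
Review bot: in the new meta line, $!connectSrc is followed directly by font-src 'self'; so a template that sets _cspConnectSrc has to supply the complete directive, including the connect-src name and the trailing semicolon, exactly as the default "connect-src 'self';" does. If the semicolon is missing, font-src 'self' is read as part of the connect-src source list and the font-src directive is lost from the policy. Document that contract next to the #if(${_cspConnectSrc}) block, or have csp.vm append the semicolon itself. Because the override replaces the default rather than extending it, an overriding template that still needs same-origin requests must list 'self' explicitly.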

Opt-In MFA Select Method

The file $IDSVR_HOME/usr/share/templates/core/authentication-action/opt-in-mfa/select.vm was updated to include better WAI-ARIA structures. The following corresponding message files were updated as well.

  • $IDSVR_HOME/usr/share/messages/core/en/authentication-action/opt-in-mfa/select/messages
  • $IDSVR_HOME/usr/share/messages/core/sv/authentication-action/opt-in-mfa/select/messages