Upgrading from 9.2.X to 9.3.0

JDBC data source: multi-tenancy and discoverable credentials support

From this Curity Identity Server release, the database initialization scripts support multi-tenancy and Discoverable Credentials by default. To use Discoverable Credentials for Passkeys authenticator, the following database schema updates are necessary to improve device lookup queries:

  • Addition of a required index to the devices table - IDX_DEVICE_ID. This was already done in the migrations scripts included in version 9.2 ($IDSVR_INSTALL/misc/upgrade/9.1-to-9.2/ directory).
  • Update the device_id column size. Migration scripts are provided with this release in the $IDSVR_INSTALL/misc/upgrade/9.2-to-9.3/ directory.

The database schema migration (including migration scripts) is optional (when not using multi-tenancy or discoverable credentials) in this minor release and the Curity Identity Server supports both versions of the schema.

However, it is advised to consider migrating the database schema as soon as possible. The migration procedure is described in 9.2.0 upgrade guide.


Database schema initialization scripts without multi-tenancy support are provided in Curity Identity Server releases under misc/database-schemas directory.

DynamoDB Database changes

No mandatory changes are included in this release, however, the new feature Discoverable Credentials for the Passkeys authenticator requires a new global secondary index (GSI) to be added to the curity-devices table - deviceId-index: with deviceId attribute as partition key. To facilitate updating the devices table’s schema, JSON configuration files are provided with this release, in the $IDSVR_INSTALL/misc/upgrade/9.2-to-9.3/dynamodb directory. Files can be used with the aws dynamodb update-table command and passed as arguments to, respectively, the --global-secondary-index-updates and the --attribute-definitions options, to create the required index. This update is only required if discoverable credentials are to be enabled on the Passkeys authenticator.

SDK changes

Device Data Access Provider plugins

New methods - getByDeviceId (used to return a device based on device ID) and update (used to update device attributes, including device ID) have been added to the SDK. Both methods provide a default implementation and are only required when Discoverable Credentials is to be enabled.

Data Sources AttributeSorting type

The SDK type se.curity.identityserver.sdk.datasource.query.AttributesSorting has been modified so that it has a new variant, AttributesSorting.NAME (which allows sorting resources by their name). Also, it no longer extends ResourceQuery.Sorting. That means AttributeSorting no longer inherits a getSortBy method. That allows each Data Source to determine which attribute should be used for sorting by default, and when the new NAME variant is used.

Notice that AttributeSorting.DEFAULT and AttributeSorting.DONT previously returned default and none in the getSortBy method, which are not actually attribute names - that was bug-prone.

This may require a small change in Data Source plugins which implement methods using this type.

Mutual TLS Attributes

New type - client_certificate_pem was introduced as a subtype of the pinned certificate. It represents a plain text certificate in the PEM format and it’s used for the Database Clients to be able to manage certificates by GraphQL.

Token Handler Applications

The name of a configuration parameter changed from backend-for-frontend-base-url to backend-for-frontend-parent-domain in token handler applications. The parameter was originally not used and was mandatory. Now it was made optional and it is used to set the domain on proxy cookies. Previously it had to be a URL, now it is interpreted as the name of a domain (e.g. example.com).

In 9.2 the proxy-keystore required to configure an RSA public key. Now it requires an elliptic curve key instead.


Since the token handler application plugin was experimental until now, it is required to delete any existing Token Handler applications before upgrading, because there are breaking configuration changes between version 9.2 and 9.3. Make sure to back up any configuration values that may be required when re-creating token handler applications in 9.3.