
Upgrade instructions 12.x

12.15.0

Changes in the database schema

Run the following database script if your installation does not automatically update the database schema:

  • V12_15_00_00__add_open_id_delete_tokens_on_logout.sql

12.14.0

User authentication

In earlier versions, the user authentication transaction was kept in a short-lived, persistent cookie named AUTH-TX. This cookie is no longer used. When a user needs to authenticate, the transaction is now kept in a session cookie named SESSION, which was already present in earlier versions of the Onegini Token Server.

During the upgrade to this version, users will experience issues when they start the authentication transaction on an older version of the Onegini Token Server and continue on the latest version or vice versa. Using sticky sessions in the load balancer will prevent this issue.

12.12.1

Changes in the database schema

For MySQL or Oracle there are no database migrations.

For Microsoft SQL Server run the following database scripts if your installation does not automatically update the database schema:

  • V12_12_01_00__remove_constraint_for_refresh_token_expires_in.sql

12.10.0

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V12_10_00_00__OAUTH-3620_cordova_push_messaging.sql

12.6.0

Changes in templates

The default template consent.html has been updated to include the nonce variable in the consent form post. If your custom template set contains this consent.html template, you need to update your customized template set. Download the default template set to compare your version of consent.html with the standard version.

For example: <input type="hidden" name="nonce" value="${nonce}"/>
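A pre-upgrade check for a customized consent.html, added here as an example and not part of the Onegini documentation or template set: it parses the template and reports every POST form that does not submit the hidden nonce field shown above. The sample templates, the form action and the other field name are constructed, and the check assumes the consent form uses method="post".

```python
from html.parser import HTMLParser


class PostFormNonceChecker(HTMLParser):
    """Record, for every POST form, whether it submits the nonce field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one entry per POST form, in document order
        self._current = None  # POST form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = None
            if (a.get("method") or "").lower() == "post":
                self._current = {"action": a.get("action"), "has_nonce": False}
                self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Same shape as the field in the default template.
            if ((a.get("type") or "").lower() == "hidden"
                    and a.get("name") == "nonce"
                    and "${nonce}" in (a.get("value") or "")):
                self._current["has_nonce"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_consent_template(template_text):
    """Return the POST form count and the actions of forms lacking the nonce."""
    checker = PostFormNonceChecker()
    checker.feed(template_text)
    checker.close()
    missing = [f["action"] for f in checker.forms if not f["has_nonce"]]
    return {"post_forms": len(checker.forms), "missing_nonce": missing}


# Constructed sample templates; the form action and scope field are placeholders.
OLD_TEMPLATE = """<form method="post" action="/placeholder-consent">
  <input type="hidden" name="scope" value="${scope}"/>
  <button type="submit">Allow</button></form>"""
UPDATED_TEMPLATE = OLD_TEMPLATE.replace(
    "<button", '<input type="hidden" name="nonce" value="${nonce}"/>\n  <button')

if __name__ == "__main__":
    for name, text in (("old", OLD_TEMPLATE), ("updated", UPDATED_TEMPLATE)):
        print(name, audit_consent_template(text))
```

A result with post_forms equal to 0 means the parser found no POST form at all, which is worth a manual look rather than a pass.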

12.5.0

Device API

Device API version 4 has been introduced. It shows more information about the devices of an end-user. Property names in the JSON response objects of Device API version 4 use camelCase; the older versions used snake_case.

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V12_04_02_00__delete_mobile_platform_version_keys.sql
  • V12_04_03_00__add_jwks_uri_to_client_jwks.sql
  • V12_04_03_01__add_device_model.sql
  • V12_05_00_00__change_mpv_keys_fingerprint_column_type.sql (this script is for Oracle only)

12.4.1

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V12_04_01_00__delete_mobile_platform_version_keys.sql

12.4.0

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V12_04_00_00__add_sender_id_to_auth_properties.sql

12.2.0

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V12_02_00_02__add_mobile_platform_version_keys_on_delete_cascade.sql

12.1.2

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V12_02_00_01__add_mobile_platform_version_keys.sql

12.1.0

Redis

This release requires a Redis server version 4 or higher.

Changes in the database schema

For MySQL there are no new database scripts.

For Microsoft SQL Server or Oracle run the following database scripts if your installation does not automatically update the database schema:

  • V11_00_00_00__add_pkce_support.sql
  • V11_00_00_01__add_dum_engine_configs.sql
  • V11_00_00_02__add_refresh_token_expiration_time.sql
  • V11_00_01_00__add_integrity_check_to_application_version.sql
  • V11_00_01_01__app_signature_made_optional.sql
  • V11_00_01_02__add_registration_id_and_assertion_public_key_to_the_client.sql

12.0.0

Change in OpenID Connect check session template

The default template check-session.html has been modified to support reading cookies in iOS 12 and other browsers that ignore cookies with a SameSite=None flag inside an iframe. If your custom template set contains this check-session.html template, you need to update your customized template set. Download the default template set to compare your version of check-session.html with the standard version.

Change in error handling

When something went wrong during the OAuth authorization code flow or the OpenID Connect Authentication request, the Onegini Token Server often showed an HTML error page, even in cases where it could have redirected back to the client with an error code. This HTML page was not compliant with parts of the OpenID Connect Authentication request specification. Redirecting to the client may also simplify customized error templates for the Onegini Token Server.

The Onegini Token Server will now redirect back to the client with an error code in the following situations if the client_id and redirect_uri are correct:

  • The Onegini Token Server cannot determine which identity provider to use for authentication.
  • Fetching the metadata of a SAML identity provider fails.
  • An OpenID Connect Relying Party requests prompt=none for a user that has a session with the Onegini Token Server but lost their session with the SAML identity provider.
  • The SAML identity provider returns an authentication response with a failure status. The underlying cause is returned to the client.
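Because these failures now arrive at the client's redirect_uri instead of ending on a Token Server page, the client callback has to handle error responses. The handler below is an added example, not Onegini code: it follows the authorization code error response of RFC 6749 (error, error_description, state), and the callback URLs, state value and the error code in the sample are constructed.

```python
import hmac
import html
from urllib.parse import parse_qs, urlsplit


def handle_authorization_callback(callback_url, expected_state):
    """Classify a redirect to the client's redirect_uri.

    Returns ("code", <authorization code>) or ("error", <details dict>).
    Raises ValueError if state does not match or the response is malformed.
    """
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def first(name):
        return params.get(name, [None])[0]

    # Check state first: an error redirect without the right state was not
    # triggered by this client's own request and must not change its UI.
    state = first("state") or ""
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")

    if first("error") is not None:
        return ("error", {
            "error": first("error"),
            # error_description travels in the URL, so it is untrusted text;
            # escape it before it is ever placed in an HTML page.
            "description_html": html.escape(first("error_description") or ""),
        })

    code = first("code")
    if not code:
        raise ValueError("response carries neither code nor error")
    return ("code", code)


# Constructed sample redirects (hypothetical client URL and state value).
ERROR_REDIRECT = ("https://client.example/callback?error=access_denied"
                  "&error_description=%3Cb%3Eidp+failure%3C%2Fb%3E&state=s-123")
SUCCESS_REDIRECT = "https://client.example/callback?code=abc&state=s-123"

if __name__ == "__main__":
    print(handle_authorization_callback(ERROR_REDIRECT, "s-123"))
    print(handle_authorization_callback(SUCCESS_REDIRECT, "s-123"))
```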

Changes in the database schema

Run the following database scripts if your installation does not automatically update the database schema:

  • V11_00_01_00__add_integrity_check_to_application_version.sql
  • V11_00_01_01__app_signature_made_optional.sql
  • V11_00_01_02__add_registration_id_and_assertion_public_key_to_the_client.sql