Upgrade instructions 10.x

10.0.0-M2

Run all database scripts

Warning: The migration V10_00_00_03__add_correlation_id_to_access_tokens.sql will take some extra time if the access_tokens table is large.

  • V10_00_00_03__add_correlation_id_to_access_tokens.sql

Zip archive handling

Zip files are now limited by default to 10MB and/or 100 files. This includes message and template zip files. These limits can be modified via environment properties, as described in Zip archive handling.

Thymeleaf upgrade

The Thymeleaf template engine and its dialects have been upgraded. If you have customized the templates based on the default template set, they will probably still work. Thymeleaf has made changes to its templating language and logs warnings for the usage of deprecated features. We recommend planning an upgrade of custom templates.

The most common changes are:

  • layout:decorator is deprecated. Use layout:decorate instead.
  • Replace $DECORATOR_TITLE with $LAYOUT_TITLE.
  • The attributes th:include and layout:include are deprecated. Replace them with th:insert and layout:insert. Note that insert has a different behavior than include.
  • Existing fragment expressions are deprecated.

Example of a deprecated Thymeleaf 2 fragment expression:

<th:block th:include="fragments/fragment-inputs :: csrfToken"/>

Example of an updated Thymeleaf 3 fragment expression:

<th:block th:insert="~{fragments/fragment-inputs :: csrfToken}"/>

Refer to the Thymeleaf 3 migration guide and Layout dialect migration guide for full details.
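
The deprecated constructs listed above can be located in custom templates before the upgrade. The following is an added example, not part of the Token Server or Thymeleaf; it only reports findings and rewrites nothing, because insert behaves differently from include. The sample template is constructed, and treating any fragment attribute value that does not start with ~{ as an old-style expression is a heuristic.

```python
import re

# Deprecated constructs named in the upgrade notes, with the suggested replacement.
DEPRECATED = [
    (re.compile(r"\blayout:decorator\b"), "use layout:decorate"),
    (re.compile(r"\$DECORATOR_TITLE\b"), "use $LAYOUT_TITLE"),
    (re.compile(r"\bth:include\b"), "use th:insert (behaviour differs)"),
    (re.compile(r"\blayout:include\b"), "use layout:insert (behaviour differs)"),
]
# Heuristic: a fragment attribute whose value is not wrapped in ~{...}.
UNWRAPPED = re.compile(
    r'\b((?:th|layout):(?:insert|replace|include|decorate|decorator))\s*=\s*"(?!~\{)'
)

# Constructed sample template (not taken from the default template set).
SAMPLE = """<html layout:decorator="layouts/main">
<title layout:title-pattern="$DECORATOR_TITLE - $CONTENT_TITLE">x</title>
<th:block th:include="fragments/fragment-inputs :: csrfToken"/>
<th:block th:insert="~{fragments/fragment-inputs :: csrfToken}"/>
</html>"""


def scan_template(text):
    """Return (line_number, construct, advice) for each deprecated usage."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for pattern, advice in DEPRECATED:
            for m in pattern.finditer(line):
                findings.append((no, m.group(0), advice))
        for m in UNWRAPPED.finditer(line):
            findings.append((no, m.group(1) + " fragment", "wrap the expression in ~{...}"))
    return findings


if __name__ == "__main__":
    for line_no, construct, advice in scan_template(SAMPLE):
        print(f"line {line_no}: {construct}: {advice}")
```
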

Removal of Deprecated APIs and Minimum supported SDKs increased

The minimum supported SDK versions have been increased. The Android SDK must be at least version 5.01.00 and the iOS SDK must be at least version 4.08.03.

  • V1 & V2 of the Devices API have been removed. Use version 3 of the API.
    • /api/v1/users/{userId}/devices/*
    • /api/v2/users/{userId}/devices/*
  • The Authentication applications API has been removed. Use version 3 of the Device API as a replacement.
    • /oauth/api/v1/users/{userId}/authentication/apps/*

See other planned deprecations
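
Before upgrading, access logs can show which clients still call the removed endpoints. The following is an added example, not part of the product; it assumes Common Log Format access logs from whatever proxy fronts the Token Server, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Path patterns derived from the removed endpoints listed above.
REMOVED = [
    ("Devices API v1/v2",
     re.compile(r"^/api/v[12]/users/[^/]+/devices(?:/|$)")),
    ("Authentication applications API",
     re.compile(r"^/oauth/api/v1/users/[^/]+/authentication/apps(?:/|$)")),
]
# Assumed format: host ident user [time] "METHOD target HTTP/x" status size
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')

# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /api/v1/users/u1/devices HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "DELETE /api/v2/users/u1/devices/42?x=1 HTTP/1.1" 204 0',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /some/other/path HTTP/1.1" 200 17',
    '192.0.2.11 - - [01/Jan/2024:10:00:12 +0000] "GET /api/v1/users/u1/devices-report HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /oauth/api/v1/users/u2/authentication/apps/7 HTTP/1.1" 200 90',
]


def removed_api_calls(log_lines):
    """Count requests to removed endpoints per (client host, API family)."""
    hits = Counter()
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        host, _method, target = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        for name, pattern in REMOVED:
            if pattern.match(path):
                hits[(host, name)] += 1
    return hits


if __name__ == "__main__":
    for (host, name), count in sorted(removed_api_calls(SAMPLE_LOG).items()):
        print(f"{host} still calls {name}: {count} request(s)")
```
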

Changes in custom Token Server plugins

The class com.onegini.tokenserver.engine.OauthEngineConstants was moved to com.onegini.tokenserver.engine.core.OauthEngineConstants. You may need to update some imports.

Application Version API Updated

The JSON keys for the Application Version API have been updated to be more consistent with the Admin UI and reflect the type of values each contains (e.g. boolean values have _enabled suffix).

The key changes are applicable for all of the defined endpoints. Here is a summary of the differences:

| Old JSON key | New JSON key |
|---|---|
| app_signature | application_signature |
| tampering_protection | tampering_protection_enabled |
| payload_encrypytion | payload_encrypytion_enabled |
| use_apns_development_environment | use_apns_development_environment_enabled |
| send_badge_number | send_badge_number_enabled |

  • List of App versions per platform now returns the whole object (except application_signature) instead of just the version_name and status.
  • New endpoint for getting a single version of an application version.
  • Export now requires an API client with onegini_api_config.

10.0.0-M1

Run all database scripts

Warning: The migration V10_00_00_02__add_access_token_format_to_client_config.sql will take some extra time if the access_tokens table is large.

  • V9_01_00_02__add_additional_audiences_client_config.sql
  • V10_00_00_00__add_encryption_cols_for_open_id_config
  • V10_00_00_01__add_api_application_version_scope.sql
  • V10_00_00_02__add_access_token_format_to_client_config.sql

Changes in API

From this version, the Web Clients API requires access via the Config API scope instead of the Admin API scope. Create an API Client that supports the Config API scope if you are using the Web Clients API.

The Admin API scope is still used for the API Clients API.

Database connection configuration

From this version the Token Server uses a different database connection pooling mechanism. Some variables were no longer needed while other custom variable names were removed.

Changed variable names

The following variables were renamed to align with other products of Onegini:

| Old variable name | New variable name |
|---|---|
| TOKEN_SERVER_COMMON_DB_TYPE | DATABASE_TYPE |
| TOKEN_SERVER_COMMON_DB_ENCRYPTION_PASSWORD | DATABASE_ENCRYPTION_PASSWORD |
| TOKEN_SERVER_COMMON_DB_ENCRYPTION_POOLSIZE | DATABASE_ENCRYPTION_POOLSIZE |

Changed to Spring Boot defaults

The following variables were replaced by Spring Boot database variables:

| Old variable name | New variable name |
|---|---|
| TOKEN_SERVER_COMMON_DB_JDBC_URL | SPRING_DATASOURCE_URL |
| TOKEN_SERVER_COMMON_DB_USER | SPRING_DATASOURCE_USERNAME |
| TOKEN_SERVER_COMMON_DB_PASSWORD | SPRING_DATASOURCE_PASSWORD |
| TOKEN_SERVER_COMMON_DB_DRIVER_CLASS | SPRING_DATASOURCE_DRIVER_CLASS_NAME |
| TOKEN_SERVER_COMMON_DB_PLATFORM | SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT |

Changed to Flyway defaults

The following variables were replaced by Flyway environment variables:

| Old variable name | New variable name |
|---|---|
| TOKEN_SERVER_COMMON_DB_MIGRATION_ENABLED | FLYWAY_ENABLED |
| TOKEN_SERVER_COMMON_DB_MIGRATION_INIT_VERSION | FLYWAY_BASELINE_VERSION |
| TOKEN_SERVER_COMMON_DB_MIGRATION_OUT_OF_ORDER | FLYWAY_OUT_OF_ORDER |
| TOKEN_SERVER_COMMON_DB_MIGRATION_FOLDER | FLYWAY_LOCATIONS |

Removed variables

The following variables are no longer used to configure the database connection and should be removed:

  • TOKEN_SERVER_COMMON_DB_CONNECTIONS_INITIAL_SIZE
  • TOKEN_SERVER_COMMON_DB_CONNECTIONS_MAX_ACTIVE
  • TOKEN_SERVER_COMMON_DB_CONNECTIONS_MAX_IDLE
  • TOKEN_SERVER_COMMON_DB_CONNECTIONS_MAX_WAIT
  • TOKEN_SERVER_COMMON_DB_CONNECTIONS_MAX_LIFETIME_MILLIS
  • TOKEN_SERVER_COMMON_DB_VALIDATION_QUERY
  • TOKEN_SERVER_COMMON_DB_SHOW_SQL
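
The renames and removals above can be applied to an environment file mechanically. The following is an added example, not part of the product; it assumes a plain KEY=VALUE file and that values carry over unchanged, which this page does not state. Notes name variables only, so database and encryption passwords never reach the output log.

```python
P = "TOKEN_SERVER_COMMON_DB_"
RENAMED = {P + old: new for old, new in {
    "TYPE": "DATABASE_TYPE",
    "ENCRYPTION_PASSWORD": "DATABASE_ENCRYPTION_PASSWORD",
    "ENCRYPTION_POOLSIZE": "DATABASE_ENCRYPTION_POOLSIZE",
    "JDBC_URL": "SPRING_DATASOURCE_URL",
    "USER": "SPRING_DATASOURCE_USERNAME",
    "PASSWORD": "SPRING_DATASOURCE_PASSWORD",
    "DRIVER_CLASS": "SPRING_DATASOURCE_DRIVER_CLASS_NAME",
    "PLATFORM": "SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT",
    "MIGRATION_ENABLED": "FLYWAY_ENABLED",
    "MIGRATION_INIT_VERSION": "FLYWAY_BASELINE_VERSION",
    "MIGRATION_OUT_OF_ORDER": "FLYWAY_OUT_OF_ORDER",
    "MIGRATION_FOLDER": "FLYWAY_LOCATIONS",
}.items()}
REMOVED = {P + s for s in (
    "CONNECTIONS_INITIAL_SIZE CONNECTIONS_MAX_ACTIVE CONNECTIONS_MAX_IDLE "
    "CONNECTIONS_MAX_WAIT CONNECTIONS_MAX_LIFETIME_MILLIS VALIDATION_QUERY SHOW_SQL"
).split()}

# Constructed sample environment file; values are placeholders.
SAMPLE = (P + "TYPE=value-a\n" + P + "PASSWORD=value-b\n"
          "SPRING_DATASOURCE_PASSWORD=value-c\n" + P + "SHOW_SQL=value-d\n"
          "# comment\nOTHER=1")

def migrate_env(text):
    """Rewrite KEY=VALUE lines; return (new_text, notes). Notes never contain values."""
    lines = text.splitlines()
    present = {l.split("=", 1)[0].strip() for l in lines
               if "=" in l and not l.lstrip().startswith("#")}
    out, notes = [], []
    for line in lines:
        key, sep, value = line.partition("=")
        name = key.strip()
        if not sep or line.lstrip().startswith("#"):
            out.append(line)                      # blank line or comment
        elif name in REMOVED:
            notes.append(f"removed {name}")
        elif name in RENAMED:
            new = RENAMED[name]
            if new in present:                    # both spellings set: keep the new one
                notes.append(f"conflict: {name} and {new} both set; kept {new}")
            else:
                out.append(f"{new}={value}")
                notes.append(f"renamed {name} -> {new}")
        else:
            out.append(line)
    return "\n".join(out), notes
```
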