Migration from v3 to V4 #4592
Comments
|
would also be interested for a migration guide. |
https://identityserver4.readthedocs.io/en/latest/topics/resources.html#apis |
|
OK - I pinned this issue. Please report all migration issues you run into. This can be then used to create a guide at some point. This is a community effort. |
|
Thank you Brock and Dominick for your replies. I have my solution working now. I will try and summarise my experience in case it helps others or in case I am "doing it wrong" and others can learn. My system has multiple clients (currently ASP.NET Core web applications and in the future mobile apps). They are related apps in a safety management system for mining/construction/engineering scenarios. Each client basically has its own API. They are relatively simple and small in size. IdentityServer is used for authentication for each app and API and I am using ASPNET Identity. It very similar to the Quickstart examples. I keep Identity resources, API resources and Clients in The relevant part of my v3 The relevant part of my v3 I upgraded the Nuget packages to v4 and ran the appropriate migrations scripts from https://github.com/RockSolidKnowledge/IdentityServer4.Migration.Scripts/tree/CreateScripts for my database. The first problem I had was IdentityServer returned an 'invalid_scope' error. After reading the docs I changed my I then changed to include BOTH The relevant part of my v4 The relevant part of my v4 Hope that helps and I am not leading people in the wrong direction. |
|
I have a fairly simple API so I just switched out the ApiResource for ApiScope and it worked fine. The update blurb was helpful but it would be nice if it was more visible instead of hidden at the bottom of that page. I also ran into an issue where the ClientId property was removed from the AuthorizationRequest model and replaced with Client (which has the missing ClientId property) so that was a fairly easy fix. I create a PR for the documentation which still has ClientId in it even though it isn't there. Everything else seems to be working fine. |
|
One of the issue I am encountering, is that version 4.0 is checking Content-Type header for "application/x-www-form-urlencoded" I'm calling token endpoint from Axios in React Native 0.62 and there are some compatiblity issues with Flipper causing Content-Type header to be stripped out. I understand it's not specifically a bug but it would be nice if there is a way to disable HasApplicationFormContentType checking. Additionally I have legacy client apps deployed without using Content-Type header which prevents upgrade to version 4. |
|
Few issues I've run into that I'm unsure how to handle: 1: Current broken code:
Is an empty 2: Current broken code: I notice that there is now an overload that takes 3: Current broken code: There used to be a 4: Above, @jt-pt-dev links to some SQL scripts for updating the database, but are there Entity Framework migration files available? If so, how do we use them? |
There's a new DenyConsent API. |
|
@brockallen Gotcha - I will take a look at that. Are there simple answers for my other questions? Was just hoping to get some guidance on the breaking changes. |
|
I am getting the error "Unable to resolve service for type - 'IdentityServer4.Services.IReplayCache' when i run my IdentityServer project after upgrading IdentityServer4 nuget package from 3.1.0 to 4.0.1. Please let me know if you need more details on this. Appreciate any help on this. Would also be interested for a migration guide. Thanks. |
|
@hallidev I can help with this question:
If you look at the updated quickstart sample you can see an example of how to construct I suspect you'll be able to answer some of your other questions by looking through the updated quickstart code as well, but I've not had to cross those particular bridges 😄 |
|
Hi, An exception was thrown while activating IdentityServer4.Endpoints.TokenEndpoint -> IdentityServer4.Validation.ClientSecretValidator -> IdentityServer4.Validation.SecretValidator -> λ:IdentityServer4.Validation.ISecretValidator[] -> IdentityServer4.Validation.PrivateKeyJwtSecretValidator." |
|
Finished deploying the migration to production yesterday. The overall migration experience was smooth, it took around 2 days to finish preparing the upgrade script, code changes, test and deployment. Thanks to the migration script: https://github.com/RockSolidKnowledge/IdentityServer4.Migration.Scripts One gotcha was the Thanks for all the resources and hope this also helps a bit. |
for Q1 for Q3: |
|
Hi, I am using the also in my I get the ScopeRequested failing what should this call be replaced with? Thank you |
|
two ways to fix it app.Use(async (context, next) =>
{
//升级到v4后这publicorigin选项不见了,改为在中间件中设置publicorigin
var config = context.RequestServices.ResolveConfig_();
var publicOrigin = config["public_origin"];
if (publicOrigin?.Length > 0)
{
context.SetIdentityServerOrigin(publicOrigin);
context.SetIdentityServerBasePath(context.Request.PathBase.Value.TrimEnd('/'));
}
await next.Invoke();
}); |
|
Thank you - has anyone any idea on my other point above? I have also now moved forward to testing the new system and get the following error in my logs (and this all used to work on the old version of IdentityServer4): I can see an entry with [redacted scope name] in the following tables in my database: ApiScopes, ClientScopes but NOT IdentityResources I can see in the code this error arising from a failed call to: but it's there - any thoughts and ideas given the changes? |
|
OK - one update on the error above - I needed to set |
|
For anyone that has implemented their own ISecretsListValidator the params the Validate async method receives have been switched: |
|
I'm having some issues in my ProfileService after updating to v4. When the |
|
And
|
|
After adding migrations and updating the database schema we ended up with an Changed the |
|
Also had to change the After switching library we also had to add this to Startup.cs for our API as the "sub" claim was missing: Also note the comment on ValidateAudience:
See:https://identityserver4.readthedocs.io/en/latest/topics/apis.html |
|
Hi, i'm just having an issue around API's when updating from v3 > v4 I have migrated my db to v4, my API was setup using AddIdentityServerAuthentication (is this still supported?) (I have no ApiResourceClaims(ApiClaims)/ApiResourceProperties(ApiProperties)/ApiResourceSecrets(ApiSecrets) records) Now, testing with Postman, I can get the JWT token fine but I get a 401 accessing the API. Is there anything new that I need to add or anything I need to change in order for this to work? |
|
Ah, I have found the issue, I need to populate ApiResourceScopes from ApiScopes Does that mean ApiScopes is deprecated? |
ApiScopes is not deprecated, the relationship between the ApiResource was moved to another table. To populate the table I added this line on the Up() method of the migration.
|
|
Thanks, there seems to be duplication in the db. I have my ApiScopes data, my ApiResources data, surely ApiResourceScopes should be a link table between those 2 eg Id, ApiScopeId (instead of Scope), ApiResourceId, rather than duplicating the Scope name in ApiResourceScopes. Or am I misunderstanding it |
|
Yes, you are right, idk why the ApiResourceScopes table doesn't use the ApiScopeId instead of the Name. The same happens on the ClientScopes table IIRC |
|
Hi, After migrating, we have the following issue related with JWKS: Previous version: '"kid": "01D94A4A417A86B10366467C70980FCC9442E6D3"' We will appreciate any guidance how to set it to it's previous value. Thanks |
|
I think What kind of problem causes this? |
|
Seems some of the clients using our service keep this value hardcoded on their side. They are using it to validate the JWTs that we send to them and they fail as the "kid" in the JWT is not the same anymore. I think I found something that might be causing this: We are calling the AddSigningCredential(X509Certificate2) without passing a signingAlgorithm. Its default value is "RS256" and it's appended to the key id as the code shows. Probably will try with the AddSigningCredential(SigningCredentials) that you suggested, to skip this appending. Thanks for the quick response |
well - this is wrong. The kid can change at any point in time. |
|
Maybe I missed this somewhere in the conversation, but... Why was |
|
Nevermind. Saw the comments in the linked issues. Worked for me. |
Any Update |
Any Update |
|
@viveknaragude Due to the missing relation between ApiResourceScopes and ApiScopes, we ended up duplicating the scopes data into both of these tables after upgrading to v4 unfortunately... |
Thank you. |
|
I had issues with claim mappings and audience, but none of the previous comments quite got me there. services.AddAuthentication("token")
.AddJwtBearer("token", o =>
{
o.Authority = BoundConfiguration.AuthConfig.AuthBaseUrl;
o.Audience = "manager";
o.TokenValidationParameters.ValidateAudience = false;
o.TokenValidationParameters.ValidTypes = new[] { "at+jwt" };
o.SecurityTokenValidators.Clear();
o.SecurityTokenValidators.Add(new JwtSecurityTokenHandler { MapInboundClaims = false });
o.TokenValidationParameters.NameClaimType = ClaimConstants.NameIdentifier; // "sub"
o.TokenValidationParameters.RoleClaimType = ClaimConstants.Role; // "role"
}); |
|
i tried the above steps , it worked on the identity server, but test application is using the pipelinefactory , modified the add scopes and resource but still failing on all the controller test here is pipeline factory code public static TestServer CreateServer(Action options, please suggest do i miss anything |
and others
Question
I am struggling a little with the migration from v3 to v4. I understand consulting is a paid for option and that is fair, but will a migration doc be released at some point?
My solution followed the Quickstart docs pretty closely for v3. Now with v4 I have changed ApiResources to ApiScopes (as I was getting an 'invalid_scope' error) but now I get 'Audience validation error' when the MVC app calls the Api. Database migrations were run based on RockSolidKnowledge/IdentityServer4.Migration.Scripts but only needed the new columns in DeviceCodes and PersistedGrants as Api, Clients and Identity resources are run in memory.
The text was updated successfully, but these errors were encountered: