Upgrading 1.0 to 1.1

The 1.1 version of MITREid Connect contains several changes from the 1.0 version series that will require a manual upgrade process.

Project Layout

The project now contains four modules instead of three. The openid-connect-server module now produces a .jar file, and the new openid-connect-server-webapp module produces the .war file that was previously produces by the openid-connect-server module. All overlays must be updated to point to this new module.

Data Model

The underlying data model has changed between 1.0 and 1.1, and updates to the database are required. Two methods are available for managing this update with different tradeoffs.

Existing data

Due to an upstream library change, existing authorizations are incompatible between 1.0 and 1.1 and must be revoked before upgrade. Otherwise, all authorization grants, clients, whitelists, blacklists, and scopes may remain in place following the instructions above.

Database Update Scripts

The database update method can be used to update a persistent database store in place. To do so, run the database upgrade script found in openid-connect-server-webapp/src/main/resources/db/upgrade. Upgrade scripts are included for both MySQL and HSQL databases. These are designed to be run in-place on the database in question.

The recommended process is as follows:

1. Shut down the version 1.0 server
2. Connect to the MySQL or HSQL database as a user with appropriate rights
3. Run the appropriate upgrade script
4. Deploy the version 1.1 server

Data Import/Export

As of version 1.0.17 and 1.1.10, there is an admin-accessible API that can export data from a running system and import data from a saved export. The 1.0 server can import and export data from other 1.0 servers, and the 1.1 server can import and export data from both 1.0 and 1.1 servers. This process is meant to be run on a clean server installation, and it does not involve loss of any database information.

To access this API, log in as an administrator and send a GET request to /api/data to return the JSON object representing the server's current state. NOTE WELL: this export includes information including tokens, authentication objects, client secrets, and other sensitive security information. Therefore, the data export must be protected.

To re-import this data, log in as an administrator on a newly-installed server and send a POST request to /api/data with a content type of application/json and the fully-formed JSON document exported from the API. This import MUST be done on an empty database with full schema or else you risk newly imported objects conflicting with existing objects.

The recommended process is as follows:

1. Log into the 1.0 server as an administrator
2. Export the server state by performing a GET request on /api/data, save as a JSON file
3. Shut down the 1.0 server
4. Connect to the MySQL or HSQL database as a user with appropriate rights
5. Clear the database, remove all tables related to OIDC
6. Initialize the database with the empty schema
7. Deploy the version 1.1 server
8. Log into the 1.1 server as an administrator
9. Import the server state from the saved JSON file by performing a POST request with the data