Upgrading 1.0 to 1.1
The 1.1 version of MITREid Connect contains several changes from the 1.0 version series that will require a manual upgrade process. There is not currently any automated upgrade process, though one is being developed.
The project now contains four modules instead of three. The openid-connect-server module now produces a .jar file, and the new openid-connect-server-webapp module produces the .war file that was previously produced by the openid-connect-server module. All overlays must be updated to point to this new module.
The underlying data model has changed between 1.0 and 1.1, and updates to the database are required.
If you are running the server with a persistent database store, you will need to run the database upgrade script found in openid-connect-server-webapp/src/main/resources/db/upgrade. Upgrade scripts are included for both MySQL and HSQL databases. These are designed to be run in-place on the database in question. The safest process is as follows:
- Shut down the version 1.0 server
- Connect to the MySQL or HSQL database as a user with appropriate rights
- Run the appropriate upgrade script
- Deploy the version 1.1 server
Due to an upstream library change, existing authorizations are incompatible between 1.0 and 1.1. This effectively means that all active access tokens must be revoked (or translated using some form of external process) during the upgrade process. Note that this includes any Registration Access Tokens used for dynamically registered clients.
Otherwise, all authorization grants, clients, whitelists, blacklists, and scopes may remain in place following the instructions above.
As of version 1.0.17, there is an admin-accessible API that can export data from a running system. To access this API, log in as an administrator and send a GET request to /api/data to return the JSON object representing the server's current state. NOTE WELL: this export includes tokens, authentication objects, client secrets, and other sensitive security information.
To re-import this data, log in as an administrator on a newly-installed server and send a POST request to /api/data with a content type of application/json and the fully-formed JSON document exported from the API. This import MUST be done on an empty database with full schema or else you risk newly imported objects conflicting with existing objects.
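Because the export carries tokens and client secrets, the file it is saved to needs the same protection as the database itself. The following is an added example, not code from the MITREid Connect project: it stores an export body with owner-only permissions and checks that the file is unchanged before it is used for the POST. The function names and the sample JSON keys are assumptions made for illustration; the body is assumed to have been fetched already by an authenticated administrator.

```python
import hashlib
import json
import os
import tempfile


def store_export(raw: bytes, path: str) -> dict:
    """Validate an /api/data export body and store it owner-readable only.

    Returns a summary safe to log: digest, size, top-level key names and counts.
    """
    doc = json.loads(raw.decode("utf-8"))  # ValueError on truncated or non-JSON body
    if not isinstance(doc, dict):
        raise ValueError("export must be a single JSON object")
    # O_EXCL refuses to reuse an existing path; 0o600 keeps the tokens and
    # client secrets in the export unreadable to other local users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(raw)
    counts = {k: len(v) if isinstance(v, (list, dict)) else 1 for k, v in doc.items()}
    return {"sha256": hashlib.sha256(raw).hexdigest(), "bytes": len(raw), "keys": counts}


def verify_before_import(path: str, expected_sha256: str) -> bytes:
    """Re-read a stored export and confirm it is unchanged before the POST."""
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{path} is accessible to group/other: {oct(mode)}")
    with open(path, "rb") as fh:
        raw = fh.read()
    if hashlib.sha256(raw).hexdigest() != expected_sha256:
        raise ValueError("export file changed since it was stored")
    return raw


def demo() -> dict:
    # Constructed sample body; the real export schema is not shown on this page.
    sample = b'{"clients": [{"clientId": "c1", "clientSecret": "s3cret"}], "accessTokens": []}'
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.json")
        summary = store_export(sample, path)
        summary["roundtrip_ok"] = verify_before_import(path, summary["sha256"]) == sample
        summary["mode"] = oct(os.stat(path).st_mode & 0o777)
        return summary


if __name__ == "__main__":
    print(demo())
```

The returned summary contains only key names and counts, so it can be written to an upgrade log without exposing the exported secrets.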
A version of the import/export API is currently in the works for the 1.1 branch, which will allow for import of 1.0 data into the 1.1 database.
Software is available under the Apache 2.0 license. Documentation available under the Creative Commons 3.0 By-NC license.