Upgrade instructions versions 3.x
2.5.x to 3.0.0
Property changes
The credential configuration for token validation and the payload encryption policy have been replaced with a single set of credential properties.
The following properties have been replaced:
Old property name | New property name |
---|---|
SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_USERNAME | SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID |
SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PASSWORD | SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET |
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_CLIENT_ID | SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID |
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_CLIENT_SECRET | SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET |
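Because two old properties now map onto each new one, a deployment that used different credentials for token validation and for the payload encryption policy has to settle on a single client. The following is an added example, not part of the Security Proxy documentation or tooling: it rewrites the property names and flags that case. It assumes the properties are kept as KEY=VALUE lines; the function name and the sample values are constructed for illustration.

```python
# Added example: rename Security Proxy 2.5.x credential properties for 3.0.0.
# Assumption: properties are stored as KEY=VALUE lines (env-file style).
_OLD = "SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_", "SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_"
_NEW = "SECURITY_PROXY_TOKEN_SERVER_API_"
RENAMES = {
    _OLD[0] + "USERNAME": _NEW + "CLIENT_ID",
    _OLD[0] + "PASSWORD": _NEW + "CLIENT_SECRET",
    _OLD[1] + "CLIENT_ID": _NEW + "CLIENT_ID",
    _OLD[1] + "CLIENT_SECRET": _NEW + "CLIENT_SECRET",
}

# Constructed sample input, not real credentials.
SAMPLE = """\
# security proxy settings
SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_USERNAME=proxy-client
SECURITY_PROXY_ENGINE_ENCRYPTION_POLICY_PASSWORD=example-secret-a
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_CLIENT_ID=proxy-client
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_CLIENT_SECRET=example-secret-b
OTHER_PROPERTY=unchanged
"""


def migrate(text):
    """Return (new_lines, conflicts).

    conflicts maps a new property name to the old property names whose
    values disagree. Only names are reported, never the secret values.
    """
    first = {}      # new name -> (old name, value) of the first occurrence
    conflicts = {}  # new name -> old names with differing values
    out = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if line.lstrip().startswith("#") or not sep or key not in RENAMES:
            out.append(line)  # comments, blanks and unrelated properties
            continue
        new = RENAMES[key]
        if new not in first:
            first[new] = (key, value)
            out.append(f"{new}={value}")
        elif first[new][1] != value:
            # Two old credentials collapse into one; an operator must choose.
            conflicts.setdefault(new, [first[new][0]]).append(key)
    return out, conflicts


if __name__ == "__main__":
    lines, clashes = migrate(SAMPLE)
    print("\n".join(lines))
    for new_name, old_names in clashes.items():
        print(f"CONFLICT {new_name}: differing values in {', '.join(old_names)}")
```

A reported conflict means the emitted value came from the first old property in the file; resolve it by hand before deploying.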
Embedded Resource gateway migration
If you are using the embedded resource gateway functionality, you must update your Token Server configuration and request mapper implementation.
Token Server configuration
Since version 3.0.0, the Security Proxy uses the Token introspection API of the Token Server to validate an access token. You must update your Token Server configuration to ensure the Security Proxy can still validate access tokens. The Token Server documentation describes how to configure an API client as resource server. Since you probably already have an API client configured for the payload encryption policy, you only need to add Token introspection as one of the allowed Token Server APIs to the existing API client that was previously only used to fetch the payload encryption policy.
Request mapper implementation
A request mapper implementation is used to map an access token into something that your back-end understands. Since the Security Proxy now uses the Token Introspection API of the Token Server to get all information about an access token, the response containing the access token metadata given to your request mapper implementation has also changed. The token_validation_result implementation now returns the user id in the sub property instead of in reference_id.