2018-07-06 03:06:01 +08:00
# Migrate to OpenIddict RC3
2018-02-01 23:58:04 +08:00
2018-07-06 03:06:01 +08:00
## What's new in OpenIddict RC3?
2018-02-01 23:58:04 +08:00
2018-07-06 03:06:01 +08:00
The announcement listing the changes introduced in this milestone can be found [here ](https://kevinchalet.com/2018/06/20/openiddict-rc3-is-out/ ).
## Update your packages references
For that, simply update your `.csproj` file to point to the newest OpenIddict packages:
### ASP.NET Core 1.x
```xml
< ItemGroup >
< PackageReference Include = "OpenIddict" Version = "1.0.0-rc3-final" / >
< PackageReference Include = "OpenIddict.EntityFrameworkCore" Version = "1.0.0-rc3-final" / >
< / ItemGroup >
```
### ASP.NET Core 2.x
```xml
< ItemGroup >
< PackageReference Include = "OpenIddict" Version = "2.0.0-rc3-final" / >
< PackageReference Include = "OpenIddict.EntityFrameworkCore" Version = "2.0.0-rc3-final" / >
< / ItemGroup >
```
> [!TIP]
> Note: if you have an explicit reference to `AspNet.Security.OAuth.Validation` or `OpenIddict.Mvc`,
> you can safely remove these dependencies: they are now transitively referenced by the `OpenIddict` metapackage.
> [!IMPORTANT]
> Note: if your application references `OpenIddict.Models` or `OpenIddict.Stores`, you MUST remove them as these packages are no longer used in RC3.
## Use the new OpenIddict services registration APIs
To offer a better user experience, the registrations APIs exposed by OpenIddict have been reworked. Updating your code should be quite straightforward:
```csharp
// In OpenIddict RC2, all the options used to be grouped.
services.AddOpenIddict(options =>
{
options.AddEntityFrameworkCoreStores< ApplicationDbContext > ();
options.AddMvcBinders();
options.EnableAuthorizationEndpoint("/connect/authorize")
.EnableLogoutEndpoint("/connect/logout")
.EnableTokenEndpoint("/connect/token")
.EnableUserinfoEndpoint("/api/userinfo");
options.AllowAuthorizationCodeFlow()
.AllowPasswordFlow()
.AllowRefreshTokenFlow();
options.RegisterScopes(OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
options.RequireClientIdentification();
options.EnableRequestCaching();
options.EnableScopeValidation();
options.DisableHttpsRequirement();
});
```
```csharp
// In OpenIddict RC3, the options are now split into 3 categories:
// the core services, the server services and the validation services.
services.AddOpenIddict()
.AddCore(options =>
{
// AddEntityFrameworkCoreStores() is now UseEntityFrameworkCore().
options.UseEntityFrameworkCore()
.UseDbContext< ApplicationDbContext > ();
})
.AddServer(options =>
{
// AddMvcBinders() is now UseMvc().
options.UseMvc();
options.EnableAuthorizationEndpoint("/connect/authorize")
.EnableLogoutEndpoint("/connect/logout")
.EnableTokenEndpoint("/connect/token")
.EnableUserinfoEndpoint("/api/userinfo");
options.AllowAuthorizationCodeFlow()
.AllowPasswordFlow()
.AllowRefreshTokenFlow();
options.RegisterScopes(OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
// This API was removed as client identification is now
// required by default. You can remove or comment this line.
//
// options.RequireClientIdentification();
options.EnableRequestCaching();
// This API was removed as scope validation is now enforced
// by default. You can safely remove or comment this line.
//
// options.EnableScopeValidation();
options.DisableHttpsRequirement();
});
```
## Move to the OpenIddict validation handler (optional)
While not required, moving to the new validation handler is recommended:
```csharp
// Replace...
services.AddAuthentication()
.AddOAuthValidation();
// ... by:
services.AddOpenIddict()
.AddValidation();
```
> [!TIP]
> Note: the OpenIddict validation handler lives in the `OpenIddict.Validation` package, which is referenced by the `OpenIddict` metapackage.
> You don't have to explicitly add a new `PackageReference` in your `.csproj` file to be able to use it.
## If necessary, create new application entries
OpenIddict now rejects unauthenticated token/revocation requests by default.
If, after migrating to RC3, you see errors similar to this one:
> **invalid_request** : The mandatory 'client_id' parameter is missing.
Add an application entry for the client application and send the corresponding `client_id` as part of the token request:
```csharp
var descriptor = new OpenIddictApplicationDescriptor
{
ClientId = "postman",
DisplayName = "Postman",
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.Password,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Scopes.Roles
}
};
await _applicationManager.CreateAsync(descriptor);
```
If you prefer accepting anonymous clients, use `options.AcceptAnonymousClients()` :
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.AcceptAnonymousClients();
});
```
## If necessary, register the scopes used by your clients
Starting with RC3, OpenIddict will reject unrecognized scopes by default.
If, after migrating to RC3, you see errors similar to this one:
> **invalid_scope** : The specified 'scope' parameter is not valid.
Simply add the scopes you want to use to the list of registered scopes:
```csharp
services.AddOpenIddict()
// Register the OpenIddict server handler.
.AddServer(options =>
{
options.RegisterScopes(OpenIdConnectConstants.Scopes.Email,
OpenIdConnectConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles);
});
```
If you prefer disabling scope validation, use `options.DisableScopeValidation()` :
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.DisableScopeValidation();
});
```
## If necessary, adjust the permissions granted to your clients
**Starting with RC3, permissions are no longer optional nor implicit**:
if you don't explicitly grant an application the necessary permissions, it will be blocked by OpenIddict.
To attach permissions to an application, use `OpenIddictApplicationManager` :
```csharp
var descriptor = new OpenIddictApplicationDescriptor
{
ClientId = "mvc",
ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
DisplayName = "MVC client application",
PostLogoutRedirectUris = { new Uri("http://localhost:53507/signout-callback-oidc") },
RedirectUris = { new Uri("http://localhost:53507/signin-oidc") },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Scopes.Roles
}
};
await _applicationManager.CreateAsync(descriptor);
```
If you don't care about permissions (e.g because you don't have third-party clients), you can instead disable them:
```csharp
services.AddOpenIddict()
// Register the OpenIddict server handler.
.AddServer(options =>
{
options.IgnoreEndpointPermissions()
.IgnoreGrantTypePermissions()
.IgnoreScopePermissions();
});
```
---------------------------
2018-02-01 23:58:04 +08:00
# Migrate to OpenIddict RC2
2018-07-06 03:06:01 +08:00
## What's new in OpenIddict RC2?
The full list of changes can be found [here ](https://github.com/openiddict/openiddict-core/milestone/8?closed=1 ). It includes **bug fixes** (including a bug fix in the refresh token handling)
and new features like **application permissions** , that allow limiting the OpenID Connect features (endpoints and flows) an application is able to use.
**Migrating to OpenIddict RC2 (`1.0.0-rc2-final` and `2.0.0-rc2-final` ) requires making changes in your database**: existing properties have been reworked
(e.g [to work around a MySQL limitation ](https://github.com/openiddict/openiddict-core/issues/497 )) and new ones have been added to support the new features.
This procedure is quite easy and only requires a few minutes.
2018-02-01 23:58:04 +08:00
2018-07-06 03:06:01 +08:00
> Note: this guide assumes your application uses the OpenIddict Entity Framework Core 2.x stores. If you use a custom store, changes will have to be made manually.
A list of added/updated/renamed columns is available at the end of this guide.
2018-02-01 23:58:04 +08:00
## Ensure migrations are correctly enabled for your project
2018-07-06 03:06:01 +08:00
**Before migrating to OpenIddict RC2, make sure migrations are already enabled for your application**. If you have a `Migrations`
folder in your application root folder and an `__EFMigrationsHistory` table in your database, you're good to go.
2018-02-01 23:58:04 +08:00
2018-02-14 05:45:45 +08:00
If you don't have these Entity Framework Core artifacts, migrations are likely not enabled. To fix that, add the following entries in your `.csproj` :
2018-02-01 23:58:04 +08:00
```xml
< ItemGroup >
< PackageReference Include = "Microsoft.EntityFrameworkCore.Design"
Version="2.0.0" PrivateAssets="All" />
< / ItemGroup >
< ItemGroup >
< DotNetCliToolReference Include = "Microsoft.EntityFrameworkCore.Tools.DotNet"
Version="2.0.0" />
< / ItemGroup >
```
Then, open a new command line and add an initial migration using `dotnet ef migrations add InitialMigration` (**but don't apply it!**).
## Update your packages references
For that, simply update your `.csproj` file to point to the newest OpenIddict packages:
### ASP.NET Core 1.x
```xml
< ItemGroup >
2018-07-06 03:06:01 +08:00
< PackageReference Include = "OpenIddict" Version = "1.0.0-rc2-final" / >
< PackageReference Include = "OpenIddict.EntityFrameworkCore" Version = "1.0.0-rc2-final" / >
< PackageReference Include = "OpenIddict.Mvc" Version = "1.0.0-rc2-final" / >
2018-02-01 23:58:04 +08:00
< / ItemGroup >
```
### ASP.NET Core 2.x
```xml
< ItemGroup >
2018-07-06 03:06:01 +08:00
< PackageReference Include = "OpenIddict" Version = "2.0.0-rc2-final" / >
< PackageReference Include = "OpenIddict.EntityFrameworkCore" Version = "2.0.0-rc2-final" / >
< PackageReference Include = "OpenIddict.Mvc" Version = "2.0.0-rc2-final" / >
2018-02-01 23:58:04 +08:00
< / ItemGroup >
```
## Add a new migration
1. First, open a new command line and run `dotnet ef migrations add MigrateToOpenIddictRc2` .
2. **If you created an initial migration at step 1, remove it from the `Migrations` folder** .
3. Apply the `MigrateToOpenIddictRc2` migration using `dotnet ef database update MigrateToOpenIddictRc2` .
## Run the migration script to convert columns to the new format
For that, add the following snippet to your `Startup` class:
```csharp
private async Task UpdateOpenIddictTablesAsync(IServiceProvider services)
{
using (var scope = services.GetRequiredService< IServiceScopeFactory > ().CreateScope())
{
// Change ApplicationDbContext to match your context name if you've changed it.
var context = scope.ServiceProvider.GetRequiredService< ApplicationDbContext > ();
await context.Database.EnsureCreatedAsync();
// If you use a different entity type or a custom key,
// change this line (e.g OpenIddictApplication< long > ).
foreach (var application in context.Set< OpenIddictApplication > ())
{
// Convert the space-separated PostLogoutRedirectUris property to JSON.
if (!string.IsNullOrEmpty(application.PostLogoutRedirectUris) & &
application.PostLogoutRedirectUris[0] != '[')
{
var addresses = application.PostLogoutRedirectUris.Split(
new[] { " " }, StringSplitOptions.RemoveEmptyEntries);
application.PostLogoutRedirectUris =
new JArray(addresses).ToString(Formatting.None);
}
// Convert the space-separated RedirectUris property to JSON.
if (!string.IsNullOrEmpty(application.RedirectUris) & &
application.RedirectUris[0] != '[')
{
var addresses = application.RedirectUris.Split(
new[] { " " }, StringSplitOptions.RemoveEmptyEntries);
application.RedirectUris = new JArray(addresses).ToString(Formatting.None);
}
}
// If you use a different entity type or a custom key,
// change this line (e.g OpenIddictAuthorization< long > ).
foreach (var authorization in context.Set< OpenIddictAuthorization > ())
{
// Convert the space-separated Scopes property to JSON.
if (!string.IsNullOrEmpty(authorization.Scopes) & & authorization.Scopes[0] != '[')
{
var scopes = authorization.Scopes.Split(
new[] { " " }, StringSplitOptions.RemoveEmptyEntries);
authorization.Scopes = new JArray(scopes).ToString(Formatting.None);
}
}
await context.SaveChangesAsync();
}
}
```
Then, at the end of the `public void Configure(IApplicationBuilder app)` method, add the following line:
```csharp
public void Configure(IApplicationBuilder app)
{
app.UseDeveloperExceptionPage();
app.UseStaticFiles();
app.UseStatusCodePagesWithReExecute("/error");
app.UseAuthentication();
app.UseMvcWithDefaultRoute();
// Run the migration script synchronously.
UpdateOpenIddictTablesAsync(app.ApplicationServices).GetAwaiter().GetResult();
}
```
Run your application. Once it's correctly started, stop it and remove the migration script.
2018-02-14 05:45:45 +08:00
## If your authorization server uses introspection, make sure resources are set in the authentication ticket
**Setting an explicit list of resources is now required to allow client applications to introspect a token.**
For that, call `ticket.SetResources()` with the list of the client identifiers allowed to validate the token. E.g:
```csharp
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetResources("tracking_api", "marketing_api");
```
2018-02-12 07:54:40 +08:00
## Optionally, update your code to grant applications the minimum required permissions
2018-02-06 22:12:29 +08:00
2018-02-12 07:54:40 +08:00
Starting with RC2, OpenIddict includes an optional feature codenamed "app permissions" that allows
controlling and limiting the OAuth2/OpenID Connect features a client application is able to use.
2018-02-06 22:12:29 +08:00
2018-02-12 07:54:40 +08:00
To learn more about this feature, read the [Application permissions documentation ](~/features/application-permissions.md ).
2018-02-06 22:12:29 +08:00
2018-07-06 03:06:01 +08:00
## List of changes (for applications using custom stores)
2018-02-06 22:12:29 +08:00
2018-07-06 03:06:01 +08:00
### Renamed properties
2018-02-01 23:58:04 +08:00
| Table | Old column name | New column name | Observations |
|--------------------------|-----------------|------------------|----------------------------------------------------------------------------|
| OpenIddictApplications | Timestamp | ConcurrencyToken | The column type was changed to nvarchar to work around a MySQL limitation. |
| OpenIddictAuthorizations | Timestamp | ConcurrencyToken | The column type was changed to nvarchar to work around a MySQL limitation. |
| OpenIddictScopes | Timestamp | ConcurrencyToken | The column type was changed to nvarchar to work around a MySQL limitation. |
| OpenIddictTokens | Timestamp | ConcurrencyToken | The column type was changed to nvarchar to work around a MySQL limitation. |
| OpenIddictTokens | Ciphertext | Payload | |
| OpenIddictTokens | Hash | ReferenceId | |
2018-07-06 03:06:01 +08:00
### Updated properties
2018-02-16 03:59:14 +08:00
| Table | Column name | Observations |
|--------------------------|------------------------|-----------------------------------------------------------------------------|
| OpenIddictApplications | PostLogoutRedirectUris | Values are now formatted as JSON arrays instead of space-separated strings. |
| OpenIddictApplications | RedirectUris | Values are now formatted as JSON arrays instead of space-separated strings. |
| OpenIddictAuthorizations | Scopes | Values are now formatted as JSON arrays instead of space-separated strings. |
2018-07-06 03:06:01 +08:00
### Added properties
2018-02-01 23:58:04 +08:00
| Table | Column name | Type | Nullable |
|--------------------------|-------------|---------------|----------|
2018-02-16 03:59:14 +08:00
| OpenIddictApplications | ConsentType | nvarchar(max) | Yes |
2018-02-01 23:58:04 +08:00
| OpenIddictApplications | Properties | nvarchar(max) | Yes |
| OpenIddictApplications | Permissions | nvarchar(max) | Yes |
| OpenIddictAuthorizations | Properties | nvarchar(max) | Yes |
2018-02-14 01:53:02 +08:00
| OpenIddictScopes | DisplayName | nvarchar(max) | Yes |
2018-02-01 23:58:04 +08:00
| OpenIddictScopes | Properties | nvarchar(max) | Yes |
2018-02-14 01:53:02 +08:00
| OpenIddictScopes | Resources | nvarchar(max) | Yes |
2018-02-01 23:58:04 +08:00
| OpenIddictTokens | Properties | nvarchar(max) | Yes |
