Identity Server v1 to v2 Migration

I have been using Identity Server since it was in beta and now that they have released 2.0.0 it is time to upgrade. This is not a complete list of things you will need when migrating but here is what I ran into when upgrading. I specifically went from 1.5.0 to 2.0.0.

Configuration

A few things changed in the configuration of Identity Server. Parts of the Client model changed, mostly class names and property names, and these are simple renames most of the time. There was also a change to the CORS policy, which is now configured in a different way.

Client Secret

The client secret name has changed in this release and looks like it can be fixed with a simple rename. ClientSecret -> Secret was a part of the epic rename which renamed many classes. In your clients configuration you might have some code like this:

ClientSecrets = new List<ClientSecret>{ new ClientSecret("IAin'tTellingUmySecretz!".Sha256())},  

You can update it to this and you will be just fine.

ClientSecrets = new List<Secret>{ new Secret("IAin'tTellingUmySecretz!".Sha256())},  

Scope Restrictions

Scope restrictions got a rename and also a change in semantics. Check out the GitHub issue for more information.

//ScopeRestrictions -> AllowedScopes
AllowedScopes = new List<string>  
{
    Constants.StandardScopes.OpenId,
    Constants.StandardScopes.Profile,    
    Constants.StandardScopes.Email
}

CORS Policy

The CorsPolicy used to be a configuration option on the main Identity Server options when setting up the server. It has been moved to an ICorsPolicyService and can be configured with the rest of the services and stores. The old code would look like this:

var options = new IdentityServerOptions  
{
    CorsPolicy = GetCorsPolicy(), // this is deleted now
    Factory = Factory.Configure(), // this is where CORS can be configured now
};

CorsPolicy GetCorsPolicy()  
{
  var corsPolicy = new CorsPolicy();
  corsPolicy.AllowedOrigins.Add("https://allowed.domain.com");
  return corsPolicy;
}

Inside your factory code you will need to add another registration for the CORS service.

var factory = new IdentityServerServiceFactory  
{
    // registered alongside the other services and stores
    CorsPolicyService = new Registration<ICorsPolicyService>(_ => GetPolicyService())
};

ICorsPolicyService GetPolicyService()  
{
  var service = new DefaultCorsPolicyService();
  service.AllowedOrigins.Add("https://allowed.domain.com");
  return service;
}

Services

Two of the custom services I use, IViewService and IUserService, had interface signature changes. They had to be modified a little bit, with most of the time spent in the custom user service.

IViewService

IViewService has a few methods that changed signature. Some just added a SignOutMessage. The other added a ValidatedAuthorizeRequest parameter on the Consent message. I simply changed the signatures for the methods that needed updating and was good to go.

//old
public Task<Stream> Logout(LogoutViewModel model)  
//new
public Task<Stream> Logout(LogoutViewModel model, SignOutMessage message)  

IUserService

IUserService had the most changes. They are mostly signature changes but it has a "got ya" in there that got me a few times. The signatures may have changed but they contain what you need. For example, if you used subject it is now context.Subject and things like provider are now context.ExternalIdentity.Provider.

//old
public Task<bool> IsActiveAsync(ClaimsPrincipal subject)  
{
    // before using subject
    var name = subject.Identity.Name;
    // the active result is returned in the task
    return Task.FromResult(true);
}

//new
public Task IsActiveAsync(IsActiveContext context)  
{
    // now using the context subject
    var name = context.Subject.Identity.Name;
    // don't return the active now. put it in the context
    context.IsActive = true;
    return Task.FromResult(0);
}

Do you see the "got ya"? You don't return the value. This was less obvious to me when doing the other cases for AuthenticationResult. Now, you set it on the context that was passed in. Then you just return an empty task. I personally feel like this is a little weird but oh well.
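The same set-it-on-the-context pattern applied to the local login method as well as IsActiveAsync, as an added example that is not from the original post or the Identity Server project. Account and IAccountStore are hypothetical stand-ins for your own user store, and the IdentityServer3.Core namespaces and UserServiceBase base class are assumed from the 2.0.0 package.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

// Hypothetical stand-ins for your own user store (not Identity Server types).
public class Account
{
    public string Subject { get; set; }
    public string UserName { get; set; }
    public bool Enabled { get; set; }
}

public interface IAccountStore
{
    Account FindByUserName(string userName);
    Account FindBySubject(string subject);
    bool VerifyPassword(Account account, string password);
}

public class MigratedUserService : UserServiceBase
{
    private readonly IAccountStore _accounts;

    public MigratedUserService(IAccountStore accounts) { _accounts = accounts; }

    // v2 reports the login outcome on the context instead of returning it.
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var account = _accounts.FindByUserName(context.UserName);
        var ok = account != null && account.Enabled
                 && _accounts.VerifyPassword(account, context.Password);

        // Assign a result on every path so a ported early "return" cannot drop it.
        context.AuthenticateResult = ok
            ? new AuthenticateResult(account.Subject, account.UserName)
            : new AuthenticateResult("Invalid username or password");
        return Task.FromResult(0);
    }

    public override Task IsActiveAsync(IsActiveContext context)
    {
        // "sub" is the subject claim type; deny when it is missing or unknown.
        Claim sub = context.Subject.FindFirst("sub");
        var account = sub == null ? null : _accounts.FindBySubject(sub.Value);
        context.IsActive = account != null && account.Enabled;
        return Task.FromResult(0);
    }
}
```

When porting, search the old service for every `return` of a result or bool: each one has to become an assignment on the context, because the compiler will not flag a path that simply returns the empty task.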

Hopefully this gets you through the migration to Identity Server 2.0.0! Also a special thanks to the people that have worked on Identity Server!