Airlock IAM 8.1 - Actions required when upgrading

Various

Each entry lists the IAM module, the affected feature (relevant if using it), the issue ID, the required action, and the version in which the change applies.

Module: All
Feature: New features
Issue: -
Required action: If using new IAM 8.1 features, the database schema must be upgraded. It is especially important for the following features:

It is recommended to upgrade the database schema when upgrading, even if no new features are used.

See Relational databases for IAM.
Version: 8.1

Module: Loginapp, Adminapp
Feature: Session timeout settings
Issue: AI-17616
Required action: The session timeout settings in the Loginapp and Adminapp have been made more flexible and should be reviewed after the configuration migration:
  • Adminapp >> Session Idle Timeout and Session Lifetime.
  • Loginapp >> Session Idle Timeout and Session Lifetime.
Version: 8.1

Module: Loginapp
Feature: OAuth 2.0 / OIDC with Basic Auth
Issue: AI-16970
Required action: IAM now implements OAuth 2.0 Basic Auth correctly (both as client and as authorization server) by additionally URL-encoding/decoding the client ID and client secret.

If OAuth 2.0 Basic Auth is used with credentials containing special characters (characters that URL-encoding would encode, for example the colon or the percent sign), the client now sends them URL-encoded and the authorization server now expects them URL-encoded.

In very rare cases this may result in credentials being rejected by the authorization server. In that case, the credentials must be set correctly in the client or stored correctly in the authorization server.
Version: 8.1
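
The encoding rule behind this change is the one from RFC 6749, section 2.3.1: client ID and client secret are URL-encoded before being joined with a colon and Base64-encoded into the Basic header. The Python snippet below is an added illustration, not Airlock IAM code; all client IDs and secrets in it are constructed, and it uses plain percent-encoding of all reserved characters as an approximation of the form-urlencoding the RFC specifies. It builds the header both with and without the encoding step and shows why a legacy (unencoded) header for credentials containing ':' or '%' is parsed differently by an encoding-aware authorization server, which is the rejection case described above.

```python
# Added example (not Airlock IAM code): client_secret_basic handling as
# described in RFC 6749 section 2.3.1. All credential values are constructed.
import base64
from urllib.parse import quote, unquote


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side (encoding-aware): percent-encode ID and secret first,
    then join with ':' and Base64-encode the result."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def build_legacy_header(client_id: str, client_secret: str) -> str:
    """Legacy behaviour: raw ID and secret joined with ':'.
    A ':' or '%' inside either value is ambiguous to the receiver."""
    creds = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def parse_basic_header(header: str) -> tuple[str, str]:
    """Authorization-server side (encoding-aware): Base64-decode, split at
    the first ':', then percent-decode each part."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    if ":" not in decoded:
        raise ValueError("malformed Basic credential: missing ':'")
    enc_id, _, enc_secret = decoded.partition(":")
    return unquote(enc_id), unquote(enc_secret)


def legacy_header_still_accepted(client_id: str, client_secret: str) -> bool:
    """True if a legacy (unencoded) header still yields the same credentials
    when parsed by the encoding-aware server, i.e. no special characters."""
    parsed = parse_basic_header(build_legacy_header(client_id, client_secret))
    return parsed == (client_id, client_secret)


if __name__ == "__main__":
    # Plain credentials: both header forms are identical, nothing changes.
    print(legacy_header_still_accepted("app", "s3cret"))          # True
    # Credentials containing ':' and '%': the legacy header is mis-parsed.
    print(legacy_header_still_accepted("my:client", "s3cr%3At"))  # False
    print(parse_basic_header(build_basic_header("my:client", "s3cr%3At")))
```

Only credentials with characters such as ':' or '%' differ between the two header forms, which is why the mismatch shows up only in rare cases.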

Module: Loginapp
Feature: OAuth 2.0 dynamic client registration
Issue: AI-16806
Required action: Persisted OAuth 2.0 clients (registered using Dynamic Client Registration) now honor their registered scopes correctly.

If no explicit scopes were registered, all requested scopes are accepted (as before). This behavior can now be configured in the OAuth 2.0 Persisted Clients settings of the authorization server configuration.
Version: 8.1

Module: Loginapp
Feature: Loginapp UI redirect URI patterns
Issue: AI-9385
Required action: The Target URI Resolver in the Loginapp's Authentication UI Settings now rejects overly permissive patterns that would allow open redirects.

Existing configurations may fail to activate if overly permissive patterns (e.g. .*) are used. Review the configuration before upgrading to this bugfix release!
Version: 8.1.2

Custom code


Module: Loginapp, Adminapp
Feature: Custom Event Handlers
Issue: AI-14083
Required action: Custom event handlers must be adapted to have an AsynchronousExecuter injected. The logic that processes the event must be passed to the injected executor as a Runnable.

Otherwise the event handlers are executed synchronously, which may block IAM requests.
Version: 8.1

Module: Loginapp, Adminapp
Feature: Custom code
Issue: AI-17382
Required action: The method UserSession.sessionId() has been removed and can no longer be used in custom code. As a replacement, inject the SessionId object.
Version: 8.1

Module: Loginapp
Feature: Custom code
Issue: AI-17799
Required action: To store session data in an external Redis session repository, custom implementations of StepSession, StepResultData, SingleFlowScopedFlowAttribute, and MultiFlowScopedFlowAttribute must implement the Mapifiable interface (including the static demapify method).

Note that support for custom code not implementing the Mapifiable interface may be removed in a future minor version.
Version: 8.1