
Commit 9ff6e47

committed
config value sorting, use a server-port instead of potentially implied discovery, add note about cert header
1 parent 6d5a71c commit 9ff6e47


1 file changed

+35
-12
lines changed


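--- a/docs/docs/v4/welcome/migrate-quick-steps.md
+++ b/docs/docs/v4/welcome/migrate-quick-steps.md
@@ -1267,12 +1267,12 @@ appsettings.json:
 "Client": {
 - "AuthDomain": "http://localhost:8080",
 + "Authority": "http://localhost:8080/uaa",
-"CallbackPath": "/signin-oidc",
-"ClientId": "steeltoesamplesclient",
-"ClientSecret": "client_secret",
 + "MetadataAddress": "http://localhost:8080/.well-known/openid-configuration",
 + "RequireHttpsMetadata": false,
-+ "AdditionalScopes": "sampleapi.read"
++ "AdditionalScopes": "sampleapi.read",
+"CallbackPath": "/signin-oidc",
+"ClientId": "steeltoesamplesclient",
+"ClientSecret": "client_secret"
 }
 }
 }
@@ -1345,9 +1345,9 @@ appsettings.json:
 - "ClientId": "steeltoesamplesclient",
 - "ClientSecret": "client_secret",
 - "MetadataAddress": "http://localhost:8080/.well-known/openid-configuration",
-- "AdditionalScopes": "sampleapi.read",
+- "RequireHttpsMetadata": false,
 - "SaveTokens": true,
-- "RequireHttpsMetadata": false
+- "AdditionalScopes": "sampleapi.read"
 - }
 - }
 - }
@@ -1531,9 +1531,9 @@ var builder = WebApplication.CreateBuilder(args);
 -builder.Configuration.AddCloudFoundryContainerIdentity(orgId, spaceId);
 +builder.Configuration.AddAppInstanceIdentityCertificate(new Guid(orgId), new Guid(spaceId));
 
--builder.Services.AddCloudFoundryCertificateAuth(options => options.CertificateHeader = "X-Client-Cert");
+-builder.Services.AddCloudFoundryCertificateAuth(options => options.CertificateHeader = "X-Forwarded-Client-Cert");
 +builder.Services.AddAuthentication().AddCertificate();
-+builder.Services.AddAuthorizationBuilder().AddOrgAndSpacePolicies();
++builder.Services.AddAuthorizationBuilder().AddOrgAndSpacePolicies("X-Forwarded-Client-Cert");
 
 var app = builder.Build();
 
@@ -1558,6 +1558,24 @@ app.MapGet("/sameSpace", async httpContext =>
 + .RequireAuthorization(CertificateAuthorizationPolicies.SameSpace);
 ```
 
+> [!NOTE]
+> Prior to Steeltoe 3.3.0, Steeltoe Certificate Auth used the header `X-Forwarded-Client-Cert`, which was not configurable.
+> The code shown above is provided for compatibility between the versions. The preferred header name is `X-Client-Cert`.
+> In Steeltoe 4.0, the default header is `X-Client-Cert`, so the parameter can be omitted if cross-compatibility is not required.
+
+launchsettings.json (server-side):
+
+```diff
+{
+"profiles": {
+"http": {
+"commandName": "Project",
+"applicationUrl": "https://+:7107" // bind to all host names and IP addresses
+}
+}
+}
+```
+
 Program.cs (client-side):
 
 ```diff
@@ -1579,13 +1597,13 @@ var builder = WebApplication.CreateBuilder(args);
 builder.Services
 - .AddHttpClient<PingClient>((services, client) =>
 -{
-- client.BaseAddress = new Uri("http://example-service/")
+- client.BaseAddress = new Uri("https://localhost:7107")
 - var options = services.GetRequiredService<IOptions<CertificateOptions>>();
 - var b64 = Convert.ToBase64String(options.Value.Certificate.Export(X509ContentType.Cert));
-- client.DefaultRequestHeaders.Add("X-Client-Cert", b64);
+- client.DefaultRequestHeaders.Add("X-Forwarded-Client-Cert", b64);
 -});
-+ .AddHttpClient<PingClient>(httpClient => httpClient.BaseAddress = new Uri("http://example-service/"))
-+ .AddAppInstanceIdentityCertificate();
++ .AddHttpClient<PingClient>(httpClient => httpClient.BaseAddress = new Uri("https://localhost:7107"))
++ .AddAppInstanceIdentityCertificate("X-Forwarded-Client-Cert");
 
 var app = builder.Build();
 
@@ -1604,6 +1622,11 @@ public class PingClient(HttpClient httpClient)
 }
 ```
 
+> [!NOTE]
+> Prior to Steeltoe 3.3.0, Steeltoe Certificate Auth used the header `X-Forwarded-Client-Cert`, which was not configurable.
+> The code shown above is provided for compatibility between the versions. The preferred header name is `X-Client-Cert`.
+> In Steeltoe 4.0, the default header is `X-Client-Cert`, so the parameter can be omitted if cross-compatibility is not required.
+
 ### DataProtection Key Store using Redis/Valkey
 
 ```diff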
