For those who upgrades the agent version

For those who upgrades the agent version, I would really notice about environment variables.

Personally I migrated from v2 to v7 and when I setup the agent for the first time with v2 there were no requirement to set FOREST_ENV_SECRET, FOREST_AUTH_SECRET. It was required to pass those values as envSecret and authSecret.
There is no information about environment variables that should be set if you migrate from version x to version y. I didn’t find anything about this in the Upgrade to v3, v4, v5, v6, v7.
But this is specified there
here
Forest team, what do you expect from your users? That we will spent dozens of hours to migrate the app? This is not nice, really.

Maybe it’s just for me, but it’s really not obvious from this

const { objectMapping, connections } = require('../models');

module.exports = async function forestadmin(app) {
  app.use(await Liana.init({
    configDir: path.join(__dirname, '../forest'),
    envSecret: process.env.FOREST_ENV_SECRET,
    authSecret: process.env.FOREST_AUTH_SECRET,
    objectMapping,
    connections,
  }));

  console.log(chalk.cyan('Your admin panel is available here: https://app.forestadmin.com/projects'));
};

that we need to define secret env variables, especially because we passed them as params to init function.

This leads to this error

Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0 [forest] 🌳🌳🌳  Unable to register the client
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0 {
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0   "configuration": {
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "authorization_endpoint": "https://api.forestadmin.com/oidc/auth",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "device_authorization_endpoint": "https://api.forestadmin.com/oidc/device/auth",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "claims_parameter_supported": false,
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "claims_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "sub",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "email",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "sid",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "auth_time",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "iss"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "code_challenge_methods_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "S256"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "end_session_endpoint": "https://api.forestadmin.com/oidc/session/end",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "grant_types_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "authorization_code",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "urn:ietf:params:oauth:grant-type:device_code"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "id_token_signing_alg_values_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "HS256",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "RS256"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "issuer": "https://api.forestadmin.com",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "jwks_uri": "https://api.forestadmin.com/oidc/jwks",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "registration_endpoint": "https://api.forestadmin.com/oidc/reg",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "response_modes_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "query"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "response_types_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "code",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "none"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "scopes_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "openid",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "email",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "profile"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "subject_types_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "public"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "token_endpoint_auth_methods_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "none"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "token_endpoint_auth_signing_alg_values_supported": [],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "token_endpoint": "https://api.forestadmin.com/oidc/token",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "request_object_signing_alg_values_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "HS256",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "RS256"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "request_parameter_supported": false,
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "request_uri_parameter_supported": true,
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "require_request_uri_registration": true,
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "claim_types_supported": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "normal"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ]
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0   },
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0   "registration": {
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "redirect_uris": [
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0       "https://api-staging.xxxxx.io/forest/authentication/callback"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     ],
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "token_endpoint_auth_method": "none"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0   },
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0   "error": {
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "error": "unauthorized_client",
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0     "error_description": "Web clients must be authenticated"
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0   }
Jun 18 19:12:45 api-staging 32ed4ea9d23a33540a099efbe7d0889e1e15fd6e63afb0ac55abe57fd03d06b0 }

Also what about this step.

Running up multiple server instances

Where the command should be executed? Will it return a unique token, because what’s the purpose of doing that.
So let’s assume that I have 2 servers, then I need to execute this command twice and place the client id of each into env variables of different server instances, right?
Could you explain more?

Hello @koralex,

I’m sorry to hear about the problems encountered due to the migration from v2 to v7. Are you still experiencing problems or have you managed to get your forest admin server working as before?

Regarding the FOREST_CLIENT_ID this is necessary when several server instances are deployed (authentication issue with OIDC protocol)

Kind regards,
Louis

We are facing exactly the same issue.

We are upgrading from v6.

Hello @ipetrovic,

Can you please open a new ticket describing your problem and sharing with us all the information useful to understand it?

Kind regards,
Louis

Hello @koralex,

We just released new versions of forest-express-sequelize and forest-express-mongoose that correctly use the envSecret from the configuration option instead of the environment variable.

Can you test with forest-express-mongoose@7.8.3 or forest-express-sequelize@7.11.3?

It looks like it works with a new version of liana.

1 Like