Connect2id Server articles

Connect2id server 6.2 makes it easier to implement stateless login / consent front-ends

Posted on 2017-01-12

This new release of the OpenID Connect / OAuth 2.0 server makes it easier to implement nimble stateless UIs on top of it. It also exposes Redis client connection pool metrics (which first appeared in v5.0.5) for those of you who choose to deploy the Connect2id server in a two-tiered manner, with Redis / AWS ElastiCache providing the main in-memory store, and Infinispan the secondary (in invalidation mode).

Stateless front-ends

Stateless front-ends are good, because they are easy to maintain, deploy and scale.

One of the defining features of the Connect2id server is the avoidance of any hard-wired UIs; the server comes instead with a set of elegant web APIs so that all UI, such as login and consent interaction, is decoupled, and can be developed, tested and deployed independently. We have a nice guide explaining the advantages and mechanics of that.

Version 6.2 adds a new optional data parameter to the authorisation session, which can be used to store arbitrary state while the end-user credentials are being checked and consent is obtained. This includes the time during which the end-user is redirected to an external authentication service or another identity provider (IdP).

For example, the login page may offer the option to sign in with another IdP, such as Google or Twitter. Before the user gets redirected to the IdP of their choice, the state can be stored in the data parameter of the current authorisation session. Upon returning from the IdP, the state is resumed, and the login interaction can continue.

The data can be set at the start of the authorisation session, or at any time after that with a PUT call. To read the stored data, do a GET for the authorisation session or a direct GET for the data sub-resource.

Check out the updated authorisation session API reference for details.
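The following is an added example of how a stateless login front-end can use the data parameter to survive a round trip to an external IdP; it is not Connect2id code. The in-memory dictionary stands in for the PUT / GET calls on the session's data resource (the path /authz-sessions/rest/v3/{sid}/data is an assumption), and the front-end is assumed to recover the session ID from its own cookie on the callback. The point is that the one-time state lives in the authorisation session rather than in the front-end, and is checked and consumed on return, so a forged or replayed callback cannot complete the login.

```python
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed in-memory stand-in for the Connect2id authorisation session "data"
# sub-resource, keyed by session ID (sid). In a deployment the two helpers below
# would be PUT / GET requests to the session's data resource (assumed path
# /authz-sessions/rest/v3/{sid}/data); nothing else in the front-end holds state.
_SESSION_DATA = {}

def put_session_data(sid, data):
    """Store a JSON object as the session's data, replacing any previous value."""
    if not isinstance(data, dict):
        raise TypeError("session data must be a JSON object")
    _SESSION_DATA[sid] = json.loads(json.dumps(data))  # enforce JSON-serialisable
    return _SESSION_DATA[sid]

def get_session_data(sid):
    """Read back the session's data, or None if none was stored."""
    return _SESSION_DATA.get(sid)

def prepare_external_idp_redirect(sid, idp_name, idp_authz_endpoint, client_id, redirect_uri):
    """Persist a fresh one-time state and nonce in the authorisation session and
    build the redirect URL to the external IdP (hypothetical endpoint / client)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    put_session_data(sid, {"idp": idp_name, "state": state, "nonce": nonce})
    params = {"response_type": "code", "client_id": client_id, "scope": "openid",
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return idp_authz_endpoint + "?" + urlencode(params)

def resume_from_external_idp(sid, returned_state):
    """On the IdP callback (sid assumed to come from the front-end's own cookie):
    accept only if the returned state matches the stored one, compared in constant
    time, then drop the state so the callback cannot be replayed. Returns the
    stored nonce (needed to check the IdP's ID token) or None on rejection."""
    data = get_session_data(sid)
    if not data or "state" not in data or not isinstance(returned_state, str):
        return None
    if not hmac.compare_digest(data["state"], returned_state):
        return None
    put_session_data(sid, {"idp": data["idp"], "nonce": data["nonce"]})
    return data["nonce"]
```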

Redis connection pool metrics

If you have a Connect2id server cluster deployed with Redis / AWS ElastiCache as primary in-memory store and want to fine tune your Redis connection pools, these new metrics will provide you with the necessary data.

The new Redis connection pool gauges are made available at the existing /monitor/v1 endpoint, which already collects more than 100 metrics for all sorts of things.

Example Redis client connection pool metrics:

{
    "sessionStore.sessionMap.redisStore.numActiveConnections": {
      "value": 1
    },
    "sessionStore.sessionMap.redisStore.numIdleConnections": {
      "value": 6
    },
    "sessionStore.sessionMap.redisStore.numWaitingForConnection": {
      "value": 0
    },
    "sessionStore.sessionMap.redisStore.maxWaitingTimeForConnectionMs": {
      "value": 15
    },
    "sessionStore.sessionMap.redisStore.meanWaitingTimeForConnectionMs": {
      "value": 0
    }
}

Download

To download a ZIP package of Connect2id server 6.2:

https://connect2id.com/assets/products/server/download/6.2/Connect2id-server.zip

(SHA-1: a84329a865d8fa5ed49f2c937bb2e9300706b51a)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.2/c2id.war

(SHA-1: 6ba80693c0fa0e46c0849d41358d9af892d58274)

Questions?

Get in touch with Connect2id support; we’ll be delighted to help out.


Release notes

6.2 (2017-01-12)

Configuration

  • No changes

Web API

  • /authz-sessions/rest/v3/

    • Enables storage of additional data in the authorisation session, to enable use cases such as a stateless login front-end that needs to perform a redirection to an external service or IdP as part of the authentication or consent process.
      • Adds new optional "data" parameter of type JSON object to the authorisation session.
      • The optional "data" can be set with the initial POST request for a new authorisation session, or with a dedicated PUT request to the authorisation session data resource.
      • The optional "data" can be retrieved with a GET for the authorisation session, or directly from the authorisation session data resource.
  • /monitor/v1/metrics
    • Adds Redis store connection pool metrics (of type gauge):
      • "[infinispan-cache-name].redisStore.numActiveConnections" — the number of active Redis client connections in the pool.
      • "[infinispan-cache-name].redisStore.numIdleConnections" — the number of idle Redis client connections in the pool.
      • "[infinispan-cache-name].redisStore.numWaitingForConnection" — the number of threads waiting for a Redis client connection.
      • "[infinispan-cache-name].redisStore.meanWaitingTimeForConnectionMs" — the mean time waiting to borrow a Redis client connection from the pool, in milliseconds.
      • "[infinispan-cache-name].redisStore.maxWaitingTimeForConnectionMs" — the maximum time waiting to borrow a Redis client connection from the pool, in milliseconds.

Bug fixes

  • None

Dependencies

  • Upgrades to Nimbus JOSE+JWT 4.34.

  • Upgrades to Redis Store 8.2.1 (private Connect2id release)

Certified OpenID Connect provider server

Posted on 2017-01-09

Last week the Connect2id server received certification for all standard OpenID Connect provider profiles, which also extends to the optional advanced security features that we implemented in 2016:

  • JWT client authentication — Offers a number of security advantages over the common HTTP basic authentication, such as preventing credential leakage if the HTTP request is sent in plaintext by accident.
  • Client keys — Clients and relying parties can bring their own asymmetric keys (RSA and EC), in order to authenticate with a JWT, or to receive encrypted ID tokens and UserInfo.
  • Encryption — ID token and UserInfo encryption, using a public RSA or EC key registered by the client, or an AES key derived from the client’s secret.
  • Signed authorisation requests — Authenticate and integrity-protect the initial OpenID authentication and OAuth 2.0 authorisation requests. Works nicely with public / native clients, regardless of the nature of their registration, to ensure the important parameters get "locked down", and cannot be modified by the end-user or app.
  • Pairwise identifiers — Method (to be used in conjunction with others) that makes it harder for relying parties to correlate the identity of logged in users.

Other organisations that received OpenID provider certification during the same period are Yahoo! Japan and Verizon.

Many thanks to Roland Hedberg, who manages the certification suite at OpenID, for assisting us with the tests, even though it was holiday time, and he probably had better things to do.

We would also like to thank Mike Jones, secretary of the OpenID foundation, for his recognition of Connect2id’s service to the OpenID Foundation and the OpenID community since 2012.

Connect2id server 5.0.5 adds metrics for Redis backends

Posted on 2017-01-02

Connect2id server 5.x received an update to enable retrieval of key metrics on Redis client connection pool usage. If you have a Connect2id server cluster deployed with Redis / AWS ElastiCache as primary in-memory store and want to fine tune your Redis connection pools, these new metrics will provide you with the necessary data.

The new Redis connection pool gauges are made available at the existing /monitor/v1 endpoint, which already collects more than 100 metrics for all sorts of things.

Example Redis client connection pool metrics:

{
    "sessionStore.sessionMap.redisStore.numActiveConnections": {
      "value": 1
    },
    "sessionStore.sessionMap.redisStore.numIdleConnections": {
      "value": 6
    },
    "sessionStore.sessionMap.redisStore.numWaitingForConnection": {
      "value": 0
    },
    "sessionStore.sessionMap.redisStore.maxWaitingTimeForConnectionMs": {
      "value": 15
    },
    "sessionStore.sessionMap.redisStore.meanWaitingTimeForConnectionMs": {
      "value": 0
    }
}

The latest version 6 of the Connect2id server is also going to receive that update later in January. Stay tuned.
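The gauges listed above (and in the 6.2 article) are most useful when turned into an alert on pool exhaustion: threads queuing for a connection, or a worst-case borrow time that is too long. The following is an added example of that check, not part of the Connect2id server; the metrics JSON is constructed in the same shape as the /monitor/v1 output above, and the cache name authzStore.authzMap and all values are made up.

```python
import json

# Constructed sample of /monitor/v1 metrics output: metric name -> {"value": n}.
# The cache names and values are made up; only sessionStore.sessionMap appears
# on the page. Non-Redis metrics are included to show they are ignored.
SAMPLE_METRICS_JSON = """{
  "sessionStore.sessionMap.redisStore.numActiveConnections": {"value": 8},
  "sessionStore.sessionMap.redisStore.numIdleConnections": {"value": 0},
  "sessionStore.sessionMap.redisStore.numWaitingForConnection": {"value": 3},
  "sessionStore.sessionMap.redisStore.maxWaitingTimeForConnectionMs": {"value": 420},
  "sessionStore.sessionMap.redisStore.meanWaitingTimeForConnectionMs": {"value": 35},
  "authzStore.authzMap.redisStore.numActiveConnections": {"value": 1},
  "authzStore.authzMap.redisStore.numIdleConnections": {"value": 6},
  "authzStore.authzMap.redisStore.numWaitingForConnection": {"value": 0},
  "authzStore.authzMap.redisStore.maxWaitingTimeForConnectionMs": {"value": 15},
  "authzStore.authzMap.redisStore.meanWaitingTimeForConnectionMs": {"value": 0},
  "jvm.threads.count": {"value": 57}
}"""

GAUGE_MARKER = ".redisStore."

def load_metrics(text):
    """Parse the metrics document (a JSON object) as returned by the endpoint."""
    return json.loads(text)

def redis_pools(metrics):
    """Group the redisStore gauges by Infinispan cache name: {cache: {gauge: value}}."""
    pools = {}
    for name, entry in metrics.items():
        if GAUGE_MARKER not in name:
            continue
        cache, gauge = name.split(GAUGE_MARKER, 1)
        pools.setdefault(cache, {})[gauge] = entry["value"]
    return pools

def pool_alerts(metrics, max_wait_ms=100):
    """Flag pools where threads are queuing for a Redis connection (the pool is
    exhausted) or the worst-case borrow time exceeds max_wait_ms.
    Returns {cache: [reasons]} containing only the pools that need attention."""
    alerts = {}
    for cache, g in redis_pools(metrics).items():
        reasons = []
        if g.get("numWaitingForConnection", 0) > 0:
            reasons.append(f"{g['numWaitingForConnection']} thread(s) waiting with "
                           f"{g.get('numIdleConnections', 0)} idle: pool exhausted")
        if g.get("maxWaitingTimeForConnectionMs", 0) > max_wait_ms:
            reasons.append(f"max borrow wait {g['maxWaitingTimeForConnectionMs']} ms "
                           f"exceeds {max_wait_ms} ms")
        if reasons:
            alerts[cache] = reasons
    return alerts
```

With the sample above, `pool_alerts(load_metrics(SAMPLE_METRICS_JSON))` reports only sessionStore.sessionMap, with both reasons.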

Download

To download a ZIP package of Connect2id server 5.0.5:

https://connect2id.com/assets/products/server/download/5.0.5/Connect2id-server.zip

(SHA-1: 29687823f0bd42647407f906dedd780fdd98dd41)

As WAR package only:

https://connect2id.com/assets/products/server/download/5.0.5/c2id.war

(SHA-1: 86167b4096bb85bf44b123e4bb97cc8d6402b147)

Questions?

Get in touch with Connect2id support; we’ll be delighted to help out.


Release notes

5.0.5 (2016-12-31)

Configuration

  • No changes

Web API

  • /monitor/v1/metrics
    • Adds Redis store connection pool metrics (of type gauge):
      • "[infinispan-cache-name].redisStore.numActiveConnections" — the number of active Redis client connections in the pool.
      • "[infinispan-cache-name].redisStore.numIdleConnections" — the number of idle Redis client connections in the pool.
      • "[infinispan-cache-name].redisStore.numWaitingForConnection" — the number of threads waiting for a Redis client connection.
      • "[infinispan-cache-name].redisStore.meanWaitingTimeForConnectionMs" — the mean time waiting to borrow a Redis client connection from the pool, in milliseconds.
      • "[infinispan-cache-name].redisStore.maxWaitingTimeForConnectionMs" — the maximum time waiting to borrow a Redis client connection from the pool, in milliseconds.

Bug fixes

  • None

Dependencies

  • Upgrades to Infinispan 8.2.5
  • Upgrades to Redis Store 8.2.1 (private Connect2id release)

Connect2id server 6.1.2 maintenance release

Posted on 2016-12-15

This is a quick maintenance release of the Connect2id server before we head into the holidays. What’s in it:

UTF8 support in MySQL

When the Connect2id server is provisioned with a MySQL backend, the server will automatically create all its tables when it accesses the database for the first time. In prior releases the tables created this way assumed the default character set encoding of the provisioned database. This is typically set to "Latin1", which is suitable for strings using the Latin alphabet, but not for other languages.

Starting from this version, the Connect2id server will explicitly set the character set of the tables that it creates to UTF-8, to ensure complete i18n support.

If you have an existing Connect2id server with a MySQL database where the character set was originally set to "Latin1", and you don’t expect to be using non-western languages, you can upgrade to 6.1.2 and continue with the same database as it is.

If you wish to switch your existing MySQL database to UTF-8, you will need to dump your data, and then import it into a freshly provisioned database. Some of the VARCHAR key columns will need to have their sizes adjusted, so that the total row size with multi-byte characters doesn’t exceed the MySQL restriction of 65535 bytes. Get in touch with our support to receive assistance.

Helpful error reporting on malformed basic client authentication

Every now and then we receive calls from developers who wonder why their client basic authentication at the token endpoint fails, despite having the correct credentials. That’s because the OAuth 2.0 spec (RFC 6749) mandates an additional layer of URL-encoding of the client_id and client_secret before they get concatenated, to prevent potential issues if they happen to contain the ‘:’ character that is meant to delimit them.

We updated the Connect2id server to return a more detailed error description whenever the basic authentication is malformed, and thus save developers and us time.

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error"             : "invalid_request",
  "error_description" : "Invalid request: Malformed client secret basic authentication (see RFC 6749, section 2.3.1): Missing credentials delimiter \":\""
}
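The encoding step that trips developers up, and the token endpoint check that produces the error above, as an added example that is not Connect2id code: each credential is form-URL-encoded first, then "client_id:client_secret" is Base64-encoded, which is why a secret containing ':' still round-trips. The error messages mimic the page's wording; the exact checks the Connect2id server performs beyond the delimiter one are an assumption.

```python
import base64
from urllib.parse import quote, unquote

class MalformedBasicAuth(ValueError):
    """Raised for a header that does not follow RFC 6749, section 2.3.1."""

_PREFIX = "Malformed client secret basic authentication (see RFC 6749, section 2.3.1): "

def build_client_secret_basic(client_id, client_secret):
    """Client side: form-URL-encode each credential (so a ':' inside a secret
    cannot collide with the delimiter), then Base64-encode "id:secret"."""
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")

def parse_client_secret_basic(header):
    """Token endpoint side: reverse of build_client_secret_basic with the checks a
    server needs. Returns (client_id, client_secret) or raises MalformedBasicAuth."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme != "Basic" or not b64:
        raise MalformedBasicAuth(_PREFIX + "Expected Basic scheme with credentials")
    try:
        decoded = base64.b64decode(b64, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise MalformedBasicAuth(_PREFIX + "Credentials not valid Base64") from None
    if ":" not in decoded:
        raise MalformedBasicAuth(_PREFIX + 'Missing credentials delimiter ":"')
    enc_id, _, enc_secret = decoded.partition(":")
    if not enc_id or not enc_secret:
        raise MalformedBasicAuth(_PREFIX + "Empty client_id or client_secret")
    return unquote(enc_id), unquote(enc_secret)

def token_endpoint_error(header):
    """Return the JSON error object the endpoint would send for a malformed header,
    in the style shown above, or None if the header parses."""
    try:
        parse_client_secret_basic(header)
    except MalformedBasicAuth as e:
        return {"error": "invalid_request", "error_description": "Invalid request: " + str(e)}
    return None
```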

Download

To download a ZIP package of Connect2id server 6.1.2:

https://connect2id.com/assets/products/server/download/6.1.2/Connect2id-server.zip

(SHA-1: 66ac83671ebb448112a38798a9c212d3d38b5451)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.1.2/c2id.war

(SHA-1: 55f0663337eccec58e6611a30d02eb59f4a81ac0)

Questions?

For any questions, post to the comments section below or email our support team.


Release notes for Connect2id server 6.1.2 (2016-12-15)

General

  • For Connect2id servers using MySQL as backend, updates the create table statements to explicitly make UTF-8 the default character set. The VARCHAR(x) sizes of key fields are adjusted where needed to accommodate the MySQL row restriction of 65535 bytes. Changes the type of "clients" fields "client_name", "client_uri", "logo_uri", "policy_uri", "tos_uri" and "data" from VARCHAR(X) to JSON. Changes the type of "id_access_tokens" fields "uip" and "dat" to JSON.

  • Improves error reporting on malformed client secret basic authentication at the token endpoint, includes reference to RFC 6749, section 2.3.1 (issue oidc-sdk/201).

Configuration

  • /WEB-INF/infinispan-mysql.xml

    • Updates the MySQL JDBC URL to set the connection encoding to UTF-8, e.g. "jdbc:mysql://localhost/c2id?useUnicode=yes&characterEncoding=UTF-8"

Web API

  • No changes

Bug fixes

  • None

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.10

  • Upgrades to com.nimbusds:oidc-session-store:4.13

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.19.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.33

  • Upgrades to com.nimbusds:common:2.2

  • Upgrades to com.nimbusds:infinispan-cachestore-ldap:2.2.2

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:2.5.7