Connect2id server 1.4

2014-07-24

Changes in Connect2id server 1.4

Today we released a new version of the Connect2id server for Single Sign-On (SSO) with OpenID Connect and access management using the popular OAuth 2.0 framework.

The changes in version 1.4:

Improved direct authorisation API

The direct authorisation API for federating external IdP's was improved in several places:

1. It is now possible to make simple requests for an access / refresh token only, skipping the ID token.

2. We added three extra HTTP status codes to ease client-side development:

   • 460 Invalid Client ID
   • 461 Invalid / Expired Subject Session ID
   • 462 Missing / Expired Client Secret

Other API changes

The optional request parameter for specifying the preferred access token encoding (secure identifier vs self-contained) was renamed from access_token.type to access_token.encoding. That was done to prevent confusion with the standard OAuth token term type (e.g. Bearer, MAC, etc).

This affects the following JSON objects from the Connect2id web API:

• Authorisation session consent -- the JSON object representing the end-user's consent.
• Direct authorisation request -- the JSON object representing a direct authorisation request.
• Authorisation store -- the JSON object representing a stored authorisation (the ate member).

Configuration changes

The above naming change also affected two of the configuration settings:

1. The authorisation store setting authzStore.accessToken.defaultType was renamed to authzStore.accessToken.defaultEncoding.

2. Also, in a similar manner. authzStore.ldapDirectory.attributes.att, was renamed to authzStore.ldapDirectory.attributes.ate.

LDAP schema changes

The underlying LDAP schema for the authorisation objects was also updated to reflect the above change of naming: the authzAccessTokenType attribute is now called authzAccessTokenEncoding.

The LDAP schema for the client registrations was changed to match the latest OAuth 2.0 draft for dynamic client registration: the oidcAppType attribute was moved up to the parent OAuth object class and is now called oauthAppType.

Bug fixes

Client information responses will now return zero instead of omitting the client_secret_expires_at member when the client secret is marked as non-expiring.

Why choose the Connect2id server?

• Simplifies identity and access management with OpenID Connect and OAuth 2.0.

• Ready to fit the most demanding enterprise needs. The Connect2id server comes with powerful web APIs for plugging in arbitrary authentication and authorisation mechanisms as well as claims sources.

• Engineered for 100% uptime, distributed operation within and across data-centres, and efficient DevOps.

• Based on leading and industry-proven open source components.

• We actively participate in the OpenID Connect, OAuth and JOSE work groups and are ready to provide you with in-depth expertise on subject matter.

Ready to try out the new Connect2id server release? Proceed to the download section or schedule a call with us.