Connect2id server 2.0

We're delighted to announce a second major release of the Connect2id server for OpenID Connect single sign-on and OAuth 2.0 access management. Following our philosophy of providing true utility and value to our customers, the new 2.0 release is almost entirely the product of user feedback.

Support for the OAuth 2.0 password and client credentials grants

The Connect2id server now has support for two additional OAuth 2.0 grant types:

  1. Resource owner password credentials grant -- Intended for highly-trusted applications (e.g. the client app is part of the device OS) or when use of a more secure grant type, such as an authorisation code, is not possible.

  2. Client credentials grant -- Intended for applications or services that act on their own behalf (instead of on behalf of an end-user, the common OAuth 2.0 scenario).

The Connect2id server uses pluggable grant handlers. Enterprises enjoy full flexibility: they can choose a standard out-of-the-box handler, or define their own authorisation logic to fit particular business requirements.

Smart client registration

Client applications need to be registered with the Connect2id server before they can make login and authorisation requests. The client registration API gets the following improvements:

  1. The ability to register clients for the new password and client_credentials grants as well as clients that do not make any use of grants (intended for clients authorised via the direct authorisation endpoint only).

  2. In the spirit of Postel's Law, the server can now accept incomplete grant and response type metadata -- the missing values are inferred using a smart algorithm, ensuring registrations are always in a consistent state.

  3. Fine-grained security: enterprises can pre-authorise registrations for specific grants and other registration parameters deemed sensitive. Registration updates are then locked to the pre-authorised set of parameters.
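The inference and consistency check in point 2, illustrated with an added example that is not Connect2id code: the pairing of response type components with grants follows RFC 7591 section 2.1 and OpenID Connect Dynamic Client Registration, and the treatment of an explicit empty list as "no grants" is an assumption made here for the direct-authorisation-only clients mentioned in point 1.

```python
# Infer missing grant_types / response_types in a client registration and
# reject contradictory pairs. Illustrative implementation, not the server's.
from typing import Dict, List

# A response_type is a space-separated set of components; each component
# pins the grant a client must hold to redeem it (mapping taken from the specs).
COMPONENT_TO_GRANT = {"code": "authorization_code", "token": "implicit", "id_token": "implicit"}
# Grants served at the token endpoint alone; they imply no response_type.
TOKEN_ENDPOINT_ONLY = {"password", "client_credentials", "refresh_token"}
# Response type a grant brings with it when the registration lists none.
GRANT_TO_DEFAULT_RESPONSE_TYPE = {"authorization_code": "code", "implicit": "token"}
KNOWN_GRANTS = TOKEN_ENDPOINT_ONLY | set(GRANT_TO_DEFAULT_RESPONSE_TYPE)


def grants_required_by(response_types: List[str]) -> List[str]:
    """Return, in stable order, every grant the listed response types need."""
    required: List[str] = []
    for rt in response_types:
        for component in rt.split():
            if component not in COMPONENT_TO_GRANT:
                raise ValueError(f"unknown response_type component: {component!r}")
            grant = COMPONENT_TO_GRANT[component]
            if grant not in required:
                required.append(grant)
    return required


def complete_registration(metadata: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Fill in whichever of grant_types / response_types is absent.
    Absent key: not supplied, so RFC 7591 defaults apply. Explicit empty
    list (assumption): the client deliberately uses no grants at all."""
    grants = metadata.get("grant_types")
    rts = metadata.get("response_types")
    if grants is None and rts is None:  # nothing supplied: RFC 7591 defaults
        return {"grant_types": ["authorization_code"], "response_types": ["code"]}
    if rts is None:  # derive front-channel response types from the grants
        rts = [GRANT_TO_DEFAULT_RESPONSE_TYPE[g] for g in grants if g in GRANT_TO_DEFAULT_RESPONSE_TYPE]
    needed = grants_required_by(rts)
    if grants is None:  # derive grants from the response types
        grants = needed
    unknown = [g for g in grants if g not in KNOWN_GRANTS]
    if unknown:
        raise ValueError(f"unknown grant_types: {unknown}")
    # Every grant a response type relies on must be allowed for the client,
    # otherwise the front-channel response could never be redeemed.
    missing = [g for g in needed if g not in grants]
    if missing:
        raise ValueError(f"response_types {rts} require grant_types {missing}")
    return {"grant_types": list(grants), "response_types": list(rts)}
```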

Standard token revocation support

The new Connect2id server release supports standard RFC 7009 (OAuth 2.0 Token Revocation) style revocation of access and refresh tokens. This complements the existing rich Connect2id web API for managing issued authorisations and tokens.

Boosted logging performance

The logging subsystem is upgraded and now offers a 5 to 10 times gain in performance with the help of asynchronous I/O.

Automatic reconfiguration on the fly is also possible now.

Other changes

LDAP schema

The LDAP schema for the client registrations is updated to reflect a recent change in the OAuth 2.0 specification for dynamic client registration. The attribute holding the application type -- oauthAppType -- is renamed and moved to the OIDC subclass; it is now called oidcAppType.

oauthAppType -> oidcAppType

Direct authorisation API

The web API for obtaining access and refresh tokens directly is slightly optimised to reflect the most common use scenarios. The long_lived and issue_refresh_token authorisation request parameters default to false now.

Ready to try out the new Connect2id server?

Proceed to the download section or get in touch with us. We'll be delighted to hear from you :-)