Connect2id server 2.1

Today we released an upgrade to the Connect2id server for OpenID Connect single sign-on, identity provision and OAuth 2.0 access management.

What's in the new 2.1 release:

1. JWT-encoded access tokens are the new default

Self-contained access tokens, where the authorisation information is encoded as a signed JWT, are the new default setting. Resource servers can process self-contained tokens much faster. All they need to do is check the token's RSA signature, which takes a fraction of a millisecond, orders of magnitude faster than making an HTTP call to the Connect2id server to retrieve the underlying authorisation data for an identifier-based token.

There's really no excuse to use identifier-based tokens anymore, with such excellent tools to process JWTs, such as the Nimbus JOSE+JWT library.
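How a resource server would check such a self-contained token with the Nimbus JOSE+JWT library, as an added example rather than Connect2id code: the signature check stands in for the HTTP round trip, and the embedded expiry, issuer and audience claims are checked alongside it. The issuer URL, audience, "scp" scope claim name and the locally generated key pair (standing in for the server's published signing key) are all constructed for the example.

```java
import java.util.*;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.*;

public class SelfContainedTokenCheck {

    // Resource server side: verify the RSA signature, then the authorisation the
    // token carries. Returns the granted scope values, or null when the token must
    // be rejected. No call back to the Connect2id server is needed.
    static List<String> validate(String token, RSAKey issuerKey, String issuer, String audience) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm: the token header must not decide how it is verified
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return null;
            if (!jwt.verify(new RSASSAVerifier(issuerKey))) return null; // not minted with our server's key
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || !exp.after(new Date())) return null;       // expired or open-ended
            if (!issuer.equals(claims.getIssuer())) return null;          // issued by another server
            if (!claims.getAudience().contains(audience)) return null;    // meant for another resource server
            return claims.getStringListClaim("scp");  // "scp" is an assumed scope claim name
        } catch (Exception e) {
            return null;  // unparseable token or wrong claim type: reject
        }
    }

    // Constructed stand-in for the server minting a token; not Connect2id code
    static String mint(RSAKey key, String audience) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer("https://c2id.com").subject("alice").audience(audience)
            .expirationTime(new Date(System.currentTimeMillis() + 10 * 60 * 1000L))
            .claim("scp", Arrays.asList("openid", "email"))
            .build();
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(key.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws JOSEException {
        RSAKey serverKey = new RSAKeyGenerator(2048).keyID("c2id-sig-1").generate();
        RSAKey otherKey = new RSAKeyGenerator(2048).keyID("not-ours").generate();
        RSAKey pub = serverKey.toPublicJWK();  // all the resource server needs to hold
        String rs = "https://rs.example.com";
        System.out.println("valid:          " + validate(mint(serverKey, rs), pub, "https://c2id.com", rs));
        System.out.println("foreign key:    " + validate(mint(otherKey, rs), pub, "https://c2id.com", rs));
        System.out.println("wrong audience: " + validate(mint(serverKey, "https://other.example.com"), pub, "https://c2id.com", rs));
    }
}
```

The first call returns the scope list; the token signed with a key the resource server does not trust and the token addressed to a different audience are both rejected without any network call.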

2. Extended web API for monitoring client registrations

The client registration web API was extended to enable listing of the registered OAuth 2.0 / OpenID Connect clients.

Admins and devops engineers can now use the web API to monitor the client registrations, in addition to the existing LDAP client method.

To get the registered clients:

GET /client-reg HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

where the Authorization header must specify the master access token which you have configured for the client registration web API.

The response will be a JSON array of the client records:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

[ { /* client record */ },
  { /* client record */ },
  { /* client record */ },
  ...
]

Support for paging, sorting and querying per grant type will be added in a future release of the Connect2id server. Until then you can use direct LDAP access to the client registry store to run complicated queries.

3. Option to preload client and authorisation caches on startup

The persisted client registrations and long-lived authorisations can now be preloaded from the LDAP directory into the cache at server startup.

This is controlled by the following settings:

Cache preloading is disabled by default. To enable it, set the property to true. Don't worry, this should not affect your server startup, as the preloading is done asynchronously on a separate thread.

Upgrading

Upgrading to the new 2.1 release is easy:

  1. Save / backup your existing Connect2id server configurations in webapps/c2id/WEB-INF.

  2. Undeploy your existing c2id instance, e.g. from the Tomcat management panel.

  3. Deploy the new c2id.war onto your web server, which you can extract from the download package.

  4. Restore your previous configurations and restart the c2id instance.

To enable the new cache preloading feature, just add the two properties to their respective configuration files.

Ready to try out the new Connect2id server?

Proceed to the download section to get the latest package. Should you have any questions, get in touch with us. We'll be delighted to hear from you :-)