Connect2id server 3.0 for OpenID Connect single sign-on

We are happy to announce a new major release of the Connect2id server for single sign-on and API security based on the emerging OAuth 2.0 / OpenID Connect stack.

The 3.0 release was a straightforward affair, since all the new server features had already been figured out by our customers, for which we are grateful. Our job was then to engineer all these things together into one polished and consistent package. We are proud of the result and believe we have made the Connect2id server an even better platform for enterprises to stage successful OAuth 2.0 and OpenID Connect solutions that will last well into the future.

What are the highlights of the new 3.0 release?

More options for your tokens

  • It is now possible to issue impersonated OpenID tokens. Impersonation can be used to enable privileged users to log in as somebody else. For example, to let administrators log into an app as some regular user.

  • Self-contained (JWT-encoded) access tokens issued by the Connect2id server may optionally be encrypted after signing to ensure confidentiality of the encoded authorisation in transit. Encryption is done with an AES key shared between the Connect2id server and the participating resource servers. The encryption layer supplies confidentiality only; integrity and proof of issuer still come from the inner signature, which a resource server must verify after decrypting.

  • Access tokens now also have an optional data field where custom parameters of all sorts may be included.

  • There is a new option to let refresh tokens expire. Permanent refresh tokens (the default setting) suit most situations, but there are cases where you may want to limit their lifetime: for instance, with native clients using the password grant, to force end-users to re-authenticate after a certain time, mimicking session-like behaviour.

New metrics endpoint to make your DevOps happy

A new monitoring endpoint provides over 100 performance and statistical metrics about the sign-on and authorisation process, the underlying caches and data stores, as well as health checks.

The metrics / health checks can also be exported via JMX.

Scale to millions of users with reduced footprint

The data model was thoroughly revised, reducing the memory consumed by the underlying Infinispan caches and maps. You can expect memory savings of about 20%. Enterprises with very large user bases (1 million plus) should see even greater savings.

Marshalling of objects between the Connect2id server cluster nodes was also optimised, reducing network traffic.

All this allows you to handle even larger loads and user bases, while reducing your hardware and network bills.

Ready to try out the new Connect2id server?

Proceed to the download section to get the new Connect2id server package. Questions? Get in touch with us, we'll be delighted to hear from you.


Connect2id server 3.0 release notes

Configuration

  • /WEB-INF/jwkSet.json

    • Adds support for specifying an optional octet-sequence JSON Web Key (JWK) in the key set for applying additional symmetric encryption of self-contained (JWT-encoded) access tokens. With direct encryption the key length must match the configured JWE method (for example 128 bits for A128GCM, 256 bits for A256GCM or A128CBC_HS256).
  • /WEB-INF/oidcProvider.properties

    • Renames op.idToken.lifetime to op.idToken.defaultLifetime and changes the value to signify seconds instead of minutes. The value can be overridden by individual authorisations via the integration APIs.

    • Changes time unit of op.authz.sessionLifetime to seconds.

    • Adds an op.authz.includeClientInfoInAuthPrompt configuration property to include the registered OpenID Connect client information in the authentication prompt. The client details may then be used as an additional input to determine the appropriate end-user authentication or session settings.

    • Adds an op.authz.includeOtherConsentedScopeAndClaimsInPrompt configuration property to include non-requested scope values and claim names for which previous consent exists in the consent prompt.

    • Renames the op.authz.promptNone.alwaysRequireConsent configuration property to op.authz.alwaysPromptForConsent and changes its semantics to apply to all OpenID authentication requests. If true, the Connect2id server will always prompt for consent, even if the end-user is logged in and previous consent has been recorded; OpenID authentication with prompt=none will then produce a consent_required error. If false, the Connect2id server will immediately return a successful redirection URI response provided the end-user is logged in and previous consent exists (as with prompt=none).

    • Removes the op.authz.promptNone.alwaysRequireLogin configuration property. OpenID authentication requests with prompt=none will always succeed if the end-user is logged in, previous consent exists and op.authz.alwaysPromptForConsent is set to false.

    • Renames the op.authz.promptNone.requireIDTokenHint configuration property to op.authz.requireIDTokenHintWithPromptNone.

  • /WEB-INF/authzStore.properties

    • Renames the authzStore.accessToken.lifetime configuration property to authzStore.accessToken.defaultLifetime. The value can be overridden by individual authorisations via the integration APIs.

    • Removes the authzStore.accessToken.defaultEncoding configuration property. The encoding of all access tokens will default to self-contained (JWT-encoded) unless overridden by individual authorisations via the integration APIs.

    • Adds an authzStore.accessToken.jweAlgorithm configuration property to specify the optional JSON Web Encryption (JWE) algorithm to apply to self-contained (JWT-encoded) access tokens. The only supported algorithm is 'dir' (direct encryption with a shared symmetric key).

    • Adds an authzStore.accessToken.jweMethod configuration property to specify the optional JSON Web Encryption (JWE) method to apply to self-contained (JWT-encoded) access tokens. Supported methods are A128GCM (recommended), A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384 and A256CBC_HS512.

    • All claims specified in the authzStore.accessToken.selfContainedClaims configuration property are treated as optional for inclusion in self-contained (JWT-encoded) access tokens.

    • The authzStore.ldapDirectory.attributes.rts configuration property adds support for defining an LDAP attribute alias.

    • Adds an authzStore.ldapDirectory.attributes.rtl configuration property to specify the name of the LDAP attribute holding the refresh token lifetime, in seconds.

    • Adds an authzStore.ldapDirectory.attributes.rti configuration property to specify the name of the LDAP attribute holding the refresh token issue date.

    • Adds an authzStore.ldapDirectory.attributes.atc configuration property to specify the name of the LDAP attribute holding the access token encrypt setting.

  • Adds a new /WEB-INF/claimsCompression.properties configuration file to specify an optional claim names compression map for self-contained (JWT) access tokens.

  • Adds a new /WEB-INF/monitor.properties configuration file to specify an OAuth 2.0 bearer access token for the new metrics and health-check endpoint.

  • /WEB-INF/clientGrantHandler.properties

    • Adds an op.grantHandler.clientCredentials.simpleHandler.accessToken.encrypt configuration property to enable encryption of self-contained (JWT-encoded) access tokens.
  • /WEB-INF/infinispan.xml

    • Updates the authorisation store externalisers.
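
The sign-then-encrypt scheme for self-contained access tokens, described in the token highlights above and configured through the octet-sequence JWK in jwkSet.json and the authzStore.accessToken.jweAlgorithm / jweMethod properties, looks as follows end to end. This is an added Java example written for this page with the Nimbus JOSE+JWT library the server depends on; it is not Connect2id server code. It assumes a current Nimbus JOSE+JWT API (the Builder classes used here post-date the 3.9.2 version bundled with this release), a placeholder RSA signing key pair generated at runtime in place of the server's real signing key, and constructed issuer, audience and scope values. The authz_sub claim is the impersonation claim named in the Web API notes; the 128-bit key value is the RFC 7516 appendix A.3 test vector and must not be used in a deployment.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class EncryptedAccessTokenDemo {

    // Constructed for this example: a JWK set carrying a 128-bit octet-sequence key
    // of the kind added to /WEB-INF/jwkSet.json. Placeholder key material (RFC 7516
    // A.3 test vector); generate a random key for any real deployment.
    static final String JWK_SET_JSON =
        "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"at-enc-1\",\"k\":\"GawgguFyGrWKav7AX4VKUg\"}]}";

    // Authorisation server side: sign the claims (RS256), then wrap the JWS in a
    // JWE with alg=dir and the configured enc method. The key length must match
    // the enc method (16 bytes for A128GCM) or DirectEncrypter rejects it.
    static String issue(JWTClaimsSet claims, RSAPrivateKey signingKey,
                        SecretKey encKey, EncryptionMethod enc) throws JOSEException {
        SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        signedJWT.sign(new RSASSASigner(signingKey));

        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, enc)
            .contentType("JWT")   // RFC 7519 section 5.2: marks a nested JWT
            .build();
        JWEObject jwe = new JWEObject(header, new Payload(signedJWT));
        jwe.encrypt(new DirectEncrypter(encKey));
        return jwe.serialize();   // five dot-separated parts
    }

    // Resource server side: decrypt first, then verify the inner signature and
    // the expiry before trusting a single claim. A bare three-part JWS is
    // rejected by JWEObject.parse, so an unencrypted token cannot slip through.
    static JWTClaimsSet consume(String token, SecretKey encKey, RSAPublicKey verifyKey)
            throws ParseException, JOSEException {
        JWEObject jwe = JWEObject.parse(token);
        jwe.decrypt(new DirectDecrypter(encKey));
        SignedJWT inner = jwe.getPayload().toSignedJWT();
        if (inner == null) {
            throw new SecurityException("JWE payload is not a signed JWT");
        }
        if (!inner.verify(new RSASSAVerifier(verifyKey))) {
            throw new SecurityException("access token signature invalid");
        }
        JWTClaimsSet claims = inner.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new SecurityException("access token expired or without exp");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        // Shared symmetric key, loaded from the JWK set as a resource server would.
        JWKSet jwkSet = JWKSet.parse(JWK_SET_JSON);
        OctetSequenceKey octKey = (OctetSequenceKey) jwkSet.getKeyByKeyId("at-enc-1");
        SecretKey encKey = new SecretKeySpec(octKey.toByteArray(), "AES");

        // Placeholder signing key pair; the server uses the RSA key from jwkSet.json.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        long now = System.currentTimeMillis();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer("https://c2id.example.com")        // assumed issuer URL
            .subject("alice")                          // impersonated end-user
            .claim("authz_sub", "admin")               // original subject (impersonation)
            .audience("https://api.example.com")       // assumed resource server
            .issueTime(new Date(now))
            .expirationTime(new Date(now + 600_000L))  // 10 minutes
            .claim("scope", "openid profile")          // assumed claim name
            .build();

        String token = issue(claims, (RSAPrivateKey) kp.getPrivate(), encKey, EncryptionMethod.A128GCM);
        System.out.println("Encrypted access token: " + token);

        JWTClaimsSet verified = consume(token, encKey, (RSAPublicKey) kp.getPublic());
        // Audit both identities: who the token acts as, and who actually authorised it.
        System.out.println("sub=" + verified.getSubject()
            + " authz_sub=" + verified.getStringClaim("authz_sub"));
    }
}
```

Two points follow from the choice of 'dir'. First, the octet-sequence key is a pure confidentiality boundary: every resource server holding it can decrypt tokens issued for any other audience, so the signature, not the encryption, is what tells a resource server the token came from the Connect2id server. Second, the key length is tied to the JWE method; switching authzStore.accessToken.jweMethod from A128GCM to A256GCM or A128CBC_HS256 requires a 32-byte key in jwkSet.json, and a mismatch fails at encryption time rather than silently weakening anything.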

Web API

  • Adds a /clients alias to the /client-reg client registration endpoint.

  • Introduces a new version of the Authorisation session endpoint at /authz-sessions/rest/v2.

    Extends the authentication prompt object as follows:

    • The registered details for the requesting client will be included if the op.authz.includeClientInfoInAuthPrompt configuration property is set.

    Extends and modifies the consent object as follows:

    • Adds a new optional id_token parameter to enable the default ID token lifetime to be overridden and to set an impersonated subject (the original subject will be set in a custom authz_sub ID token claim).

    • Moves the optional issue_refresh_token parameter into a new containing refresh_token parameter which also enables an optional lifetime for the refresh token to be set (zero lifetime implies permanent).

    • Adds a new optional access_token encrypt parameter to additionally encrypt self-contained (JWT-encoded) access tokens with a shared symmetric AES key.

    • Adds an optional data parameter for additional information to be stored in the authorisation record and self-contained (JWT-encoded) access tokens.

    The original version of the Authorisation session endpoint is still available at /authz-sessions/rest/v1.

  • The Authorisation session endpoint will bypass consent and immediately return a successful redirection URI response if the end-user is logged in, previous consent exists and the op.authz.alwaysPromptForConsent configuration property is set to false. This behaviour applies to versions 1 and 2 of the Authorisation session endpoint.

  • Introduces a new version of the Direct authorisation endpoint at /direct-authz/rest/v2. Extends and modifies the direct authorisation request as follows:

    • Adds a new optional id_token parameter to enable the default ID token lifetime to be overridden and to set an impersonated subject (the original subject will be set in a custom authz_sub ID token claim).

    • Moves the optional issue_refresh_token parameter into a new containing refresh_token parameter which also enables an optional lifetime for the refresh token to be set (zero lifetime implies permanent).

    • Adds a new optional access_token encrypt parameter to additionally encrypt self-contained (JWT-encoded) access tokens with a shared symmetric AES key.

    • Adds an optional data parameter for additional information to be stored in the authorisation record and self-contained (JWT-encoded) access tokens.

    The original version of the Direct authorisation session endpoint is still available at /direct-authz/rest/v1.

  • Introduces a new version of the Session store endpoint at /session-store/rest/v2. To prevent leakage of session identifiers (SID) into client and server logs for GET and other HTTP requests, these are no longer specified as a path component; a SID request header parameter is used instead. Version 1 of the Session store endpoint is no longer supported.

  • Introduces a new version of the Authorisation store endpoint at /authz-store/rest/v2 to reflect underlying architectural changes. Summary of the changes:

    • Adds a new /authz-store/rest/v2/inspection resource to introspect individual authorisation codes, access tokens and refresh tokens via HTTP POST.

    • The previous access-tokens resource for returning all current access tokens and for introspecting individual access tokens is removed. Use of the new inspection resource is suggested to introspect individual access tokens instead.

    • The authorizations resource no longer supports the access_token or refresh_token query parameters to prevent leakage of these token credentials into client and server logs for GET HTTP requests. Use of the new inspection resource is suggested instead.

    • Adds a new /authz-store/rest/v2/revocation resource to revoke one or more authorisations by access token, refresh token, by subject and / or by client identifier via HTTP POST.

    • Revocation of authorisations by HTTP DELETE on the authorizations resource is no longer supported. Use of the new revocation resource is suggested instead.

    • Revocation of individual access tokens without affecting the underlying authorisation is no longer supported.

    • Revocation of individual refresh tokens without affecting the underlying authorisation is no longer supported.

    Version 1 of the Authorisation store endpoint is no longer supported.

  • Adds a new metrics and health-check endpoint at /monitor/v1 with over 40 data points for usage, request performance and throughput, the Infinispan caches and the LDAP connection pool. The endpoint is protected by means of an OAuth 2.0 Bearer token and based on the Dropwizard Metrics library.

  • Adds 15K character limit on client registration endpoint HTTP POST and PUT methods to guard against DoS attacks.

  • Adds 2K character limit on the token endpoint HTTP POST method to guard against DoS attacks.

Dependencies

  • Adds io.dropwizard.metrics:metrics-core:3.1.1

  • Adds io.dropwizard.metrics:metrics-healthchecks:3.1.1

  • Adds io.dropwizard.metrics:metrics-servlets:3.1.1

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:4.12.1

  • Upgrades to com.nimbusds:c2id-server-sdk:3.0

  • Upgrades to com.nimbusds:oidc-claims-source-ldap:1.4.1

  • Upgrades to com.nimbusds:oauth-password-grant-web-api:1.3

  • Upgrades to com.nimbusds:oauth-client-grant-handler:1.3

  • Upgrades to com.nimbusds:oauth2-authz-store:3.0.3

  • Upgrades to com.nimbusds:oidc-session-store:2.0.3

  • Upgrades to com.nimbusds:nimbus-jose-jwt:3.9.2

  • Upgrades to com.nimbusds:common:1.89.4

  • Upgrades to net.minidev:json-smart:1.3.1

  • Upgrades to com.thetransactioncompany:cors-filter:2.3

  • Upgrades to com.unboundid:unboundid-ldapsdk:2.3.8

  • Upgrades to org.infinispan:infinispan-embedded:7.1.1.Final

  • Upgrades to org.glassfish.jersey.containers:jersey-container-servlet:2.17

Bug fixes

  • Returns a meaningful error response message on missing openid scope value in submitted consent to the Authorisation session endpoint (issue server/83).

  • Always returns a consent prompt on an OpenID Connect authentication request with prompt=consent or prompt=select_account (issue server/100).

Other

  • Upgrades the LDAP schema for persisted authorisations to version 1.4:

    • Adds authzRefreshTokenSecret as an alias of authzRefreshTokenSalt and promotes it to the main attribute name.

    • Adds authzRefreshTokenLifetime attribute.

    • Adds authzRefreshTokenIssueDate attribute.