Connect2id server 3.1

The Connect2id server for OpenID Connect single sign-on (SSO) and OAuth 2.0-based access management has received a small update related to Level of Assurance (LoA, or authentication strength) processing, as well as two bug fixes. This new release is available for download now as version 3.1.

Should you have any questions about the new release, don't hesitate to contact Connect2id support.

Connect2id server 3.1 release notes

Configuration

  • /WEB-INF/oidcProvider.properties

    • The advertised Authentication Context Class References (ACRs) specified by op.authz.advertisedACRs (if any) should be ordered from weakest to strongest level. This ordering will affect processing of OpenID Connect authentication requests with a given ACR.

Web API

  • The Authorisation session endpoint at /authz-sessions/rest/v2 will not prompt for re-authentication if the requested Authentication Context Class Reference (ACR, or authentication strength) is exceeded by the ACR for the current subject session. The relative strength of the current and the requested ACR is determined by the order of the supported ACR values advertised in the op.authz.advertisedACRs configuration setting. Previously the Connect2id server would limit ACR re-authentication checks to exact matches only and would leave relative checks to be taken care of by the login page (business logic).
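The ordering rule from the Configuration and Web API notes above, as an added Python sketch that is not Connect2id code. It shows why a list written strongest-first would let a weaker session satisfy a stronger request. The ACR names, the comma/space separated value format and the fail-closed handling of unadvertised ACRs are assumptions.

```python
import re

# Constructed sample value for op.authz.advertisedACRs, weakest first.
# The ACR names and the comma/space separated format are assumptions.
ADVERTISED_ACRS = "urn:example:acr:password, urn:example:acr:otp, urn:example:acr:hwk"


def parse_advertised_acrs(value):
    """Return the advertised ACRs in configured order (weakest to strongest)."""
    acrs = [a for a in re.split(r"[,\s]+", value.strip()) if a]
    if len(acrs) != len(set(acrs)):
        raise ValueError("duplicate ACR makes the strength order ambiguous")
    return acrs


def needs_reauthentication(advertised, session_acr, requested_acr):
    """True if the subject must be prompted to authenticate again.

    Strength is the position in the advertised list. An ACR that is not
    advertised has no defined rank, so this sketch fails closed (assumption).
    """
    rank = {acr: i for i, acr in enumerate(advertised)}
    if session_acr not in rank or requested_acr not in rank:
        return True
    return rank[session_acr] < rank[requested_acr]


def demo():
    acrs = parse_advertised_acrs(ADVERTISED_ACRS)
    pw, otp, hwk = acrs
    return {
        "stronger session, weaker request": needs_reauthentication(acrs, hwk, otp),
        "exact match": needs_reauthentication(acrs, otp, otp),
        "weaker session, stronger request": needs_reauthentication(acrs, pw, otp),
        "unadvertised request": needs_reauthentication(acrs, hwk, "urn:example:acr:x"),
        # Same session and request, but the list was written strongest first:
        # the password session now outranks OTP and the prompt is skipped.
        "misordered config": needs_reauthentication(acrs[::-1], pw, otp),
    }


if __name__ == "__main__":
    for case, prompt in demo().items():
        print(f"{case}: re-authenticate={prompt}")
```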

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:3.0.4

Bug fixes

  • Fixes handling of OpenID Connect authentication requests with prompt=login (issue server/126).

  • Fixes refresh token return on direct authorisation submission when the authorisation matches an existing authorisation record (issue authz-store/98).