Connect2id server 3.3

We would like to announce a new release of our OpenID Connect / OAuth 2.0 server which improves the login page API in a few small but significant ways.

1. Updating the session cookie when the consent step is skipped

The final HTTP 302 redirection response now includes a Subject-Session-ID header whenever a new end-user (subject) session was created but the consent step was skipped, so the new session ID could not be returned to the login page at that step. Whenever this header is present in the 302 response, the login page must update the browser session cookie accordingly. Previously developers had to rely on the op.authz.alwaysPromptForConsent configuration to find out the new session ID in such a case.

Example 302 response with a new session ID:

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=Iebie6wovee9Pai5&state=ahShui6OooHeev8z
Subject-Session-ID: Foapaa8augeeHi0Wvui7er2I
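The login page is the component that has to act on that header. Below is an added example, not code from the Connect2id server or its SDK, of the small translation step a login page performs on the final 302 from the authorisation session API before answering the browser. It assumes the login page is written in Python, that its own session cookie is named sid, and that a SID consists of URL-safe characters; the input is a constructed copy of the response shown above. The point worth noting is that the Subject-Session-ID header itself is never forwarded: the browser gets the SID only as a Secure, HttpOnly cookie, and the relying party's callback URL never sees it.

```python
import re

# Constructed copy of the final 302 response shown above (not a real capture).
EXAMPLE_C2ID_RESPONSE = (302, {
    "Location": "https://client.example.com/cb?code=Iebie6wovee9Pai5&state=ahShui6OooHeev8z",
    "Subject-Session-ID": "Foapaa8augeeHi0Wvui7er2I",
})

# Assumed name of the login page's own session cookie; the server does not dictate it.
SESSION_COOKIE_NAME = "sid"

# Assumed SID alphabet. A SID is an opaque token; before reflecting it into a
# Set-Cookie header make sure it cannot smuggle in cookie attributes (';') or a
# header break (CR/LF).
_SAFE_SID = re.compile(r"^[A-Za-z0-9._~-]+$")


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def build_browser_redirect(c2id_response, cookie_name=SESSION_COOKIE_NAME):
    """Translate the authz session API's final 302 into the response the login
    page sends to the browser. Returns (status, list of (header, value))."""
    status, headers = c2id_response
    if status != 302:
        raise ValueError(f"expected 302 from the authz session API, got {status}")
    location = _header(headers, "Location")
    if not location:
        raise ValueError("302 response without Location header")

    out = [("Location", location)]

    new_sid = _header(headers, "Subject-Session-ID")
    if new_sid is not None:
        if not _SAFE_SID.match(new_sid):
            raise ValueError("Subject-Session-ID contains unexpected characters")
        # Secure: the SID is a bearer credential, never send it over plain HTTP.
        # HttpOnly: keep it away from page scripts.
        # SameSite=Lax: the cookie still travels on the top-level redirects
        # that OpenID Connect authentication relies on.
        out.append(("Set-Cookie",
                    f"{cookie_name}={new_sid}; Path=/; Secure; HttpOnly; SameSite=Lax"))
    # Subject-Session-ID is deliberately not forwarded: the browser only needs
    # the cookie, and the client's callback must never learn the SID.
    return status, out
```

When no Subject-Session-ID header is present the function simply relays the Location header, which is the same code path as before this release; the only new branch is the cookie update.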

2. New simple method to feed claims into the ID token

Connect2id server integrators now have a simple way of including custom claims in the ID token. When the end-user is authenticated, selected claims can also be stored in the session object. These are then automatically fed into every ID token issued during the remainder of the user session, for all clients.

Example new user session, specifying name and email claims to be included in the issued ID tokens:

{
   "sub"    : "alice",
   "claims" : { "name"  : "Alice Adams",
                "email" : "[email protected]" }
}

The resulting ID token claims:

{
   "sub"   : "alice",
   "iss"   : "https://demo.c2id.com",
   "iat"   : 12345678,
   "exp"   : 12346278,
   "name"  : "Alice Adams",
   "email" : "[email protected]"
}

This behaviour is controlled by the op.authz.feedSubjectSessionClaimsIntoIDToken configuration setting (enabled by default).
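Because claims placed in the session object reach every ID token issued for the remainder of the session, regardless of which client asked or which scopes it requested, the login page should decide deliberately what goes in there. The following added example, not code from the Connect2id server or its SDK, shows a login page building the session object from a constructed directory record while restricting the stored claims to an assumed allowlist and refusing registered ID token claims (iss, sub, aud, exp, etc.) that the server produces itself. The allowlist, the reserved-claim guard and the sample record are all assumptions of this example.

```python
# Claims the login page is willing to pin into the session for release to every
# client. Assumed policy of this example, not something the server defines.
SESSION_CLAIMS_ALLOWLIST = {"name", "given_name", "family_name", "email",
                            "email_verified", "locale"}

# Registered JWT / ID token claims the server sets itself. Keeping them out of
# the session "claims" object is an integrator-side guard assumed here.
RESERVED_ID_TOKEN_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time",
                            "nonce", "acr", "amr", "azp", "at_hash", "c_hash"}

# Constructed sample standing in for an LDAP or database lookup at login time.
DIRECTORY_RECORD = {
    "name": "Alice Adams",
    "email": "alice@example.com",
    "phone_number": "+1 555 0100",   # not allowlisted: stays out of every ID token
    "employee_id": "E-10042",        # not allowlisted either
}


def build_session_object(sub, attributes, allowlist=SESSION_CLAIMS_ALLOWLIST):
    """Build the JSON object the login page posts to the Session Store API to
    start a subject session, carrying only allowlisted, non-reserved claims."""
    if not sub:
        raise ValueError("sub is required")
    reserved = set(attributes) & RESERVED_ID_TOKEN_CLAIMS
    if reserved:
        raise ValueError(f"refusing to store reserved ID token claims in the session: {sorted(reserved)}")
    claims = {k: v for k, v in attributes.items() if k in allowlist and v is not None}
    session = {"sub": sub}
    if claims:
        # Optional "claims" field introduced in 3.3; omitted when nothing qualifies.
        session["claims"] = claims
    return session


if __name__ == "__main__":
    import json
    print(json.dumps(build_session_object("alice", DIRECTORY_RECORD), indent=2))
```

The resulting object has exactly the shape of the session example above: "sub" plus a "claims" object holding name and email. Attributes the user would not expect every relying party to receive (here the phone number and employee ID) never enter the session and therefore never enter an ID token, whatever op.authz.feedSubjectSessionClaimsIntoIDToken is set to.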

Download

To download a ZIP package of Connect2id server 3.3:

https://connect2id.com/assets/products/server/download/3.3/Connect2id-server.zip

As WAR only:

https://connect2id.com/assets/products/server/download/3.3/c2id.war

Questions?

Don't hesitate to contact Connect2id support.

Connect2id Server 3.3 release notes

Configuration

  • /WEB-INF/oidcProvider.properties

    • Adds new op.authz.feedSubjectSessionClaimsIntoIDToken configuration to control automatic feeding of claims stored in the subject (end-user) session into the issued ID tokens for the subject. Applies to regular as well as prompt=none OpenID Connect authentication requests.
  • /WEB-INF/infinispan.xml

    • Updates the advanced-externalizer elements for the Subject Session Store objects.
  • /WEB-INF/web.xml

    • Updates the com.nimbusds.sessionstore.rest.WebAPI servlet declaration for the Subject Session Store endpoint (JAX-RS).

Web API

  • Authorisation session API /authz/sessions/rest/v2:

    • The final HTTP 302 redirection response will include a Subject-Session-ID header if a new subject session has been created and its session ID (SID) could not be communicated due to a skipped consent step. The Subject-Session-ID header will contain the ID of the newly created session, which the API caller should use to update the browser session cookie.
  • Session Store API /session-store/rest/v2:

    • Adds a new optional "claims" JSON object field to the session object. The "claims" field may be used to store arbitrary OpenID Connect claims about the subject (end-user) for inclusion into the issued ID tokens.

    • Adds a new /session-store/rest/v2/sessions/claims resource to allow direct update (via HTTP PUT) and removal (HTTP DELETE) of the optional "claims" JSON object field of a subject (end-user) session.

  • Monitoring API /monitor/v1/metrics:

    • Adds new sessionStore.queuedNotifications gauge to monitor the number of queued session start and session logout / expiration notifications to subscribers. This feature is not used by the Connect2id server at present.

Dependencies

  • Upgrades to com.nimbusds:c2id-server-sdk:3.2

  • Upgrades to com.nimbusds:oidc-session-store:3.1

Bug fixes

  • Fixes a typo in the inline documentation for the op.reg.ldapServer.selectionAlgorithm configuration setting. The ROUND-ROBIN configuration value should read ROUND_ROBIN.

  • Fixes a typo in the inline documentation for the authzStore.ldapServer.selectionAlgorithm configuration setting. The ROUND-ROBIN configuration value should read ROUND_ROBIN.