Blog »

Second preview of the upcoming Connect2id server 6.0

2016-07-20

We are delighed to announce a 2nd preview of the upcoming Connect2id server 6.0 for token based security based on the emerging OpenID Connect / OAuth 2.0 protocol stack. This is probably the most significant update of the Connect2id server in terms of advancing security for the IdP and its relying parties, as well as opening up new avenues for deployment of the server.

Summary of the key features introduced since the first preview about a month ago:

Clients can register their JSON Web Keys (JWK) by URI

Client applications that want to use their own RSA or EC keys for advanced JWT authentication with the server can simply publish them in JSON Web Key (JWK) format at a https URL, and then register this URL with the Connect2id server. Previously client JWKs could only be registered by value.

The server will cache the published keys so that processing of token requests doesn't get slowed down. If the client ever updates the published JWK set and makes use of a new key, the Connect2id server will automatically pick it up. Key-rollover must be as seamless as possible.

Note that for extra security the Connect2id server will impose an HTTP timeout limit of 250 milliseconds when fetching remote JWK sets, and will also limit their size. You can modify these limits if needed.

Extra HMAC protection for session IDs, code and ID-based access tokens

We decided to add an extra layer of cryptographic protection to browser session IDs, authorisation codes and identifier-based access tokens. This is done by appending a SHA256-based authentication code to the ID (HMAC).

The additional HMAC allows the Connect2id server to differentiate between expired and invalid browser session IDs, and raise an alarm if the latter is detected (may be a sign of a online SID guessing attack). The Connect2id server will proceed to lookup the SID in the underlying session store only if the HMAC check has passed.

The HMAC also provides protection in the event of a failure or compromise of the secure random generator on the host machine.

Revocation journal

The Connect2id server is now keeping a journal of all revocation events.

This allows the effect of revocation to be extended to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

We're playing with the idea to make the revocation journal available at the authz store web API, for audit purposes and also to enable syncing of the revocation events with resource servers.

Download

To preview the upcoming Connect2id server 6.0 release download the following ZIP package and follow the instructions in the README.txt file:

https://connect2id.com/assets/products/server/download/6.0-pre-2/Connect2id-server.zip

This will launch a instance of the Connect2id server where data is persisted to a local file store (Infinispan's Soft-Index File Store).

An LDAP directory is still included in the package, but that's only to provide a sample user database.

Important: The Tomcat web server must be launched from the base of the extracted file tree, otherwise the Connect2id server will not be able to find the correct base directory for the file store. We intend to fix this by the time 6.0 gets released.

Questions?

If you have any questions or comments about the new persistence backends, don't hesitate to get in touch with Connect2id support.

Release notes

6.0-pre-2 (2016-07-20)

General

  • Switches to Infinispan's persistent store APIs to enable support of other backends besides LDAP, such as flat file storage, DynamoDB and LevelDB.

  • Adds support for registering OpenID Connect / OAuth 2.0 clients with a JWK set specified by URI (jwks_uri). Intended for handling private_key_jwt client authentication, self-issued JWT and SAML 2.0 bearer grants, signed request objects, encrypted ID tokens and encrypted UserInfo responses. The downloaded client JWK set is cached by the Connect2id server to ensure quick processing of requests that rely on remote JWKs.

  • Updates handling of the optional max_age OpenID authentication request parameter. If max_age is set to zero (max_age=0) the Connect2id server will prompt the end-user for (re)authentication, even if the end-user has an existing valid session with the Connect2id server. This is equivalent to setting the optional prompt OpenID authentication request parameter to login (prompt=login). See issue #993 with the OpenID Connect working group (https://bitbucket.org/openid/connect/issues/993).

  • Adds experimental support for pairwise subject (end-user) identifiers.

  • Adds an extra layer of security to issued session IDs, authorisation codes and identifier-based access tokens by provisioning them with a SHA-256 based Message Authentication Code (MAC) (truncated to 128 bits). The HMAC enables detection of online guessing attacks and may also be used to block certain DoS attacks the utilise the above objects.

  • Switches to new JSON-based marshalling of Connect2id server objects stored in Infinispan.

  • Refines logging of invalid client authentication attempts at the token endpoint (issue server/199).

Configuration

  • /WEB-INF/jwkSet.json

    • All RSA JSON Web Keys (JWKs) intended for signing of objects (ID tokens, self-contained access tokens, etc) must have their use parameter set to "sig" (signature). Required to prevent mix up with future RSA JWKs intended for encrypting objects to the Connect2id server.

    • All AES JSON Web Keys (JWKs) intended for symmetric encryption of self-contained access tokens must have their use parameter set to "enc" (encryption). This is required to prevent mix up with the introduced secret JWKs for HMAC protection and pairwise subject encryption (see below).

    • Adds new secret JSON Web Key (JWK) with ID "hmac" and use "sig" to facilitate HMAC-SHA256 protection of session IDs, authorisation codes and identifier-based access tokens. The HMAC key size must be 256 bits.

    • Adds new symmetric JSON Web Key (JWK) with ID "subject-encrypt" to facilitate AES/CBC/PKCS5Padding encryption of pairwise subject identifiers. The acceptable AES key sizes are 128, 192 and 256 bits.

    • Adds new salt JSON Web Key (JWK) with ID "subject-salt" to facilitate AES/CBC/PKCS5Padding encryption of pairwise subject identifiers. The salt must be at least 128 bits long.

  • /WEB-INF/oidcProvider.properties

    • Adds new op.reg.resourceRetriever.httpConnectTimeout configuration setting for the HTTP connect timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Adds new op.reg.resourceRetriever.httpReadTimeout configuration setting for the HTTP read timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Removes the op.reg.preloadCache, op.reg.ldapServer.*, op.reg.ldapUser.*, op.reg.ldapDirectory.*, op.reg.customTrustStore.* and op.reg.customKeyStore.* settings for configuring an LDAP store for the OpenID Connect and OAuth client registration. Configuration of the client registration store is now assumed by the Infinispan.

  • /WEB-INF/authzStore.properties

    • Removes the authzStore.options.preloadCache, authzStore.ldapServer.*, authzStore.ldapUser.*, authzStore.ldapDirectory.*, authzStore.customTrustStore.* and authzStore.customKeyStore.* settings for configuring an LDAP store for the long-lived (persisted) OpenID Connect and OAuth authorisations. Configuration of the long-lived authorisations store is now assumed by Infinispan.

    • Adds new authzStore.options.discardedAttributes settings to list the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and backend storage.

    • Adds the "iat" (issued-at) claim to the list of recommended JWT claims to include in self-contained access tokens. Required to facilitate correct inspection of revoked self-contained access tokens.

  • /WEB-INF/infinispan.xml

    • Updates all advanced Infinispan externalisers.

    • Adds new "clients.remoteJWKSetCache" cache.

    • Replaces the "op.regCache" cache with "clients.registrationsMap".

    • Replaces the "op.regTokenCache" cache with "op.clientRegTokenMap".

    • Replaces the "authzStore.authzCache" cache with "authzStore.longLivedAuthzMap".

Web API

  • /.well-known/openid-configuration

    • Advertises support for pairwise subject identifiers (subject_types_supported).

  • /clients/

    • Supports registration of OAuth 2.0 and OpenID Connect clients with a JWK set specified by URL (jwks_uri).

    • Supports registration of OpenID Connect clients for pairwise subject identifiers. OpenID Connect clients can be registered for pairwise subject identifiers by setting the "subject_type" parameter to "pairwise"; if more than one redirection URI is specified in the "redirect_uris" parameter, a "sector_identifier_uri" parameter must also be provided.

  • /session-store/rest/v2/sessions

    • Support for the optional "SID" header parameter on POST new session is removed, due to the introduction of HMAC secured session IDs. The key portion of the session ID can be set with the new "SID-Key" header parameter; the Connect2id server will then return the final SID (session key with appended HMAC).

  • /authz-store/rest/v2/revocation

    • Extends the effect of revocation to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

  • /authz-store/rest/v2/inspection

    • Access tokens that fall under the scope of a previous revocation event will be resolved as invalid. Previously, access tokens will appear as valid until they expire, unless the access token is identifier-based and had been explicitly revoked.

  • /monitor/v1/metrics

    • Replaces the "authzStore.numCachedAuthorizations" metric with "authzStore.numLongLivedAuthorizations".

    • Adds new "clientStore.numCachedRemoteJWKSets" metric for the number of cached client JWK sets.

Bug fixes

  • Adds check to prevent client registration of redirect_uris with a fragment component (issue sdk/188).

  • Fixes NPE in the LDAP connector when the asynchronous LDAP result listener receives a notification before the associated timer context is cached (issuer authz-store/117).

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (iss #219).

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.3.4

  • Upgrades to com.nimbusds:oidc-session-store:4.4

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.13

  • Upgrades to com.nimbusds.nimbus-jose-jwt:4.22

  • Upgrades to com.nimbusds:common:1.107

  • Upgrades to Infinispan 8.2.3.Final

  • Upgrades to JAX-RS Jersey 2.23.1

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to diagnose class loader issuer at runtime (issue server/219).