Third preview of the upcoming Connect2id server 6.0

We have another preview of the upcoming Connect2id server 6.0, this time to demonstrate issuance of encrypted ID tokens and UserInfo endpoint responses. ID tokens normally come with a digital signature certifying that they have been issued by the IdP (or alternatively, an HMAC using the client_secret as key). Encryption applies an additional layer of security to them by making their content (claims) confidential.

Digital signature support has also been extended, and now covers EC DSA, besides the commonly used RSA signatures.

Signing up for encrypted ID tokens

Client apps can register to receive encrypted ID tokens by specifying the desired encryption algorithm.

The two fundamental encryption variants are supported:

  • Symmetric encryption: The ID token is encrypted with an AES key derived from the client_secret. The client can decrypt the ID token by performing its own AES key derivation from the client_secret.

  • Asymmetric encryption: Also called public key encryption. The ID token is encrypted with an RSA or EC public key supplied by the client at registration time (via the jwks_uri or jwks registration parameters). Decryption is performed with the corresponding private key.

The Connect2id server supports all standard JWE algorithms for symmetric and public key encryption.

Example client registration request stating that ID tokens are to be first signed with RSA PKCS #1 and then encrypted with a 128-bit AES key derived from the client secret, using the AES GCM KW algorithm:

POST /clients HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "redirect_uris"                   : [ "https://client.example.org/callback" ],
  "client_name"                     : "My Cool App",
  "id_token_signed_response_alg"    : "RS256",
  "id_token_encrypted_response_alg" : "A128GCMKW",
  "id_token_encrypted_response_enc" : "A128CBC-HS256"
}

If your client app is written in Java you can use the popular Connect2id libraries for OpenID Connect development and JOSE + JWT to decrypt and validate the ID tokens.

Encrypted UserInfo

Claims (profile information) about the end-user released at the UserInfo endpoint are normally returned as a plain JSON object.

Example plain UserInfo response:

HTTP/1.1 200 OK
Content-Type: application/json

{
 "sub"         : "248289761001",
 "name"        : "Jane Doe",
 "given_name"  : "Jane",
 "family_name" : "Doe",
 "email"       : "[email protected]",
 "picture"     : "http://example.com/janedoe/me.jpg"
}

Clients can however opt in to receive the claims packaged as a JSON Web Token (JWT), signed by the IdP. The JWT can be additionally encrypted. This is also stated at client registration time.

POST /clients HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "redirect_uris"                   : [ "https://client.example.org/callback" ],
  "client_name"                     : "My Cool App",
  "userinfo_signed_response_alg"    : "RS256",
  "userinfo_encrypted_response_alg" : "A128GCMKW",
  "userinfo_encrypted_response_enc" : "A128CBC-HS256"
}

The Connect2id server supports the exact same JWE algorithms for UserInfo JWT encryption (that is, all).

Example encrypted UserInfo:

HTTP/1.1 200 OK
Content-Type: application/jwt

eyJraWQiOiJlMSIsImN0eSI6IkpXVCIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJSU0ExXzUifQ.WR0Y
05FSyPrgFCdLvp_UAjr44wE5_jY0BEekZw5K7mUkDxeBBN_zAjd8Wmt055iA9QsGFN0qFzGsin7P05R
2BSZKuXPPRis-iqmxwvIPF5hSFrWVpA3XL7I5u91DKl1t_nnw1NVbn6MgVw4wf8Ca7yfoanYF-jaj3w
HGSXwASrk.t7OTawT4hj5Q3YW5.3no2XbKPTnStuS-xXGmuQv6n-Y0hZfUPYz-NhP6Zeg1_NURcr0vv
_e0e0eP5q6G2fRgxO_DICYCREwxzQ0mjMs8JMrwT5bkMwMkJP2w0zJsGEFyIhRtAH2r43fL42XaXo6H
3DBU2Gw4Fo9w7ze4WNKMZIRCd42BkSubLNrsMSVbX2RsHGRlovbV5j7ADnCtkhvM2QPiejcW0UCY6Cv
pS5zCBvA3rw9-wtSV4Pfqh-B5DY8k-7bWuE0gbvDupmMvloBa_FhX4M0866_KfV2SE-xD4jXVPyEznN
cVkuJZut1bIZjRE3Xn57dgu-NcyOTXAeIsmtqUbpYx7Ra4TB9Xcw448KUg9AQfZjOG9qSfe-alMDt1x
JPfHOsPTalQRF9CD-NNNVVkj7EP-P9iMly1BwLYeSxkiWlv4L6rH37upW3t8p7d_RFZ8rralvg.tAvZ
Vj1W1OmDl37qSQRryg
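
A client registered for symmetric encryption of ID tokens or UserInfo has to derive the same AES key as the server and should refuse any JWE whose alg / enc header differs from what it registered. The sketch below is an added example, not Connect2id code: it assumes the derivation rule from OpenID Connect Core section 10.2 (left-truncated SHA-2 hash of the client_secret), and the function names and the constructed JWE are hypothetical.

```python
import base64
import hashlib
import json

# AES key size in bits per JWE algorithm; "dir" takes the size from "enc".
ALG_BITS = {"A128KW": 128, "A192KW": 192, "A256KW": 256,
            "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256}
ENC_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
            "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}

# Header segment of the page's sample UserInfo response (RSA1_5 / A128GCM).
PAGE_SAMPLE_HEADER = ("eyJraWQiOiJlMSIsImN0eSI6IkpXVCIsImVuYyI6IkExMjhH"
                      "Q00iLCJhbGciOiJSU0ExXzUifQ")


def derive_key(client_secret: str, alg: str, enc: str) -> bytes:
    """Left-truncated SHA-2 hash of the UTF-8 client_secret (OIDC Core 10.2)."""
    # Public key algorithms have no secret-derived key and raise KeyError here.
    bits = ENC_BITS[enc] if alg == "dir" else ALG_BITS[alg]
    sha = (hashlib.sha256 if bits <= 256 else
           hashlib.sha384 if bits <= 384 else hashlib.sha512)
    return sha(client_secret.encode("utf-8")).digest()[: bits // 8]


def jwe_header(compact: str) -> dict:
    """Decode the protected header of a compact JWE (five dot-separated parts)."""
    parts = "".join(compact.split()).split(".")  # tolerate line wrapping
    if len(parts) != 5:
        raise ValueError("not a compact JWE")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_header(compact: str, reg_alg: str, reg_enc: str) -> dict:
    """Refuse a JWE whose alg/enc differ from what the client registered."""
    header = jwe_header(compact)
    if (header.get("alg"), header.get("enc")) != (reg_alg, reg_enc):
        raise ValueError("JWE alg/enc %r/%r not as registered"
                         % (header.get("alg"), header.get("enc")))
    return header


def constructed_jwe(alg: str, enc: str) -> str:
    """Constructed input: real header, placeholder values for the other parts."""
    raw = json.dumps({"alg": alg, "enc": enc, "cty": "JWT"}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".a.b.c.d"
```

The derived key is then handed to a JOSE library for key unwrapping and decryption; the nested signed JWT still has to be validated afterwards.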

Download

To preview the upcoming Connect2id server 6.0 release download the following ZIP package and follow the instructions in the README.txt file:

https://connect2id.com/assets/products/server/download/6.0-pre-3/Connect2id-server.zip

https://connect2id.com/assets/products/server/download/6.0-pre-3/c2id.war

Questions?

For any questions, write in the comments section below or email our support team.


Release notes 6.0-pre-3 (2016-08-30)

General

  • Switches to Infinispan's persistent store APIs to enable support of other Connect2id server backends besides LDAP, such as flat file storage, DynamoDB and LevelDB.

  • Adds support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for encrypted ID tokens. A client can receive ID tokens encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for encrypted UserInfo. A client can receive UserInfo JWTs encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for registering OpenID Connect / OAuth 2.0 clients with a JWK set specified by URI (jwks_uri). Intended for handling private_key_jwt client authentication, self-issued JWT and SAML 2.0 bearer grants, signed request objects, encrypted ID tokens and encrypted UserInfo responses. The downloaded client JWK set is cached by the Connect2id server to ensure quick processing of requests that rely on remote JWKs.

  • Updates handling of the optional max_age OpenID authentication request parameter. If max_age is set to zero (max_age=0) the Connect2id server will prompt the end-user for (re)authentication, even if the end-user has an existing valid session with the Connect2id server. This is equivalent to setting the optional prompt OpenID authentication request parameter to login (prompt=login). See issue #993 with the OpenID Connect working group (https://bitbucket.org/openid/connect/issues/993).

  • Adds experimental support for pairwise subject (end-user) identifiers, based on deterministic AES encryption in SIV mode (see RFC 5297).

  • Adds an extra layer of security to issued session IDs, authorisation codes and identifier-based access tokens by provisioning them with a SHA-256 based Message Authentication Code (MAC) (truncated to 128 bits). The HMAC enables detection of online guessing attacks and may also be used to block certain DoS attacks that utilise the above objects.

  • Switches to new JSON-based marshalling of Connect2id server objects stored in Infinispan.

  • Refines diagnostic messages on a client registration error due to invalid or inconsistent client metadata.

  • Refines logging of invalid client authentication attempts at the token endpoint (issue server/199).
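
The HMAC-protected identifiers described in the notes above can be checked before any store lookup, which is what makes guessed values cheap to reject and easy to count. The following is an added example, not the Connect2id implementation: the `key.mac` base64url layout, the 16-byte key part and the function names are assumptions; the 256-bit HMAC key and the 128-bit truncation come from the notes.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = 16  # HMAC-SHA256 output truncated to 128 bits, as the notes state


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id(hmac_key: bytes, key_part: bytes = b"") -> str:
    """Return the key part with its truncated HMAC appended ('key.mac', assumed layout)."""
    if len(hmac_key) != 32:
        raise ValueError("HMAC key must be 256 bits")
    key_part = key_part or secrets.token_bytes(16)
    mac = hmac.new(hmac_key, key_part, hashlib.sha256).digest()[:MAC_LEN]
    return b64url(key_part) + "." + b64url(mac)


def verify_id(hmac_key: bytes, identifier: str) -> bool:
    """Check the MAC before touching the store; constant-time comparison."""
    try:
        key_b64, mac_b64 = identifier.split(".")
        key_part, mac = b64url_decode(key_b64), b64url_decode(mac_b64)
    except ValueError:  # wrong shape or undecodable base64
        return False
    expected = hmac.new(hmac_key, key_part, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected)


def rejected(hmac_key: bytes, presented: list) -> list:
    """Identifiers failing the MAC check: the guessing signal to log and rate-limit."""
    return [i for i in presented if not verify_id(hmac_key, i)]
```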

Configuration

  • /WEB-INF/jwkSet.json

    • All JSON Web Keys (JWKs) in the Connect2id server JWK set must have a key identifier ("kid" JWK parameter) and specify the intended key use ("use" JWK parameter).

    • All RSA JWKs intended for signing of objects (ID tokens, UserInfo JWTs and self-contained access tokens) must have their use parameter set to "sig" (signature). Required to prevent mix up with future RSA JWKs intended for encrypting objects to the Connect2id server.

    • Adds support for optional EC JWKs with curves P-256, P-384 and P-521 for signing of ID tokens and UserInfo JWTs. The EC JWKs must have a key identifier ("kid" JWK parameter) and be flagged for signature use ("use":"sig").

    • All AES JWKs intended for symmetric encryption of self-contained access tokens must have their use parameter set to "enc" (encryption). Required to prevent mix up with the introduced secret JWKs for HMAC protection and pairwise subject encryption (see below).

    • Adds new secret JSON Web Key (JWK) with ID "hmac" and use "sig" to facilitate HMAC-SHA256 protection of session IDs, authorisation codes and identifier-based access tokens. The HMAC key size must be 256 bits.

    • Adds new symmetric JSON Web Key (JWK) with ID "subject-encrypt" to facilitate AES SIV-mode (RFC 5297) encryption of pairwise subject identifiers. The accepted AES key sizes are 128, 192 and 256 bits.

  • /WEB-INF/oidcProvider.properties

    • Extends the op.idToken.jwsAlgs configuration setting to include support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.idToken.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued ID tokens. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.idToken.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued ID tokens. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

    • Adds new op.authz.requestJWSAlgs configuration setting for the accepted JWS algorithms for signed OpenID authentication requests passed with the optional request_uri or request parameter. The following JWS algorithms are supported: HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512 and none.

    • Adds new op.reg.resourceRetriever.httpConnectTimeout configuration setting for the HTTP connect timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Adds new op.reg.resourceRetriever.httpReadTimeout configuration setting for the HTTP read timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Removes the op.reg.preloadCache, op.reg.ldapServer.*, op.reg.ldapUser.*, op.reg.ldapDirectory.*, op.reg.customTrustStore.* and op.reg.customKeyStore.* settings for configuring an LDAP store for the OpenID Connect and OAuth client registration. Configuration of the client registration store is now assumed by Infinispan.

    • Extends the op.userinfo.jwsAlgs configuration setting to include support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.userinfo.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued UserInfo JWTs. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.userinfo.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued UserInfo JWTs. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

  • /WEB-INF/authzStore.properties

    • Removes the authzStore.options.preloadCache, authzStore.ldapServer.*, authzStore.ldapUser.*, authzStore.ldapDirectory.*, authzStore.customTrustStore.* and authzStore.customKeyStore.* settings for configuring an LDAP store for the long-lived (persisted) OpenID Connect and OAuth authorisations. Configuration of the long-lived authorisations store is now assumed by Infinispan.

    • Adds new authzStore.options.discardedAttributes setting to list the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and backend storage.

    • Adds the "iat" (issued-at) claim to the list of recommended JWT claims to include in self-contained access tokens. Required to facilitate correct inspection of revoked self-contained access tokens.

  • /WEB-INF/infinispan.xml

    • Updates all advanced externalisers for Connect2id server data stored in Infinispan. The externalisers are now declared programmatically, instead of using the Infinispan XML configuration.

    • Adds new "clients.remoteJWKSetCache" cache.

    • Replaces the "op.regCache" cache with "clients.registrationsMap".

    • Replaces the "op.regTokenCache" cache with "op.clientRegTokenMap".

    • Replaces the "authzStore.authzCache" cache with "authzStore.longLivedAuthzMap".
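
The /WEB-INF/jwkSet.json requirements listed above can be checked before deploying an upgraded key set. This linter is an added example, not a Connect2id tool: it encodes only the rules stated in these notes, treats every RSA key as a signing key (as in this release), and the function names and sample keys are constructed for illustration.

```python
import base64
import json

EC_CURVES = {"P-256", "P-384", "P-521"}

SAMPLE = json.dumps({"keys": [  # constructed keys with placeholder values
    {"kty": "RSA", "kid": "rsa1", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "ec1", "use": "sig", "crv": "secp256k1"},
    {"kty": "oct", "kid": "hmac", "use": "sig", "k": "A" * 22},
    {"kty": "oct", "kid": "subject-encrypt", "use": "enc", "k": "A" * 22},
    {"kty": "oct", "use": "sig", "k": "A" * 43},
]})


def oct_bits(jwk: dict) -> int:
    """Size in bits of a symmetric (kty=oct) key's "k" value."""
    k = jwk.get("k", "")
    return len(base64.urlsafe_b64decode(k + "=" * (-len(k) % 4))) * 8


def lint_jwk_set(doc: str) -> list:
    """Return findings for a JWK set; an empty list means it passes."""
    findings = []
    for i, jwk in enumerate(json.loads(doc).get("keys", [])):
        kid, use, kty = jwk.get("kid"), jwk.get("use"), jwk.get("kty")
        name = kid or "key #%d" % i
        if not kid:
            findings.append(name + ": missing kid")
        if not use:
            findings.append(name + ": missing use")
        elif kty == "RSA" and use != "sig":
            findings.append(name + ": RSA signing key must have use=sig")
        elif kty == "EC" and (use != "sig" or jwk.get("crv") not in EC_CURVES):
            findings.append(name + ": EC key needs use=sig and P-256/P-384/P-521")
        elif kty == "oct" and kid == "hmac":
            if use != "sig" or oct_bits(jwk) != 256:
                findings.append(name + ": must be a 256-bit key with use=sig")
        elif kty == "oct" and kid == "subject-encrypt":
            if oct_bits(jwk) not in (128, 192, 256):
                findings.append(name + ": AES key must be 128, 192 or 256 bits")
        elif kty == "oct" and use != "enc":
            findings.append(name + ": AES access token key must have use=enc")
    return findings
```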

Web API

  • /.well-known/openid-configuration

    • Advertises support for pairwise subject identifiers (subject_types_supported).

  • /clients/

    • Supports registration of OAuth 2.0 and OpenID Connect clients with a JWK set specified by URL (jwks_uri).

    • Supports registration of OpenID Connect clients for pairwise subject identifiers. OpenID Connect clients can be registered for pairwise subject identifiers by setting the "subject_type" parameter to "pairwise"; if more than one redirection URI is specified in the "redirect_uris" parameter, a "sector_identifier_uri" parameter must also be provided.

  • /session-store/rest/v2/sessions

    • Support for the optional "SID" header parameter on POST new session is removed, due to the introduction of HMAC secured session IDs. The key portion of the session ID can be set with the new "SID-Key" header parameter; the Connect2id server will then return the final SID (session key with appended HMAC).

  • /authz-store/rest/v2/revocation

    • Extends the effect of revocation to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

  • /authz-store/rest/v2/inspection

    • Access tokens that fall under the scope of a previous revocation event will be resolved as invalid. Previously, access tokens would appear as valid until they expired, unless the access token was identifier-based and had been explicitly revoked.

  • /monitor/v1/metrics

    • Replaces the "authzStore.numCachedAuthorizations" metric with "authzStore.numLongLivedAuthorizations".

    • Adds new "clientStore.numCachedRemoteJWKSets" metric for the number of cached client JWK sets.

Bug fixes

  • Adds check to prevent client registration of redirect_uris with a fragment component (issue sdk/188).

  • Fixes NPE in the LDAP connector when the asynchronous LDAP result listener receives a notification before the associated timer context is cached (issue authz-store/117).

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (iss #219).

  • Enables stack trace logging on Infinispan cache manager launch failure.

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.4.1

  • Upgrades to com.nimbusds:oidc-session-store:4.7.1

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.16.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.26

  • Upgrades to com.nimbusds:common:1.108.1

  • Upgrades to Infinispan 8.2.4.Final

  • Upgrades to JAX-RS Jersey 2.23.1

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to diagnose class loader issues at runtime (issue server/219).