The OAuth 2.0 / OpenID Connect toolkit for Java gets a makeover

Nothing stays the same at Connect2id, much less the core SDK for building OAuth 2.0 / OpenID Connect applications. Today it sees its 5th major release since 2012, when OpenID Connect was still an unknown and 2 years away from becoming a standard for SSO and authentication on the Internet.

Much of the technical debt from the early naive years of the SDK project is cleared away now. The good bits appreciated by developers are kept intact, or made even more awesome. Work on complementary specs in the identity space has not ceased, and this is reflected in support for the most recent OAuth RFC on token introspection and for the authentication methods reference (still in progress). And yes, the bug count in the tracker was driven all the way down to zero!

Highlights of the 5th release

  • A robust validator of ID tokens, be they signed, HMACed or encrypted. Issuer, audience and timestamp (with allowance for clock skew) checking is taken care of. The validating credentials are sourced according to their type, typically a local store for ID tokens HMACed with the client secret, or the provider's JWK set endpoint (caching and RSA / EC key rotation supported out of the box).

  • New package for creating and consuming SAML 2.0 assertions, which can be used as a complementary grant in OAuth 2.0 to receive access and ID tokens (to be supported in this week's release of the Connect2id server).

  • A revised package for dealing with JWT bearer assertions, which can also serve as an OAuth 2.0 grant or for assertion-based client authentication. Do take a look at JWT authentication, as it's considerably safer than the commonly used HTTP basic auth. The client credential is not sent during authentication, only an assertion (token) signed with it. This prevents accidental leakage of the client credential and other potential headaches.

  • New generic framework for verifying basic and JWT-based client authentication on the server side.

  • Adds classes for dealing with OAuth 2.0 token introspection (RFC 7662) requests and responses.

  • Adds OpenID Provider metadata support for custom (not registered) parameters, in case you need to handle such.

  • Did we mention -- all reported bugs and issues have been fixed? :-)
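The two security-relevant highlights above, JWT-based client authentication and ID token validation, fit together naturally in a client's authorization code exchange. The following is an added example written for this post, not code shipped with the SDK or taken from Connect2id's documentation. It assumes the 5.x class and method names listed in the imports (PrivateKeyJWT, TokenRequest, OIDCTokenResponseParser, IDTokenValidator) and the hypothetical provider URLs, client ID and key ID shown as constants; check the exact constructor signatures against the release's Javadoc before relying on them.

```java
import java.net.URI;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;

/**
 * Added example: code exchange with private_key_jwt client authentication,
 * followed by validation of the returned ID token. All provider and client
 * values below are hypothetical placeholders.
 */
public class CodeExchangeExample {

    static final Issuer ISSUER = new Issuer("https://op.example.com");
    static final URI TOKEN_ENDPOINT = URI.create("https://op.example.com/token");
    static final URL JWK_SET_URL;
    static final ClientID CLIENT_ID = new ClientID("example-client");
    static final String KEY_ID = "client-key-1"; // kid of the client's registered public key

    static {
        try {
            JWK_SET_URL = new URL("https://op.example.com/jwks.json");
        } catch (java.net.MalformedURLException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Exchanges an authorization code for tokens and returns the verified
     * ID token claims. The client's RSA private key signs a short-lived
     * assertion; the key itself is never transmitted, unlike a client
     * secret sent with HTTP basic auth.
     */
    public static IDTokenClaimsSet exchangeCode(String code,
                                                URI redirectURI,
                                                Nonce expectedNonce,
                                                RSAPrivateKey clientPrivateKey)
            throws Exception {

        // Assertion-based client authentication (private_key_jwt). The OP verifies
        // the signature against the public key registered for CLIENT_ID.
        ClientAuthentication clientAuth = new PrivateKeyJWT(
                CLIENT_ID, TOKEN_ENDPOINT, JWSAlgorithm.RS256,
                clientPrivateKey, KEY_ID, null /* default JCA provider */);

        TokenRequest request = new TokenRequest(
                TOKEN_ENDPOINT, clientAuth,
                new AuthorizationCodeGrant(new AuthorizationCode(code), redirectURI));

        HTTPResponse httpResponse = request.toHTTPRequest().send();
        TokenResponse response = OIDCTokenResponseParser.parse(httpResponse);

        if (!response.indicatesSuccess()) {
            TokenErrorResponse error = (TokenErrorResponse) response;
            throw new IllegalStateException(
                    "Token request failed: " + error.getErrorObject().getCode());
        }

        JWT idToken = ((OIDCTokenResponse) response).getOIDCTokens().getIDToken();

        // Validator for RS256-signed ID tokens: checks the signature against the
        // OP's JWK set (fetched and cached, key rotation handled), then the
        // iss, aud, exp / iat and nonce claims.
        IDTokenValidator validator = new IDTokenValidator(
                ISSUER, CLIENT_ID, JWSAlgorithm.RS256, JWK_SET_URL);
        validator.setMaxClockSkew(60); // seconds of tolerance for exp / iat

        // Throws BadJOSEException on a bad signature or claim, JOSEException on
        // a processing error; callers must treat either as an authentication failure.
        return validator.validate(idToken, expectedNonce);
    }
}
```

For a client that was issued a shared secret instead of a key pair, the same shape applies with ClientSecretJWT in place of PrivateKeyJWT and an IDTokenValidator constructed with JWSAlgorithm.HS256 and the secret, so that the HMAC is checked against the locally held credential rather than the JWK set endpoint. Pass null as the expected nonce only if no nonce was included in the authorization request.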

Download

Version 5.0 of the OAuth 2.0 / OpenID Connect SDK was pushed to Maven Central last night.

Here is its POM dependency:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>5.0</version>
</dependency>