Connect2id server datasheet

Server endpoints

The Connect2id server supports the following standard OpenID Connect endpoints as well as a number of RESTful endpoints for integrating the service with user, reporting and administration interfaces. The OpenID Connect session management endpoint is not supported in this release.

Standard OpenID Connect / OAuth 2.0 endpoints

  • Provider metadata Advertises the OpenID Connect provider’s standard endpoints, capabilities and supported JOSE + JWT algorithms.

  • Provider JWK set Publishes the provider’s JSON Web Key (JWK) set and certificate chain used to secure the issued ID tokens and other artifacts.

  • Client registration Endpoint for registering the OpenID Connect clients for the provider. Can be operated in a public (open registration) or private mode. Supports client add, read, update and delete operations.

  • Authorisation The standard OAuth 2.0 endpoint for receiving OpenID Connect authentication (login) requests from client applications.

  • Token The standard OAuth 2.0 endpoint for exchanging authorisation codes and refresh tokens for an access and / or ID token.

  • UserInfo Protected resource for releasing consented claims (name, contact and other details) about the subject (end-user).

Integration endpoints

  • Authorisation session endpoint Enables integration of one or more login UIs for authenticating subjects and obtaining their consent. Supports arbitrary authentication methods. Supports modification of the authorisation scope. Supports implicit and explicit claims consent. Supports injection of custom (preset) ID token and UserInfo claims.

  • Direct authorisation endpoint Enables direct creation of OpenID Connect sessions and tokens, for the purpose of federating identities from business partners and social networks.

  • Authorisation store endpoint Enables reporting, management and revocation of granted authorisations (scope, claims) for each subject and client. Also supports direct issue of access and refresh tokens.

  • Subject session endpoint Enables creation, lookup, reporting, removal and expiration of subject sessions with the provider. Supports storage of arbitrary data in the session object.

Supported OpenID Connect / OAuth 2.0 response types

The Connect2id server supports the following response types. The server can be configured to accept only a subset of these, either for the entire provider or on a per-client basis. The code id_token token response type is not supported in this release. The token response type is generally not supported, as it falls outside the scope of OpenID Connect.

  • code Used to request an ID token and access token at the Token endpoint.

  • id_token Used to request an ID token (implicit grant).

  • token id_token Used to request an ID token and access token (implicit grant).

  • code id_token Used to request an ID token with the authorisation response as well as an ID token and access token at the Token endpoint.
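As an added example (not Connect2id code), the following shows how a provider could enforce the statements above when it parses the response_type of an incoming authentication request: the value is treated as an order-insensitive set, checked against the server-wide supported set and a per-client subset, and a nonce is demanded whenever the ID token would be returned from the authorisation endpoint. The client identifiers and their allowed subsets are constructed for the example.

```python
"""Added example (not Connect2id code): server-side policy check for the
response_type of an OpenID Connect authentication request. response_type is a
space-delimited set whose member order is not significant (OAuth 2.0 Multiple
Response Type Encoding Practices), so "token id_token" and "id_token token"
name the same response type. The per-client table is constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Response types this datasheet lists as supported; "code id_token token" and
# bare "token" are deliberately absent, mirroring the datasheet.
SERVER_SUPPORTED = frozenset({
    frozenset({"code"}),
    frozenset({"id_token"}),
    frozenset({"token", "id_token"}),
    frozenset({"code", "id_token"}),
})

# Per-client restriction to a subset (hypothetical client registrations).
CLIENT_ALLOWED = {
    "web-app-1": frozenset({frozenset({"code"})}),
    "spa-1": frozenset({frozenset({"id_token"}), frozenset({"token", "id_token"})}),
}


@dataclass
class Decision:
    ok: bool
    response_type: Optional[FrozenSet[str]] = None
    id_token_from_authz_endpoint: bool = False
    error: Optional[str] = None  # OAuth 2.0 error code to return to the client


def parse_response_type(value):
    """Split the space-delimited value into a set; reject empty or repeated members."""
    parts = value.split()
    if not parts or len(parts) != len(set(parts)):
        return None
    return frozenset(parts)


def check_auth_request(client_id, response_type, nonce=None):
    rt = parse_response_type(response_type)
    if rt is None:
        return Decision(False, error="invalid_request")
    if rt not in SERVER_SUPPORTED:
        return Decision(False, rt, error="unsupported_response_type")
    if rt not in CLIENT_ALLOWED.get(client_id, frozenset()):
        return Decision(False, rt, error="unauthorized_client")
    # When the ID token is returned from the authorisation endpoint (implicit
    # and hybrid flows) the request must carry a nonce, so the client can bind
    # the ID token to its session and reject replayed responses.
    front = "id_token" in rt
    if front and not nonce:
        return Decision(False, rt, front, error="invalid_request")
    return Decision(True, rt, front)
```

The error codes returned (invalid_request, unsupported_response_type, unauthorized_client) are the standard OAuth 2.0 authorisation error codes, so the decision maps directly onto the error redirect sent back to the client.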

Supported OAuth 2.0 grant types

The Connect2id server supports the following grant types. The server can be configured to accept only a subset of these, either for the entire provider or on a per-client basis.

  • authorization_code Used in the authorisation code flow.

  • implicit Used in the implicit flow.

  • refresh_token Used for long-lived authorisations.

Supported subject identifier types

The Connect2id server supports public subject identifiers. Pairwise subject identifiers are not supported in this release.

  • public Public subject identifier

OpenID Connect authentication request parameters

The Connect2id server supports the mandatory-to-implement authentication request parameters for all OpenID Connect providers. Optional request objects, passed directly or by URI reference, are not supported in this release.

  • Supported OAuth 2.0 parameters : response_type, client_id, scope, redirect_uri, state

  • Supported OpenID Connect parameters : nonce, display, prompt, max_age, ui_locales, claims_locales, id_token_hint, login_hint, acr_values, claims

  • Unsupported OpenID Connect parameters : registration, request, request_uri

Supported client authentication methods

The Connect2id server supports all standard client authentication methods that are based on a provider-issued client secret. Private key JWT assertions are not supported in this release.

  • client_secret_basic Basic HTTP authentication with client secret
  • client_secret_post Client secret passed as form parameters in the body of the token request
  • client_secret_jwt JWT assertion authentication with client secret

Supported ID token algorithms

The Connect2id server supports JSON Web Signature (JWS) protected ID tokens. Encrypted ID tokens are not supported in this release.

  • RS256, RS384, RS512, PS256, PS384, PS512 The ID token is signed with the provider’s RSA JWK.

  • HS256, HS384, HS512 The ID token is integrity protected with the provider-issued client secret.
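The client_secret_jwt authentication method listed above and the HS256 ID tokens described here both use the provider-issued client secret as an HMAC key. As an added example (not Connect2id code), the following shows both exchanges end to end with a minimal HS256 JWT codec: the client builds a short-lived assertion for the Token endpoint and the provider validates it (signature, issuer/subject, audience, expiry and jti replay), and the provider issues an HS256 ID token that the client verifies (signature, iss, aud, exp and nonce). The issuer URL, client identifier and client secret are constructed values.

```python
"""Added example (not Connect2id code): the two places in the datasheet where
a client secret is the HMAC key of a JWT: client_secret_jwt assertions sent to
the Token endpoint, and HS256-protected ID tokens. Both sides of each exchange
are shown with a minimal HS256 JWT codec. The issuer URL, client identifier
and secret are constructed values."""
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://op.example.com"  # constructed
TOKEN_ENDPOINT = ISSUER + "/token"  # constructed
CLIENT_ID = "s6BhdRkqt3"  # constructed
CLIENT_SECRET = b"constructed-client-secret-at-least-256-bits-long!!"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(claims, key):
    """Serialise claims as a compact JWS protected with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def hs256_verify(token, key):
    """Return the claims if the MAC verifies, else None. The algorithm is pinned
    to HS256 (the header never selects it) and the MAC compare is constant-time."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError):  # wrong segment count, bad base64/JSON
        return None

def _as_list(aud):
    return aud if isinstance(aud, list) else [aud]

def _expired(claims, now):
    exp = claims.get("exp")
    return not isinstance(exp, int) or exp <= now

def make_client_assertion(now=None):
    """Client side of client_secret_jwt: short-lived assertion for the Token endpoint."""
    now = int(time.time()) if now is None else now
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + 60}
    return hs256_sign(claims, CLIENT_SECRET)

_seen_jti = set()  # replay cache; in production, bounded by the assertion lifetime

def authenticate_client(assertion, registered_secrets, now=None):
    """Token endpoint side of client_secret_jwt. Returns the client_id or None."""
    now = int(time.time()) if now is None else now
    try:  # the unverified issuer is read only to select the key
        client_id = json.loads(_b64url_decode(assertion.split(".")[1])).get("iss")
    except (ValueError, IndexError, AttributeError):
        return None
    key = registered_secrets.get(client_id) if isinstance(client_id, str) else None
    claims = hs256_verify(assertion, key) if key else None
    if claims is None or claims.get("sub") != client_id:
        return None
    if TOKEN_ENDPOINT not in _as_list(claims.get("aud")) or _expired(claims, now):
        return None
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti or jti in _seen_jti:
        return None
    _seen_jti.add(jti)
    return client_id

def issue_id_token(subject, nonce, now=None):
    """Provider side: ID token integrity-protected with the client secret."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "nonce": nonce,
              "iat": now, "exp": now + 600, "amr": ["pwd"]}
    return hs256_sign(claims, CLIENT_SECRET)

def verify_id_token(token, expected_nonce, now=None):
    """Client side (OpenID Connect Core 3.1.3.7): MAC, iss, aud, exp and nonce."""
    now = int(time.time()) if now is None else now
    claims = hs256_verify(token, CLIENT_SECRET)
    if claims is None or claims.get("iss") != ISSUER:
        return None
    if CLIENT_ID not in _as_list(claims.get("aud")) or _expired(claims, now):
        return None
    if claims.get("nonce") != expected_nonce:
        return None
    return claims
```

Two design points carry over to any HMAC-protected token: the verifier fixes the expected algorithm rather than reading it from the header, and the key is chosen from the registered client secret for the claimed issuer before anything else in the assertion is trusted. Because the same secret signs the ID token, an HS256 ID token is only as confidential as the client secret, which is why the RS/PS algorithms above are the usual choice for public or multi-instance clients.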

Supported claim types

The Connect2id server issues normal claims. Aggregated and distributed claim types, asserted by a claims provider other than the OpenID provider, are not supported in this release.

  • normal Claims directly asserted by the provider.

Offline access

The Connect2id server supports authorisations bound to a subject’s session as well as offline access by long-lived OAuth 2.0 refresh tokens.

Subject authentication

The Connect2id server supports arbitrary end-user authentication methods, such as simple password-based authentication or two-factor authentication, through its authorisation session endpoint at the time of login. Client applications can be informed of the applied authentication strength and method through the standard acr and amr ID token claims.

LDAP directory-based authentication is provided out of the box with the included LdapAuth service. Connect2id provides support for integrating other authentication factors, such as hardware tokens.

Claims data sources

The Connect2id server supports aggregation of claims (standard UserInfo and others), with optional language tags, from one or more data sources, through a Java SPI. An LDAP directory-based claims source provider is included out of the box. Connect2id provides support for integrating claims sources, such as SQL databases or HR web APIs.

Access token types

The Connect2id server supports both types of OAuth 2.0 access tokens – identifiers and self-contained authorisations.

  • Secure random identifier The access token is represented by a secure random identifier. The corresponding authorisation can be looked up by a RESTful call to the Connect2id token introspection endpoint.

  • Self-contained The access token is represented by a JSON Web Token (JWT) signed with the provider’s RSA key. The supported JWS algorithms are RS256, RS384, RS512, PS256, PS384 and PS512. The following fields can be included in the JWT: subject, client identifier, issuer, audience, scope, token issue time, token expiration time, consented claims, associated subject session identifier, optional custom data. The corresponding authorisation for a self-contained token can still be looked up by a RESTful call to the Connect2id token introspection endpoint.

High-availability and scaling

The Connect2id server can be run in two modes.

  • Single server The Connect2id server runs in a single server instance.

  • Cluster The Connect2id server runs in a replicated cluster configuration for high-availability and load-balancing. Additional server nodes can be added dynamically.

Questions or comments? Get in touch with Connect2id support.