Connect2id server 6.6 eases migration of data between instances

Posted on 2017-03-20

This new release of the Connect2id server makes migrating data between instances much safer and easier. Migration can now be performed entirely via the server web APIs, independently of the type of backend database used by the source and target server. This can be especially helpful if you are considering migrating from Connect2id server v5 or an older release.

Check out our new migration guide for details.

Download

To download a ZIP package of Connect2id server 6.6:

https://connect2id.com/assets/products/server/download/6.6/Connect2id-server.zip

(SHA-1: 2bfa21f208bae49f9cb30f2b1f68d541b597e0dd)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.6/c2id.war

(SHA-1: 3e3ce6b4b5244145334a974c4c9197421c1500cc)

Questions?

Get in touch with Connect2id support to receive assistance.


Release notes

6.6 (2017-03-20)

General

  • Adds comprehensive support for importing subject sessions and persisted authorisation records from another Connect2id server.

Configuration

  • /WEB-INF/sessionStore.properties

    • Adds new optional sessionStore.acceptLegacySIDs configuration property. Set to "true" to enable import of sessions from Connect2id server versions 5x and older. Defaults to "false".

Web API

  • /session-store/rest/v2 POST

    • Adds new optional "Legacy-SID" header parameter to enable import of a subject session from a Connect2id server that doesn’t support HMAC-protected SIDs (version 5x and older). Note that the Connect2id server must also be configured to accept legacy SIDs with sessionStore.acceptLegacySIDs = true.
  • /authz-store/rest/v2/authorizations POST

    • Adds new optional "import" query parameter to enable import of a long-lived authorisation from another Connect2id server instance.

Bug fixes

  • None

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.14.1

  • Upgrades to com.nimbusds:oidc-session-store:5.2.1

Connect2id server 6.5

Posted on 2017-03-15

Single use of tokens is now also supported by the standard inspection endpoint

The standard token inspection endpoint will now also support optional removal of the queried access token, in order to facilitate use cases where access token replay at the resource server must be prevented. This feature was originally introduced in the proprietary inspection endpoint, in Connect2id server version 6.4 released last week.

To remove the access token after inspection simply add the revoke=true parameter. Note that this feature only works with identifier-based tokens, which represent a key to retrieve the underlying authorisation. It will have no effect if the access token is self-contained (JWT-encoded).

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&revoke=true

Subsequent inspection requests with the same access token will produce a response that the token is no longer valid.

Importing end-user sessions

The session store web API was updated to enable correct import of user sessions from other servers, preserving the original creation timestamp.

Bug fixes

This release also fixes a bug introduced in Connect2id server version 6.4 which affected session expiration when the maximum authentication lifetime parameter is set. Everybody who has downloaded 6.4 is advised to upgrade.

Download

To download a ZIP package of Connect2id server 6.5:

https://connect2id.com/assets/products/server/download/6.5/Connect2id-server.zip

(SHA-1: fc9045abe2a7ea523c3bcdc1d9e44a05d089458c)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.5/c2id.war

(SHA-1: 4c3a5c54b923674cf0c2b3b091ebcc67e1896b16)


Release notes

6.5 (2017-03-15)

Configuration

  • No changes

Web API

  • /token/introspect

    • Adds an optional non-standard (see RFC 7662) "revoke" query parameter (defaults to "false") to facilitate single use of identifier-based access tokens. Causes the access token to be automatically deleted from the store after successful inspection. Has no effect with self-contained (JWT-encoded) access tokens. Identical to the optional "revoke" query parameter of /authz-store/rest/v2/inspection (introduced in Connect2id server 6.4).
  • /session-store/rest/v2

    • Permits addition of subject sessions created in the past, in order to facilitate the correct import of sessions from another Connect2id server.

Bug fixes

  • Fixes a bug that caused the set authentication lifetime of a subject session to incorrectly cause its expiration (issue session-store/50).

Dependencies

  • Upgrades to com.nimbusds:oidc-session-store:5.1

Improved claims and access token lifecycle support in Connect2id server 6.4

Posted on 2017-03-08

This release of the OpenID Connect server introduces a number of small but useful new features.

Define your own scope to claims expansions

OpenID Connect allows client apps to request claims (assertions) about the user by including special OAuth 2.0 scope values in the OpenID authentication request.

For example, apps can use the profile scope value to request access to the following user attributes at the IdP:

Scope value   Claims
profile       name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at

OpenID Connect defines four such scope values that expand to specific sets of claims.

This neat concept can be used with other (custom) scope values and claims that the identity provider needs to support. Up until now, identity providers with a Connect2id server had to maintain these mappings externally, and apply them during the authorisation session. With v6.4 such scope value to claim expansions can be defined internally.

Example definition of a custom org_profile scope value and the claims that it expands to:

org_profile: roles, supervisor, employee_number
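As an added example (not Connect2id code), the expansion described above in Python: a parser for the "scope_value: claim, claim" line format of the org_profile definition (a Java properties style is assumed, so "=" is accepted as a separator too) and the expansion of a requested scope set to claim names. It goes beyond the page by including all four standard OpenID Connect scope expansions, not only profile; the function names are the example's own.

```python
"""Scope value to claims expansion (added example, not Connect2id code)."""

# The four standard expansions, from OpenID Connect Core 1.0 section 5.4.
STANDARD_SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}


def parse_claims_map(text):
    """Parse 'scope_value: claim_a, claim_b' lines (Java properties style,
    '=' also accepted) into {scope: [claims]}. Blank lines and '#' comments
    are skipped; a malformed line raises rather than being silently dropped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sep = min((i for i in (line.find(":"), line.find("=")) if i >= 0), default=-1)
        scope = line[:sep].strip() if sep >= 0 else ""
        claims = [c.strip() for c in line[sep + 1:].split(",") if c.strip()]
        if sep < 0 or not scope or not claims:
            raise ValueError(f"line {lineno}: expected 'scope_value: claim, ...'")
        mapping[scope] = claims
    return mapping


def expand_scope(scope_values, custom_map):
    """Ordered, de-duplicated claim names for a set of scope values. Standard
    and custom expansions are unioned (an assumption); values with no mapping,
    such as 'openid' or a plain API scope, contribute no claims."""
    claims = []
    for sv in scope_values:
        for claim in STANDARD_SCOPE_CLAIMS.get(sv, []) + custom_map.get(sv, []):
            if claim not in claims:
                claims.append(claim)
    return claims


# Constructed configuration, modelled on the org_profile example above.
CUSTOM_CLAIMS_MAP = parse_claims_map("""
# custom scope value -> claims
org_profile: roles, supervisor, employee_number
""")
```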

Guaranteeing single use of access tokens

Applications and resource servers which require an access token to be used once only and prevent its replay have these two choices:

  1. The resource server caching the access token signature (or its JTI claim) for the duration of the token lifetime after it’s validated. Subsequent requests with the same token will cause a cache hit, indicating that the token has already been used.

  2. With identifier (key) based tokens, which are inspected with a call to the Connect2id server. This call now has an optional query parameter revoke which will cause the token to be deleted when it’s inspected. A subsequent inspection call will yield a 404 status code, signalling that the token is no longer valid.

    POST /authz-store/rest/v2/inspection?revoke=true HTTP/1.1
    Host: c2id.com
    Content-Type: application/x-www-form-urlencoded
    
    access_token=kiuf7oPaFaePoo5tzieS8eeMEChoo7Ko
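An added example (not Connect2id code) covering both single-use options described here and in the 6.5 post above: a JTI replay cache for self-contained tokens (option 1), and the RFC 7662 introspection request carrying Connect2id's revoke=true parameter for identifier-based tokens (option 2), together with the acceptance check a resource server applies to the reply. The client credentials are those decoded from the Basic Authorization header of the 6.5 post's example request; the class and function names are the example's own.

```python
"""Single-use access tokens at a resource server (added example, not Connect2id code)."""
import time
from base64 import b64encode
from urllib.parse import urlencode


class JtiReplayCache:
    """Option 1: remember each self-contained token's 'jti' until its 'exp' passes."""

    def __init__(self, now=time.time):
        self._seen = {}  # jti -> exp (seconds since the epoch)
        self._now = now  # injectable clock, so the behaviour is testable

    def first_use(self, jti, exp):
        """True on first presentation of a live token; False on replay or expiry."""
        now = self._now()
        # Evict entries whose tokens can no longer validate, so the cache
        # holds at most one entry per live token.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if exp <= now or jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def build_introspection_request(token, client_id, client_secret, revoke=True):
    """Option 2: headers and form body for POST /token/introspect.

    'revoke' is Connect2id's non-standard addition to the RFC 7662 request;
    the server deletes an identifier-based token once it has been inspected.
    """
    creds = b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + creds,
    }
    body = urlencode({"token": token, "revoke": "true" if revoke else "false"})
    return headers, body


def token_accepted(status_code, json_body):
    """Accept only a 200 reply whose RFC 7662 'active' flag is true. A replayed
    identifier-based token comes back as active=false from /token/introspect,
    or as a 404 from the proprietary /authz-store/rest/v2/inspection resource."""
    return status_code == 200 and json_body.get("active") is True
```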

Prometheus support

The Connect2id server collects over 100 useful metrics to monitor identity provider usage and performance. These can now be exported in Prometheus format at a dedicated endpoint.

Other new features

Other new features include improved support for implicit consent of OpenID claims, additional Infinispan configurations for using Redis as a primary in-memory and cache store, and a more efficient expiration of user sessions. Check the release notes below for details.

Download

To download a ZIP package of Connect2id server 6.4:

https://connect2id.com/assets/products/server/download/6.4/Connect2id-server.zip

(SHA-1: 6814cde422140d84e6fde0fbf816d7ec9be3cf2e)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.4/c2id.war

(SHA-1: 761e982431ca0d597c9f7ebca85aa1ed45c2c191)


Release notes

6.4 (2017-03-08)

General

  • Adds new optional configuration file for defining custom scope value to OpenID Connect claim mappings.

  • Adds support for implicit consent of OpenID Connect claims.

  • Adds a new optional "revoke" parameter to the token introspection call to facilitate single use of identifier-based access tokens where required by the resource server / application.

  • Adds endpoint for scraping the Connect2id server metrics in Prometheus (https://prometheus.io) format.

  • Expiration of subject (end-user) sessions is now handled by Infinispan, simplifying configuration (see below) and improving the performance of session retrieval.

  • Updates the Infinispan configuration files.

Configuration

  • /WEB-INF/customClaimsMap.properties

    • New optional configuration file for defining custom scope value to OpenID Connect claim mappings. Can be used to automatically expand selected custom scope values to one or more custom claim names, e.g. "my_scope_value" to claim names "claim_a", "claim_b", etc.
  • /WEB-INF/oidcProvider.properties

    • Adds new optional "op.authz.alwaysPromptForAuth" configuration property, defaults to "false". If "true" the Connect2id server will always prompt for authentication, even if the end-user is currently authenticated (by means of a valid session cookie), or "prompt=none" was requested by the client. Intended to facilitate authentication step-up by using selected scope values.
  • /WEB-INF/sessionStore.properties

    • The sessionStore.purgeInterval configuration property is removed. Expiration of subject (end-user) sessions is now handled by Infinispan. The expiration interval can be fine tuned by changing the expiration interval attribute of "sessionStore.sessionMap" of the chosen Infinispan XML configuration (infinispan-.xml).
  • /WEB-INF/jose.properties

    • Adds support for overriding the PKCS#11 configuration via Java system properties.
  • /WEB-INF/infinispan-mysql-redis.xml

    • Adds new configuration for using Infinispan in invalidation mode, with MySQL as the persistence store and Redis as the primary in-memory / cache store.
  • /WEB-INF/infinispan-postgres95-redis.xml

    • Adds new configuration for using Infinispan in invalidation mode, with PostgreSQL 9.5+ as the persistence store and Redis as the primary in-memory / cache store.
  • /WEB-INF/infinispan-ldap-redis.xml

    • Renames the previous configuration file for using Infinispan in invalidation mode with LDAP as the persistence store and Redis as the primary in-memory / cache store.
  • /WEB-INF/infinispan-*.xml

    • Declares the required application specific AdvancedExternalizer instances in the XML configuration (see issue server/253 below).
  • /WEB-INF/web.xml

    • Configures eager servlet loading.

Web API

  • /authz-sessions/rest/v3, /authz-sessions/rest/v2

    • Adds support for implicit consent of OpenID Connect claims.
  • /authz-store/rest/v2/inspection

    • Adds an optional "revoke" query parameter (defaults to "false") to facilitate single use of identifier-based access tokens. Causes the access token to be automatically deleted from the store after successful inspection. Has no effect with self-contained (JWT-encoded) access tokens.
  • /monitor/v1/metrics/prometheus

    • Adds new resource for retrieving Connect2id server metrics in Prometheus (https://prometheus.io) format (exported from Dropwizard). Requires a bearer access token, which is configured in /WEB-INF/monitor.properties.

Bug fixes

  • Fixes processing of refresh token grant requests from public OAuth 2.0 clients to ensure a mismatch of the top-level client_id and the client_id encoded in the refresh token produces an invalid_grant error (issue server/254).

  • Switches to XML-based declaration of the application specific Infinispan AdvancedExternalizer classes to address startup situations when the programmatically configured externalisers don’t get picked up by Infinispan (issue server/253).

  • Fixes handling of illegal URL-encoding in client secret basic authentication HTTP Authorization headers so that instead of failing with HTTP 500 status code a proper HTTP 400 status and message is returned (issue oidc-sdk/208).

  • Prevents inconsistent direct authorisation requests for a refresh token with disabled authorisation persistence (long_lived = false). Such requests will now produce an HTTP 400 status code with the error message "Invalid request: Refresh token issue requires the authorization to be persisted with long_lived=true" (issue server/262).

  • Fixes a bug that prevented the timely removal of authorisation sessions in Infinispan invalidation mode (issue server/265).

  • Removes stray System.out.println in userInfo endpoint code (issue server/261).

Dependencies

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.24

  • Upgrades to com.nimbusds:oauth2-authz-store:5.13.1

  • Upgrades to com.nimbusds:oidc-session-store:5.0

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:1.3

  • Upgrades to com.nimbusds:common:2.4

  • Upgrades to com.unboundid:unboundid-ldapsdk:3.2.1