Posted on 2017-05-21
Execute custom logic during prompt=none processing
The latest 6.7 release of the Connect2id server makes it easier to execute custom logic during processing of OpenID prompt=none authentication requests. Clients use the optional prompt=none parameter to "silently" check if the present user is still logged in with the identity provider. If not (signalled by a login_required error), the user is sent back to the OpenID server to re-authenticate.
The new op.authz.alwaysPromptMode configuration setting allows integrators to have a custom script step into the the processing of prompt=none requests, including login_required and consent_required error conditions.
To that end the authorisation session JSON object now also keeps a record of the requested prompt parameter.
Control authorisation response errors
When authorisation is denied the login page / authorisation logic can now specify an OpenID / OAuth 2.0 error code other than the default access_denied to be returned to be client. Unless you intend to implement some quite custom authorisation rule, you need not be concerned with this option; simply leave error processing to the Connect2id server.
Session store fixes for Redis backends
The day when v6.7 was about to be released we had to tackle an issue which prevented new session creation in Connect2id server deployments with Redis as the primary in-memory store (and Infinispan in invalidation mode). Several fixes were made to the session store to address this, hence the combined announcement of 6.7 and 6.7.1 here. If you’re using Redis as backend updating to 6.7.1 is highly recommended.
To download a ZIP package of Connect2id server 6.7.1:
As WAR package only:
Get in touch with Connect2id support.
- No changes
- No changes
Fixes a bug affecting subject session mapping removal and also potentially affecting new subject session addition when Infinispan is configured in invalidation mode (typically with Redis as primary in-memory store / cache) (issue session-store/55).
Fixes concurrency bug which caused the periodic clean up of orphaned subject session mappings to cease if the session store is configured with a persisting backend, such as Redis or an SQL database (issue session-store/53).
Fixes sessionStore.sessionExpirations metering for subject sessions which are expired externally by a persisting backend (issue session-store/57).
- Forces clean up of orphaned subject session mappings if the mapping routine cannot free up a session slot after 10 iterations. Also makes the periodic task for cleaning up orphaned subject session mappings resilient to runtime exceptions (issue session-store/59).
- Upgrades to com.nimbusds:oidc-session-store:5.2.2
- Adds new op.authz.alwaysPromptForAuth configuration setting to control
processing of OpenID prompt=none authentication requests when
op.authz.alwaysPromptForAuth or op.authz.alwaysPromptForConsent is
- LIMITED — No authentication or consent prompt will be returned on a OpenID prompt=none authentication request. The Connect2id server will proceed straight to returning the final response (success or login_required / consent_required error).
- PROMPT_NONE — An authentication or consent prompt will be returned on a OpenID prompt=none authentication request provided an existing session or consent is found and the request can be fulfilled with no end-user interaction. This is the default mode for legacy reasons.
- PROMPT_NONE_WITH_INTERACTION_ERRORS — An authentication or consent prompt will be returned on a OpenID prompt=none authentication request even if the request cannot be fulfilled due to required end-user interaction; in that case the login page must handle the login_required and consent_required errors by itself.
- Adds new op.authz.alwaysPromptForAuth configuration setting to control processing of OpenID prompt=none authentication requests when op.authz.alwaysPromptForAuth or op.authz.alwaysPromptForConsent is enabled:
Adds a new auth_req.prompt field to the authorisation session JSON object, representing the value of the optional OpenID prompt authentication request parameter (if set).
- Adds a new optional "error" and "error_description" query parameters to DELETE requests to allow the login page to signal a different OpenID Connect / OAuth 2.0 error other than "access_denied" when cancelling an authorisation session. Can for example be used to signal an internal login page error with "server_error" or "temporarily_unavailable". All standard OpenID Connect / OAuth 2.0 error codes returned with an authorisation error response are supported: access_denied (default), invalid_request, unauthorized_client, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, login_required, consent_required, interaction_required, account_selection_required, request_uri_not_supported, request_not_supported, invalid_request_uri and invalid_request_object.
- No changes
Posted on 2017-04-26
The OpenID Connect server has now stronger defences in place against timing attacks on OAuth 2.0 client secrets (used in HTTP basic authentication) as well as the master API tokens used to integrate the IdP / AS server with other internal services.
Submitted client secrets are not just compared in constant time manner (to the extent that’s possible with the Java runtime), but this comparison is now done using a (salted) SHA-256 hash of the secret. With such a three-layered defence (salt, hash, constant time string comparison) security shall be greatly enhanced.
The 6.6.2 release also updates a few of the underlying dependencies and fixes a bug related to Infinispan (with Redis and SQL as backends).
To download a ZIP package of Connect2id server 6.6.2:
As WAR package only:
Contact Connect2id support.
Switches to constant time comparison in the master web API token validation routines to guard against side-channel / timing attacks. The token values are salted and hashed with SHA-256 before comparison for additional protection.
- Switches to constant time comparison in the client_secret validation routine to guard against side-channel / timing attacks. The client_secret values are hashed with SHA-256 before comparison for additional protection.
- Checks the supplied elliptic curve (EC) keys on Connect2id server startup to ensure the public ‘x’ and ‘y’ parameters match the curve (P-256, P-384 or P-521).
- No changes
- Fixes intermittent duplication of client objects when listing all clients via the client registration web API (HTTP GET) for Infinispan setups in invalidation mode with Redis as primary cache and an SQL database as persistence store (issue #273).
Upgrades to com.nimbusds:oauth2-oidc-sdk:5.26
Upgrades to com.nimbusds:nimbus-jose-jwt:4.37
Upgrades to com.nimbusds:oauth2-authz-store:5.14.2
- Upgrades to com.nimbusds:common:2.5
Posted on 2017-04-15
Reliable defences work on multiple levels. The latest release of the Nimbus JOSE + JWT library adds an extra protection against invalid curve attacks by preventing construction and parsing of public EC JSON Web Keys whose public coordinates don’t fit the specified curve. With that the number of checks is increased to three:
First level: Preventing parsing and construction of EC JWK instances with invalid curve.
Second level: A curve check is performed prior to ECDH-ES decryption or ECDSA signature validation.
- Third level: Curve check performed by the underlying JCA provider, where available (the default SUN provider after v 1.8.0_51, BouncyCastle).
The invalid curve attack targets ECDH-ES encryption, with the aim to recover the private EC key.
version 4.36 (2017-04-13)
- Adds a check at ECKey construction time to ensure the public ‘x’ and ‘y’ coordinates are on the specified curve (iss #217).
- Adds a check at ECDSAVerifier construction time to ensure the public key is on the specified curve (iss #217).
- Adds a new ECDSAProvider.supportedECDSAAlgorithm() method that returns the name of the supported ECDSA algorithm (ES256, ES384 or ES512).