Connect2id server 6.9.1 updates the SQL backend connector

Posted on 2017-06-26

This is a small update to the Connect2id server which adds a new configuration setting for disabling automatic creation of the required SQL backend tables at server startup. This setting is useful in situations when the database permissions granted to the Connect2id server don’t include the SQL "CREATE" command. In that case the database admin must create the tables manually, before the server is started.

See the release notes for more information.

Download

To download a ZIP package of Connect2id server 6.9.1:

https://connect2id.com/assets/products/server/download/6.9.1/Connect2id-server.zip

(SHA-256: 7b13e9d7044f65e478ee676a0d36f94257e1033293f5982f0d81b815292b9726)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.9.1/c2id.war

(SHA-256: bbf9cd49ab5eb8d8dc4a1e3932512985f6848dc5ff991aee098c8474f6d4795f)

Questions?

Get in touch with Connect2id support.


Release notes

6.9.1 (2017-06-26)

Configuration

  • /WEB-INF/infinispan-{mysql|postgres95|h2}.xml

    • Adds a new optional boolean "create-table-if-missing" configuration attribute to the "sql-store" XML element (updating the XML schema definition to v2.6) to control the automatic creation of the required backend SQL database tables during Connect2id server startup. If "true" the Connect2id server will execute an SQL "CREATE TABLE IF NOT EXISTS" statement for each required table. This has been the behaviour of the Connect2id server since the addition of SQL backend support in v6.0. If "false" execution of the conditional "CREATE" statement will be skipped. If omitted the default setting is "true". "CREATE TABLE IF NOT EXISTS" can be disabled if the database permissions granted to the Connect2id server don’t include the SQL "CREATE" command.

Dependencies

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:2.6.1

Check session iframe support now in Connect2id server 6.9

Posted on 2017-06-23

A client application which has signed in a user with OpenID Connect may need to periodically check if the user is still logged in with the OpenID provider. The core OpenID Connect protocol provides a method to do that, by making a silent (non-interactive) prompt=none OpenID authentication request to the server.

This release of the Connect2id server implements an alternative lightweight protocol for checking the user authentication status at the OpenID provider, by polling a hidden IdP iframe with window.postMessage. Read the check session API docs to find out how to use it and what its advantages are over traditional prompt=none polling.

Version 6.9 of the Connect2id server also includes several minor configuration and dependency updates. See the release notes for more information.

Download

To download a ZIP package of Connect2id server 6.9:

https://connect2id.com/assets/products/server/download/6.9/Connect2id-server.zip

(SHA-256: 1ecec7c5e7a66beaf427aef600aad790ab897130c14d494fd070e68fe5ab11d9)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.9/c2id.war

(SHA-256: fac674339c07579444810bdcd3a6f5ab7c1b0e9aedc900898b0a2369091ac7a4)

Questions?

Get in touch with Connect2id support.


Release notes

6.9 (2017-06-22)

General

  • Adds support for an OpenID provider check session iframe, as defined in OpenID Connect Session Management 1.0, draft 28. In order to enable check session support the following parameters must be set: op.checkSession.iframe and op.checkSession.cookieName

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.policy — Can also be specified as a relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/policy.html".

    • op.tos — Can also be specified as a relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/terms-of-service.html".

    • op.serviceDocs — Can also be specified as a relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/service-docs.html".

    • op.authz.endpoint — Can also be specified as a relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/login".

    • op.logout.endpoint — Can also be specified as a relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/logout".

    • op.checkSession.iframe — New optional configuration setting for OpenID Connect Session Management 1.0 support (draft 28). Specifies the OpenID Connect check session iframe URL. The URL schema should be https. The URL can also be specified relative to the OpenID provider issuer URL. Browser JavaScript code running in the iframe must be able to access the cookie (see op.checkSession.cookieName) used to store the subject (end-user) session ID. This requires the iframe to have the same web origin (domain) as the login page which set the session cookie. The cookie must also be set without the HttpOnly flag. If blank the check session support will be disabled and the iframe will not be advertised in the OpenID provider metadata. The Connect2id server provides a default check session iframe at "/check-session.html" relative to the OpenID provider issuer URL (op.issuer).

    • op.checkSession.cookieName — New optional configuration setting for OpenID Connect Session Management 1.0 support (draft 28). Specifies the name of the cookie which is used by the login page to store the subject (end-user) session ID. The cookie must be accessible from browser JavaScript code, i.e. it must not be set with the HttpOnly flag.

  • /WEB-INF/infinispan-h2.xml

    • The Connect2id server will operate in stand-alone mode only when configured with H2 as backend SQL database. Infinispan clustering in replication mode with H2 as backend is no longer supported.

Web API

  • /check-session.html

    • Check session iframe for handling window.postMessage requests for checking if the subject’s (end-user’s) authentication status (logout, session expiration) with the OpenID provider has changed. See OpenID Connect Session Management 1.0, draft 28.

Issues

  • Ensures persisted consent for OpenID authentication requests in the code flow also includes OpenID claims requested to be returned in the ID token (issuer server/289).

Dependencies

  • Adds org.checkerframework:checker:2.1.12 dependency.

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.28

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.39.1

Connect2id server 6.8 adds logout endpoint support

Posted on 2017-06-09

The long-anticipated web API for binding a sign-out page to the Connect2id server is now here. A user who has ended their session with an OpenID Connect client app can be sent to that endpoint to be given the choice to also log out of the OpenID provider.

The logout endpoint complies with the OpenID Connect session management spec:

  • If you choose to provide a logout page, its URL will be advertised in the end_session_endpoint OpenID provider metadata parameter.

  • To prevent unwanted logouts from the OpenID provider, the user is required to confirm the action. A simple dialogue is sufficient.

  • The id_token_hint parameter is supported so that the OpenID provider can link the end-session event to a particular client app. The ID token hint is also needed if the user has multiple accounts (identities) with the IdP. Use of the ID token hint is therefore recommended.

  • The post_logout_redirect_uri parameter can be used to redirect the browser back to the client app or some other destination after logout. An optional state parameter helps pass additional data to the destination URL. Note that in order to make use of post-logout redirection the client must have registered the possible URLs, and an ID token hint must also be supplied.

Check out the following docs if you want to make use of the new logout endpoint:

Download

To download a ZIP package of Connect2id server 6.8:

https://connect2id.com/assets/products/server/download/6.8/Connect2id-server.zip

(SHA-256: 77b4413abc3319b764783735622dc876b1eb7ff8044ab2506e75ecc6e2f606ad)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.8/c2id.war

(SHA-256: efb3de0da3221da122c6aae9129c04e0d0ae9b7862089306c5c50b3ab1dad4dd)

Questions?

Get in touch with Connect2id support.


Release notes

6.8 (2017-06-09)

General

  • Adds support for implementing an OpenID provider end-session endpoint and logout page, as specified in section 5 of OpenID Connect Session Management 1.0, draft 28.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.logout.endpoint — New configuration setting for the OpenID Connect Logout (end-session) endpoint of the Connect2id server. Must be set to the URL of the OpenID provider logout page (hosted separately from the Connect2id server). The URL schema should be https. If not specified the endpoint will be disabled and not advertised in the OpenID provider metadata.

    • op.logout.apiAccessToken — New configuration setting for the access token for the logout session endpoint. The token is of type Bearer and must contain at least 32 random alphanumeric characters to make brute force guessing impractical.

    • op.logout.sessionLifetime — New configuration setting for the logout session lifetime, in minutes.

Web API

  • /logout-sessions/rest/v1

    • Adds a new integration API for implementing an OpenID provider end-session endpoint and logout page. The API exposes a simple session-like flow to let the login page process Relying-Party-initiated requests, display a confirmation dialog asking whether the user also wants to log out of the OpenID provider, and optionally perform a post-logout redirect to a URI registered by the Relying Party.

Issues

  • None

Dependencies

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.27

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.38