Connect2id server 7.8.1

2018-12-14

This update of the Connect2id server fixes a bug which affects retrieval of authorisation session data persisted in DynamoDB. All deployments that use DynamoDB should update.

Check out the release notes below for more information.

Download

To download a ZIP package of Connect2id server 7.8.1:

https://connect2id.com/assets/products/server/download/7.8.1/Connect2id-server.zip

SHA-256: aef1cb40d1b50f42d0250304abbdc9e24bac00a6e26ebfd0682007b5e71e4dab

As WAR package only:

https://connect2id.com/assets/products/server/download/7.8.1/c2id.war

SHA-256: 1d8dbf23d2457ebf476e05efa5ee59c9bb7911ef8ce10ccdc434822487fc5f1a

Questions?

Get in touch with Connect2id support.


Release notes

7.8.1 (2018-12-13)

Resolves issues

  • Updates persistence of consent sessions in DynamoDB to prevent exceptions on null claims, claims.id_token and claims.userinfo fields. All deployments utilising DynamoDB should update (issue server/411).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:6.3

Connect2id server 7.8

2018-11-20

November's release of the OpenID Connect server updates OAuth 2.0 mutual TLS client authentication to accept Certificate Authority (CA) signed certificates.

Previously, for clients registered for self_signed_tls_client_auth, the Connect2id server would only accept strictly self-signed certificates. Starting with v7.8, client certificates that are signed by a CA will also be accepted.

In both cases, self-signed or CA-signed certificate, the public key of the client certificate must be registered with the Connect2id server in JWK format, either by value (using the jwks client registration parameter) or by URL (using jwks_uri). Note that for a CA-signed certificate no PKI-based validation is done by the Connect2id server; only the certificate's public key must match the registered one. PKI-based validation can still be performed beforehand in a TLS terminator set up in front of the server.

This authentication method is specified in OAuth 2.0 Mutual TLS profile (draft-ietf-oauth-mtls-12).
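As an added illustration (not Connect2id's code, which is Java and not shown here), the following Go program captures the v7.8 acceptance rule: a presented client certificate, whether self-signed or CA-signed, passes only if its public key equals one of the client's registered JWKs, compared here through the RFC 7638 JWK thumbprint. The keys and certificates are constructed in the code; the thumbprint and matching functions are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// rsaThumbprint: RFC 7638 JWK thumbprint, SHA-256 over the canonical {"e","kty","n"} JSON (sorted, no spaces).
func rsaThumbprint(pub *rsa.PublicKey) string {
	enc := base64.RawURLEncoding
	e := enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	n := enc.EncodeToString(pub.N.Bytes())
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n)))
	return enc.EncodeToString(sum[:])
}

// KeyMatchesRegistered applies the v7.8 rule: the presented certificate is accepted only if its public
// key equals one of the client's registered JWKs. Whether it is self-signed or CA-signed is irrelevant
// here; any PKI/chain validation is left to the TLS terminator in front of the server.
func KeyMatchesRegistered(cert *x509.Certificate, registered []*rsa.PublicKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey) // this example registers RSA JWKs only
	for _, jwk := range registered {
		if ok && rsaThumbprint(jwk) == rsaThumbprint(pub) {
			return true
		}
	}
	return false
}

// newCert issues a throwaway certificate for subjectKey (constructed test data): self-signed when
// issuer is nil, otherwise signed by the given CA certificate and key.
func newCert(subjectKey *rsa.PrivateKey, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: issuer == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if issuer == nil {
		issuer, issuerKey = tmpl, subjectKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &subjectKey.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A certificate signed by the test CA but carrying a key that was never registered is rejected, which is the check that matters when the terminator in front does no PKI validation.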

Check out the release notes below for more information.

Download

To download a ZIP package of Connect2id server 7.8:

https://connect2id.com/assets/products/server/download/7.8/Connect2id-server.zip

SHA-256: 04b4cd5194f2e2e8627aa86af5041c002bff87681537396c9553f682863f4bc2

As WAR package only:

https://connect2id.com/assets/products/server/download/7.8/c2id.war

SHA-256: 47c28265e05da49e003f775ba2e95e7daeed2c40fc831f7a3ce03e938b941622

Questions?

Get in touch with Connect2id support.


Release notes

7.8 (2018-11-20)

Summary

  • Updates self-signed certificate mutual TLS OAuth 2.0 client authentication (self_signed_tls_client_auth) to accept Certificate Authority (CA) signed certificates. Previously only strictly self-signed certificates were accepted. For self-signed as well as CA-signed certificates the public key of the certificate must be registered with the Connect2id server in JWK format, either by value (using the jwks client registration parameter) or by URL (using jwks_uri). See OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-12), section 2.2.

Resolves issues

  • Removes stray System.out.println in authorisation session handler (issue server/406).

  • Updates logging of the configuration for the client X.509 certificate request HTTP header set by the TLS termination proxy (code OP6900).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:6.2

  • Updates to com.nimbusds:oauth-client-grant-handler:1.4

Connect2id server 7.7

2018-10-15

We have another update of the Connect2id server for you. It is recommended if you have a deployment with an AWS DynamoDB backend, or if you intend to use the feature introduced in version 7.6 for steering implicitly consented OpenID claims into the ID token instead of returning them at the UserInfo endpoint, the standard location for all code-based flows.

For more information check the release notes below.

Download

To download a ZIP package of Connect2id server 7.7:

https://connect2id.com/assets/products/server/download/7.7/Connect2id-server.zip

SHA-256: e6b2e33de5b6701eb5224f8ad203e6917306a90825bdeb19df06b9d724f3956d

As WAR package only:

https://connect2id.com/assets/products/server/download/7.7/c2id.war

SHA-256: 813fe50a7bf927539d25db527b7312c6fd36a868b3c4e6119c680a495ac93381

Questions?

Get in touch with Connect2id support.


Release notes

7.7 (2018-10-02)

Summary

  • Recommended update for Connect2id server deployments utilising a DynamoDB backend. Sanitises DynamoDB items before a database write to prevent DynamoDB ValidationExceptions when the optional data in client registrations, authorisation objects and other persisted objects contains empty strings or sets. Also adds a new configuration option for creating the DynamoDB tables with selected global secondary indices (GSI) omitted, to conserve read and write capacity.

  • Recommended update for Connect2id server deployments utilising the "id_token:" prefix introduced in v7.6 to steer selected implicitly consented OpenID claims for delivery with the ID token instead of the UserInfo endpoint. Fixes a bug which included the prefix in persisted consent.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • The global secondary indices (GSI) for the subject (sub), actor (act) and / or client ID (cid) attributes in persisted authorisation (consent) records can be selectively turned off by overriding the default "sub, act, cid" setting with a "dynamodb.authzStore.longLivedAuthzMap.indexedAttributes" Java system property. For example, "sub, act" will cause GSIs to be created for the subjects and actors only; for client ID related queries the Connect2id server will then fall back to a DynamoDB scan request with a filter expression.

Resolved issues

  • Sanitises DynamoDB items before writing them to the table. Empty strings, empty binary data and empty sets, including those in nested JSON objects (maps), are automatically removed to fit the DynamoDB data model and prevent ValidationExceptions (issue authz-store/154).

  • OAuth 2.0 authorisation requests and OpenID authentication requests with an unsupported PKCE method (RFC 7636) are rejected with an "invalid_request" error and a descriptive message, as required in section 4.4.1 of RFC 7636. Previously the Connect2id server would return an HTTP 500 status at the token endpoint if the PKCE method was not supported (i.e. other than "plain" and "S256") (issue server/401).

  • Implicitly consented claims with an "id_token:" prefix to trigger release via the ID token instead of at the UserInfo endpoint must be saved without the prefix in persisted authorisation records ("cls") (issue server/399).
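An added example, not the server's own code, of the item sanitisation described in the first resolved issue above: a recursive pass over a decoded JSON item that drops empty strings, empty binary values and empty arrays, including those nested inside maps, so the item fits the DynamoDB data model. The function names are this example's own, the input document used in the usage note is constructed, and the choice to also drop an array that becomes empty after pruning is this example's, not the page's.

```go
package main

import "encoding/json"

// SanitizeItem returns a copy of a decoded JSON value (map[string]any, []any, string, ...) with
// every empty string, empty binary value and empty array removed, recursing into nested maps and
// arrays. The boolean reports whether the value itself survived, so a caller can drop the attribute.
// Empty nested maps are kept: an empty map is a valid DynamoDB attribute value.
func SanitizeItem(v any) (any, bool) {
	switch x := v.(type) {
	case string:
		return x, x != ""
	case []byte: // decoded binary attributes; JSON input never yields this type
		return x, len(x) > 0
	case []any:
		out := make([]any, 0, len(x))
		for _, elem := range x {
			if s, ok := SanitizeItem(elem); ok {
				out = append(out, s)
			}
		}
		return out, len(out) > 0 // an array left empty after pruning is dropped as well
	case map[string]any:
		out := make(map[string]any, len(x))
		for k, elem := range x {
			if s, ok := SanitizeItem(elem); ok {
				out[k] = s
			}
		}
		return out, true
	default: // numbers, booleans and JSON null pass through unchanged
		return v, true
	}
}

// SanitizeJSON parses a JSON document, sanitises it and re-encodes it, which is the shape of the
// pre-write step the release notes describe.
func SanitizeJSON(doc []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	clean, _ := SanitizeItem(v)
	return json.Marshal(clean)
}
```

Run on a constructed registration such as {"client_name":"app","logo_uri":"","contacts":[],"jwks":{"keys":[]}}, the output keeps client_name, drops logo_uri and contacts, and reduces jwks to an empty map.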

Dependency changes

  • Updates to com.nimbusds:infinispan-cachestore-common:2.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:2.5