Connect2id server 7.13

2019-07-04

This is a mini update to the Connect2id server for OpenID Connect and OAuth 2.0.

Check the release notes for more information.

Download

To download a ZIP package of Connect2id server 7.13:

https://connect2id.com/assets/products/server/download/7.13/Connect2id-server.zip

SHA-256: 8c31a2a41cd659b0c83eac89f0d4177eb889f694b118c5edb0936a13c8c7625b

As WAR package only:

https://connect2id.com/assets/products/server/download/7.13/c2id.war

SHA-256: 7c474253393ae6e66fdae77c3919af6338842892fa68db1c8ddeb5580d1d5510

Questions?

Contact Connect2id support.


Release notes

7.13 (2019-06-25)

Configuration

  • /WEB-INF/infinispan-*-redis-*.xml

    • Upgrades the Redis store configuration XML schema to support two classes of store connectors - a simple connector supporting only load / store operations and an extended connector also supporting bulk operations.

Web API

  • /tenants/rest/v1/{tid}/metadata

    • New resource for storing arbitrary metadata (as JSON object) for a tenant. Supports GET and PUT. Available on the multitenant edition of the Connect2id server.

SPI

  • com.nimbusds.openid.connect.provider.spi.tokens.TokenCodecContext

    • Provides a JWSVerifier in the context of the IdentifierAccessTokenCodec and SelfContainedAccessTokenClaimsCodec SPIs. Can be used to validate the JSON Web Signature (JWS) of custom hybrid access tokens (identifier-based access token encoded in a JWT with metadata) or custom secured fields in a token. Requires version 4.4 of the Connect2id server SDK.

Resolved issues

  • Works around an Infinispan issue which omitted objects in bulk retrieval operations in stateless deployments with a Redis cache and an underlying persisting database (SQL, LDAP). The issue affected listing of client registrations, authorisation records and tenants (in the multitenant edition) via the Connect2id server web APIs (issue server/467).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.4

  • Updates to com.nimbusds:tenant-manager:3.2.1

  • Updates to com.nimbusds:tenant-registry:4.1

  • Upgrades to com.nimbusds:oauth2-authz-store:12.0

  • Updates to com.nimbusds:nimbus-jose-jwt:7.3.1

  • Updates to com.nimbusds:common:2.34

  • Upgrades to com.nimbusds:infinispan-cachestore-common:2.4

  • Upgrades to com.nimbusds:infinispan-cachestore-redis:9.2.7

Connect2id server 7.12.1

2019-06-05

This is a maintenance release of the Connect2id server. Fixes a bug in request object error reporting and a bug in the session store which affected the correct keeping of max idle time. Also updates the session store and the DynamoDB connector for better memory efficiency when purging large numbers of expired sessions.

Check the release notes for more information.

Download

To download a ZIP package of Connect2id server 7.12.1:

https://connect2id.com/assets/products/server/download/7.12.1/Connect2id-server.zip

SHA-256: 8a2743ae1e67249a689306ef2b660fb8f0adb902f31e502757a77243732bc346

As WAR package only:

https://connect2id.com/assets/products/server/download/7.12.1/c2id.war

SHA-256: f97a7a2cbc196e09d06f2351371b4af92191ac3a0ad9b12d4d3b0048a601c4ae

Questions?

Contact Connect2id support.


Release notes

7.12.1 (2019-06-05)

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Upgrades the DynamoDB store configuration schema to v1.6 which introduces a new optional "purge-limit" attribute. It limits the number of expired entries to purge during a run of the expired entry reaper task. The default value is -1 (no limit).

    • Adds new dynamodb.purgeLimit.sessionStore.sessionMap Java system property to set the purge limit for subject sessions persisted to DynamoDB. The default value is -1 (no limit).

Resolved issues

  • A JAR request for a client not registered for JAR should produce an invalid_request_object error with "The client isn't registered for request objects" message (issue server/461).

  • Fixes a session store bug which caused the last access timestamp for subject sessions to not update and the session to expire prematurely if max idle is set. The bug affected Connect2id server deployments in stateless cluster mode (DynamoDB and Redis) (issue session store/78).

  • Updates the session store task for purging orphaned subject keys (subject index entries) to conserve memory (issue session store/79).

  • Updates the expired entry purge task of the DynamoDB store to conserve memory (issue dynamodb/13).

Dependency changes

  • Updates to com.nimbusds:oidc-session-store:11.2

  • Updates to Infinispan 9.4.14.Final.

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:3.5

  • Updates to com.unboundid:unboundid-ldapsdk:4.0.11

Connect2id server 7.12 supports request objects in general OAuth 2.0

2019-05-16

The new Connect2id server 7.12 release focuses on request objects. Unsure what they are and when to use them? Check out our freshly published guide.

Request objects with general OAuth 2.0

The concept of JWT-secured authorisation parameters originally appeared as a feature in OpenID Connect called request objects. The extra security guarantees they provide found use in the FAPI profile for OpenBanking and other financial-grade applications.

Request objects can also be useful in the underlying OAuth 2.0 framework and the OAuth working group caught up with its own compatible and more general spec that bears the acronym JAR, for JWT Secured Authorization Request.

The Connect2id server has supported request objects in OpenID authentication requests since version 6.0. This new release makes it possible to use them with plain OAuth 2.0 authorisation requests as well.

New request object configs

These were necessitated by the most recent FAPI spec:

  • op.authz.requireRequestJWTExpiration -- Specifies if received request object JWTs must include an expiration (exp) claim. The default value is false.

  • op.authz.requireAllParamsInRequestJWT -- Specifies if received request JWTs must include all OAuth 2.0 authorisation request parameters. If enabled authorisation requests with unsecured parameters will be rejected with an invalid_request error. The default value is false.

New OpenID Connect error code

OpenID Connect has been missing an error code for indicating the condition when the end-user couldn't be authenticated at a required strength (Authentication Context Class Reference, or ACR). The omission was fixed earlier this month with a new unmet_authentication_requirements error code, which is now understood by the Connect2id server.

The error code spec is not officially published yet, but you can read its XML source in the OpenID Connect repo.

Other updates and fixes

The token endpoint features a new security measure for the OAuth 2.0 authorisation code grant. The Connect2id server will automatically revoke the received code if the client authentication, with a client secret or some other method, is found invalid.

To support migration from deployments with weak 1024-bit RSA keys a new JOSE configuration property was added.

A significant bug in the session store was also fixed.

For more information check out the release notes below.

Download

To download a ZIP package of Connect2id server 7.12:

https://connect2id.com/assets/products/server/download/7.12/Connect2id-server.zip

SHA-256: 02976e88e38ff7310be703a48c0669bbd8ab0d9dd9b179d4cc724e0a153446c7

As WAR package only:

https://connect2id.com/assets/products/server/download/7.12/c2id.war

SHA-256: b71d43e9afc5bba8c26d1d10dd25b92049610f06cfaf130fe5572f2fabdb9372

Questions?

Contact Connect2id support.


Release notes

7.12 (2019-05-16)

General

  • Adds support for JWT-secured OAuth 2.0 authorisation requests (draft-ietf-oauth-jwsreq-17). Previously, request objects were only supported in OpenID authentication requests, passed inline via the "request" parameter or by reference via the "request_uri" parameter.

    JWT-secured OAuth 2.0 authorisation requests (including OpenID authentication requests) with an inlined request object may include only the "request" parameter, with all required and optional parameters present in the JWT.

    Requests with a request object passed by reference (URL) may include only the "request_uri" and "client_id" parameters, with all required and optional parameters present in the JWT.

    See https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17

Configuration

  • /WEB-INF/jose.properties

    • Adds new jose.allowWeakKeys configuration property to allow the Connect2id server to be configured with a JWK set that contains weak RSA keys shorter than 2048 bits. May be used to facilitate migration and key roll-over from OpenID providers that use weak RSA keys. If weak RSA keys are allowed and detected in the JWK set, the Connect2id server will log a warning with ID SE1030 at startup. The default value is false.

  • /WEB-INF/oidcProvider.properties

    • Adds new op.authz.requireRequestJWTExpiration configuration property to specify whether received request object JWTs must include an expiration (exp) claim. The default value is false.

      See Financial-grade API - Part 2: Read and Write API Security Profile.

    • Adds new op.authz.requireAllParamsInRequestJWT configuration property to specify whether request JWTs must include all OAuth 2.0 authorisation request parameters. If enabled authorisation requests with unsecured parameters will be rejected with an invalid_request error. The default value is false.

      See Financial-grade API - Part 2: Read and Write API Security Profile.
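
The request object rules above (the "request" / "request_uri" parameter restrictions from the General section, op.authz.requireRequestJWTExpiration and op.authz.requireAllParamsInRequestJWT) are illustrated by the following added example. It is not Connect2id server code and makes no claim about the server's internal implementation or exact error descriptions; it assumes an HS256 request object signed with a constructed shared secret (a stand-in for the client's registered JWS key), a caller-supplied request_uri resolver, and a constructed timestamp:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC secret for the example; a real deployment would verify the
# client's registered JWS key (RSA / EC) rather than a shared secret.
CLIENT_SECRET = b"example-client-secret-not-a-real-credential"


class AuthzError(Exception):
    """Authorisation error carrying an OAuth 2.0 error code and description."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed request object JWT (used here to construct test input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_request_object(jwt: str, key: bytes = CLIENT_SECRET) -> dict:
    """Check the JWS and return the claims; any defect maps to invalid_request_object."""
    try:
        header_b64, payload_b64, sig_b64 = jwt.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise AuthzError("invalid_request_object", "Malformed request object JWT")
    if header.get("alg") != "HS256":
        raise AuthzError("invalid_request_object", "Unsupported JWS algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise AuthzError("invalid_request_object", "Invalid JWS signature")
    return json.loads(b64url_decode(payload_b64))


def validate_authz_request(params: dict, *, require_request_jwt_expiration=False,
                           require_all_params_in_request_jwt=False,
                           request_uri_resolver=None, now=None) -> dict:
    """Apply the request object rules and return the effective authorisation parameters."""
    now = time.time() if now is None else now
    if "request" in params and "request_uri" in params:
        raise AuthzError("invalid_request", "request and request_uri are mutually exclusive")
    if "request" in params:
        jwt = params["request"]
        allowed_outside = {"request"}                 # inline: only "request" may be outside
    elif "request_uri" in params:
        jwt = request_uri_resolver(params["request_uri"]) if request_uri_resolver else None
        if jwt is None:
            raise AuthzError("invalid_request_uri", "Could not retrieve the request object")
        allowed_outside = {"request_uri", "client_id"}  # by reference: these two may be outside
    else:
        return dict(params)  # plain request, nothing to verify

    claims = verify_request_object(jwt)

    # op.authz.requireRequestJWTExpiration: an exp claim must be present (and not in the past)
    if "exp" not in claims:
        if require_request_jwt_expiration:
            raise AuthzError("invalid_request_object", "Request object JWT must have an exp claim")
    elif claims["exp"] <= now:
        raise AuthzError("invalid_request_object", "Request object JWT has expired")

    # op.authz.requireAllParamsInRequestJWT: any unsecured parameter outside the JWT is rejected
    if require_all_params_in_request_jwt:
        unsecured = sorted(set(params) - allowed_outside)
        if unsecured:
            raise AuthzError("invalid_request",
                             "Unsecured parameters outside the request object: " + ", ".join(unsecured))

    # A client_id outside the JWT must agree with the secured one
    if "client_id" in params and "client_id" in claims and claims["client_id"] != params["client_id"]:
        raise AuthzError("invalid_request", "client_id does not match the request object")

    # Secured parameters take precedence over query parameters of the same name
    effective = {k: v for k, v in params.items() if k not in ("request", "request_uri")}
    effective.update(claims)
    return effective
```

With both flags enabled the validator accepts an inline request carrying only "request", rejects the same JWT when a "scope" parameter is also sent in the query string, and rejects a JWT that has no "exp" claim; with the flags at their default (false) the unsecured "scope" and the missing "exp" are tolerated, which is the pre-FAPI behaviour.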

Web API

  • /token

    • Implements a security measure to revoke the received authorisation code (if valid and not expired) when client authentication at the token endpoint for an authorisation code grant fails.

  • /authz-sessions/rest/v3/

    • Adds support for handling JWT-secured OAuth 2.0 authorisation requests (draft-ietf-oauth-jwsreq-17).

    • Adds support for the new unmet_authentication_requirements OpenID Connect error code, intended to inform the Relying Party that the OpenID provider is unable to authenticate the end-user at the required Authentication Context Class Reference value when requested with an essential "acr" claim. The error code may also be used in other appropriate cases.

      See OpenID Connect Core Unmet Authentication Requirements 1.0.
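
The token endpoint measure listed above (revoking a valid, unexpired authorisation code when client authentication for the code grant fails) is shown in the following added example. It is not Connect2id server code; it assumes an in-memory code store, a constructed client registry with client_secret_post style credentials, and a constructed timestamp, and it models only the parts of the token endpoint needed to show why the revocation matters:

```python
import hmac
import secrets
import time

# Constructed client registry: client_id -> client_secret
CLIENTS = {"app-1": "app-1-secret-constructed"}


class AuthzCodeStore:
    """In-memory store of issued authorisation codes (a server would persist these)."""

    def __init__(self):
        self._codes = {}

    def issue(self, client_id: str, subject: str, lifetime: int = 300, now=None) -> str:
        code = secrets.token_urlsafe(24)
        expiry = (time.time() if now is None else now) + lifetime
        self._codes[code] = {"client_id": client_id, "sub": subject, "exp": expiry}
        return code

    def peek(self, code: str):
        return self._codes.get(code)

    def revoke(self, code: str) -> bool:
        return self._codes.pop(code, None) is not None

    def consume(self, code: str):
        """Single use: return the record and delete it, or None if unknown."""
        return self._codes.pop(code, None)


class TokenEndpoint:
    def __init__(self, store: AuthzCodeStore, clients=CLIENTS):
        self.store = store
        self.clients = clients
        self.revoked_on_auth_failure = []  # kept for observability (audit log / tests)

    def authenticate_client(self, client_id, client_secret) -> bool:
        expected = self.clients.get(client_id or "")
        return expected is not None and hmac.compare_digest(expected, client_secret or "")

    def handle(self, form: dict, now=None) -> tuple:
        """Process a token request (form parameters) and return (HTTP status, JSON body)."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        code = form.get("code", "")
        if not self.authenticate_client(form.get("client_id"), form.get("client_secret")):
            # 7.12 measure: a valid, unexpired code presented with failing client
            # credentials is revoked, so it cannot be redeemed in a later attempt.
            record = self.store.peek(code)
            if record is not None and record["exp"] > now:
                self.store.revoke(code)
                self.revoked_on_auth_failure.append(code)
            return 401, {"error": "invalid_client"}
        record = self.store.consume(code)  # one-time use regardless of outcome
        if record is None or record["exp"] <= now or record["client_id"] != form["client_id"]:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer", "expires_in": 600}
```

Without the revocation step, a code that was presented once with the wrong client secret would still be redeemable afterwards; with it, the first failed authentication burns the code and the later, correctly authenticated attempt gets invalid_grant, which is also the signal to watch for in token endpoint logs.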

Resolved issues

  • Fixes a bug in the session store which resulted in closing an active subject (end-user) session when a new session is created and the index for the subject is filled with stale (pending purge) entries up to the configured session quota (sessionStore.quotaPerSubject) (issue session store/77).

  • Trims duplicate text in the error_description of non-redirecting authorisation errors (issue server/449).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:6.13

  • Updates to com.nimbusds:oauth2-authz-store:11.6

  • Updates to com.nimbusds:oidc-session-store:11.0

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:4.1