Connect2id server 11.2
New SPI for custom validation of authorisation requests
This update of the Connect2id server introduces a new
plugin interface (SPI) for carrying out additional validation of authorisation
requests, after all
standard checks, such as the
client_id and the client being registered for
response_type, have passed. The SPI can also be used to modify parameters
of the received request, before passing it on for further processing.
The SPI can be used to enforce compliance with some OAuth 2.0 security profile and mimics the PAR validator SPI that appeared in Connect2id server 8.0. The PAR validator was also updated to enable optional modification of the requests.
The new authorisation request validator SPI is documented here.
Note, the existing web based API for plugging in the user auth, consent and UI is equally capable of carrying out any additional validation and shaping of the authorisation requests. The new SPI is provided for convenience and enables easy sharing of code with the PAR validator.
Upgraded JWT assertion grant handler
The shipped JWT assertion OAuth 2.0 grant handler was upgraded with a new setting for setting access token data from selected client metadata parameters.
For more information and a list of fixed issues check the release notes below.
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 11.2: Connect2id-server.zip
Connect2id server 11.2 WAR package: c2id.war
Apache Tomcat package with Connect2id server 11.2: Connect2id-server-mt.zip
Connect2id server 11.2 WAR package: c2id-multi-tenant.war
Contact Connect2id support.
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.30
New SPI for performing additional custom validation as well as modification of received OAuth 2.0 authorisation / OpenID authentication requests. The validator has access to the registered client information for the client_id in the authorisation request. If the validator rejects the request it can set a standard or custom error code and also optionally disable redirection back to the client redirect_uri.
The loading of an AuthorizationRequestValidator SPI implementation is logged at INFO level under OP2113. The cause for rejection of a request is also logged at INFO level, under OP2114.
Note, to perform additional custom validation of pushed authorisation requests use the PARValidator SPI.
See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/ com/nimbusds/openid/connect/provider/spi/authz/ AuthorizationRequestValidator.html
Adds new PARValidator.validatePushedAuthorizationRequest method that also enables optional modification of received Pushed Authorisation Request (PAR). This method has a default implementation that calls the existing validate only method. Existing plugins need not be updated.
See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/ com/nimbusds/openid/connect/provider/spi/par/PARValidator.html
Upgrades the included OAuth 2.0 self-issued JWT bearer grant handler plugin, see https://bitbucket.org/connect2id/self-issued-jwt-bearer-grant-handler .
New op.grantHandler.selfIssuedJWTBearer.accessToken.includeClientMetadataFields configuration property to specify names of client metadata fields to include in the optional access token
datafield, empty set if none. To specify a member within a field that is a JSON object member use dot (
The op.grantHandler.selfIssuedJWTBearer.enable configuration property receives a default value
Lets op.grantHandler.selfIssuedJWTBearer.accessToken.audienceList also apply to identifier-based access tokens.
Makes the /WEB-INF/selfIssuedJWTBearerHandler.properties configuration file optional.
Adjusts DynamoDB item output of the "clm" and "cls" attributes to the long_lived_authorizations table to prevent false HMAC check errors when a dynamodb.hmacSHA256Key is configured (issue authz-store/179).
Updates revocation_journal DynamoDB parsing to include the illegal string on a parse exception (issue authz-store/180).
Updates OP2209 logging to include the JSON string in the exception message when ID token minting fails due to an "aud" (audience) parse error (issue server/644).
Authorisation and token requests with a parameter included more than once, save for "resource", must result in a invalid_request error (issue oidc-sdk/345).
Fixes new RSASSASigner(RSAKey) conversion to PrivateKey with a Hardware Security Module (HSM) (issue nimbus-jose-jwt/404).
Updates JSON parsing in the OAuth 2.0 SDK to catch non-documented and unexpected exceptions (issue oauth-oidc-sdk/347).
Allows OAuth 2.0 client metadata "software_version" of type JSON number and converts it to a JSON string in new and updated client registrations. This is done to accommodate non RFC 7591 compliant dynamic client registrations in the UK Open Banking profile (issue oauth-oidc-sdk/348).
Upgrades to com.nimbusds:c2id-server-sdk:4.30
Updates to com.nimbusds:oauth2-authz-store:16.5.2
Updates to com.nimbusds:oauth2-oidc-sdk:9.2.2
Updates to com.nimbusds:nimbus-jose-jwt:9.6.1
Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1