Connect2id server 12.10

This release of the Connect2id server introduces support for OpenID authentication requests with prompt=create, implements explicitly typed logout tokens and updates the AWS region selection in the DynamoDB connector.

Applications requesting a sign-up screen with prompt=create

The OpenID Connect working group adopted a new spec that defines a new value for the prompt parameter, called create, which lets a relying party request that the OpenID provider present the end-user with a sign-up screen as part of the authentication flow.

https://server.example.com/authorize?
 response_type=code
 &scope=openid
 &client_id=123
 &state=af0ifjsldkj
 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
 &prompt=create

Requests with a prompt=create parameter will cause the Connect2id server to send the login handler an auth prompt message (even if the user is currently authenticated and has a valid session), with the create_account field set to true. This flag can be taken as a signal to present the user with a sign-up screen.

If the OpenID provider has no requirement or wish to honour prompt=create requests the login handler can safely ignore the create_account flag and render the usual user authentication screen.

After the user is successfully registered the flow should proceed as usual.

Support for the create prompt value is advertised in the OpenID provider metadata, under prompt_values_supported. This metadata field lists the other standard prompt values defined in OpenID Connect Core and already supported by the Connect2id server: none, login, consent and select_account.

Example:

{
  "issuer"                  : "https://c2id.com",
  "prompt_values_supported" : [ "none", "login", "consent", "create" ],
  ...
}

You can find more information about prompt=create in the spec and the release notes below.
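The following is an added example, not Connect2id code, that models the prompt handling described above and in the release notes: the OP-side validation of the prompt parameter (unknown values, and "create" combined with other values, are rejected), the simplified "auth" prompt message with its create_account flag, and the login handler's screen choice. Only the "type" and "create_account" members of the message come from the page; the other message shapes and the error objects are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Prompt values this release advertises under prompt_values_supported.
PROMPT_VALUES_SUPPORTED = frozenset({"none", "login", "consent", "select_account", "create"})
# Values that always force an "auth" prompt message, even with a valid session
# (create and select_account per the release notes; login per OpenID Connect Core).
FORCE_AUTH_PROMPT = frozenset({"create", "select_account", "login"})


def _error(description):
    # Assumed shape: the OAuth 2.0 error object the OP sends back to the redirect_uri.
    return None, {"error": "invalid_request", "error_description": description}


def validate_prompt(authz_url):
    """Parse the prompt parameter of an OpenID authentication request URL.

    Returns (prompt_values, None) on success, or (None, oauth_error) when the OP
    must reject the request: a repeated parameter, an unsupported value, or
    "create" (likewise "none") combined with other prompt values.
    """
    raw = parse_qs(urlsplit(authz_url).query).get("prompt", [])
    if not raw:
        return set(), None
    if len(raw) > 1:
        return _error("prompt parameter must not be repeated")
    values = set(raw[0].split())  # prompt is a space-delimited list of values
    unsupported = sorted(values - PROMPT_VALUES_SUPPORTED)
    if unsupported:
        return _error("unsupported prompt value(s): " + " ".join(unsupported))
    for exclusive in ("create", "none"):
        if exclusive in values and len(values) > 1:
            return _error(f"prompt={exclusive} must not be combined with other values")
    return values, None


def auth_prompt_message(prompt_values, session_valid):
    """Simplified model of the authorisation session API: the "auth" message the
    login handler receives, or None when a valid session lets the flow skip it."""
    if "none" in prompt_values and not session_valid:
        return {"error": "login_required"}  # standard OpenID Connect error code
    if session_valid and not (prompt_values & FORCE_AUTH_PROMPT):
        return None
    return {"type": "auth", "create_account": "create" in prompt_values}


def screen_for(auth_message, offers_signup=True):
    """Login handler side: render the sign-up screen for create_account=true, or
    ignore the flag, as the page allows, when the OP offers no self-registration."""
    if offers_signup and auth_message.get("create_account"):
        return "signup"
    return "login"
```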

Explicitly typed logout tokens

As you learned in the announcement of the last Connect2id server release, the explicit typing of JWTs is good for security and the OpenID Connect working group recently took the step to update the back-channel logout spec to define an optional logout+jwt type header for the logout tokens.

Starting with this release the Connect2id server will type all issued logout tokens with the logout+jwt header, unless it's configured to disable their typing for legacy reasons.

op.logout.backChannel.jwtTypeExplicit=true

If you have OpenID relying parties that use our Java SDK to deal with back-channel logout notification tokens check out the updated examples.
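Added example, not code from the Connect2id Java SDK: the checks a relying party applies to a received back-channel logout token, with the explicit typ=logout+jwt check first, so an ID token or other JWT posted to the logout endpoint is rejected without examining its claims. Signature verification against the OP's JWK set is assumed to be done separately by the caller's JOSE library; the sample token builder uses a placeholder signature segment.

```python
import base64
import json

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding stripped) into a JSON object."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_logout_token(token, issuer, client_id, require_explicit_type=True):
    """Header and claims checks for a back-channel logout token. Returns (ok, reason).
    Assumption: the JWS signature is verified by the caller's JOSE library."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a JWS compact serialization"
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    # RFC 7515 treats typ case-insensitively; RFC 8725 allows the application/ prefix.
    typ = str(header.get("typ", "")).lower()
    if typ.startswith("application/"):
        typ = typ[len("application/"):]
    if require_explicit_type and typ != "logout+jwt":
        return False, f"unexpected typ header {header.get('typ')!r}"
    if header.get("alg", "none") == "none":
        return False, "unsecured JWT not accepted"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    for name in ("iat", "jti"):
        if name not in claims:
            return False, f"missing {name} claim"
    if "sub" not in claims and "sid" not in claims:
        return False, "neither sub nor sid present"
    if "nonce" in claims:
        return False, "nonce present: this is an ID token, not a logout token"
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        return False, "backchannel-logout event missing"
    return True, "ok"


def sample_token(header, claims):
    """Constructed sample: compact JWS with a placeholder signature segment."""
    return f"{_b64url(header)}.{_b64url(claims)}.placeholder-signature"
```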

AWS region configuration for DynamoDB

The DynamoDB connector received an update to enable deployments to fall back to the default AWS region provider chain. This can be useful in deployments based on AWS EKS, where the AWS access credential is a web token obtained from a regional AWS STS endpoint.

If you are using DynamoDB and don't have any issues with the region selection, you can update to this Connect2id server release, keeping your existing configuration just as it is.

To take advantage of the default AWS region provider chain check out the DynamoDB connector configuration docs and the release notes.

Download 12.10

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.10: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 97d8f6cc1bcb0e237b6e4936f49457142fb9496ddd81a260872992e90133fb9a

Connect2id server 12.10 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: fdc9e2a02d0bc7f3360362bc16625223e1c27fbdcdbeccc75c7945c4bdf6b095

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.10: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 756301ca6269599d2f89e6ff72d7dead39360d36e7c38f4d0d3db453c207c600

Connect2id server 12.10 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 4a6a12104a5b55ccb9f47129ab57dd581629ef33a842849f7b1a3395f8c7fdf8

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.10 (2022-05-03)

Summary

  • Support for OpenID authentication requests with prompt=create to enable relying parties to instruct the OpenID provider to present the user with a sign-up screen. After the user is successfully registered the flow proceeds as usual. Support for the "create" prompt value is advertised in a new "prompt_values_supported" OpenID provider metadata field. Login handlers integrating with the authorisation session API will receive indication of a prompt=create in a new "create_account" {true|false} parameter of the "auth" message. If the OpenID provider has no requirement or wish to honour prompt=create the login handler can safely ignore the "create_account" flag and render the usual user authentication screen. OpenID prompt=create requests will always trigger an "auth" prompt message in the authorisation session API, similarly to OpenID prompt=select_account requests.

    The Connect2id server will reject OpenID authentication requests with a prompt parameter that combines "create" with other values, in accordance with the specification recommendation.

    This new prompt "create" value is specified in Initiating User Registration via OpenID Connect - draft 04, see https://openid.net/specs/openid-connect-prompt-create-1_0.html

  • Support for minting back-channel logout notification tokens with explicit JWT typing. This is a simple measure that lets relying parties prevent mix-ups of logout token JWTs with other types of JWT without having to examine the JWT claims structure. Enabled by default.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.logout.backChannel.jwtTypeExplicit -- New configuration property to enable / disable explicit typing of the issued back-channel logout tokens by setting the JWT type ("typ") header to "logout+jwt". Explicit logout token typing is a new recommendation in OpenID Connect Back-Channel Logout 1.0 - draft 07, section 4.1. This is a simple measure to prevent mix-up of logout token JWTs with other types of JWT without having to examine the JWT claims structure. Enabled by default.

      See https://openid.net/specs/openid-connect-backchannel-1_0.html

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Removes the default "dynamodb.region" setting of "us-east-1". The purpose of this change is to enable DynamoDB configurations where the AWS region is determined by the default AWS region provider chain, for example by setting the "AWS_REGION" environment variable. The DynamoDB store XML schema is updated to v1.19. See https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html

Web API

  • /.well-known/openid-configuration

    • prompt_values_supported -- New metadata field defined in Initiating User Registration via OpenID Connect - draft 04. Lists the supported prompt values in OpenID authentication requests. The Connect2id server supports the following prompt values: none, login, consent, select_account and create.

  • /authz-sessions/rest/v3/

    • The authentication prompt (message with type "auth") receives a new "create_account" member of type boolean to indicate an OpenID authentication request with a prompt=create parameter.

Resolved issues

  • Sourcing of "access_token:*" claims must call the AdvancedClaimsSource SPI instead of the basic ClaimsSource SPI in order to pass optional "claims_data" (issue server/753, authz-store/191).

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.43

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.35

  • Updates to com.nimbusds:nimbus-jose-jwt:9.22

  • Upgrades to com.nimbusds:oauth2-authz-store:17.9

  • Updates to com.nimbusds:oidc-claims-source-ldap:1.6.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2

  • Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.201

  • Updates to com.nimbusds:c2id-server-property-source:1.0.4

  • Updates to org.postgresql:postgresql:42.3.4

  • Updates to org.slf4j:slf4j-api:1.7.36

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.7

  • Updates to com.nimbusds:token-event-publisher-aws-sqs:1.1.3

  • Adds dependency to com.amazonaws:aws-java-sdk-sts:1.12.201