Connect2id server 12.8

This is a mini plugin interface (SPI) and maintenance / security update of the Connect2id server for OpenID Connect identity provisioning and OAuth 2.0 authorisation.

  • The PAR validator SPI and the authorisation request validator SPI let plugins access the original raw requests, for purposes such as inspecting the presence of a signed request object (JAR).

    Example check for signed JAR presence:

    // Plugin code; assumes the validatorContext of the PAR or authorisation
    // request validator SPI (c2id-server-sdk 4.42+) and these imports:
    //   import com.nimbusds.jose.JWSAlgorithm;
    //   import com.nimbusds.oauth2.sdk.AuthorizationRequest;

    // The raw request is the one received at the endpoint, before any JAR
    // unwrapping, so the "request" / "request_uri" parameters are still visible
    boolean jarPresent = validatorContext.getRawRequest()
        .specifiesRequestObject();

    // The JWS algorithm the client registered for its request objects
    // (request_object_signing_alg); null if none is registered
    JWSAlgorithm jwsAlg = validatorContext.getOIDCClientInformation()
        .getMetadata()
        .getRequestObjectJWSAlg();

    // The SIGNATURE family covers RS*, PS*, ES*, EdDSA and HS*; "none" is not
    // in it, so an unsecured JWT registration does not count as signed
    if (jarPresent && jwsAlg != null && JWSAlgorithm.Family.SIGNATURE.contains(jwsAlg)) {
        // Detected signed request (per the client's registration; the alg in
        // the actual JWT header is checked when the server resolves the JAR)
    }
    
  • Minor vulnerability and bug fixes. Upgrading is generally recommended.

  • Selected library updates.

Detailed information is available in the release notes below.

Download 12.8

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.8: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 8fe22c0494af181be220ff73cc24d65e7b0fa4b5acd389efc9cf1f08b748aff6

Connect2id server 12.8 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: dd427ec8c873825537ab966e17e06e9be6a3f037d2e442965d418898cde503ed

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.8: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4587ec28a84b1ce0853430d594afe3d9911523127d2b1d8b077abebf73e12c52

Connect2id server 12.8 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 42582f3e352d2d5e726e976faadaffba33cd35d5058aed2fe8a59dad9736b65f

Questions?

Contact Connect2id support.


Release notes

12.8 (2022-03-12)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.42

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getRawRequest method returning the original raw OAuth 2.0 authorisation / OpenID authentication request, as received at the authorisation endpoint and prior to any JAR unwrapping / resolution if JWT-secured.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getRawRequest method returning the original raw OAuth 2.0 authorisation / OpenID authentication request, as received at the authorisation endpoint and prior to any JAR unwrapping / resolution if JWT-secured.

Resolved issues

  • Fixes a vulnerability in the Connect2id server banner (splash) page that allowed injection of HTML or JavaScript via an invalid "Issuer" HTTP header. No feasible exploits found, but upgrading is generally recommended. The banner page also receives a Content-Security-Policy to allow only local content (issue server/733).

  • Fixes a vulnerability at the token endpoint that allowed log injection of CR and LF characters via a client_id prior to client validation. In Connect2id server deployments with a plain text Log4j appender the vulnerability may be exploited to compromise the integrity of the log messages. The severity of the vulnerability is deemed low; upgrading is recommended (issue server/734).
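    The following Python example, added here and not part of the Connect2id server or its SDK, shows why an unvalidated client_id is a log integrity problem and what the pre-validation looks like. The log record format, the field names and the forged client_id value are constructed for the example; the Connect2id server's actual Log4j pattern is not reproduced. The check relies on RFC 6749 Appendix A.1, which defines client_id as a string of VSCHAR (%x20-7E), so CR and LF are a syntax error before they are ever logged.

```python
import re

# RFC 6749 Appendix A.1: client-id = *VSCHAR, VSCHAR = %x20-7E. Any control
# character, CR and LF included, therefore makes the value syntactically invalid.
_VSCHAR_ONLY = re.compile(r"[\x20-\x7e]*")

# Constructed attacker input: a client_id carrying CR LF followed by text shaped
# like a genuine record, so a plain-text appender writes a second, forged line.
FORGED_CLIENT_ID = (
    "evil-client\r\n"
    "2022-03-12 10:00:01 INFO  [TOKEN] client_id=admin-console outcome=SUCCESS"
)

# Constructed record prefix (timestamp, level, logger label).
LOG_PREFIX = "2022-03-12 10:00:00 INFO  [TOKEN] "

# Shape of a record as a human or a SIEM parser would recognise it.
_RECORD = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (INFO|WARN|ERROR) +\[[A-Z]+\] ")


def client_id_syntax_ok(client_id: str) -> bool:
    """Syntactic check to run before the value is logged or looked up."""
    return _VSCHAR_ONLY.fullmatch(client_id) is not None


def escape_for_log(value: str) -> str:
    """Defence in depth for values that get logged anyway: render every control
    character as a visible \\xNN escape so the record stays on one line."""
    return "".join(
        ch if 0x20 <= ord(ch) < 0x7f else "\\x%02x" % ord(ch) for ch in value
    )


def log_line_unsafe(client_id: str) -> str:
    """'Before' behaviour: the raw client_id is interpolated into the message
    ahead of any validation, so embedded line breaks survive into the log."""
    return LOG_PREFIX + "Token request rejected, client_id=" + client_id


def log_line_safe(client_id: str) -> str:
    """'After' behaviour: syntactically invalid client_ids are rejected up front
    and the offending value is escaped when it is recorded."""
    if not client_id_syntax_ok(client_id):
        return LOG_PREFIX + "Rejected client_id with invalid syntax, client_id=" + escape_for_log(client_id)
    return LOG_PREFIX + "Token request rejected, client_id=" + client_id


def records(log_text: str) -> list:
    """Split plain-text log output into records the way a reader would: every
    line that starts with a timestamp and a level counts as its own record."""
    return [ln for ln in log_text.splitlines() if _RECORD.match(ln)]


if __name__ == "__main__":
    for line in records(log_line_unsafe(FORGED_CLIENT_ID)):
        print("UNSAFE:", line)
    for line in records(log_line_safe(FORGED_CLIENT_ID)):
        print("SAFE:  ", line)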

  • Fixes the log label for the token introspection HTTP request logging and the OP6500 internal server error message (issue server/735).

  • The token and UserInfo endpoints must return an HTTP 400 Bad Request with an invalid_dpop_proof error when the received DPoP HTTP request header has a value that doesn't parse to a signed JWT. Previously the Connect2id server ignored the DPoP header when JWT parsing failed, and processed the request as if no DPoP binding had been requested (issue server/736).
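    To make the difference between the old and the fixed behaviour concrete, here is an added Python example (not Connect2id code) of the parse step a token endpoint performs on a DPoP header before any signature verification. The sample proof, its placeholder EC key coordinates and its all-zero signature are constructed for structure only; the header check follows the DPoP specification (typ "dpop+jwt", an asymmetric JWS alg, an embedded jwk), and the `token_endpoint_before` / `token_endpoint_after` functions are a simplified model of the endpoint's reaction, not its real issuance logic.

```python
import base64
import json

# Asymmetric JWS algorithms a DPoP proof may use; "none" and the HMAC
# algorithms are not acceptable.
DPOP_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
             "ES256", "ES384", "ES512", "EdDSA"}

INVALID_DPOP_PROOF = {"error": "invalid_dpop_proof"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Strict base64url decoding: rejects empty segments and stray characters."""
    if not segment:
        raise ValueError("empty JWS segment")
    pad = "=" * (-len(segment) % 4)
    return base64.b64decode(segment.replace("-", "+").replace("_", "/") + pad, validate=True)


def parse_dpop_proof(header_value: str) -> dict:
    """Parse a DPoP header value as a JWS compact serialisation and check its
    JOSE header. Raises ValueError on anything that is not a well-formed signed
    JWT. Signature verification and the htm/htu/iat/jti claim checks come after
    this step and are outside this example."""
    parts = header_value.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialisation")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"JWS segments do not decode: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("JOSE header and claims must be JSON objects")
    if header.get("typ") != "dpop+jwt":
        raise ValueError("typ must be dpop+jwt")
    if header.get("alg") not in DPOP_ALGS:
        raise ValueError("alg is not an asymmetric JWS algorithm")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "kty" not in jwk:
        raise ValueError("jwk header with the public key is required")
    return {"header": header, "claims": claims, "signature": signature}


def _dpop_header(headers: dict):
    # HTTP header names are case-insensitive.
    return next((v for k, v in headers.items() if k.lower() == "dpop"), None)


def token_endpoint_before(headers: dict) -> tuple:
    """Pre-12.8 behaviour: an unparseable DPoP header is silently dropped and
    the request continues as a plain Bearer request."""
    dpop = _dpop_header(headers)
    if dpop is not None:
        try:
            parse_dpop_proof(dpop)
        except ValueError:
            dpop = None
    return (200, {"token_type": "DPoP" if dpop else "Bearer"})


def token_endpoint_after(headers: dict) -> tuple:
    """12.8 behaviour: a present but unparseable DPoP header is a hard error."""
    dpop = _dpop_header(headers)
    if dpop is None:
        return (200, {"token_type": "Bearer"})
    try:
        parse_dpop_proof(dpop)
    except ValueError:
        return (400, INVALID_DPOP_PROOF)
    return (200, {"token_type": "DPoP"})


# Constructed sample proof: structurally valid, placeholder key and signature.
SAMPLE_PROOF = ".".join([
    _b64url(json.dumps({"typ": "dpop+jwt", "alg": "ES256",
                        "jwk": {"kty": "EC", "crv": "P-256",
                                "x": "placeholder-x", "y": "placeholder-y"}}).encode()),
    _b64url(json.dumps({"jti": "constructed-jti", "htm": "POST",
                        "htu": "https://op.example.com/token", "iat": 1647079200}).encode()),
    _b64url(b"\x00" * 64),
])

# Constructed unsecured JWT (alg none, empty signature): must not be accepted.
UNSIGNED_PROOF = ".".join([
    _b64url(json.dumps({"typ": "dpop+jwt", "alg": "none"}).encode()),
    _b64url(json.dumps({"htm": "POST"}).encode()),
    "",
])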

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.42

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.28

  • Updates to com.nimbusds:nimbus-jose-jwt:9.21

  • Updates to com.nimbusds:common:2.48

  • Updates to org.cryptomator:siv-mode:1.4.4

  • Updates to net.minidev:json-smart:2.4.8