Connect2id server 13.2 adds a signed JWKs endpoint for use in OpenID federations
This release of the Connect2id server builds upon the OpenID Connect Federation 1.0 upgrade that arrived in 13.1 by adding a new signed JWKs endpoint. The signature establishes a digital proof that a server owns its OpenID provider keys, a proof that is then linked to the server's trust chain in a federation.
The signed OpenID provider JWKs endpoint does not play an actual part in the trust resolution protocol defined in OpenID Connect Federation 1.0. The terms and policies that govern a particular federation may however require it, for non-repudiation and legal purposes. The Italian eID federation requires members to sign their public OpenID provider keys so that end-user authentication events (represented by issued ID tokens) can be linked to the trust chain in a verifiable manner. The Italian federation operator also has a policy to keep a historical archive of the keys of all members, in case disputes over past transactions arise.
Example request to retrieve the server's OpenID provider keys in a signed form:
GET /jwks.jwt HTTP/1.1
The response will be a signed JWT, carrying a keys claim that is a standard
HTTP/1.1 200 OK
Note that the new signed JWK set endpoint will normally return an HTTP Not Found status code, unless OpenID Connect federation is
This release also fixes two major bugs introduced in Connect2id server 13.0. Upgrading to 13.2 is strongly recommended if you are currently using an affected 13.0 or 13.1 deployment.
There is more information in the release notes below.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 13.2 WAR package: c2id.war
GPG signature: c2id.war.asc
Multi-tenant Connect2id server edition
Apache Tomcat package with Connect2id server 13.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 13.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Upgrades OpenID Connect Federation 1.0 draft 25 support to publish a signed JWK set at the URL advertised in the signed_jwks_uri OpenID provider metadata found in the entity configuration.
Fixes two bugs affecting deployments of Connect2id server v13.0 and v13.1 with an SQL database. Updating is strongly recommended (see issue server/816 for details).
- signed_jwks_uri -- New optional metadata field specifying an endpoint where the OpenID provider JWK set is published as a signed JWT. Available when OpenID Connect Federation 1.0 is enabled, else omitted.
- /jwks.jwt -- New endpoint publishing the OpenID provider JWK set as a signed JWT when OpenID Connect Federation 1.0 is enabled. The JWT is signed with the RS256 algorithm using the first RSA key in the configured Connect2id server federation entity JWK set. The JWT typ (type) header is set to jwk-set+jwt. The JWT contains the iat (issued-at time) and keys (JWK set keys) claims, as specified in OpenID Connect Federation 1.0, section 4.1.
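The signed JWK set described in this item, worked through end to end as an added example (this is not Connect2id code): the issuing side produces the JWT with RS256 under the federation entity key, sets typ to jwk-set+jwt and carries iat plus keys; the relying side pins alg and typ, verifies the signature under the entity key, checks iat against a freshness window, and only then hands back the keys. The RSA keys, the kid value "op-key-1", the 24-hour window and the one-minute clock skew allowance are constructed for the example. Which entity key to trust comes out of trust chain resolution, which this snippet assumes has already happened and does not perform.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims of the signed JWK set as the release notes describe them: iat and keys.
type jwkSetClaims struct {
	Iat  int64             `json:"iat"`
	Keys []json.RawMessage `json:"keys"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeJSON base64url-decodes one compact JWS segment and unmarshals it into v.
func decodeJSON(segment string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// rsaPublicJWK renders an RSA public key as a minimal public JWK (kty, kid, n, e).
func rsaPublicJWK(pub *rsa.PublicKey, kid string) json.RawMessage {
	e := big.NewInt(int64(pub.E)).Bytes()
	raw, _ := json.Marshal(map[string]string{"kty": "RSA", "kid": kid, "n": b64(pub.N.Bytes()), "e": b64(e)})
	return raw
}

// SignJWKSet is the OP side: RS256 over header.payload with the federation entity
// key, typ "jwk-set+jwt", and the OP's public keys carried in the keys claim.
func SignJWKSet(entityKey *rsa.PrivateKey, opKeys []json.RawMessage, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "jwk-set+jwt"})
	body, _ := json.Marshal(jwkSetClaims{Iat: iat.Unix(), Keys: opKeys})
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, entityKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyJWKSet is the relying side: pin alg and typ, verify under the entity key
// from the resolved trust chain, check iat, and only then return the keys.
func VerifyJWKSet(token string, entityPub *rsa.PublicKey, now time.Time, maxAge time.Duration) ([]json.RawMessage, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr map[string]string
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr["alg"] != "RS256" || hdr["typ"] != "jwk-set+jwt" {
		return nil, fmt.Errorf("unexpected alg %q / typ %q", hdr["alg"], hdr["typ"])
	}
	// A malformed signature segment decodes to garbage and fails verification below.
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(entityPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under the entity key")
	}
	// The payload is parsed only after the signature holds.
	var claims jwkSetClaims
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	if iat := time.Unix(claims.Iat, 0); iat.After(now.Add(time.Minute)) || now.Sub(iat) > maxAge {
		return nil, fmt.Errorf("iat %d outside the accepted freshness window", claims.Iat)
	}
	return claims.Keys, nil
}

// newDemoKey generates a throwaway RSA key pair (constructed example material).
func newDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	entityKey, opKey := newDemoKey(), newDemoKey()
	token, _ := SignJWKSet(entityKey, []json.RawMessage{rsaPublicJWK(&opKey.PublicKey, "op-key-1")}, time.Now())
	keys, err := VerifyJWKSet(token, &entityKey.PublicKey, time.Now(), 24*time.Hour)
	fmt.Println("OP keys recovered:", len(keys), "error:", err)
}
```

The relying side never lets the token pick the algorithm: RS256 is pinned and the typ header is required to be jwk-set+jwt, so a generic JWT signed under the same key cannot be passed off as the key set. Signature verification runs over the raw header and payload segments before the payload is decoded, and the freshness window gives a federation operator a place to enforce how long a published set may be relied upon.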
- Fixes a bug introduced in Connect2id server 13.0, multi-tenant edition, affecting deployments with MySQL, PostgreSQL and MS SQL Server that may cause false HTTP 404 (invalid authorisation session ID) responses from the authorisation session web API. Connect2id server 13.0 and 13.1 multi-tenant deployments are strongly advised to update (issue server/816).
- Fixes a bug introduced in Connect2id server 13.0 affecting deployments with MySQL, PostgreSQL and MS SQL Server that causes incorrect PAR URI rejections at the authorisation endpoint. Connect2id server 13.0 and 13.1 deployments are strongly advised to update (issue server/818).
- Fixes a non-critical NPE when writing HTTP 404 responses at the .well-known/openid-federation endpoint when OpenID Connect Federation 1.0 is disabled (issue server/817).
- Optimises OpenID Connect Federation 1.0 related logging (issue server/815).
- The PARValidator SPI must be invoked with an AuthenticationRequest if the validated authorisation request has the "openid" scope value (issue server/819).
- Upgrades to com.nimbusds:oauth2-oidc-sdk:10.5