Connect2id server 13.2 adds a signed JWKs endpoint for use in OpenID federations

This release of the Connect2id server builds upon the OpenID Connect Federation 1.0 upgrade that arrived in 13.1 by adding a new signed JWKs endpoint. The signature is digital proof that a server owns its OpenID provider keys, and that proof is then linked to the server's trust chain in a federation.

The signed OpenID provider JWKs endpoint does not play an actual part in the trust resolution protocol defined in OpenID Connect Federation 1.0. The terms and policies that govern a particular federation may however require it, for non-repudiation and legal purposes. The Italian eID federation requires members to sign their public OpenID provider keys so that end-user authentication events (represented by issued ID tokens) can be linked to the trust chain in a verifiable manner. The Italian federation operator also has a policy to keep a historical archive of the keys of all members, in case disputes over past transactions arise.

Example request to retrieve the server's OpenID provider keys in a signed form:

GET /jwks.jwt HTTP/1.1
Host: demo.c2id.com

The response will be a signed JWT, carrying a keys claim that is a standard JWK set:

HTTP/1.1 200 OK
Content-Type: application/jwk-set+jwt

eyJraWQiOiJleFI1IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJodHRwczpcL1wvZmFwaS5jMmlkLmNv
bSIsIm1ldGFkYXRhIjp7Im9wZW5pZF9wcm92aWRlciI6eyJyZXF1ZXN0X3BhcmFtZXRlcl9zdXBwb3J
ZW5kcG9pbnQiOiJodHRwczpcL1wvZmFwaS5jMmlkLmNvbVwvdG9rZW5cL2ludHJvc3BlY3QiLCJj...

Note that the new signed JWK set endpoint will normally return an HTTP 404 Not Found status code, unless OpenID Connect federation is enabled.

This release also fixes two major bugs introduced in Connect2id server 13.0. Upgrading to 13.2 is strongly recommended if you are currently using an affected 13.0 or 13.1 deployment.

There is more information in the release notes below.

Download 13.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5676fd128a46fbdc113b4b6ffc930ddb636217a715e599356279ffa0f1171b64

Connect2id server 13.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ed815c1404898266ea35b277551addc7e2ca9f44b1036a34e7f30bb8a3ab62f3

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1fc4ac435cbfc1baa8d34a644b0a0720ffc36ba87aca47ed23f3e74151a76008

Connect2id server 13.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 616c1dd0d92bd44d834d334f4fc6bad692c73cd7502ee0b90e5ffab5d9e776d8

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.2 (2023-01-12)

Summary

  • Upgrades OpenID Connect Federation 1.0 draft 25 support to publish a signed JWK set at the URL advertised in the signed_jwks_uri OpenID provider metadata found in the entity configuration.

  • Fixes two bugs affecting deployments of Connect2id server v13.0 and v13.1 with an SQL database. Updating is strongly recommended (see issue server/816 for details).

Web API

  • /.well-known/openid-configuration

    • signed_jwks_uri -- New optional metadata field specifying an endpoint where the OpenID provider JWK set is published as a signed JWT. Available when OpenID Connect Federation 1.0 is enabled, otherwise omitted.
  • /jwks.jwt -- New endpoint publishing the OpenID provider JWK set as a signed JWT when OpenID Connect Federation 1.0 is enabled. The JWT is signed with the RS256 algorithm using the first RSA key in the configured Connect2id server federation entity JWK set. The JWT typ (type) header is set to jwk-set+jwt. The JWT contains the iss (issuer), sub (subject), iat (issued-at time) and keys (JWK set keys) claims, as specified in OpenID Connect Federation 1.0, section 4.1.
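To show what the new /jwks.jwt endpoint involves on both sides, here is an added Go example (not Connect2id server code, which is Java): it builds a signed JWK set JWT with the header and claims listed above, and verifies it the way a federation member should, with the OP's trusted federation entity key, pinning alg RS256 and typ jwk-set+jwt, and requiring iss and sub to equal the OP's entity identifier. The entity key, key IDs, OP keys and entity identifier are all constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding
// NewEntityKey makes a throwaway RSA key standing in for the configured federation entity key (demo only).
func NewEntityKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// SignJWKSet builds the compact JWS served at /jwks.jwt: RS256 by the entity key over {iss, sub, iat, keys}, typ "jwk-set+jwt".
func SignJWKSet(entityKey *rsa.PrivateKey, kid, entityID string, opKeys []map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "jwk-set+jwt", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": entityID, "sub": entityID, "iat": time.Now().Unix(), "keys": opKeys})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, entityKey, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyJWKSet is the relying side: pin alg and typ, verify with the trusted entity key (never one carried in the
// token), require iss and sub to name the expected entity and iat to be present and not in the future.
func VerifyJWKSet(token string, entityPub *rsa.PublicKey, entityID string) ([]map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("not a compact JWS") }
	var hdr struct{ Alg, Typ string } // encoding/json matches "alg"/"typ" case-insensitively
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" || hdr.Typ != "jwk-set+jwt" {
		return nil, errors.New("malformed header or unexpected alg/typ")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(entityPub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify with the entity key")
	}
	var c struct{ Iss, Sub string; Iat int64; Keys []map[string]any }
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawBody, &c) != nil || c.Iss != entityID || c.Sub != entityID ||
		c.Iat <= 0 || c.Iat > time.Now().Unix()+60 {
		return nil, errors.New("claims malformed, iss/sub mismatch or iat unacceptable")
	}
	return c.Keys, nil
}
```

In a real federation the verifying key is the one resolved through the OP's trust chain, which is why VerifyJWKSet takes it as a parameter rather than reading a key from the token.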

Resolved issues

  • Fixes a bug introduced in Connect2id server 13.0, multi-tenant edition, affecting deployments with MySQL, PostgreSQL and MS SQL Server that may cause false HTTP 404 (invalid authorisation session ID) responses from the authorisation session web API. Updating is strongly recommended for Connect2id server 13.0 and 13.1 multi-tenant deployments (issue server/816).

  • Fixes a bug introduced in Connect2id server 13.0 affecting deployments with MySQL, PostgreSQL and MS SQL Server that causes incorrect PAR URI rejections at the authorisation endpoint. Updating is strongly recommended for Connect2id server 13.0 and 13.1 deployments (issue server/818).

  • Fixes a non-critical NPE (NullPointerException) when writing HTTP 404 responses at the .well-known/openid-federation endpoint when OpenID Connect Federation 1.0 is disabled (issue server/817).

  • Optimises OpenID Connect Federation 1.0 related logging (issue server/815).

  • The PARValidator SPI must be invoked with an AuthenticationRequest if the validated authorisation request has the "openid" scope value (issue server/819).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.5