Connect2id server 14.4 introduces Rich Authorisation Request (RAR) type checking


This Connect2id server release is another step towards a complete built-in support for OAuth 2.0 Rich Authorisation Requests (RFC 9396).

Identity providers and OAuth 2.0 servers that implement this recent OAuth 2.0 extension can now use the op.rar.supportedTypes configuration property to list the supported RAR types. In RAR the JSON objects that express the authorization_details have an explicit "type" to aid their parsing and validation.

Example configuration listing two supported RAR object types:

op.rar.supportedTypes=account_information,payment_initiation

The supported types will then be published in the OpenID provider metadata where clients and developers can discover them.

Example server metadata snippet:

{
  "issuer"                                : "https://c2id.com",
  "jwks_uri"                              : "https://c2id.com/jwks.json",
  ...
  "authorization_details_types_supported" : [ "account_information",
                                              "payment_initiation" ],
  ...
}

When RAR types are configured the Connect2id server will not only include them in the published server metadata, but will also use them to check the authorization_details parameter in received authorisation and token requests. If every type is supported the request can proceed; if not, the server returns an invalid_authorization_details error to the client. Previously this check had to be done by creating dedicated PAR validator and / or authorisation request validator plugins.

Within the authorisation session web API the authorization_details parameter can now be accessed by handler logic in the session object under auth_req.authorization_details.
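The check described above, written out as an added Python example that is not Connect2id server code: it parses the op.rar.supportedTypes property into a set of types, derives the authorization_details_types_supported metadata field from it (omitted when nothing is configured, matching the default of no check), and validates a received authorization_details parameter the way the text describes, answering an unsupported or missing "type" with an invalid_authorization_details error. The function names, the error_description texts and the sample property file and requests are this example's own constructions.

```python
import json
from typing import Optional

# Constructed sample of the property line quoted in the announcement; a real
# deployment reads it from /WEB-INF/oidcProvider.properties.
SAMPLE_PROPERTIES = """
op.issuer=https://c2id.com
op.rar.supportedTypes=account_information,payment_initiation
"""


def parse_supported_rar_types(properties_text: str) -> Optional[frozenset]:
    """Return the configured RAR types, or None when the property is absent
    or empty (the documented default: no check is performed)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("op.rar.supportedTypes="):
            value = line.split("=", 1)[1]
            types = frozenset(t.strip() for t in value.split(",") if t.strip())
            return types or None
    return None


def provider_metadata(issuer: str, supported: Optional[frozenset]) -> dict:
    """Build the relevant part of the OpenID provider metadata; the
    authorization_details_types_supported field is omitted when no types
    are configured."""
    metadata = {"issuer": issuer, "jwks_uri": issuer.rstrip("/") + "/jwks.json"}
    if supported:
        metadata["authorization_details_types_supported"] = sorted(supported)
    return metadata


def _error(description: str) -> dict:
    # invalid_authorization_details is the error code named on the page;
    # the description wording is this example's own.
    return {"error": "invalid_authorization_details", "error_description": description}


def check_authorization_details(raw: Optional[str], supported: Optional[frozenset]) -> Optional[dict]:
    """Validate the decoded authorization_details request parameter.

    Returns None when the request may proceed (parameter absent, or no types
    configured, or every object carries a supported type); otherwise returns
    the OAuth 2.0 error object to send back to the client.
    """
    if raw is None or supported is None:
        return None
    try:
        details = json.loads(raw)
    except ValueError:
        return _error("authorization_details is not valid JSON")
    if not isinstance(details, list):
        return _error("authorization_details must be a JSON array of objects")
    for index, obj in enumerate(details):
        if not isinstance(obj, dict):
            return _error(f"authorization_details[{index}] is not a JSON object")
        rar_type = obj.get("type")
        if not isinstance(rar_type, str) or not rar_type:
            return _error(f'authorization_details[{index}] lacks a string "type"')
        if rar_type not in supported:
            return _error(f"unsupported authorization_details type: {rar_type}")
    return None


if __name__ == "__main__":
    supported_types = parse_supported_rar_types(SAMPLE_PROPERTIES)
    print(json.dumps(provider_metadata("https://c2id.com", supported_types), indent=2))

    # Constructed request parameter values, already URL-decoded.
    accepted = '[{"type": "account_information", "actions": ["list_accounts"]}]'
    rejected = '[{"type": "account_information"}, {"type": "file_storage"}]'
    print(check_authorization_details(accepted, supported_types))   # None: proceed
    print(check_authorization_details(rejected, supported_types))   # error object
```

The same check applies to both the authorisation request and the token request, as the text notes; the error object is what the token endpoint would return as a JSON body, while the authorisation endpoint would carry the same error and error_description back in the redirect.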

H2 database upgrade

This release also changes the version number of the embedded H2 database, from v2.1.x to v2.2.x. Connect2id server deployments that use this database must migrate any records they wish to retain, because the newer version uses an updated DB file format.

You can find more information about this new release in the notes below.

Download 14.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.4: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 9958cc9a99096f671a5b202d7ba2bc75e0491a5337c1c2051eaffeb7b5549d8d

Connect2id server 14.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e497e17a1c52d5b26d4e90bb80bf0cf04d928ce0b3ed2638c1a203400a976d9a

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.4: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 5bd816bf6c8787011cad227665817a88fa023cb1ca701beef7bd739a11bb4f62

Connect2id server 14.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 35890ad0202c329f9521c8a4db0f49e9f36a9981b9a1bab7f7ee7599a1547065

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.4 (2023-08-11)

Summary

  • Connect2id server deployments that implement OAuth 2.0 Rich Authorisation Requests (RAR) (RFC 9396) can use a new "op.rar.supportedTypes" configuration property to let the server check the types of "authorization_details" in received requests and reject requests with unsupported RAR types. The supported types will also be advertised in the "authorization_details_types_supported" OpenID provider metadata field.

  • Connect2id server deployments with an embedded H2 database are upgraded from 2.1.x to the latest stable 2.2.x release. Database files created in the older H2 version are not compatible. Existing records (where they must be retained) must be migrated.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.rar.supportedTypes -- New optional configuration property to list the supported OAuth 2.0 Rich Authorisation Request (RAR) (RFC 9396) types. When specified the "authorization_details" in OAuth 2.0 authorisation / OpenID authentication requests and token requests will be checked and those with an unsupported type will be rejected with an "invalid_authorization_details" error. The types will also be advertised in the "authorization_details_types_supported" OpenID provider metadata field. The default value is none (no check).

Web API

  • /.well-known/openid-configuration

    • authorization_details_types_supported -- New optional metadata field listing the supported OAuth 2.0 Rich Authorisation Request (RAR) (RFC 9396) types. Omitted if not specified.

  • /authz-sessions/rest/v3/

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.authorization_details" member to represent the Rich Authorisation Request (RAR) (RFC 9396) parameter in OAuth 2.0 authorisation requests and OpenID authentication requests.

Resolved issues

  • The UserInfo endpoint must not request claims from the sourcing SPI that are pre-set (e.g. supplied via "preset_claims.userinfo" in the authorisation session API) (issue server/885).

  • Updates JWT minting to support the inclusion of null-valued top-level claims, which can legitimately occur in data returned from the claims source SPI. The claims set in plain (unsecured) UserInfo responses and JWT-secured UserInfo responses will thus be identical in cases where claims with null values are included; previously such claims were omitted from the JWT (issue server/906).

  • The "authorization_details" parameter must be obtainable in the AuthorizationRequestValidator and PARValidator SPIs (issue server/907).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.5.3

  • Updates to com.nimbusds:oidc-session-store:16.4.4

  • Updates to com.h2database:h2:2.2.220