Connect2id server 14.7
This Connect2id server release ships updates in three different areas.
Native application redirect_uri updates
The OpenID Connect standard is going to receive an
errata that allows
native applications to register redirection URIs using an IPv4 or IPv6 loopback
IP, in addition to the previous localhost for HTTP URLs.
For example:
POST /clients HTTP/1.1
Content-Type: application/json
{
"application_type" : "native",
"redirect_uris" : [ "http://127.0.0.1:8080/cb" ],
"token_endpoint_auth_method" : "none",
"code_challenge_method" : "S256"
}
This upcoming change was implemented and is now available.
Native applications can now also be registered to use variable ports in their
localhost or loopback IP redirection URL. This is done by registering the URL
with the port number set to zero (0). In situations where the application is
not guaranteed to be able to bind to a predetermined port this can be
indispensable.
POST /clients HTTP/1.1
Content-Type: application/json
{
"application_type" : "native",
"redirect_uris" : [ "http://127.0.0.1:0/cb" ],
"token_endpoint_auth_method" : "none",
"code_challenge_method" : "S256"
}
Note, the port zero to signify that the native application may vary the port number in its redirection URL is not a standard convention (yet).
You can find more information and examples about native application registration as OAuth 2.0 clients in the dedicated guide.
Filtering of PKCS#11 / HSM keys
Connect2id server deployments where the token signing is handled by Hardware Security Module (HSM) can now specify a list of keys to load. The selective HSM key loading can enable deployments where the HSM is shared with other applications.
Example list of three key IDs representing UUIDs:
pkcs11.keyIDs.1=9d64c4f5-724f-4057-af36-1dd2679c00a4
pkcs11.keyIDs.2=cb8dc79c-7ec9-4488-8723-e50fe32a2ff3
pkcs11.keyIDs.3=d274a2c2-9af7-4fbd-b669-8e337672443c
Publishing of historical keys
The Connect2id server now also supports the publishing of JWKs for historical or other purposes. These can be supplied as public-only JWKs (without any their parameters).
Infinispan object expiration and purge updates
The shipped Infinispan configurations received an update that enables deployments to override the default interval of the object expiration tasks. This can be used to tune the expiration or to implement stateless cluster strategies with a dedicated expiration node.
Other related changes:
The orphaned subject key purge task is now disabled by default, since it's redundant in most practical cases.
The session store purge resource received new optional parameters and will now by default purge only the subject session map, ignoring the rest.
The default expiration interval of sessions was increased from 5 to 10 minutes.
You can find more information the release notes below.
Download 14.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 265ea89d12c7fd81a96ac7ad0b31dc72df8252489d54933b384f38773615838f
Connect2id server 14.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: fdb6beffdfdda8861ba057d370bfda6af594b72b99d1724584008d83e5724490
Multi-tenant edition
Apache Tomcat package with Connect2id server 14.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 1919a2815f3c5a8bf319656d2e963165461d1a0966e9de8b42ed87b88e59a6a8
Connect2id server 14.7 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: b0c5198444ce02957e9045c6d1e2451a57fcdaccc779e43c508deb75cee0e055
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.7 (2023-10-15)
Summary
The support for native applications is updated to enable registration of redirection http URIs with a loopback IP. Native applications with a localhost or loopback http redirection URI may also use a variable port, in cases when the application is not guaranteed to be able to bind to a predetermined port.
The Connect2id server can now be configured to load only selected signing keys from a PKCS#11 (HSM) store. This can enable deployments where the HSM is shared with other applications.
The Connect2id server
/jwks.jsonendpoint may include public-only signing keys, for historical or other purposes.The Infinispan configuration supports the setting of custom expiration intervals for all Connect2id server objects that require expiration. The expiration interval of subject sessions remains separately configurable. This enables strategies such as:
Dedicating a set of Connect2id server nodes to processing OAuth 2.0 and OpenID Connect requests and one (or more) nodes to the task of object expiration.
Disabling the periodic execution of the subject session expiration task and invoking it externally, for example by a cron-style job at a time that is deemed optimal.
Configuration
/WEB-INF/jwkSet.json
The JWK set may include JWK instances without private parameters. These keys will be published at the
/jwks.jsonendpoint and not used internally by the Connect2id server.Public signing and encryption Connect2id server keys may be included to be published at the
/jwks.jsonendpoint for historical purposes.
/WEB-INF/federationJWKSet.json
The federation entity JWK set may include JWK instances without private parameters. These keys will be included in issued Entity Configurations and not used internally by the Connect2id server.
Public signing federation entity keys may be included for historical purposes.
/WEB-INF/jose.properties
pkcs11.keyIDs.* -- New optional configuration property. Specifies an explicit list of identifiers (aliases) of PKCS#11 keys to load from the HSM device (when an HSM is configured). If omitted or blank all recognised keys will be loaded.
This configuration property can be used to filter the PKCS#11 keys to load from an HSM that is shared by several applications.
/WEB-INF/sessionStore.properties
sessionStore.sessionMap.expirationInterval -- Increases the default value from 300000 ms (5 minutes) to 600000 ms (10 minutes).
sessionStore.internal.subjectIndexPurgeInterval -- Receives a new default value of -1 (disabled).
/WEB-INF/infinispan-*.xml
- Adds a new "infinispan.defaultExpirationInterval" configuration property with a default value of 300000 ms (5 minutes) to enable override of the default expiration purge interval for all Infinispan maps and caches where an expiration is required by the Connect2id server. Non-expiring maps and caches are not affected by this configuration property. The session map expiration interval override remains in the "sessionStore.sessionMap.expirationInterval" configuration property.
/WEB-INF/infinispan-stateless-{mysql|oracle|postgres95|sqlserver}.xml
- Enabled for the "sessionStore.sessionMap.expirationInterval" configuration property.
/WEB-INF/infinispan-multitenant-stateless-{mysql|oracle|postgres95|sqlserver}.xml
- Enabled for the "sessionStore.sessionMap.expirationInterval" configuration property.
Web API
/clients/
Native applications (with the
application_typemetadata parameter set tonative) may register redirection URIs with a loopback IP address -- 127.0.0.1 in IPv4 and 0:0:0:0:0:0:0:1 (short form ::1) in IPv6. Previously clients using the loopback interface to receive OAuth 2.0 redirections could only register with the "localhost" hostname in the URL.Native applications (with the
application_typemetadata parameter set tonative) may register localhost and loopback IP redirection URIs with a variable port, by specifying port zero in the URI, for examplehttp://localhost:0/callback. Authorisation requests can then use any port in the 1 to 65535 range, provided the other components in the redirection URI match the registered URI exactly. Example permitted redirection URI for on the given registered example:http://localhost:1234/callback.
/session-store/rest/v2/
The
/purgeresource is updated, changing the default action to force a purge of the expired session only. The purging of expired and orphaned index keys is redundant and become optional operations now.Changes to the resource:
Adds a new form parameter with name
sessionsand a default valuetrue. Whentrueall expired sessions will be purged. Whenfalsethe expired sessions purge will be skipped.Adds a new form parameter with name
indexand a default valuefalse. Whentrueall expired subject index keys will be purged. Whenfalsethe expired subject index keys purge will be skipped.Adds a new form parameter with name
orphaned_index_keysand a default valuefalse. Whentrueall orphaned subject index keys will be purged. Whenfalsethe orphaned subject index keys purge will be skipped.Adds a new form parameter with name
asyncand a default valuefalse. Whentruethe purges will be performed asynchronously.The
asyncquery parameter of the/purgeresource is deprecated. Use the newasyncform parameter instead.
Resolved issues
The default value of sessionStore.internal.subjectIndexPurgeInterval is changed to -1 (disabled). In most practical cases the periodic purge task is redundant, due to the automatic subject index max_life expiration (in deployments with DynamoDB or Redis) or the purge on new subject session insertion when the subject session quota is reached. The session store
/purgeresource remains available (issue session-store/91).Changes the SS0233 log message to level WARN when the purged number of orphaned subject keys is greater than zero, otherwise the level remains INFO (issue session-store/90).
Fixes an issue affecting grant isolation at the token endpoint when the Connect2id server is configured with issuer aliasing in mode PERSISTED_GRANT_ISOLATION (issue server/923).
Dependency changes
Upgrades to com.nimbusds:oauth2-oidc-sdk:11.2
Updates to com.nimbusds:oauth2-authz-store:24.6.4
Updates to com.nimbusds:oidc-session-store:16.7.1
Updates to com.nimbusds:c2id-server-jwkset:1.30
Upgrades to com.nimbusds:nimbus-jwkset-loader:5.3
Updates to Infinispan to 14.0.19.Final