Connect2id server 14.8 enables client_secret_jwt and private_key_jwt replay prevention

This Connect2id server release receives the capability to prevent replay of JWTs for the client_secret_jwt and private_key_jwt client authentication methods.

The replay prevention relies on the optional jti (JWT ID) claim, which when included must be a unique string. Without a jti, JWTs that use a deterministic JWS algorithm, such as HMAC, and that expire at the same second cannot be reliably distinguished. For authentication JWTs that carry this identifier the Connect2id server will cache a hash of the jti until the JWT's exp and use that record to detect a replay. This means that for the replay prevention to work an OAuth 2.0 client must include a unique jti in its authentication JWTs. Clients using the Nimbus OAuth 2.0 SDK always receive these tokens with a random 256-bit jti.

In Connect2id server deployments where caching of jti hashes for every received client_secret_jwt and private_key_jwt is not feasible, this security feature can be disabled. The amount of storage required for the jti caching can be regulated by configuring the Connect2id server to reject authentication JWTs with an exp that is too far ahead.

Example configuration to reject authentication JWTs that are more than 60 seconds ahead of the current system time:

op.token.authJWTExpMaxAhead=60

Offending OAuth 2.0 clients will receive a standard invalid_client error and must reduce their exp time to fit the server's policy.

Regardless of this configuration, to prevent accidental or malicious DoS, the Connect2id server will never cache a jti for more than 5 minutes.
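The following is an added model of the checks described above (not Connect2id's own code): an authentication JWT is rejected with invalid_client when its exp is missing, already passed, or further ahead than op.token.authJWTExpMaxAhead allows, and a jti, when present, is remembered until the JWT's exp but never longer than 5 minutes. The class name, the SHA-256 hashing of the jti and the sample claims are assumptions made for the example.

```python
import hashlib
import time

# Constructed model of the 14.8 behaviour; not the Connect2id server's implementation.
MAX_JTI_TTL = 300                                 # a jti is never cached longer than 5 minutes
MIN_EXP_MAX_AHEAD, MAX_EXP_MAX_AHEAD = 10, 600    # allowed op.token.authJWTExpMaxAhead range


class AuthJWTReplayGuard:
    """Server-side checks for a client_secret_jwt / private_key_jwt assertion (hypothetical name)."""

    def __init__(self, exp_max_ahead=-1, prevent_replay=True):
        # exp_max_ahead mirrors op.token.authJWTExpMaxAhead: <= 0 disables the check
        if exp_max_ahead > 0 and not MIN_EXP_MAX_AHEAD <= exp_max_ahead <= MAX_EXP_MAX_AHEAD:
            raise ValueError("op.token.authJWTExpMaxAhead must be between 10 and 600")
        self.exp_max_ahead = exp_max_ahead
        self.prevent_replay = prevent_replay      # mirrors op.token.authJWTPreventReplay
        self._seen = {}                           # sha256(jti) -> cache expiry (unix seconds)

    def _evict(self, now):
        # Drop cache records whose retention time has passed
        self._seen = {k: v for k, v in self._seen.items() if v > now}

    def check(self, claims, now=None):
        """Return 'ok' or the OAuth 2.0 error code the client would receive."""
        now = int(time.time()) if now is None else now
        exp = claims.get("exp")
        if exp is None or exp <= now:
            return "invalid_client"               # missing or already expired assertion
        if self.exp_max_ahead > 0 and exp - now > self.exp_max_ahead:
            return "invalid_client"               # exp too far ahead of the server clock
        jti = claims.get("jti")
        if jti is None or not self.prevent_replay:
            return "ok"                           # without a jti a replay cannot be detected
        self._evict(now)
        key = hashlib.sha256(jti.encode()).hexdigest()
        if key in self._seen:
            return "invalid_client"               # replay of a previously used assertion
        # Remember the jti until exp, capped at 5 minutes to bound cache growth
        self._seen[key] = now + min(exp - now, MAX_JTI_TTL)
        return "ok"
```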

This Connect2id server release also updates the available configuration properties for deployments with a PostgreSQL database, which now support setting a database schema (namespace).

Download 14.8

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c768514ccb0dc1847866c7eb4ff7316d2aab35c32ee37f4cbfc41d1255d39d29

Connect2id server 14.8 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 946b23ef1d6be563c75faea931b41f33e1e29920ba4016f4bc908413d862e655

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4d56948a8c2984f52461f32617613269a0dc15557b08740f65fdbdc4dc5923a3

Connect2id server 14.8 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: e83af7de9192370ff8fcbb4ea1db0791707c1f52eea99246f0c9071436a6a358

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.8 (2023-10-20)

Summary

  • Implements configurable replay prevention of "client_secret_jwt" and "private_key_jwt" client authentication JWT assertions based on the optional JWT ID ("jti") claim. The implementation is based on the new expended token registry introduced in Connect2id server 14.0.

  • Updates the PostgreSQL configuration to enable setting of a JDBC "schema" parameter. Intended for Connect2id server deployments that want to use a database schema other than the default "public".

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.token.authJWTPreventReplay -- New optional configuration property. If true, replay of "client_secret_jwt" and "private_key_jwt" client assertions will be prevented by caching the JWT "jti" claim for the duration of the assertion lifetime, but no longer than 5 minutes. The default value is true.

    • op.token.authJWTExpMaxAhead -- New optional configuration property. Sets the maximum allowed number of seconds that the expiration time (exp) claim in "client_secret_jwt" and "private_key_jwt" client assertions may be ahead of the current time. Assertions with a longer expiration time will be rejected with an invalid_client error. If zero or negative this check is disabled. When enabled the value must be between 10 and 600 seconds. The default value is -1 (disabled).

  • /WEB-INF/infinispan-*-postgres95.xml

    • dataSource.databaseSchema -- New optional Java system property to set the PostgreSQL schema to use. Corresponds to the HikariCP "schema" configuration property. The default value is empty (implies the default "public" PostgreSQL schema).

Web API

  • /par

    • Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.

  • /token

    • Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.

  • /token/introspect

    • Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.

Resolved issues

  • Updates the authz-session log INFO "OP2101" and "OP2103" messages to include the current issuer URL when issuer aliasing is enabled (issue server/925).

  • Updates the authz-session log DEBUG "OP2130" and WARN "OP2131", "OP2132" messages to include the authorisation session ID (issue server/925).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.4

  • Upgrades to com.nimbusds:oauth2-authz-store:24.7

  • Updates to com.nimbusds:software-statement-verifier:2.2.6

  • Updates to org.apache.santuario:xmlsec:2.2.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.0.6

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.10