Connect2id server 15.5
This Connect2id server release updates the plugin interface for sourcing user claims (attributes). It also adds a special configuration to mitigate false token revocation positives due to timing issues.
Consented scope hint in the claims source SPI
The Connect2id server comes with a plugin interface for sourcing user claims, such as contact details, profile information and entitlements. These claims are then fed into UserInfo responses, ID tokens or access tokens, subject to consent.
To aid decisions in claims source plugins, the Connect2id server is now going
to make the associated consented scope available with each request to the
claims source. If you implement your own SPI plugin the scope can be obtained
via the new
ClaimsSourceRequestContext.getScope
method. If you use a web hook
it will appear in the optional scope
parameter, which must first be
enabled.
Example request:
POST /claims-source HTTP/1.1
Host: www.example.com
Content-Type: application/json; charset=UTF-8
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
{
"iss" : "https://c2id.com",
"sub" : "alice",
"claims" : [ "email",
"email_verified",
"name",
"given_name",
"family_name" ],
"scope" : [ "openid",
"email",
"profile",
"offline" ],
"claims_transport" : "userinfo"
}
More information how the scope gets determined for a particular claims request can be found in the ClaimsSourceRequestContext JavaDoc and the release notes below.
Note that the scope is intended only as a hint in plugin logic. Claims will
continue getting sourced by providing an explicit list of their names,
regardless of the consented scope value. That’s because end-users may not
consent to all claims that expand from a certain scope value. Claims can also
be requested individually, with a scope value like email
or profile
, using the
claims
OpenID authentication request parameter.
Revocation timestamp check bias
The Connect2id server provides an API where clients, end-user access and their
tokens can be revoked.
POSTed revocations are given a timestamp and recorded in the server’s database.
Whenever a token is inspected, the server checks for any recorded revocations
after the token issue time (iat
). If a revocation is found the token is
considered invalid.
After a typical revocation the end-user must log in and give their consent again in order for the client application to regain access. In special scenarios where this is done by an automated process the token revocation and subsequent new token issue may occur at the same second. Due to the second resolution of token and revocation timestamps, this can lead to timing issues, for example in clusters where the clocks of the computers are out of sync. To mitigate such issues deployments can adjust the “bite” point of revocation time checks with a special new configuration:
authzStore.revocation.checkBias
Its documentation has hints when and how to use it. If in doubt leave it at its default value (zero bias).
Dependency updates
A range of dependencies were updated, including the BouncyCastle JCA provider to 1.78. The BouncyCastle update clears several reported CVEs, none of them critical for Connect2id server operation.
Download 15.5
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.5: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 5fae4e5c8201ec0f72dba96c78724dff702fdeb2a30eb7b4f0159114afbd620f
Connect2id server 15.5 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 9a4e6fa5e062cbe70d19c248966be3102d286f90836c6fd1c8b39ae8d456dbd9
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.5: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 1b89b280dd28094dede54eef43086c4139e913ceae2c803c39d77645202894b0
Connect2id server 15.5 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: fef049716b8773a47fa64d7436ed010883c15e99fc9faf4a44f1f2c9a9524335
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.5 (2024-04-23)
Configuration
-
/WEB-INF/authzStore.properties
-
authzStore.revocation.checkBias – New optional configuration property to adjust the checking of revocation timestamps by adding a negative or positive time bias, in seconds. The default value is 0 seconds (no bias).
A token is deemed active (non-revoked) if there are no recorded revocations for the token subject and / or client ID after the token issued-at time (“iat”). The resolution of revocations and token issued-at times is in seconds.
With no (zero) bias tokens issued at the same second when a revocation is recorded are considered active (non-revoked). This enables a subject and / or client ID to have its tokens revoked and then be immediately issued again with active tokens, within the same second.
A positive bias of 1 ensures tokens issued within the same second of a revocation are considered revoked, preventing any ambiguity in the time sequence of revocation and token issue events. A bias greater than 1 should generally not be used.
A negative bias can mitigate false revocation positives in a Connect2id server cluster where the clocks of the individual server instances are out of sync.
-
-
/WEB-INF/httpClaimsSource.properties
- op.httpClaimsSource.includeScope – New optional configuration property of type boolean. Enables / disables inclusion in the request of the associated consented scope. Disabled by default.
SPI
-
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.3
-
New
ClaimsSourceRequestContext.getScope
method that returns the associated consented scope:-
When sourcing claims for a UserInfo endpoint response this is the scope of the access token.
-
When sourcing claims for an ID token to be returned at the token endpoint this is the scope of the OAuth 2.0 grant (such as an
authorization_code
orrefresh_token
grant). -
When sourcing claims for an ID token to be returned at the authorisation endpoint (for a
response_type
that contains theid_token
value) this is the scope of the end-user consent. -
When sourcing claims for an ID token returned at the Connect2id server direct authorisation endpoint.
-
In all other cases the scope is not provided and will be
null
.
-
-
Resolved issues
-
The Connect2id server must reject
op.claims.map.*
configuration properties withid_token:
andaccess_token:
prefixed claim names. These prefixes are intended for use in the authorisation session API and other documented locations only, using them in a custom OpenID claims map can lead to unintended side effects (issue server/991). -
The AS0214 log INFO message must be recorded at the start of a revocation (issue authz-store/233).
Dependency changes
-
Upgrades to com.nimbusds:c2id-server-sdk:5.3
-
Upgrades to com.nimbusds:oauth2-authz-store:26.3
-
Updates to com.nimbusds:oidc-session-store:17.4
-
Updates to com.nimbusds:oidc-claims-source-http:3.1
-
Updates to net.minidev:json-smart:2.5.1
-
Updates to BouncyCastle 1.78
-
Updates to com.google.crypto.tink:tink:1.13.0
-
Updates to commons-codec:commons-codec:1.16.1
-
Updates to commons-io:commons-io:2.16.1
-
Updates to Log4j 2.23.1