Blog »

Connect2id server 15.6 introduces a new plugin interface for authentication and consent events

2024-05-10

The Connect2id server received a new plugin interface (SPI) for receiving an event every time a user authenticates and submits their consent at the authorisation endpoint. The events can be used for purposes such as audit logging and resolving disputes. Contextual information about the user authentication can be obtained from the referenced ID token claims set (if an ID token is issued) as well as the referenced subject session. Information about the user consent can be obtained from the referenced authorised scope, claim names and data.

This release also relaxes the back-channel logout notifications policy for Connect2id server deployments configured with issuer aliasing in the PERSISTED_GRANT_ISOLATION mode, allowing delivery of notifications in response to logout requests. Notification delivery in response to session expiration remains blocked in this mode.

Finally, this release resolves four issues, three related to SPI plugins.

Download 15.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5ad5fc679f9c33837ab46690ae0d23edf692e522622005579bd5c06fa5be9139

Connect2id server 15.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 87c3c7075ac32244ea5b860a7218cbc56e18ea9b0e076e784f84e9f2085be991

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f77623867ef95bfad50ddf896d86294e77419d8b2bb4c8275ae39e11bcfcb384

Connect2id server 15.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 89e6cb73cbec7f3f8789f9871d4e60e139fed8af1f26eee0ce4acd4d850f89a8

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

15.6 (2024-05-10)

Summary

  • New plugin interface (Service Provider Interface, or SPI) for listening to end-user authentication and consent events at the authorisation endpoint of the Connect2id server.

  • Enables delivery of back-channel logout notifications in the issuer aliasing mode "isolation" in response to end-user logout at the logout session API.

Web API

  • /logout-sessions/rest/v1/

    • Delivers back-channel logout notifications when OpenID provider / OAuth 2.0 server issuer aliasing mode PERSISTED_GRANT_ISOLATION is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from logout session API calls to be blocked.

  • /session-store/rest/v2/

    • Delivers back-channel logout notifications in response to end-session (DELETE) calls when OpenID provider / OAuth 2.0 server issuer aliasing mode PERSISTED_GRANT_ISOLATION is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from end-session API calls to be blocked.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.4

    • New SubjectAuthAndConsentEventListener SPI for listening to subject authentication and consent events.

      For clients using the code flow (response_type=code), the event is dispatched when the client submits a valid authorisation code at the token endpoint of the Connect2id server.

      For clients using an implicit (response_type=token, response_type=id_token, id_token token) or hybrid flow (response_type=code id_token, response_type=code token, response_type=code id_token token), the event is dispatched when the request at the authorisation endpoint of the Connect2id server successfully completes.

Resolved issues

  • Fixes StackOverflowException in SPI calls that use the com.nimbusds.openid. connect.provider.spi.internal.sessionstore.SubjectAuthentication.getAMRList method (issue server/993).

  • Revises the OpenID Connect Back-Channel Logout 1.0 policy when issuer alias mode PERSISTED_GRANT_ISOLATION is configured. Back-channel logout notifications were previously blocked in this mode. Starting with this release notifications resulting from API-originating logout / end-session requests will be delivered. Note that the delivery of back-channel logout notifications on subject session expiration remains blocked since subject sessions do not record issuer alias information (issue server/992).

  • Prevents Connect2id server startup when a given OpenID claim is advertised as supported by two or more enabled claims sources. Disabled claims sources are not checked. The exception will be logged at FATAL level using the OP7004 code, detailing the name of the claim and the claim source (issue server/994).

  • Compressed (zip=DEFLATE) JWE request objects (JARs) with cipher texts of compressed plain text that are too large must be rejected to conserve CPU and memory resources on decompression. When JWE DEFLATE compression is utilised a limit of 100K cipher text characters is enforced. Note that all request objects passed by URL (request_uri) are already being limited to 50 KBytes in size (issue jose-jwt/545).

  • Support serialisation of null valued JWT top-level claims returned by the encode and advancedEncode methods of SelfContainedAccessTokenClaimsCodec SPI implementations. Previously such JWT claims were ignored and serialised (issue authz-store/234).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.4

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.10.3

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.39

  • Updates to com.nimbusds:c2id-server-jwkset:1.30.2

  • Upgrades to com.nimbusds:oauth2-authz-store:26.5.1

  • Upgrades to com.nimbusds:oidc-session-store:19.0

  • Upgrades to com.nimbusds:tenant-manager:9.1

  • Updates to com.nimbusds:tenant-registry:9.0.1