
Connect2id server 16.1

This Connect2id server release updates the web-based single sign-on (SSO), the management of tokens, the JWT claims codec for access tokens and the database connector for AWS DynamoDB.

Custom web SSO eligibility checks

Identity providers that need to impose custom conditions on whether an authorisation request qualifies for SSO can now do so via a new plugin interface (SPI). The custom checks run after the Connect2id server has completed its own standard checks, the main one being the presence of a web session for the user.

Additional SSO conditions can, for example, require a particular class of client applications to always have the user freshly authenticated when sign-in is requested, while the user's existing web session is kept intact.

Revocation timestamps

The internal revocation API can now support use cases that require exact control over which tokens and authorisations are to be revoked, based on their iat (issued-at time). To support this a new optional timestamp parameter was added, expressing the revocation time as Unix epoch seconds.

Example request to revoke any tokens and authorisations for user alice issued before the specified timestamp:

POST /authz-store/rest/v3/revocation HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/x-www-form-urlencoded

subject=alice&timestamp=1729496043

Claim names compression in access JWT codecs

The Connect2id server utilises a highly efficient bit-field algorithm to compress the names of consented OpenID Connect claims in JWT-encoded access tokens. Up until now this compression could only be utilised when using the default (built-in) codec that ships with the server. Starting with this release, the codec SPI exposes a new TokenCodecContext.getClaimNamesCompressor method to enable a plugin to compress / decompress the claim names.

Example JSON array of claim names for release at the UserInfo endpoint:

"clm": [ "email", "email_verified", "name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "updated_at", "locale" ]

Compressed into a single string:

"clm": [ "!5v8H" ]
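A bit-field compressor of the kind described above, as an added example in Python; it is not the Connect2id server's own codec and does not use its claimsCompression.properties dictionary. The dictionary order, the "!" marker (chosen to mirror the page's output, the real encoding is not documented here) and the little-endian base64url packing are assumptions. With them the page's 16 consented claims pack into one five-character string, an unknown claim name travels verbatim beside the packed string, and the decoder rejects bits outside the dictionary.

```python
import base64

# Illustrative dictionary (an assumption for this example): the standard
# OpenID Connect claims in a fixed, agreed order. Compressor and decompressor
# must share the same dictionary; the Connect2id server's own dictionary lives
# in claimsCompression.properties and is not reproduced here.
CLAIM_DICTIONARY = (
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
)
_INDEX = {name: i for i, name in enumerate(CLAIM_DICTIONARY)}

# Assumed marker: a registered claim name never starts with "!", so a reader
# of the "clm" array can tell a packed bit-field from a literal claim name.
MARKER = "!"

# The consented claim names from the page's example (constructed input).
PAGE_CLAIMS = [
    "email", "email_verified", "name", "given_name", "family_name",
    "middle_name", "nickname", "preferred_username", "profile", "picture",
    "website", "gender", "birthdate", "zoneinfo", "updated_at", "locale",
]


def compress_claim_names(names):
    """Pack dictionary claims into one bit-field string (bit i = claim i);
    names outside the dictionary are kept verbatim after it."""
    bits = 0
    literals = []
    for name in names:
        if name.startswith(MARKER):
            raise ValueError(f"claim name may not start with {MARKER!r}: {name}")
        i = _INDEX.get(name)
        if i is None:
            literals.append(name)
        else:
            bits |= 1 << i
    out = []
    if bits:
        raw = bits.to_bytes((bits.bit_length() + 7) // 8, "little")
        out.append(MARKER + base64.urlsafe_b64encode(raw).decode("ascii").rstrip("="))
    out.extend(literals)
    return out


def decompress_claim_names(items):
    """Inverse of compress_claim_names. Rejects bits outside the dictionary,
    which would indicate a dictionary mismatch or a tampered token."""
    names = []
    for item in items:
        if not item.startswith(MARKER):
            names.append(item)
            continue
        b64 = item[len(MARKER):]
        raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        bits = int.from_bytes(raw, "little")
        if bits >> len(CLAIM_DICTIONARY):
            raise ValueError("bit set outside the claim dictionary")
        names.extend(n for i, n in enumerate(CLAIM_DICTIONARY) if bits >> i & 1)
    return names


if __name__ == "__main__":
    packed = compress_claim_names(PAGE_CLAIMS)
    print(packed)                       # one short string instead of 16 names
    print(decompress_claim_names(packed))
```

The issuer and every resource server that validates the access token and reads clm must share the same dictionary; reordering or inserting entries reassigns bits, so a dictionary change has to be rolled out like a token format change.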

Deletion protection for DynamoDB tables

The database connector for AWS DynamoDB was updated and now includes a new optional dynamodb.enableDeletionProtection configuration property which the Connect2id server picks up at startup to flag its tables for deletion protection. Tables with this flag cannot be deleted unless the flag is first cleared, via the DynamoDB console, API or CLI. This is intended to prevent accidental deletion of the tables.

The connector update also fixes two issues that affected the dynamodb.enableContBackups configuration property.

Download 16.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 16.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5cc1d42e6e355fd4e22c4d41cd1c3e1245c4e0820d2faab4231bf4baddd2357a

Connect2id server 16.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 4fd1661ad1d9893d8bd8aee1c40cde1e53f31774c4d8cb696eb64230579354cc

Multi-tenant edition

Apache Tomcat package with Connect2id server 16.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 2ea1b9a88265c4c92c17654556cbe70cce15b5c35156701ba521cc1701454d7a

Connect2id server 16.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: a609343977fc36e8520853d9608095b7bac9a21952bca96f1314ce1122395129

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

16.1 (2024-10-17)

Summary

  • New plugin interface for adding custom checks whether an OAuth 2.0 authorisation / OpenID authentication request is eligible for web single sign-on (SSO), after the Connect2id server has completed its own checks.

  • It is now possible to specify a timestamp when posting a revocation event to the revocation API of the Connect2id server. This is intended for use cases that require exact control over which tokens and authorisations are to be revoked, based on their iat (issued-at time).

  • Connect2id server deployments with an AWS DynamoDB database can now enable deletion protection for the tables in the database configuration.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.sso.disableForSelectedClients – Deprecated for removal, use the new WebSSOEligibilityChecker SPI instead.
  • /WEB-INF/infinispan-*-dynamodb.xml

    • Upgrades the dynamodb schema to v3.0.

    • New dynamodb.enableDeletionProtection configuration property of type boolean (true|false). If true deletion protection will be enabled for all DynamoDB tables. If false this configuration has no effect on tables with already enabled deletion protection, so that their protection cannot be accidentally lifted by a change in the Connect2id server configuration. To lift the deletion protection for a table use the AWS console or another method.

Web API

  • /authz-sessions/rest/v3/

    • Adds a WebSSOEligibilityChecker SPI for plug-in of additional custom checks whether an OAuth 2.0 authorisation / OpenID authentication request is eligible for web single sign-on (SSO), after the Connect2id server has completed its own checks.
  • /authz-store/rest/v3/

    • The revocation resource receives a new optional timestamp (revocation timestamp, as seconds since the Unix epoch) form parameter. When posting a new revocation for a subject, client_id or actor this form parameter can be used to specify the time of the revocation event. The default timestamp value is the current time.
  • /session-store/rest/v2/

    • The sessions resource receives a new optional ctx (session context) query parameter for requests to retrieve the sessions for a specified subject. Can be used to filter the returned sessions according to their context, for example web or device.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.10

    • WebSSOEligibilityChecker – New SPI for plugging additional checks whether an OAuth 2.0 authorisation / OpenID authentication request is eligible for web single sign-on (SSO), after the Connect2id server has completed its own checks.

      Prior to calling this SPI the Connect2id server ensures the following conditions are met for a request to be eligible for SSO:

      • A subject (end-user) session is present.

      • The subject session authentication lifetime (auth_life), if specified for the session, has not expired.

      • If the request is an OpenID authentication request with a maximum authentication age (max_age) or an ACR level (acr_values), that the subject session satisfies them.

      • If a particular user identity is required (via an id_token_hint), that it matches the session subject.

      • The request doesn’t specify a prompt of login, select_account or create.

      • A Connect2id server configuration doesn’t trigger an authentication prompt.

      If the OAuth 2.0 authorisation / OpenID authentication request is eligible for SSO the isEligible check method returns true. Else the method returns false, to cause the Connect2id server to prompt the end-user for authentication.

    • Updates the SelfContainedAccessTokenClaimsCodec SPI. The TokenCodecContext interface receives a new getClaimNamesCompressor() method that returns a ClaimNamesCompressor intended to reduce the size of the consented claims array in self-contained (JWT-encoded) access tokens. The default SPI implementation included in the Connect2id server uses the exposed ClaimNamesCompressor to compress the strings in the clm (claim names) JSON array, employing a highly efficient bitfield-based algorithm that uses the dictionary configured in claimsCompression.properties.
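The SSO eligibility decision described in the WebSSOEligibilityChecker entry above, together with the always-authenticate client class from the web SSO section at the top of the page, as an added model in Python. This is not the Connect2id server's Java SPI: the request and session are plain dicts, the key names, the client IDs and the id_token_hint handling (modelled as the subject already extracted from the hint) are assumptions. It shows the order that matters to a plugin author: the custom check is consulted only after every built-in check has passed, and a false result denies SSO for that request without touching the session.

```python
import time

# Constructed model of the eligibility checks; not the server's Java code.
# Requests and sessions are plain dicts with assumed keys.

INTERACTIVE_PROMPTS = {"login", "select_account", "create"}


def builtin_sso_checks(request, session, now, config_forces_prompt=False):
    """The checks the server performs before any plugin is consulted.
    Returns (eligible, reason)."""
    if session is None:
        return False, "no_session"
    auth_time = session["auth_time"]
    auth_life = session.get("auth_life")
    if auth_life is not None and now >= auth_time + auth_life:
        return False, "auth_life_expired"
    max_age = request.get("max_age")
    if max_age is not None and now - auth_time > max_age:
        return False, "max_age_exceeded"
    acr_values = request.get("acr_values")
    if acr_values and session.get("acr") not in acr_values:
        return False, "acr_not_satisfied"
    hint_sub = request.get("id_token_hint_sub")   # subject taken from the hint
    if hint_sub is not None and hint_sub != session["sub"]:
        return False, "id_token_hint_mismatch"
    if INTERACTIVE_PROMPTS & set(request.get("prompt", ())):
        return False, "interactive_prompt"
    if config_forces_prompt:
        return False, "config_forces_prompt"
    return True, "builtin_ok"


# Assumed client IDs for the class of clients that must always authenticate.
ALWAYS_AUTHENTICATE = {"payments-app"}


def custom_check(request, session):
    """Example plugin check: deny SSO for the listed clients so the server
    prompts for authentication. The session object is left untouched."""
    return request["client_id"] not in ALWAYS_AUTHENTICATE


def is_sso_eligible(request, session, now=None, checks=(custom_check,)):
    """Built-in checks first; custom checks run only when those pass."""
    now = time.time() if now is None else now
    ok, reason = builtin_sso_checks(request, session, now)
    if not ok:
        return False, reason
    for check in checks:
        if not check(request, session):
            return False, f"{check.__name__}_denied"
    return True, "sso"


if __name__ == "__main__":
    session = {"sub": "alice", "auth_time": 1_000_000,
               "acr": "urn:example:loa2", "auth_life": 3600}
    print(is_sso_eligible({"client_id": "web-app"}, session, 1_000_100))
    print(is_sso_eligible({"client_id": "payments-app"}, session, 1_000_100))
```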

Resolved issues

  • Enabling DynamoDB continuous backups (point-in-time recovery, PITR) for a table may require the request to be retried, due to a transient ContinuousBackupsUnavailableException whose message suggests retrying. This DynamoDB behaviour is observed at times when enabling continuous backups immediately after table creation, despite the prior waitForActive call. The request is now retried up to 5 times, with the wait before each retry increased by 1 second (issue dynamodb/25).

  • Fixes a bug to ensure DynamoDB continuous backups (PITR) are applied to a table that was left in an incomplete PITR state after a ContinuousBackupsUnavailableException was raised without a retry, with DynamoDB reporting continuous backups as enabled but PITR as disabled (issue dynamodb/25).

  • Authorisation requests with an invalid response_type, max_age or display parameter that include illegal characters according to RFC 6749, section 4.1.2.1, must produce an invalid_request error and not result in an HTTP 500 in the authorisation session web API (issues server/1027, oidc-sdk/482, oidc-sdk/483, oidc-sdk/484).
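The connector's deletion-protection semantics (the dynamodb.enableDeletionProtection property above: true enables, false never disables) and the PITR retry and state repair from the two dynamodb/25 entries, as an added Python example; it is not the connector's own Java code. The boto3 DynamoDB client method names and response shapes used here are real; the FakeDynamoDB class that returns them and its scripted transient failures are constructed so the example runs offline, and reading the page's "5 times" as five attempts in total is an assumption.

```python
import time


class ContinuousBackupsUnavailableException(Exception):
    """Stands in for client.exceptions.ContinuousBackupsUnavailableException."""


class FakeDynamoDB:
    """Constructed stand-in for a boto3 DynamoDB client. Method names and
    response shapes follow boto3; the transient failures are scripted."""

    def __init__(self, pitr_failures=0, deletion_protection=False):
        self._dp = deletion_protection
        self._pitr = "DISABLED"
        self._pitr_failures = pitr_failures   # transient errors to raise first
        self.update_table_calls = 0

    def describe_table(self, TableName):
        return {"Table": {"TableName": TableName,
                          "DeletionProtectionEnabled": self._dp}}

    def update_table(self, TableName, DeletionProtectionEnabled):
        self.update_table_calls += 1
        self._dp = DeletionProtectionEnabled
        return {"TableDescription": {"DeletionProtectionEnabled": self._dp}}

    def describe_continuous_backups(self, TableName):
        # The state the second fix is about: continuous backups ENABLED while
        # point-in-time recovery is still DISABLED.
        return {"ContinuousBackupsDescription": {
            "ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {
                "PointInTimeRecoveryStatus": self._pitr}}}

    def update_continuous_backups(self, TableName, PointInTimeRecoverySpecification):
        if self._pitr_failures:
            self._pitr_failures -= 1
            raise ContinuousBackupsUnavailableException("constructed: retry later")
        enabled = PointInTimeRecoverySpecification["PointInTimeRecoveryEnabled"]
        self._pitr = "ENABLED" if enabled else "DISABLED"
        return {}


def apply_deletion_protection(client, table, enable):
    """Mirror dynamodb.enableDeletionProtection: true turns protection on,
    false never turns it off. Returns the resulting protection state."""
    current = client.describe_table(TableName=table)["Table"].get(
        "DeletionProtectionEnabled", False)
    if enable and not current:
        client.update_table(TableName=table, DeletionProtectionEnabled=True)
        return True
    return current


def pitr_status(client, table):
    desc = client.describe_continuous_backups(TableName=table)
    return desc["ContinuousBackupsDescription"]["PointInTimeRecoveryDescription"][
        "PointInTimeRecoveryStatus"]


def ensure_pitr(client, table, attempts=5, sleep=time.sleep):
    """Enable PITR unless it is already ENABLED (so a half-applied state from
    an earlier run is repaired), retrying the transient exception with the
    wait growing by one second per retry. Returns the update calls made."""
    if pitr_status(client, table) == "ENABLED":
        return 0
    for attempt in range(1, attempts + 1):
        try:
            client.update_continuous_backups(
                TableName=table,
                PointInTimeRecoverySpecification={"PointInTimeRecoveryEnabled": True})
        except ContinuousBackupsUnavailableException:
            if attempt == attempts:
                raise
            sleep(attempt)          # 1 s, 2 s, 3 s, ...
            continue
        # Verify the effective state instead of trusting the call's return.
        if pitr_status(client, table) != "ENABLED":
            raise RuntimeError(f"PITR still not enabled on {table}")
        return attempt
```

Checking the PITR status before and after the update, rather than relying on the update call returning, is what turns the retry loop into a repair: a table left with backups enabled but PITR disabled by an earlier failed run is simply picked up on the next start.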

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.10

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.20.1

  • Updates to com.nimbusds:oauth2-authz-store:26.7

  • Updates to com.nimbusds:oidc-session-store:20.5

  • Updates to Infinispan 14.0.32.Final