
Connect2id server 17.1 ships a private_key_jwt update

This release of the Connect2id server ships a security update to the private_key_jwt authentication method for clients. Deployments can now configure strict aud (audience) checking of the JWTs, which requires the value to be the identity of the Connect2id server, i.e. its issuer URL.

Example JWT payload with a strict aud:

{
  "iss" : "oe7aiz60",
  "sub" : "oe7aiz60",
  "aud" : "https://demo.c2id.com",
  "exp" : 1453021544,
  "jti" : "Eefaevo0"
}

Private key authentication JWTs where the aud is set to the URL of the endpoint will be rejected in the strict mode:

{
  "iss" : "oe7aiz60",
  "sub" : "oe7aiz60",
  "aud" : "https://demo.c2id.com/token",
  "exp" : 1453021544,
  "jti" : "Eefaevo0"
}

Multi-valued audiences will also be rejected, for example where the aud includes both the issuer URL and the token endpoint URL of the Connect2id server:

{
  "iss" : "oe7aiz60",
  "sub" : "oe7aiz60",
  "aud" : [ "https://demo.c2id.com", "https://demo.c2id.com/token" ],
  "exp" : 1453021544,
  "jti" : "Eefaevo0"
}

To turn on strict private_key_jwt audience checking use the new op.token.authJWTAudience configuration property.

op.token.authJWTAudience=STRICT

The default value is LEGACY, which keeps the currently established audience checking. We chose that name because the general direction of the specifications and profiles that use private_key_jwt is towards identity audiences instead of endpoint audiences.

Strict audience checking can be enabled gradually, only for selected clients, by setting a custom field in the data client metadata parameter, which is picked up by a simple JSON query configured in the op.token.authJWTAudienceQuery property.

Example:

op.token.authJWTAudienceQuery=.client_auth_aud_check

Note that the new configurations apply to the audience check for client_secret_jwt authentication as well.

The strict private_key_jwt audience check is required by the new FAPI 2.0 security profile, designed for Open Banking and other applications that demand stringent protection of user login and APIs. It requires the JWT aud to be always the identity of the OpenID provider / OAuth 2.0 server, as indicated in the issuer parameter of the published server metadata, regardless of whether the client authenticates to the token endpoint, the PAR endpoint, or some other server endpoint.

The strict identity audience is intended to become a general recommendation, through errata, in section 9 of OpenID Connect Core 1.0, as well as in OAuth 2.0, where JWT authentication is specified in section 3 of RFC 7523.

The coming Monday, the 27th of January, Dr. Michael Jones, who is co-author of the two specifications, and Joseph Heenan, leader of the OpenID certification, are going to talk about that in an online meeting of the OAuth working group. Feel free to join if you wish to find out more. Of course, you can always talk to our tech team.

The OAuth 2.0 / OpenID Connect SDK received an update in v11.21 to make it easier to mint and verify JWTs for private_key_jwt and client_secret_jwt for the strict audience mode.

More information about the new features, changes and resolved issues in the new release can be found in the notes below.

Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.

Download 17.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 17.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 8d4d97c7d202e044b13358ddb79d0ad129b9f9c3f580356e73bd22fac17c55fb

Connect2id server 17.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 5d6196accae764121aab72820175d46484490ee1a9309b8bd4f06d525f014968

Multi-tenant edition

Apache Tomcat package with Connect2id server 17.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: c1b89d048c3710833c54f39628e59bc7a2ef3f330411b20296bdedd4ce527255

Connect2id server 17.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: fe2e4af306fc8870a6e7b19b02d9e7f4a0c4fa9aa2c845514213c6bb9108988e

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

17.1 (2025-01-22)

Summary

  • Enhances the security of private_key_jwt client authentication by supporting strict aud (audience) checking of the received JWTs, as mandated by the new FAPI 2.0 profile and by the soon-to-be published errata of OpenID Connect Core 1.0, RFC 7523 and FAPI 1.0.

    The strict check requires the aud JWT claim to be the issuer URL of the Connect2id server (as configured by op.issuer), and if the aud is a JSON array, to contain no other values. The endpoint URL is not accepted as an aud value when strict checking is enabled.

    The strict JWT audience check can be enabled globally, for all clients, or for selected clients only. Using the latter, deployments can migrate to strict audience checking gradually and over time. The client authentication interceptor SPI can be used to monitor the client usage of private_key_jwt and notify client administrators if an aud change is desired.

    The default JWT audience check remains unchanged, allowing the aud JWT claim to contain the issuer URL, the endpoint URL, and to be multi-valued, in accordance with the original versions of OpenID Connect Core 1.0, section 9, and the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

  • Upgrades the support for OpenID Connect Native SSO for Mobile Apps 1.0 to draft 07. The token type URI for ID tokens (in the subject_token_type parameter) becomes urn:openid:params:token-type:id_token, for device secrets (in the actor_token_type parameter) urn:openid:params:token-type:device_secret.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.token.authJWTAudience – New optional configuration property for the JWT aud (audience) check in client_secret_jwt and private_key_jwt client authentication.

      Supported JWT audience checks:

      • LEGACY – The aud may be multi-valued and contain values other than the endpoint URL or the issuer URL of the OpenID provider / OAuth 2.0 authorisation server.

      • STRICT – The aud must be single-valued and set to the issuer URL of the OpenID provider / OAuth 2.0 authorisation server.

      The default value is LEGACY.

    • op.token.authJWTAudienceQuery – New optional configuration property to override the JWT aud (audience) check for selected clients.

      The JSON query is applied to the custom data JSON object of the registered client metadata and must return a LEGACY or STRICT string (case-insensitive). The default value is no overriding JSON query.

      Example JSON query to look up the audience check in the custom data client registration field: .authJWTAudience. Clients whose registration doesn't contain a data.authJWTAudience set to LEGACY or STRICT will be authenticated according to the globally configured op.token.authJWTAudience.
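The following is an added example, not Connect2id server or SDK code, which models the LEGACY and STRICT aud checks described in the post and in the configuration notes above, together with the per-client override looked up in the client's data object. It applies the checks to the three sample JWT payloads from the post; the minimal dot-path lookup stands in for the real jq query engine, and the reading of the LEGACY rule (issuer or endpoint URL present, extra values tolerated) is an assumption.

```python
ISSUER = "https://demo.c2id.com"           # op.issuer of the server
TOKEN_ENDPOINT = ISSUER + "/token"

# The three JWT payloads from the post (constructed sample inputs).
STRICT_OK = {"iss": "oe7aiz60", "sub": "oe7aiz60", "aud": ISSUER,
             "exp": 1453021544, "jti": "Eefaevo0"}
ENDPOINT_AUD = dict(STRICT_OK, aud=TOKEN_ENDPOINT)
MULTI_AUD = dict(STRICT_OK, aud=[ISSUER, TOKEN_ENDPOINT])


def check_aud(payload, mode, issuer=ISSUER, endpoint=TOKEN_ENDPOINT):
    """Return True if the aud claim passes the check for the given mode."""
    aud = payload.get("aud")
    values = [aud] if isinstance(aud, str) else aud
    if (not isinstance(values, list) or not values
            or not all(isinstance(v, str) for v in values)):
        return False                      # missing, empty or malformed aud
    mode = mode.upper()
    if mode == "STRICT":
        # Only the issuer URL, as a string or as a single-element array.
        return values == [issuer]
    if mode == "LEGACY":
        # Assumed reading of the legacy rule: the issuer or the endpoint
        # URL must be present; additional values are tolerated.
        return issuer in values or endpoint in values
    raise ValueError("unknown aud check mode: " + mode)


def resolve_mode(client_metadata, global_mode, query=None):
    """Per-client override: a dot-path query over the client's 'data'
    object (a minimal stand-in for op.token.authJWTAudienceQuery)."""
    if not query:
        return global_mode
    node = client_metadata.get("data", {})
    for key in query.lstrip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return global_mode            # field absent: use global setting
        node = node[key]
    if isinstance(node, str) and node.upper() in ("LEGACY", "STRICT"):
        return node.upper()               # value is case-insensitive
    return global_mode


def authenticate(payload, client_metadata, global_mode="LEGACY", query=None):
    """Resolve the effective mode for the client and run the aud check."""
    mode = resolve_mode(client_metadata, global_mode, query)
    return mode, check_aud(payload, mode)
```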

Resolved issues

  • HTTP 400 Bad Request responses from the key-store/rest/v1 web API due to a concurrent JWK set modification exception must be given an error_description message (issue server/1043).

  • Hardens authorisation request parsing when dealing with an illegal URI representation in the redirect_uri parameter. URISyntaxException messages must not be included in the error_description to avoid illegal chars according to RFC 6749, section 5.2 (issues oidc-sdk/487, server/1046).

  • Logs an OP5186 error when a client_secret update fails due to a concurrent client removal (issue server/1045).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.21.2

  • Updates to com.nimbusds:c2id-server-jwkset:2.0.1

  • Updates to com.nimbusds:c2id-server-key-store:1.7.3

  • Updates to com.nimbusds:tenant-manager:10.1.6

  • Updates to com.nimbusds:oauth2-authz-store:26.9.1

  • Updates to com.nimbusds:oidc-session-store:21.2.1

  • Updates to com.nimbusds:nimbus-jose-jwt:10.0.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:7.3.1

  • Updates to com.google.crypto.tink:tink:1.16.0

  • Updates to net.thisptr:jackson-jq:1.2.0