Connect2id server 17.1 ships a private_key_jwt update
This release of the Connect2id server ships a security
update to the
private_key_jwt
authentication method for clients. Deployments can now configure strict aud
(audience) checking of the JWTs, which requires the value to be the identity of
the Connect2id server, i.e. its issuer
URL.
Example JWT payload with a strict aud:
{
"iss" : "oe7aiz60",
"sub" : "oe7aiz60",
"aud" : "https://demo.c2id.com",
"exp" : 1453021544,
"jti" : "Eefaevo0"
}
Private key authentication JWTs where the aud is set to the URL of the
endpoint will be rejected in the strict mode:
{
"iss" : "oe7aiz60",
"sub" : "oe7aiz60",
"aud" : "https://demo.c2id.com/token",
"exp" : 1453021544,
"jti" : "Eefaevo0"
}
Multi-valued audiences will also be rejected, for example where the aud
includes both the issuer URL and the token endpoint URL of the Connect2id
server:
{
"iss" : "oe7aiz60",
"sub" : "oe7aiz60",
"aud" : [ "https://demo.c2id.com", "https://demo.c2id.com/token" ],
"exp" : 1453021544,
"jti" : "Eefaevo0"
}
To turn on strict private_key_jwt audience checking use the new
op.token.authJWTAudience
configuration property.
op.token.authJWTAudience=STRICT
The default value is LEGACY, which keeps the currently established audience
checking. We chose to call it that way, because the general future direction in
specifications and profiles using private_key_jwt is going to be towards use
of identity audiences instead of endpoints.
Strict audience checking can be enabled gradually, only for selected clients,
by using a custom parameter in the data client metadata parameter, to be
picked up by a simple JSON query, configured in the
op.token.authJWTAudienceQuery
property.
Example:
op.token.authJWTAudienceQuery=.client_auth_aud_check
Note that the new configurations apply to the audience check for client_secret_jwt authentication as well.
The strict private_key_jwt audience check is required by the new FAPI
2.0 security profile,
designed for Open Banking and other applications that demand stringent
protection of user login and APIs. It requires the JWT aud to be always the
identity of the OpenID provider / OAuth 2.0 server, as indicated in the
issuer parameter of the published server
metadata, regardless of whether
the client authenticates to the token endpoint, the PAR endpoint, or some other
server endpoint.
The strict identity audience is intended to become a general recommendation, through errata, in section 9 of OpenID Connect Core 1.0, as well as in OAuth 2.0, where JWT authentication is specified in section 3 of RFC 7523.
The coming Monday, the 27th of January, Dr. Michael Jones, who is co-author of the two specifications, and Joseph Heenan, leader of the OpenID certification, are going to talk about that in an online meeting of the OAuth working group. Feel free to join if you wish to find out more. Of course, you can always talk to our tech team.
The OAuth 2.0 / OpenID Connect SDK
received an update in v11.21 to make it easier to mint and verify JWTs for
private_key_jwt and client_secret_jwt for the strict audience mode.
More information about the new features, changes and resolved issues in the new release can be found in the notes below.
Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.
Download 17.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 17.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 8d4d97c7d202e044b13358ddb79d0ad129b9f9c3f580356e73bd22fac17c55fb
Connect2id server 17.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 5d6196accae764121aab72820175d46484490ee1a9309b8bd4f06d525f014968
Multi-tenant edition
Apache Tomcat package with Connect2id server 17.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: c1b89d048c3710833c54f39628e59bc7a2ef3f330411b20296bdedd4ce527255
Connect2id server 17.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: fe2e4af306fc8870a6e7b19b02d9e7f4a0c4fa9aa2c845514213c6bb9108988e
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
17.1 (2025-01-22)
Summary
-
Enhances the security of
private_key_jwtclient authentication by supporting strictaud(audience) checking of the received JWTs, as mandated by the new FAPI 2.0 profile and by the soon-to-be published errata of OpenID Connect Core 1.0, RFC 7523 and FAPI 1.0.The strict check requires the
audJWT claim to be the issuer URL of the Connect2id server (as configured byop.issuer), and if theaudis a JSON array, to contain no other values. The endpoint URL is not accepted as anaudvalue when strict checking is enabled.The strict JWT audience check can be enabled globally, for all clients, or for selected clients only. Using the latter, deployments can migrate to strict audience checking gradually and over time. The client authentication interceptor SPI can be used to monitor the client usage of
private_key_jwtand notify client administrators if anaudchange is desired.The default JWT audience check remains unchanged, allowing the
audJWT claim to contain the issuer URL, the endpoint URL, and to be multi-valued, in accordance with the original versions of OpenID Connect Core 1.0, section 9, and the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523). -
Upgrades the support for OpenID Connect Native SSO for Mobile Apps 1.0 to draft 07. The token type URI for ID tokens (in the
subject_token_typeparameter) becomesurn:openid:params:token-type:id_token, for device secrets (in theactor_token_typeparameter)urn:openid:params:token-type:device_secret.
Configuration
-
/WEB-INF/oidcProvider.properties
-
op.token.authJWTAudience– New optional configuration property for the JWTaud(audience) check inclient_secret_jwtandprivate_key_jwtclient authentication.Supported JWT audience checks:
-
LEGACY– Theaudmay be multi-valued and contain values other than the endpoint URL or the issuer URL of the OpenID provider / OAuth 2.0 authorisation server. -
STRICT– Theaudmust be single-valued and set to the issuer URL of the OpenID provider / OAuth 2.0 authorisation server.
The default value is
LEGACY. -
-
op.token.authJWTAudienceQuery– New optional configuration property to override the JWTaud(audience) check for selected clients.The JSON query is applied to the custom
dataJSON object of the registered client metadata and must return aLEGACYorSTRICTstring (case-insensitive). The default value is no overriding JSON query.Example JSON query to look up the audience check in the custom
dataclient registration field:.authJWTAudience. Clients which registration doesn’t contain adata.authJWTAudienceset toLEGACYorSTRICTwill be authenticated according to the globally configuredop.token.authJWTAudience.
-
Resolved issues
-
HTTP 400 Bad Request responses from the
key-store/rest/v1web API due to a concurrent JWK set modification exception must be given anerror_descriptionmessage (issue server/1043). -
Hardens authorisation request parsing when dealing with an illegal URI representation in the redirect_uri parameter. URISyntaxException messages must not be included in the error_description to avoid illegal chars according to RFC 6749, section 5.2 (issues oidc-sdk/487, server/1046).
-
Logs an OP5186 error when a
client_secretupdate fails due to a concurrent client removal (issue server/1045).
Dependency changes
-
Upgrades to com.nimbusds:oauth2-oidc-sdk:11.21.2
-
Updates to com.nimbusds:c2id-server-jwkset:2.0.1
-
Updates to com.nimbusds:c2id-server-key-store:1.7.3
-
Updates to com.nimbusds:tenant-manager:10.1.6
-
Updates to com.nimbusds:oauth2-authz-store:26.9.1
-
Updates to com.nimbusds:oidc-session-store:21.2.1
-
Updates to com.nimbusds:nimbus-jose-jwt:10.0.1
-
Updates to com.nimbusds:nimbus-jwkset-loader:7.3.1
-
Updates to com.google.crypto.tink:tink:1.16.0
-
Updates to net.thisptr:jackson-jq:1.2.0