Connect2id server 18.1 allows control of the user identity hint types in CIBA
This Connect2id server release ships an important security feature from the roadmap of CIBA enhancements – the ability to control the allowed types of user identity hint that a client application may use in a CIBA request. Back-channel authorisation requests must include a hint of the user identity, so that the IdP can route the request to the IdP app instance of the intended user.
Overview of the three user identity hint types in CIBA:

| Hint | Risk | Typical use case |
|---|---|---|
| login_hint_token | Low | User-initiated flows in the IdP app (e.g. PoS transactions) |
| id_token_hint | Medium | Clients with a current user authentication / session |
| login_hint | High | Trusted clients (e.g. authenticating users in call centre calls) |
Of the three hint types, the login_hint is deemed the most risky, as it allows the client to use guessable or public user identifiers in CIBA requests, such as an email address, telephone number or username. In the absence of suitable mitigation, a malicious client would thus be able to trigger unwanted authentication prompts to arbitrary users. This may for instance be exploited in brute-force attacks.

The login_hint also carries the privacy and impersonation risk of an accidentally mistyped identifier, which would direct the authentication prompt to the wrong person. In call centres it is thus recommended to fill in caller IDs automatically, while also being aware that caller IDs can easily be spoofed, as documented by this research article.

Whenever it is feasible, Connect2id recommends that CIBA applications rely on a login_hint_token to hint the user identity. For these the Connect2id server mints a time-limited, opaque and cryptographically secure token that encapsulates the user identity and the IdP app session. The token size is optimised for presentation in a QR code or via NFC.
To control the allowed CIBA hint types for a given client, store the policy in a custom client metadata parameter and point the new op.ciba.hintTypesQuery configuration property at it with a JSON query. The query is applied to the client's custom data JSON object and must output the array of allowed hint types; a null output means that every hint type enabled in the deployment is allowed. A custom parameter is necessary because CIBA itself doesn't specify one.

Here is an example client registration, placing the custom login_hint_types parameter in the client's data object, i.e. as data.login_hint_types, which is what the JSON query reads:

```http
POST /clients HTTP/1.1
Host: demo.c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "grant_types"                     : [ "urn:openid:params:grant-type:ciba" ],
  "backchannel_token_delivery_mode" : "poll",
  "data"                            : {
    "login_hint_types" : [ "login_hint_token" ]
  }
}
```
The CIBA client registration guide has more examples.
To sum up, controlling the hint types per CIBA client is a simple yet powerful way to enforce least privilege, minimise abuse and have a generally safer CIBA deployment.
Support for CIBA was introduced in Connect2id server 18.0. The next releases will include further CIBA-related features and security enhancements.
This release also includes an update to the token response customiser SPI and three fixed issues.
Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.
Download 18.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 18.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: af2e76e4da33dafc27365ddb0b9599a3293ca60d6c51ce19d3c67e344df6fd86
Connect2id server 18.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 68cc485a1b47fb9cca594b3f42594af7e0be642606c8e8a4dbe4a37f34d2b2f4
Multi-tenant edition
Apache Tomcat package with Connect2id server 18.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 8cfb8a513549e47977ff66177e09aadc9d51580e808dfd48d32118131f2e8c3f
Connect2id server 18.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 43b0a48fcc733b9be2e8ef0252b9af9b2caac166066c1467c33b6d4ffc931fed
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
18.1 (2025-04-08)
Summary
- Connect2id server deployments that provide OpenID Connect Client-Initiated Backchannel Authentication (CIBA) flows can now control which types of subject identity hint (login_hint_token, id_token_hint, login_hint) a client may use. For example, an application that deals with financial transactions may be allowed to use login_hint_token only.
- The plugin interface (SPI) for intercepting and modifying responses from the token endpoint is able to access the Connect2id server codec for compressing / decompressing the OpenID Connect claim names in self-contained (JWT-encoded) access tokens.
- Improves the resiliency of the object expiration tasks in deployments that use an SQL database.
Configuration
- /WEB-INF/oidcProvider.properties
  - op.ciba.hintTypesQuery – New optional configuration property to specify a JSON query to determine the allowed CIBA hint types for a client. The JSON query is applied to the custom data JSON object of the registered client metadata and must output a JSON array containing the allowed hint types (login_hint_token, id_token_hint, and / or login_hint). If the query output is null all enabled CIBA hint types are allowed for the client. The default value is no JSON query (all enabled CIBA hint types are allowed).
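The following is added example code, not part of the Connect2id server, illustrating the policy this property (and the blog text above) describes: take a registered client's metadata, evaluate a query over its custom data object, treat a null result as "all enabled types", intersect an array result with the hint types enabled in the deployment, and then decide whether an incoming CIBA request may proceed. The server's real JSON query syntax is not shown on this page, so a plain dotted key path over the data object stands in for it; the client_id values, the request bodies and the rejection wording are likewise assumptions made for the example. The rule that exactly one hint must be present comes from the CIBA Core specification.

```python
# Added example (not Connect2id server code): per-client CIBA hint type policy.
# The JSON query is modelled as a dotted key path over the client's custom
# "data" object, an assumed stand-in for the server's actual query language.
from __future__ import annotations

from urllib.parse import parse_qs

# The three hint types defined by CIBA Core, in the order used on this page.
HINT_TYPES = ("login_hint_token", "id_token_hint", "login_hint")


def run_hint_types_query(client_data: dict | None, query: str | None):
    """Evaluate the (stand-in) JSON query against the client's data object.

    Returns None when no query is configured, the client has no data object,
    or the path does not resolve, which models a null query output.
    """
    if query is None or client_data is None:
        return None
    node = client_data
    for key in query.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def allowed_hint_types(client_metadata: dict, query: str | None,
                       enabled: frozenset[str]) -> frozenset[str]:
    """Hint types the client may use, given the deployment's enabled types."""
    out = run_hint_types_query(client_metadata.get("data"), query)
    if out is None:
        return enabled  # null output: every enabled hint type is allowed
    if not isinstance(out, list) or not all(isinstance(h, str) for h in out):
        raise ValueError("hint types query must output a JSON array of strings")
    unknown = set(out) - set(HINT_TYPES)
    if unknown:
        raise ValueError(f"unknown CIBA hint type(s): {sorted(unknown)}")
    # Least privilege: a client policy can narrow, but never widen, the set
    # of hint types the deployment has enabled.
    return frozenset(out) & enabled


def present_hint_type(ciba_request_body: str) -> str:
    """Return the single hint type present in a form-encoded CIBA request.

    CIBA Core requires exactly one of the three hints; none or several
    makes the request malformed.
    """
    params = parse_qs(ciba_request_body, keep_blank_values=True)
    present = [h for h in HINT_TYPES if h in params]
    if len(present) != 1:
        raise ValueError(f"expected exactly one user identity hint, got {present}")
    return present[0]


def check_ciba_request(client_metadata: dict, ciba_request_body: str,
                       query: str | None, enabled: frozenset[str]) -> tuple[bool, str]:
    """Decide whether the request's hint type is permitted for this client.

    Returns (accepted, detail): the hint type on success, otherwise the
    reason for rejection (the wording is this example's own).
    """
    try:
        hint = present_hint_type(ciba_request_body)
    except ValueError as exc:
        return False, str(exc)
    allowed = allowed_hint_types(client_metadata, query, enabled)
    if hint not in allowed:
        client_id = client_metadata.get("client_id", "?")
        return False, f"{hint} is not permitted for client {client_id}"
    return True, hint


# --- Constructed sample data (hypothetical, not from any real deployment) ---
ENABLED = frozenset(HINT_TYPES)          # deployment has all three types enabled
QUERY = "login_hint_types"               # reads data.login_hint_types

POS_CLIENT = {                           # restricted as in the registration example
    "client_id": "pos-terminal",
    "grant_types": ["urn:openid:params:grant-type:ciba"],
    "backchannel_token_delivery_mode": "poll",
    "data": {"login_hint_types": ["login_hint_token"]},
}
UNRESTRICTED_CLIENT = {                  # no custom parameter: the query yields null
    "client_id": "legacy-app",
    "grant_types": ["urn:openid:params:grant-type:ciba"],
    "backchannel_token_delivery_mode": "poll",
}

REQ_WITH_TOKEN = "scope=openid&login_hint_token=opaque-token-minted-by-the-idp"
REQ_WITH_EMAIL = "scope=openid&login_hint=alice%40example.com"

if __name__ == "__main__":
    for client in (POS_CLIENT, UNRESTRICTED_CLIENT):
        for body in (REQ_WITH_TOKEN, REQ_WITH_EMAIL):
            print(client["client_id"], check_ciba_request(client, body, QUERY, ENABLED))
```

Running the block shows the PoS client accepted only with a login_hint_token and rejected with an email login_hint, while the client without the custom parameter is accepted with either. The intersection in allowed_hint_types is the detail worth keeping: a per-client policy that lists login_hint cannot re-enable it in a deployment where that type is switched off.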
SPI
- Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.12
- The CustomTokenResponseComposer SPI is updated to provide access to the Connect2id server codec for compressing / decompressing the OpenID Connect claim names in self-contained (JWT-encoded) access tokens. The codec is accessed by a new getClaimNamesCompressor method of the TokenResponseContext.
Resolved issues
- The expiration of objects in SQL databases is updated to prevent any encountered unchecked exceptions, such as a jOOQ DataAccessException, from terminating the expiration task. The exceptions are caught and logged (as WARN IS0152). The expiration is retried at the next scheduled timer task invocation. This measure is intended to prevent the timer task from terminating when transient issues occur, such as a temporary loss of network connectivity, an SQL query timeout, or a system clock leap (issue server/1059).
- Fixes the "SLF4J(W): Defaulting to no-operation (NOP) logger implementation" warning for Slf4j 2.x loggers (issue server/1079).
- The initial CIBA request processor must be exported to the Servlet context (issue server/1080).
Dependency changes
- Upgrades to com.nimbusds:c2id-server-sdk:5.12
- Updates to com.nimbusds:oauth2-grant-handlers:1.4.1
- Updates to com.nimbusds:infinispan-cachestore-sql:8.3
- Updates to com.zaxxer:HikariCP:6.3.0
- Updates to org.postgresql:postgresql:42.7.5
- Updates to com.microsoft.sqlserver:mssql-jdbc:12.10.0.jre11
- Updates to com.oracle.database.jdbc:ojdbc11:23.7.0.25.01
- Updates to Log4j 2.24.3
- Updates to org.slf4j:slf4j-api:2.0.16
- Replaces org.apache.logging.log4j:log4j-slf4j-impl:2.24.2 with org.apache.logging.log4j:log4j-slf4j2-impl:2.24.2