
Connect2id server 18.1 allows control of the user identity hint types in CIBA

This Connect2id server release ships an important security feature from the roadmap of CIBA enhancements – the ability to control the allowed types of user identity hint that a client application may use in a CIBA request. Back-channel authorisation requests must include a hint of the user identity, so that the IdP can route the request to the IdP app instance of the intended user.

Overview of the three user identity hint types in CIBA:

Hint               Risk     Typical use case
login_hint_token   Low      User-initiated flows in the IdP app - PoS transactions
id_token_hint      Medium   Clients with a current user authentication / session
login_hint         High     Trusted clients - authenticate users in call centre calls

Of the three hint types, the login_hint is deemed the most risky, as it allows the client to use guessable or public user identifiers in CIBA requests, such as an email address, telephone number or username. In the absence of suitable mitigation, a malicious client would thus be able to trigger unwanted authentication prompts to arbitrary users. This may for instance be exploited in brute-force attacks.

The login_hint also has the privacy and impersonation risk of carrying an accidentally mistyped identifier. In call centres it is thus recommended to fill in caller IDs automatically, while also being aware that caller IDs can easily be spoofed, as documented by this research article.

Whenever it’s feasible, Connect2id recommends that CIBA applications rely on a login_hint_token to hint the user identity. For these the Connect2id server mints a time-limited, opaque and cryptographically secure token that encapsulates the user identity and IdP app session. The token size is optimised for presentation in a QR code or via NFC.

To control the allowed CIBA hint types for a given client, specify a custom client metadata parameter using the new op.ciba.hintTypesQuery configuration property. The custom parameter is necessary because CIBA itself doesn’t specify one.

Here is an example client registration, using a custom data.login_hint_types parameter:

POST /clients HTTP/1.1
Host: demo.c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "grant_types"                     : [ "urn:openid:params:grant-type:ciba" ],
  "backchannel_token_delivery_mode" : "poll",
  "data"                            : { "login_hint_types" : [ "login_hint_token" ] }
}

The CIBA client registration guide has more examples.
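As an added illustration (not Connect2id server code), here is a Python model of the per-client hint type policy described above: the query runs over the client's custom data object, its output array lists the allowed hint types, and a null output means all server-enabled types are allowed. The query syntax is simplified to a dotted path into the data object; the real op.ciba.hintTypesQuery syntax is given in the server's configuration reference, and the error reason strings are constructed for this example.

```python
# The three CIBA user identity hint types, lowest to highest risk
HINT_TYPES = ("login_hint_token", "id_token_hint", "login_hint")


def query_allowed_hint_types(custom_data, query):
    """Apply the hint-types query to the client's custom data JSON object.
    Assumption: the query is modelled as a dotted path ("login_hint_types"),
    not the server's own query syntax. Returns the array found at that path,
    or None when it is absent or null (None = all enabled types are allowed)."""
    node = custom_data
    for key in query.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    if node is None:
        return None
    if not isinstance(node, list) or not all(h in HINT_TYPES for h in node):
        raise ValueError("query must output an array of CIBA hint types")
    return node


def check_ciba_hint(ciba_params, client_metadata, enabled_hint_types, query=None):
    """Validate the identity hint of a back-channel authentication request.
    ciba_params: CIBA request form parameters; client_metadata: registered client
    (custom parameters under "data"); enabled_hint_types: enabled server-wide.
    Returns (accepted, hint_type_or_reason)."""
    present = [h for h in HINT_TYPES if h in ciba_params]
    if len(present) != 1:  # CIBA requires exactly one hint per request
        return False, "invalid_request"
    hint = present[0]
    allowed = None
    if query is not None:
        allowed = query_allowed_hint_types(client_metadata.get("data", {}), query)
    if allowed is None:
        allowed = list(enabled_hint_types)
    if hint not in enabled_hint_types or hint not in allowed:
        # Constructed reason string; the server's actual error code is not on the page
        return False, "hint_type_not_allowed"
    return True, hint


# Constructed client registrations; the custom parameter sits under "data"
CIBA_GRANT = ["urn:openid:params:grant-type:ciba"]
FINANCE_CLIENT = {"grant_types": CIBA_GRANT, "backchannel_token_delivery_mode": "poll",
                  "data": {"login_hint_types": ["login_hint_token"]}}
CALL_CENTRE_CLIENT = {"grant_types": CIBA_GRANT, "backchannel_token_delivery_mode": "poll",
                      "data": {"login_hint_types": ["login_hint", "id_token_hint"]}}
# No custom parameter: the query outputs null, so all enabled hint types are allowed
LEGACY_CLIENT = {"grant_types": CIBA_GRANT, "backchannel_token_delivery_mode": "poll"}
```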

To sum up, controlling the hint types per CIBA client is a simple yet powerful way to enforce least privilege, minimise abuse and have a generally safer CIBA deployment.

Support for CIBA was introduced in Connect2id server 18.0. The next releases will include further CIBA-related features and security enhancements.

This release also includes an update to the token response customiser SPI and three fixed issues.

Note that the signing key for the Connect2id server artifacts was rotated at the start of 2025. The old key remains at its original URL.

Download 18.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 18.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: af2e76e4da33dafc27365ddb0b9599a3293ca60d6c51ce19d3c67e344df6fd86

Connect2id server 18.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 68cc485a1b47fb9cca594b3f42594af7e0be642606c8e8a4dbe4a37f34d2b2f4

Multi-tenant edition

Apache Tomcat package with Connect2id server 18.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 8cfb8a513549e47977ff66177e09aadc9d51580e808dfd48d32118131f2e8c3f

Connect2id server 18.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 43b0a48fcc733b9be2e8ef0252b9af9b2caac166066c1467c33b6d4ffc931fed

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

18.1 (2025-04-08)

Summary

  • Connect2id server deployments that provide OpenID Connect Client-Initiated Backchannel Authentication (CIBA) flows can now control which types of subject identity hint (login_hint_token, id_token_hint, login_hint) a client may use. For example, an application that deals with financial transactions may be allowed to use login_hint_token only.

  • The plugin interface (SPI) for intercepting and modifying responses from the token endpoint is able to access the Connect2id server codec for compressing / decompressing the OpenID Connect claim names in self-contained (JWT-encoded) access tokens.

  • Improves the resiliency of the object expiration tasks in deployments that use an SQL database.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.ciba.hintTypesQuery – New optional configuration property to specify a JSON query to determine the allowed CIBA hint types for a client. The JSON query is applied to the custom data JSON object of the registered client metadata and must output a JSON array containing the allowed hint types (login_hint_token, id_token_hint, and / or login_hint). If the query output is null all enabled CIBA types are allowed for the client. The default value is no JSON query (all enabled CIBA hint types are allowed).

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.12

    • The CustomTokenResponseComposer SPI is updated to provide access to the Connect2id server codec for compressing / decompressing the OpenID Connect claim names in self-contained (JWT-encoded) access tokens. The codec is accessed by a new getClaimNamesCompressor method of the TokenResponseContext.

Resolved issues

  • The expiration of objects in SQL databases is updated to prevent any encountered unchecked exceptions, such as a jOOQ DataAccessException, from terminating the expiration task. The exceptions are caught and logged (as WARN IS0152). The expiration is retried at the next scheduled timer task invocation. This measure is intended to prevent the timer task from terminating when transient issues occur, such as a temporary loss of network connectivity, an SQL query timeout, or a system clock leap (issue server/1059).

  • Fixes SLF4J(W): Defaulting to no-operation (NOP) logger implementation warning for Slf4j 2.x loggers (issue server/1079).

  • The initial CIBA request processor must be exported to the Servlet context (issue server/1080).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:5.12

  • Updates to com.nimbusds:oauth2-grant-handlers:1.4.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:8.3

  • Updates com.zaxxer:HikariCP:6.3.0

  • Updates to org.postgresql:postgresql:42.7.5

  • Updates to com.microsoft.sqlserver:mssql-jdbc:12.10.0.jre11

  • Updates to com.oracle.database.jdbc:ojdbc11:23.7.0.25.01

  • Updates to Log4j 2.24.3

  • Updates to org.slf4j:slf4j-api:2.0.16

  • Replaces org.apache.logging.log4j:log4j-slf4j-impl:2.24.2 with org.apache.logging.log4j:log4j-slf4j2-impl:2.24.2