
Connect2id server 3.4

There’s nothing ground-breaking in the latest 3.4 release of the Connect2id server for OpenID Connect single sign-on (SSO) and identity provision (IdP), just several incremental improvements.

Here’s the summary:

1. Support for the ‘code id_token token’ response type

Application developers typically use the code flow or the implicit flow to obtain ID and / or access tokens from the server. OpenID Connect also specifies a hybrid flow to let the back-end as well as the front-end obtain tokens separately from one another.

Clients can request a particular hybrid response with the following parameters:

  • response_type=code id_token
  • response_type=code token
  • response_type=code id_token token

The hybrid code id_token and the code token response types have been supported since the very first release of the Connect2id server. We decided to include code id_token token as well, so that all standard OpenID Connect response types are fully covered now.

2. Nimbler ID tokens

When an ID token is issued together with a code and / or an access token, OpenID Connect recommends including their hashes as c_hash and at_hash claims in the ID token payload. This creates a secure and verifiable binding between the tokens when they are obtained from different endpoints (i.e. the authorisation endpoint vs the token endpoint). Otherwise the inclusion of these hashes is optional.

The Connect2id server policy was modified to only include the hashes when that’s mandated by the OpenID spec (the previous server policy was to always include them if possible). This should result in smaller ID tokens when the hashes are not required.
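As an added illustration (not code from Connect2id or from the OpenID specification), the Python below spells out the rule the server now follows and the check a relying party performs on the other side: which of c_hash and at_hash OpenID Connect Core 1.0 requires for each hybrid / implicit response type when the ID token comes from the authorisation endpoint, how the hash is computed (left-most half of the digest matching the ID token's alg, base64url encoded), and how a client verifies both in a code id_token token response. The function names and the sample code and token strings are constructed for this example; the digest mapping follows the JWA alg suffix (256, 384, 512) and rejects anything else.

```python
import base64
import hashlib
import hmac

# Digest implied by the ID token's JWS "alg" header, as OpenID Connect Core 1.0
# (sections 3.2.2.10 and 3.3.2.11) prescribes: RS256/ES256/HS256 -> SHA-256,
# *384 -> SHA-384, *512 -> SHA-512. Algorithms outside this table are rejected.
_ALG_SUFFIX_TO_DIGEST = {"256": "sha256", "384": "sha384", "512": "sha512"}


def token_hash(value: str, id_token_alg: str) -> str:
    """Compute an at_hash / c_hash value for the given access token or code."""
    for suffix, digest_name in _ALG_SUFFIX_TO_DIGEST.items():
        if id_token_alg.endswith(suffix):
            digest = hashlib.new(digest_name, value.encode("ascii")).digest()
            break
    else:
        raise ValueError(f"unsupported ID token alg: {id_token_alg}")
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def required_hash_claims(response_type: str, endpoint: str) -> set:
    """Hash claims the spec REQUIRES in an ID token.

    Only an ID token issued from the authorisation endpoint alongside a code
    and/or access token must carry them; an ID token from the token endpoint
    may include them but need not (Core 3.1.3.6 and 3.3.3.6).
    """
    parts = set(response_type.split())
    if "id_token" not in parts or endpoint != "authorization":
        return set()
    required = set()
    if "code" in parts:
        required.add("c_hash")
    if "token" in parts:
        required.add("at_hash")
    return required


def verify_token_hashes(id_token_claims: dict, id_token_alg: str,
                        response_type: str, endpoint: str,
                        code: str = None, access_token: str = None) -> list:
    """Client-side c_hash / at_hash check. Returns a list of problems (empty = OK).

    Assumes the ID token's signature was already verified, so the claims are
    trusted and only the binding to the code / access token is checked here.
    """
    problems = []
    for claim in required_hash_claims(response_type, endpoint):
        if claim not in id_token_claims:
            problems.append(f"missing required {claim}")
    for claim, token in (("c_hash", code), ("at_hash", access_token)):
        if claim not in id_token_claims:
            continue
        if token is None:
            problems.append(f"{claim} present but no matching token was received")
            continue
        expected = token_hash(token, id_token_alg).encode("utf-8")
        actual = str(id_token_claims[claim]).encode("utf-8")
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{claim} does not match")
    return problems


if __name__ == "__main__":
    # Constructed sample values; not real tokens.
    code, access_token, alg = "SplxlOBeZQQYbYS6WxSbIA", "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y", "RS256"
    claims = {"c_hash": token_hash(code, alg), "at_hash": token_hash(access_token, alg)}
    print(required_hash_claims("code id_token token", "authorization"))
    print(verify_token_hashes(claims, alg, "code id_token token", "authorization", code, access_token))
    # A swapped code from a different response is caught by the c_hash check.
    print(verify_token_hashes(claims, alg, "code id_token token", "authorization", code + "x", access_token))
```

The required_hash_claims table is what makes the "nimbler ID tokens" change safe: dropping the hashes is only permissible where the spec does not require them, and a conforming client keeps rejecting an authorisation-endpoint ID token in a code id_token or code id_token token response that lacks c_hash.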

3. Advanced claims source SPI

The Connect2id server SDK was upgraded with an additional advanced SPI for sourcing UserInfo claims. Customers and integrators who need additional inputs into their claims sourcing and DB connectors, such as the client_id of the requesting application, can take advantage of this interface. All others should stick to the simple ClaimsSource SPI.

Download

To download a ZIP package of Connect2id server 3.4:

https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/3.4/Connect2id-server.zip

As WAR package only:

https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/3.4/c2id.war

Questions?

Please contact Connect2id support.

Connect2id Server 3.4 release notes

Configuration

  • /WEB-INF/oidcProvider.properties

    * Adds support for the "code id_token token" response type which can be
      enabled in the op.authz.responseTypes configuration property. This
      response type is intended for OpenID Connect RPs (clients) using the
      hybrid flow. See OpenID Connect Core 1.0, section 3.3 for more
      information.
    

Web API

  • No changes

Dependencies

  • Upgrades to com.nimbusds:c2id-server-sdk:3.3

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.0-alpha2

  • Upgrades to com.nimbusds:oauth2-authz-store:3.1.2

  • Upgrades to com.nimbusds:oidc-session-store:3.1.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.0

  • Upgrades to com.nimbusds:common:1.91

  • Upgrades to org.infinispan:infinispan-embedded:7.2.4.Final

  • Upgrades to org.glassfish.jersey.containers:jersey-container-servlet:2.21

  • Upgrades to org.apache.logging.log4j:log4j-web:2.3

  • Upgrades to org.apache.logging.log4j:log4j-slf4j-impl:2.3

Bug fixes

  • Releases LDAP connections for objectClass schema dump back to pool after use (issues authz-store/103 and server/144).

  • Fixes bug which prevented inclusion of preset claims when processing UserInfo requests with no authorised claim names (issue server/136).

  • The authorisation session web API handles an unsupported response_mode in OpenID authentication requests by returning an HTTP 220 authorisation error without redirection (issue server/139).

  • Removes unused PresetClaimsEndpoint from /WEB-INF/web.xml (issue server/137).

Other

  • Includes access token hash (at_hash) and authorisation code hash (c_hash) claims in ID tokens only when mandated by the OpenID Connect specification (issue server/151).

  • Adds support for AdvancedClaimsSource SPI from com.nimbusds:c2id-server-sdk:3.3 to enable passing of additional parameters (client_id) to claims source connectors (issue server/150).

  • Logs a UserInfo endpoint ERROR if the JWT-encoded access tokens are not configured to include all required claims: sub, exp, cid, scp, clm, cll, uip.