Connect2id server 3.4
There’s nothing ground-breaking in the latest 3.4 release of the Connect2id server for OpenID Connect single sign-on (SSO) and identity provision (IdP), just several incremental improvements.
Here’s the summary:
1. Support for the ‘code id_token token’ response type
Application developers typically use the code flow or the implicit flow to obtain ID and / or access tokens from the server. OpenID Connect also specifies a hybrid flow to let the back-end as well as the front-end obtain tokens separately from one another.
Clients can request a particular hybrid response with the following parameters:
- response_type=code id_token
- response_type=code token
- response_type=code id_token token
The hybrid code id_token and code token response types have been supported since the very first release of the Connect2id server. We decided to include code id_token token as well, so that all standard OpenID Connect response types are now fully covered.
2. Nimbler ID tokens
When ID tokens are issued together with a code and / or access token, OpenID Connect recommends including their hashes as c_hash and at_hash claims in the ID token payload. This creates a secure and verifiable binding between the tokens when they are obtained from different endpoints (i.e. the authorisation endpoint vs the token endpoint). Otherwise the inclusion of these hashes is optional.
The Connect2id server policy was modified to only include the hashes when that’s mandated by the OpenID spec (the previous server policy was to always include them if possible). This should result in smaller ID tokens when the hashes are not required.
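As an added illustration of the hybrid response types from section 1 and the hash policy described above (this is example code written for this post, not Connect2id server or SDK code), the following Python implements the OpenID Connect Core rule for at_hash and c_hash: the token's ASCII octets are hashed with the hash function of the ID token's JWS alg, the left-most half of the digest is kept and base64url-encoded without padding. It also encodes when each hash is mandatory, which is exactly the distinction the new server policy relies on: an ID token issued from the authorisation endpoint alongside a code needs c_hash, one issued alongside an access token needs at_hash, and an ID token from the token endpoint needs neither. The token values and claim sets are constructed for the demo.

```python
import base64
import hashlib
import hmac

# The digest for at_hash / c_hash follows the ID token's JWS "alg":
# SHA-256 for RS256/ES256/HS256/PS256, SHA-384 for *384, SHA-512 for *512.
_ALG_DIGEST = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def token_hash(token: str, id_token_alg: str) -> str:
    """Compute the at_hash / c_hash value for `token` (OpenID Connect Core 1.0, 3.3.2.11)."""
    bits = id_token_alg[-3:]
    if bits not in _ALG_DIGEST:
        raise ValueError(f"unsupported ID token alg: {id_token_alg}")
    digest = _ALG_DIGEST[bits](token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]          # left-most half of the digest
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_token_hash(claimed_hash: str, token: str, id_token_alg: str) -> bool:
    """Constant-time comparison of a claimed hash against the recomputed one."""
    expected = token_hash(token, id_token_alg)
    return hmac.compare_digest(claimed_hash.encode("utf-8"), expected.encode("utf-8"))


def required_token_hashes(response_type: str, issued_from_token_endpoint: bool) -> set:
    """Hash claims an ID token MUST carry for a given response_type.

    c_hash is required when the ID token is issued from the authorisation
    endpoint together with a code ("code id_token", "code id_token token");
    at_hash is required when it is issued from the authorisation endpoint
    together with an access token ("id_token token", "code id_token token").
    An ID token from the token endpoint (code flow, or the back-channel leg of
    the hybrid flow) requires neither, so a server may legitimately omit them.
    """
    parts = set(response_type.split())
    if "id_token" not in parts or issued_from_token_endpoint:
        return set()
    required = set()
    if "code" in parts:
        required.add("c_hash")
    if "token" in parts:
        required.add("at_hash")
    return required


def check_hybrid_response(response_type: str, params: dict, id_token_claims: dict,
                          id_token_alg: str) -> list:
    """Problems found when binding a front-channel (authorisation endpoint)
    response's code / access_token to the ID token it arrived with.
    `params` holds the response parameters; `id_token_claims` the verified
    ID token payload. Returns an empty list when everything binds."""
    problems = []
    for claim in sorted(required_token_hashes(response_type, issued_from_token_endpoint=False)):
        token_param = "code" if claim == "c_hash" else "access_token"
        if claim not in id_token_claims:
            problems.append(f"missing {claim}")
        elif token_param not in params:
            problems.append(f"missing {token_param}")
        elif not verify_token_hash(id_token_claims[claim], params[token_param], id_token_alg):
            problems.append(f"{claim} does not match {token_param}")
    return problems


if __name__ == "__main__":
    # Constructed sample values for a "code id_token token" hybrid response.
    alg = "RS256"
    response = {"code": "constructed-code-123", "access_token": "constructed-access-token-xyz"}
    claims = {
        "sub": "alice",
        "c_hash": token_hash(response["code"], alg),
        "at_hash": token_hash(response["access_token"], alg),
    }
    print("required:", required_token_hashes("code id_token token", False))
    print("problems:", check_hybrid_response("code id_token token", response, claims, alg))
    response["code"] = "swapped-code"   # a code that does not belong to this ID token
    print("after tamper:", check_hybrid_response("code id_token token", response, claims, alg))
```

A relying party using the hybrid flow should run a check like `check_hybrid_response` on the front-channel response before exchanging the code, and then treat the absence of at_hash in the ID token returned by the token endpoint as normal rather than as an error, which is what the smaller ID tokens from this release produce.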
3. Advanced claims source SPI
The Connect2id server SDK was upgraded with an additional advanced SPI for sourcing UserInfo claims.
Customers and integrators who need additional inputs into their claims sourcing and DB connectors, such as the client_id of the application, can take advantage of this interface. All others should stick to the simple ClaimsSource SPI.
Download
To download a ZIP package of Connect2id server 3.4:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/3.4/Connect2id-server.zip
As WAR package only:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/3.4/c2id.war
Questions?
Please contact Connect2id support.
Connect2id Server 3.4 release notes
Configuration
- /WEB-INF/oidcProvider.properties
  * Adds support for the "code id_token token" response type which can be enabled in the op.authz.responseTypes configuration property. This response type is intended for OpenID Connect RPs (clients) using the hybrid flow. See OpenID Connect Core 1.0, section 3.3 for more information.
Web API
- No changes
Dependencies
- Upgrades to com.nimbusds:c2id-server-sdk:3.3
- Upgrades to com.nimbusds:oauth2-oidc-sdk:5.0-alpha2
- Upgrades to com.nimbusds:oauth2-authz-store:3.1.2
- Upgrades to com.nimbusds:oidc-session-store:3.1.1
- Upgrades to com.nimbusds:nimbus-jose-jwt:4.0
- Upgrades to com.nimbusds:common:1.91
- Upgrades to org.infinispan:infinispan-embedded:7.2.4.Final
- Upgrades to org.glassfish.jersey.containers:jersey-container-servlet:2.21
- Upgrades to org.apache.logging.log4j:log4j-web:2.3
- Upgrades to org.apache.logging.log4j:log4j-slf4j-impl:2.3
Bug fixes
- Releases LDAP connections for objectClass schema dump back to pool after use (issues authz-store/103 and server/144).
- Fixes bug which prevented inclusion of preset claims when processing UserInfo requests with no authorised claim names (issue server/136).
- The Authorisation session web API handles unsupported response_mode in OpenID authentication requests by returning an HTTP 220 authorisation error without redirection (issue server/139).
- Removes unused PresetClaimsEndpoint from /WEB-INF/web.xml (issue server/137).
Other
- Includes access token hash (at_hash) and authorisation code hash (c_hash) claims in ID tokens only when mandated by the OpenID Connect specification (issue server/151).
- Adds support for AdvancedClaimsSource SPI from com.nimbusds:c2id-server-sdk:3.3 to enable passing of additional parameters (client_id) to claims source connectors (issue server/150).
- Logs a UserInfo endpoint ERROR if the JWT-encoded access tokens are not configured to include all required claims: sub exp cid scp clm cll uip