Connect2id server 4.1

This is a maintenance release of the OpenID Connect server which deals with data replication errors when Infinispan (the data grid layer) selects an incorrect serialiser version for a session or other object that needs to be transported across a Connect2id cluster.

If your Connect2id server cluster is affected you will be seeing serialisation errors in your logs at node startup or when performing a live roll-over from a 3.x cluster to the latest 4.x release.

The exceptions may look like this:

org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl

or

java.io.UTFDataFormatException: Invalid byte
        at org.jboss.marshalling.UTFUtils.readUTFBytes(UTFUtils.java:173) ~[infinispan-embedded-7.2.5.Final.jar:?]
        at org.jboss.marshalling.river.RiverUnmarshaller.readUTF(RiverUnmarshaller.java:1833) ~[infinispan-embedded-7.2.5.Final.jar:?]

The replication error may also manifest as some other exception.

Upgrading to 4.1

Download the 4.1 package and make sure the infinispan.xml configuration is updated to include a new externaliser declaration (see the release notes for more info).

Basically, replace the lines

<advanced-externalizer class="com.nimbusds.sessionstore.impl.ext.SubjectSessionExternalizerV1"/>
<advanced-externalizer class="com.nimbusds.sessionstore.impl.ext.SubjectSessionExternalizerV2"/>

with

<advanced-externalizer class="com.nimbusds.sessionstore.impl.ext.SubjectSessionExternalizer"/>

Unfortunately, the nature of the fix is such that a live automatic roll-over to 4.1 is not possible. To mitigate this, we extended the session store web API to allow creation of new sessions with a preset identifier (SID). With that, an external job can be set up to copy existing user sessions from the old to the new cluster:

  1. Get the active user sessions from your current cluster with

    GET /session-store/rest/v2/sessions HTTP/1.1
    Host: c2id.com
    Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
    
  2. Then recreate them in the new 4.1 cluster with

    POST /session-store/rest/v2/sessions HTTP/1.1
    Host: c2id.com
    Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
    SID: session-id
    Content-Type: application/json
    
    {
      "session-data"  : "..."
    }
    
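An external copy job along the lines of the two steps above, as an added example that is not Connect2id's own tooling. It assumes (the release notes do not say) that the GET response is a JSON object mapping SID to session data and that a POST whose SID already exists is rejected with an HTTP error; the transport is a constructed offline stand-in for urlopen so the job can be dry-run before touching a live cluster.

```python
import json
import urllib.error
import urllib.request
from types import SimpleNamespace

SESSIONS_PATH = "/session-store/rest/v2/sessions"


def build_copy_request(new_base, token, sid, session_data):
    """POST that recreates one session in the 4.1 cluster under its original SID."""
    body = json.dumps({"session-data": session_data}).encode("utf-8")
    req = urllib.request.Request(new_base + SESSIONS_PATH, data=body, method="POST")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("SID", sid)  # optional header added in 4.1 to preset the SID
    req.add_header("Content-Type", "application/json")
    return req


def fetch_sessions(old_base, token, send=urllib.request.urlopen):
    """Step 1: GET active sessions from the old cluster (assumed JSON object SID -> data)."""
    req = urllib.request.Request(old_base + SESSIONS_PATH, method="GET")
    req.add_header("Authorization", "Bearer " + token)
    return json.loads(send(req).read().decode("utf-8"))


def copy_sessions(sessions, new_base, token, send=urllib.request.urlopen):
    """Step 2: recreate each session in the new cluster; returns (copied, failed) SIDs."""
    copied, failed = [], []
    for sid, data in sessions.items():
        try:
            resp = send(build_copy_request(new_base, token, sid, data))
            (copied if 200 <= resp.status < 300 else failed).append(sid)
        except urllib.error.HTTPError:  # e.g. SID already present in the new cluster
            failed.append(sid)
    return copied, failed


def fake_send(existing_sids=()):
    """Constructed offline transport: GET yields two sample sessions, POST 201 unless SID exists."""
    sample = {"sid-1": "opaque-session-1", "sid-2": "opaque-session-2"}
    def send(req):
        if req.get_method() == "GET":
            return SimpleNamespace(status=200, read=lambda: json.dumps(sample).encode())
        if req.get_header("Sid") in existing_sids:  # urllib capitalises header names
            raise urllib.error.HTTPError(req.full_url, 409, "Conflict", {}, None)
        return SimpleNamespace(status=201, read=lambda: b"")
    return send
```

Swap `fake_send(...)` for the default `urllib.request.urlopen` to run the job against real clusters; the failed list tells you which sessions need attention rather than silently disappearing in the roll-over.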

Download

To download a ZIP package of Connect2id server 4.1:

https://connect2id.com/assets/products/server/download/4.1/Connect2id-server.zip

As WAR package only:

https://connect2id.com/assets/products/server/download/4.1/c2id.war

https://connect2id.com/assets/products/server/download/4.1/c2id-4.1.war

Questions?

Get in touch with Connect2id support; we'll be delighted to help out.


Release notes

4.1 (2016-03-04)

Configuration

  • /WEB-INF/infinispan.xml

    • Replaces the advanced externaliser classes com.nimbusds.sessionstore.impl.ext.SubjectSessionExternalizerV1 and com.nimbusds.sessionstore.impl.ext.SubjectSessionExternalizerV2 with com.nimbusds.sessionstore.impl.ext.SubjectSessionExternalizer (see issue session-store/27).

Web API

  • Session Store API /session-store/rest/v2:

    • The POST method adds support for an optional "SID" header to allow creation of new subject (end-user) sessions with a predefined session identifier (SID). Intended to assist migration of sessions (issue session-store/28).

  • Session Store API /session-store/rest/v2/sessions/count:

    • Modifies the behaviour of the GET method to only return the number of sessions present in memory, in order to avoid hitting the cache loader (in cases where the session store is configured to overflow or back up sessions to disk) (issue session-store/29).

Bug fixes

  • Fixes a serialisation bug that affected Infinispan replication of subject (end-user) sessions between Connect2id server nodes due to non-deterministic selection of versioned serialisers for session objects by Infinispan (issue session-store/27). The bug fix necessitated changes to the Infinispan configuration (see above). Live roll-over from previous Connect2id server versions to 4.1 will not migrate existing end-user sessions automatically; these may however be copied by an external job via the updated session store web API.

Dependencies

  • Upgrades to com.nimbusds:oidc-session-store:3.4.2

  • Upgrades to com.nimbusds:oauth2-authz-store:4.1

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.5.1

  • Upgrades to org.glassfish.jersey.containers:jersey-container-servlet:2.22.1