Blog »

Connect2id server 6.16

2017-12-08

Improved DevOps support

DevOps engineers will love the new Connect2id server release:

  • The server JWK set for signing the issued tokens and performing other cryptographic operations can now be passed via a Java system property, just like the rest of the configuration. This means that the server WAR package can be distributed and deployed onto Apache Tomcat without any secrets (keys, master API tokens, database credentials) included in it. These can be applied at startup time, from a script or a secure configuration vault.

  • The server can optionally load configuration properties from a local file, an Amazon S3 object or an Amazon DynamoDB table. The external properties location is specified by a URL like https://s3-us-west-2.amazonaws.com/loh0uuji/c2id-config/6.16.

  • A new /config/check endpoint was added. It can be used as part of a DevOps pipeline, to perform quick online validation of a set of server configuration properties.

Token events and SETs

The new Connect2id server release also exposes two Java SPIs for installing listeners for ID and access token issue events.

The events can be passed to a message queue, time-series database or some other service to monitor sign-in activity and OAuth 2.0 authorisations in real time, for purposes such as security audit logging and usage metering.

The events can optionally be turned into Security Event Tokens (SET), to protect their integrity and cryptographically assert their origin.

Sample SET claims for an ID token issue event:

{
  "iss"    : "https://c2id.com",
  "sub"    : "[email protected]",
  "iat"    : 1458496404,
  "jti"    : "cuiqu8isaixo6Ien",
  "aud"    : [ "https://risk.c2id.com" ],
  "events" : { "urn:com:c2id:op:id_token_issue": { "client_id" : "doh9Kool",
                                                   "acr"       : "0",
                                                   "amr"       : [ "pwd" ] } }
}

Updated login UI

The sample login page that comes with the Connect2id server is now more capable, thanks to a contribution from Para:

  • The UI can also handle logout requests initiated by client applications.
  • The session cookie is now set as HTTP-only to guard against XSS attacks.

Download

To download a ZIP package of Connect2id server 6.16:

https://connect2id.com/assets/products/server/download/6.16/Connect2id-server.zip

SHA-256: d2e38dee9acc71e83fc23c16ab047c25b00a4dd31686d565261bb7d3c77251df

As WAR package only:

https://connect2id.com/assets/products/server/download/6.16/c2id.war

SHA-256: 762c96b84d3423f4e93060ad6220912e263ccb3163a1bc46143bacf43d1375c5

Questions?

Get in touch with Connect2id support.

Release notes

6.16 (2017-12-08)

Configuration

  • The Connect2id server JWK set can be alternatively passed via a jose.jwkSet Java system property, overriding the content of /WEB-INF/jwkSet.json. The JWK set can be passed in its standard JSON string format, or with additional BASE64URL encoding (to work around the need to escape special characters in the shell).

  • Adds support for loading Java system properties at Connect2id server startup from a local file, an AWS S3 object or an AWS DynamoDB item. The properties location is specified by a URL passed via a systemPropertiesURL Java system property, for example file:////etc/c2id/server.properties to retrieve them from a local file or http://s3-us-west-2.amazonaws.com/loh0uuji/ieg1koik to retrieve them from an S3 object.

    The AWS credentials for accessing the S3 bucket or DynamoDB table must be configured in way that the default AWS credentials provider chain can look them up, ideally via IAM instance profile roles. See http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html

    The loaded Java system properties can be used to override Connect2id server configuration properties found in the /WEB-INF/*.properties and /WEB-INF/*.xml configuration files.

Web API

  • /config/check -- New endpoint for online validation of a Connect2id server configuration property set, consisting of the combined properties specified in /WEB-INF/oidcProvider.properties, /WEB-INF/sessionStore.properties, /WEB-INF/authzStore.properties and /WEB-INF/monitor.properties. The properties are validated by a HTTP POST request to the endpoint. The endpoint is not protected by an access token. Upon successful validation a 204 No Content status code is returned, else a 400 Bad Request with a JSON object body with the name of the invalid property and additional information to aid debugging.

SPI

  • com.nimbusds.openid.connect.provider.spi.config.SystemPropertiesSource -- Adds new optional SPI for loading system properties from alternative sources such as databases and cloud stores.

  • com.nimbusds.openid.connect.provider.spi.events.IDTokenIssueEventListener -- Adds new SPI for listening to ID token issue events.

  • com.nimbusds.openid.connect.provider.spi.events.AccessTokenIssueEventListener -- Adds new SPI for listening to access token issue events.

  • com.nimbusds.openid.connect.provider.spi.claims.AdvancedClaimsSource -- Adds the OpenID Provider Issuer URI to the ClaimsRequestContext.

  • com.nimbusds.openid.connect.provider.spi.ServiceContext -- Adds a new getJWTIssuer method to the service context interface. Intended for issuing JWTs created by SPI implementations, for example security events (SET).

Resolved Issues

  • Switches to shadowed AWS SDK dependency to prevent transient dependency conflicts with other packages. The issue was observed in AWS Elastic Beanstalk deployments (issue hosted-server/20).

  • Logs loading of monitor API servlets at Connect2id server startup (issue server/316).

  • Adds trace logging of first 16 characters of submitted bearer access token at the client registration endpoint for debugging purposes (issue server/337).

Dependency Changes

  • Adds com.nimbusds:c2id-server-property-source:1.0.1 dependency

  • Upgrades to com.nimbusds:c2id-server-sdk:3.16

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:1.4

  • Upgrades to org.bouncycastle:bcprov-jdk15on:1.58

  • Upgrades to org.bouncycastle:bcpkix-jdk15on:1.58

  • Upgrades to com.nimbusds:oauth2-authz-store:5.22

  • Upgrades to com.nimbusds:oidc-session-store:5.2.14

  • Upgrades to com.nimbusds:common:com.nimbusds:2.18

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:1.5.3

  • Upgrades to com.nimbusds:jgroups-dynamodb-ping:1.2.2

  • Upgrades to com.amazonaws:aws-java-sdk-bundle:1.11.235