Connect2id server 6.18 allows token introspection responses to be JWTs
Updated token introspection
The Connect2id server can now return token introspection responses encapsulated in a signed JSON Web Token (JWT). The JWT can provide an additional layer of assurance where required by resource servers.
There are two ways to trigger a JWT to be returned for a token introspection response:
- By passing an Accept: application/jwt HTTP header with the token introspection request.
- By enabling op.token.introspection.alwaysRespondWithJWT, which causes a JWT to be returned for all introspection responses, regardless of how the Accept header is set.
The JWT is signed with the same JWS algorithm and key used for the self-contained (JWT-encoded) access tokens.
Example introspection request:
POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Accept: application/jwt
token=ohDaa4co3ohthohm.uochoh8ahhie6Yoo
Example introspection response encoded into a JWT:
HTTP/1.1 200 OK
Content-Type: application/jwt;charset=UTF-8
eyJraWQiOiJDWHVwIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJuMmN4N3EyaHFpbWp3Iiwic2NvcGUi
OiJyZWFkIHdyaXRlIiwiaXNzIjoiaHR0cDpcL1wvMTI3LjAuMC4xOjgwODBcL2MyaWQiLCJhY3RpdmU
iOnRydWUsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJleHAiOjE1MTk5OTU4ODgsImlhdCI6MTUxOTk5NT
I4OCwiY2xpZW50X2lkIjoibjJjeDdxMmhxaW1qdyIsImp0aSI6Ill6NXphX1luN0hJIn0.R2eUTnt0r
KVMs8D9nS91OWmyF-fskdcCxp-d8dVZxOZV-4wtviXOFMB5IMcWyMoJF73r7z112dolT_sJxQ22Nebm
lbtrulfJZZkSGpegPZU6Ze93hM0ll0KDhuP-Ya9oNwtPg-HZ_NWGz2ObsjPLgp7YJZN0gPc4MpAvhrR
kxDMNBFSj6E7CsgEz2O6q3TJRun5XlRCiJAMAK9Axo4HpWqFTYubGV_rRfJAgfiV3d5BYhAvUyigTBB
ojDDNGErgOgZYk7KBLztR9-YqvZbcDgjFNjQpr1kIxR5Cq877gSyqfanBp8RvPTqyy9VxAGSiuQnYHP
1h6yKrunAvdODVZvA
The extracted JSON object is a fully compliant token introspection response:
{
"active" : true,
"token_type" : "Bearer",
"iss" : "https://demo.c2id.com",
"sub" : "n2cx7q2hqimjw",
"scope" : "read write",
"iat" : 1519995288,
"exp" : 1519995888,
"client_id" : "n2cx7q2hqimjw",
"jti" : "Yz5za_Yn7HI"
}
Note that the JWT output is a proprietary extension to RFC 7662.
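What a resource server should do with an application/jwt introspection response, as an added example in Go (Connect2id itself is Java; this is not its code): verify the JWS with the server's RSA public key, pinning the expected alg and kid rather than trusting the header, and only then apply the usual RFC 7662 checks (issuer, active, and the response's own exp). The signing side below is a stand-in that issues an RS256 compact JWS with a freshly generated key; the kid "CXup" is the one in the page's sample JWT header, the claim values are the page's sample values, and the function names are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IntrospectionClaims is a subset of the RFC 7662 response shown on the page.
type IntrospectionClaims struct {
	Active bool   `json:"active"`
	Iss    string `json:"iss"`
	Sub    string `json:"sub,omitempty"`
	Scope  string `json:"scope,omitempty"`
	Exp    int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// decodePart base64url-decodes one JWS segment and parses it as JSON into v.
func decodePart(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signIntrospectionJWT stands in for the server side (not Connect2id code): an RS256 compact JWS over the claims.
func signIntrospectionJWT(key *rsa.PrivateKey, kid string, c IntrospectionClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIntrospectionJWT is the resource-server side: verify the JWS first, then check the claims.
func VerifyIntrospectionJWT(token string, pub *rsa.PublicKey, wantKid, wantIss string, now time.Time) (*IntrospectionClaims, error) {
	parts := strings.Split(token, ".")
	// Pin alg and kid on the verifier side; the token must not get to choose them.
	var hdr map[string]string
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || hdr["alg"] != "RS256" || hdr["kid"] != wantKid {
		return nil, fmt.Errorf("not a compact JWS with alg RS256 and kid %q", wantKid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c IntrospectionClaims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	// Issuer, active flag and exp (how long the answer may be relied on) are checked as for plain JSON.
	if c.Iss != wantIss || !c.Active || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q active=%v exp=%d", c.Iss, c.Active, c.Exp)
	}
	return &c, nil
}

// SelfCheckResult records the outcome of the three scenarios run by SelfCheck.
type SelfCheckResult struct{ ValidAccepted, TamperRejected, ExpiredRejected bool }

// SelfCheck signs the page's sample claims with a freshly generated key (constructed; not the real c2id.com key).
func SelfCheck() SelfCheckResult {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only: keygen/sign errors ignored
	claims := IntrospectionClaims{Active: true, Iss: "https://demo.c2id.com", Sub: "n2cx7q2hqimjw", Scope: "read write", Exp: 1519995888}
	jwt, _ := signIntrospectionJWT(key, "CXup", claims)
	accepted := func(tok string, now time.Time) bool {
		_, err := VerifyIntrospectionJWT(tok, &key.PublicKey, "CXup", claims.Iss, now)
		return err == nil
	}
	// A payload with a widened scope spliced under the original signature.
	widened := claims
	widened.Scope = "read write admin"
	p, _ := json.Marshal(widened)
	parts := strings.Split(jwt, ".")
	forged := parts[0] + "." + b64.EncodeToString(p) + "." + parts[2]
	fresh := time.Unix(1519995300, 0) // before exp
	return SelfCheckResult{
		ValidAccepted:   accepted(jwt, fresh),
		TamperRejected:  !accepted(forged, fresh),
		ExpiredRejected: !accepted(jwt, time.Unix(claims.Exp, 0)),
	}
}

func main() {
	fmt.Printf("%+v\n", SelfCheck())
}
```

In a real deployment the public key would be looked up by kid in the server's published JWK set instead of being generated locally, and the resource server would additionally confirm that the scope and client_id satisfy its own access policy; the point of the order above is that nothing in the payload, including active, is trusted before the signature has been checked against a pinned algorithm and key.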
JSON formatted logs and Logstash
The Connect2id server now packages a Log4j plugin to enable logs to be output in JSON format or piped to Logstash. Check the configuration howto.
Download
To download a ZIP package of Connect2id server 6.18:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/6.18/Connect2id-server.zip
SHA-256: f985e8f199a82c656881bf54aa5096b02bb3d4aa719ecf55c44035edf5e8b0d0
As WAR package only:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/6.18/c2id.war
SHA-256: da0868774f3c865b18aa30e21ae2d0362016c5d105c4600112864b95dfcbc486
Questions?
Get in touch with Connect2id support.
Release notes
6.18 (2018-03-02)
Configuration
- /WEB-INF/oidcProviderProperties
  - op.token.introspection.alwaysRespondWithJWT – If true, causes the token introspection responses to always be returned as a JWT signed with the same JWS algorithm and RSA key configured for self-contained (JWT) access tokens. The default value is false. This is a proprietary extension to RFC 7662, section 2.2.
Web API
- /token/introspection
  - By passing an “Accept” HTTP request header set to “application/jwt”, the Connect2id server will return the token introspection response as a JWT signed with the same JWS algorithm and RSA key configured for self-contained (JWT) access tokens. The default value is false. This is a proprietary extension to RFC 7662, section 2.2.
Resolved Issues
- Adds Log4j 2 appender with JSON layout support and optional ability to send output to Logstash. See https://github.com/dubasdey/log4j2-jsonevent-layout (issue server/351).
Dependency Changes
- Adds com.github.dubasdey:log4j2-jsonevent-layout:0.0.4