Connect2id server 6.19 updates the client registration and the session store APIs

Posted 2018-04-02

Today's release of the OpenID Connect server updates the web API for registering clients and relying parties. It also adds a flag to disable web API output when deleting all end-user sessions.

Initial access tokens for the registration endpoint can now be client X.509 certificate bound

As you know, client applications need to be registered with the server before they can request tokens from it. The registration endpoint is normally protected and requires a token. This can be the configured master access token, or a regular token issued by the Connect2id server via an OAuth flow, which includes the client-reg scope and has the registration endpoint URL as its audience.

Here are the JWT claims for one such initial access token:

{
  "iss" : "",
  "sub" : "izad7cqy34bg4",
  "cid" : "izad7cqy34bg4",
  "scp" : [ "client-reg" ],
  "aud" : [ "" ],
  "iat" : 1448324500,
  "exp" : 1448367412
}

In 2017 we introduced support for client certificate bound access tokens, a simple yet effective measure to prevent replay by an unauthorised party if the client somehow leaks the token. This security feature is being developed at the OAuth working group, to fix the bearer weakness of regular OAuth tokens.

Starting with today's 6.19 release, the client registration endpoint of the Connect2id server will detect and enforce initial access tokens that are bound to a client's certificate. The binding is set by the SHA-256 thumbprint (cnf.x5t#S256) of the client's X.509 certificate.

Here are the JWT claims for a token that is bound that way:

{
  "iss" : "",
  "sub" : "izad7cqy34bg4",
  "cid" : "izad7cqy34bg4",
  "scp" : [ "client-reg" ],
  "aud" : [ "" ],
  "iat" : 1448324500,
  "exp" : 1448367412,
  "cnf" : { "x5t#S256" : "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" }
}

When the registration request is made, if no client certificate is submitted, or if the thumbprint encoded in the token does not match that of the client certificate presented during the TLS handshake, the following bearer token error is returned:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error="invalid_token" error_description="Missing / invalid client X.509 certificate for x5t#S256 bound access token"

Configuration to disable the audience restriction of initial access tokens

As mentioned above, initial access tokens are expected to have an audience that includes the registration endpoint URL. If you need to disable this check, use the new op.reg.requireInitialAccessTokenAudience configuration setting:

op.reg.requireInitialAccessTokenAudience = false

The default setting is true (audience always required).
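The thumbprint binding check and the audience check described in the two sections above, as an added example in Python (not the Connect2id server's own code). The certificate bytes, issuer URI and registration endpoint URL are constructed placeholders; the error text is the one quoted in the release note.

```python
import base64
import hashlib
import hmac

# Error description the server returns for a cert-bound token without a matching client cert.
CERT_ERROR = "Missing / invalid client X.509 certificate for x5t#S256 bound access token"

# Constructed sample inputs (not real certificates): stand-ins for the DER bytes of the
# client's certificate and of some other party's certificate, plus assumed server URLs.
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"client-cert-sample" * 4
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"other-cert-sample" * 4
ISSUER = "https://op.example.com"                 # assumed OP / AS issuer URI
REG_ENDPOINT = "https://op.example.com/clients"   # assumed client registration endpoint URL


def x5t_s256(cert_der):
    """x5t#S256 thumbprint: SHA-256 of the DER certificate, base64url without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_initial_access_token(claims, presented_cert_der, now, issuer, reg_endpoint,
                               require_audience=True):
    """Return (accepted, error_description) for an initial access token at the registration
    endpoint. presented_cert_der is the client cert from the TLS handshake, or None."""
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return False, "Token expired or not yet valid"
    if "client-reg" not in claims.get("scp", []):
        return False, "Token lacks the client-reg scope"
    # Audience check; switched off by op.reg.requireInitialAccessTokenAudience = false.
    if require_audience and not ({issuer, reg_endpoint} & set(claims.get("aud", []))):
        return False, "Token audience does not include the issuer or registration endpoint"
    # Certificate binding is enforced only when the token carries cnf.x5t#S256.
    bound = (claims.get("cnf") or {}).get("x5t#S256")
    if bound is not None:
        if presented_cert_der is None or not hmac.compare_digest(x5t_s256(presented_cert_der), bound):
            return False, CERT_ERROR
    return True, None


def sample_bound_claims(now):
    """Claims of a client-reg token bound to CLIENT_CERT_DER, valid around `now`."""
    return {"iss": ISSUER, "sub": "izad7cqy34bg4", "cid": "izad7cqy34bg4",
            "scp": ["client-reg"], "aud": [REG_ENDPOINT],
            "iat": now - 60, "exp": now + 3600,
            "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}
```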

Disabling output when deleting all end-user sessions

The Connect2id server provides a special API call that deletes all end-user sessions with the OpenID provider / authorisation server at once, thus logging out all users.

This call normally returns a JSON map of all user sessions, which may become a problem and cause timeouts if millions of sessions are present in the store.

To disable this output we introduced a "quiet" query parameter:

DELETE /session-store/rest/v2/sessions?all=true&quiet=true HTTP/1.1
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

The response will then be a minimal 204:

HTTP/1.1 204 No Content

To download a ZIP package of Connect2id server 6.19:

SHA-256: 8d5e343373297ab9813a46039a94acf60771c88f86cf16e46772bb5d0e46c3b4

As WAR package only:

SHA-256: 3d22ee822da2a75832ab214ab7f6540020565c8c7a051246732a68e0eb9b0773

Get in touch with Connect2id support.

Release notes

6.19 (2018-04-02)

  • /WEB-INF/oidcProviderProperties

    • op.reg.requireInitialAccessTokenAudience -- If true the initial registration access token must include an audience value that is the OpenID Provider / Authorisation Server issuer URI or the client registration endpoint URI, else the access token won't be accepted. Defaults to true.

  • /clients

    • The client registration endpoint adds support for initial access tokens that are client X.509 certificate bound (see draft-ietf-oauth-mtls-07).

  • /session-store/rest/v2/sessions

    • Adds support for an optional "quiet" query parameter when deleting all subject (end-user) sessions from the store. When set to true an HTTP 204 No Content response will be returned and the deleted sessions will not be included in the response body.

Dependency Changes

  • Upgrades to session store 6.0.

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.57

  • Upgrades to com.nimbusds:nimbus-jose-jwt:5.6

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:1.5

  • Upgrades to com.nimbusds:tenant-manager:1.4

  • Upgrades to com.unboundid:unboundid-ldapsdk:4.0.5