Connect2id server 6.5

Single use of tokens is now also supported by the standard inspection endpoint

The standard token inspection endpoint will now also support optional removal of the queried access token, in order to facilitate use cases where access token replay at the resource server must be prevented. This feature was originally introduced in the proprietary inspection endpoint, in Connect2id server version 6.4 released last week.

To remove the access token after inspection simply add the revoke=true parameter. Note that this feature only works with identifier-based tokens, which represent a key to retrieve the underlying authorisation. It will have no effect if the access token is self-contained (JWT-encoded).

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&revoke=true

Subsequent inspection requests with the same access token will produce a response that the token is no longer valid.
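The following is an added example, not Connect2id code, that models the single-use semantics described above in a small in-memory form and builds the form-encoded introspection request a resource server would send. The token store, token values and the JWT string are constructed for illustration; the client credentials are the Base64-decoded contents of the Authorization header in the request shown above.

```python
"""
Constructed model of POST /token/introspect with revoke=true (not Connect2id's
implementation): identifier-based tokens are keys into a server-side store and
are deleted after a successful inspection when revoke is set, so a replayed
token comes back inactive; self-contained (JWT) tokens have nothing in the
store to delete, so revoke has no effect on them.
"""
import base64
import urllib.parse


def new_store() -> dict:
    """Fresh store of identifier-based tokens (constructed sample data)."""
    return {
        "45ghiukldjahdnhzdauz": {
            "sub": "alice",
            "scope": "openid email",
            "client_id": "s6BhdRkqt3",
        },
    }


def is_self_contained(token: str) -> bool:
    """Structural check only: a JWT has three base64url segments separated by dots."""
    return token.count(".") == 2


def introspect(store: dict, token: str, revoke: bool = False) -> dict:
    """Return an RFC 7662-shaped response plus a 'revoked' flag for the caller.

    Signature and claim verification of JWT tokens is out of scope here; the
    model assumes a well-formed JWT is valid and only shows that revoke is
    ignored for it.
    """
    if is_self_contained(token):
        return {"active": True, "token_type": "Bearer", "revoked": False}
    record = store.get(token)
    if record is None:
        # Unknown or already consumed token: RFC 7662 says reply active=false.
        return {"active": False, "revoked": False}
    response = {"active": True, "token_type": "Bearer", "revoked": False, **record}
    if revoke:
        # Single use: delete the authorisation key after a successful inspection.
        del store[token]
        response["revoked"] = True
    return response


def build_introspection_request(token: str, client_id: str, client_secret: str,
                                revoke: bool = False) -> tuple:
    """Build (headers, body) for the form-encoded request shown in the post."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",
    }
    params = {"token": token}
    if revoke:
        params["revoke"] = "true"
    return headers, urllib.parse.urlencode(params)


if __name__ == "__main__":
    store = new_store()
    headers, body = build_introspection_request(
        "45ghiukldjahdnhzdauz", "s6BhdRkqt3", "gX1fBat3bV", revoke=True)
    print(headers["Authorization"], body)
    print("first:", introspect(store, "45ghiukldjahdnhzdauz", revoke=True))
    print("replay:", introspect(store, "45ghiukldjahdnhzdauz"))
```

The second introspection of the same identifier-based token returns active=false, which is the replay-prevention property the feature targets; a resource server that relies on it must therefore cache nothing about the token and treat a later active=false as a rejected request rather than a transient error.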

Importing end-user sessions

The session store web API was updated to enable correct import of user sessions from other servers, preserving the original creation timestamp.

Bug fixes

This release also fixes a bug introduced in Connect2id server version 6.4 which affected session expiration when the maximum authentication lifetime parameter is set. Everybody who has downloaded 6.4 is advised to upgrade.

Download

To download a ZIP package of Connect2id server 6.5:

https://connect2id.com/assets/products/server/download/6.5/Connect2id-server.zip

(SHA-1: fc9045abe2a7ea523c3bcdc1d9e44a05d089458c)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.5/c2id.war

(SHA-1: 4c3a5c54b923674cf0c2b3b091ebcc67e1896b16)

Questions?

Get in touch with Connect2id support to receive assistance.


Release notes

6.5 (2017-03-15)

Configuration

  • No changes

Web API

  • /token/introspect

    • Adds an optional non-standard (see RFC 7662) "revoke" query parameter (defaults to "false") to facilitate single use of identifier-based access tokens. Causes the access token to be automatically deleted from the store after successful inspection. Has no effect with self-contained (JWT-encoded) access tokens. Identical to the optional "revoke" query parameter of /authz-store/rest/v2/inspection (introduced in Connect2id server 6.4).
  • /session-store/rest/v2

    • Permits addition of subject sessions created in the past, in order to facilitate the correct import of sessions from another Connect2id server.

Bug fixes

  • Fixes a bug where a subject session with a set authentication lifetime was incorrectly expired (issue session-store/50).

Dependencies

  • Upgrades to com.nimbusds:oidc-session-store:5.1