The OpenID Connect server adds support for SQL backends

Posted 2016-09-29

The upcoming 6th release of the Connect2id server introduces support for SQL databases for persisting its own data, such as client registrations and authorisations. With this preview you can now test drive the server with a MySQL database.

  1. Download the ZIP file and unpack it.

  2. Provision a fresh MySQL database, and an account for it that the Connect2id server can use.

  3. Edit /webapp/WEB-INF/infinispan-mysql.xml in the c2id.war:

    • Set the dataSource.url properties to point to the MySQL database.

    • Set dataSource.user and dataSource.password to the user credentials for accessing the MySQL database.

  4. Start the LDAP directory with the sample users with opendj/bin/start-ds.

  5. Start the Tomcat web server with tomcat/bin/startup.sh.

  6. Point your browser to http://127.0.0.1:8080/oidc-client/ when the server has started.

That's it!

The Connect2id server will automatically create the required SQL tables if they are missing. The /WEB-INF/web.xml is also configured with a simple script that will create a demo OpenID client account for oidc-client with client_id 000123, so you can test drive OpenID Connect login.

To disable creation of this account (in production) simply comment out or delete the following lines from the /WEB-INF/web.xml descriptor:

<!-- Demo client registration installer (remove in production) -->
<listener>
    <listener-class>com.nimbusds.openid.connect.provider.demo.DemoClientRegInstaller</listener-class>
</listener>

You can also test drive the Connect2id server with a PostgreSQL 9.5 database. To do that edit /WEB-INF/web.xml to point to the Postgres specific Infinispan config like this:

<context-param>
    <description>
        The location of the Infinispan configuration file. Must be
        relative to the web application root directory.
    </description>
    <param-name>infinispan.configurationFile</param-name>
    <param-value>/WEB-INF/infinispan-postgres95.xml</param-value>
</context-param>

Then edit the data source parameters as explained above.
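The two production edits described above (dropping the demo client installer and pointing the server at the PostgreSQL Infinispan config) can be checked and applied mechanically. The script below is an added example and is not part of the Connect2id distribution; the sample web.xml it operates on is constructed here, and the namespace and element layout are assumed to follow the standard Java Servlet descriptor.

```python
"""Audit and harden a Connect2id /WEB-INF/web.xml for production.

Added example (not Connect2id code). Removes the DemoClientRegInstaller
listener and switches infinispan.configurationFile to the PostgreSQL
config. The sample descriptor below is constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = "http://xmlns.jcp.org/xml/ns/javaee"
DEMO_LISTENER = "com.nimbusds.openid.connect.provider.demo.DemoClientRegInstaller"
INFINISPAN_PARAM = "infinispan.configurationFile"

# Constructed sample; a real web.xml carries many more entries.
SAMPLE_WEB_XML = f"""<web-app xmlns="{NS}" version="3.1">
  <context-param>
    <param-name>{INFINISPAN_PARAM}</param-name>
    <param-value>/WEB-INF/infinispan-mysql.xml</param-value>
  </context-param>
  <!-- Demo client registration installer (remove in production) -->
  <listener>
    <listener-class>{DEMO_LISTENER}</listener-class>
  </listener>
  <listener>
    <listener-class>com.example.SomeOtherListener</listener-class>
  </listener>
</web-app>
"""


def local_name(tag: str) -> str:
    """Strip an XML namespace prefix like '{uri}listener' -> 'listener'."""
    return tag.rsplit("}", 1)[-1]


def find_demo_listeners(root):
    """Return the <listener> elements that register the demo installer."""
    hits = []
    for el in root:
        if local_name(el.tag) != "listener":
            continue
        for child in el:
            if local_name(child.tag) == "listener-class" and \
                    (child.text or "").strip() == DEMO_LISTENER:
                hits.append(el)
    return hits


def audit(web_xml_text: str) -> dict:
    """What a pre-production reviewer wants to know about the descriptor."""
    root = ET.fromstring(web_xml_text)
    config = None
    for cp in root:
        if local_name(cp.tag) != "context-param":
            continue
        name = value = None
        for child in cp:
            if local_name(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif local_name(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == INFINISPAN_PARAM:
            config = value
    return {
        "demo_installer_present": bool(find_demo_listeners(root)),
        "infinispan_config": config,
        "listener_count": sum(1 for el in root if local_name(el.tag) == "listener"),
    }


def harden(web_xml_text: str,
           infinispan_config: str = "/WEB-INF/infinispan-postgres95.xml"):
    """Remove the demo installer and select the given Infinispan config.
    Returns (new_xml, listeners_removed, config_switched)."""
    ET.register_namespace("", NS)  # keep the default namespace on output
    root = ET.fromstring(web_xml_text)
    removed = 0
    for el in find_demo_listeners(root):
        root.remove(el)
        removed += 1
    switched = False
    for cp in root:
        if local_name(cp.tag) != "context-param":
            continue
        names = [c for c in cp if local_name(c.tag) == "param-name"]
        if names and (names[0].text or "").strip() == INFINISPAN_PARAM:
            for c in cp:
                if local_name(c.tag) == "param-value":
                    c.text = infinispan_config
                    switched = True
    return ET.tostring(root, encoding="unicode"), removed, switched


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
    hardened, n, ok = harden(SAMPLE_WEB_XML)
    print(audit(hardened))
```

Run `audit` against the descriptor inside the deployed WAR as a release gate: a `demo_installer_present` of True means the well-known client `000123` will be created on every startup.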

Download

To preview the upcoming Connect2id server 6.0 release download the following ZIP package and follow the instructions above, plus those in the README.txt file:

https://connect2id.com/assets/products/server/download/6.0-pre-4/Connect2id-server.zip

https://connect2id.com/assets/products/server/download/6.0-pre-4/c2id.war

Questions?

For any questions, write in the comments section below or email our support team.


Release notes 6.0-pre-4 (2016-09-29)

General

  • Switches to Infinispan's persistent store APIs to enable support of other Connect2id server backends besides LDAP, such as MySQL, PostgreSQL, H2, flat file storage, Redis (experimental) and AWS ElastiCache (experimental).

  • Adds support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for encrypted ID tokens. A client can receive ID tokens encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for encrypted UserInfo. A client can receive UserInfo JWTs encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for registering OpenID Connect / OAuth 2.0 clients with a JWK set specified by URI (jwks_uri). Intended for handling private_key_jwt client authentication, self-issued JWT and SAML 2.0 bearer grants, signed request objects, encrypted ID tokens and encrypted UserInfo responses. The downloaded client JWK set is cached by the Connect2id server to ensure quick processing of requests that rely on remote JWKs.

  • Updates handling of the optional max_age OpenID authentication request parameter. If max_age is set to zero (max_age=0) the Connect2id server will prompt the end-user for (re)authentication, even if the end-user has an existing valid session with the Connect2id server. This is equivalent to setting the optional prompt OpenID authentication request parameter to login (prompt=login). See issue #993 with the OpenID Connect working group (https://bitbucket.org/openid/connect/issues/993).

  • Adds experimental support for pairwise subject (end-user) identifiers, based on deterministic AES encryption in SIV mode (see RFC 5297).

  • Adds an extra layer of security to issued session IDs, authorisation codes and identifier-based access tokens by appending a SHA-256 based Message Authentication Code (HMAC), truncated to 128 bits. The HMAC lets the server reject guessed or tampered identifiers before any backend lookup, which enables detection of online guessing attacks and may also be used to block certain DoS attacks that utilise the above objects.

  • Switches to new JSON-based marshalling of Connect2id server objects stored in Infinispan.

  • Refines diagnostic messages on a client registration error due to invalid or inconsistent client metadata.

  • Refines logging of invalid client authentication attempts at the token endpoint (issue server/199).
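The max_age handling described above interacts with the prompt parameter and with the age of any existing session. The following decision logic is an added example (not Connect2id code) that applies the rule as stated in the release notes: max_age=0 is treated exactly like prompt=login, and a request that needs (re)authentication while carrying prompt=none must fail with login_required rather than silently reuse the session. The parameter names are the standard OpenID Connect ones; the function names are this example's own.

```python
"""Decide whether an OpenID authentication request needs the end-user
to (re)authenticate. Added example, not Connect2id server code."""
from typing import Optional, Set, Tuple


class LoginRequired(Exception):
    """prompt=none was requested but (re)authentication is needed."""


def parse_request(params: dict) -> Tuple[Set[str], Optional[int]]:
    """Extract and validate the prompt and max_age query parameters.
    params is the decoded query dict, e.g. {"prompt": "login", "max_age": "0"}."""
    prompt = set((params.get("prompt") or "").split())
    if "none" in prompt and len(prompt) > 1:
        raise ValueError("prompt=none cannot be combined with other prompt values")
    max_age = params.get("max_age")
    if max_age is not None:
        max_age = int(max_age)
        if max_age < 0:
            raise ValueError("max_age must be a non-negative integer")
    return prompt, max_age


def reauth_required(prompt: Set[str], max_age: Optional[int],
                    auth_time: Optional[int], now: int) -> bool:
    """auth_time is the epoch second of the existing session's
    authentication, or None when the end-user has no session."""
    if "login" in prompt:
        return True
    if auth_time is None:
        return True                        # no session to reuse
    if max_age is None:
        return False                       # no freshness requirement
    if max_age == 0:
        return True                        # the rule from this release: same as prompt=login
    return now - auth_time > max_age       # session authentication too old


def resolve(prompt: Set[str], max_age: Optional[int],
            auth_time: Optional[int], now: int) -> str:
    """Return 'reauth' or 'reuse'; raise LoginRequired when prompt=none
    forbids the interaction that would be needed."""
    needed = reauth_required(prompt, max_age, auth_time, now)
    if needed and "none" in prompt:
        raise LoginRequired("login_required")
    return "reauth" if needed else "reuse"


if __name__ == "__main__":
    now = 1_000_000
    for q in ({}, {"max_age": "0"}, {"prompt": "login"}, {"max_age": "3600"}):
        print(q, "->", resolve(*parse_request(q), now - 100, now))
```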

Configuration

  • /WEB-INF/jwkSet.json

    • All JSON Web Keys (JWKs) in the Connect2id server JWK set must have a key identifier ("kid" JWK parameter) and specify the intended key use ("use" JWK parameter).

    • All RSA JWKs intended for signing of objects (ID tokens, UserInfo JWTs and self-contained access tokens) must have their use parameter set to "sig" (signature). Required to prevent mix up with future RSA JWKs intended for encrypting objects to the Connect2id server.

    • Adds support for optional EC JWKs with curves P-256, P-384 and P-521 for signing of ID tokens and UserInfo JWTs. The EC JWKs must have a key identifier ("kid" JWK parameter) and be flagged for signature use ("use":"sig").

    • All AES JWKs intended for symmetric encryption of self-contained access tokens must have their use parameter set to "enc" (encryption). Required to prevent mix up with the introduced secret JWKs for HMAC protection and pairwise subject encryption (see below).

    • Adds new secret JSON Web Key (JWK) with ID "hmac" and use "sig" to facilitate HMAC-SHA256 protection of session IDs, authorisation codes and identifier-based access tokens. The HMAC key size must be 256 bits.

    • Adds new symmetric JSON Web Key (JWK) with ID "subject-encrypt" to facilitate AES SIV-mode (RFC 5297) encryption of pairwise subject identifiers. The accepted AES key sizes are 128, 192 and 256 bits.

  • /WEB-INF/oidcProvider.properties

    • Extends the op.idToken.jwsAlgs configuration setting to include support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.idToken.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued ID tokens. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.idToken.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued ID tokens. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

    • Adds new op.authz.requestJWSAlgs configuration setting for the accepted JWS algorithms for signed OpenID authentication requests passed with the optional request_uri or request parameter. The following JWS algorithms are supported: HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512 and none.

    • Adds new op.reg.resourceRetriever.httpConnectTimeout configuration setting for the HTTP connect timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Adds new op.reg.resourceRetriever.httpReadTimeout configuration setting for the HTTP read timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Removes the op.reg.preloadCache, op.reg.ldapServer.*, op.reg.ldapUser.*, op.reg.ldapDirectory.*, op.reg.customTrustStore.* and op.reg.customKeyStore.* settings for configuring an LDAP store for the OpenID Connect and OAuth client registration. Configuration of the client registration store is now assumed by the Infinispan configuration.

    • Extends the op.userinfo.jwsAlgs configuration setting to include support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.userinfo.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued UserInfo JWTs. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.userinfo.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued UserInfo JWTs. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

  • /WEB-INF/authzStore.properties

    • Removes the authzStore.options.preloadCache, authzStore.ldapServer.*, authzStore.ldapUser.*, authzStore.ldapDirectory.*, authzStore.customTrustStore.* and authzStore.customKeyStore.* settings for configuring an LDAP store for the long-lived (persisted) OpenID Connect and OAuth authorisations. Configuration of the long-lived authorisations store is now assumed by Infinispan.

    • Adds new authzStore.options.discardedAttributes settings to list the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and backend storage.

    • Adds the "iat" (issued-at) claim to the list of recommended JWT claims to include in self-contained access tokens. Required so that inspection can tell whether a self-contained access token was issued before a revocation event and must therefore be treated as revoked.

  • /WEB-INF/infinispan.xml

    • Updates all advanced externalisers for Connect2id server data stored in Infinispan. The externalisers are now declared programmatically, instead of using the Infinispan XML configuration.

    • Adds new "clients.remoteJWKSetCache" cache.

    • Replaces the "op.regCache" cache with "clients.registrationsMap".

    • Replaces the "op.regTokenCache" cache with "op.clientRegTokenMap".

    • Replaces the "authzStore.authzCache" cache with "authzStore.longLivedAuthzMap".
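The jwkSet.json rules above (mandatory kid and use on every key, sig-only RSA and EC keys, enc-only AES keys for access token encryption, a 256-bit "hmac" key and a 128/192/256-bit "subject-encrypt" key) are easy to get wrong when upgrading an existing key set. The validator below is an added example and not part of the Connect2id distribution; it checks only what the release notes state, the sample key sets are constructed here (the RSA and EC coordinates are placeholders, not real keys), and treating the "hmac" key as mandatory is this check's own assumption.

```python
"""Sanity-check a Connect2id /WEB-INF/jwkSet.json against the 6.0 key
rules. Added example, not Connect2id code; samples are constructed."""
import base64
import json

ALLOWED_EC_CURVES = {"P-256", "P-384", "P-521"}


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def oct_bits(jwk: dict) -> int:
    """Key length in bits of a symmetric ("oct") JWK."""
    return len(b64url_decode(jwk.get("k", ""))) * 8


def validate_jwk_set(jwk_set: dict) -> list:
    """Return human-readable problems; an empty list means every rule
    this check knows about is satisfied."""
    problems = []
    seen_kids = set()
    for i, jwk in enumerate(jwk_set.get("keys", [])):
        kid, use, kty = jwk.get("kid"), jwk.get("use"), jwk.get("kty")
        where = f"keys[{i}]" + (f" (kid={kid})" if kid else "")
        if not kid:
            problems.append(f"{where}: missing kid")
        elif kid in seen_kids:
            problems.append(f"{where}: duplicate kid")
        seen_kids.add(kid)
        if use not in ("sig", "enc"):
            problems.append(f"{where}: use must be 'sig' or 'enc'")
        if kty == "RSA":
            if use != "sig":  # RSA keys are signing-only in this release
                problems.append(f"{where}: RSA keys must have use 'sig'")
        elif kty == "EC":
            if jwk.get("crv") not in ALLOWED_EC_CURVES:
                problems.append(f"{where}: EC curve must be P-256, P-384 or P-521")
            if use != "sig":
                problems.append(f"{where}: EC keys must have use 'sig'")
        elif kty == "oct":
            bits = oct_bits(jwk)
            if kid == "hmac":
                if use != "sig":
                    problems.append(f"{where}: hmac key must have use 'sig'")
                if bits != 256:
                    problems.append(f"{where}: hmac key must be 256 bits, found {bits}")
            elif kid == "subject-encrypt":
                if bits not in (128, 192, 256):
                    problems.append(f"{where}: subject-encrypt key must be 128, 192 or 256 bits, found {bits}")
            elif use != "enc":  # remaining AES keys encrypt self-contained access tokens
                problems.append(f"{where}: AES keys for access token encryption must have use 'enc'")
        else:
            problems.append(f"{where}: unsupported kty {kty!r}")
    # Assumption of this check: the hmac key is required because session IDs,
    # codes and identifier-based tokens are HMAC-protected in this release.
    if "hmac" not in seen_kids:
        problems.append("no secret JWK with kid 'hmac' for HMAC protection")
    return problems


def validate_file(path: str) -> list:
    with open(path, encoding="utf-8") as f:
        return validate_jwk_set(json.load(f))


def make_oct(kid: str, use: str, nbytes: int) -> dict:
    """Constructed symmetric key for the samples; NOT a real secret."""
    k = base64.urlsafe_b64encode(bytes([0x11]) * nbytes).rstrip(b"=").decode()
    return {"kty": "oct", "kid": kid, "use": use, "k": k}


GOOD_JWK_SET = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "use": "sig", "crv": "P-256", "x": "placeholder", "y": "placeholder"},
    make_oct("aes-1", "enc", 32),
    make_oct("hmac", "sig", 32),
    make_oct("subject-encrypt", "enc", 32),
]}

BAD_JWK_SET = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "alg": "RS256", "n": "placeholder", "e": "AQAB"},  # no use
    {"kty": "EC", "kid": "ec-1", "use": "sig", "crv": "secp256k1", "x": "p", "y": "p"},
    make_oct("hmac", "sig", 16),  # 128-bit HMAC key, must be 256
]}

if __name__ == "__main__":
    print(validate_jwk_set(GOOD_JWK_SET))
    print("\n".join(validate_jwk_set(BAD_JWK_SET)))
```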

Web API

  • /.well-known/openid-configuration

    • Advertises support for pairwise subject identifiers (subject_types_supported).

  • /clients/

    • Supports registration of OAuth 2.0 and OpenID Connect clients with a JWK set specified by URL (jwks_uri).

    • Supports registration of OpenID Connect clients for pairwise subject identifiers. OpenID Connect clients can be registered for pairwise subject identifiers by setting the "subject_type" parameter to "pairwise"; if more than one redirection URI is specified in the "redirect_uris" parameter, a "sector_identifier_uri" parameter must also be provided.

  • /session-store/rest/v2/sessions

    • Support for the optional "SID" header parameter on POST new session is removed, due to the introduction of HMAC secured session IDs. The key portion of the session ID can be set with the new "SID-Key" header parameter; the Connect2id server will then return the final SID (session key with appended HMAC).

  • /authz-store/rest/v2/revocation

    • Extends the effect of revocation to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

  • /authz-store/rest/v2/inspection

    • Access tokens that fall under the scope of a previous revocation event will be resolved as invalid. Previously, access tokens would appear as valid until they expired, unless the access token was identifier-based and had been explicitly revoked.

  • /monitor/v1/metrics

    • Replaces the "authzStore.numCachedAuthorizations" metric with "authzStore.numLongLivedAuthorizations".

    • Adds new "clientStore.numCachedRemoteJWKSets" metric for the number of cached client JWK sets.
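The HMAC protection introduced in this release (described under General, configured through the "hmac" JWK, and visible at the session store endpoint as the SID-Key header and the returned key-plus-HMAC SID) can be modelled in a few lines. The code below is an added example and not Connect2id code: the page does not give the separator, the encoding or whether different identifier types are domain-separated, so the dot separator, base64url encoding and the purpose label are assumptions of this example. What it does show is the property the notes rely on: a forged or guessed identifier fails the MAC check before any storage lookup, and the count of such failures is the signal for online guessing.

```python
"""Issue and verify HMAC-protected identifiers of the shape <key>.<mac>
for session IDs, authorisation codes and identifier-based access
tokens. Added example, not Connect2id code; separator, encoding and
purpose label are assumptions of this example."""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

MAC_BYTES = 16  # HMAC-SHA256 truncated to 128 bits, per the release notes


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HMACIdentifiers:
    """One instance per identifier type (session ID, code, access token)."""

    def __init__(self, hmac_key: bytes, purpose: bytes):
        if len(hmac_key) != 32:
            raise ValueError("HMAC key must be 256 bits")
        self._key = hmac_key
        # Assumption: a purpose label keeps a code's MAC from verifying
        # as a session ID when both are protected by the same key.
        self._purpose = purpose
        self.rejected = 0   # MAC failures; a rising count signals online guessing

    def mac(self, key_part: bytes) -> bytes:
        msg = self._purpose + b"\x00" + key_part
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:MAC_BYTES]

    def issue(self, key_part: Optional[bytes] = None) -> str:
        """The caller may supply the key portion (as with the SID-Key
        header); otherwise a random 128-bit key portion is generated."""
        if key_part is None:
            key_part = secrets.token_bytes(16)
        if len(key_part) < 16:
            raise ValueError("key portion must be at least 128 bits")
        return b64url_encode(key_part) + "." + b64url_encode(self.mac(key_part))

    def check(self, identifier: str) -> Optional[bytes]:
        """Return the key portion if the MAC verifies, else None. Runs
        before any store lookup, so guesses never reach the backend."""
        try:
            key_text, mac_text = identifier.split(".")
            key_part, mac = b64url_decode(key_text), b64url_decode(mac_text)
        except (ValueError, binascii.Error):
            self.rejected += 1
            return None
        if len(mac) != MAC_BYTES or not hmac.compare_digest(mac, self.mac(key_part)):
            self.rejected += 1
            return None
        return key_part


if __name__ == "__main__":
    sessions = HMACIdentifiers(secrets.token_bytes(32), b"session")
    sid = sessions.issue()
    print(sid, sessions.check(sid) is not None, sessions.check(sid[:-4] + "AAAA"))
```

In production the HMAC key is the 256-bit "hmac" JWK from jwkSet.json; rotating it invalidates every outstanding identifier at once, which is worth planning for before the first rotation.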
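Pairwise subject identifiers (introduced under General, keyed by the "subject-encrypt" JWK, and registered at /clients/ with subject_type=pairwise) are only as good as the sector they are scoped to: if a client can claim a sector it does not own, it can correlate end-users across sectors. The code below is an added example and not Connect2id code. The registration rule is the one stated on this page (more than one redirect_uri requires a sector_identifier_uri); the sector document check follows OpenID Connect Core; and the derivation uses the SHA-256 construction from OpenID Connect Core section 8.1 as a stand-in, not the AES-SIV deterministic encryption the Connect2id server uses, which unlike a hash the server can reverse to recover the local subject.

```python
"""Sector identifier selection and pairwise subject derivation.
Added example, not Connect2id code; the SHA-256 derivation is a
stand-in for the server's AES-SIV encryption."""
import base64
import hashlib
from typing import List, Optional
from urllib.parse import urlparse


def sector_identifier(redirect_uris: List[str],
                      sector_identifier_uri: Optional[str] = None) -> str:
    """Pick the host that scopes a pairwise client's subject identifiers."""
    if not redirect_uris:
        raise ValueError("at least one redirect_uri is required")
    if sector_identifier_uri is not None:
        u = urlparse(sector_identifier_uri)
        if u.scheme != "https" or not u.hostname:
            raise ValueError("sector_identifier_uri must be an https URL with a host")
        return u.hostname
    if len(redirect_uris) > 1:
        # Rule from the release notes: multiple redirect_uris need sector_identifier_uri.
        raise ValueError("sector_identifier_uri is required with more than one redirect_uri")
    host = urlparse(redirect_uris[0]).hostname
    if not host:
        raise ValueError("redirect_uri has no host")
    return host


def check_sector_document(redirect_uris: List[str], listed_uris: List[str]) -> bool:
    """listed_uris is the JSON array fetched from sector_identifier_uri
    (fetching is outside this example). Every registered redirect_uri
    must appear in it, otherwise a client could join a sector it does
    not control."""
    missing = [r for r in redirect_uris if r not in listed_uris]
    if missing:
        raise ValueError(f"redirect_uris not listed in sector document: {missing}")
    return True


def pairwise_sub(sector: str, local_sub: str, salt: bytes) -> str:
    """OpenID Connect Core 8.1 hash construction: same sector and local
    subject always give the same value; different sectors do not."""
    digest = hashlib.sha256(sector.encode() + local_sub.encode() + salt).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real salt is a server secret
    sector = sector_identifier(["https://app.example.com/cb"])
    print(sector, pairwise_sub(sector, "alice", salt))
    print(pairwise_sub("other.example.org", "alice", salt))
```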

Bug fixes

  • Adds check to prevent client registration of redirect_uris with a fragment component (issue sdk/188).

  • Fixes NPE in the LDAP connector when the asynchronous LDAP result listener receives a notification before the associated timer context is cached (issue authz-store/117).

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (iss #219).

  • Enables stack trace logging on Infinispan cache manager launch failure.

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.5.4

  • Upgrades to com.nimbusds:oidc-session-store:4.8

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.17.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.26.1

  • Upgrades to com.nimbusds:common:2.0

  • Upgrades to Infinispan 8.2.4.Final

  • Upgrades to JAX-RS Jersey 2.23.2

  • Upgrades to com.unboundid:unboundid-ldapsdk:3.2.0

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to diagnose class loader issues at runtime (issue server/219).