Connect2id server 6.10 optimises API support for stateless login front-ends

This week's release of the OpenID Connect server focuses on optimising support for stateless front-ends.

Easier access to optional authZ session data

During authorisation the Connect2id server lets the login page store arbitrary data in the authZ session, such as front-end state, the state needed when redirecting the user to an external social IdP, and any other variables required to walk the user through the authentication and consent steps.

Until now, in order to get at this data the login page had to make a separate HTTP GET to the session's dedicated data resource.

From v6.10 on, the authZ session data is also included in the authentication and consent prompts output by the server, which saves the login page an extra HTTP GET to the data resource.

Example consent prompt including optional data:

{
  "type"        : "consent",
  "sid"         : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"     : "popup",
  "sub_session" : { ... },
  "client"      : { ... },
  "scope"       : { ... },
  "claims"      : { ... },
  "data"        : { "param-1" : "abc",
                    "param-2" : "xyz",
                    ... }
}

If no data is stored with the authZ session, the "data" field is omitted from the prompt, so a front-end should treat its absence as "nothing stored" rather than as an error.

Shorthand keyword for consenting all requested scope values and claims

When submitting the end-user's consent, an "*" (asterisk) can be used to signify that all requested scope values or OpenID claims are approved. The shorthand is meant for front-ends that have presented the user with the requested scope values and claims listed in the consent prompt; submitting "*" unconditionally would approve whatever the client chose to ask for.

Indicating consent for all scope values requested by the client:

{
  "scope" : [ "*" ]
}

Indicating consent for all claims requested by the client:

{
  "scope"  : [ "openid", "email", "myapi:read", "myapi:write" ],
  "claims" : [ "*" ]
}

Indicating consent for both requested scope and claims:

{
  "scope"  : [ "*" ],
  "claims" : [ "*" ]
}

If you need to include additional non-requested scope values and claims in the consent:

{
  "scope"  : [ "*", "myapi:notify" ],
  "claims" : [ "*", "phone_number" ]
}
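The following Python sketch is an added example, not Connect2id code, showing how a stateless front-end would use the two changes above: read the session data from the prompt (with a fallback GET for older servers), compose a consent from the user's decision so that "*" is only sent when every requested value was approved, and expand "*" the way the server interprets it. The sample prompt is constructed after the one shown above; the inner shape of its "scope" and "claims" objects (a "requested" list) and the fetch_data callback are assumptions, since the page elides them.

```python
"""Stateless consent front-end helpers for the Connect2id authZ session API.

Added example, not Connect2id code. The prompt below is constructed after the
consent prompt in the announcement; the inner "requested" lists under "scope"
and "claims" are an assumption, as the page shows those objects elided.
"""
import json
from typing import Callable, Dict, Iterable, List, Optional, Tuple

WILDCARD = "*"  # shorthand for "all requested" when submitting consent (v6.10+)

# Constructed sample consent prompt (not captured from a real server).
SAMPLE_PROMPT: dict = json.loads("""
{
  "type"    : "consent",
  "sid"     : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display" : "popup",
  "scope"   : { "requested": ["openid", "email", "myapi:read", "myapi:write"] },
  "claims"  : { "requested": ["email", "email_verified"] },
  "data"    : { "param-1": "abc", "param-2": "xyz" }
}
""")


def session_data(prompt: dict,
                 fetch_data: Optional[Callable[[str], dict]] = None) -> dict:
    """Return the optional authZ session data for a prompt.

    A 6.10+ server embeds the data in the prompt as "data" and omits the field
    when nothing was stored. fetch_data is a hypothetical callback that issues
    the pre-6.10 HTTP GET to /authz-sessions/rest/v3/{sid}/data; it is only
    consulted when the field is absent, i.e. when talking to an older server.
    """
    if "data" in prompt:
        return dict(prompt["data"])
    if fetch_data is not None:
        return fetch_data(prompt["sid"])
    return {}


def _consented(requested: Iterable[str], approved: Iterable[str]) -> List[str]:
    """Build one consent list: "*" iff every requested value was approved,
    otherwise the explicit approved subset. Values the client never requested
    are always listed explicitly, so the extra grant stays visible."""
    req, app = set(requested), set(approved)
    granted = [WILDCARD] if req <= app else sorted(req & app)
    return granted + sorted(app - req)


def build_consent(prompt: dict, approved_scope: Iterable[str],
                  approved_claims: Iterable[str]) -> Dict[str, List[str]]:
    """Compose the consent JSON a front-end submits to the authZ session.

    approved_* must come from the user's decision on the requested values shown
    from the prompt. Never submit "*" unconditionally: that would auto-approve
    any scope or claims the client chose to ask for.
    """
    return {
        "scope": _consented(prompt["scope"]["requested"], approved_scope),
        "claims": _consented(prompt["claims"]["requested"], approved_claims),
    }


def resolve_consent(requested_scope: Iterable[str], requested_claims: Iterable[str],
                    consent: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Expand the "*" shorthand as the server does: "*" stands for every
    requested value, and any other entries in the list are added to it."""
    def expand(requested: Iterable[str], submitted: List[str]) -> List[str]:
        values = set(submitted) - {WILDCARD}
        if WILDCARD in submitted:
            values |= set(requested)
        return sorted(values)
    return (expand(requested_scope, consent.get("scope", [])),
            expand(requested_claims, consent.get("claims", [])))


if __name__ == "__main__":
    prompt = SAMPLE_PROMPT
    print("session data:", session_data(prompt))
    consent = build_consent(prompt,
                            prompt["scope"]["requested"] + ["myapi:notify"],
                            prompt["claims"]["requested"])
    print("submitted consent:", json.dumps(consent))
    print("as resolved by the server:", resolve_consent(
        prompt["scope"]["requested"], prompt["claims"]["requested"], consent))
```

The explicit listing of non-requested values in build_consent is a deliberate choice: a reviewer reading the submitted consent (or an audit log of it) can then see at a glance that the front-end granted more than the client asked for.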

Check the release notes below for the full list of changes and fixed issues in v6.10.

Download

To download a ZIP package of Connect2id server 6.10:

https://connect2id.com/assets/products/server/download/6.10/Connect2id-server.zip

(SHA-256: 4db2d133194c50ad4df8fd078a0b819551b15c7f5497b78497e5550ff9627df8)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.10/c2id.war

(SHA-256: 4ccb5f782bc5515ca6c0202bfe2703d1df714d3ada0250553bca01195bb5c5cc)

Questions?

Get in touch with Connect2id support.


Release notes

6.10 (2017-07-03)

General

  • Optimises authorisation session API support for stateless login and consent front-ends.

Web API

  • /authz-sessions/rest/v3, /authz-sessions/rest/v2

    • Adds a new "data" JSON object field to the authentication and consent prompts which includes the optional authorisation session data. The "data" field is omitted from the prompts if it isn't set. Previously the authorisation session data could be obtained only by an HTTP GET to its
      /authz-sessions/rest/v3/{sid}/data resource.

    • When submitting an end-user's consent to the Connect2id server, the keyword * (asterisk) in the consented scope can be used to indicate consent for all requested scope values. Example: "scope":["*"].

    • When submitting an end-user's consent to the Connect2id server, the keyword * (asterisk) in the consented claim names can be used to indicate consent for all requested claims. Example: "claims":["*"].

Issues

  • Fixes NPE in the logout endpoint configuration logger when the configured logout endpoint URI is relative (issue server/294).

  • Fixes ClassCastException when logging the addition of a new entry to the subject session store at TRACE level (issue session-store/62).

  • Updates the LDAP claims source to not log the LDAP connection details when the claims source is disabled, preventing false warnings that the LDAP connections are not secured with StartTLS or SSL (issue ldap-claims-source/4).

  • Reinstates Infinispan sql-store XSD version 2.2 support.

Dependencies

  • Upgrades to com.nimbusds:oidc-claims-source-ldap:1.5

  • Upgrades to com.nimbusds:oidc-session-store:5.2.4

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:2.6.2

  • Upgrades to com.unboundid:unboundid-ldapsdk:4.0.0