Connect2id server 6.14

This new release of the OpenID Connect server upgrades the authorisation session API to enable a wider range of architectural patterns when integrating login UIs and authentication factors, especially stateless front-ends and services.

There are now two new configuration settings which, when enabled, include a summary of the registered OAuth 2.0 client details and of the end-user session in the final response of an authZ session:

Example plain final response, which contains just the URI where the front-end should redirect the browser with the ready OpenID authentication response:

{ 
  "type"        : "response",
  "mode"        : "fragment",
  "parameters"  : { "uri" : "https://example.com/cb#id_token=eyJraWQiOiJDWHVwIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIxZDM5Mzk3ZS0wNzJhLTQ0ZDUtYWFhYS1iOGViZmU0ZWIwNDYiLCJhdWQiOiJuMnl4ZHdhcWJod25jIiwiaXNzIjoiaHR0cDpcL1wvMTI3LjAuMC4xOjgwODBcL2MyaWQiLCJleHAiOjE1MDQ3ODI2MDgsImlhdCI6MTUwNDc4MTcwOCwibm9uY2UiOiJCMENmUHM1dFJTWXdVZThocl8xZENqdExLa3lncnd0SFZXOEY5UW9OcHFBIn0.HNHIQINdwsvulCOxZSt6wLKBecITQ4VxG8-rpcW3StFoIS0g3GuIIHm2UkIiv1IWmTDrejhHC3ihkWJyzbK8eeQZjnM0rr7S947A5nZUx52UfTU7I61EQgLfKUuHnX9VbgygXBrXSmVmszCq4d9t_R6aRsvGrgAdyzwSn3mbKsCBAF3IfDmOPZxHluYsewR6H5E6jutkUqBNuv_wR1WhlFXMRWx09L5DofSKYhcev47DrjPu-gXXEgH4gRVzsA4Xn_IKvrFv9a1OsQt0BkTfe7epFLb4pQcvzxDn1vkkEGPsjNg_1ll5BMjVj4sK8MwmkVTJZzO5RHOyvxDtWsbM5A&state=0wYg7j4v24VMxbUey0dkfI6DcN39oDDLhJW9t3Z4KI0" }
}

Final response, with the above configs enabled:

{ 
  "type"        : "response",
  "mode"        : "fragment",
  "parameters"  : { "uri" : "https://example.com/cb#id_token=eyJraWQiOiJDWHVwIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIxZDM5Mzk3ZS0wNzJhLTQ0ZDUtYWFhYS1iOGViZmU0ZWIwNDYiLCJhdWQiOiJuMnl4ZHdhcWJod25jIiwiaXNzIjoiaHR0cDpcL1wvMTI3LjAuMC4xOjgwODBcL2MyaWQiLCJleHAiOjE1MDQ3ODI2MDgsImlhdCI6MTUwNDc4MTcwOCwibm9uY2UiOiJCMENmUHM1dFJTWXdVZThocl8xZENqdExLa3lncnd0SFZXOEY5UW9OcHFBIn0.HNHIQINdwsvulCOxZSt6wLKBecITQ4VxG8-rpcW3StFoIS0g3GuIIHm2UkIiv1IWmTDrejhHC3ihkWJyzbK8eeQZjnM0rr7S947A5nZUx52UfTU7I61EQgLfKUuHnX9VbgygXBrXSmVmszCq4d9t_R6aRsvGrgAdyzwSn3mbKsCBAF3IfDmOPZxHluYsewR6H5E6jutkUqBNuv_wR1WhlFXMRWx09L5DofSKYhcev47DrjPu-gXXEgH4gRVzsA4Xn_IKvrFv9a1OsQt0BkTfe7epFLb4pQcvzxDn1vkkEGPsjNg_1ll5BMjVj4sK8MwmkVTJZzO5RHOyvxDtWsbM5A&state=0wYg7j4v24VMxbUey0dkfI6DcN39oDDLhJW9t3Z4KI0" },
  "sub_session" : { "sid"           : "6lMAjOPdME7TUP_l-RNOkQ.UFvABcQ3hsNsl668XkUl4Q", 
                    "sub"           : "alice",
                    "creation_time" : 1504781708,
                    "auth_time"     : 1504781708,
                    "max_idle"      : 1440,
                    "auth_life"     : 10080,
                    "max_life"      : 20160 },
  "client"      : { "client_id"        : "n2yxdwaqbhwnc",
                    "client_type"      : "public",
                    "application_type" : "web" }
}
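How a stateless login front-end might consume such a final response, as an added example that is not part of the release notes or of Connect2id's own code. The fields it reads (type, mode, parameters.uri, sub_session, client) follow the two sample responses above; the cookie name, the reading of max_idle as minutes, and the log redaction rule are assumptions of this example. It issues the browser redirect, binds a session cookie to the sid when sub_session is present, and strips the fragment (which carries the id_token and state) before anything is logged.

```python
"""Consume the final response of a Connect2id authorisation session (web API v3)
in a stateless login front-end. Added example; field names follow the sample
responses in the release notes, everything else here is assumed."""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample inputs: the two final responses from the release notes,
# with the long id_token replaced by a placeholder (only the URI shape matters).
_URI = ("https://example.com/cb#id_token=ID_TOKEN_PLACEHOLDER"
        "&state=0wYg7j4v24VMxbUey0dkfI6DcN39oDDLhJW9t3Z4KI0")

SAMPLE_PLAIN_FINAL_RESPONSE = json.dumps({
    "type": "response", "mode": "fragment", "parameters": {"uri": _URI},
})

SAMPLE_FINAL_RESPONSE = json.dumps({
    "type": "response",
    "mode": "fragment",
    "parameters": {"uri": _URI},
    "sub_session": {
        "sid": "6lMAjOPdME7TUP_l-RNOkQ.UFvABcQ3hsNsl668XkUl4Q",
        "sub": "alice",
        "creation_time": 1504781708,
        "auth_time": 1504781708,
        "max_idle": 1440,
        "auth_life": 10080,
        "max_life": 20160,
    },
    "client": {
        "client_id": "n2yxdwaqbhwnc",
        "client_type": "public",
        "application_type": "web",
    },
})

# Modes whose final response carries the complete redirect URI in parameters.uri
# (the only layout shown in the release notes).
REDIRECT_MODES = frozenset({"query", "fragment"})


@dataclass(frozen=True)
class RedirectAction:
    """What the front-end sends back to the browser."""
    status: int
    location: str
    set_cookie: Optional[str]   # None when no sub_session was included
    client_id: Optional[str]    # None when no client summary was included


def redact_for_log(uri: str) -> str:
    """Drop query and fragment before logging: in fragment mode the URI carries
    the id_token and state, which must not end up in front-end logs."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def session_cookie(sub_session: dict, cookie_name: str) -> str:
    """Build a Set-Cookie header bound to the Connect2id subject session.
    Assumption: max_idle is in minutes (1440 in the sample reads as one day)."""
    max_age = int(sub_session["max_idle"]) * 60
    return (f"{cookie_name}={sub_session['sid']}; Max-Age={max_age}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def handle_final_response(raw: str, cookie_name: str = "c2id_sid") -> RedirectAction:
    resp = json.loads(raw)
    if resp.get("type") != "response":
        # sub_session / client also appear in error responses per the notes, but
        # their layout is not shown here: never redirect on anything but a success.
        raise ValueError(f"not a successful final response: type={resp.get('type')!r}")
    mode = resp.get("mode")
    if mode not in REDIRECT_MODES:
        raise ValueError(f"unsupported response mode {mode!r}")
    uri = resp.get("parameters", {}).get("uri") or ""
    parts = urlsplit(uri)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        # Only ever redirect to an absolute http(s) URI; refuse anything else.
        raise ValueError(f"refusing to redirect to {redact_for_log(uri)!r}")
    sub_session = resp.get("sub_session")
    client = resp.get("client") or {}
    return RedirectAction(
        status=302,
        location=uri,
        set_cookie=session_cookie(sub_session, cookie_name) if sub_session else None,
        client_id=client.get("client_id"),
    )


if __name__ == "__main__":
    action = handle_final_response(SAMPLE_FINAL_RESPONSE)
    print(action.status, redact_for_log(action.location))   # 302 https://example.com/cb
    print(action.set_cookie)
```

With op.authz.includeSubjectSessionInFinalResponse disabled the front-end receives the plain response and simply redirects; with it enabled the same handler can establish its own session state from the returned sid and lifetimes without a second call to the server, which is the stateless pattern the release targets.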

If you're unsure this can benefit you, the upgrade to Connect2id server 6.14 can be skipped.

See the release notes below for additional information.

Download

To download a ZIP package of Connect2id server 6.14:

https://connect2id.com/assets/products/server/download/6.14/Connect2id-server.zip

(SHA-256: 267bacf9a63d62275a3b1aef5c840117237702b7884fe8e72ab1810f8cef452e)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.14/c2id.war

(SHA-256: 0906616ce3f6280badf9c4bea4ed4a3754c87112f20b303b094de6aa36e7d99c)

Questions?

Get in touch with Connect2id support.


Release notes

6.14 (2017-09-07)

General

  • Updates the authorisation session web API (v3) to optionally include the client information and the subject (end-user) session in final responses.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.includeClientInfoInFinalResponse -- New optional configuration setting. If "true" the Connect2id server will include the registered OAuth 2.0 / OpenID Connect client information in the final response of an authorisation session. Recommended setting: "false" (disabled, as the client information is typically required only at the consent step).

    • op.authz.includeSubjectSessionInFinalResponse -- New optional configuration setting. If "true" the Connect2id server will include the subject (end-user) session in the final response of an authorisation session as well as in non-redirectable error responses. Recommended setting: "false" (disabled, as the subject session is typically required only when a UI is presented, i.e. at the authentication and consent steps).

Web API

  • /authz-sessions/rest/v3

    • If the op.authz.includeClientInfoInFinalResponse configuration setting is enabled, a JSON object named "client" representing a summary of the registered OAuth 2.0 / OpenID Connect client information will be included in the final response (success or error).

    • If the op.authz.includeSubjectSessionInFinalResponse configuration setting is enabled, a JSON object named "sub_session" representing the subject (end-user) session will be included in the final response (success or error) as well as in non-redirectable error responses.

Resolved Issues

  • Authorisation session data not included in final response when an OAuth 2.0 error is returned, or when a non-redirectable error is returned (issue server/311).

  • Fixes non-redirectable error "error_description" composition (issue server/314).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.36
  • Upgrades to com.nimbusds:nimbus-jose-jwt:5.1
  • Upgrades to com.nimbusds:oauth2-authz-store:5.17
  • Upgrades to com.unboundid:unboundid-ldapsdk:4.0.1