Connect2id server 6.18 allows token introspection responses to be JWTs

Updated token introspection

The Connect2id server can now return token introspection responses encapsulated in a signed JSON Web Token (JWT). The signature gives resource servers that require it an additional layer of assurance: they can verify that the response was issued by the Connect2id server and was not altered in transit, and the signed response can be passed on to other components without losing that property.

There are two ways to trigger a JWT to be returned for a token introspection response:

  • Per request, by sending an Accept: application/jwt HTTP header with the introspection request.

  • For all requests, by setting op.token.introspection.alwaysRespondWithJWT=true in /WEB-INF/oidcProviderProperties, which causes every introspection response to be returned as a JWT (the default is false).

The JWT is signed with the same JWS algorithm and RSA key used for the self-contained (JWT-encoded) access tokens, so a resource server that already validates such access tokens can verify the introspection JWT with the same public key from the server's JWK set; the kid in the JWS header identifies that key.

Example introspection request:

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Accept: application/jwt

token=ohDaa4co3ohthohm.uochoh8ahhie6Yoo

Example introspection response encoded into a JWT:

HTTP/1.1 200 OK
Content-Type: application/jwt;charset=UTF-8

eyJraWQiOiJDWHVwIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJuMmN4N3EyaHFpbWp3Iiwic2NvcGUi
OiJyZWFkIHdyaXRlIiwiaXNzIjoiaHR0cDpcL1wvMTI3LjAuMC4xOjgwODBcL2MyaWQiLCJhY3RpdmU
iOnRydWUsInRva2VuX3R5cGUiOiJCZWFyZXIiLCJleHAiOjE1MTk5OTU4ODgsImlhdCI6MTUxOTk5NT
I4OCwiY2xpZW50X2lkIjoibjJjeDdxMmhxaW1qdyIsImp0aSI6Ill6NXphX1luN0hJIn0.R2eUTnt0r
KVMs8D9nS91OWmyF-fskdcCxp-d8dVZxOZV-4wtviXOFMB5IMcWyMoJF73r7z112dolT_sJxQ22Nebm
lbtrulfJZZkSGpegPZU6Ze93hM0ll0KDhuP-Ya9oNwtPg-HZ_NWGz2ObsjPLgp7YJZN0gPc4MpAvhrR
kxDMNBFSj6E7CsgEz2O6q3TJRun5XlRCiJAMAK9Axo4HpWqFTYubGV_rRfJAgfiV3d5BYhAvUyigTBB
ojDDNGErgOgZYk7KBLztR9-YqvZbcDgjFNjQpr1kIxR5Cq877gSyqfanBp8RvPTqyy9VxAGSiuQnYHP
1h6yKrunAvdODVZvA

The JWS header is {"kid":"CXup","alg":"RS256"}, and the decoded payload is a fully compliant token introspection response (member order is not significant):

{
  "active"     : true,
  "token_type" : "Bearer",
  "iss"        : "http://127.0.0.1:8080/c2id",
  "sub"        : "n2cx7q2hqimjw",
  "scope"      : "read write",
  "iat"        : 1519995288,
  "exp"        : 1519995888,
  "client_id"  : "n2cx7q2hqimjw",
  "jti"        : "Yz5za_Yn7HI"
}

Note that the JWT output is a proprietary extension to RFC 7662. It only adds assurance if the resource server actually verifies the signature against the Connect2id server's public key and checks the iss claim before acting on the content; a JWT whose claims are read without signature verification is no better than the plain JSON response. The expected JWS algorithm should be fixed on the resource server side rather than taken from the token's own header.
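The resource server side of this exchange, as an added example that is not Connect2id's own code: a Go program using only the standard library. It first RS256-signs a response in the shape shown above (standing in for the server, with a key generated on the fly for the example), then validates the JWT the way a resource server should: pin the algorithm to RS256, select the public key by the kid in the JWS header, verify the signature before parsing the payload, and only then check iss, active and exp. A real resource server would load the public keys from the Connect2id server's JWK set instead of generating them; the type and function names are this example's own.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IntrospectionClaims are the RFC 7662 response members the JWT payload carries.
type IntrospectionClaims struct {
	Active    bool   `json:"active"`
	TokenType string `json:"token_type,omitempty"`
	Iss       string `json:"iss,omitempty"`
	Sub       string `json:"sub,omitempty"`
	Scope     string `json:"scope,omitempty"`
	Iat       int64  `json:"iat,omitempty"`
	Exp       int64  `json:"exp,omitempty"`
	ClientID  string `json:"client_id,omitempty"`
	JTI       string `json:"jti,omitempty"`
}

var b64 = base64.RawURLEncoding // JWS segments: base64url, no padding

// GenerateSigningKey makes a throwaway key standing in for the server's access token key (example only).
func GenerateSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignIntrospectionJWT stands in for the server: RS256 over header.payload, keyed by kid.
func SignIntrospectionJWT(priv *rsa.PrivateKey, kid string, claims IntrospectionClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"kid": kid, "alg": "RS256"})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

func decodePart(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIntrospectionJWT is the resource server side: keys maps kid to the server's
// public keys (loaded from its JWK set); expectedIss is the server's issuer URL.
func VerifyIntrospectionJWT(token string, keys map[string]*rsa.PublicKey, expectedIss string, now time.Time) (*IntrospectionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin alg to the server's configured one; never let the header choose it ("none", HS256 key confusion).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	// Check the signature before reading any claim from the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c IntrospectionClaims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != expectedIss {
		return nil, fmt.Errorf("unexpected iss %q", c.Iss)
	}
	if !c.Active {
		return nil, fmt.Errorf("token is not active")
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token has expired")
	}
	return &c, nil
}

func main() {
	priv, _ := GenerateSigningKey()
	tok, _ := SignIntrospectionJWT(priv, "CXup", IntrospectionClaims{Active: true, Iss: "http://127.0.0.1:8080/c2id", Scope: "read write", Exp: 1519995888})
	c, err := VerifyIntrospectionJWT(tok, map[string]*rsa.PublicKey{"CXup": &priv.PublicKey}, "http://127.0.0.1:8080/c2id", time.Unix(1519995300, 0))
	fmt.Println(c.Scope, err) // read write <nil>
}
```

Because the introspection JWT is signed with the access token key, the kid lookup can share the key cache already used for self-contained access tokens. The alg pin is the check most often missed: a verifier that honours whatever alg the token's header names can be tricked with alg=none or with HS256 using the server's public key as the shared secret, and the signature check must run before any claim in the payload is read.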

JSON formatted logs and Logstash

The Connect2id server now packages a Log4j 2 plugin that enables the logs to be output in JSON format or shipped to Logstash. See the logging configuration howto.

Download

To download a ZIP package of Connect2id server 6.18:

https://connect2id.com/assets/products/server/download/6.18/Connect2id-server.zip

SHA-256: f985e8f199a82c656881bf54aa5096b02bb3d4aa719ecf55c44035edf5e8b0d0

As WAR package only:

https://connect2id.com/assets/products/server/download/6.18/c2id.war

SHA-256: da0868774f3c865b18aa30e21ae2d0362016c5d105c4600112864b95dfcbc486

Questions?

Get in touch with Connect2id support.


Release notes

6.18 (2018-03-02)

Configuration

  • /WEB-INF/oidcProviderProperties

    • op.token.introspection.alwaysRespondWithJWT -- If true, causes the token introspection responses to always be returned as a JWT signed with the same JWS algorithm and RSA key configured for self-contained (JWT) access tokens. The default value is false. This is a proprietary extension to RFC 7662, section 2.2.

Web API

  • /token/introspect

    • By passing an "Accept" HTTP request header set to "application/jwt", the Connect2id server will return the token introspection response as a JWT signed with the same JWS algorithm and RSA key configured for self-contained (JWT) access tokens. This is a proprietary extension to RFC 7662, section 2.2.

Resolved Issues

  • Adds Log4j 2 appender with JSON layout support and optional ability to send output to Logstash. See https://github.com/dubasdey/log4j2-jsonevent-layout (issue server/351).

Dependency Changes

  • Adds com.github.dubasdey:log4j2-jsonevent-layout:0.0.4