Connect2id server 6.7.1
Execute custom logic during prompt=none processing
The latest 6.7 release of the Connect2id server makes it easier to execute custom logic during processing of OpenID prompt=none authentication requests. Clients use the optional prompt=none parameter to "silently" check if the present user is still logged in with the identity provider. If not (signalled by a login_required error), the user is sent back to the OpenID server to re-authenticate.
The new op.authz.alwaysPromptMode configuration setting allows integrators to have a custom script step into the the processing of prompt=none requests, including login_required and consent_required error conditions.
To that end the authorisation session JSON object now also keeps a record of the requested prompt parameter.
Control authorisation response errors
When authorisation is denied the login page / authorisation logic can now specify an OpenID / OAuth 2.0 error code other than the default access_denied to be returned to be client. Unless you intend to implement some quite custom authorisation rule, you need not be concerned with this option; simply leave error processing to the Connect2id server.
Session store fixes for Redis backends
The day when v6.7 was about to be released we had to tackle an issue which prevented new session creation in Connect2id server deployments with Redis as the primary in-memory store (and Infinispan in invalidation mode). Several fixes were made to the session store to address this, hence the combined announcement of 6.7 and 6.7.1 here. If you're using Redis as backend updating to 6.7.1 is highly recommended.
Download
To download a ZIP package of Connect2id server 6.7.1:
https://connect2id.com/assets/products/server/download/6.7.1/Connect2id-server.zip
(SHA-256: 7a0bb9f78b3d313ae25be54aa6d8ac686c5eb473bd4e5f7324f574b43cbb45ab)
As WAR package only:
https://connect2id.com/assets/products/server/download/6.7.1/c2id.war
(SHA-256: 7f79eb5e5098ecb1c7b391938399d5605c875330f51e8d215af457117c31e763)
Questions?
Get in touch with Connect2id support.
Release notes
6.7.1 (2017-05-21)
Configuration
- No changes
Web API
- No changes
Issues
Fixes a bug affecting subject session mapping removal and also potentially affecting new subject session addition when Infinispan is configured in invalidation mode (typically with Redis as primary in-memory store / cache) (issue session-store/55).
Fixes concurrency bug which caused the periodic clean up of orphaned subject session mappings to cease if the session store is configured with a persisting backend, such as Redis or an SQL database (issue session-store/53).
Fixes sessionStore.sessionExpirations metering for subject sessions which are expired externally by a persisting backend (issue session-store/57).
Forces clean up of orphaned subject session mappings if the mapping routine cannot free up a session slot after 10 iterations. Also makes the periodic task for cleaning up orphaned subject session mappings resilient to runtime exceptions (issue session-store/59).
Dependencies
- Upgrades to com.nimbusds:oidc-session-store:5.2.2
6.7 (2017-05-18)
Configuration
/WEB-INF/oidcProvider.properties
- Adds new op.authz.alwaysPromptForAuth configuration setting to control
processing of OpenID prompt=none authentication requests when
op.authz.alwaysPromptForAuth or op.authz.alwaysPromptForConsent is
enabled:
- LIMITED -- No authentication or consent prompt will be returned on a OpenID prompt=none authentication request. The Connect2id server will proceed straight to returning the final response (success or login_required / consent_required error).
- PROMPT_NONE -- An authentication or consent prompt will be returned on a OpenID prompt=none authentication request provided an existing session or consent is found and the request can be fulfilled with no end-user interaction. This is the default mode for legacy reasons.
- PROMPT_NONE_WITH_INTERACTION_ERRORS -- An authentication or consent prompt will be returned on a OpenID prompt=none authentication request even if the request cannot be fulfilled due to required end-user interaction; in that case the login page must handle the login_required and consent_required errors by itself.
- Adds new op.authz.alwaysPromptForAuth configuration setting to control
processing of OpenID prompt=none authentication requests when
op.authz.alwaysPromptForAuth or op.authz.alwaysPromptForConsent is
enabled:
Web API
/authz-sessions/rest/v3/
Adds a new auth_req.prompt field to the authorisation session JSON object, representing the value of the optional OpenID prompt authentication request parameter (if set).
Adds a new optional "error" and "error_description" query parameters to DELETE requests to allow the login page to signal a different OpenID Connect / OAuth 2.0 error other than "access_denied" when cancelling an authorisation session. Can for example be used to signal an internal login page error with "server_error" or "temporarily_unavailable". All standard OpenID Connect / OAuth 2.0 error codes returned with an authorisation error response are supported: access_denied (default), invalid_request, unauthorized_client, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, login_required, consent_required, interaction_required, account_selection_required, request_uri_not_supported, request_not_supported, invalid_request_uri and invalid_request_object.
Issues
- None
Dependencies
- No changes