Check session iframe support now in Connect2id server 6.9

A client application which has signed in a user with OpenID Connect may need to periodically check if the user is still logged in with the OpenID provider. The core OpenID Connect protocol provides a method to do that, by making a silent (non-interactive) prompt=none OpenID authentication request to the server.

This release of the Connect2id server implements an alternative lightweight protocol for checking the user authentication status at the OpenID provider, by polling a hidden IdP iframe with window.postMessage. Read the check session API docs to find out how to use it and what its advantages are over traditional prompt=none polling.

Version 6.9 of the Connect2id server also includes several minor configuration and dependency updates. See the release notes for more information.

Download

To download a ZIP package of Connect2id server 6.9:

https://connect2id.com/assets/products/server/download/6.9/Connect2id-server.zip

(SHA-256: 1ecec7c5e7a66beaf427aef600aad790ab897130c14d494fd070e68fe5ab11d9)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.9/c2id.war

(SHA-256: fac674339c07579444810bdcd3a6f5ab7c1b0e9aedc900898b0a2369091ac7a4)

Questions?

Get in touch with Connect2id support.


Release notes

6.9 (2017-06-22)

General

  • Adds support for an OpenID provider check session iframe, as defined in OpenID Connect Session Management 1.0, draft 28. In order to enable check session support the following parameters must be set: op.checkSession.iframe and op.checkSession.cookieName

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.policy -- Can also be specified as relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/policy.html".

    • op.tos -- Can also be specified as relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/terms-of-service.html".

    • op.serviceDocs -- Can also be specified as relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/service-docs.html".

    • op.authz.endpoint -- Can also be specified as relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/login".

    • op.logout.endpoint -- Can also be specified as relative URL to the OpenID provider issuer URL (op.issuer), e.g. "/logout".

    • op.checkSession.iframe -- New optional configuration setting for OpenID Connect Session Management 1.0 support (draft 28). Specifies the OpenID Connect check session iframe URL. The URL scheme should be https. The URL can also be specified relative to the OpenID provider issuer URL. Browser JavaScript code running in the iframe must be able to read the cookie (see op.checkSession.cookieName) used to store the subject (end-user) session ID. This requires the iframe to have the same web origin (domain) as the login page which set the session cookie. The cookie must also be set without the HttpOnly flag. If blank, check session support is disabled and the iframe is not advertised in the OpenID provider metadata. The Connect2id server provides a default check session iframe at "/check-session.html" relative to the OpenID provider issuer URL (op.issuer).

    • op.checkSession.cookieName -- New optional configuration setting for OpenID Connect Session Management 1.0 support (draft 28). Specifies the name of the cookie which is used by the login page to store the subject (end-user) session ID. The cookie must be accessible from browser JavaScript code, i.e. it must not be set with the HttpOnly flag.

  • /WEB-INF/infinispan-h2.xml

    • The Connect2id server will operate in stand-alone mode only when configured with H2 as backend SQL database. Infinispan clustering in replication mode with H2 as backend is no longer supported.

Web API

  • /check-session.html

    • Check session iframe for handling window.postMessage requests which check whether the subject's (end-user's) authentication status with the OpenID provider has changed (logout, session expiration). See OpenID Connect Session Management 1.0, draft 28.

Issues

  • Ensures persisted consent for OpenID authentication requests in the code flow also includes OpenID claims requested to be returned in the ID token (issue server/289).

Dependencies

  • Adds org.checkerframework:checker:2.1.12 dependency.

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.28

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.39.1