Connect2id server 7.0 extends plain OAuth 2.0 support, hardens security, upgrades Infinispan

Posted 2018-05-03

After a series of 19 feature updates to Connect2id server 6 it was time to stage a new major release. What's in it? Coverage for more OAuth 2.0 use cases and a major upgrade to the underlying in-memory, caching and persistence layer. Configuration of the server was also made more secure.

Plain OAuth 2.0

Client applications which only need an access token and are not interested in the end-user's identity (OpenID Connect) can now make plain OAuth 2.0 authorisation requests to the Connect2id server. The requests can be made via the code flow as well as the implicit flow.

Example minimal OAuth 2.0 authorisation request in the code flow:

https://c2id.com/login?response_type=code&client_id=123

The redirect_uri and scope parameters are not mandatory in plain OAuth 2.0 authorisation requests, as opposed to OpenID Connect. If the redirect_uri parameter is omitted, the Connect2id server will take the first registered one for the client. Similarly, if the scope parameter is omitted, the authorisation session handler may assume the client requested the scope values included in its registration.

Everything else regarding the authentication and consent steps remains the same when serving plain OAuth 2.0 authorisation requests.

Securing sensitive configuration details

Access to the integration web APIs of the Connect2id server requires special opaque tokens. Because the tokens are set in the server configuration, this can be a potential security risk. Depending on how the Connect2id server gets deployed and how its configuration gets applied, the token strings may leak through environment variables, Java system properties, logs and package files, to name a few scenarios.

To prevent damage from accidental leaks the Connect2id server will no longer allow the tokens to be configured in plain text. Instead, their SHA-256 hash (in hex) must now be provided. If the server detects the old configuration format it will abort startup with an error.

Script to generate a 32 character token and compute its SHA-256 hash in hex:

#! /bin/sh
TOKEN=`pwgen 32 1`
echo "Access token: $TOKEN"
TOKEN_SHA256=`echo -n $TOKEN | sha256sum`
echo "Access token SHA-256: $TOKEN_SHA256"

With that the only remaining sensitive material in the Connect2id server configuration are the private and secret keys in the server's JWK set. This risk can also be mitigated, by locking the keys away in a Hardware Security Module (HSM). Unfortunately, HSMs are still quite expensive and may not be readily available in some cloud environments. Inexpensive solutions based on open source hardware may however eventually change this.

Infinispan upgrade

The embedded Infinispan module for providing caching, in-memory storage, persistence and replication clustering to the Connect2id server was upgraded to the latest stable version 9.2 of Infinispan. Overall server performance will benefit from that.

Due to breaking changes in Infinispan's object serialisation, direct rolling upgrades from Connect2id server 5.x and 6.x clusters will fail with a warning if attempted. To perform a rolling upgrade to a Connect2id server 7.0 cluster with no downtime a special migration procedure will be required. We intend to devise several options for that. Please, contact Connect2id support if you need assistance.

Tentative 7.x roadmap

Important portions of the Connect2id server were rewritten to prepare the groundwork for front and back-channel logout notifications as well as encrypted request JWTs.

Connect2id server 6.x documentation

The documentation for 6.x was moved to the archive.

Download

To download a ZIP package of Connect2id server 7.0:

https://connect2id.com/assets/products/server/download/7.0/Connect2id-server.zip

SHA-256: 83f27c68db6f56dad706b919d2fffb41a7a0bccdf1c75d2568373262cb8a8e9c

As WAR package only:

https://connect2id.com/assets/products/server/download/7.0/c2id.war

SHA-256: 6bb51245124bd2b915f01ea29ca7a746db40ef4489bf3b41b177a35c7540c43e

Questions?

Get in touch with Connect2id support.


Release notes

7.0 (2018-05-02)

Summary

  • Adds support for processing plain OAuth 2.0 authorisation requests for clients that only require an access token, i.e. end-user authentication with OpenID Connect and ID token is not needed. Plain OAuth 2.0 authorisation requests can be made via the code (response_type=code) and implicit (response_type=token) flows. See RFC 6749 sections 4.1.1 and 4.2.1.

  • The master / API access tokens for the Connect2id server must now be configured by setting their SHA-256 hash, in hexadecimal format. Plain text configuration is no longer accepted. The hashing is intended to prevent accidental token leaks via web server logs, configuration files and Java system properties / environment variables.

  • Upgrades Infinispan from version 8.2 to 9.2. Due to object serialisation changes introduced in Infinispan 9, direct rolling upgrades from Connect2id server 6.x clusters will silently fail if attempted. To perform a rolling upgrade to a Connect2id server 7.0 cluster with no downtime a special migration procedure is required.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.responseTypes -- The OAuth 2.0 "token" response type becomes supported.

    • op.reg.apiAccessTokenSHA256 -- Replaces the op.reg.apiAccessToken configuration property, which is no longer supported. The master access token for the client registration endpoint is configured by setting its SHA-256 hash (in hexadecimal format).

    • op.reg.secondaryAPIAccessTokenSHA256 -- New optional secondary master access token for the client registration endpoint. Has the same format as op.reg.apiAccessTokenSHA256. Must not be set if not used.

    • op.authz.apiAccessTokenSHA256 -- Replaces the op.authz.apiAccessToken configuration property, which is no longer supported. The access token for the authorisation session endpoint and for the direct authorisation endpoint is configured by setting its SHA-256 hash (in hexadecimal format).

    • op.logout.apiAccessTokenSHA256 -- Replaces the op.logout.apiAccessToken configuration property, which is no longer supported. The access token for the logout session endpoint is configured by setting its SHA-256 hash (in hexadecimal format).

  • /WEB-INF/authzStore.properties

    • authzStore.apiAccessTokenSHA256 -- Replaces the authzStore.apiAccessToken configuration property, which is no longer supported. The access token for the authorisation store web API is configured by setting its SHA-256 hash (in hexadecimal format).

    • authzStore.secondaryAPIAccessTokenSHA256 -- New optional secondary access token for the authorisation store web API. Has the same format as authzStore.apiAccessTokenSHA256. Must not be set if not used.

  • /WEB-INF/sessionStore.properties

    • sessionStore.apiAccessTokenSHA256 -- Replaces the sessionStore.apiAccessToken configuration property, which is no longer supported. The access token for the session store web API is configured by setting its SHA-256 hash (in hexadecimal format).

    • sessionStore.secondaryAPIAccessTokenSHA256 -- New optional secondary access token for the session store web API. Has the same format as sessionStore.apiAccessTokenSHA256. Must not be set if not used.

  • /WEB-INF/monitor.properties

    • monitor.apiAccessTokenSHA256 -- Replaces the monitor.apiAccessToken configuration property, which is no longer supported. The access token for the logout session endpoint is configured by setting its SHA-256 hash (in hexadecimal format).
  • /WEB-INF/infinispan-*.xml

    • Updates the Infinispan configurations to match the schema of Infinispan 9.2.
  • CLASSPATH/default-jgroups-*.xml

    • Updates the JGroups configurations to match the schema of JGroups 4.

Web API

  • /.well-known/oauth-authorization-server

    • New endpoint for publishing the OAuth 2.0 Authorisation Server metadata of the Connect2id server at a well-known URL. The published metadata implements OAuth 2.0 Authorization Server Metadata (draft-ietf-oauth-discovery-10) and is identical to the OpenID Provider metadata provided at /.well-known/openid-configuration.

Dependency Changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.61

  • Upgrades to com.nimbusds:oauth2-authz-store:8.0.1

  • Upgrades to com.nimbusds:oidc-session-store:8.0.2

  • Upgrades to com.nimbusds:common:2.27

  • Upgrades to org.infinispan:infinispan-core:9.2.1.Final

  • Upgrades to org.infinispan:infinispan-query:9.2.1.Final

  • Upgrades to org.infinispan:directory-provider:9.2.1.Final

  • Upgrades to org.infinispan:directory-provider:9.2.1.Final

  • Upgrades to com.nimbusds:infinispan-cachestore-ldap:2.3.2

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:2.9.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:1.6.2

  • Upgrades to com.nimbusds:infinispan-cachestore-redis:9.2.1