Connect2id server 7.10

Posted 2019-04-15

Release 7.10 of the OpenID Connect / OAuth 2.0 server adds a new SPI for plugging custom checks when registering or updating clients. Shaping (modification) of the registered client metadata is also supported.

The SPI can be particularly useful when the Connect2id server is configured for open client registration and there is no developer portal in front of the client registration endpoint to enforce specific checks and policies.

For more details check out the release notes below.

Download

To download a ZIP package of Connect2id server 7.10:

https://connect2id.com/assets/products/server/download/7.10/Connect2id-server.zip

SHA-256: a388b3827a53dbf2f53767a31086c66bf200eb7985192eab1eda45f9e85f714d

As WAR package only:

https://connect2id.com/assets/products/server/download/7.10/c2id.war

SHA-256: 51146f1294e5d962dc0262aaef010badb5d5acd0df2970e128ee886f3aa8e39f

Questions?

Contact Connect2id support.


Release notes

7.10 (2019-04-15)

Configuration

  • /WEB-INF/additionalClientMetadataChecks.properties

    • See FinalMetadataValidator SPI description below.

SPI

  • com.nimbusds.openid.connect.provider.spi.reg.FinalMetadataValidator

    • New Service Provider Interface (SPI) for performing additional validation and / or shaping of OAuth 2.0 client / OpenID relying party metadata, after the Connect2id server has completed its own standard validations. The loaded and enabled SPI implementations will be called (in no particular order) when a new client is registered (via HTTP POST request) or updated (via HTTP PUT request).

      A simple internal implementation is included to check if the hostname of the logo_uri and policy_uri parameters (if set) matches a host in the redirect_uris (if set), according to OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1, section 9.1. see https://openid.net/specs/openid-connect-registration-1_0.html#Impersonation. These checks can be enabled / disabled from the /WEB-INF/additionalClientMetadataChecks.properties configuration file. Java system property override is supported.

Resolved issues

  • Return a redirecting login_required error instead of a non-redirecting error in the authorisation session web API when the OpenID authentication request includes an id_token_hint and its subject doesn't match the one which got logged in (issue server/430).

  • Moves ID token generation for OpenID authentication requests with response_type=code from the authorisation session endpoint to the token endpoint. This ensures ID token issue events are not falsely generated when the relying party fails to complete the token request. This bug affects plugins that use the IDTokenIssueEventListener SPI (issue server/434). The retrieval of OpenID claims to be fed into the ID token is also moved to the token endpoint.

  • Clearing a tenant's data now also covers the cached JWT claims of request objects (JAR). Applies to the multi-tenant edition only (issue server/427).

  • Updates log messages OP5167, OP5166, OP5184 and OP5169 to include additional information on the number of revoked authorisations when a client is deleted (issue server/435).

  • Removes incompatible shared="true" attribute for all SQL store connectors in WEB-INF/infinispan-local-h2.xml (issue server/426).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.2

  • Updates to com.nimbusds:oauth2-oidc-sdk:6.8

  • Upgrades to com.nimbusds:oauth2-authz-store:11.3

  • Updates to com.nimbusds:common:2.33