Connect2id server 7.17 updates access tokens and introspection

Updated token introspection

Connect2id server 7.17 updates JWT-secured introspection responses to the latest OAuth version 08 draft. Signed introspections are useful for meeting assurance and legal requirements in applications dealing with verified person data, personal certificates and qualified electronic signatures. The changes are detailed in the release notes.

New type header explicitly identifies JWTs that are access tokens

This release also takes a first step in implementing the new OAuth draft for interoperable JWT-encoded access tokens. The spec defines a minimal set of standard JWT claims for OAuth 2.0 servers that issue self-contained access tokens. All JWT-encoded access tokens issued by the Connect2id server will now include the "at+jwt" type designation in the JWT header.

Example JWT header for an access token:

{
  "alg" : "RS256",
  "typ" : "at+jwt",
  "kid" : "AhXoh4fe"
}
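The security value of the explicit type is on the consuming side: a resource server that checks "typ" cannot be tricked into accepting an ID token (or any other JWT) signed by the same issuer and key as if it were an access token. The following is an added example, not Connect2id code, of that check in a resource server. It uses HS256 with a constructed demo key in place of the server's RS256 so it runs offline, and assumes the issuer URL and audience values shown; the accepted "typ" values "at+jwt" and "application/at+jwt", compared case-insensitively, follow the JWT access token profile.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. HS256 stands in for the server's RS256 so the example runs
# offline; a real resource server would verify against the issuer's published JWK.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://c2id.example.com"  # assumed issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, typ: str, key: bytes = DEMO_KEY) -> str:
    """Mint a compact HS256 JWT whose header carries the given 'typ'."""
    header = {"alg": "HS256", "typ": typ, "kid": "AhXoh4fe"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, expected_aud: str, key: bytes = DEMO_KEY) -> dict:
    """Resource-server check: signature first, then 'typ', then issuer and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, (head_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The explicit type is what keeps an ID token (typ "JWT"), signed by the same
    # issuer with the same key, from being accepted as an access token.
    typ = str(header.get("typ", "")).lower()
    if typ not in ("at+jwt", "application/at+jwt"):
        raise ValueError("not an access token, typ=%r" % header.get("typ"))
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    return claims


def is_valid_access_token(token: str, expected_aud: str) -> bool:
    """Boolean wrapper around verify_access_token()."""
    try:
        verify_access_token(token, expected_aud)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The ID token deliberately carries the same aud so that only the typ check separates the two.
    base = {"iss": ISSUER, "sub": "alice", "aud": "https://rs.example.com"}
    access = mint_jwt(dict(base, scope="read"), "at+jwt")
    id_token = mint_jwt(dict(base, nonce="n-0S6_WzA2Mj"), "JWT")
    print("access token accepted:", is_valid_access_token(access, "https://rs.example.com"))
    print("ID token accepted:", is_valid_access_token(id_token, "https://rs.example.com"))
```

The order of checks matters: the signature is verified before any header or claim is trusted, and the "typ" check is done on the header of the verified token, not on a value the caller supplies.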

The prompt parameter is supported in plain OAuth 2.0 authorisation requests

The optional prompt parameter in OpenID authentication requests enables relying parties to check if an end-user is already logged in and has previously provided consent. It can also be used to force re-authentication, re-consent or a change in the active user account at the IdP:

  • prompt=none -- To check if the end-user is logged in and has previously given consent to the specified scope values. This is typically done from a hidden iframe. On success the server will issue an ID and access token, without requiring any interaction from the user. If the prompt=none request cannot be fulfilled the server will return a login_required, consent_required or a general interaction_required error, indicating that the relying party should repeat the request, but this time allow for user interaction.

  • prompt=login -- To force the end-user to be re-authenticated.

  • prompt=consent -- To force the end-user to re-consent to the specified scope values.

  • prompt=select_account -- To hint the IdP to present the end-user with an account selection menu (in case the user has multiple accounts with the IdP).

All prompt values save for none can be combined, e.g. prompt=login consent.

The prompt parameter can also be useful for plain OAuth 2.0 authorisation requests, especially the consent and select_account values. For that reason the Connect2id server will now support it for all authorisation requests.

Note that the id_token_hint parameter cannot be used in conjunction with prompt for a plain OAuth 2.0 authorisation request.
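To make the rules above concrete, here is an added example (not Connect2id code) of how an authorisation endpoint can evaluate the prompt parameter against the browser session. It assumes the "openid" scope value is what distinguishes an OpenID authentication request from a plain OAuth 2.0 authorisation request, and the Session class is a constructed stand-in for the IdP's session state.

```python
from dataclasses import dataclass, field

PROMPT_VALUES = {"none", "login", "consent", "select_account"}


@dataclass
class Session:
    """Constructed stand-in for the IdP's view of the browser session."""
    logged_in: bool = False
    consented_scope: set = field(default_factory=set)


def parse_prompt(raw: str) -> set:
    """Parse the space-delimited prompt parameter; 'none' must stand alone."""
    values = set(raw.split())
    unknown = values - PROMPT_VALUES
    if unknown:
        raise ValueError("unknown prompt value(s): %s" % ", ".join(sorted(unknown)))
    if "none" in values and len(values) > 1:
        raise ValueError("prompt=none cannot be combined with other values")
    return values


def evaluate(params: dict, session: Session) -> tuple:
    """Decide how the server should handle the authorisation request.

    Returns ("issue", None) when tokens can be issued without interaction,
    ("error", code) for an OAuth error response, or ("interact", [steps])
    listing the user-facing steps to run.
    """
    scope = set(params.get("scope", "").split())
    is_oidc = "openid" in scope  # assumption: the openid scope marks an OpenID request
    try:
        prompt = parse_prompt(params.get("prompt", ""))
    except ValueError:
        return ("error", "invalid_request")
    if prompt and not is_oidc and "id_token_hint" in params:
        # id_token_hint is an OpenID parameter; it cannot accompany prompt on a plain OAuth 2.0 request.
        return ("error", "invalid_request")
    consented = scope <= session.consented_scope
    if "none" in prompt:
        # Silent check, typically from a hidden iframe: report why it cannot be satisfied.
        if not session.logged_in:
            return ("error", "login_required")
        if not consented:
            return ("error", "consent_required")
        return ("issue", None)
    steps = []
    if "select_account" in prompt:
        steps.append("select_account")
    if "login" in prompt or not session.logged_in:
        steps.append("login")
    if "consent" in prompt or not consented:
        steps.append("consent")
    return ("interact", steps) if steps else ("issue", None)


if __name__ == "__main__":
    alice = Session(logged_in=True, consented_scope={"openid", "email"})
    print(evaluate({"scope": "openid email", "prompt": "none"}, alice))
    print(evaluate({"scope": "openid email", "prompt": "none"}, Session()))
    print(evaluate({"scope": "read", "prompt": "consent"}, Session(True, {"read"})))
```

The consent comparison is a subset test on the requested scope, so a prompt=none request for a superset of what was previously consented fails with consent_required rather than silently issuing a broader token.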

Maintenance updates

This release also updates over a dozen underlying modules and libraries to their latest stable versions.

Download

To download a ZIP package of Connect2id server 7.17:

https://connect2id.com/assets/products/server/download/7.17/Connect2id-server.zip

SHA-256: 06417bab6594d37f34f5a4445bfe6bfa2bd14f077a71afbf38033849e561ef95

As WAR package only:

https://connect2id.com/assets/products/server/download/7.17/c2id.war

SHA-256: adb747202305c33758a268f7118685f2706d44dbdab132aa66cfbff1601b3ea7

Questions?

Contact Connect2id support.


Release notes

7.17 (2019-10-12)

General

  • Issued JWT-encoded access tokens will now include the JOSE header parameter type ("typ") set to "at+jwt". Applies to signed as well as nested (signed and encrypted) access tokens. This explicit marking of access tokens is intended to prevent potential confusion with other JWT types, such as OpenID Connect ID tokens. See JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (draft-ietf-oauth-access-token-jwt-02), section 2.1.

  • Updates support for JWT Response for OAuth Token Introspection to draft-ietf-oauth-jwt-introspection-response-08.

  • The OpenID "prompt" parameter is now also supported with plain OAuth 2.0 authorisation requests.

Web API

  • /token/introspect

    • Introspection responses now include the JWT ID ("jti") claim for identifier-based access tokens, set to the first 8 bytes of the SHA-256 hash of the token identifier value.

    • Applies audience restriction to introspected access tokens. If the access token is specified with an audience which doesn't match the caller (client_id), typically that of a resource server, it will be marked as invalid (active=false).

    • Minimises the reported audience of introspected access tokens. If the access token is specified with multiple audiences, of which one matches the caller (client_id), only the caller will be included in the "aud" parameter; any other values (client_id's of resource servers) will be omitted in the response.

    • JWT-secured responses now return JWTs with a type ("typ" header) set to "token-introspection+jwt".

    • JWT-secured responses now always include the issued-at ("iat") claim, set to the time when the response was issued, which will override any token "iat" claim.

    • JWT-secured responses now always include the JWT ID ("jti") claim, see above for details.

  • /authz-sessions/rest/v3/

    • The OpenID "prompt" parameter is now also supported with plain OAuth 2.0 authorisation requests. The prompt values "none", "login", "consent" and "select_account" will be handled identically to OpenID authentication requests. Note that the "id_token_hint" parameter cannot be used in conjunction with "prompt" for a plain OAuth 2.0 authorisation request.
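The /token/introspect changes above (the derived "jti", audience restriction, audience minimisation and the response-time "iat" in JWT-secured responses) can be illustrated with a small introspection function. This is an added example, not Connect2id code: the token store is constructed, a token with no audience is treated as unrestricted (an assumption), the base64url text encoding of the 8 hash bytes is an assumption, and the JWT-secured response is shown as a flat header/claims pair rather than reproducing the draft's exact claim layout.

```python
import base64
import hashlib
import time

# Constructed token store standing in for the server's authorisation store.
# Keys are identifier-based access token values; "aud" lists client_ids of resource servers.
TOKEN_STORE = {
    "Zae6ohPh": {"sub": "alice", "client_id": "app-123", "scope": ["openid", "email"],
                 "aud": ["rs-1", "rs-2"], "exp": 4102444800, "iat": 1570000000},
    "ohR2aeku": {"sub": "bob", "client_id": "app-456", "scope": ["read"],
                 "aud": [], "exp": 4102444800, "iat": 1570000000},
    "expired0": {"sub": "carol", "client_id": "app-123", "scope": ["read"],
                 "aud": ["rs-1"], "exp": 1570000600, "iat": 1570000000},
}


def jti_for(token_id: str) -> str:
    """jti for an identifier-based token: first 8 bytes of SHA-256(token id).

    Encoding those 8 bytes as base64url text is an assumption of this example.
    """
    digest = hashlib.sha256(token_id.encode("ascii")).digest()[:8]
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def introspect(token_id: str, caller_client_id: str, now=None) -> dict:
    """Build the introspection response for the caller identified by client_id."""
    now = int(time.time()) if now is None else now
    rec = TOKEN_STORE.get(token_id)
    if rec is None or rec["exp"] <= now:
        return {"active": False}
    aud = rec.get("aud") or []
    # Audience restriction: a token issued for other resource servers is reported
    # as invalid to this caller instead of disclosing its details.
    if aud and caller_client_id not in aud:
        return {"active": False}
    response = {
        "active": True,
        "sub": rec["sub"],
        "client_id": rec["client_id"],
        "scope": " ".join(rec["scope"]),
        "exp": rec["exp"],
        "iat": rec["iat"],
        "jti": jti_for(token_id),
    }
    # Audience minimisation: only the caller is reported, never the other audiences.
    if aud:
        response["aud"] = caller_client_id
    return response


def jwt_secured_claims(response: dict, issuer: str, now: int) -> tuple:
    """Header and claims for a JWT-secured response: typ "token-introspection+jwt",
    and "iat" set to the response time, overriding the token's own "iat"."""
    header = {"alg": "RS256", "typ": "token-introspection+jwt"}
    claims = dict(response)
    claims["iss"] = issuer
    claims["iat"] = now  # time the response was issued, not the token's iat
    return header, claims


if __name__ == "__main__":
    now = 1570001000
    print(introspect("Zae6ohPh", "rs-1", now))   # active, aud minimised to rs-1
    print(introspect("Zae6ohPh", "rs-3", now))   # {'active': False}: wrong audience
    print(jwt_secured_claims(introspect("ohR2aeku", "rs-9", now), "https://c2id.example.com", now))
```

Returning a bare active=false for an audience mismatch is deliberate: the caller learns nothing about a token that was not meant for it, which is the same shape of answer it gets for an unknown or expired token.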

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.6

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:6.16.2

  • Upgrades to com.nimbusds:oauth2-authz-store:13.3.1

  • Updates to com.nimbusds:oidc-session-store:12.0.4

  • Updates to com.nimbusds:nimbus-jose-jwt:7.9

  • Updates to com.nimbusds:common:2.35

  • Updates Infinispan to 9.4.16.Final

  • Updates to com.nimbusds:infinispan-cachestore-redis:9.2.8

  • Updates to com.nimbusds:infinispan-cachestore-ldap:3.1.2

  • Updates to com.unboundid:unboundid-ldapsdk:4.0.12

  • Updates to com.nimbusds:infinispan-cachestore-sql:3.1.5

  • Updates to com.zaxxer:HikariCP:3.4.1

  • Updates to org.jooq:jooq:3.11.12

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.4.4

  • Updates to com.h2database:h2:1.4.199

  • Updates to commons-codec:commons-codec:1.13

  • Updates to org.apache.commons:commons-collections4:4.4

  • Updates to commons-io:commons-io:2.6

  • Updates Dropwizard Metrics to 4.0.6

  • Updates Log4j to 2.12.1