
Connect2id server 7.2

What’s in this week’s release of the Connect2id server for OpenID Connect and OAuth 2.0 security?

More server endpoints accept client authentication with a self-signed X.509 certificate

When we originally implemented the OAuth 2.0 mutual TLS profile in Connect2id server 6.13, only the token endpoint was made to handle client authentication with a self-signed X.509 certificate. Support for this authentication method is now extended to the following endpoints:

  • Token introspection (/token/introspect)

  • Token revocation (/token/revoke)

The calling clients must be registered with a token_endpoint_auth_method set to self_signed_tls_client_auth and also provide to the Connect2id server a suitable JWK set, either by URI (with jwks_uri) or inline (with jwks).

In a future release we’ll add support for registering dedicated client introspection_endpoint_auth_method and revocation_endpoint_auth_method parameters.

Client certificate bound tokens also get handled at the introspection endpoint

In addition to the above, the introspection endpoint will also accept token authorisations that are bound to a client certificate. The client must then present an X.509 certificate whose SHA-256 thumbprint matches the cnf.x5t#S256 claim associated with the submitted authorising token.
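As an added illustration of the binding check described above (example code, not Connect2id's own implementation), the thumbprint comparison in Python; the certificate bytes and token claims are constructed stand-ins, where a real deployment would take the DER bytes of the TLS client certificate:

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint as carried in cnf.x5t#S256: base64url(SHA-256(DER)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Return a copy of the token claims bound to the given certificate."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def token_binding_ok(claims: dict, presented_cert_der) -> bool:
    """Decision an introspection endpoint makes for a submitted authorising token.

    - no cnf claim: the token is not certificate bound, nothing more to check here
    - cnf.x5t#S256 present: a certificate must have been presented and its
      thumbprint must match; a missing or different certificate is rejected
    """
    cnf = claims.get("cnf")
    if cnf is None:
        return True
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str) or presented_cert_der is None:
        return False
    # constant-time comparison so a mismatch leaks nothing about the expected value
    return hmac.compare_digest(x5t_s256(presented_cert_der), expected)


# Constructed stand-ins (not real certificates): only the byte identity matters here.
CLIENT_CERT_DER = b"\x30\x82stand-in client certificate bytes"
OTHER_CERT_DER = b"\x30\x82some other certificate bytes"
UNBOUND_TOKEN = {"sub": "alice", "scope": "openid"}
BOUND_TOKEN = bind_token(UNBOUND_TOKEN, CLIENT_CERT_DER)
```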

Custom UserInfo response status codes

When processing a claims request at the UserInfo endpoint, an uncaught Java exception thrown by the claims source will cause a 500 Internal Server Error HTTP response to be returned.

To make the Connect2id server return a different HTTP status code, throw a com.nimbusds.oauth2.sdk.GeneralException from the OAuth 2.0 SDK with an ErrorObject carrying the desired status code.

Example:

throw new GeneralException(new ErrorObject(
    "my_error_code",
    "My error message",
    444));

This will result in an HTTP response like this:

HTTP/1.1 444
Content-Type: application/json;charset=UTF-8

{
  "error" : "my_error_code",
  "error_description" : "My error message"
}

Download

To download a ZIP package of Connect2id server 7.2:

https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/7.2/Connect2id-server.zip

SHA-256: f426b28b5623cce0c787ab3edeeea78c6099baec64b8661a346247d041493166

As WAR package only:

https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/7.2/c2id.war

SHA-256: 4768a2cc9d32f35784de61e46e1e002951d6606bf3c7bd97022c234849e950f4

Questions?

Get in touch with Connect2id support.


Release notes

7.2 (2018-06-11)

Summary

  • Adds support for self-signed certificate TLS client authentication (draft-ietf-oauth-mtls-09) at the token introspection and revocation endpoints. The calling clients must be registered for self_signed_tls_client_auth.

  • Adds support for mutual TLS client certificate bound access token authorisation (draft-ietf-oauth-mtls-09) at the token introspection endpoint. The client must include an X.509 certificate that matches the cnf.x5t#S256 claim associated with the submitted access token.

Web API

  • /token/introspect – Adds support for client authentication with a self-signed X.509 certificate (self_signed_tls_client_auth).

  • /token/introspect – Adds support for mutual TLS client certificate bound access token authorisation (self_signed_tls_client_auth).

  • /token/revoke – Adds support for client authentication with a self-signed X.509 certificate (self_signed_tls_client_auth).

SPI

  • The ClaimsSource and AdvancedClaimsSource SPIs can throw a com.nimbusds.oauth2.sdk.GeneralException with an ErrorObject to set a specific HTTP status code and error message when processing UserInfo requests.

    Example:

    throw new GeneralException(new ErrorObject(
        "my_error_code",
        "My error message",
        444));
    

Resolved issues

  • Logs TokenIntrospectionResponseComposer SPI loading under OP6530 (issue server/369).

Dependency changes

  • Upgrades to com.nimbusds:nimbus-jose-jwt:5.11