Connect2id server 7.6 with more options for OpenID claims delivery

Posted 2018-09-08

September commences with a new release of the Connect2id server for enterprise OpenID Connect and OAuth 2.0, with useful updates in consent, global DynamoDB support and the SAML 2.0 grant handler.

Returning non-requested OpenID claims in the ID token

The Connect2id server can supply the relying party (RP) with OpenID claims (attributes) about the end-user that were not asked for in the authentication request.

When a non-requested OpenID claim is consented, it will get delivered according to the response_type parameter of the OpenID authentication request. For all response types other than response_type=id_token, this means the claim will be made available at the UserInfo endpoint.

To enable non-requested OpenID claims to be steered into the ID token instead, we made a small update to the authorisation session web API. Simply prefix the claim name with id_token: and this will make it appear in the ID token instead of at the UserInfo endpoint.

Here is an example. The OpenID authentication request below has scope openid and email, which means the RP is requesting an ID token for the end-user as well as access to their email and email_verified claims:

https://c2id.com/login?
 response_type=code
 &scope=openid%20email
 &client_id=123
 &state=af0ifjsldkj
 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

The RP has initiated a code flow (response_type=code), so the default delivery method for any consented claims will be the UserInfo endpoint. If the IdP decides to additionally release the name claim, that claim will also appear in the UserInfo. To steer the name claim into the ID token, prefix it with id_token: when submitting the consent to the Connect2id server:

{
  "scope"  : [ "openid", "email" ],
  "claims" : [ "email", "email_verified", "id_token:name" ]
}

You can also make the name claim appear in both ID token and UserInfo:

{
  "scope"  : [ "openid", "email" ],
  "claims" : [ "email", "email_verified", "name", "id_token:name" ]
}
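To make the delivery rule concrete, here is a small added example (not Connect2id's own code; the function names are assumed) that computes where each consented claim will be delivered for a given response_type and serialises the consent object submitted to the authorisation session API:

```python
import json

ID_TOKEN_PREFIX = "id_token:"


def only_id_token_requested(response_type):
    """True when the RP asked for an ID token and nothing else (response_type=id_token)."""
    return set(response_type.split()) == {"id_token"}


def route_consented_claims(response_type, consented_claims):
    """Return which consented claims land in the ID token and which at UserInfo.

    Mirrors the rule described in the post: a claim named "id_token:<name>" goes
    into the ID token, a bare "<name>" goes to the UserInfo endpoint, and when the
    RP asked only for an ID token everything goes into the ID token regardless.
    """
    delivery = {"id_token": [], "userinfo": []}
    for claim in consented_claims:
        if claim.startswith(ID_TOKEN_PREFIX):
            name = claim[len(ID_TOKEN_PREFIX):]
            target = "id_token"
        else:
            name = claim
            target = "userinfo"
        if not name:
            raise ValueError("empty claim name in consent: %r" % claim)
        if only_id_token_requested(response_type):
            target = "id_token"  # no access token for UserInfo will be issued
        if name not in delivery[target]:
            delivery[target].append(name)
    return delivery


def build_consent(scope, consented_claims):
    """Serialise the consent object submitted to the authorisation session API."""
    return json.dumps({"scope": list(scope), "claims": list(consented_claims)}, indent=2)


if __name__ == "__main__":
    # Constructed sample: the post's code-flow consent with "name" steered into the ID token.
    consent = ["email", "email_verified", "id_token:name"]
    print(build_consent(["openid", "email"], consent))
    print(route_consented_claims("code", consent))
```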

Global DynamoDB tables

If you intend to deploy the Connect2id server in the AWS cloud and persist its data to global DynamoDB tables, for seamless distributed operation across two or more AWS regions, the server can now automatically initialise the tables with the needed streams.

Check out our new guide for setting up the Connect2id server with global DynamoDB tables.

Updated SAML 2.0 grant handler

The SAML 2.0 assertion grant handler was updated from OpenSAML 2.x, which reached its end of life in 2016, to OpenSAML 3.x.

If you implemented a handler for exchanging SAML 2.0 assertions for OAuth 2.0 access tokens, update your code to OpenSAML 3.2 or later. The package names in OpenSAML 3.0 have changed, as have the APIs of a few classes, but other than that your overall handler design and code should not be affected.

The OpenSAML 3 guide by Stefan Rasmusson can help you.

Download

To download a ZIP package of Connect2id server 7.6:

https://connect2id.com/assets/products/server/download/7.6/Connect2id-server.zip

SHA-256: e6b2e33de5b6701eb5224f8ad203e6917306a90825bdeb19df06b9d724f3956d

As WAR package only:

https://connect2id.com/assets/products/server/download/7.6/c2id.war

SHA-256: 813fe50a7bf927539d25db527b7312c6fd36a868b3c4e6119c680a495ac93381

Questions?

Get in touch with Connect2id support.


Release notes

7.6 (2018-09-08)

Summary

  • Updates the authorisation session web API to enable non-requested OpenID claims to be delivered in the ID token instead of at the UserInfo endpoint (for response types other than id_token).

  • Connect2id server deployments with an AWS DynamoDB backend database can now create the required tables with enabled streaming for replicating table data between two or more AWS regions.

  • Updates the SAML 2.0 grant handler SPIs to OpenSAML 3.x (breaking change).

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Adds an optional boolean "enable-stream" configuration XML attribute to create the DynamoDB table with an enabled stream of view type NEW_AND_OLD_IMAGES. Streaming is required to set up the Connect2id server with global DynamoDB tables with replicas in two or more AWS regions. The setting is also exposed via the Java system property "dynamodb.enableStream" (defaults to "false", set to "true" to enable).

Web API

  • /authz-sessions/rest/v3/

    • Updates handling of consent in the authorisation session API. Consented OpenID claims that are not requested by the relying party can be marked for delivery in the ID token instead of at the UserInfo endpoint by prefixing their name with "id_token:" in the consent submitted to the Connect2id server. For example "id_token:email" will cause an implicitly consented "email" claim to be fed into the ID token. A non-requested claim can be delivered by both methods by including it twice, with the "id_token:" prefix and without, for example "id_token:email" and "email". Normally, all non-requested OpenID claims are delivered at the UserInfo endpoint, save for when the relying party requests only an ID token to be issued (with response_type=id_token).

SPI

  • com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedSAML2GrantHandler

    • Updates the SAML 2.0 grant handler from OpenSAML 2.x to OpenSAML 3.x. Due to breaking changes in the OpenSAML 3.x API, existing handler implementations need to be updated.

  • com.nimbusds.openid.connect.provider.spi.grants.ThirdPartySAML2GrantHandler

    • Updates the SAML 2.0 grant handler from OpenSAML 2.x to OpenSAML 3.x. Due to breaking changes in the OpenSAML 3.x API, existing handler implementations need to be updated.

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.0

  • Updates to com.nimbusds:oauth2-oidc-sdk:6.0

  • Updates to com.nimbusds:nimbus-jose-jwt:6.0.2

  • Updates to OpenSAML 3.2 (breaking change)

  • Updates to com.zaxxer:HikariCP:3.2.0

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:2.2