Connect2id server 7.7

Posted 2018-10-15

We have another update of the Connect2id server for you, which is recommended if you have a deployment with an AWS DynamoDB backend, or intend to use the new feature introduced in version 7.6 for steering implicitly consented OpenID claims into the ID token, instead of returning them at the standard location for all code-based flows, the UserInfo endpoint.

For more information check the release notes below.

Download

To download a ZIP package of Connect2id server 7.7:

https://connect2id.com/assets/products/server/download/7.7/Connect2id-server.zip

SHA-256: e6b2e33de5b6701eb5224f8ad203e6917306a90825bdeb19df06b9d724f3956d

As WAR package only:

https://connect2id.com/assets/products/server/download/7.7/c2id.war

SHA-256: 813fe50a7bf927539d25db527b7312c6fd36a868b3c4e6119c680a495ac93381

Questions?

Get in touch with Connect2id support.


Release notes

7.7 (2018-10-02)

Summary

  • Recommended update for Connect2id server deployments utilising a DynamoDB backend. Sanitises DynamoDB items before a database write to prevent DynamoDB ValidationExceptions when the optional data in client registrations, authorisation objects and other persisted objects contains empty strings or sets. Also adds new a configuration option for creating the DynamoDB tables with selected omitted global secondary indices (GSI) to conserve read and write capacity.

  • Recommended update for Connect2id server deployments utilising the "id_token:" prefix introduced in v7.6 to steer selected implicitly consented OpenID claims for delivery with the ID token instead of the UserInfo endpoint. Fixes a bug which included the prefix in persisted consent.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • The global secondary indices (GSI) for the subject (sub), actor (act) and / or client ID (cid) attributes in persisted authorisation (consent) records can be selectively turned off by overriding the default "sub, act, cid" setting with a "dynamodb.authzStore.longLivedAuthzMap.indexedAttributes" Java system property. For example, "sub, act" will cause the creation of GSIs for the subjects and actors only, for client IDs related queries the Connect2id server will fall back to a DynamoDB scan request with a filter expression.

Resolved issues

  • Sanitises DynamoDB items before writing them to the table. Empty strings, empty binary data and empty sets, including those in nested JSON objects (maps), are automatically removed to fit the DynamoDB data model and prevent ValidationExceptions (issue authz-store/154).

  • OAuth 2.0 authorisation requests and OpenID authentication requests with an unsupported PKCE method (RFC 7636) are rejected with an "invalid_request" error and descriptive message, as required in section 4.4.1 of RFC 7636. Previously the Connect2id server would return an HTTP 500 status at the token endpoint if the PKCE method is not supported (other than "plain" and "S256") (issue server/401).

  • Implicitly consented claims with an "id_token:" prefix to trigger release via the ID token instead of at the UserInfo endpoint must be saved without the prefix in persisted authorisation records ("cls") (issue server/399).

Dependency changes

  • Updates to com.nimbusds:infinispan-cachestore-common:2.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:2.5