Connect2id server 7.8

Posted 2018-11-20

November's release of the OpenID Connect server updates OAuth 2.0 mutual TLS client authentication to accept Certificate Authority (CA) signed certificates.

Previously, for clients registered for self_signed_tls_client_auth, the Connect2id server would only accept strictly self-signed certificates. Starting with v7.8 client certificates that are signed by a CA will also be accepted.

In both cases -- self-signed or CA-signed certificate, the public key of the client certificate must be registered with the Connect2id server in JWK format, either by value (using the jwks client registration parameter) or by URL (using jwks_uri). Note that for a CA-signed certificate no PKI-based validation is done by the Connect2id server, only its public key must match the registered one. Prior PKI-based validation can still be performed in a TLS terminator set up in front of the server.

This authentication method is specified in OAuth 2.0 Mutual TLS profile (draft-ietf-oauth-mtls-12).

Check out the release notes below for more information.

Download

To download a ZIP package of Connect2id server 7.8:

https://connect2id.com/assets/products/server/download/7.8/Connect2id-server.zip

SHA-256: 04b4cd5194f2e2e8627aa86af5041c002bff87681537396c9553f682863f4bc2

As WAR package only:

https://connect2id.com/assets/products/server/download/7.8/c2id.war

SHA-256: 47c28265e05da49e003f775ba2e95e7daeed2c40fc831f7a3ce03e938b941622

Questions?

Get in touch with Connect2id support.


Release notes

7.8 (2018-11-20)

Summary

  • Updates self-signed certificate mutual TLS OAuth 2.0 client authentication (self_signed_tls_client_auth) to accept Certificate Authority (CA) signed certificates. Previously only strictly self-signed certificates were accepted. For self-signed as well as CA-signed certificates the public key of the certificate must be registered with the Connect2id server in JWK format, either by value (using the jwks client registration parameter) or by URL (using jwks_uri). See OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-12), section 2.2.

Resolves issues

  • Removes stray System.out.println in authorisation session handler (issue server/406).

  • Updates logging of the configuration for the client X.509 certificate request HTTP header set by the TLS termination proxy (code OP6900).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:6.2

  • Updates to com.nimbusds:oauth-client-grant-handler:1.4