Connect2id server 7.1

With June arrives a new release of the OpenID Connect / OAuth 2.0 server, featuring updates to the claims (attribute) sources, the OAuth 2.0 mutual TLS profile and support for custom error codes at the authorisation endpoint.

Source OpenID Connect claims from an HTTP endpoint

The connector for sourcing OpenID claims (attributes) from an HTTP endpoint is now part of the official Connect2id server package. You can use it to integrate any database or system as a claims source, by setting up a simple web service to act as a broker.

Example request for an array of claims associated with user alice:

POST /claims-source HTTP/1.1
Host: www.example.com
Content-Type: application/json; charset=UTF-8
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "iss"    : "https://c2id.com",
  "sub"    : "alice",
  "claims" : [ "email", "email_verified", "name", "given_name", "family_name" ]
}

The response has the JSON format of a UserInfo response:

HTTP/1.1 200 OK
Date: Mon, 23 May 2016 22:38:34 GMT
Content-Type: application/json; charset=UTF-8

{
  "sub"            : "alice",
  "email"          : "[email protected]",
  "email_verified" : true,
  "name"           : "Alice Adams",
  "given_name"     : "Alice",
  "family_name"    : "Adams"
}
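A minimal broker for the exchange above, as an added example (Python; not the Connect2id server's own code or SDK): it checks the bearer token configured as op.httpClaimsSource.apiAccessToken, validates the issuer and subject, and answers with a UserInfo-style object holding only the requested claims that exist. The token value, issuer and user records are constructed for the example, and answering an unknown subject with just sub is this example's own choice.

```python
import hmac
import json

# Constructed values for this example: the non-expiring bearer token the
# Connect2id server is configured with (op.httpClaimsSource.apiAccessToken),
# the expected issuer, and a stand-in for the integrated user database.
API_ACCESS_TOKEN = "ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6"
EXPECTED_ISSUER = "https://c2id.com"
USER_STORE = {
    "alice": {
        "email": "alice@example.com",
        "email_verified": True,
        "name": "Alice Adams",
        "given_name": "Alice",
        "family_name": "Adams",
    },
}


def handle_claims_request(headers, body):
    """Handle one POST /claims-source request; returns (status, json_object)."""
    # Constant-time comparison so a wrong token cannot be narrowed down by timing.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
            token.encode(), API_ACCESS_TOKEN.encode()):
        return 401, {"error": "invalid_token"}

    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid_request"}

    # Serve only requests from the issuer this broker was set up for, and only
    # when the subject and the claim names have the expected shape.
    sub, requested = req.get("sub"), req.get("claims")
    if (req.get("iss") != EXPECTED_ISSUER or not isinstance(sub, str)
            or not isinstance(requested, list)):
        return 400, {"error": "invalid_request"}

    record = USER_STORE.get(sub, {})
    # UserInfo format: "sub" is always present so the server can tie the
    # response to the right subject; claims that are unavailable are omitted.
    response = {"sub": sub}
    for name in requested:
        if name in record:
            response[name] = record[name]
    return 200, response
```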

Update to the LDAP claims source connector

The configuration which sets the mapping of LDAP attributes to JSON entities can now be passed as an op.ldapClaimsSource.attributeMap property. With that the LDAP connector can now be configured entirely via Java system properties.

op.ldapClaimsSource.attributeMap = {"sub":{"ldapAttr":"uid"},"name":{"ldapAttr":"cn","langTag":true},...

The hosted and multi-tenant Connect2id servers will accept configuration only via Java properties, passed via the configuration API.

Claims sources can use wildcards when advertising support of claims

Every claims source that gets set up with the Connect2id server needs to provide the names of the claims it can handle. The server finds out the names by calling the supportedClaims() method of the claims source implementation.

@Override
public Set<String> supportedClaims() {

    return new HashSet<>(Arrays.asList("email", "email_verified"));
}

If the names of the handled claims are not known in advance or can change dynamically, the source can now advertise a name with a wildcard character (*), provided the names follow a pattern. To prevent clashes it is good practice to give custom claim names a prefix, and that prefix then provides a suitable naming pattern, e.g. id4me.* for all claims with the id4me prefix.

@Override
public Set<String> supportedClaims() {

    // Collections.singleton is a static factory; it is not invoked with "new"
    return Collections.singleton("id4me.*");
}

At most one wildcard character may be used per advertised claim name. If the Connect2id server has more than one installed claims source matching a requested claim name, the source precedence is not deterministic.
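An added example (Python; not the server's own code) modelling the matching rule just described: an advertised claim name is split around its single wildcard, each requested claim is resolved to the sources that advertise it, and claims matched by more than one source are reported, since their precedence is not deterministic. The source names and advertised claim sets are constructed.

```python
def parse_pattern(pattern):
    """Split an advertised claim name into (prefix, suffix) around its wildcard.

    A literal name yields (name, None). More than one '*' is rejected, matching
    the rule that at most one wildcard may be used per advertised claim name.
    """
    if pattern.count("*") > 1:
        raise ValueError("at most one wildcard per advertised claim name: %r" % pattern)
    if "*" not in pattern:
        return pattern, None
    prefix, suffix = pattern.split("*")
    return prefix, suffix


def matches(pattern, claim):
    """True if the requested claim name fits the advertised (possibly wildcard) name."""
    prefix, suffix = parse_pattern(pattern)
    if suffix is None:
        return claim == prefix
    # "*" alone has an empty prefix and suffix and therefore matches any claim.
    return (len(claim) >= len(prefix) + len(suffix)
            and claim.startswith(prefix) and claim.endswith(suffix))


def resolve_sources(requested_claims, sources):
    """Map each requested claim to the sorted names of sources advertising it.

    `sources` is {source_name: set of names from supportedClaims()}.
    """
    return {
        claim: sorted(name for name, advertised in sources.items()
                      if any(matches(p, claim) for p in advertised))
        for claim in requested_claims
    }


def ambiguous_claims(resolved):
    """Claims served by more than one source: precedence is not deterministic,
    so an operator should treat these as a configuration problem to resolve."""
    return sorted(claim for claim, names in resolved.items() if len(names) > 1)


# Constructed deployment: an LDAP source with fixed names, an HTTP source
# advertising the id4me.* pattern, and a third source advertising "*".
SOURCES = {"ldap": {"email", "email_verified", "name"},
           "id4me_http": {"id4me.*"},
           "catch_all": {"*"}}
```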

Support for custom error codes in authorisation responses

If you have the need to return an authorisation error with a custom code, you can now do so, provided the possible custom codes are listed in the new op.authz.customErrorCodes configuration setting.

When cancelling an authorisation session the Connect2id server checks the error code against the list of standard OAuth 2.0 codes (and now custom codes as well) to make sure the client doesn't get sent an invalid error code by accident.

Mutual TLS client authentication and client certificate bound access tokens

Support for the OAuth 2.0 mutual TLS profile was updated to the latest draft-ietf-oauth-mtls-08. There were two naming changes: in both the client metadata and the authorisation server metadata, the field mutual_tls_sender_constrained_access_tokens was renamed to tls_client_certificate_bound_access_tokens.

The OAuth 2.0 / OpenID Connect SDK was also updated accordingly (v5.62).

Download

To download a ZIP package of Connect2id server 7.1:

https://connect2id.com/assets/products/server/download/7.1/Connect2id-server.zip

SHA-256: 5f65db6b816b9bbd005673e68f3c23097f370ac0838d7e9a98300ab1159b0bb9

As WAR package only:

https://connect2id.com/assets/products/server/download/7.1/c2id.war

SHA-256: 856580b85f636e653c03e484458a67aa36b9c3fcb4284e4715b7cd6652651b14

Questions?

Get in touch with Connect2id support.


Release notes

7.1 (2018-06-01)

Summary

  • Adds new connector for sourcing OpenID Connect claims for a subject (end-user) from an HTTP endpoint. Implements the AdvancedClaimsSource SPI from the Connect2id server SDK.

    • Supports retrieval of arbitrary OpenID Connect claims.

    • Supports multiple scripts and languages via language tags.

    • Access to the HTTP endpoint requires a non-expiring bearer token.

    • Utilises an HTTP POST request to obtain the claims in order to prevent leaking of the request parameters (subject identifier and claim names) into HTTP server logs.

  • Updates support for OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens to draft-ietf-oauth-mtls-08.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.customErrorCodes -- New configuration property, for specifying additional custom OAuth 2.0 error codes that may be returned at the authorisation endpoint. The standard error codes allowed by default are access_denied, invalid_request, unauthorized_client, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable, login_required, consent_required, interaction_required, account_selection_required, request_uri_not_supported, request_not_supported, invalid_request_uri and invalid_request_object. The custom error codes can be specified as a space and / or comma separated list.

  • /WEB-INF/httpClaimsSource.properties -- New configuration file for the HTTP-based OpenID Connect claims sources. Every setting can be overridden with a Java system property.

    • op.httpClaimsSource.enable -- Enables / disables the HTTP claims source. Disabled by default (if omitted).

    • op.httpClaimsSource.supportedClaims -- The names of the supported (standard and custom) OpenID Connect claims, as a comma and / or space separated list.

    • op.httpClaimsSource.url -- The URL of the HTTP endpoint for sourcing the OpenID Connect claims. Should be HTTPS.

    • op.httpClaimsSource.connectTimeout -- The timeout in milliseconds for establishing HTTP connections. If zero the underlying HTTP client library will determine the timeout.

    • op.httpClaimsSource.readTimeout -- The timeout in milliseconds for obtaining HTTP responses after connection. If zero the underlying HTTP client library will determine the timeout.

    • op.httpClaimsSource.trustSelfSignedCerts -- Determines whether to accept self-signed X.509 / TLS certificates presented by the HTTP server. Self-signed certificates are not trusted by default.

    • op.httpClaimsSource.apiAccessToken -- Access token of type bearer (non-expiring) for accessing the HTTP endpoint. Should contain at least 32 random alphanumeric characters to make brute force guessing impractical.

  • /WEB-INF/ldapClaimsSource.properties

    • op.ldapClaimsSource.attributeMap -- New optional configuration setting for passing the LDAP attribute map definition as a property, optionally BASE-64 encoded to ease passing the JSON string as a Java system property via the command line. Can also be set to point to a file resource within the web application. Defaults to "/WEB-INF/ldapClaimsMap.json" if not specified.

SPI

  • ClaimsSource, AdvancedClaimsSource -- The supportedClaims() method may return claim names with a wildcard '*' character to indicate support for a pattern of names, e.g. "id4me.*". The string "*" can be used to indicate that the source can potentially serve any claim. At most one wildcard character may be used per advertised claim name. If the Connect2id server has more than one installed claims source matching a requested claim name, the source precedence is not deterministic.

Web API

  • /.well-known/openid-configuration

    • Updates the OpenID provider metadata for draft-ietf-oauth-mtls-08 where the mutual_tls_sender_constrained_access_tokens metadata field is renamed to tls_client_certificate_bound_access_tokens.

  • /.well-known/oauth-authorization-server

    • Updates the OAuth 2.0 authorisation server metadata for draft-ietf-oauth-mtls-08 where the mutual_tls_sender_constrained_access_tokens metadata field is renamed to tls_client_certificate_bound_access_tokens.

  • /clients

    • Updates the OAuth 2.0 client metadata for draft-ietf-oauth-mtls-08 where the mutual_tls_sender_constrained_access_tokens metadata field is renamed to tls_client_certificate_bound_access_tokens.

Dependency Changes

  • Adds new dependency to com.nimbusds:oidc-claims-source-http:1.0.1

  • Upgrades to com.nimbusds:oidc-claims-source-ldap:1.6

  • Upgrades to com.nimbusds:c2id-server-sdk:3.26.2

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.62

  • Upgrades to com.unboundid:unboundid-ldapsdk:4.0.6

  • Upgrades Infinispan to 9.2.4.Final.