Connect2id server 7.2

What's in this week's release of the Connect2id server for OpenID Connect and OAuth 2.0 security?

More server endpoints accept client authentication with a self-signed X.509 certificate

When we originally implemented the OAuth 2.0 mutual TLS profile in Connect2id server 6.13, only the token endpoint handled client authentication with a self-signed X.509 certificate. Support for this authentication method is now extended to the token introspection and revocation endpoints.

The calling clients must be registered with token_endpoint_auth_method set to self_signed_tls_client_auth and must also provide the Connect2id server with a suitable JWK set, either by URI (jwks_uri) or inline (jwks).

In a future release we'll add support for registering dedicated client introspection_endpoint_auth_method and revocation_endpoint_auth_method parameters.

Client certificate bound tokens also get handled at the introspection endpoint

In addition to the above, the introspection endpoint now also accepts token authorisations that are bound to a client certificate. The client must then present an X.509 certificate that matches the cnf.x5t#S256 claim associated with the submitted authorising token.
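The binding check described above, as an added example that is not Connect2id's code: it recomputes the x5t#S256 thumbprint (base64url of the SHA-256 over the DER-encoded certificate) from the certificate the client presented and compares it with the token's cnf claim, rejecting bound tokens that arrive without a certificate or with the wrong one. The certificate bytes and token claims are constructed stand-ins.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256 thumbprint: base64url(SHA-256(DER-encoded certificate)), padding stripped."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_certificate_binding(token_claims: dict, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Check a presented client certificate against the token's cnf.x5t#S256 binding.

    Returns (accepted, reason). A token with no cnf claim is not certificate bound and
    is accepted regardless of whether a certificate was presented.
    """
    cnf = token_claims.get("cnf")
    if not cnf:
        return True, "token is not certificate bound"
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False, "cnf claim carries no x5t#S256 thumbprint"
    if presented_cert_der is None:
        return False, "token is certificate bound but the client presented no certificate"
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprints.
    if not hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii")):
        return False, "presented certificate does not match cnf.x5t#S256"
    return True, "presented certificate matches cnf.x5t#S256"

# Constructed stand-ins for DER-encoded certificates (real ones come from the TLS handshake).
CLIENT_CERT_DER = b"-- constructed stand-in for the registered client's DER certificate --"
OTHER_CERT_DER = b"-- constructed stand-in for some other client's DER certificate --"

# Constructed token authorisations as the introspection endpoint would see them after lookup.
BOUND_TOKEN = {"sub": "alice", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}
UNBOUND_TOKEN = {"sub": "bob"}

if __name__ == "__main__":
    for label, claims, cert in [
        ("bound token, matching cert", BOUND_TOKEN, CLIENT_CERT_DER),
        ("bound token, other cert", BOUND_TOKEN, OTHER_CERT_DER),
        ("bound token, no cert", BOUND_TOKEN, None),
        ("unbound token, no cert", UNBOUND_TOKEN, None),
    ]:
        print(f"{label}: {check_certificate_binding(claims, cert)}")
```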

Custom UserInfo response status codes

When processing a claims request at the UserInfo endpoint, a thrown Java exception causes a 500 Internal Server Error HTTP response to be returned.

To make the Connect2id server return a different HTTP status code, throw a com.nimbusds.oauth2.sdk.GeneralException from the OAuth 2.0 SDK with an ErrorObject carrying the desired status code.

Example:

throw new GeneralException(new ErrorObject(
    "my_error_code",
    "My error message",
    444));

This results in an HTTP response like this:

HTTP/1.1 444
Content-Type: application/json;charset=UTF-8

{
  "error" : "my_error_code",
  "error_description" : "My error message"
}

Download

To download a ZIP package of Connect2id server 7.2:

https://connect2id.com/assets/products/server/download/7.2/Connect2id-server.zip

SHA-256: f426b28b5623cce0c787ab3edeeea78c6099baec64b8661a346247d041493166

As WAR package only:

https://connect2id.com/assets/products/server/download/7.2/c2id.war

SHA-256: 4768a2cc9d32f35784de61e46e1e002951d6606bf3c7bd97022c234849e950f4

Questions?

Get in touch with Connect2id support.


Release notes

7.2 (2018-06-11)

Summary

  • Adds support for self-signed certificate TLS client authentication (draft-ietf-oauth-mtls-09) at the token introspection and revocation endpoints. The calling clients must be registered for self_signed_tls_client_auth.

  • Adds support for mutual TLS client certificate bound access token authorisation (draft-ietf-oauth-mtls-09) at the token introspection endpoint. The client must include an X.509 certificate that matches the cnf.x5t#S256 claim associated with the submitted access token.

Web API

  • /token/introspect -- Adds support for client authentication with a self-signed X.509 certificate (self_signed_tls_client_auth).

  • /token/introspect -- Adds support for mutual TLS client certificate bound access token authorisation (self_signed_tls_client_auth).

  • /token/revoke -- Adds support for client authentication with a self-signed X.509 certificate (self_signed_tls_client_auth).

SPI

  • The ClaimsSource and AdvancedClaimsSource SPIs can throw a com.nimbusds.oauth2.sdk.GeneralException with an ErrorObject to set a specific HTTP status code and error message when processing UserInfo requests.

    Example:

    throw new GeneralException(new ErrorObject(
      "my_error_code",
      "My error message",
      444));
    

Resolved issues

  • Logs TokenIntrospectionResponseComposer SPI loading under OP6530 (issue server/369).

Dependency changes

  • Upgrades to com.nimbusds:nimbus-jose-jwt:5.11