OpenID Connect front and back-channel logout support in Connect2id server 7.3

We know, it was a long wait, but now we finally have it, support for OpenID Connect front and back-channel logout in the Connect2id server. The two specs complement core OpenID Connect with mechanisms for notifying concerned relying parties that an end-user has been logged out of the identity provider:

  • The front-channel logout mechanism notifies the relying party by calling a URL via a hidden browser iframe.

  • The back-channel logout mechanism submits the notification as a special logout token (JWT) that is posted directly to the relying party.

The relying party must be registered to receive front or back-channel notifications. Those will be delivered only for sessions into which the relying party previously logged in a user (received an ID token).

Each mechanism has its pros and cons. Back-channel logout, for example, can also notify the relying party of expired sessions and doesn't rely on the browser being open; however, it may fail to reach client applications behind firewalls. At the OAuth security workshop in Trento, Mike Jones and Brock Allen gave a comprehensive presentation on the topic of logout; check their slides here.

Front-channel logout use

The relying party must be registered with an HTTPS URL for receiving the notifications. A flag can also be set to receive a session ID ("sid" claim) in issued ID tokens and with the logout notification, so that the relying party can determine exactly which end-user session was logged out (in case sessions with multiple user accounts are possible) and also gain additional confirmation that the notification is genuine.

Example client metadata:

{
  "frontchannel_logout_uri"              : "https://example.com/logout",
  "frontchannel_logout_session_required" : true,
  ...
}

The IdP then ends the end-user's session via the logout session web API of the Connect2id server, which will return a list of URLs for the hidden browser iframes that are to be created.
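To make the relying-party side of this concrete, here is an added example (not code from the Connect2id server or from this post) showing what the relying party does when one of those hidden iframes hits its registered frontchannel_logout_uri. It assumes, as the front-channel logout spec requires when the session flag is set, that the OP appends "iss" and "sid" query parameters to the registered URL, and that the RP keyed its local sessions by the OP issuer and the "sid" from the ID token at login time. The issuer, session IDs and RP URL are constructed sample values.

```python
"""Relying-party handling of a front-channel logout notification (added example)."""
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample values, not real deployments.
OP_ISSUER = "https://op.example.com"
RP_LOGOUT_URI = "https://example.com/logout"


def build_frontchannel_logout_url(logout_uri: str, iss: str, sid: str) -> str:
    """The URL the OP places in the hidden iframe: the registered logout URI
    with 'iss' and 'sid' added, keeping any query the RP registered."""
    parts = urlsplit(logout_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["iss"] = [iss]
    query["sid"] = [sid]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, doseq=True), parts.fragment))


class RelyingPartySessions:
    """Minimal RP session registry keyed by (issuer, OP session id).

    Looking the session up by the 'sid' from the query string, rather than by a
    cookie, means the notification still works when the browser withholds the
    RP's cookies from the third-party iframe request.
    """

    def __init__(self, expected_issuer: str):
        self.expected_issuer = expected_issuer
        self._by_op_session: dict[tuple[str, str], str] = {}  # (iss, sid) -> local id
        self._local_sessions: set[str] = set()

    def login(self, sid: str, local_session_id: str) -> None:
        """Record a login, using the 'sid' claim of the ID token the RP received."""
        self._by_op_session[(self.expected_issuer, sid)] = local_session_id
        self._local_sessions.add(local_session_id)

    def is_logged_in(self, local_session_id: str) -> bool:
        return local_session_id in self._local_sessions

    def handle_frontchannel_logout(self, request_url: str) -> str:
        """Process a GET to the frontchannel_logout_uri.

        Returns 'terminated', 'unknown_session' or 'rejected'. The response to
        the iframe should additionally carry Cache-Control: no-store so that a
        cached copy never stands in for a real notification.
        """
        query = parse_qs(urlsplit(request_url).query)
        iss = query.get("iss", [None])[0]
        sid = query.get("sid", [None])[0]
        if iss is None or sid is None:
            return "rejected"            # session flag set: both must be present
        if iss != self.expected_issuer:
            return "rejected"            # notification claims to come from another OP
        local = self._by_op_session.pop((iss, sid), None)
        if local is None:
            return "unknown_session"     # idempotent: already logged out or never seen
        self._local_sessions.discard(local)
        return "terminated"
```

Rejecting a mismatched "iss" matters because the logout URL is reachable by anyone: without that check, and without the "sid" lookup, a stray request could terminate the wrong local session or none at all.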

Back-channel logout use

For back-channel logout the relying party needs a similar client registration:

{
  "backchannel_logout_uri"              : "https://example.com/logout",
  "backchannel_logout_session_required" : true,
  ...
}

The Connect2id server will submit a logout token (security event JWT) for each notification. The default HTTP connect and read timeouts are 250ms, and can be adjusted if needed.
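Because the logout token arrives out of band, a relying party must validate it before it terminates anything. The following added example (not code from the Connect2id server or from this post) walks through the checks the back-channel logout spec asks of the relying party: signature, "iss", "aud", "iat" freshness, a "jti" replay cache, the required "events" member, the presence of "sub" and/or "sid", and the absence of "nonce". It assumes the OP signed the token with HS256 using the client secret, which keeps the example free of external libraries; an RS256 token verified against the OP's JWKS is handled the same way apart from the signature step. The issuer, client ID, secret, session ID and "jti" values are constructed.

```python
"""Relying-party validation of a back-channel logout token (added example)."""
from __future__ import annotations
import base64, hashlib, hmac, json, time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed sample values; the secret is not a real credential.
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a compact JWS the way the OP would (HS256 only, for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def sample_logout_token(now: int, **overrides) -> str:
    """A constructed logout token; overrides let callers break one rule at a time."""
    claims = {"iss": OP_ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": now,
              "jti": "constructed-jti-1", "sid": "op-session-42",
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    claims.update(overrides)
    return sign_hs256(claims, CLIENT_SECRET)


class LogoutTokenValidator:
    def __init__(self, issuer: str, client_id: str, secret: bytes, max_age: int = 120):
        self.issuer, self.client_id, self.secret, self.max_age = issuer, client_id, secret, max_age
        self._seen_jti: set[str] = set()   # replay cache; persist it across restarts in practice

    def validate(self, token: str, now: int | None = None) -> dict:
        """Return the verified claims or raise ValueError naming the failed rule."""
        now = int(time.time()) if now is None else now
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise ValueError("not a compact JWS")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")   # never accept 'none' or an unregistered alg
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p))
        if claims.get("iss") != self.issuer:
            raise ValueError("iss mismatch")
        aud = claims.get("aud")
        if self.client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("aud does not contain this client")
        iat = claims.get("iat")
        if not isinstance(iat, int) or abs(now - iat) > self.max_age:
            raise ValueError("iat missing or outside acceptable window")
        events = claims.get("events")
        if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
            raise ValueError("missing backchannel-logout event")
        if "sub" not in claims and "sid" not in claims:
            raise ValueError("neither sub nor sid present")
        if "nonce" in claims:
            raise ValueError("nonce must not be present (not an ID token)")
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._seen_jti:
            raise ValueError("jti missing or replayed")
        self._seen_jti.add(jti)
        return claims


def rejection_reason(validator: LogoutTokenValidator, token: str, now: int) -> str | None:
    """Convenience wrapper: the failing rule as a string, or None when the token is valid."""
    try:
        validator.validate(token, now=now)
        return None
    except ValueError as exc:
        return str(exc)
```

The "nonce" rule is there so that a captured ID token cannot be replayed to the logout endpoint as if it were a logout token, and the "jti" cache stops a captured logout token from being replayed later to log a user out at an attacker's chosen moment. With the 250 ms default timeouts mentioned above, the RP's endpoint should do only this validation and a local session lookup before returning 200; anything slower belongs in a background task.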

Important note: Connect2id server deployments with Redis as the primary in-memory store will not deliver back-channel logout notifications for expired sessions. This issue will be addressed in a future release.

Support for DynamoDB encryption at rest and table name prefix

Connect2id server deployments in the AWS cloud with DynamoDB persistence can now create tables with data encryption at rest (server-side encryption). The tables can also be given a common prefix to differentiate them from other tables in the same AWS region. Check out the updated DynamoDB configuration reference for how to do that.

Other changes and updates

The authorisation session and subject session store web APIs also received small updates, which are described in the release notes below.

Migrating to 7.3

If you're upgrading from a 6.x or earlier Connect2id server release, first read the 7.0 release notes.

In order to facilitate relying party tracking in the subject sessions and to include the new client registration parameters for front and back-channel logout, the database schemas were updated where required.

SQL database

If you have configured your Connect2id server to persist its data to a MySQL, PostgreSQL or H2 database, the 7.3 server will automatically add the required new table columns on startup (in the subject_sessions and clients tables).

LDAP directory

If the Connect2id server is configured to persist its data to an LDAPv3 compatible directory, such as OpenLDAP or OpenDJ, the directory schema will need to be updated manually.

Here are updated LDAP schemas for the subject sessions and client registrations:

For OpenLDAP and compatible directory servers:

oidc-session-schema-openldap.ldif

oidc-client-schema-openldap.ldif

For OpenDJ and compatible directory servers:

oidc-client-schema-opendj.ldif

oidc-session-schema-opendj.ldif

If you need assistance with migration contact Connect2id support.

Download

To download a ZIP package of Connect2id server 7.3:

https://connect2id.com/assets/products/server/download/7.3/Connect2id-server.zip

SHA-256: f4dd1377ec0b55a3381a4bbdc296f8624165c39ce1648284a82003c5cc9b3037

As WAR package only:

https://connect2id.com/assets/products/server/download/7.3/c2id.war

SHA-256: e3634a7f695f4324ae02c492f032b5c37d5968c3d8673c628183c24210df470f

Questions?

Get in touch with Connect2id support.


Release notes

7.3 (2018-07-11)

Summary

  • Implements OpenID Connect front-channel logout 1.0 (draft 02) for notifying subscribed OpenID relying parties when a subject session into which the OpenID relying party was logged in gets closed. The notifications are delivered via the browser, by calling a registered OpenID relying party URL (typically by the OpenID provider creating a hidden iframe for the URL). Front-channel logout is implemented by extending the Connect2id server logout session web API.

  • Implements OpenID Connect back-channel logout 1.0 (draft 04) for delivering logout tokens (JWT) to subscribed OpenID relying parties when a subject session into which the OpenID relying party was logged in gets closed or expires. Note: Connect2id server deployments with Redis as the primary in-memory store will not deliver back-channel logout notifications for expired sessions. This issue will be addressed in a future release.

  • Extends the logout session web API to support OpenID provider initiated logout and to return front-channel logout URLs if OpenID relying parties that were logged in are subscribed to receive such notifications.

  • Extends the subject (end-user) session store API to track OpenID relying parties logged in during a session.

  • Extends the authorisation session (login page) web API to include the optional email "contacts" in the OAuth 2.0 client information.

  • Connect2id server deployments with a DynamoDB backend database can enable encryption at rest and set a common prefix when the DynamoDB tables are created. Encryption at rest is enabled by setting the "dynamodb.encryptionAtRest" system property. A common prefix for the table names is set with the "dynamodb.tablePrefix" system property.

  • Updates the MySQL, PostgreSQL, H2 and LDAP schemas to enable storage of front and back-channel logout related data. The Connect2id server will automatically update the schema of existing SQL tables on startup by making a series of ALTER TABLE queries. Connect2id server deployments with an LDAP backend will require a manual schema update. Connect2id server deployments with a DynamoDB backend will not require any schema updates (the item values are schema-less).

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.logout.backChannel.httpConnectTimeout -- New configuration property, specifies the HTTP connect timeout (in milliseconds) for posting a logout token. Zero implies no timeout. Must not be negative. Defaults to 250 ms.

    • op.logout.backChannel.httpReadTimeout -- New configuration property, specifies the HTTP read timeout (in milliseconds) for posting a logout token. Zero implies no timeout. Must not be negative. Defaults to 250 ms.

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Updates the DynamoDB store XML schema to v1.1.

    • Adds support for an "encryption-at-rest" attribute (defaults to "false"), settable via the "dynamodb.encryptionAtRest" system property.

    • Exposes the "table-prefix" attribute (defaults to none), settable via the "dynamodb.tablePrefix" system property.

Web API

  • /authz-sessions/rest/v3/

    • Adds the "contacts" OAuth client registration metadata parameter to the OAuth client details included in the authentication and consent prompt JSON objects. If set it will be represented as a JSON array of strings containing one or more e-mail addresses. The "contacts" parameter is intended to designate people responsible for the OAuth client / OpenID relying party.

  • /logout-sessions/rest/v1/

    • Adds an optional "initiator" parameter to the logout request JSON object to indicate the initiator: "RP" for a logout request initiated by an OpenID relying party (see OpenID Connect Session Management 1.0, RP-Initiated Logout), "OP" for a logout request initiated by the OpenID provider. If the "initiator" parameter is not set the default "RP" is assumed.

    • If the logout request is initiated by the OpenID provider ("OP") the API will immediately proceed to return a final logout response or error (i.e. the usual logout prompt for an OpenID relying party initiated logout will be skipped).

    • Extends the logout end JSON object to include "frontchannel_logout_uris" (JSON array of URIs) if there are hidden iframes to be created for OpenID Connect front-channel logout notification.

  • /session-store/rest/v2/

    • Adds an "rps" (relying parties) parameter to the subject session object, of type JSON string array. Lists the OpenID relying parties logged in during the subject session. OAuth 2.0 clients which are issued an access token but no ID token during the session are not included in the list. OpenID relying parties which subsequently submit a logout notification with an ID token hint that identifies them are automatically removed from the list (see OpenID Connect Session Management 1.0, RP-initiated logout).

Resolved issues

  • Changes the handling of subject session updates in the authorisation session web API (/authz-sessions/rest/v3/) when op.authz.alwaysPromptForAuth is enabled or when authentication (ACR) is stepped up so that the optional "claims" and "data" subject session parameters also get set / replaced. Previously only the subject authentication details ("auth_time", "acr" and "amr") could be updated with the PUT request (issue server/373).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.63

  • Upgrades to com.nimbusds:oauth2-authz-store:8.1.5

  • Upgrades to com.nimbusds:oidc-session-store:9.4.3

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:3.0.3

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:2.1.1

  • Upgrades to org.bouncycastle:bcprov-jdk15on:1.60

  • Upgrades to org.bouncycastle:bcpkix-jdk15on:1.60

  • Upgrades to org.jooq:jooq:3.11.2

  • Upgrades to com.amazonaws:aws-java-sdk-bundle:1.11.362

  • Upgrades to commons-codec:commons-codec:1.11

  • Adds dependency to org.asynchttpclient:async-http-client:2.4.9

  • Upgrades to com.h2database:h2:1.4.197

  • Upgrades Log4j2 to 2.11.0