Connect2id server 7.6 enhances implicit consent for OpenID claims

Posted 2018-09-08

September commences with a new release of the Connect2id server for enterprise OpenID Connect and OAuth 2.0, with useful updates in consent, global DynamoDB support and the SAML 2.0 grant handler.

Returning implicitly consented OpenID claims in the ID token

The Connect2id server supports implicit consent, which means the Identity Provider (IdP) can supply the relying party (RP) with OpenID claims (attributes) about the end-user which were not explicitly asked for in the authentication request.

When implicit consent for an OpenID claim is given, the claim is delivered according to the response_type parameter of the OpenID authentication request. For every response type other than response_type=id_token an access token is issued, and the claim is made available at the UserInfo endpoint, together with any other consented claims, in exchange for that access token.

To enable implicitly consented OpenID claims to be steered into the ID token instead, we made a small update to the authorisation session web API. Simply prefix the claim name with id_token: and this will make it appear in the ID token instead of at the UserInfo endpoint.

Here is an example. The OpenID request has the scope values openid and email, which means the RP is requesting an ID token for the end-user as well as access to their email and email_verified claims:

The RP has initiated a code flow (response_type=code), so the default delivery method for any consented claims will be the UserInfo endpoint. If the IdP decides to additionally release the name claim, that claim will also appear in the UserInfo. To steer the name claim into the ID token, prefix it with id_token: when submitting the consent to the Connect2id server:

  "scope"  : [ "openid", "email" ],
  "claims" : [ "email", "email_verified", "id_token:name" ]

You can also make the name claim appear in both ID token and UserInfo:

  "scope"  : [ "openid", "email" ],
  "claims" : [ "email", "email_verified", "name", "id_token:name" ]

Global DynamoDB tables

If you intend to deploy the Connect2id server in the AWS cloud and persist its data to global DynamoDB tables, for seamless distributed operation across two or more AWS regions, the server can now automatically initialise the tables with the needed streams.

Check out our new guide for setting up the Connect2id server with global DynamoDB tables.
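A global table replica can only be added to a table whose stream is enabled with the NEW_AND_OLD_IMAGES view type, so it is worth verifying the tables after the server has created them, before you create replicas in other regions. Below is an added Python check for that; it is not Connect2id's or AWS's code. It takes DescribeTable responses in the shape boto3 returns them (a dict with a "Table" key) and reports anything that would block replication. The sample responses and the table name in them are constructed for the example; the `describe_tables_live` helper is the only part that needs network access and boto3, and it is not called by default.

```python
"""Verify DynamoDB tables have the stream global tables need.

Added example, not Connect2id's or AWS's code. Feed it DescribeTable responses
(boto3: client.describe_table(TableName=...)); the samples below are constructed.
"""

REQUIRED_VIEW_TYPE = "NEW_AND_OLD_IMAGES"


def stream_problems(describe_table_response):
    """Return a list of human-readable problems, empty if the table is ready."""
    table = describe_table_response.get("Table", {})
    name = table.get("TableName", "<unknown>")
    problems = []

    if table.get("TableStatus") not in (None, "ACTIVE"):
        problems.append(f"{name}: table status is {table['TableStatus']}, not ACTIVE")

    spec = table.get("StreamSpecification") or {}
    if not spec.get("StreamEnabled"):
        problems.append(f"{name}: stream is not enabled (set enable-stream=\"true\" "
                        f"or -Ddynamodb.enableStream=true and recreate the table)")
        return problems  # view type and ARN are meaningless without a stream

    view = spec.get("StreamViewType")
    if view != REQUIRED_VIEW_TYPE:
        problems.append(f"{name}: stream view type is {view}, global tables need {REQUIRED_VIEW_TYPE}")

    if not table.get("LatestStreamArn"):
        problems.append(f"{name}: stream enabled but no LatestStreamArn reported yet")

    return problems


def check_tables(responses):
    """Run stream_problems over several responses; returns the combined list."""
    problems = []
    for response in responses:
        problems.extend(stream_problems(response))
    return problems


def describe_tables_live(table_names, region_name):
    """Fetch DescribeTable responses with boto3 (needs credentials and network)."""
    import boto3  # imported lazily so the offline check works without boto3
    client = boto3.client("dynamodb", region_name=region_name)
    return [client.describe_table(TableName=name) for name in table_names]


# Constructed sample responses (table name and account id are made up).
SAMPLE_OK = {"Table": {
    "TableName": "c2id_example",
    "TableStatus": "ACTIVE",
    "StreamSpecification": {"StreamEnabled": True, "StreamViewType": "NEW_AND_OLD_IMAGES"},
    "LatestStreamArn": "arn:aws:dynamodb:eu-west-1:123456789012:table/c2id_example/stream/2018-09-08T00:00:00.000",
}}

SAMPLE_NO_STREAM = {"Table": {
    "TableName": "c2id_example",
    "TableStatus": "ACTIVE",
}}

SAMPLE_WRONG_VIEW = {"Table": {
    "TableName": "c2id_example",
    "TableStatus": "ACTIVE",
    "StreamSpecification": {"StreamEnabled": True, "StreamViewType": "KEYS_ONLY"},
    "LatestStreamArn": "arn:aws:dynamodb:eu-west-1:123456789012:table/c2id_example/stream/2018-09-08T00:00:00.000",
}}

if __name__ == "__main__":
    for problem in check_tables([SAMPLE_OK, SAMPLE_NO_STREAM, SAMPLE_WRONG_VIEW]):
        print(problem)
```

Run it against the real tables with `check_tables(describe_tables_live([...], "eu-west-1"))` in each region that will host a replica; an empty result means the tables are ready for the global table setup described in the guide.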

Updated SAML 2.0 grant handler

The SAML 2.0 assertion grant handler was updated from OpenSAML 2.x, which reached its end of life in 2016, to OpenSAML 3.x.

If you implemented a handler for exchanging SAML 2.0 assertions for OAuth 2.0 access tokens, update your code to OpenSAML 3.2 or later. The package names changed in OpenSAML 3.0, as did the APIs of a few classes, but other than that your overall handler design and code should not be affected.

The OpenSAML 3 guide by Stefan Rasmusson can help you.


To download a ZIP package of Connect2id server 7.6:

SHA-256: e6b2e33de5b6701eb5224f8ad203e6917306a90825bdeb19df06b9d724f3956d

As WAR package only:

SHA-256: 813fe50a7bf927539d25db527b7312c6fd36a868b3c4e6119c680a495ac93381


Get in touch with Connect2id support.

Release notes

7.6 (2018-09-08)


  • Updates the authorisation session web API to enable implicitly consented (not requested) OpenID claims to be delivered in the ID token instead of at the UserInfo endpoint (for response types other than id_token).

  • Connect2id server deployments with an AWS DynamoDB backend database can now create the required tables with enabled streaming for replicating table data between two or more AWS regions.

  • Updates the SAML 2.0 grant handler SPIs to OpenSAML 3.x (breaking change).


  • /WEB-INF/infinispan-*-dynamodb.xml

    • Adds an optional boolean "enable-stream" configuration XML attribute to create the DynamoDB table with an enabled stream of view type NEW_AND_OLD_IMAGES. Streaming is required to set up the Connect2id server with global DynamoDB tables with replicas in two or more AWS regions. The setting is also exposed via the Java system property "dynamodb.enableStream" (defaults to "false", set to "true" to enable).


  • /authz-sessions/rest/v3/

    • Updates handling of consent in the authorisation session API. Implicitly consented OpenID claims (not requested by the relying party) can be marked for delivery in the ID token instead of at the UserInfo endpoint by prefixing their name with "id_token:" in the consent submitted to the Connect2id server. For example "id_token:email" will cause an implicitly consented "email" claim to be fed into the ID token. An implicitly consented claim can be delivered by both methods by including it twice, with the "id_token:" prefix and without, for example "id_token:email" and "email". Normally, all implicitly consented OpenID claims are delivered at the UserInfo endpoint, save for when the relying party requests only an ID token to be issued (with response_type=id_token).


  • com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedSAML2GrantHandler

    • Updates the SAML 2.0 grant handler from OpenSAML 2.x to OpenSAML 3.x. Due to breaking changes in the OpenSAML 3.x API, existing handler implementations need to be updated.
  • com.nimbusds.openid.connect.provider.spi.grants.ThirdPartySAML2GrantHandler

    • Updates the SAML 2.0 grant handler from OpenSAML 2.x to OpenSAML 3.x. Due to breaking changes in the OpenSAML 3.x API, existing handler implementations need to be updated.

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.0

  • Updates to com.nimbusds:oauth2-oidc-sdk:6.0

  • Updates to com.nimbusds:nimbus-jose-jwt:6.0.2

  • Updates to OpenSAML 3.2 (breaking change)

  • Updates to com.zaxxer:HikariCP:3.2.0

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:2.2
