Connect2id server 8.2
This is a small update to the OpenID Connect / OAuth 2.0 server addressing several recent feature requests and two discovered bugs.
- The Connect2id server can now be configured with basic (client_secret_basic) authentication disabled.
- The server can also be configured with a default refresh token lifetime, which applies when no lifetime (or zero for no expiration) is specified in the authorisation handler during consent or in a custom OAuth 2.0 grant handler for resource owner password, JWT bearer assertion or SAML bearer assertion.
- The CORS configuration can be set or overridden via Java system properties.
The release notes below have more information.
Download
To download a ZIP package of Connect2id server 8.2:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/8.2/Connect2id-server.zip
SHA-256: 85845d660cf4242c3eee0853c8f2d5f565418f4cbdf89b3edd359bddf7889606
As WAR package only:
https://c2id-downloads.s3.eu-central-1.amazonaws.com/server/8.2/c2id.war
SHA-256: 7a9ad96b10f846a6430215b94b76f0e02a8f158ffcc291a780f413436ff04c71
Questions?
Contact Connect2id support.
Release notes
8.2 (2020-02-25)
Configuration
- /WEB-INF/oidcProvider.properties
  - “op.token.authMethods” – Basic authentication (“client_secret_basic”) is no longer required when configuring the enabled client authentication methods. Connect2id server deployments can now be configured with a single enabled client authentication method other than Basic, for example with “self_signed_tls_client_auth” only for client X.509 certificate authentication.
    The first authentication method (ignoring “none”) in the list now specifies the default method for clients which don’t set one explicitly during registration.
- /WEB-INF/authzStore.properties
  - New “authzStore.refreshToken.defaultLifetime” configuration property. Specifies a default refresh token lifetime in seconds. Can be overridden by individual authorisations. If zero or omitted, defaults to permanent (no expiration). Must be zero or a positive integer. The default value is zero (no expiration).
- /WEB-INF/cors.properties
  - Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup: -Dcors.allowOrigin=https://example.com
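The two new settings described above, shown together as a constructed properties excerpt. This is an added illustration, not configuration shipped with Connect2id or taken from its documentation; the 30-day lifetime value is an assumption chosen to show a bounded alternative to the permanent default.

```properties
# /WEB-INF/oidcProvider.properties (constructed excerpt)
# Since 8.2 Basic authentication (client_secret_basic) no longer has to be
# among the enabled methods, so a deployment that only accepts client X.509
# certificate authentication can list that single method. The first method
# in the list (ignoring "none") becomes the default for clients that register
# without choosing one explicitly.
op.token.authMethods=self_signed_tls_client_auth

# /WEB-INF/authzStore.properties (constructed excerpt)
# With this property omitted or set to 0, refresh tokens never expire. The
# value is in seconds; 2592000 (30 days) is an assumed example value and can
# still be overridden per authorisation by the consent or grant handler.
authzStore.refreshToken.defaultLifetime=2592000
```

The cors.properties file is not shown because its values can be left at a restrictive default and supplied per deployment at JVM startup with the -D mechanism the notes describe, e.g. -Dcors.allowOrigin=https://example.com, so the allowed origin never has to be baked into the packaged WAR.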
Web API
- /authz-sessions/rest/v3/
  - Includes the OpenID authentication request “purpose” parameter (from OpenID Connect for Identity Assurance 1.0) in the “auth_req” JSON object which exposes selected request parameters when the authorisation session is queried with a GET. Normally the “purpose” parameter is only provided during the consent step. With this the logic page can access it at any time during the authorisation session.
Resolved issues
- Fixes the URL encoding of the query parameters in front-channel logout notification URIs. The query parameters were receiving a double URL encoding (issue server/520).
- Fixes an OpenID “claims” request parameter sanitisation bug which prevented output of the parameter in the consent prompt when op.authz.includeRawClaimsRequestInPrompt is enabled (issue server/523).
- Updates the UserInfo endpoint to log (INFO level, log line with ID OP7301) the missing token scope if a bearer token error “insufficient_scope” is returned (issue server/517).
Dependency changes
- Upgrades to com.nimbusds:c2id-server-sdk:4.14
- Upgrades to com.nimbusds:oauth2-oidc-sdk:7.1
- Updates to com.nimbusds:nimbus-jose-jwt:8.8
- Upgrades to com.nimbusds:oauth2-authz-store:14.2
- Updates to org.bouncycastle:bcprov-jdk15on:1.64
- Updates to org.bouncycastle:bcpkix-jdk15on:1.64
- Upgrades to com.thetransactioncompany:cors-filter:2.9