Connect2id server 9.3

This release of the Connect2id server adds a new plugin interface and updates the SQL and DynamoDB database connectors.

SPI for customising token responses

A new plugin interface enables customisation of token responses. Deployments willing to experiment with the new OAuth 2.0 Rich Authorization Requests (RAR) spec, in development at the OAuth 2.0 WG, can use it to return the required RAR metadata in the token response. We have provided a working example.

Token error responses can potentially be customised as well.

Database connector updates

The SQL store connector was updated and now has a default configuration where a single SQL connection pool is shared between all Connect2id server maps and caches with data persistence. Support for vertical partitioning is still available.

There is no need to update your current MySQL, PostgreSQL, SQL Server and H2 configurations to use the new settings.

The DynamoDB connector was also updated and can now be configured with an HTTP proxy host and port for connections to the database endpoint.

Other

The authorisation session API of the Connect2id server also received a small update and a bug fix.

Check the release notes below for additional information.

Download

To download a ZIP package of Connect2id server 9.3:

https://connect2id.com/assets/products/server/download/9.3/Connect2id-server.zip

SHA-256: 039822d338d981f9dceacb2d19b6ff02e58bb7221fd9fbd7c4b005279a11eccf

As WAR package only:

https://connect2id.com/assets/products/server/download/9.3/c2id.war

SHA-256: 4b01ffa253ba2b6c485fcb36b407c39a224d93337a778caf56715c69a375785f
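
To check a downloaded package against the digests listed above before deploying it, the following shell functions can be used. This is an added example, not part of the Connect2id distribution; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: verify a downloaded Connect2id server 9.3 package against
# the SHA-256 digests published in the Download section of these notes.

# Digests copied from the Download section above.
C2ID_ZIP_SHA256=039822d338d981f9dceacb2d19b6ff02e58bb7221fd9fbd7c4b005279a11eccf
C2ID_WAR_SHA256=4b01ffa253ba2b6c485fcb36b407c39a224d93337a778caf56715c69a375785f

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
# The file is read from stdin so unusual file names cannot alter the output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
    # Accept only 64 hex characters, so an empty or truncated digest
    # (for example from a bad copy and paste) can never count as a match.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (got $actual)" >&2
        return 1
    fi
}

# Usage after downloading, stopping the deployment on any failure:
#   verify_sha256 Connect2id-server.zip "$C2ID_ZIP_SHA256" || exit 1
#   verify_sha256 c2id.war "$C2ID_WAR_SHA256" || exit 1
```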

Questions?

Contact Connect2id support.


Release notes

9.3 (2020-05-12)

Configuration

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Updates the SQL store schema to v2.7 and switches to a single shared database connection pool for all Infinispan map and cache structures used by the Connect2id server. Support for per map / cache connection pool to spread the load over multiple databases (vertical partitioning) is still available.
  • /WEB-INF/infinispan-*-dynamodb.xml

    • Updates the DynamoDB store schema to v1.7 and adds support for configuring an optional HTTP proxy for connections to the DynamoDB endpoint. The HTTP proxy is configured by setting the Java system properties "dynamodb.httpProxyHost" and "dynamodb.httpProxyPort".

Web API

  • /authz-sessions/rest/v3/

    • Exposes the optional "id_token_hint" OpenID authentication request parameter in the authorisation session object (under "auth_req").

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.20

  • com.nimbusds.openid.connect.provider.spi.tokens.response.CustomTokenResponseComposer

    • New SPI for composing custom token success and error responses. Can be used to include additional parameters in an access token response based on the authorisation (consent) "data" parameter, such as an "authorization_details" parameter required in OAuth 2.0 Rich Authorization Requests (draft-lodderstedt-oauth-rar-03).

Resolved issues

  • Previously consented claims appearing in the consent prompt (authorisation session API) must not include language tags. Fixed a bug which prevented stripping of the tags from claim names retrieved from the "clm" field in authorisation records (issue server/558).

  • Enhances the authorisation session API by automatically stripping language tags in the names of consented claims (issue server/559).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.20

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.5

  • Upgrades to com.nimbusds:oauth2-authz-store:14.6

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:4.2.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:3.6.1