Incremental authorisation, resource indicators and EdDSA in release 6.0 the OAuth 2.0 / OpenID Connect SDK

Posted 2018-09-03

The slow summer period is now over and it’s now time to announce a new major release of our popular open source OAuth 2.0 / OpenID Connect SDK, on which a number of application frameworks as well as client and server implementations rely.

What’s in the new 6.0 release?

  • Experimental support for incremental authorisation, which allows OAuth 2.0 clients to ask for more consent (access) while preserving any previously granted scopes. The intent of this draft to improve the user experience around consent, so that users are asked for things only as needed and when needed (and also make the process easier for application developers).

  • Also experimental support for the resource parameter draft, which lets clients indicate the URL of the resource server in authorisation and token requests. We are a bit sceptical of the actual utility of this proposed spec, save for servers that require it for some legacy reason. If you need to issue tokens for multiple resource servers (web APIs), we suggest you encode the resource server identity (or URL) in the scope value instead, e.g. by prefixing the resource URL to the scope, which should be easier to understand and handle, while also effectively preventing clashes of scope values between resource servers.

  • The Nimbus JOSE+JWT dependency was bumped to 6.0 to enable issue and handling of ID tokens secured with high-performance Ed25519 digital signatures. According to our benchmarks signing of tokens with Ed25519 is 63x cheaper compared to RSA.

  • The optional OpenSAML dependency was also bumped, to the latest stable 3.2, for those applications that need to exchange SAML 2.0 assertions for OAuth 2.0 access tokens.

  • The authorisation and token requests can now support multi-valued parameters. This is a breaking change which opens up the SDK to more potential use cases, such as handling multiple resource parameters.

  • A bunch of classes and methods marked as deprecated in 5.x were removed.

Check the release notes below for a full list of all changes.


version 6.0 (2018-09-02)

  • Adds experimental support for Resource Indicators for OAuth 2.0 (draft-ietf-oauth-resource-indicators-00).
  • Adds experimental support for OAuth 2.0 Incremental Authorization (draft-ietf-oauth-incremental-authz-00).
  • Updates AuthorizationRequest and AuthenticationRequest to support multi-valued query parameters (breaking change).
  • Updates the AuthorizationResponse classes to support multi-valued parameters (breaking change).
  • Updates TokenRequest to support multi-valued parameters in the request body (breaking change).
  • Updates the AuthorizationGrant classes to support multi-valued parameters in the request body (breaking change).
  • Updates HTTPRequest to support multi-valued parameters in the query and body (breaking change).
  • Switches com.nimbusds.openid.connect.sdk.op.AuthenticationRequestResolver to com.nimbusds.jose.util.ResourceRetriever (breaking change).
  • Updates HTTPRequest and HTTPResponse to support multi-valued HTTP headers (breaking change) (iss #252).
  • Removes deprecated com.nimbusds.oauth2.sdk.http.Resource class.
  • Removes deprecated com.nimbusds.oauth2.sdk.http.ResourceRetriever interface.
  • Removes deprecated com.nimbusds.oauth2.sdk.http.RestrictedResourceRetriever interface.
  • Removes deprecated com.nimbusds.oauth2.sdk.http.AbstractRestrictedResourceRetriever class.
  • Removes deprecated com.nimbusds.oauth2.sdk.http.DefaultResourceRetriever class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.JWKSource interface.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.AbstractJWKSource class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.ImmutableJWKSet class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.ImmutableClientSecret class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.RemoteJWKSet class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.AbstractJWKSelector class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.JWSVerificationKeySelector class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.JWEDecryptionKeySelector class.
  • Removes deprecated com.nimbusds.oauth2.sdk.jose.jwk.KeyConverter class.
  • Removes deprecated com.nimbusds.openid.connect.sdk.id.AESBasedPairwiseSubjectCodec class.
  • Upgrades optional OpenSAML dependency to 3.0+ (breaking change for all OpenSAML APIs).
  • Updates Nimbus JOSE+JWT to 6.0.1 with Ed25519 and X25519 support.

comments powered by Disqus