Updated RP-initiated logout in Connect2id server 12.15

The Connect2id server logout endpoint, used to implement single logout across participating applications, received an update to make it compliant with the latest 02 revision of the OpenID Connect RP-Initiated Logout 1.0 spec.

The logout endpoint can now support ID token hints (id_token_hint) encrypted for confidentiality. There is also support for a logout_hint parameter, similar to the login_hint in OpenID authentication requests, and a ui_locales to personalise the logout UI. Relying parties that for some reason cannot save the user's ID token in order to pass it later in the id_token_hint logout parameter, can use a client_id to at least hint the application's identity. The logout session API, which lets Connect2id server deployments implement a logout UI, journeys and policies around logout, was updated to reflect the changes.

Logout confirmation

The mini guide for developing a logout UI and the sample project were also revised.

Other changes

The plugin SPI for verifying qualified certificates in a private_key_jwt client authentication was also updated to allow for custom error_description and error_uri fields when an invalid_client error is returned.

Connect2id server deployments that use DynamoDB receive a new optional dynamodb.enableContBackups configuration property, to enable point-in-time recovery (PITR) for all tables where crucial or long-lived server data is persisted. Note that when continuous backups are enabled they will not apply to sessions, codes, caches and other transient data, as there is no practical utility in recovering such data. If you want to have PITR for that data, it must be enabled directly via the AWS APIs for those DynamoDB tables.

You can find detailed information about the changes in Connect2id server 12.15 in the notes below.

Download 12.15

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.15: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 16af5e3afa5e4810f7df7a204c1206ed9d6eafe66ac2bf5ecd6935e556d129f0

Connect2id server 12.15 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8d3feaa7da130f19866ff9fe498a9cbcf440f243d1a23d06eaec733d815a79f9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.15: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 79c3b72dd0601ef4e583a7174ae27e4c48e2f5d6e490f9dba14e0a99d48b51f3

Connect2id server 12.15 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 2bee27a9d1a131c11c86fe433e768877ac7d35f43f846fbd3c722b85c0be3956

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.15 (2022-07-17)

Summary

  • Updates OpenID Connect RP-Initiated Logout 1.0 support to draft 02. Introduces new logout_hint, client_id and ui_locales request parameters. See https://openid.net/specs/openid-connect-rpinitiated-1_0.html

  • PrivateKeyJWTCertificateVerifier SPI plugins can override the default error_description and error_uri in invalid_client errors returned to the authenticating OAuth 2.0 client.

  • New dynamodb.enableContBackups configuration property to enable DynamoDB continuous backups / point-in-time recovery for tables holding crucial or long-lived Connect2id server data. Previously continuous backups could be enabled only via the AWS CLI, SDK, API or web console.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • New dynamodb.enableContBackups configuration property of type boolean (true|false) to enable continuous backups / point-in-time recovery for all DynamoDB tables where crucial or long-lived Connect2id server data is persisted: id_access_tokens, long_lived_authorizations, revocation_journal, clients, federation_clients and tenants (in the multi-tenant Connect2id server edition). Applied at Connect2id server startup on new table creation as well as for existing tables. The default value is false (no continuous backups).

Web API

  • Logout (end-session) endpoint

    • id_token_hint -- Relying parties can submit ID token hints encrypted with JSON Web Encryption (JWE) for confidentiality. The ID token can be encrypted with a public RSA or EC encryption JWK published at the Connect2id server's jwks.json endpoint. A relying party that is provisioned with a client_secret can alternatively encrypt the ID token with a symmetric AES key using the JWE dir algorithm and a JWE method listed in the id_token_encryption_enc_values_supported OpenID provider metadata field, as specified in OpenID Connect Core 1.0 incorporating errata set 1, section 10.2.

    • client_id -- New optional RP-initiated logout request parameter, of type string, representing the client ID of the relying party. A relying party should use it to identify itself in a request when the recommended id_token_hint parameter isn't included or when the id_token_hint represents a symmetrically encrypted (JWE) ID token so the OpenID provider can resolve the relying party's registered client_secret necessary for the ID token decryption. If both id_token_hint and client_id are included in a logout request the client ID must be found in the ID token audience.

      Note, a valid id_token_hint remains required for RP-initiated logout requests that include a post_logout_redirect_uri parameter.

    • logout_hint -- New optional RP-initiated logout request parameter, of type string, representing a hint about the end-user that is logging out, such as the user's email address, telephone number or username. Analogous to the login_hint OpenID authentication request parameter.

    • ui_locales -- New optional parameter, of type string and consisting of one or more space delimited BCP47 (RFC 7231) language tags, representing the end-user's preferred languages and scripts for the logout UI.

  • /logout-sessions/rest/v1/

    • Adds support for the optional client_id RP-initiated logout request parameter. The Connect2id server will use it to identify the calling relying party when the recommended id_token_hint logout request parameter isn't included or represents an ID token that is symmetrically encrypted with a client_secret. If both id_token_hint and client_id are present in a logout request the Connect2id server will check that the ID token was issued to the client_id; if not, an invalid_id_token_hint error will be returned.

    • New id_token_hint_present parameter in the logout prompt message, of type boolean (true|false), to show if the relying party included an id_token_hint in the logout request.

      Note, if the id_token_hint logout request parameter failed the Connect2id server verification (which covers all standard ID token checks, save for its exp claim), the logout session API will return an invalid_id_token_hint error. Hence, when id_token_hint_present is true it always indicates a valid ID token.

    • New optional op_logout parameter in the logout confirmation message, of type boolean (true|false) and a default value false, to indicate an end-user request for IdP-wide logout in addition to confirming the RP logout. This new parameter deprecates the existing confirm_logout parameter.

    • New optional logout_hint parameter in the logout prompt message, of type string, representing the logout_hint RP-initiated logout request parameter.

    • New optional ui_locales parameter in the logout prompt, logout end and logout error messages, of type string array, representing the ui_locales RP-initiated logout request parameter.

    • New invalid_request error code to indicate an invalid RP-initiated logout request.
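An added example, not Connect2id code: a Go model of the end-session request rules listed above (id_token_hint verification minus the exp check, client_id resolving the relying party and having to appear in the ID token audience, post_logout_redirect_uri needing a valid hint, logout_hint and ui_locales handed to the logout prompt). It assumes the hint is an HS256-signed ID token keyed by the relying party's client_secret, standing in for the symmetric JWE case; the issuer, client registry and ID token values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const issuer = "https://demo.c2id.com" // OP issuer (constructed)

// Registered relying parties, client_id -> client_secret (constructed sample data).
var clients = map[string]string{"ieJ0iefo": "Ahth0ahy-eiGh7aiN-aeR3oojo-ooPh5Pee-1234"}

// LogoutError carries the error code the logout endpoint / logout session API returns.
type LogoutError struct{ Code, Description string }

func (e *LogoutError) Error() string { return e.Code + ": " + e.Description }

// LogoutPrompt mirrors the logout prompt message fields discussed above.
type LogoutPrompt struct {
	Subject            string   `json:"sub,omitempty"`
	ClientID           string   `json:"client_id,omitempty"`
	IDTokenHintPresent bool     `json:"id_token_hint_present"`
	LogoutHint         string   `json:"logout_hint,omitempty"`
	UILocales          []string `json:"ui_locales,omitempty"`
	PostLogoutRedirect string   `json:"post_logout_redirect_uri,omitempty"`
}

type idTokenClaims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"` // modelled as an array; a bare-string aud is not handled here
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret, input string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// verifyIDTokenHint checks the HS256 MAC with the relying party's client_secret and the
// issuer. exp is deliberately not checked: an expired ID token still works as a hint.
// It returns the claims and the client whose secret verified the token.
func verifyIDTokenHint(hint, clientID string) (*idTokenClaims, string, error) {
	parts := strings.Split(hint, ".")
	if len(parts) != 3 { return nil, "", errors.New("expected a compact JWS") }
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" { return nil, "", errors.New("unsupported or malformed JWS header") }
	var claims idTokenClaims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil { return nil, "", errors.New("malformed payload") }
	// Key selection: the explicit client_id wins. Without it a single audience value is
	// used only as a key hint; nothing in the payload is trusted before the MAC verifies.
	owner := clientID
	if owner == "" && len(claims.Aud) == 1 { owner = claims.Aud[0] }
	secret, ok := clients[owner]
	if !ok { return nil, "", errors.New("cannot resolve the client_secret for the ID token") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) { return nil, "", errors.New("invalid ID token signature") }
	if claims.Iss != issuer { return nil, "", errors.New("unexpected ID token issuer") }
	return &claims, owner, nil
}

// HandleLogoutRequest applies the id_token_hint / client_id / post_logout_redirect_uri
// rules from the release notes and builds the logout prompt message.
func HandleLogoutRequest(params map[string]string) (*LogoutPrompt, error) {
	p := &LogoutPrompt{ClientID: params["client_id"], LogoutHint: params["logout_hint"],
		PostLogoutRedirect: params["post_logout_redirect_uri"], UILocales: strings.Fields(params["ui_locales"])}
	if hint := params["id_token_hint"]; hint != "" {
		claims, owner, err := verifyIDTokenHint(hint, p.ClientID)
		if err != nil { return nil, &LogoutError{"invalid_id_token_hint", err.Error()} }
		// A client_id sent alongside the hint must be one of the ID token audiences.
		inAud := false
		for _, a := range claims.Aud {
			inAud = inAud || a == p.ClientID
		}
		if p.ClientID != "" && !inAud { return nil, &LogoutError{"invalid_id_token_hint", "client_id not in the ID token audience"} }
		p.IDTokenHintPresent, p.Subject, p.ClientID = true, claims.Sub, owner
	}
	// A post-logout redirect is only honoured for a request with a valid ID token hint.
	if p.PostLogoutRedirect != "" && !p.IDTokenHintPresent { return nil, &LogoutError{"invalid_request", "post_logout_redirect_uri requires a valid id_token_hint"} }
	return p, nil
}

// SignDemoIDToken mints an HS256 ID token for the sample relying party (constructed input).
func SignDemoIDToken(secret, sub string, aud []string) string {
	body, _ := json.Marshal(map[string]any{"iss": issuer, "sub": sub, "aud": aud, "exp": 1453021544})
	input := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64url(body)
	return input + "." + b64url(hs256(secret, input))
}

func main() {
	hint := SignDemoIDToken(clients["ieJ0iefo"], "449d693f-c0b8-4088-8ed6-6607d3c95853", []string{"ieJ0iefo"})
	prompt, err := HandleLogoutRequest(map[string]string{"id_token_hint": hint, "ui_locales": "bg-BG en"})
	fmt.Printf("%+v %v\n", prompt, err)
}
```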

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.49

    • New ExposedInvalidClientException class that extends the common InvalidClientException for representing OAuth 2.0 invalid_client errors, to indicate that the default Connect2id server error_description and error_uri must be overridden with specific values.

      The Connect2id server has a security policy to log the message of InvalidClientException instances and return a general error_description in the HTTP 401 Unauthorized response that doesn't reveal the exact cause why client authentication failed. The new ExposedInvalidClientException lets client authentication related plugins override this policy and set the error_description and error_uri in the HTTP 401 Unauthorized response. This facility must be used judiciously.

    • Connect2id server plugins implementing the PrivateKeyJWTCertificateVerifier SPI can throw the new ExposedInvalidClientException instead of the common InvalidClientException to override the default Connect2id server error_description and error_uri in the resulting HTTP 401 Unauthorized response.

      When using the ExposedInvalidClientException to set a custom invalid client error_description care must be taken not to divulge sensitive information, or more information than necessary.

Resolved issues

  • Updates the access token (as subject_token) introspection in token exchange grant handling (RFC 8693) to mark tokens whose client_id doesn't match the client_id of the requesting OAuth 2.0 client as invalid. In addition, an OP6216 warning will be logged when this condition is encountered (issue server/768).

  • The logout session web API must not log request query strings at INFO level (issue server/770).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.49

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.38

  • Upgrades to com.nimbusds:lang-tag:1.7

OAuth 2.0 token exchange (RFC 8693) support in Connect2id server 12.14

This Connect2id server release introduces support for OAuth 2.0 token exchange (RFC 8693). Deployments can use it to let clients obtain an access token from the token endpoint by presenting a grant (credential) that is also a token.

The ability to utilise tokens as grants can be useful in cases such as:

  • Letting a client obtain tokens for backend services based on an initial access token from a user authorisation in a browser-based OAuth flow. The client needs the additional token(s) in order to fulfil a complex operation that involves calls to multiple services / APIs.

  • A client obtaining a local access token using a credential from another domain. This external credential can be another access token, a JWT, a SAML assertion, or something else.

  • Obtaining tokens in a delegation (on-behalf-of) scenario.

  • Obtaining tokens in an impersonation (act-as) scenario.

  • Obtaining tokens for special purposes.

Following the established Connect2id server tradition for handling OAuth 2.0 grants where deployments are given a plugin interface to freely implement their own grant-specific logic and policy, the server receives a new token exchange handler SPI.

The SPI is designed to support arbitrary ingress tokens, in terms of their type, purpose, encoding and cryptographic protection. If the token that the client submits as an OAuth grant is a locally issued access token, the Connect2id server will automatically inspect it and make its authorisation details available to the plugin. If the token is issued by another server and the deployment has a policy to accept such tokens, the plugin must handle its verification. A future Connect2id server release may add a facility to simplify the task of validating JWTs and OAuth access tokens from other issuers.

If the plugin logic determines that the token exchange is allowed to proceed, it creates a simple object specifying the scope and other properties of the access token to return. The Connect2id server will then use this spec to mint the actual token and return it to the requesting client. In a future release the Connect2id server will receive the capability to issue a refresh token on a token exchange.

You can find more information in the token exchange handler SPI documentation.

This Connect2id server release also took the opportunity to revise the other existing OAuth 2.0 grant handler SPIs. They received a new default method for processing grants that exposes additional token request parameters besides the requested scope; a context object was also added to facilitate the creation of plugins for the multi-tenant edition of the Connect2id server. The client credentials grant handler SPI was additionally updated so that plugins can now authorise access tokens that give access to OpenID claims from the provisioned claims source, or that include such claims.

Download 12.14

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.14: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 2ab142228d456e2ff9efec3c9e7ad196062a7d39f0116923c5f1e9d489f46f28

Connect2id server 12.14 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 1b6a273ff7625bf62d4dc1ae4c6dba06c34a44ff0b91a4c8d317fae8a7c2c223

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.14: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0fdf5a6fe700f2861d7c74d9a9f0c08e3fae8897c69e36f8046c02e28dbc4007

Connect2id server 12.14 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: f32676fd296eb3ea00da3daa684bbe1b1027a361892b05af0be9f427da9db278

Release notes

12.14 (2022-06-30)

Summary

  • Support for OAuth 2.0 Token Exchange (RFC 8693). This is an OAuth 2.0 extension that specifies a generic mechanism for clients to obtain an access token in exchange for another token, whose type and encoding can be arbitrary and whose issuer can be the same OAuth 2.0 authorisation server or another trusted 3rd party token service. This grant also supports impersonation (act-as) and delegation (on-behalf-of) scenarios. See https://datatracker.ietf.org/doc/html/rfc8693

Web API

  • /clients

    • Supports registration of clients for the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange"). The clients can be confidential (with authentication credentials) or public.

  • /token

    • Supports the OAuth 2.0 token exchange grant (RFC 8693), identified by the grant_type "urn:ietf:params:oauth:grant-type:token-exchange". Requires a TokenExchangeGrantHandler SPI plugin.

  • /monitor/v1/metrics

    • Adds new tokenEndpoint.tokenExchange.successfulRequests, tokenEndpoint.tokenExchange.invalidClientErrors, tokenEndpoint.tokenExchange.unauthorizedClientErrors, tokenEndpoint.tokenExchange.invalidGrantErrors and tokenEndpoint.tokenExchange.invalidScopeErrors meters for the OAuth 2.0 token exchange grant.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.48

    • TokenExchangeGrantHandler -- New SPI for implementing OAuth 2.0 token exchange (RFC 8693) scenarios. Accepts subject_token and actor_token instances of any token type and issuer. The requested_token_type must be an access token (locally issued). The access token can be of type Bearer, with a client X.509 certificate binding (RFC 8705), or DPoP bound (draft-ietf-oauth-dpop-09). Issue of other types of tokens as well as refresh tokens currently isn't supported.

    • ClientCredentialsGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ResourceOwnerPasswordCredentialsGrant -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • SelfIssuedJWTGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ThirdPartyJWTGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • SelfIssuedSAML2GrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ThirdPartySAML2GrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • Adds a ClaimsSpec field to the GrantAuthorization class. This enables plugins implementing the ClientCredentialsGrantHandler SPI to authorise OAuth 2.0 clients registered for the client_credentials grant to receive an access token for OpenID claims at the UserInfo endpoint. This also enables the existing Connect2id server feature where authorised OpenID claims specified with the access_token: prefix will be fed into the access token.

Resolved issues

  • Increases the entity size limit of HTTP requests to the client registration endpoint from 20K chars to 250K chars to cater for client registrations with exceptionally large metadata. The entity size limit has been present to prevent DoS attacks in client registration that is open or managed in a way that doesn't enforce a limit on the submitted client metadata (issue server/765).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.48

New access token configurations in Connect2id server 12.13

This release of the Connect2id server ships new possibilities for feeding additional (custom) claims into JWT-encoded access tokens and laying them out in a suitable way for the intended resource servers.

Feeding custom claims from the client registration

There is now a new authzStore.accessToken.codec.jwt.copyClientData configuration to direct the Connect2id server to take selected members from the optional "data" field in client registrations and make them available as top-level JWT claims in access tokens issued to the client.

For example, to copy the data.org_id member (if present) from client registrations and paste into the access tokens:

authzStore.accessToken.codec.jwt.copyClientData=org_id

The updated access token guide has details, tips and examples how to use this new configuration parameter.

Moving authorisation data claims to the top-level

The "dat" (data) field in internal authorisation objects has provided Connect2id server deployments with a simple method for storing custom parameters related to the authorisation grant and making them available in issued access tokens. This is done by simply copying the "dat" JSON object into the token claims set.

Example access token claims with a custom dat claim:

{
  "sub"       : "449d693f-c0b8-4088-8ed6-6607d3c95853",
  "client_id" : "ieJ0iefo",
  "scope"     : "https://api.example.com/read",
  "dat"       : {
     "enforce_single_use" : true,
     "app_ctx"            : "ext"
  }
  ...
}

Deployments that need to have selected members from the "dat" JSON object appear as top-level access token claims can now do so with the following configuration: authzStore.accessToken.codec.jwt.moveAuthzData

Example config to make dat.enforce_single_use a top-level claim:

authzStore.accessToken.codec.jwt.moveAuthzData=enforce_single_use

The resulting access token claims:

{
  "sub"                : "449d693f-c0b8-4088-8ed6-6607d3c95853",
  "client_id"          : "ieJ0iefo",
  "scope"              : "https://api.example.com/read",
  "enforce_single_use" : true,
  "dat"                : {
     "app_ctx" : "ext"
  }
  ...
}

The usage of this new configuration is also explained in the access token guide.

Download 12.13

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.13: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 2ab142228d456e2ff9efec3c9e7ad196062a7d39f0116923c5f1e9d489f46f28

Connect2id server 12.13 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 1b6a273ff7625bf62d4dc1ae4c6dba06c34a44ff0b91a4c8d317fae8a7c2c223

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.13: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0fdf5a6fe700f2861d7c74d9a9f0c08e3fae8897c69e36f8046c02e28dbc4007

Connect2id server 12.13 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: f32676fd296eb3ea00da3daa684bbe1b1027a361892b05af0be9f427da9db278

Release notes

12.13 (2022-06-20)

Summary

  • The default Connect2id server codec for self-contained (JWT-encoded) access tokens can now insert selected elements from the client data field and the authorisation data fields as top-level JWT claims. Deployments can use this feature to conform to access token profiles without a custom SelfContainedAccessTokenClaimsCodec plugin.

Configuration

  • /WEB-INF/authzStore.properties

    • authzStore.accessToken.codec.jwt.copyClientData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists names of members in the client registration's "data" JSON object to copy as top-level JWT claims. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged this setting has no effect.

    • authzStore.accessToken.codec.jwt.moveAuthzData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists the names of members in the authorisation "dat" (data) JSON object to move to top-level JWT claims in access tokens minted by the default self-contained access token encoder. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged this setting has no effect.
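An added worked example in Go (not the Connect2id server's own codec) of the copyClientData and moveAuthzData behaviour described in the 12.13 post and in the two properties above, reproducing the dat.enforce_single_use and data.org_id cases from the post. Assumed here: several member names are comma-separated, an emptied "dat" object is dropped, and a moved or copied member is refused when it would overwrite an existing claim such as sub or scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// JWTCodecConfig holds the two authzStore.accessToken.codec.jwt.* properties. Several
// member names are assumed to be comma-separated; "*" selects all members.
type JWTCodecConfig struct {
	CopyClientData string // authzStore.accessToken.codec.jwt.copyClientData
	MoveAuthzData  string // authzStore.accessToken.codec.jwt.moveAuthzData
}

// selector turns a property value into a predicate over member names.
func selector(value string) func(string) bool {
	value = strings.TrimSpace(value)
	if value == "*" {
		return func(string) bool { return true }
	}
	set := map[string]bool{}
	for _, n := range strings.Split(value, ",") {
		if n = strings.TrimSpace(n); n != "" {
			set[n] = true
		}
	}
	return func(name string) bool { return set[name] }
}

// EncodeClaims produces the JWT claims set of an access token from the authorisation
// (with its optional "dat" object) and the client registration's "data" object.
// A moved or copied member that would overwrite an existing claim (sub, scope,
// client_id, ...) is refused: client "data" may be client-supplied in open registration,
// so letting it shadow identity claims would be a privilege escalation. This refusal is
// a defensive check assumed by this example, not a documented server rule.
func EncodeClaims(cfg JWTCodecConfig, authz, clientData map[string]any) (map[string]any, error) {
	claims := map[string]any{}
	for k, v := range authz {
		if k != "dat" {
			claims[k] = v
		}
	}
	move, pick := selector(cfg.MoveAuthzData), selector(cfg.CopyClientData)
	dat, _ := authz["dat"].(map[string]any)
	rest := map[string]any{}
	for k, v := range dat {
		if !move(k) {
			rest[k] = v
			continue
		}
		if _, clash := claims[k]; clash {
			return nil, fmt.Errorf("dat.%s would overwrite the %q claim", k, k)
		}
		claims[k] = v
	}
	if len(rest) > 0 {
		claims["dat"] = rest // the members that were not moved stay under "dat"
	}
	for k, v := range clientData {
		if !pick(k) {
			continue
		}
		if _, clash := claims[k]; clash {
			return nil, fmt.Errorf("client data.%s would overwrite the %q claim", k, k)
		}
		claims[k] = v
	}
	return claims, nil
}

func main() {
	// Constructed input mirroring the access token claims shown in the 12.13 post.
	authz := map[string]any{
		"sub": "449d693f-c0b8-4088-8ed6-6607d3c95853", "client_id": "ieJ0iefo",
		"scope": "https://api.example.com/read",
		"dat":   map[string]any{"enforce_single_use": true, "app_ctx": "ext"},
	}
	client := map[string]any{"org_id": "acme", "contact": "ops@example.com"}
	cfg := JWTCodecConfig{CopyClientData: "org_id", MoveAuthzData: "enforce_single_use"}
	claims, err := EncodeClaims(cfg, authz, client)
	out, _ := json.MarshalIndent(claims, "", "  ")
	fmt.Println(string(out), err)
}
```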

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.45

    • Updates the SelfContainedAccessTokenClaimsCodec SPI by adding a new TokenEncoderContext.getOIDCClientInformation method.

    • Updates the AccessTokenIssueEventListener and IDTokenIssueEventListener SPIs by adding a new EventContext.getOIDCClientInformation method.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.45

  • Upgrades to com.nimbusds:oauth2-authz-store:18.1

  • Upgrades to com.nimbusds:common:2.49

Qualified X.509 certificates for private_key_jwt client authentication in Connect2id server 12.12

Connect2id server 12.12 focuses on shipping new client authentication capabilities. It also packs an additional plugin for web-hook based handling of OAuth 2.0 client credential grants.

Qualified certificates for private_key_jwt

To process token and other requests with private_key_jwt client authentication the Connect2id server needs a copy of the public key for the JWT assertions in order to verify their signature. The public key has been traditionally set in the client registration, in JWK format, using the standard jwks or jwks_uri parameter.

Starting with this release the public key can now also be passed in an X.509 certificate included in the private_key_jwt itself.

Use cases and benefits of this method:

  • Enables straightforward use of qualified certificates to establish the client credential. The certificate can be issued by a national, industry or some other authority recognised by the identity provider. For internal applications and services the issuer can be a local CA.

  • The need for explicit registration of a client JWK set is obviated.

  • Since no client JWKs are registered with the Connect2id server the need for the client to manage key roll-over also falls away.

Clients include the certificate BASE64 encoded in the x5c (X.509 certificate chain) header of the JWT assertion.

Example JWT header and claims for a private_key_jwt with certificate:

{
  "alg" : "RS256",
  "x5c" : [ "MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMC..." ]
}
{
  "iss" : "oe7aiz60",
  "sub" : "oe7aiz60",
  "aud" : "https://demo.c2id.com/token",
  "exp" : 1453021544,
  "jti" : "Eefaevo0"
}

Deployments that wish to support certificates for establishing the public key for private_key_jwt authentication are provided with a new plugin interface (SPI) where they can define the policy and verification logic for the certificates.

Note that the existing tls_client_auth also supports certificate-based authentication, but over mutual TLS, and with the extra benefit of sender constraining any issued access tokens to the client. This enhanced token security is missing in private_key_jwt authentication, even when it makes use of an X.509 certificate to establish the public key.
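An added example in Go, not Connect2id or Nimbus code, of what a verifier for the x5c method above has to do: validate the certificate chain against a trusted root, bind the certificate subject to the client_id, and only then verify the RS256 signature and the assertion claims with the key taken from that certificate. The policy (leaf subject CN must equal the client_id) and the self-signed demo certificate are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type jwtHeader struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
}

type jwtClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyPrivateKeyJWT checks a private_key_jwt whose public key comes from the x5c header
// instead of a registered JWK set. Assumed policy: the chain must validate to a trusted
// root, the leaf subject CN must equal the client_id, and iss/sub/aud/exp/jti must be
// right. The key is taken only from the verified certificate, never from client metadata.
func VerifyPrivateKeyJWT(assertion, clientID, tokenEndpoint string, roots *x509.CertPool, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return nil, errors.New("not a compact JWS") }
	var hdr jwtHeader
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil { return nil, errors.New("malformed JWS header") }
	if hdr.Alg != "RS256" || len(hdr.X5c) == 0 { return nil, errors.New("expected RS256 with an x5c header") }
	// x5c entries are standard (not URL-safe) base64 DER; the first one is the signer.
	var chain []*x509.Certificate
	for _, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		if err != nil { return nil, errors.New("malformed x5c entry") }
		cert, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		chain = append(chain, cert)
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] { inter.AddCert(c) }
	leaf := chain[0]
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil { return nil, fmt.Errorf("certificate not trusted: %w", err) }
	// Bind the certificate to the authenticating client before trusting its key.
	if leaf.Subject.CommonName != clientID { return nil, errors.New("certificate subject does not match client_id") }
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, errors.New("certificate key is not RSA") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, errors.New("malformed signature") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, errors.New("invalid JWT signature") }
	var claims jwtClaims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil { return nil, errors.New("malformed claims") }
	if claims.Iss != clientID || claims.Sub != clientID || claims.Aud != tokenEndpoint { return nil, errors.New("iss, sub or aud mismatch") }
	if claims.Exp <= now.Unix() || claims.Jti == "" { return nil, errors.New("assertion expired or missing jti") }
	return &claims, nil
}

// BuildDemoAssertion makes a self-signed certificate for clientID, returns it as the only
// trusted root and signs a private_key_jwt carrying it in x5c (constructed test input).
func BuildDemoAssertion(clientID, tokenEndpoint string, now time.Time, exp int64) (string, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return "", nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: clientID},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return "", nil, err }
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	hdr, _ := json.Marshal(jwtHeader{Alg: "RS256", X5c: []string{base64.StdEncoding.EncodeToString(der)}})
	body, _ := json.Marshal(jwtClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Exp: exp, Jti: "Eefaevo0"})
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64url(sig), roots, err
}

func main() {
	now := time.Now()
	assertion, roots, _ := BuildDemoAssertion("oe7aiz60", "https://demo.c2id.com/token", now, now.Add(5*time.Minute).Unix())
	claims, err := VerifyPrivateKeyJWT(assertion, "oe7aiz60", "https://demo.c2id.com/token", roots, now)
	fmt.Printf("%+v %v\n", claims, err)
}
```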

Plugin interface for client authentication events

Another new plugin interface (SPI) that arrives in this release is for intercepting client authentication success and error events. Identity providers and authorisation servers can now create plugins for custom logging, auditing and reporting of client authentications, in real time.

public class MyPlugin implements ClientAuthenticationInterceptor {

    @Override
    public void interceptSuccess(
        final ClientAuthentication clientAuth,
        final ClientAuthenticationContext ctx)
            throws InvalidClientException {

        // do something on client auth success...
        // throwing InvalidClientException here rejects the authentication
    }

    @Override
    public void interceptError(
        final ClientAuthentication clientAuth,
        final InvalidClientException exception,
        final ClientAuthenticationContext ctx) {

        // do something on client auth error...
    }
}

Client authentications accepted by the Connect2id server can be subjected to additional checks and potentially rejected with an invalid_client error if they shouldn't proceed due to some custom rule or policy.

client_auth_id

Every incoming client authentication, at the token endpoint or elsewhere, is now tagged with a unique client_auth_id. This identifier will appear in the Connect2id server log messages, in the plugin invocation contexts related to client authentication, and in the HTTP 401 error responses if the client authentication failed.

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error"             : "invalid_client",
  "error_description" : "Invalid client: Possible causes may be missing /
                         invalid client_id, missing client authentication,
                         invalid or expired client secret, invalid or expired
                         JWT authentication, invalid or expired client X.509
                         certificate, or an unexpected client authentication
                         method",
  "client_auth_id"    : "cgXB4EyYViWPt6g2"
}

The client_auth_id and how to use it to debug or report client authentications is explained here.

Web-based handler plugin for the OAuth 2.0 client credentials grant

The c2id.war now packs a plugin (disabled by default) for delegating the authorisation logic for OAuth 2.0 client credentials grant handling to a web-hook.

The web API resembles the one for the existing web-based handler of OAuth 2.0 password grant.

Download 12.12

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.12: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 343efc3e1c4214ca93b854a5beb3935a29397d5cf9b3d86484c0ebd4b6e21703

Connect2id server 12.12 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: feadd400abe9c9516de2490af39d5070c81d26c32fbd64e15f2f706415e909af

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.12: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4114b573604979badf3c537e00f553a273dfa8abf554a88552003a891d41fc80

Connect2id server 12.12 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: ddaf350a3c6087e61a2387db7293d2b5db5d079b0bfc95d8e0394663bacb5f42

Release notes

12.12 (2022-06-03)

Summary

  • New plugin interface (Service Provider Interface, or SPI) for accepting qualified X.509 certificates to verify the digital signature in private_key_jwt client authentications.

  • New plugin interface (SPI) for intercepting client authentication success and failure events at all Connect2id server endpoints where client authentication occurs. Can be used for logging, reporting, audit, debugging and other purposes.

  • Introduces a secure random 12 byte "client_auth_id" to identify each individual client authentication performed by the Connect2id server in log messages, OAuth 2.0 invalid_client errors and calls to SPIs like the new private key JWT certificate verifier and the client authentication interceptor.

  • Includes a web-based handler plugin for the OAuth 2.0 client credentials grant, implementing the ClientCredentialsGrantHandler SPI from the Connect2id server SDK. This handler is not compatible with the multi-tenant edition of the Connect2id server. Disabled by default. The default client credentials handler remains the existing local one (com.nimbusds:oauth-client-grant-handler:2.0.2).

Web API

  • /token

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.

  • /token/introspect

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.

  • /token/revoke

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.

  • /par

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.

Configuration

  • /WEB-INF/clientGrantHandlerWebAPI.properties -- New configuration file for the client credentials grant handler plugin that delegates processing of the grant authorisation to a web-service. The configuration properties can be overridden or set with Java system properties.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.44

    • com.nimbusds.openid.connect.provider.spi.clientauth.PrivateKeyJWTCertificateVerifier -- New SPI for verifying an X.509 certificate (x5c) in private_key_jwt client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates and without a prior client JWK set registration (via the "jwks" or "jwks_uri" client metadata parameters).

      The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate for the private_key_jwt, based on the client's registered metadata or other criteria.

      A client can place the certificate in the private_key_jwt "x5c" header. Alternatively, the certificate can be put in the "x5c" parameter of a matching public JWK and have the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter.

      Implementations must be thread-safe.

    • com.nimbusds.openid.connect.provider.spi.clientauth.ClientAuthenticationInterceptor -- New SPI for intercepting successful and failed client authentications at all Connect2id server endpoints where client authentication occurs, such as the token, token introspection, token revocation and pushed authorisation request (PAR) endpoints. Successful client authentications can be subjected to additional checks and rejected with an OAuth 2.0 invalid_client error.

      Implementations must be thread-safe. Interceptors that create events should use a separate thread for blocking operations.
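The certificate-based private_key_jwt flow that the PrivateKeyJWTCertificateVerifier SPI enables, as an added example that is not Connect2id code and does not implement the SDK interface: the client attaches its certificate in the "x5c" JWS header, and the server chains that certificate to a trust store before it verifies the signature with the leaf key and checks the claims. The method names, the RS256 choice, the OpenSSL trust store argument and the token endpoint URL are assumptions; no replay cache for "jti" is shown.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Client side (assumed helper): assertion signed with the client's private key, certificate chain in x5c.
def build_private_key_jwt(client_id, token_endpoint, key, cert_chain, ttl = 60)
  enc = ->(obj) { Base64.urlsafe_encode64(JSON.generate(obj), padding: false) }
  header = { alg: 'RS256', typ: 'JWT', x5c: cert_chain.map { |c| Base64.strict_encode64(c.to_der) } }
  claims = { iss: client_id, sub: client_id, aud: token_endpoint, jti: SecureRandom.hex(16), exp: Time.now.to_i + ttl }
  input = "#{enc.call(header)}.#{enc.call(claims)}"
  "#{input}.#{Base64.urlsafe_encode64(key.sign(OpenSSL::Digest.new('SHA256'), input), padding: false)}"
end

# Server side (assumed helper): validates an RS256 private_key_jwt whose "x5c" header carries the
# client's certificate chain (leaf first, standard base64 DER, RFC 7515 section 4.1.6). The chain must
# lead to a root in +store+, the leaf key must verify the signature, and the claims must bind the
# assertion to this client_id and token endpoint. Returns the claims, or raises with the rejection reason.
def verify_private_key_jwt(assertion, store, client_id, token_endpoint, now = Time.now)
  h, c, s = assertion.split('.')
  raise 'malformed JWT' unless s && assertion.count('.') == 2
  header = JSON.parse(Base64.urlsafe_decode64(h))
  x5c = header['x5c']
  raise 'alg must be RS256 with an x5c chain' unless header['alg'] == 'RS256' && x5c.is_a?(Array) && !x5c.empty?
  leaf, *intermediates = x5c.map { |der| OpenSSL::X509::Certificate.new(Base64.strict_decode64(der)) }
  store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT # leaf must be usable for client authentication
  store.time = now
  raise "x5c chain not trusted: #{store.error_string}" unless store.verify(leaf, intermediates)
  pub = leaf.public_key
  raise 'leaf key must be RSA for RS256' unless pub.is_a?(OpenSSL::PKey::RSA)
  sig = Base64.urlsafe_decode64(s)
  raise 'invalid signature' unless pub.verify(OpenSSL::Digest.new('SHA256'), sig, "#{h}.#{c}")
  claims = JSON.parse(Base64.urlsafe_decode64(c))
  raise 'iss and sub must equal client_id' unless claims['iss'] == client_id && claims['sub'] == client_id
  raise 'aud must be the token endpoint' unless Array(claims['aud']).include?(token_endpoint)
  raise 'exp missing or in the past' unless claims['exp'].is_a?(Integer) && now.to_i < claims['exp']
  raise 'jti required for replay detection' unless claims['jti'].is_a?(String) && !claims['jti'].empty?
  claims
end
```

A policy such as the one the SPI describes (only selected clients may or must present a certificate) sits in front of this check, keyed on the client's registered metadata.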

Resolved issues

  • Fixes an HTTP 500 Internal Server Error on a token revocation request with client authentication where the client_id resolves to an invalid client registration (issue server/760).

  • The message OP0131 ("Couldn't determine Connect2id server local host") should be logged at WARN level, not ERROR (issue server/759).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.44

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.37.2

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.23

  • Updates to Infinispan 9.4.24

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.5

  • Updates to com.nimbusds:oauth-password-grant-web-api:1.5

  • Updates to com.nimbusds:oauth-client-grant-handler:2.0.2

  • Adds com.nimbusds:oauth-client-grant-web-api:1.4

Connect2id server 12.11

This is a mini update to give Connect2id server deployments simple and precise control over the splash / landing page that is displayed when the configured issuer URL is opened in a browser. A new op.splashPage configuration property lets deployments choose between the current default splash page, a blank page, a redirection to the OpenID provider metadata, or to some other URL.

Example configuration to redirect HTTP requests to the issuer URL to the OpenID provider metadata:

op.splashPage=urn:c2id:splash_page:op_metadata

To redirect to some other URL:

op.splashPage=https://example.com

To show a blank page:

op.splashPage=urn:c2id:splash_page:blank

This release also fixes two issues. You can find more information in the release notes below.

Download 12.11

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.11: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: b3bd5cc5011c0cc31fe3465cbc6137da0e113a9185b88bff0acfa0b83f1d90f6

Connect2id server 12.11 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ac0537550ead4e4b6e409d34b95e98b10b84ff1a1f0fb2d47548e5d09378172b

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.11: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4aa967b1d02b7e748d57570922a119e8da23985ec8c447bb84e97f20cb439a07

Connect2id server 12.11 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 6cbab334668f3a6ac863ec177b7be8bdd7f5171e496748a9e91cdaef5ee42b90

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.11 (2022-05-22)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.splashPage -- New configuration property for the splash page to display at the Connect2id server issuer URL (op.issuer).

      Supported values:

      • urn:c2id:splash_page:default -- The default splash page, an HTML page showing the Connect2id server version, a list of the available endpoints and links to public online documentation.
      • urn:c2id:splash_page:blank -- A blank page.
      • urn:c2id:splash_page:op_metadata -- Redirects (HTTP 301) to the OpenID provider metadata at /.well-known/openid-configuration.
      • https or http URL -- Redirects (HTTP 301) to the specified HTTPS or HTTP URL.

Resolved issues

  • Fixes a bug in the handling of the subject session "auth_life" property (for values > 0) in the authorisation session web API. The property determines when the authentication lifetime (in minutes) of a session expires and the subject (end-user) must be re-authenticated within the same session (issue server/756).

  • Adds custom static error pages for 404, 405 and other HTTP status codes handled by the Servlet container to hide the Servlet container version and other potentially sensitive information (issue server/745).