Key takeaways from the OAuth security workshop in Zürich

Posted on 2017-07-21

The 2017 OAuth Security Workshop at the ETH in Zürich was packed with useful talks. Here are the key takeaways.

Best practices for native OAuth apps

Check out the best practices for OAuth apps, presented by John Bradley and William Denniss. The slides are based on the formal BCP document that is being edited by the OAuth WG.

Are you developing native apps that require OAuth? The AppAuth libraries developed by the great community at OpenID support Android, iOS as well as NativeJS.

John also updated us on the upcoming SafariViewController changes in iOS 11 and that we’ll have to rely on SFAuthenticationSession instead, in order to achieve SSO between apps and the system browser.

OAuth for JavaScript apps

Jacob Ideskog presented a nice framework for simplifying OAuth and OpenID Connect integration in JavaScript apps. The app can obtain the tokens it needs by simply posting a message to an iframe loaded from the authorisation server / IdP.

OAuth is becoming the new "password"

The proliferation of OAuth 2.0 applications, even to areas like finance, means we must take greater care to secure tokens through their entire lifecycle — how they are obtained, relayed and consumed. Deployments are also becoming more dynamic. This means the basic OAuth 2.0 framework (RFC 6749) published in 2012 is no longer adequate. Security must be enhanced, across the board.

We need more science, i.e. formal analysis, in protocol design

The design of security protocols, like TLS, has been treated like art for a long time. But that’s not good enough. We need more science, meaning formal analysis, to be confident that the desired security properties of the protocols we craft are actually met, and critical bits don’t get overlooked.

  • David Basin from the ETH demonstrated the power of formal analysis tools, used for example, to uncover a terrible security omission in the ISO/IEC 9798 protocol.

  • Cas Cremers made a reassuring presentation that formal analysis has been taken up by the TLS 1.3 working group, to good effect. The security of the whole Internet relies on TLS, so we must seek to have total confidence in the protocol.

  • Daniel Fett, Ralf Kuesters, and Guido Schmitz from Uni Stuttgart presented their in-depth analysis of OpenID Connect and the conclusion that within their formal model, the protocol is secure. This is great news!

Crypto: Validate all EC keys that you deal with

Antonio Sanso presented the invalid curve attack and how it can lead to JWE ECDH exploits. The lesson: Always validate the curves of EC keys you’re dealing with. In the Nimbus JOSE+JWT library we now perform these validations at EC JWK construction time, even before any crypto operations are attempted with them.
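What such a construction-time check looks like, as an added example that is not code from the Nimbus JOSE+JWT library: the public point (x, y) carried in an EC JWK is tested against the equation of the curve it declares before the key is used anywhere. A point that fails the test lies on some other curve of the same shape, which is the precondition of the invalid curve attack. The example tables only P-256 (an assumption for brevity; a real implementation would carry every curve it accepts) and uses plain integer arithmetic so it runs with the standard library alone.

```python
"""Validate that an EC public key lies on the curve it declares.

Added illustration; not code from the Nimbus JOSE+JWT library. Only P-256
is tabled here (assumption: a real implementation carries every curve it
accepts).
"""
import base64

# NIST P-256 (secp256r1): y^2 = x^3 + a*x + b over GF(p), with a = p - 3
CURVES = {
    "P-256": {
        "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
        "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
        "coord_len": 32,  # each JWK coordinate is a fixed 32-byte big-endian integer
    },
}


def is_on_curve(x: int, y: int, crv: str) -> bool:
    """True iff (x, y) is an affine point on the named curve.

    A point that fails this check satisfies y^2 = x^3 + a*x + b' for some
    other b' and may have small order on that curve, which is exactly what an
    unchecked ECDH would leak the private key through.
    """
    params = CURVES[crv]
    p, a, b = params["p"], params["a"], params["b"]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def int_to_b64url(value: int, length: int) -> str:
    """Encode an integer as a fixed-width base64url JWK coordinate."""
    raw = value.to_bytes(length, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_ec_jwk(jwk: dict) -> None:
    """Raise ValueError unless the JWK's public point is on its declared curve.

    Meant to run when the key object is constructed, so that no ECDH or
    signature routine ever sees an unchecked point.
    """
    if jwk.get("kty") != "EC":
        raise ValueError("not an EC key")
    crv = jwk.get("crv")
    if crv not in CURVES:
        raise ValueError(f"unsupported or unknown curve: {crv!r}")
    coord_len = CURVES[crv]["coord_len"]
    coords = []
    for name in ("x", "y"):
        enc = jwk.get(name)
        if not isinstance(enc, str):
            raise ValueError(f"missing coordinate {name!r}")
        raw = _b64url_decode(enc)  # binascii.Error is a ValueError subclass
        if len(raw) != coord_len:  # wrong width is a malformed key: reject, do not pad
            raise ValueError(f"coordinate {name!r} has {len(raw)} bytes, expected {coord_len}")
        coords.append(int.from_bytes(raw, "big"))
    x, y = coords
    if not is_on_curve(x, y, crv):
        raise ValueError("public point is not on the declared curve")


def is_valid_ec_jwk(jwk: dict) -> bool:
    """Boolean form of validate_ec_jwk for callers that only want a verdict."""
    try:
        validate_ec_jwk(jwk)
        return True
    except ValueError:
        return False
```

The width check matters as much as the equation: a coordinate of the wrong length is a malformed key, and silently left-padding it would hide encoding bugs in the sender that a strict parser should surface.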

Json2Ldap 3.1

Posted on 2017-07-20

The Json2Ldap web service for working with LDAP directories received several updates under the hood. Most notably, logging was upgraded to Log4j 2. This means that logging can now be reconfigured on the fly, with zero service downtime, and its I/O performance is sped up too.

Note that Log4j 2 requires a new configuration file.

Check the release notes below for details.

Release Notes

version 3.1 (2017-07-20)

  • Switches to Log4j 2 logging, which is now configured by /WEB-INF/log4j.xml.
  • Refactoring and clean up of source code.
  • Upgrades Apache Commons Codec to 1.10.
  • Upgrades NimbusDS Common to 1.108.1.
  • Upgrades CORS Filter to 2.5.
  • Upgrades Property Utils to 1.10.
  • Upgrades JSON Smart to 1.3.1.
  • Upgrades JSON-RPC 2.0 Base to 1.38.
  • Upgrades JSON-RPC 2.0 Server to 1.11.
  • Upgrades JSON-RPC 2.0 Access Filter to 1.5.1.
  • Upgrades Nimbus SRP 6a to 2.0.2.
  • Upgrades UnboundID LDAP SDK to 3.2.1.
  • Upgrades Log4j to 2.8.2.

Aggregated and distributed OpenID claims support in Connect2id server 6.11

Posted on 2017-07-08

Relaying OpenID claims from other providers

The primary purpose of an OpenID Connect provider is to authenticate users for client applications; the secondary one is provisioning claims (attributes) about users. Normally these claims are asserted directly by the OpenID provider, from locally stored and managed user data.

An OpenID provider, however, can also relay claims from other providers:

  • As aggregated claims — by passing the external claims in a JWT signed by their provider; the client can check the claims’ origin by validating the JWT signature.

  • As distributed claims — by supplying the client with the endpoint URL of the external claims provider where it can fetch the claims by itself, using a bearer access token.

Example UserInfo endpoint response which includes aggregated claims besides the normal ones; the client can obtain the email and email_verified claims supplied by email-provider from the JWT:

{
  "sub"            : "alice",
  "name"           : "Alice Adams",
  "_claim_names"   : { "email"          : "email-provider",
                       "email_verified" : "email-provider"  },
  "_claim_sources" : { "email-provider" : { "JWT" : "eyooweeSh7..." } }
}

Example UserInfo response which includes distributed claims:

{
  "sub"            : "alice",
  "_claim_names"   : { "credit_score" : "credit-score-provider" },
  "_claim_sources" : { "credit-score-provider" : {
                           "endpoint"     : "",
                           "access_token" : "sheeFei5Ute5oor0" } }
}

The client app can then fetch the user’s credit score with an HTTP request like this:

GET /claims HTTP/1.1
Authorization: Bearer sheeFei5Ute5oor0

The claim(s) will be returned in a JSON object, or packaged in a JWT, just like regular UserInfo responses.
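How a client can consume such a response, resolving both aggregated and distributed claims from the two examples above, as an added example that is not Connect2id server or SDK code. It assumes an HS256 JWT under a constructed shared secret so the aggregated path runs offline (a real client would verify the external provider's RS/ES signature with its published JWK), and it takes the distributed-claims fetch as an injected callable standing in for the bearer-token GET shown above. All sample values, including the endpoint URL, are constructed.

```python
"""Resolve aggregated and distributed claims from a UserInfo response.

Added illustration; not Connect2id server or SDK code. Assumptions: the
aggregated JWT is HS256 under a constructed shared secret, and the
distributed-claims fetch is an injected callable rather than an HTTP client.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact JWS; stands in for the external provider's signer."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the signature verifies under the expected alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # the key decides the algorithm, never the token
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(b))


# (endpoint URL, bearer token or None) -> claims JSON object
Fetcher = Callable[[str, Optional[str]], dict]


def resolve_claims(userinfo: dict, jwt_keys: Dict[str, bytes], fetch: Fetcher) -> dict:
    """Merge direct claims with the external ones announced in _claim_names.

    jwt_keys maps an aggregated source name to the key that verifies its JWT.
    Only claims announced in _claim_names are taken from a source, and a
    source may not override a claim the provider asserted directly (a
    defensive choice here, not a spec requirement).
    """
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    resolved = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    by_source = {}
    for claim, src in names.items():
        by_source.setdefault(src, []).append(claim)
    for src, wanted in by_source.items():
        desc = sources.get(src)
        if desc is None:
            raise ValueError(f"_claim_names points at undeclared source {src!r}")
        if "JWT" in desc:  # aggregated: claims travel in a JWT signed by their provider
            if src not in jwt_keys:
                raise ValueError(f"no verification key for aggregated source {src!r}")
            external = verify_hs256(desc["JWT"], jwt_keys[src])
        elif "endpoint" in desc:  # distributed: fetch from the provider with the bearer token
            if urlparse(desc["endpoint"]).scheme != "https":
                raise ValueError(f"distributed endpoint for {src!r} is not https")
            external = fetch(desc["endpoint"], desc.get("access_token"))
        else:
            raise ValueError(f"source {src!r} has neither JWT nor endpoint")
        for claim in wanted:
            if claim not in external:
                raise ValueError(f"source {src!r} did not supply {claim!r}")
            if claim in resolved:
                raise ValueError(f"source {src!r} tries to override direct claim {claim!r}")
            resolved[claim] = external[claim]
    return resolved


# Constructed sample mirroring the two UserInfo responses above
EMAIL_PROVIDER_KEY = b"constructed-shared-secret-for-email-provider"
CREDIT_ENDPOINT = "https://credit-score-provider.example/claims"  # constructed URL
CREDIT_TOKEN = "sheeFei5Ute5oor0"
SAMPLE_USERINFO = {
    "sub": "alice",
    "name": "Alice Adams",
    "_claim_names": {"email": "email-provider", "email_verified": "email-provider",
                     "credit_score": "credit-score-provider"},
    "_claim_sources": {
        "email-provider": {"JWT": sign_hs256(
            {"iss": "https://email-provider.example", "sub": "alice",
             "email": "alice@example.com", "email_verified": True}, EMAIL_PROVIDER_KEY)},
        "credit-score-provider": {"endpoint": CREDIT_ENDPOINT, "access_token": CREDIT_TOKEN},
    },
}


def fake_fetch(endpoint: str, access_token: Optional[str]) -> dict:
    """Stand-in for GET /claims with 'Authorization: Bearer <token>'."""
    if endpoint == CREDIT_ENDPOINT and access_token == CREDIT_TOKEN:
        return {"credit_score": 780}
    raise ValueError("unauthorized")


def demo() -> dict:
    return resolve_claims(SAMPLE_USERINFO, {"email-provider": EMAIL_PROVIDER_KEY}, fake_fetch)
```

Two details carry the security weight: the verification key is selected by the source name the provider declared, never by anything inside the token, and only the claim names the provider announced are copied out of the external result, so a third party cannot smuggle extra or overriding claims into the merged set.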

Relaying external claims with the Connect2id server

The new 6.11 release of the Connect2id server adds support for relaying external claims. To do that, create a connector for each external claims provider, using the existing ClaimsSource SPI.

Check out the following guides to find out how:


To download a ZIP package of Connect2id server 6.11:

(SHA-256: 80a8dc1d2cce3a080228c2ce6b256f9c940da4ea9bf58a3be3d1fb788c8854db)

As WAR package only:

(SHA-256: 2813a32cb7b540284a095b5c0264ed75e7e0c12d34dafbedce842bdd90a76c89)


Get in touch with Connect2id support.

Release notes

6.11 (2017-07-08)


  • Adds support for sourcing external aggregated and distributed OpenID claims, as specified in OpenID Connect Core 1.0, section 5.6.2. External claims can be set via the existing ClaimsSource SPI available in the Connect2id server SDK (com.nimbusds:c2id-server-sdk:3.10.1).


  • No changes


  • No changes


  • None


  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.30