Connect2id server 14.8.3
This Connect2id server release fixes a bug in the SQL connector that was introduced in v14.8.1 last week. Connect2id server 14.8.* deployments are encouraged to upgrade to this release.
More information is available in the release notes below.
Download 14.8.3
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.8.3: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: b02d2d0bb9a3af71d887fddf51748fdfef8b3196d2a46efb37820402a99ba5e1
Connect2id server 14.8.3 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: f311f7f871c49c5d2e10ac72bdce615da9f187e5a4a8fae9c688f7fdfc595981
Multi-tenant edition
Apache Tomcat package with Connect2id server 14.8.3: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: b1de2efc8c26da1b178bc4c0699597da5fcded48f319204f1f991608226ffce7
Connect2id server 14.8.3 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: dc9247aa06deb0d530de5b74e066e23ecd9a72d13f70a1e4f7c2117cbb67bf5d
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.8.3 (2023-11-08)
Resolved issues
- Fixes a bug introduced in v14.8.1 that affects Connect2id server deployments with an SQL database. The bug resulted in repeat duplicate SQL delete queries when purging expired records in the database, causing excessive slowdown of the purge task in SQL tables with many expired records, such as records for subject sessions (issue server/938, sql-store/25).
- The *.sqlStore.deleteTimer metrics must include SQL delete queries performed as part of purges of expired records (issue sql-store/26).
Dependency changes
Updates to com.nimbusds:oauth2-authz-store:24.7.2
Updates to com.nimbusds:oidc-session-store:16.7.4
Updates to com.nimbusds:infinispan-cachestore-sql:7.1.1
Connect2id server 14.8.2
This second Connect2id server release for today fixes an issue in v14.8.1 with the Log4j Web 2.21.1 BOM that introduced an erroneous transitive dependency to two Spring artifacts. The erroneous dependency is now removed and we'll make a report upstream.
As always, more information can be found in the release notes below.
Download 14.8.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.8.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: d76f0d31096f495b0861ba9e79b8905d70ba2ef1b6571b9f17a8e6b305963620
Connect2id server 14.8.2 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 43e5667e20ed952395bce8ece3c50d4fb359976a499cdd68d7bcb7d4a7cac419
Multi-tenant edition
Apache Tomcat package with Connect2id server 14.8.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 2959666e0cc7ea55311c962650d7008511f191de4024dda8de6ac05257bf2b61
Connect2id server 14.8.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 3390a7eb98c809d5ade60d23d47aa4bae858f2dfaa6a7514b98bc52fffd8068f
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.8.2 (2023-11-02)
Resolved issues
- Forces removal of the org.springframework:spring-test dependency erroneously introduced as compile scope dependency of org.apache.logging.log4j:log4j-web:2.21.1 (issue server/936).
Dependency changes
- Forces removal of org.springframework:spring-test
Connect2id server 14.8.1
This maintenance release of the Connect2id server addresses issues related to the SQL database connector, which is now optimised to conserve memory when purging expired entries. An issue slowing down the server startup with Oracle Databases is also fixed. If you have a deployment that uses an SQL database and deals with significant traffic, updating to 14.8.1 is recommended.
Updating to 14.8.1 can be skipped if you have a Connect2id server deployment that uses DynamoDB.
More information can be found in the release notes below.
Download 14.8.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.8.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: cac7e644f028f5ca84e100c9ae402d0ca3e8bd86fce598c9731798827a1108b0
Connect2id server 14.8.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: bbdda0f1ecb5c5af003b8d3efe31e775cc32ebff537882ed7b2e3e65f89cc529
Multi-tenant edition
Apache Tomcat package with Connect2id server 14.8.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 16f12425588d4bbb13f19cf48943593c3e40fa258be08c8711535853f94202c3
Connect2id server 14.8.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: f83af6cbc94e539368695f2e2da47fb500b32ba3a19688439db2c594adc2ca49
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.8.1 (2023-11-02)
Resolved issues
- Updates the expired entry reaper for Connect2id server deployments with an SQL database to conserve memory by employing paged key set seek, in sets of up to 100 SQL records, and interleaving the record deletion between the pages. Intended to prevent OOM errors in deployments with a very large number of sessions and other expiring objects (issue server/935).
- Optimises the dataSource.createTableIfMissing implementation for Oracle Databases when the queried table has a very large number of records, which caused Connect2id server startup to pause for longer than 1 minute. The issue is addressed by switching from LIMIT 0 to LIMIT 1 in the query to obtain the table's column names (issue server/933).
- The expired entry reaper in Connect2id server deployments with an SQL database must not terminate when an unchecked parse or another exception is thrown while parsing a retrieved SQL record. This may occur with SQL records manipulated outside the Connect2id server APIs. Instead, the exception must be swallowed and an error with the offending SQL record logged. This is now done with an IS0141 log error (issue sql-store/23).
- Fixes the default value and parsing of the optional sessions form parameter of the /session-store/rest/v2/purge resource (issue session-store/95).
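The paged key set purge described in the first item above, written out as an added illustration (this is not Connect2id server or infinispan-cachestore-sql code). It uses an in-memory SQLite table with constructed rows; the table name, the id and expiry columns and the page size of 100 are assumptions taken from the description. The function also counts the statements it runs, so a reader can confirm that every page of expired keys is deleted with exactly one delete statement and that deleting between pages does not make the key set seek skip or revisit records, which is the property the 14.8.3 fix for repeat delete queries restores.

```python
import sqlite3
from typing import List, Tuple

PAGE_SIZE = 100  # the release notes describe pages of up to 100 records


def make_store(rows: List[Tuple[str, int]]) -> sqlite3.Connection:
    """Create a constructed sample table: id (text key), expiry (epoch seconds).
    The layout is an assumption for this illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (id TEXT PRIMARY KEY, expiry INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO entries (id, expiry) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def purge_expired(conn: sqlite3.Connection, now: int) -> Tuple[int, int]:
    """Delete expired rows one page at a time. Returns (rows_deleted, statements_run).

    Key set seek ("id > last_id ORDER BY id LIMIT n") holds at most one page of
    keys in memory and, unlike OFFSET paging, stays correct while rows are being
    deleted between pages, because the cursor is the last key seen rather than a
    row position that shifts as rows disappear."""
    deleted = 0
    statements = 0
    last_id = ""  # every text key sorts after the empty string
    while True:
        page = conn.execute(
            "SELECT id FROM entries WHERE expiry <= ? AND id > ? "
            "ORDER BY id LIMIT ?",
            (now, last_id, PAGE_SIZE),
        ).fetchall()
        statements += 1
        if not page:
            break
        ids = [row[0] for row in page]
        # Placeholders are generated, not user data, so the f-string is safe here.
        placeholders = ",".join("?" * len(ids))
        cur = conn.execute(f"DELETE FROM entries WHERE id IN ({placeholders})", ids)
        statements += 1
        deleted += cur.rowcount
        last_id = ids[-1]  # seek past this page; deleted keys never reappear
    conn.commit()
    return deleted, statements


if __name__ == "__main__":
    # Constructed data: 250 expired rows and 50 live ones, purged at "now" = 500.
    sample = [(f"k{i:05d}", 100 if i < 250 else 999) for i in range(300)]
    db = make_store(sample)
    print(purge_expired(db, now=500))  # (250, 7): 4 selects + 3 deletes
```

Each page costs one select and one delete; the final select that returns no rows ends the loop. If the same keys were deleted again on a later pass, the statement count would grow without the deleted count changing, which is the symptom the 14.8.3 notes describe.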
Dependency changes
Updates to com.nimbusds:oauth2-authz-store:24.7.1
Updates to com.nimbusds:oidc-session-store:16.7.3
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.1
Updates to Log4j 2.21.1
Updates to Dropwizard Metrics 4.2.20.
Connect2id server 14.8 enables client_secret_jwt and private_key_jwt replay prevention
This Connect2id server release receives the capability to prevent replay of JWTs for the client_secret_jwt and private_key_jwt client authentication methods.
The replay prevention relies on the optional jti (JWT ID) claim, which when included must be a unique string. Without a jti, JWTs using a deterministic JWS algorithm, such as HMAC, that expire at the same second cannot be reliably distinguished. For authentication JWTs that have this identifier the Connect2id server will cache its hash until the JWT's exp and use that record to prevent replay. This means that for replay prevention to work an OAuth 2.0 client must include a unique jti in its authentication JWTs. Clients using the Nimbus OAuth 2.0 SDK always receive these tokens with a random 256-bit jti.
In Connect2id server deployments where caching of jti hashes for every received client_secret_jwt and private_key_jwt is not feasible, this security feature can be disabled.
The amount of storage required for the jti caching can be regulated by configuring the Connect2id server to reject authentication JWTs with an exp that is too far ahead.
Example configuration to reject authentication JWTs that are more than 60 seconds ahead of the current system time:
op.token.authJWTExpMaxAhead=60
Offending OAuth 2.0 clients will receive a standard invalid_client error and must reduce their exp time to fit the server's policy.
Regardless of this configuration, to prevent accidental or malicious DoS, the Connect2id server will never cache a jti for more than 5 minutes.
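The policy described above, modelled as an added illustration (this is not Connect2id server code and does not use its APIs): a cache of jti hashes that rejects a replayed assertion, rejects an exp further ahead than the configured limit, and never retains a record for more than 5 minutes. The class and method names are assumptions; the exp-ahead range of 10 to 600 seconds and the 5-minute cap come from the release notes. The final assertion in the usage walk-through shows the trade-off the cap implies: an assertion whose exp lies more than 5 minutes out can be presented again once its record has been dropped, which is why bounding exp with op.token.authJWTExpMaxAhead matters.

```python
import hashlib
import time
from typing import Dict, Optional

# Hard cap from the text: a jti record is never kept for more than 5 minutes.
MAX_CACHE_SECONDS = 300


class AuthJWTReplayCache:
    """Hypothetical model of the jti-based replay check for client_secret_jwt
    and private_key_jwt assertions (illustration, not Connect2id server code)."""

    def __init__(self, exp_max_ahead: int = -1):
        # Models op.token.authJWTExpMaxAhead: <= 0 disables the check; when
        # enabled, the notes state the value must be between 10 and 600 seconds.
        if exp_max_ahead > 0 and not 10 <= exp_max_ahead <= 600:
            raise ValueError("authJWTExpMaxAhead must be between 10 and 600 seconds")
        self.exp_max_ahead = exp_max_ahead
        # sha256(jti) -> epoch second after which the record may be dropped
        self._seen: Dict[str, float] = {}

    @staticmethod
    def _hash(jti: str) -> str:
        # Only a hash of the jti is retained, as the text describes.
        return hashlib.sha256(jti.encode("utf-8")).hexdigest()

    def _evict(self, now: float) -> None:
        # Records past their retention time can no longer match a live JWT.
        for h in [h for h, until in self._seen.items() if until <= now]:
            del self._seen[h]

    def check(self, jti: Optional[str], exp: int, now: Optional[float] = None) -> str:
        """Return "ok" when the assertion is accepted, else "invalid_client".

        An assertion without a jti is accepted but cannot be protected against
        replay, which is the limitation the text points out."""
        now = time.time() if now is None else now
        self._evict(now)
        if exp <= now:
            return "invalid_client"  # already expired (standard JWT validation)
        if self.exp_max_ahead > 0 and exp - now > self.exp_max_ahead:
            return "invalid_client"  # exp further ahead than the policy allows
        if jti is None:
            return "ok"
        h = self._hash(jti)
        if h in self._seen:
            return "invalid_client"  # replayed assertion
        # Keep the record until exp, but never longer than the 5-minute cap.
        self._seen[h] = min(exp, now + MAX_CACHE_SECONDS)
        return "ok"

    def cached_count(self) -> int:
        return len(self._seen)


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is deterministic.
    cache = AuthJWTReplayCache(exp_max_ahead=60)
    print(cache.check("jti-1", exp=1030, now=1000))  # ok
    print(cache.check("jti-1", exp=1030, now=1001))  # invalid_client (replay)
    print(cache.check("jti-2", exp=1100, now=1000))  # invalid_client (exp too far ahead)
    uncapped = AuthJWTReplayCache()  # exp-ahead check disabled
    print(uncapped.check("jti-3", exp=2000, now=1000))  # ok, record kept until 1300
    print(uncapped.check("jti-3", exp=2000, now=1301))  # ok again: record already dropped
```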
This Connect2id server release also updates the available configuration properties for deployments with a PostgreSQL database, which now support the setting of a database schema (namespace).
Download 14.8
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.8: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: c768514ccb0dc1847866c7eb4ff7316d2aab35c32ee37f4cbfc41d1255d39d29
Connect2id server 14.8 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 946b23ef1d6be563c75faea931b41f33e1e29920ba4016f4bc908413d862e655
Multi-tenant edition
Apache Tomcat package with Connect2id server 14.8: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 4d56948a8c2984f52461f32617613269a0dc15557b08740f65fdbdc4dc5923a3
Connect2id server 14.8 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: e83af7de9192370ff8fcbb4ea1db0791707c1f52eea99246f0c9071436a6a358
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.8 (2023-10-20)
Summary
Implements configurable replay prevention of "client_secret_jwt" and "private_key_jwt" client authentication JWT assertions based on the optional JWT ID ("jti") claim. The implementation is based on the new expended token registry introduced in Connect2id server 14.0.
Updates the PostgreSQL configuration to enable setting of a JDBC "schema" parameter. Intended for Connect2id server deployments that want to use a database schema other than the default "public".
Configuration
/WEB-INF/oidcProvider.properties
- op.token.authJWTPreventReplay -- New optional configuration property. If true, replay of "client_secret_jwt" and "private_key_jwt" client assertions will be prevented, by caching the JWT "jti" claim for the duration of the assertion lifetime but no longer than 5 minutes. The default value is true.
- op.token.authJWTExpMaxAhead -- New optional configuration property. Sets the maximum allowed number of seconds of the expiration time (exp) claim in "client_secret_jwt" and "private_key_jwt" client assertions ahead of the current time. Assertions with a longer expiration time will be rejected with an invalid_client error. If zero or negative this check is disabled. When enabled the value must be between 10 and 600 seconds. The default value is -1 (disabled).
/WEB-INF/infinispan-*-postgres95.xml
- dataSource.databaseSchema -- New optional Java system property to set the PostgreSQL schema to use. Corresponds to the HikariCP "schema" configuration property. The default value is empty (implies the default "public" PostgreSQL schema).
Web API
/par
- Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.
/token
- Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.
/token/introspect
- Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.
Resolved issues
Updates the authz-session log INFO "OP2101" and "OP2103" messages to include the current issuer URL when issuer aliasing is enabled (issue server/925).
Updates the authz-session log DEBUG "OP2130" and WARN "OP2131", "OP2132" messages to include the authorisation session ID (issue server/925).
Dependency changes
Upgrades to com.nimbusds:oauth2-oidc-sdk:11.4
Upgrades to com.nimbusds:oauth2-authz-store:24.7
Updates to com.nimbusds:software-statement-verifier:2.2.6
Updates to org.apache.santuario:xmlsec:2.2.6
Updates to com.nimbusds:infinispan-cachestore-sql:7.0.6
Updates to org.mariadb.jdbc:mariadb-java-client:2.7.10
Connect2id server and CVE-2023-5072
Our CVE scanner recently returned a DoS vulnerability for the JSON.org dependency org.json:json:20230227.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5072
Fortunately this dependency is used in a single, non-critical place, to evaluate JSON paths as part of a configuration check in the optional software statement verifier (SSV) plugin of the Connect2id server.
There is no need to take action, unless all of the following apply:
- You have enabled open dynamic client registration: op.reg.allowOpenRegistration=true
- You have a Connect2id server deployment with an enabled SSV plugin: op.ssv.enable=true
- The plugin is configured with op.ssv.scopeRules.* that represent JSON Path queries.
Because the scope rules check is performed only after a successfully authenticated (JWS validated) software statement, the DoS exploitation risk is minimal.
We have released a patched up SSV plugin that bumps the org.json:json dependency to 20231013.
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>software-statement-verifier</artifactId>
    <version>2.2.6</version>
</dependency>
The patched up SSV plugin will be included in the next Connect2id server release.