LDAP backend support will be removed in 2023

In 2023 Connect2id server support for persisting its internal data, such as client registrations and sessions, will cease to cover LDAP. The latest significant feature, OpenID Connect Federation 1.0, was implemented without support for persisting data to LDAP.

When support for LDAP is removed the available databases will be:

  • For persisting durable data:
    • Relational databases:
      • MySQL
      • PostgreSQL
      • Microsoft SQL Server
      • H2
    • AWS DynamoDB
  • For in-memory storage and caching outside Infinispan:
    • Redis

Note that the Connect2id server connector for sourcing OpenID claims from LDAP directories remains.

Connect2id server 13.0

This release of the Connect2id server for OpenID provision and OAuth 2.0 authorisation focuses on PKCE and issuer (domain) aliasing. It is given a new major number for two reasons: the database schema receives an update, and deployments that have an embedded H2 database for persisting server data are switched to a new, backwards incompatible version of H2.

Per-client PKCE policy support

The Proof Key for Code Exchange by OAuth Public Clients (PKCE) is a security extension originally devised to prevent code injection attacks on clients that cannot authenticate at the token endpoint. It was later found to be useful against other attack vectors and thus became mandatory in OAuth 2.1.

This release of the Connect2id server introduces the new code_challenge_method metadata field to require a client to use PKCE. If the client makes an authorisation request without a code_challenge, or with a method other than the registered one, the Connect2id server will return an invalid_request error explaining which PKCE method is expected.

Note that the global op.authz.requiredPKCE configuration property, which applies to all clients, always overrides the individual PKCE setting.

Example registration request where the client is required to use the recommended S256 code challenge method:

POST /clients HTTP/1.1
Host: demo.c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "redirect_uris"         : [ "https://client.example.org/callback" ],
  "code_challenge_method" : "S256"
}

The client registration howto is updated with this and other useful examples.
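The following is an added example, not Connect2id code, showing the two server-side checks the PKCE policy above implies: the authorisation endpoint rejecting a request whose code_challenge_method does not match the registered one (with the global requirement taking precedence), and the token endpoint verifying the code_verifier against the stored challenge for both S256 and plain. The CLIENTS registry, the global_required parameter and the function names are assumptions made for the example; the code_challenge_method metadata value and the error codes are the ones named on this page.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed client registrations. The dict shape is an assumption for this
# example, not Connect2id's data model; the code_challenge_method field itself
# is the client metadata the release introduces.
CLIENTS = {
    "public-app": {"code_challenge_method": "S256"},  # must use PKCE with S256
    "legacy-app": {"code_challenge_method": None},    # no per-client PKCE policy
}


def effective_pkce_method(client_id: str, global_required: Optional[str] = None) -> Optional[str]:
    """Resolve the PKCE method a client must use. A global requirement (modelled
    on op.authz.requiredPKCE; the parameter name here is an assumption) always
    overrides the per-client registration, as the release notes state."""
    if global_required:
        return global_required
    return CLIENTS[client_id].get("code_challenge_method")


def check_authz_request(client_id: str, params: dict, global_required: Optional[str] = None) -> Optional[dict]:
    """Authorisation endpoint policy check. Returns None when the request
    satisfies the client's PKCE policy, otherwise an OAuth 2.0 error object."""
    required = effective_pkce_method(client_id, global_required)
    if required is None:
        return None  # PKCE stays optional for this client
    if params.get("code_challenge") is None:
        return {"error": "invalid_request",
                "error_description": f"PKCE required: send code_challenge with code_challenge_method {required}"}
    # RFC 7636: an absent code_challenge_method means "plain"
    method = params.get("code_challenge_method", "plain")
    if method != required:
        return {"error": "invalid_request",
                "error_description": f"Unsupported code_challenge_method {method}: {required} is required"}
    return None


def new_code_verifier() -> str:
    """Client side: a high-entropy verifier within RFC 7636's 43..128 length bounds."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(stored_challenge: Optional[str], stored_method: Optional[str],
                         verifier: Optional[str]) -> bool:
    """Token endpoint check of the code_verifier against the challenge bound to
    the authorisation code. A False result maps to an invalid_grant error and,
    per the resolved issue on this page, immediate invalidation of the code."""
    if stored_challenge is None:
        return verifier is None  # code issued without PKCE: an unexpected verifier is rejected
    if verifier is None or not 43 <= len(verifier) <= 128:
        return False
    if stored_method == "S256":
        expected = s256_challenge(verifier)
    elif stored_method == "plain":
        expected = verifier
    else:
        return False
    # constant-time comparison so the check does not leak how many chars matched
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    verifier = new_code_verifier()
    req = {"response_type": "code", "client_id": "public-app",
           "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
    print(check_authz_request("public-app", req))                            # None: accepted
    print(check_authz_request("public-app", {"response_type": "code"})["error"])  # invalid_request
    print(verify_code_verifier(req["code_challenge"], "S256", verifier))        # True
```

The test vector used below is the code_verifier / code_challenge pair from RFC 7636 Appendix B, so the S256 derivation can be checked against a published value.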

OpenID provider issuer (domain) aliases

Connect2id server 12.3 introduced the concept of issuer aliases, for scenarios where an OpenID provider / OAuth 2.0 server can be known by multiple issuer URLs. This can also be useful to migrate an identity provider seamlessly and over time from one issuer URL to another.

This release upgrades the issuer alias model with a new mode suitable for light multitenancy: it isolates the OAuth flows, grants and tokens between issuer aliases while keeping the client registrations and end-user sessions shared.

The issuer aliases guide has a thorough explanation of how to configure and operate such a deployment. The guide also lists the limitations of issuer aliases and when the multi-tenant edition of the Connect2id server is appropriate.

Client registration entity size limit

The Connect2id server limits the size of client metadata in registration requests to 250K chars, to prevent DoS attacks.

This limit can now be adjusted if needed via the op.reg.httpMaxRequestSize Java system property.

Example:

op.reg.httpMaxRequestSize=100000

Database schema

The introduction of the new code_challenge_method client metadata parameter will necessitate a change to the database schema of Connect2id server deployments that use an SQL store (MySQL, PostgreSQL, SQL Server or H2) or an LDAP store (such as OpenLDAP).

If you have an SQL database, on startup the Connect2id server will automatically add the new code_challenge_method column to the clients table.

If you have an LDAP store, a manual schema upgrade is required, explained in the release notes below.

If you have a DynamoDB store, which is schema-less, there is nothing to do.

SQL connector and driver updates

The connector for SQL stores, including jOOQ, the connection pool library and some of the JDBC drivers were also upgraded.

H2 database

Support for the H2 SQL database was upgraded from v1.x to 2.x. The new version of the database received changes to the SQL data types and the underlying file format. This means that data stored in H2 v1.x is not compatible and cannot be read by the new v2.x. If you have a Connect2id server deployment with the embedded H2 database and need to migrate the server data, check out the data migration guide.

Redis

Connect2id server deployments with Redis for storing short-lived and cached data can now easily configure a password for accessing the Redis server with the new redisMapPassword and redisCachePassword system properties.

For more information on what's new or changed, check the release notes below.

Download 13.0

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.0: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 02c72ef9d3ef9c35db9189b8984fb67abfe7f844ceccf854a7f71e383c3906f0

Connect2id server 13.0 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 95280957fed80e6bf827668bffc5afafeb63cc49904d6a2d6ea14ec7ab432017

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.0: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 3c61225f1f3dccdc7e69c932d53adc46b60ec4abd971f8234069f4980aa60dc3

Connect2id server 13.0 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 2c75c97dcdd6e6098a7a2b7ee7f3e35b91c0e39f9b5260b30ecebf197a08f92b

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.0 (2022-11-30)

Summary

  • Individual clients can be registered to require use of Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) by means of the code_challenge_method client metadata.

  • Upgrades the OpenID provider / OAuth 2.0 authorisation server issuer alias model.

    Issuer aliasing was introduced in v12.3 (2021-09-17) to enable a Connect2id server deployment to migrate seamlessly and over time from one issuer identifier URL to another. Issuer aliases can also be used when an OpenID provider / OAuth 2.0 authorisation server is known by multiple URLs.

    This release introduces two differentiated issuer alias modes (configurable by op.issuerAliasMode):

    • MIGRATION -- Intended to facilitate issuer URL migration or deployments where the OpenID provider is known by multiple URLs. This is the default mode and how the Connect2id server previously behaved with enabled issuer aliases.

    • PERSISTED_GRANT_ISOLATION -- Enforces complete OAuth 2.0 grant isolation between issuer aliases. Has the effect of disabling long-lived (persisted) consent, forcing issue of self-contained (stateless) refresh tokens only, and blocking the use of any previously issued identifier-based refresh tokens. This mode is intended for deployments that for some reason choose not to operate a multi-tenant Connect2id server, where the OpenID providers / OAuth 2.0 authorisation servers are completely isolated.

    For security reasons both issuer alias modes will now behave as follows:

    • Prevent switching of the issuer URL during an OAuth authorisation code, implicit or hybrid flow (which may involve the PAR endpoint).

    • Prevent switching of the issuer URL in the authorisation session API at the user authentication or consent step.

    • The token introspection endpoint will mark any token issued under a different alias as invalid and the scope to access the endpoint must also be set to the current issuer URL.

    • The UserInfo endpoint will reject access tokens issued under a different alias.

    Note, in the MIGRATION issuer alias mode refresh tokens which are tied to long-lived (persisted) consent can be shared across all issuer aliases. The resulting access tokens however will be issued and remain valid for the current issuer alias only.

    Finally, the issuer aliasing was updated to enable dynamic addition and removal of issuer alias URLs, with no changes to the Connect2id server configuration.

  • Upgrades H2 SQL database support from v1.x to v2.x. This is a breaking change that affects the persisted H2 data format. Data stored by H2 v1.x is not compatible and cannot be read by H2 v2.x. Connect2id server deployments that use H2 to persist server data will need to perform a migration. See the Data Migration guide for more information.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.issuerAliases -- New optional configuration property for Connect2id server deployments that need to support issuer alias URLs of the OpenID provider / OAuth 2.0 authorisation server. By setting the configuration property to "*" (asterisk) the HTTP reverse proxy in front of the Connect2id server is enabled to determine the whitelisted issuer alias URLs when setting the "Issuer" security header. This can be useful in deployments where issuer aliases must be added or removed dynamically, without restarting the server (in the regular edition) or updating the OpenID provider / OAuth 2.0 authorisation server configuration via the tenants web API (in the multi-tenant edition). Previously the Connect2id server supported only a static whitelist of allowed issuer aliases.

    • op.issuerAliasMode -- New optional configuration property introducing two differentiated modes of issuer aliasing:

      • MIGRATION -- Enables seamless migration over time to a new issuer URL. This is the default mode and how the Connect2id server previously behaved with enabled issuer aliases.

      • PERSISTED_GRANT_ISOLATION -- Enforces persisted grant isolation between issuer aliases: disables long-lived (persisted) consent; forces issue of self-contained (stateless) refresh tokens; blocks the use of any previously issued identifier-based refresh tokens.

    • op.reg.httpMaxRequestSize -- New optional configuration property enabling override of the size limit of the entity body of HTTP POST and PUT requests to the client registration web API. Configurable via Java system property only! The default value is 250 thousand (250000) characters.

  • /WEB-INF/infinispan-*-redis-*.xml

    • New redisMapPassword and redisCachePassword configuration properties of type string to set a password for accessing Redis. The default value is no password.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "code_challenge_method" column to the "clients" table. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new column (with an appropriate default value) on startup.

  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "oauthCodeChallengeMethod" attribute to the "oauthClientMetadata" object classes. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) must update the LDAP schema manually to version 1.19, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.19/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-openldap.ldif?at=1.19&diff2=97f372ce82ddd94e08a3937c4169f3a190aed2b2 and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-opendj.ldif?at=1.19&diff2=97f372ce82ddd94e08a3937c4169f3a190aed2b2

Web API

  • /clients

    • Supports registration of clients with the optional custom code_challenge_method metadata field of type string and values S256 and plain to force the client to use a code challenge method (see Proof Key for Code Exchange by OAuth Public Clients, RFC 7636) at the authorisation and the pushed authorisation request (PAR) endpoints. The default value is no code challenge method.

      Note that the Connect2id server op.authz.allowedPKCE and op.authz.requiredPKCE configuration properties will always override this client metadata.

Resolved issues

  • Upgrades the security of the authorisation code grant at the token endpoint by adding an immediate code invalidation to complement the usual invalid_grant OAuth 2.0 error in the following cases: 1) mismatch between token request client_id (for a public or successfully authenticated confidential client) and the client_id associated with the issued code at the authorisation endpoint; 2) invalid or missing redirect_uri; 3) missing, invalid or unexpected code_verifier (PKCE); 4) mismatch between the code issuer and the tenant issuer at the token endpoint (issue authz-store/195).

  • Improves the data layer performance of code for token exchange at the token endpoint (issue authz-store/195).

  • Updates the token endpoint unauthorized_client error description in the case when the request is rejected because the client is not registered for the grant type (issue server/798).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:19.3

  • Updates to com.nimbusds:oidc-session-store:15.1.1

  • Upgrades to com.nimbusds:tenant-manager:7.3.1

  • Upgrades to com.nimbusds:tenant-registry:7.1

  • Updates to com.google.code.gson:gson:2.10

  • Updates to com.nimbusds:infinispan-cachestore-sql:5.0

  • Updates to com.nimbusds:infinispan-cachestore-redis:9.2.9

  • Upgrades to org.jooq.pro-java-11:jooq:3.17.4

  • Updates to com.zaxxer:HikariCP:5.0.1

  • Updates to org.postgresql:postgresql:42.5.1

  • Upgrades to com.h2database:h2:2.1.214

Connect2id server 12.18

Connect2id server deployments can now mask or rewrite selected OpenID provider metadata fields published at the /.well-known/openid-configuration endpoint, to minimise the amount of published metadata or to hide supported endpoints and capabilities that cannot be disabled by a simple configuration setting. This is done by creating a JSON object to act as an overlay and saving it in the new op.metadataOverlay configuration property.

Sample overlay to hide the introspection endpoint:

op.metadataOverlay={"introspection_endpoint":null}

With additional BASE64 encoding on top of the JSON text, for easier passing around via environment variables:

op.metadataOverlay=eyJpbnRyb3NwZWN0aW9uX2VuZHBvaW50IjpudWxsfQ==

Note that the overlay does not alter the internal Connect2id server configuration, and the server does not check the resulting JSON object for being a legal representation of OpenID provider metadata according to the specification. One way to double-check the published metadata is to run it through the parse method of the OIDCProviderMetadata class in the OAuth 2.0 / OpenID Connect SDK.
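As an added example (not Connect2id code), the snippet below reproduces the overlay semantics described above: the overlay is accepted either as JSON text or as BASE64-encoded JSON text, null values remove a published field and non-null values replace it. Because the server itself does not validate the result, the example also reports any metadata field that OpenID Connect Discovery 1.0 marks as REQUIRED but that the overlay has removed, which is a lightweight stand-in for the SDK parse check the text recommends. The sample metadata, the issuer URL and the function names are constructed for the example.

```python
import base64
import binascii
import json
from typing import Any, Dict, List

# Fields OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata
# (token_endpoint is required unless only the implicit flow is supported,
# so it is checked here as well).
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def parse_overlay(value: str) -> Dict[str, Any]:
    """Accept the overlay as JSON text or as BASE64-encoded JSON text, the two
    forms the op.metadataOverlay property takes on this page."""
    text = value.strip()
    if not text.startswith("{"):
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("overlay is neither JSON nor BASE64-encoded JSON") from exc
    overlay = json.loads(text)
    if not isinstance(overlay, dict):
        raise ValueError("overlay must be a JSON object")
    return overlay


def apply_overlay(metadata: Dict[str, Any], overlay: Dict[str, Any]) -> Dict[str, Any]:
    """Null overlay values remove a field, non-null values replace (or add) it.
    The input dict is left untouched, mirroring the note that the overlay does
    not alter the server's internal configuration."""
    result = dict(metadata)
    for key, value in overlay.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = value
    return result


def missing_required(metadata: Dict[str, Any]) -> List[str]:
    """Report REQUIRED discovery fields absent from the metadata that would be
    published. This checks presence only, not the validity of field values."""
    return [f for f in REQUIRED_FIELDS if f not in metadata]


# Constructed sample metadata; the issuer and endpoint URLs are placeholders.
SAMPLE_METADATA = {
    "issuer": "https://demo.c2id.com",
    "authorization_endpoint": "https://demo.c2id.com/login",
    "token_endpoint": "https://demo.c2id.com/token",
    "introspection_endpoint": "https://demo.c2id.com/token/introspect",
    "jwks_uri": "https://demo.c2id.com/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


if __name__ == "__main__":
    # The page's BASE64 form of {"introspection_endpoint":null}
    overlay = parse_overlay("eyJpbnRyb3NwZWN0aW9uX2VuZHBvaW50IjpudWxsfQ==")
    published = apply_overlay(SAMPLE_METADATA, overlay)
    print("introspection_endpoint" in published)   # False
    print(missing_required(published))            # []
    # An overlay that nulls a REQUIRED field is caught before it is deployed
    print(missing_required(apply_overlay(SAMPLE_METADATA, {"jwks_uri": None})))  # ['jwks_uri']
```

Running missing_required over the overlaid result before saving the property catches the most common mistake, removing a field relying parties need to complete discovery, while the full structural validation still belongs to the SDK parse method named above.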

For more information on what's new or changed, check the release notes below.

Download 12.18

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.18: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: ab5c6afa1b83f748d60799525327824884acd5d73bb407b12aefc1d826fb8b45

Connect2id server 12.18 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 98e6d1aeebf02198b7139f782689bcf13d4b59cbd9042ec8e2911d6e72468c75

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.18: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1ef2ae977c7e5222c1a27fae5be0d9868f80b431007105f4f80bbbda7f136f9a

Connect2id server 12.18 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b4d4bf14ca3492a9301b9625801da3c69258589c3d7545322c4b02cfed46f92f

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

12.18 (2022-10-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.metadataOverlay -- New optional configuration property for a JSON object overlay to apply to the OpenID provider / OAuth 2.0 authorisation server metadata published at the ".well-known/openid-configuration" and ".well-known/oauth-authorization-server" endpoints. Non-null values in the overlay object replace existing metadata fields, null values remove them. Note, the overlay does not affect the internal Connect2id server configuration and after its application the resulting JSON object is not checked for being a legal representation of OpenID provider / OAuth 2.0 authorisation server metadata. If set the overlay must be represented as a JSON object string, and can be additionally BASE64 encoded to ease passing the configuration property from a command line shell.

Web API

  • /authz-sessions/rest/v3/

    • Pushed authorisation request (PAR) URIs are now invalidated after their use at the authorisation endpoint. Previously a PAR URI remained valid until the expiration configured by the op.par.lifetime property.

Resolved issues

  • Logs a warning under AS0277 when revoking an authorisation by a self-contained (JWT-encoded) access token whose local (public) subject or client_id is not encoded (issue authz-store/194).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2.1

  • Updates to io.prometheus:simpleclient:0.16.0

  • Updates to io.prometheus:simpleclient_servlet:0.16.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.16.0

  • Updates to Log4j 2.19.0

Connect2id server 12.17

This September release of the Connect2id server updates the revocation web API to enable callers to conserve server and network resources. When revoking the tokens and persisted consent for a given subject (end-user) or client, the server returns all matching long-lived (persisted) authorisations that have been deleted. For a revoked client with thousands or millions of end-users this can result in megabytes of removed authorisations being streamed into the HTTP response. In such cases, or whenever the caller is not interested in which authorisations are affected or in their details, a new quiet=true query parameter can now be applied to omit the streaming and return an HTTP 204 No Content response.

Example use of the quiet=true query parameter when revoking a client with ID zaqu4ong:

POST /authz-store/rest/v3/revocation?quiet=true HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/x-www-form-urlencoded

client_id=zaqu4ong

The HTTP 204 No Content response:

Status Code: 204 No Content

The authorisation session API and the token exchange plugin received two bug fixes.

Check the release notes below for details.

Download 12.17

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 84959987d94ebca82ac9296161b63631d1fe71208250de5e01dfc682a14d5e79

Connect2id server 12.17 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: eb0cd476641f68228002d63af810fe26a83b5c1bb811ca22443691c4e8b5dd9e

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6941ba145e5f58073aeb05f004886a8d9a509cdb20ba9fb63418945063381179

Connect2id server 12.17 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 504fe78e94d6d6f6ebd8bae647e15823336962043caa7c725346c740751d1c04

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

12.17 (2022-09-14)

Web API

  • /authz-store/rest/v2/revocation

    • Adds support for an optional "quiet" query parameter when posting a revocation. When set to quiet=true an HTTP 204 No Content response will be returned; if any authorisation(s) were matched by the revocation parameters and removed they will not be returned in the response body.

Resolved issues

  • The authorisation session web API must not set the "required_sub" parameter in the authentication prompt to the end-user ID when the Connect2id server is configured with alwaysPromptForAuth=true and the end-user has an active session. This resulted in an incorrect OpenID Connect login_required error if the current end-user is (re)authenticated to another subject (end-user ID) as a result of the authentication prompt. The fix corrects the behaviour so that the original session is closed and a new one with the new subject (end-user ID) is started (issue server/781).

  • The op.grantHandler.tokenExchange.webAPI.actorToken.types configuration property of the token exchange grant handler plugin must support a setting in which no actor token types are accepted. The default value must also be none (issue grant-handlers-web/1).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2

  • Updates to com.nimbusds:oidc-session-store:14.9.2

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.3

  • Updates to com.nimbusds:tenant-manager:6.0.4

  • Updates to com.nimbusds:tenant-registry:6.0.3

  • Updates to com.google.crypto.tink:tink:1.7.0

  • Updates DropWizard to 4.2.12

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.8

  • Updates to org.postgresql:postgresql:42.5.0

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.6

  • Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.1.jre11

Connect2id server 12.16.1

This Connect2id server release fixes issues in the new token exchange plugin as well as in the re-engineered web-based password and client credentials grant handler plugins shipped in v12.16. You can find more information in the release notes below.

Download 12.16.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c12801414d8023e964b6512c5b05b04f040e85d07ab1eb5da771213007171ccd

Connect2id server 12.16.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 791d731e66694413ea00a9f7554a77bf6c2a0177f345ff44b01529a64115d0b9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0f499cbdafba4c0c48eab771670d3511f521332619c47ed899e860749b233194

Connect2id server 12.16.1 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 24ddb24b1d893d9a0d1ee606ed09eb5c256a65133aea4dcd28f95f0fbeddbcef

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

12.16.1 (2022-08-18)

Resolved issues

  • Fixes missing logging of the base configuration properties in the web-based token exchange grant handler (issue server/776).

  • Fixes test that erroneously removed the SPI manifests for the web-based password, client credentials and token exchange grant handlers (issue server/778).

Dependency changes

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.1