Connect2id server 14.7

This Connect2id server release ships updates in three different areas.

Native application redirect_uri updates

The OpenID Connect standard is going to receive an errata that allows native applications to register redirection URIs using an IPv4 or IPv6 loopback IP, in addition to the previous localhost for HTTP URLs.

For example:

POST /clients HTTP/1.1
Content-Type: application/json

{
  "application_type"           : "native",
  "redirect_uris"              : [ "http://127.0.0.1:8080/cb" ],
  "token_endpoint_auth_method" : "none",
  "code_challenge_method"      : "S256"
}

This upcoming change was implemented and is now available.

Native applications can now also be registered to use variable ports in their localhost or loopback IP redirection URL. This is done by registering the URL with the port number set to zero (0). In situations where the application is not guaranteed to be able to bind to a predetermined port this can be indispensable.

POST /clients HTTP/1.1
Content-Type: application/json

{
  "application_type"           : "native",
  "redirect_uris"              : [ "http://127.0.0.1:0/cb" ],
  "token_endpoint_auth_method" : "none",
  "code_challenge_method"      : "S256"
}

Note, the port zero to signify that the native application may vary the port number in its redirection URL is not a standard convention (yet).

You can find more information and examples about native application registration as OAuth 2.0 clients in the dedicated guide.

Filtering of PKCS#11 / HSM keys

Connect2id server deployments where the token signing is handled by Hardware Security Module (HSM) can now specify a list of keys to load. The selective HSM key loading can enable deployments where the HSM is shared with other applications.

Example list of three key IDs representing UUIDs:

pkcs11.keyIDs.1=9d64c4f5-724f-4057-af36-1dd2679c00a4
pkcs11.keyIDs.2=cb8dc79c-7ec9-4488-8723-e50fe32a2ff3
pkcs11.keyIDs.3=d274a2c2-9af7-4fbd-b669-8e337672443c

Publishing of historical keys

The Connect2id server now also supports the publishing of JWKs for historical or other purposes. These can be supplied as public-only JWKs (without any their parameters).

Infinispan object expiration and purge updates

The shipped Infinispan configurations received an update that enables deployments to override the default interval of the object expiration tasks. This can be used to tune the expiration or to implement stateless cluster strategies with a dedicated expiration node.

Other related changes:

  • The orphaned subject key purge task is now disabled by default, since it's redundant in most practical cases.

  • The session store purge resource received new optional parameters and will now by default purge only the subject session map, ignoring the rest.

  • The default expiration interval of sessions was increased from 5 to 10 minutes.

You can find more information the release notes below.

Download 14.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 265ea89d12c7fd81a96ac7ad0b31dc72df8252489d54933b384f38773615838f

Connect2id server 14.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: fdb6beffdfdda8861ba057d370bfda6af594b72b99d1724584008d83e5724490

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1919a2815f3c5a8bf319656d2e963165461d1a0966e9de8b42ed87b88e59a6a8

Connect2id server 14.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b0c5198444ce02957e9045c6d1e2451a57fcdaccc779e43c508deb75cee0e055

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.7 (2023-10-15)

Summary

  • The support for native applications is updated to enable registration of redirection http URIs with a loopback IP. Native applications with a localhost or loopback http redirection URI may also use a variable port, in cases when the application is not guaranteed to be able to bind to a predetermined port.

  • The Connect2id server can now be configured to load only selected signing keys from a PKCS#11 (HSM) store. This can enable deployments where the HSM is shared with other applications.

  • The Connect2id server /jwks.json endpoint may include public-only signing keys, for historical or other purposes.

  • The Infinispan configuration supports the setting of custom expiration intervals for all Connect2id server objects that require expiration. The expiration interval of subject sessions remains separately configurable. This enables strategies such as:

    • Dedicating a set of Connect2id server nodes to processing OAuth 2.0 and OpenID Connect requests and one (or more) nodes to the task of object expiration.

    • Disabling the periodic execution of the subject session expiration task and invoking it externally, for example by a cron-style job at a time that is deemed optimal.

Configuration

  • /WEB-INF/jwkSet.json

    • The JWK set may include JWK instances without private parameters. These keys will be published at the /jwks.json endpoint and not used internally by the Connect2id server.

      Public signing and encryption Connect2id server keys may be included to be published at the /jwks.json endpoint for historical purposes.

  • /WEB-INF/federationJWKSet.json

    • The federation entity JWK set may include JWK instances without private parameters. These keys will be included in issued Entity Configurations and not used internally by the Connect2id server.

      Public signing federation entity keys may be included for historical purposes.

  • /WEB-INF/jose.properties

    • pkcs11.keyIDs.* -- New optional configuration property. Specifies an explicit list of identifiers (aliases) of PKCS#11 keys to load from the HSM device (when an HSM is configured). If omitted or blank all recognised keys will be loaded.

      This configuration property can be used to filter the PKCS#11 keys to load from an HSM that is shared by several applications.

  • /WEB-INF/sessionStore.properties

    • sessionStore.sessionMap.expirationInterval -- Increases the default value from 300000 ms (5 minutes) to 600000 ms (10 minutes).

    • sessionStore.internal.subjectIndexPurgeInterval -- Receives a new default value of -1 (disabled).

  • /WEB-INF/infinispan-*.xml

    • Adds a new "infinispan.defaultExpirationInterval" configuration property with a default value of 300000 ms (5 minutes) to enable override of the default expiration purge interval for all Infinispan maps and caches where an expiration is required by the Connect2id server. Non-expiring maps and caches are not affected by this configuration property. The session map expiration interval override remains in the "sessionStore.sessionMap.expirationInterval" configuration property.
  • /WEB-INF/infinispan-stateless-{mysql|oracle|postgres95|sqlserver}.xml

    • Enabled for the "sessionStore.sessionMap.expirationInterval" configuration property.
  • /WEB-INF/infinispan-multitenant-stateless-{mysql|oracle|postgres95|sqlserver}.xml

    • Enabled for the "sessionStore.sessionMap.expirationInterval" configuration property.

Web API

  • /clients/

    • Native applications (with the application_type metadata parameter set to native) may register redirection URIs with a loopback IP address -- 127.0.0.1 in IPv4 and 0:0:0:0:0:0:0:1 (short form ::1) in IPv6. Previously clients using the loopback interface to receive OAuth 2.0 redirections could only register with the "localhost" hostname in the URL.

    • Native applications (with the application_type metadata parameter set to native) may register localhost and loopback IP redirection URIs with a variable port, by specifying port zero in the URI, for example http://localhost:0/callback. Authorisation requests can then use any port in the 1 to 65535 range, provided the other components in the redirection URI match the registered URI exactly. Example permitted redirection URI for on the given registered example: http://localhost:1234/callback.

  • /session-store/rest/v2/

    • The /purge resource is updated, changing the default action to force a purge of the expired session only. The purging of expired and orphaned index keys is redundant and become optional operations now.

      Changes to the resource:

      • Adds a new form parameter with name sessions and a default value true. When true all expired sessions will be purged. When false the expired sessions purge will be skipped.

      • Adds a new form parameter with name index and a default value false. When true all expired subject index keys will be purged. When false the expired subject index keys purge will be skipped.

      • Adds a new form parameter with name orphaned_index_keys and a default value false. When true all orphaned subject index keys will be purged. When false the orphaned subject index keys purge will be skipped.

      • Adds a new form parameter with name async and a default value false. When true the purges will be performed asynchronously.

      • The async query parameter of the /purge resource is deprecated. Use the new async form parameter instead.

Resolved issues

  • The default value of sessionStore.internal.subjectIndexPurgeInterval is changed to -1 (disabled). In most practical cases the periodic purge task is redundant, due to the automatic subject index max_life expiration (in deployments with DynamoDB or Redis) or the purge on new subject session insertion when the subject session quota is reached. The session store /purge resource remains available (issue session-store/91).

  • Changes the SS0233 log message to level WARN when the purged number of orphaned subject keys is greater than zero, otherwise the level remains INFO (issue session-store/90).

  • Fixes an issue affecting grant isolation at the token endpoint when the Connect2id server is configured with issuer aliasing in mode PERSISTED_GRANT_ISOLATION (issue server/923).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.2

  • Updates to com.nimbusds:oauth2-authz-store:24.6.4

  • Updates to com.nimbusds:oidc-session-store:16.7.1

  • Updates to com.nimbusds:c2id-server-jwkset:1.30

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:5.3

  • Updates to Infinispan to 14.0.19.Final

Connect2id server and CVE-2023-5072

Our CVE scanner recently returned a DoS vulnerability for the JSON.org dependency org.json:json:20230227.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5072

Fortunately this dependency is used in a single, non-critical place, to evaluate JSON paths as part of a configuration check in the optional software statement verifier (SSV) plugin of the Connect2id server.

There is no need to take action, unless all of the following applies:

  1. You have enabled open dynamic client registration:

    op.reg.allowOpenRegistration=true
    
  2. You have a Connect2id server deployment with an enabled SSV plugin:

    op.ssv.enable=true
    
  3. The plugin is configured for op.ssv.scopeRules.* that represent JSON Path queries.

Due to that fact that the scope rules check is performed only after a successfully authenticated (JWS validated) software statement, the DoS exploitation risk is minimal.

We have released a patched up SSV plugin that bumps the org.json:json dependency to 20231013.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>software-statement-verifier</artifactId>
    <version>2.2.6</version>
</dependency>

The patched up SSV plugin will be included in the next Connect2id server release.

Connect2id server 14.6

This Connect2id server release received a sweeping update of the Redis connector. It fixes a bug that affected the max_idle expiration of sessions, addressed concurrency issues on scan operations and purges max_idle expired sessions eagerly to conserve Redis server memory. 14.x Connect2id servers deployed with a Redis for caching and storing sessions are strongly recommended to upgrade to 14.6.

The session store received a minor configuration change, increasing the maximum concurrent session quota per user from 10 to 25.

Additional information about the new releaese can be found in the release notes below.

Download 14.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 6ca441cccd264296bbaabcbeeeabf0fd609146004d431ce4cbeb7c1e30d0b2e0

Connect2id server 14.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8ac75fb6fa7f0c6ebb9ab54aa70b481081bb6ea85540aceef736cb83239d3e1c

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a8a06c6b8482d714e39ead566635273a0e18b32fba862b7c43d76db006c2ce7d

Connect2id server 14.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 72417e06dd9b21fe167ee9ca8566e84bee0c674f7d4e85a42b2c58298428fa9f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.6 (2023-09-28)

  • /WEB-INF/sessionStore.properties

    • sessionStore.quotaPerSubject -- The maximum configurable session quota per subject (end-user) is increased from 10 to 25 sessions.

Resolved issues

  • Enhances and refactors the Redis store debug and trace level logging (issue redis-store/7).

  • Prune max_idle expired entries on Redis store retrieval or iteration (scan) instead of waiting for the final max_lifetime expiration in the Redis store (issue/redis-store/10).

  • Adds an entry expiration check on Redis store retrieval based on the stored Infinispan entry metadata to prevent situations where a max_idle expired entry is assumed as not expired by Infinispan (since v14.x) (issue server/899, issue redis-store/8).

  • Makes Redis store iteration (scan) safe with concurrent key deletion or expiration (issue redis-store/11).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.0

  • Updates to com.nimbusds:oidc-session-store:16.5

  • Updates to com.nimbusds:nimbus-jose-jwt:9.35

  • Upgrades to Infinispan to 14.0.17.Final

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.0.5

  • Updates to com.microsoft.sqlserver:mssql-jdbc:12.2.0.jre11

  • Updates to com.oracle.database.jdbc:ojdbc11:21.9.0.0

  • Updates to com.nimbusds:infinispan-cachestore-redis:10.1.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:5.0.2

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.10

  • Updates to commons-io:commons-io:2.11.0

Connect2id server 14.5

Connect2id server 14.5 ships several small updates to its APIs and fixes v14.x issues reported in August.

This release also receives an enhanced redirect_uri validation, to prevent clients from registering or using redirection URIs with query parameters that may lead to authorisation response parameter pollution, as discussed on the 24th of August at the OAuth Security Workshop in London. The extra redirect_uri check is implemented in the underlying OAuth 2.0 / OpenID Connect SDK and will basically block clients from registering (or using) redirection URIs with query parameters that shadow the authorisation response parameters code, state or the JARM response. If a client for some reason is registered with a redirect_uri that contains one of these query parameters it will be forced to re-register with a compliant URI.

More information about what's new or was fixed in v14.5 can be found in the release notes below.

We are currently in the process of reworking our 10 year old connect2id.com website design. Our aim is to make it better, not worse, and to find out what people actually think or want to have improved we've set up this anonymous form. Your feedback will be highly appreciated.

Download 14.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 6ba96842a30c513cf2f29c6c49d196c54bfbec7094b874711712073c5c98b3b9

Connect2id server 14.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 7e8b27a0d9d3a0d75701ba115691732be3b61dec0c2edd2255722f70d80b305d

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 794adc95c528813969298b77c3dd8a5ee4a2ecc1d4809ad10b0fa730b0269c8f

Connect2id server 14.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 5139564949e4317bc16461841aa56b64db97ace2de292688ed66785ad155a90d

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.5 (2023-09-03)

Web API

  • /clients

    • Prevents registration of clients with "redirect_uris" that include a "code", "state" or "response" query parameter. OAuth 2.0 generally allows a client "redirect_uri" to include query parameters, which may be used, for instance, to process authorisation responses from multiple OAuth 2.0 servers or OpenID providers. This is a security measure that follows a recent recommendation that clients must not include query parameters in a registered "redirect_uri" with names used by the OAuth 2.0 authorisation response.
  • /authz-sessions/rest/v3/

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.max_age" member of type array to represent the maximum authentication age in OpenID authentication requests.

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.acr_values" member of type array to represent the Authentication Context Class Reference values in OpenID authentication requests.

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.login_hint" member of type string to represent the login hint in OpenID authentication requests.

    • Rejects OAuth 2.0 authorisation and OpenID authentication requests with a "redirect_uri" that includes a "code", "state" or "response" query parameter with an "invalid_request" error. Redirection URIs with query parameters that match the name of an OAuth 2.0 authorisation response parameter are deemed unsafe. Clients that use such query parameters in a "redirect_uri" must re-register with a new compliant redirection URI.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.59

    • The CustomTokenResponseComposer SPI extends Lifecycle.

Resolved issues

  • Alters the Oracle "clients" table definition of the "jwks" column from VARCHAR2(4000) to CLOB (issue server/910).

  • Logs the IDTokenIssueEventListener SPI and AccessTokenIssueEventListener SPI enabled status (issue server/915).

  • Isolates expended rotated self-contained (JWT) refresh tokens by subject (end-user) session ID when the refresh token is issued in a OAuth 2.0 authorisation code grant. For clients with multiple instances per subject (end-user) where the consent is transient (long_lived=false) (issue authz-store/223).

  • Logs the OP8041 INFO message only when there are explicit OpenID Connect Federation 1.0 clients reaped (issue server/916).

  • Removes redundant Infinispan externalisers used in the OpenID Connect Federation 1.0 explicit client index (issue server/917).

  • Fixes an HTTP 500 Internal Server Error at the authorisation session web API when receiving an OpenID authentication request with certain illegal JSON in the claims parameter that produced an OAuth 2.0 "error_description" with an illegal double-quote character according to RFC 6749, section 5.2 (issue server/919).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.59

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.14.2

  • Updates to com.nimbusds:oauth2-authz-store:24.6

  • Updates to net.minidev:json-smart:2.4.11

  • Updates to com.google.crypto.tink:tink:1.10.0

Connect2id server 14.4 introduces Rich Authorisation Request (RAR) type checking

RAR

This Connect2id server release is another step towards a complete built-in support for OAuth 2.0 Rich Authorisation Requests (RFC 9396).

Identity providers and OAuth 2.0 servers that implement this recent OAuth 2.0 extension can now use the op.rar.supportedTypes configuration property to list the supported RAR types. In RAR the JSON objects that express the authorization_details have an explicit "type" to aid their parsing and validation.

Example configuration listing two supported RAR object types:

op.rar.supportedTypes=account_information,payment_initiation

The supported types will then be published in the OpenID provider metadata where clients and developers can discover them.

Example server metadata snippet:

{
  "issuer"                                : "https://c2id.com",
  "jwks_uri"                              : "https://c2id.com/jwks.json",
  ...
  "authorization_details_types_supported" : [ "account_information",
                                              "payment_initiation" ],
  ...
}

When RAR types are configured the Connect2id server will not only include them in the published server metadata, but will also use them to check the authorization_details parameter in received authorisation and token requests. If the type is supported the request can proceed, if not the server will return an invalid_authorization_details to the client. Previously this check had to be done by creating dedicated PAR validator and / or authorisation request validator plugins.

Within the authorisation session web API the authorization_details parameter can now be accessed by handler logic in the session object under auth_req.authorization_details.

H2 database upgrade

This release also changes the version number of the embedded H2 database, from v2.1.x to v2.2.x. Connect2id server deployments that use this database must migrate any records they wish to retain, because the newer version uses an updated DB file format.

You can find more information about this new release in the notes below.

Download 14.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.4: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 9958cc9a99096f671a5b202d7ba2bc75e0491a5337c1c2051eaffeb7b5549d8d

Connect2id server 14.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e497e17a1c52d5b26d4e90bb80bf0cf04d928ce0b3ed2638c1a203400a976d9a

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.4: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 5bd816bf6c8787011cad227665817a88fa023cb1ca701beef7bd739a11bb4f62

Connect2id server 14.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 35890ad0202c329f9521c8a4db0f49e9f36a9981b9a1bab7f7ee7599a1547065

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.4 (2023-08-11)

Summary

  • Connect2id server deployments that implement OAuth 2.0 Rich Authorisation Requests (RAR) (RFC 9396) can use a new "op.rar.supportedTypes" configuration property to let the server check the types of "authorization_details" in received requests and reject requests with unsupported RAR types. The supported types will also be advertised in the "authorization_details_types_supported" OpenID provider metadata field.

  • Connect2id server deployments with an embedded H2 database are upgraded from 2.1.x to the latest stable 2.2.x release. Database files created in the older H2 version are not compatible. Existing records (where they must be retained) must be migrated.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.rar.supportedTypes -- New optional configuration property to list the supported OAuth 2.0 Rich Authorisation Request (RAR) (RFC 9396) types. When specified the "authorization_details" in OAuth 2.0 authorisation / OpenID authentication requests and token requests will be checked and those with an unsupported type will be rejected with an "invalid_authorization_details" error. The types will also be advertised in the "authorization_details_types_supported" OpenID provider metadata field. The default value is none (no check).

Web API

  • /.well-known/openid-configuration

    • authorization_details_types_supported -- New optional metadata field listing the supported OAuth 2.0 Rich Authorisation Request (RAR) (RFC 9396) types. Omitted if not specified.
  • /authz-sessions/rest/v3/

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.authorization_details" member to represent the Rich Authorization Request (RAR) (RFC 9396) parameter in OAuth 2.0 authorisation requests and OpenID authentication requests.

Resolved issues

  • The UserInfo endpoint must not request claims from the sourcing SPI that are pre-set (e.g. supplied via "preset_claims.userinfo" in the authorisation session API) (issue server/885).

  • Updates JWT minting to support the inclusion of null-valued top-level claims, which can legitimately occur in data returned from the claims source SPI. The claims set in plain (unsecured) UserInfo responses and JWT-secured UserInfo responses will thus be identical for those cases when claims with null values are included, previously omitted in a JWT (issue server/906).

  • The "authorization_details" parameter must be obtainable in the AuthorizationRequestValidator and PARValidator SPIs (issue server/907).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.5.3

  • Updates to com.nimbusds:oidc-session-store:16.4.4

  • Updates to com.h2database:h2:2.2.220