Logout API updates in Connect2id server 13.6

The logout API of the Connect2id server was updated to make it more intuitive and developer-friendly.

  • The logout-end response message gets a new sub_session_closed parameter, which provides a clear hint as to when the browser session should be deleted.

  • Post-logout redirections requested by the client are now processed regardless of whether an end-user session is present. Previously the Connect2id server would ignore them if there was no active end-user session.

More information can be found in the release notes below.

Download 13.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: bdb91c4cc8a2f32ebc63457251aa5876d2d54685eb1d9ab99c2a3749d070af00

Connect2id server 13.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 12e4671bc92918425571cdd1fc0762735d82d919ba4adc893c1dcdbc14a810a6

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 65219b215d4afce61d1d2017da0eaad03108af0c61344c2f7a331dbb5caadd94

Connect2id server 13.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8b540c2865b3bb7eb6aa1c8ba87b2c4249da60654c4b493a8dffa47e82c9f54f

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.6 (2023-02-22)

Summary

  • Updates to the logout session API.

Web API

  • /logout-sessions/rest/v1/

    • Adds a new "sub_session_closed" parameter to the logout-end message, of type boolean {true|false}. When true, it indicates that the Connect2id server closed the end-user session, either in response to an IdP-initiated logout request or in response to an RP-initiated logout request with a submitted end-user confirmation that included the choice to log out of the IdP as well. To be used as a hint to delete the browser cookie linked to the session. Note that deleting the session cookie is not critical, because the session ID is invalidated on the server side.

    • The logout session API is updated to proceed with a requested "post_logout_redirect_uri" when no end-user session is present or the session has expired. Previously the redirection requested by the relying party (RP) would be silently ignored. This change conforms with OpenID Connect RP-Initiated Logout 1.0 (see section 4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.31

Connect2id server 13.5

This Connect2id server release ships three new features.

  • Single sign-on (SSO) can be disabled for selected clients. Intended as a lightweight alternative to fully-isolated client-based sessions.

  • The session store API gets a new resource that enables changes to the authentication lifetime of end-user sessions.

  • Client secret store plugins can return the encoded (hashed) secret in client read responses using a new custom encoded_client_secret client metadata field.

This release also fixes two reported bugs affecting the logout API and OpenID Connect Federation 1.0.

Detailed information is available in the release notes below.

Download 13.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: faf122c1be83aeff84961b7cb12a73a7787e885991d71dfd4049792c72b3ba02

Connect2id server 13.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a586dd25af1e9b711a495bd533fe07845471e51a7629d45a812ba4b3deea59ca

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f614ad4c03c6eb2f076d5bb2c0c9888ac56bdb20888ced811f0747127344672d

Connect2id server 13.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b610a9b1d703a7d1dbffd5032875fb459663c93e0d07d6dd2b46fe46648dd084

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.5 (2023-02-20)

Summary

  • Single sign-on (SSO) can be disabled for selected clients.

  • New session store web API resource for modifying the authentication lifetime of an end-user session.

  • Client secret store plugins can return the encoded secret in client read responses using a new custom "encoded_client_secret" client metadata field.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.sso.disableForSelectedClients -- New optional configuration property to disable single sign-on (SSO) for selected registered clients. Ensures end-users are always (re)authenticated on the first OAuth 2.0 authorisation / OpenID authentication request from such a client, even when the end-user has an existing session with the Connect2id server. Subsequent requests from the client received in the same end-user session are processed as usual, without triggering re-authentication of the end-user.

      Disabling SSO for a client creates the effect of "virtual" client-based sessions with the Connect2id server.

      Clients with disabled SSO are selected by configuring a JSON query that accepts the client registration (as a JSON object representation) and returns a boolean true result. By default no selector is specified.

      Example JSON query to disable SSO for clients which registered a custom data JSON object containing a disable_sso member set to true: .data.disable_sso==true.

      The Connect2id server logs the configured JSON query at INFO level with the ID OP0090.

Web API

  • /session-store/rest/v2/

    • Adds a new /sessions/subject-auth-life resource supporting a PUT method to change the authentication lifetime of a session. The value is specified as an integer number of minutes, where -1 means infinite (no timeout) and 0 implies the default lifetime from the sessionStore.authLifetime configuration property. Returns HTTP 204 No Content on success.

  • /clients/

    • Connect2id server deployments with a ClientSecretStoreCodec plugin for encoding (hashing or encrypting) client secrets before committing them to storage will include the stored client secret in an "encoded_client_secret" metadata field in responses to client registration read (HTTP GET) requests. Note that in order to provide the metadata field in registration read responses, the ClientSecretStoreCodec.decode method must return a DecodedSecret.withEncodedValue.

  • /monitor/v1/metrics

    • Adds new sessionStore.sessionAuthLifetimeUpdates meter.

Resolved issues

  • The OpenID Connect Federation 1.0 "value" policy check must support JSON objects (issue oidc-sdk/419).

  • Fixes a bug that prevented return of the state parameter in RP-initiated logout requests with a post_logout_redirect_uri when there is no frontchannel_logout_uri registered for the client (issue server/831).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7

  • Upgrades to com.nimbusds:oidc-session-store:15.3

  • Adds net.thisptr:jackson-jq:1.0.0-preview.20220705

Connect2id server 13.4.1

This is a maintenance release of the Connect2id server.

It fixes two recently reported bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, found during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities, a scheme that can work across various identity ecosystems and jurisdictions, and is capable of automating the trust establishment, OP & RP metadata discovery and client registration.

The feeding and logging of X.509 certificate based Connect2id server keys (this includes keys stored in an HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips on how to manage the certificates' validity time windows and key rotation.

There is more information about the resolved issues in the notes below.

The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as backend database will be removed.

Download 13.4.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 70515364029ad787d9f451d806386ad5529243390c635747a4813b4cca42fa6e

Connect2id server 13.4.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: faae7f3518ced76fd89928e1d0cd9d9ea1cdbbf5e9347436f9ced6721de6b11a

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 453918111bffc3e0565ae892acd6abdabc54137bdf33b9aa841d582baa1a89e9

Connect2id server 13.4.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9b6560b3b85c2360a208fd1ddc1867f58434d71435dd64955886d58e23999d59

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.4.1 (2023-02-09)

Resolved issues

  • The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL (issue server/825).

  • Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).

  • When dealing with X.509 certificate based JWKs, the signing JWK feeder should bias the key selection to pick the key with the farthest certificate expiration date. This ensures optimal roll-over of RSA and EC signing JWKs with an X.509 certificate (issue jwk-set-loader/5).

  • Fixes the SE2000 error log message on failing to find a signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes). The message must apply to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.30.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2

Connect2id server 13.4 supports Java 17, redirect_uri templates

The Connect2id server can now be deployed with a Java 11 or 17 runtime.

Java 17, the most recent long-term support (LTS) release, was made available in September 2021. With this Connect2id server update you have the choice to switch to the newer Java 17 runtime, as support for the free OpenJDK 11 version is going to end in October 2024 (longer paid support options are offered by Oracle and others).

Several cryptography related parts of the Connect2id server were updated for the Java 17 runtime where the secp256k1 elliptic curve for JWS is no longer available in the default Java 17 JCA provider. This curve is an alternative to the P-256 curve and is used where clients are registered for the ES256K JWS algorithm to secure ID tokens, UserInfo JWTs, JARs or JARMs. Whenever secp256k1 operations are needed the Connect2id server will use the alternative open source JCA provider developed by BouncyCastle.

The byte code and Java API use of the Connect2id server will remain Java 11 compatible at least until September 2023.

This release also adds a special new feature to enable OpenID Connect providers and OAuth 2.0 servers to use redirect_uri templates. Such templates can help in cases where a client may require a large number of redirection URIs for which individual registration would be impractical.

You can find additional information about this release in the notes below.

Download 13.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: ef7b160197e3fcc575b2d0224c3ed8ba7416c2822f9d3e4611a6105d2f73d7fe

Connect2id server 13.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e36671174ce53d2fe1b1d96b52d33368c95f1c08d52383da8ffcb17c738504cf

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e

Connect2id server 13.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.4 (2023-01-30)

Summary

  • Updates the Connect2id server to support the Java 17 runtime.

    Due to the secp256k1 elliptic curve no longer being available in the default Java Cryptography Architecture (JCA) provider the Connect2id server will use the alternative open source BouncyCastle JCA provider for the ES256K (secp256k1 curve) JWS algorithm when it's used to secure ID tokens, UserInfo JWTs, request objects (JAR), authorisation responses (JARM) or self-contained (JWT) access tokens.

    The Java 11 runtime support remains.

  • Adds support for registering OAuth 2.0 clients with redirect_uri templates, to enable Connect2id server deployments to set the redirection URI at the time when the authorisation request is processed.

    This can facilitate scenarios where the exact redirect_uri is not known at the time of client registration or where a client may require a multitude of redirection URIs that conform to a certain pattern. The redirect_uri templates apply to authorisation requests as well as pushed authorisation requests (PAR).

    Example template where the [param] is a placeholder for a parameter to be set when the Connect2id server processes the authorisation request:

    urn:c2id:redirect_uri_template:https://[param].example.com/login-callback

Web API

  • /clients/

    • Supports registration of OAuth 2.0 web and native clients with templates in the redirect_uris parameter. The template is a URN with format urn:c2id:redirect_uri_template:[URI], where URI is the final redirection URI which must contain a single [param] placeholder. The [param] placeholder will be set by the Connect2id server when it processes authorisation requests from the client.

  • /authz-sessions/rest/v3/

    • Adds an optional redirect_uri_template_param parameter of type string to the authorisation session start request object. Used to set the [param] in a redirect_uri of an authorisation request where the URI is a template. The template URI must be registered just as any regular redirection URI in the client's record under the redirect_uris field.

      The [param] setting will apply to all authorisation requests, including JAR and PAR.

      If the Connect2id server doesn't set the [param] for some reason, the redirect_uri will remain unchanged, which will later cause the redirection to fail because of the URN scheme.
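The template handling described above, modelled as an added example (this is illustrative Python, not the Connect2id server's code): registration-time validation of a urn:c2id:redirect_uri_template: entry, substitution of redirect_uri_template_param at authorisation time, and the unchanged-URN failure mode when no parameter is set. The whitelist of characters allowed in the parameter is this example's own assumption, added so a substituted value cannot change the authority or path of the final URI.

```python
"""Redirect URI templates: urn:c2id:redirect_uri_template:<URI with exactly one [param]>.
Illustrative model of the resolution step, not the Connect2id server's implementation."""
import re
from typing import Optional
from urllib.parse import urlsplit

TEMPLATE_PREFIX = "urn:c2id:redirect_uri_template:"
PLACEHOLDER = "[param]"
# Assumption (not from the release notes): the substituted value is limited to
# RFC 3986 unreserved characters, so it cannot introduce '/', '?', '#', '@' or ':'
# and thereby alter the authority or path of the registered template.
PARAM_RE = re.compile(r"[A-Za-z0-9._~-]+")


def is_template(redirect_uri: str) -> bool:
    return redirect_uri.startswith(TEMPLATE_PREFIX)


def template_error(redirect_uri: str) -> Optional[str]:
    """Registration-time check of a redirect_uris entry. Returns None when acceptable."""
    if not is_template(redirect_uri):
        return None  # a regular redirect_uri; the usual rules apply
    inner = redirect_uri[len(TEMPLATE_PREFIX):]
    if inner.count(PLACEHOLDER) != 1:
        return "template must contain exactly one [param] placeholder"
    # Parse with a dummy value: the literal brackets are not valid in a URI authority.
    probe = urlsplit(inner.replace(PLACEHOLDER, "x"))
    if not probe.scheme or not probe.netloc:
        return "template must be an absolute URI with a scheme and authority"
    return None


def resolve_redirect_uri(registered_uri: str, template_param: Optional[str]) -> str:
    """Model of the authorisation session start: substitute redirect_uri_template_param
    into a registered template. Plain URIs pass through unchanged. A template with no
    parameter is returned as-is, so a later browser redirect to the URN fails."""
    if not is_template(registered_uri):
        return registered_uri
    err = template_error(registered_uri)
    if err:
        raise ValueError(err)
    if template_param is None:
        return registered_uri  # unchanged URN: the redirection will fail later
    if not PARAM_RE.fullmatch(template_param):
        raise ValueError("redirect_uri_template_param contains reserved URI characters")
    return registered_uri[len(TEMPLATE_PREFIX):].replace(PLACEHOLDER, template_param)


def resolves(registered_uri: str, template_param: Optional[str]) -> bool:
    """True when resolution yields a usable (non-URN) redirection URI."""
    try:
        return not resolve_redirect_uri(registered_uri, template_param).startswith("urn:")
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the template from the release notes, resolved for one tenant.
    template = TEMPLATE_PREFIX + "https://[param].example.com/login-callback"
    print(resolve_redirect_uri(template, "tenant-a"))
    print(resolve_redirect_uri(template, None))  # unchanged URN
```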

Dependency changes

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.30

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.26.2

  • Updates to com.nimbusds:oauth2-authz-store:19.5

The OAuth 2.0 token exchange in Connect2id server 13.3 supports refresh token and ID token issue

Connect2id server deployments with OAuth 2.0 token exchange (RFC 8693) will now be able to issue refresh tokens and ID tokens. Previously the token exchange plugin interface (SPI) could only specify access token issue. The persistence of the token exchange authorisation can now also be controlled by setting its long-lived flag. When a refresh token is issued, this flag also determines its encoding: persisted (long-lived set to true) or a stateless encrypted JWT (long-lived set to false).

This token exchange upgrade makes it possible for Connect2id server deployments to experiment with the new OpenID Connect draft specification for native single sign-on (SSO) for Android, iOS and desktop applications. Built-in support for native SSO is now on the Connect2id server roadmap and will appear once the spec has become stable.

The new token exchange plugin capabilities can also be useful in other scenarios where a client needs to exchange a token of some kind (opaque or JWT) for a local Connect2id server issued access / refresh / ID token.

This release fixes two issues:

  • If you have clients using symmetrically encrypted ID tokens or UserInfo (by means of deriving a shared AES key from the client_secret) upgrading is strongly recommended, to ensure interoperability and correctness of the key derivation. The key derivation suffered from a poorly worded specification in OpenID Connect Core 1.0, addressed in a recent errata. The security of the encryption was never compromised, but depending on how the original spec was interpreted the decryption of JWE objects can unexpectedly fail with a different client library or OpenID Connect server.

    The key derivation issue was also fixed in v10.5.1 of the open source OAuth 2.0 / OpenID Connect SDK we maintain.

  • If you have a deployment with OpenID Connect Federation 1.0 upgrading is also suggested, so you can read the registrations of automatic clients via the clients API without entity URL encoding issues.

There is more information in the release notes.

Download 13.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: b503e2a247bb7bbe224f3f6ed3b7f0f27930edb50b501b1931ecc45173c99705

Connect2id server 13.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d10fccf8fb49a5095ce7a387728ecdebe0023c6fd2411f264567c25741296a49

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: cce4e3dad989af9db16fca3ec8e731be913066ce59f41a099e5f0e9e47cc5197

Connect2id server 13.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: bf5f9b7a7fa6a3d80fde32c3405fdfbb61d8d8095b9bd4d71703cc84fbe42377

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

13.3 (2023-01-23)

Summary

  • Token exchange (RFC 8693) plugins can now optionally specify the issue of a refresh token and ID token (in addition to the access token) when authorising a request received via the TokenExchangeGrantHandler SPI. The plugin can also flag the authorisation as long-lived (persisted), to cause the granted scope values and other attributes to be remembered for the subject and the requesting client. This also enables control of the refresh token encoding (if issued) - persisted or stateless.

  • Resource owner password credentials grant plugins can now specify the issue of stateless (JWT-encoded) refresh tokens. Previously only persisted refresh tokens could be issued.

  • Updates the plugin for handling OAuth 2.0 grants at an external web service (web hook) to support token exchange (RFC 8693) authorisations for refresh token and ID token issue.

Web API

  • /token

    • Adds support for refresh token and ID token issue for an OAuth 2.0 token exchange grant (RFC 8693).

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.52

    • The TokenExchangeAuthorization class is updated to support optional persistence of the authorisation (with the long-lived flag), issue of a refresh token (stateless or persisted) and issue of an ID token.

    • The PasswordGrantAuthorization class is updated to support issue of a stateless refresh token when the long-lived authorisation flag is set to false. Previously only persisted refresh tokens could be issued, and only when the long-lived authorisation flag was set to true.

Resolved issues

  • The AES key from client_secret derivation for shared JSON Web Encryption (JWE) of ID tokens, UserInfo responses and other objects must remove the right-most bits, not the left-most. See OpenID Connect Core 1.0 errata 2020-07-24 (issue oidc-sdk/412).

  • The clients web API GET by client_id must handle client identifiers that are OpenID Connect Federation 1.0 entity IDs (and URLs in general) seamlessly (issue server/824).
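The client_secret key derivation issue described in the 13.3 announcement and in the oidc-sdk/412 entry above, as an added example (illustrative Python, not the Connect2id server's or the Nimbus SDK's code): the corrected derivation keeps the left-most bits of the SHA-2 digest (dropping the right-most), while the pre-errata reading kept the right-most bits. The example assumes the SHA-256 digest for 128- and 256-bit keys; the hash-to-key-size mapping for other sizes is not stated on this page and is left out.

```python
"""Deriving a symmetric JWE key from an OpenID Connect client_secret
(OpenID Connect Core 1.0 section 10.2, as clarified by the 2020-07-24 errata).
Illustrative code; assumes SHA-256 as the digest for 128- and 256-bit keys."""
import hashlib

SUPPORTED_KEY_BITS = (128, 256)  # assumption: sizes served by a SHA-256 digest


def _sha256(client_secret: str) -> bytes:
    """Hash the UTF-8 octets of the client_secret, as the spec requires."""
    return hashlib.sha256(client_secret.encode("utf-8")).digest()


def derive_key_spec(client_secret: str, key_bits: int) -> bytes:
    """Corrected derivation: truncate by removing the RIGHT-most bits,
    i.e. keep the left-most key_bits of the digest."""
    if key_bits not in SUPPORTED_KEY_BITS:
        raise ValueError("example only models SHA-256 derived key sizes")
    return _sha256(client_secret)[: key_bits // 8]


def derive_key_legacy(client_secret: str, key_bits: int) -> bytes:
    """Pre-errata misreading (the bug fixed in 13.3): removes the LEFT-most bits,
    keeping the right-most key_bits of the digest."""
    if key_bits not in SUPPORTED_KEY_BITS:
        raise ValueError("example only models SHA-256 derived key sizes")
    digest = _sha256(client_secret)
    return digest[len(digest) - key_bits // 8 :]


def interop_matches(client_secret: str, key_bits: int) -> bool:
    """True when both readings yield the same key. They agree only when no
    truncation happens (256-bit key from a 256-bit digest); for 128-bit keys a
    peer using the other reading derives a different key, so JWE decryption
    fails with an integrity error rather than yielding wrong plaintext."""
    return derive_key_spec(client_secret, key_bits) == derive_key_legacy(client_secret, key_bits)


if __name__ == "__main__":
    # Constructed sample secret; real client secrets are high-entropy random strings.
    secret = "constructed-sample-client-secret"
    for bits in SUPPORTED_KEY_BITS:
        print(bits, derive_key_spec(secret, bits).hex(), interop_matches(secret, bits))
```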

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.52

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.5.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.29

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.4