Connect2id server 2.3

2014-11-13

There's nothing fancy in the new 2.3 release of the Connect2id server, just a bunch of incremental improvements to provide for a more solid SSO, IdP and authorisation service, based on the standard OAuth 2.0 / OpenID Connect protocol stack.

1. Safer configuration

The Connect2id server configuration used to have properties that were given sensible default values when they were undefined or commented out. While convenient, this made it hard to detect mistyped property keys: the default would silently kick in and mask the configuration error. To address this, from now on all configuration properties must be defined explicitly, and the server will refuse to start otherwise.

Other changes to make server configuration safer:

  • JWT-encoded access tokens can no longer be configured to include the end-user's session ID as a claim; exposing the session ID in a token that leaves the server is a potential security risk, so the option is no longer supported.

  • Added more checks to guard against potential misconfiguration.
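To make the masking problem concrete, here is an added example (not Connect2id code; the property keys op.issuer and op.token.lifetime and the default value are hypothetical) that contrasts the old lenient behaviour with a fail-closed loader for a Java-style .properties file. With defaults in place, a one-character typo in a key silently yields the default; the strict loader reports both the unknown key and the missing one, which is also what catches commented-out properties after an upgrade.

```python
# Constructed example: a fail-closed loader for Java-style .properties text.
# The property keys and default below are hypothetical, not Connect2id's real settings.
REQUIRED_KEYS = {"op.issuer", "op.token.lifetime"}
LEGACY_DEFAULTS = {"op.token.lifetime": "600"}  # what the old behaviour would silently supply


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; '#' and '!' start comment lines, as in java.util.Properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_lenient(text: str) -> dict:
    """Old behaviour: missing keys fall back to defaults, unknown keys are ignored."""
    effective = dict(LEGACY_DEFAULTS)
    effective.update({k: v for k, v in parse_properties(text).items() if k in REQUIRED_KEYS})
    return effective


def load_strict(text: str) -> dict:
    """New behaviour: every required key must be present and every key must be known."""
    props = parse_properties(text)
    missing = sorted(REQUIRED_KEYS - props.keys())
    unknown = sorted(props.keys() - REQUIRED_KEYS)
    if missing or unknown:
        raise ValueError(f"configuration error; missing keys: {missing}; unknown keys: {unknown}")
    return props


# Constructed sample configs: one with a typo in a key, one corrected.
TYPO_CONFIG = """\
op.issuer = https://c2id.com
# one character off: 'lifetim' instead of 'lifetime'
op.token.lifetim = 60
"""
FIXED_CONFIG = """\
op.issuer = https://c2id.com
op.token.lifetime = 60
"""

if __name__ == "__main__":
    print("lenient:", load_lenient(TYPO_CONFIG))  # lifetime silently becomes the default
    try:
        load_strict(TYPO_CONFIG)
    except ValueError as e:
        print("strict:", e)
    print("strict (fixed):", load_strict(FIXED_CONFIG))
```

The lenient loader returns a lifetime of 600 for the mistyped file as if nothing were wrong; the strict loader names both op.token.lifetim (unknown) and op.token.lifetime (missing), so the operator sees the typo before the server runs with a value they never chose.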

2. You can register clients with preset ID's

When new OAuth 2.0 / OpenID Connect clients are registered they are automatically given a randomly generated client_id. You now also have the option to preset the client identifier at registration time.

This feature was actually added in version 2.2 on customer request, but had not been announced here until now.

3. Infinispan 7

The Connect2id server has been upgraded to Infinispan 7, the latest release of the library used for clustered in-memory storage and caching. Among other things it adds support for handling partitioned (split-brain) clusters. We still have to evaluate whether this new feature applies to the data model of the Connect2id server, which is optimised for availability, with data consistency being less of an issue.

Please also note that Infinispan 7 comes with a brand new XML configuration format. While this may sound scary, migrating your existing config to the new format is relatively easy. Contact our support if you need assistance with that.

4. Other changes

The following components have also been upgraded:

Upgrading from 2.1 or later

How to upgrade to the new 2.3 release:

  1. Save / backup your existing Connect2id server configurations in webapps/c2id/WEB-INF.

  2. Undeploy your existing c2id instance, e.g. from the Tomcat management panel.

  3. Deploy the new c2id.war onto your web server, which you can extract from the download package.

  4. Restore your previous configuration files, then uncomment all properties that used to rely on default values and give each an explicit value (see point 1). Also, make sure you migrate your existing Infinispan settings to the new XML format.

  5. Restart the c2id instance.

Ready to try out the new Connect2id server?

Proceed to the download section to get the latest package. Should you have any questions, get in touch with us. We'll be delighted to hear from you :-)

OpenID Connect logout

2014-11-10

The new 4.7 release of the OAuth 2.0 / OpenID Connect SDK adds support for making logout requests, as specified in section 5 of the OpenID Connect Session Management 1.0 document (draft 22).

Note that relying-party initiated logout is optional and will not work unless the OpenID Connect provider supports it. This is typically advertised in the JSON metadata that the IdP server publishes at its discovery endpoint (the end_session_endpoint entry).

The logout request serves two purposes:

  • To notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application).

  • To let the OpenID Connect provider ask the end-user whether they want to log out of the provider as well.

Logout works by directing the user's browser to the end-session endpoint of the OpenID Connect provider, with the logout request parameters encoded in the URL query string.

The identity of the user to log out is specified by their ID token (obtained at login), passed in the id_token_hint parameter.

For example:

https://c2id.com/logout?id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJpc3Mi...

The relying party may also specify a post-logout redirection URI, which must have been registered with the provider beforehand (see the client registration spec for more details), together with an optional state parameter that the provider passes back unchanged on redirection:

https://c2id.com/logout?id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJpc3Mi...
&post_logout_redirect_uri=https%3A%2F%2Fclient.example.org%2Fpost-logout
&state=af0ifjsldkj

To construct a simple logout request with the SDK:

import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

// The end-session endpoint
URI endSessionEndpoint = new URI("https://c2id.com/logout");

// The previously obtained ID token for the end-user
JWT idToken = ...

// Create logout request
LogoutRequest logoutRequest = new LogoutRequest(endSessionEndpoint, idToken);

// Compose URI
URI logoutURI = logoutRequest.toURI();

// Send browser to logout URI...

To construct a logout request with a post-logout redirection (and no state):

import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

// The end-session endpoint
URI endSessionEndpoint = new URI("https://c2id.com/logout");

// The previously obtained ID token for the end-user
JWT idToken = ...

// The post-logout redirection URL
URI postLogoutTarget = new URI("https://client.example.com/login");

// Create logout request
LogoutRequest logoutRequest = new LogoutRequest(endSessionEndpoint, idToken, postLogoutTarget, null);

// Compose URI
URI logoutURI = logoutRequest.toURI();

// Send browser to logout URI...
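The SDK snippets above cover the relying-party side only. The following added example (not part of the original post or the SDK; the client registration, the HMAC key standing in for the provider's RS256 signing key, and the sample subject are constructed) walks through the full exchange: the RP builds the end-session URL with the query parameters shown earlier, and the provider validates the id_token_hint and checks post_logout_redirect_uri by exact match against the client's registration before sending the browser on with state. The two rejection cases a practitioner cares about are included: a forged hint and an unregistered redirection target, which would otherwise turn the end-session endpoint into an open redirector.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the HMAC key stands in for the provider's RS256 signing key
# so the example runs offline; the client registration is hypothetical.
OP_KEY = b"constructed-provider-key"
ISSUER = "https://c2id.com"
END_SESSION_ENDPOINT = ISSUER + "/logout"
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"post_logout_redirect_uris": ["https://client.example.org/post-logout"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject: str, client_id: str) -> str:
    """Provider side at login: issue a minimal ID token (iss, sub, aud) for the client."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": subject, "aud": client_id}).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def build_logout_uri(id_token: str, post_logout_redirect_uri: str = None, state: str = None) -> str:
    """Relying-party side: the end-session URL the browser is sent to."""
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state is not None:
        params["state"] = state
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


def verify_id_token(token: str):
    """Return the claims if alg, signature, issuer and audience check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        # Pin the algorithm: 'alg: none' or a foreign algorithm is rejected outright.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    # aud is kept to a single client_id string in this constructed token.
    if claims.get("iss") != ISSUER or not isinstance(claims.get("aud"), str):
        return None
    return claims


def handle_logout_request(uri: str):
    """Provider side: validate a logout request and return (subject, redirect URI or None).
    Raises ValueError on a bad hint or an unregistered post_logout_redirect_uri."""
    query = parse_qs(urlparse(uri).query)
    hint = query.get("id_token_hint", [None])[0]
    claims = verify_id_token(hint) if hint else None
    if claims is None:
        raise ValueError("missing or invalid id_token_hint")
    target = query.get("post_logout_redirect_uri", [None])[0]
    if target is None:
        return claims["sub"], None
    # Exact string match against the client's registration: no prefix or wildcard
    # matching, otherwise the end-session endpoint becomes an open redirector.
    registered = REGISTERED_CLIENTS.get(claims["aud"], {}).get("post_logout_redirect_uris", [])
    if target not in registered:
        raise ValueError("post_logout_redirect_uri is not registered for client " + claims["aud"])
    state = query.get("state", [None])[0]
    redirect = target if state is None else target + "?" + urlencode({"state": state})
    return claims["sub"], redirect


if __name__ == "__main__":
    token = mint_id_token("alice", "s6BhdRkqt3")
    uri = build_logout_uri(token, "https://client.example.org/post-logout", "af0ifjsldkj")
    print(uri)
    print(handle_logout_request(uri))
```

Two design points carry over to a real deployment: the provider should not rely on the hint alone but also on its own session cookie when deciding whose session to end, and the registered-URI comparison must stay an exact match, since a client that can steer the post-logout redirect anywhere gets a trusted-domain open redirect.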

Now that support for logout has been added to the OpenID Connect SDK the Connect2id server will follow suit in one of its next releases.

To get the JAR for version 4.7 of the OpenID Connect SDK proceed to the download page.

If you're using Maven for your project:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>4.7</version>
</dependency>

Drop us a comment below or alternatively write to support should you have any questions about logout usage or OpenID Connect in general. We'll be glad to help you out.

Published complete OAuth 2.0 / OpenID Connect endpoint reference

2014-10-28

Today we published a complete API reference for the standard OAuth 2.0 / OpenID Connect endpoints provided by the Connect2id server.

Client application developers should now have an easier job integrating the Connect2id server into their login / SSO and authorisation flows. The reference comes with examples and further pointers to the underlying IETF and OpenID specifications.

The following endpoints are covered:

  • Server discovery -- enables discovery of the OAuth 2.0 / OpenID Connect endpoint URLs, supported authentication methods and other features.

  • Server JWK set -- for retrieval of the server's public JSON Web Key (JWK) set, required to verify the signatures of issued ID and access tokens.

  • Client registration -- to register new client applications with the server, and to access, update and delete existing registrations.

  • Authorisation -- the endpoint where the browser is sent to request the end-user's authentication and authorisation. It is used in the code and implicit OAuth 2.0 flows, which require end-user interaction.

  • Token -- to post an OAuth 2.0 grant (code, refresh token, resource owner password credentials, client credentials) and obtain an ID and / or access token.

  • Token revocation -- to revoke an obtained access or refresh token.

  • UserInfo -- protected OpenID Connect resource, enables retrieval of profile information and other attributes for a logged-in end-user.