There's nothing fancy in the new 2.3 release of the Connect2id server, just a bunch of incremental improvements to provide for a more solid SSO, IdP and authorisation service, based on the standard OAuth 2.0 / OpenID Connect protocol stack.
1. Safer configuration
The Connect2id server configuration used to have properties that were given sensible default values in case they were undefined or commented out. While convenient, this makes it hard to detect mistyped property keys, because the default value would then kick in and mask the configuration error. To address this, from now on all configuration properties must be defined explicitly.
Other changes to make server configuration safer:
- JWT-encoded access tokens can no longer be configured to include the end-user session ID as a claim; this can be a potential security risk and is no longer supported.
- Added more checks to guard against potential misconfiguration.
2. You can register clients with preset IDs
When new OAuth 2.0 / OpenID Connect clients are registered they are automatically given a randomly generated client_id. You now also have the option to preset the client_id.
This feature was actually added in version 2.2 on customer request, but has not been announced here yet.
3. Infinispan 7
The Connect2id server has been upgraded to the latest release of Infinispan, version 7, which is used for clustered in-memory storage and caching. Among other things it adds support for handling partitioned (split-brain) clusters. We still have to evaluate whether this new feature applies to the data model of the Connect2id server, which is optimised for availability, with data consistency being less of an issue.
Please also note that Infinispan 7 comes with a brand new XML configuration. While this may sound scary, migrating your existing config to the new format is relatively easy. Contact our support if you need assistance with that.
4. Other changes
The following components have also been upgraded:
- Version 3.2.2 of the Nimbus JOSE+JWT toolkit.
- Version 4.7.1 of the OAuth 2.0 / OpenID Connect toolkit.
- Version 2.0.6 of the Connect2id server toolkit.
Upgrading from 2.1 or later
How to upgrade to the new 2.3 release:
- Save / backup your existing Connect2id server configurations in
- Undeploy your existing c2id instance, e.g. from the Tomcat management panel.
- Deploy the new c2id.war onto your web server, which you can extract from the download package.
- Restore your previous configuration files, then remove the comments from all properties that used to have default values (see point 1). Also, make sure you migrate your existing Infinispan settings to the new format.
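Point 1 above (no more implicit defaults, so a mistyped key becomes an error instead of being silently masked) and the last upgrade step (uncomment every property that used to rely on a default) both come down to the same two checks on a .properties file. The following is an added example in Python, not Connect2id code: a strict loader that rejects undefined required keys and unknown keys, beside the old lenient behaviour for contrast, plus a helper that lists commented-out properties in a restored configuration. The property names, the required-key list and the sample config are constructed placeholders, not the server's real keys.

```python
"""
Strict .properties loading (added example, not Connect2id code).

- parse_properties: Java-style key=value / key:value lines, comments with # or !
- load_strict: every required key must be defined, no unknown keys allowed
- lenient_load: the old behaviour, which fills defaults and hides typos
- commented_out_properties: keys that only appear as commented-out lines
"""
import re

# Hypothetical required keys; a real server publishes its own list.
REQUIRED_KEYS = frozenset({
    "op.issuer",
    "op.authz.endpoint",
    "op.token.lifetime",
})

_PROP_RE = re.compile(r"^\s*([^=:#!\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")
_COMMENTED_PROP_RE = re.compile(r"^\s*[#!]\s*([A-Za-z0-9_.\-]+)\s*[=:]")


def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments.
    Duplicate keys raise, so a line pasted twice is caught as well."""
    props = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key=value line: {line!r}")
        key, value = m.group(1), m.group(2)
        if key in props:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        props[key] = value
    return props


def load_strict(text, required=REQUIRED_KEYS):
    """Return the properties only if every required key is defined and no
    unknown key is present; an unknown key is the typo signal that
    default-filling used to mask."""
    props = parse_properties(text)
    missing = sorted(required - props.keys())
    unknown = sorted(props.keys() - required)
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    return props


def lenient_load(text, required=REQUIRED_KEYS, default="<default>"):
    """The old behaviour for contrast: fill defaults, ignore extra keys."""
    props = parse_properties(text)
    return {k: props.get(k, default) for k in required}


def commented_out_properties(text):
    """Keys that appear only as commented-out lines such as '# key = value':
    the candidates to uncomment after moving to a no-defaults configuration."""
    defined = parse_properties(text).keys()
    found = []
    for line in text.splitlines():
        m = _COMMENTED_PROP_RE.match(line)
        if m and m.group(1) not in defined and m.group(1) not in found:
            found.append(m.group(1))
    return found


# Constructed sample: one key mistyped (lifetme), one still commented out.
SAMPLE_CONFIG = """\
# constructed sample, not a real Connect2id configuration
op.issuer = https://c2id.example.com
op.authz.endpoint = https://c2id.example.com/login
# op.token.lifetime = 600
op.token.lifetme = 600
"""

if __name__ == "__main__":
    print("commented out:", commented_out_properties(SAMPLE_CONFIG))
    print("lenient:", lenient_load(SAMPLE_CONFIG))  # the typo goes unnoticed
    try:
        load_strict(SAMPLE_CONFIG)
    except ValueError as e:
        print("strict loader rejected the config:", e)
```

Running the module shows the contrast: the lenient loader happily returns a default for op.token.lifetime while the mistyped op.token.lifetme is ignored, whereas the strict loader reports both the missing key and the unknown one. Running commented_out_properties over a restored config before deploying gives the list of lines to uncomment.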
Ready to try out the new Connect2id server?
Note that relying-party initiated logout is optional and will not work unless the OpenID Connect provider supports it. This is typically advertised in the JSON metadata that the IdP server publishes at its discovery endpoint.
The logout request serves two purposes:
- To notify the OpenID Connect provider that the end-user has logged out of the relying party site (the client application).
- The OpenID Connect provider should also ask the end-user whether they want to log out of the provider as well.
Logout works by directing the user's browser to the end-session endpoint of the OpenID Connect provider, with the logout request parameters encoded in the URL query string.
The identity of the user to log out is specified by their ID token (obtained at login), set in the id_token_hint parameter. The relying party may also specify a post-logout redirection URI (which must have been registered, see the client registration spec for more details) with the post_logout_redirect_uri parameter, together with an optional state parameter, for example:
https://c2id.com/logout?id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJpc3Mi...
  &post_logout_redirect_uri=https%3A%2F%2Fclient.example.org%2Fpost-logout
  &state=af0ifjsldkj
To construct a simple logout request with the SDK:
import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

// The end-session endpoint
URI endSessionEndpoint = new URI("https://c2id.com/logout");

// The previously obtained ID token for the end-user
JWT idToken = ...

// Create logout request
LogoutRequest logoutRequest = new LogoutRequest(endSessionEndpoint, idToken);

// Compose URI
URI logoutURI = logoutRequest.toURI();

// Send browser to logout URI...
To construct a logout request with a post-logout redirection (and no state):
import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.openid.connect.sdk.LogoutRequest;

// The end-session endpoint
URI endSessionEndpoint = new URI("https://c2id.com/logout");

// The previously obtained ID token for the end-user
JWT idToken = ...

// The post-logout redirection URL
URI postLogoutTarget = new URI("https://client.example.com/login");

// Create logout request (no state)
LogoutRequest logoutRequest = new LogoutRequest(endSessionEndpoint, idToken, postLogoutTarget, null);

// Compose URI
URI logoutURI = logoutRequest.toURI();

// Send browser to logout URI...
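The SDK's LogoutRequest hides what actually travels in the URL and what the provider has to check on receipt. The following added example, written in Python rather than with the Nimbus SDK and not part of the original post, shows both sides of the exchange described above: the relying party composes the end-session URL with id_token_hint, post_logout_redirect_uri and state, and the provider parses it, reads the subject and client from the ID token hint, and only honours the post-logout redirection if that exact URI was registered for the client, appending state to it. The endpoint host, the client registration table, the claims and the unsigned token shape are constructed for the example; a real provider verifies the ID token signature against its JWK set before trusting any claim.

```python
"""
RP-initiated logout, both sides (added example, not Connect2id/Nimbus code).
"""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

END_SESSION_ENDPOINT = "https://c2id.example.com/logout"  # hypothetical OP

# Post-logout redirection URIs registered per client (constructed table).
REGISTERED_POST_LOGOUT_URIS = {
    "s6BhdRkqt3": ["https://client.example.org/post-logout"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims: dict) -> str:
    """Constructed header.payload.signature token; the signature is a
    placeholder because this example only inspects the claims."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.SIGNATURE"


def build_logout_uri(id_token: str, post_logout_redirect_uri=None, state=None) -> str:
    """Relying-party side: compose the end-session request URL."""
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state:
        params["state"] = state
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def decode_claims(jwt: str) -> dict:
    """Read the JWS payload without verifying it (verification is assumed
    to happen before this in a real provider)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def handle_logout_request(uri: str) -> dict:
    """Provider side: identify the session subject and the client from the
    hint, then allow post_logout_redirect_uri only if it exactly matches
    a URI registered for that client. Returns what the provider would act on."""
    query = parse_qs(urlsplit(uri).query)
    hint = query.get("id_token_hint", [None])[0]
    if not hint:
        raise ValueError("missing id_token_hint")
    claims = decode_claims(hint)
    client_id = claims["aud"]  # constructed tokens carry a single audience
    result = {"sub": claims["sub"], "client_id": client_id, "redirect": None}

    target = query.get("post_logout_redirect_uri", [None])[0]
    if target:
        if target not in REGISTERED_POST_LOGOUT_URIS.get(client_id, []):
            raise ValueError("post_logout_redirect_uri not registered for client")
        state = query.get("state", [None])[0]
        if state:
            parts = urlsplit(target)
            extra = urlencode({"state": state})
            merged = f"{parts.query}&{extra}" if parts.query else extra
            target = urlunsplit(parts._replace(query=merged))
        result["redirect"] = target
    return result


if __name__ == "__main__":
    token = make_sample_id_token(
        {"iss": "https://c2id.example.com", "sub": "alice", "aud": "s6BhdRkqt3"})
    uri = build_logout_uri(token, "https://client.example.org/post-logout", "af0ifjsldkj")
    print(uri)
    print(handle_logout_request(uri))
```

The exact-match rule is the point of "must have been registered": a prefix or substring comparison would let an unregistered host receive the user after logout, so the provider compares the whole string against its registration table and refuses anything else.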
To get the JAR for version 4.7 of the OpenID Connect SDK proceed to the download page.
If you're using Maven for your project:
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>4.7</version>
</dependency>
Drop us a comment below or alternatively write to support should you have any questions about logout usage or OpenID Connect in general. We'll be glad to help you out.
Client application developers should now have an easier job integrating the Connect2id server into their login / SSO and authorisation flows. The reference comes with examples and further pointers to the underlying IETF and OpenID specifications.
The following endpoints are covered:
- Server discovery -- enables discovery of the OAuth 2.0 / OpenID Connect endpoint URLs, supported authentication methods and other features.
- Server JWK set -- for retrieval of the public server JSON Web Key (JWK) required to verify the authenticity of issued ID and access tokens.
- Client registration -- to register new client applications with the server, and to access, update and delete existing registrations.
- Authorisation -- the endpoint where the browser is sent to request the end-user's authentication and authorisation. This endpoint is used in the code and implicit OAuth 2.0 flows which require end-user interaction.
- Token -- to post an OAuth 2.0 grant (code, refresh token, resource owner password credentials, client credentials) to obtain an ID and / or access token.
- Token revocation -- to revoke an obtained access or refresh token.
- UserInfo -- protected OpenID Connect resource, enables retrieval of profile information and other attributes for a logged-in end-user.