Connect2id server 12.0 supports issue of access tokens with pairwise subjects

This new major release of the Connect2id server brings an almost total rework of the system for pairwise subject identifiers. Those are essential in preventing leakage of identity information via end-user identifiers in the issued tokens and UserInfo responses, by encrypting any data in them and making correlation based on their values very difficult.

The changes and new features:

  1. Access tokens can now also be minted with a pairwise sub (linked to the token audience).

  2. OpenID provider managed sector ID URNs, for deployments that seek tight control over the sector IDs. The use of URNs also relieves relying parties from the need to host the sector JSON documents.

  3. Uniform length of the pairwise identifiers, to prevent information about the length of the local user ID from leaking. This is achieved by the introduction of a new configuration property to specify a padding of the IDs to some predetermined length.

    Note, if you choose to switch to uniform pairwise IDs this will invalidate (reset) all previously issued ones (by older Connect2id server versions). The release notes has a discussion on this, including how to disable padding to keep the old format.

The pairwise subject identifiers, how to configure and integrate them, is explained fully in our updated guide.

Another change in Connect2id server 12.0 is the ability to issue access and refresh tokens without a scope. This is intended for deployments that need to handle OAuth 2.0 Rich Authorisation Requests (RAR). This is currently possible via the custom token response plugin interface. A future release will bring native support.

The upgrade to Connect2id server 12.0 from an earlier version involves a change in the database schema to accomodate the new features. If you use an SQL database, such as MySQL or PostgreSQL, the Connect2id server at startup will automatically create new table columns where necessary. If you use an LDAP backend a manual schema update needs to be performed. Deployments with DynamoDB, it being effectively schema-less, don't necessitate any such changes.

The complete list of changes, bug fixes and database schema related instructions can be found in the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.0: Connect2id-server.zip

SHA-256: ca706e557e8beefa49ebab184be0a8f43b8f3ac78f44ac8a59d9d7f280e3b1e4

Connect2id server 12.0 WAR package: c2id.war

SHA-256: c208db9d559296df788c92d138cc0a132bb9a5739a7705b99dab334e19ab7b49

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.0: Connect2id-server-mt.zip

SHA-256: ca5b64c30e85dbcd39772dd89a9418373b0ff2a46db3f0127b293905b6f94eda

Connect2id server 12.0 WAR package: c2id-multi-tenant.war

SHA-256: 635d379bf910483c6c39f6cf7ff708102aa61b9a39777a82ba60e46ad643a6a3

Questions?

Contact Connect2id support.


Release notes

12.0 (2021-06-09)

Summary

  • Uniform pairwise subject IDs

    Adds support for issuing pairwise subject identifiers with a uniform string length which is not affected by the length of the local (system) subject identifiers. This measure is intended to prevent leaking information about the length of the local subject identifiers. Uniformity is configured with a new "op.pairwiseSubjects.padLocalSubjectsToLength" property. It specifies a length to which a local subject identifier will be padded before input to the pairwise codec (SIV mode deterministic AES encryption). For uniform pairwise subject lengths the property should be set to the maximum expected length of the local subjects. Subject IDs longer than the configured length will result in a pairwise encoding that is proportionally longer.

    Setting the property to -1 (negative integer) disables padding, which is the behaviour of the pairwise codec in previous Connect2id server versions.

    Example pairwise IDs for local subjects "alice", "bob" and "claire" with no padding:

    myzM-ARj7vYBH9NOIog9Sf5xklhU_rkLenu8mOtfLv6L Q20o2EYNsamhlOh2RbteNp7Te7AilmMPVk3cyhmCBA rNW4ByxEQd06rNCLLMvH2-d1WRumrJcSrmDGA6FlvtxeGw

    With padding up to 10 characters:

    pxXoRPqPpLy3fBbLNV22KRCghztrFMtGV3AxDnQH_erfB4dwZ_0 s10h_EEMtYHaNSZuMBznfvupKqC2mznkIGnmxRevffJGo4ybRrM uLfwVCpRUu1ltEeXqRt_Yik7SN5-yKabYwXan-xYCwgJlDZubSA

    Important: Changing the padding length will reset all previously issued pairwise subject identifiers!

    Configuration choices for "op.pairwiseSubjects.padLocalSubjectsToLength":

    • Configure a length to issue uniform pairwise subject IDs: if pairwise subjects have never been issued or to benefit from the new improved security. In the latter case don't forget to notify the relying parties of the reset!

    • No padding: to ensure backward compatibility if pairwise subjects have already been issued and a reset is not desirable. Also, if the local subjects have a uniform length, for example when based on a GUUID which has a constant length of 37 characters.

  • OpenID provider managed sector IDs

    Connect2id server deployments that need to issue ID tokens and UserInfo responses with pairwise (pseudonymous) subject (end-user) identifiers to two or more OpenID relying parties under single administrative control can now do so without requiring the relying parties to host a JSON document for the "sector_identifier_uri" client registration parameter. A single OpenID relying party can also choose to register a "sector_identifier_uri" to ensure the pairwise "sub" values in the received ID tokens and UserInfo responses remain consistent if its registered redirection URI changes in future. See OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1, section 5, for an explanation of the "sector_identifier_uri" parameter and its validation.

    For such relying parties an OpenID provider can now manage the sector IDs internally, in some a database or portal, by assigning unique sector ID URNs to them prior to registration. Those URNs will not get resolved and validated in the same way a standard https URL in the "sector_identifier_uri" parameter gets, by downloading a JSON document from the URL. Instead, the URN will be used to provide the sector ID directly. The expected URN format is urn:c2id:sector_id:<id> where <id> represents the sector ID assigned to a relying party or group of relying parties.

    To use this feature the new "op.reg.enableProviderManagedSectorIDs" configuration property must be turned on. The client registration POST or PUT request must be authorised with a master API token or one-time registration token with a "client-reg:set-sector-id-urn" scope value. Unauthorised requests (if open registration is allowed) cannot use sector ID URNs.

  • Access tokens with pairwise subjects

    The Connect2id server can now optionally issue access tokens with a subject (end-user) identifier made pairwise for the token's intended audience (resource server).

    Use tokens with a pairwise subject:

    • To keep the local (system) end-user ID confidential from the resource servers, as privacy measure, especially if the subject identifier represents or contains personal information, such as the user's email address or social security number.

    • To minimise the possibility for resource servers to link or correlate the identity of users. The pairwise identifier for a given subject (end-user) in an access token will be different, unique and not-reversible for each resource server (token audience).

    The Connect2id server computes the pairwise identifier for an access token by applying strong deterministic SIV AES based encryption over the concatenation of the token audience and the local subject identifier.

    pairwise_sub = SIVAES(aud|local_sub)

    The algorithm is identical to the one the Connect2id server uses to compute pairwise subject identifiers for ID tokens and UserInfo responses and uses the same "subject-encrypt" AES key from the configured server JWK set.

    JWT-encoded as well identifier-based access tokens are supported.

    Note, to issue access tokens with a pairwise subject the token authorisation must specify an explicit token audience for the intended resource server(s). If the audience is a list of multiple values the first one will be used to compute the pairwise subject. This enables the issue of tokens with a pairwise subject where there are multiple audiences as aliases specified, for example the resource indicator, e.g. "https://api.example.com", as primary audience and the resource server client ID, e.g. "Zoo0rah0", to enable token introspection at the Connect2id server endpoint with an audience restriction check on the client_id.

    Also note that access tokens with a pairwise subject that grant release of OpenID claims at the UserInfo endpoint, as only or additional scope, need not specify the UserInfo endpoint or the OpenID provider issuer URL as audience.

    If required for audit purposes a pairwise subject identifier can be decrypted (reversed) with the Connect2id server's configured "subject-encrypt" JSON Web Key (JWK). See https://bitbucket.org/connect2id/pairwise-subject-codec/ .

  • Allows issue of the access and refresh tokens without a scope, to ease handling of OAuth 2.0 Rich Authorisation Requests (RAR). See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-05

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.pairwiseSubjects.padLocalSubjectsToLength -- New configuration property to enable output of pairwise subject identifiers with a uniform string length which is not affected by the length of the local (system) subject identifier. Intended to prevent leaking information about the length of the local subject identifiers. Uniformity is achieved by padding local subject identifiers up to the specified length, which should be the maximum expected length of the local subjects. Subjects longer than the configured length will result in a pairwise encoding that is proportionally longer.

      -1 (negative integer) disables padding.

      Important note: Changing the padding length will reset all previously issued pairwise subject identifiers!

    • op.reg.enableProviderManagedSectorIDs -- New configuration property to enable registration of OpenID provider managed sector identifiers for the computation of pairwise subject (end-user) identifiers. A managed sector ID can be registered with the "sector_identifier_uri" set to a URN with the format urn:c2id:sector_id:<id>. The registration requires a master API token or a one-time registration token with a "client-reg:set-sector-id-urn" scope value. The default value is false (disabled).

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "ats" (access token subject type) columns to the "id_access_tokens" and "long_lived_authorizations" tables. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new columns (with an appropriate default value) on startup.
  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "authzAccessTokenSubjectType" attribute to the "oauth2IdAccessToken" and "oauth2Authz" object classes. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.17 see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.17/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/ src/main/resources/oidc-authz-schema-openldap.ldif?at=1.17 &diff1=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa &diff2=cdfdb912753b17a0fed7c08aa500be53cb767cd7 and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/ src/main/resources/oidc-authz-schema-opendj.ldif?at=1.17 &diff1=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa &diff2=cdfdb912753b17a0fed7c08aa500be53cb767cd7

Web API

  • /clients

    • Adds support for registering OpenID relying parties for pairwise subject identifiers where the "sector_identifier_uri" parameter is a URN for a sector ID that is managed by the OpenID provider. The expected URN format is urn:c2id:sector_id:<id>. The OpenID provider must manage the assignment of the URN sector IDs to relying parties prior to registration and ensure that the ID stays unique for a given OpenID relying party, unless the sector ID is allowed to be shared by two more relying parties, typically when those are under single administrative control. To register URN sector IDs the "op.reg.enableProviderManagedSectorIDs" configuration property must be enabled. The registration must be authorised with a master API token or a one-time registration token with a "client-reg:set-sector-id-urn" scope value.

    • Will return an "invalid_client_metadata" OAuth 2.0 error with a suitable description message when the client registration request is not authorised for a "preferred_client_id", "preferred_client_secret" or custom "data" parameter. Previously those parameters will be silently scrubbed from the registration request if not authorised (by means of the master API token or a specific one-time registration token).

  • /token

    • Supports issue of access tokens with a pairwise subject identifier encoded for the token audience as sector identifier. If the token has multiple audiences the first audience value in the list is taken as the sector identifier. Access tokens for releasing OpenID claims at the UserInfo endpoint that have pairwise subject need not include the UserInfo endpoint or the OpenID issuer URL in its audience.
  • /token/introspect

    • Supports introspection of access tokens with a pairwise subject identifier. The standard "sub" (subject) field will be set to the pairwise identifier.
  • /token/revoke

    • Supports revocation of access tokens with a pairwise subject identifier.
  • /userinfo

    • Supports access tokens with a pairwise subject identifier. Note, access tokens for OpenID claims that have a pairwise subject identifier need not include the UserInfo endpoint or the OpenID issuer URL in its audience.
  • /authz-sessions/rest/v3/

    • Consent prompt: Adds new optional "sub_type" member of type string with values "PUBLIC" (default) or "PAIRWISE" to the "access_token" JSON object. When set to "PAIRWISE" the Connect2id server will issue an access token with a pairwise subject identifier. This requires the consent to specify a token "audience" (if multiple audience values are set the first in the list will used to compute the pairwise identifier).

    • Consent: The consent can now specify an empty or null "scope" to enable handling of Rich Authorisation Requests (RAR). In this case the issued access and refresh tokens will not contain a scope. Previously a consent PUT with an empty scope would cause an "access_denied" OAuth error to be returned to the client. Integrations must now explicitly trigger an "access_denied" OAuth 2.0 error via the authorisation session web API.

  • /direct-authz/rest/v2/

    • Direct authorisation request: Adds new optional "sub_type" member of type string with values "PUBLIC" (default) or "PAIRWISE" to the "access_token" JSON object. When set to "PAIRWISE" the Connect2id server will issue an access token with a pairwise subject identifier. This requires the request to specify a token "audience" (if multiple audience values are set the first in the list will used to compute the pairwise identifier).
  • /authz-store/rest/v3/

    • OAuth 2.0 / OpenID Connect authorisation object: Adds new optional "ats" (access token subject type) member of type string with values "PUBLIC" (default) or "PAIRWISE".

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.36

  • com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization

    • Adds new getSubjectType method to return the SubjectType for the access token (PUBLIC or PAIRWISE). The default implementation returns null (not specified).

    • Adds new getLocalSubject method to return the local (system) subject identifier for an access token since the existing getSubject can return a pairwise identifier. The default implementation calls getSubject for a PUBLIC access token subject, else returns null.

  • com.nimbusds.openid.connect.provider.spi.tokens.MutableAccessTokenAuthorization

    • Adds new getSubjectType and withSubject methods for getting / setting the access token subject type (PUBLIC or PAIRWISE).

    • Adds new getLocalSubject and withLocalSubject methods for getting / setting the access token local subject identifier.

  • com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec

    • Adds support for specifying an access token subject type (PUBLIC or PAIRWISE). When set to PAIRWISE the access token must specify an audience (if multiple audience values are set the first in the list will used to compute the pairwise identifier).
  • com.nimbusds.openid.connect.provider.spi.tokens.introspection.TokenIntrospectionResponseComposer

    • TokenIntrospectionResponseComposer SPI implementations can access the local (system) subject of access tokens with a pairwise subject identifier via the AccessTokenAuthorization.getLocalSubject method.
  • com.nimbusds.openid.connect.provider.spi.tokens.SelfContainedAccessTokenClaimsCodec

    • Connect2id server deployments with a SelfContainedAccessTokenClaimsCodec SPI implementation and which issue access tokens with pairwise subject identifiers should provide encoding / decoding for the AccessTokenAuthorization.getSubjectType and getLocalSubject methods.

Resolved issues

  • Fixes leading JSON array bracket output for a GET on the clients endpoint with no registered clients. The bug was introduced in 11.6.1 (issue server/679).

  • Enforces a string length limit of 10K chars when parsing JWT headers (after the BASE64URL decoding). The 10K chars should be sufficient to accommodate JWT headers with an X.509 certificate chain in the "x5c" header parameter (issue nimbus-jose-jwt/424).

  • Prevents StackOverflowError when parsing a JWT header with a very large number of nested JOSE objects (issue nimbus-jose-jwt/425).

  • Moves validation of configured signing RSA and EC keys from JWT issue time to Connect2id server startup to improve performance (issue server/673).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.36

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.9

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.10

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.19

  • Upgrades to com.nimbusds:oauth2-authz-store:17.1.1

  • Updates to com.nimbusds:oidc-session-store:14.5.1

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.17

  • Updates Infinispan to 9.4.23.Final.

  • Updates to org.cryptomator:siv-mode:1.4.2

  • Updates to com.google.crypto.tink:tink:1.6.0

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.0

Connect2id server 11.6.3

This is a maintenance and security update of the Connect2id server. It fixes several bugs and introduces a check to reject JWTs in request objects (JAR) and the id_token_hint parameter with excessively large JWT headers, or specially crafted JWT headers that can cause an internal server error (HTTP 500) when parsed.

Updating from other 11.x releases or earlier releases is recommended.

Check the release notes for more information.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.3: Connect2id-server.zip

SHA-256: 13830847cdaebe87ce708bc7cb076819c77ba510bc725418283a4ba3381c9890

Connect2id server 11.6.3 WAR package: c2id.war

SHA-256: 13830847cdaebe87ce708bc7cb076819c77ba510bc725418283a4ba3381c9890

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.3: Connect2id-server-mt.zip

SHA-256: 4531ccc65d64ad5fe558fc24dfa600004ccb73074ce2566722bde57010a36622

Connect2id server 11.6.3 WAR package: c2id-multi-tenant.war

SHA-256: 83f106b9b446f8e08916b4e07c414c8f3634f591ee7b4d63c59a150cdf2ce9fd

Questions?

Contact Connect2id support.


Release notes

11.6.3 (2021-06-22)

Resolved issues

  • Fixes JSON encoding issue that affected serialisation of the ~/7E character into objects and for persistence since v11.3 (issue common/62).

  • Fixes bug introduced in 11.3 (2021-03-31) that allowed OpenID authentication requests with response_type=id_token or response_type=id_token token to pass without a nonce (issue oidc-sdk/363).

  • Fixes a bug that prevented completion of plain OAuth 2.0 authorisation requests with prompt=none and resulted in a HTTP 500 server error. OpenID authentication requests were not affected (issue server/681).

  • Fixes leading JSON array bracket output for a GET on the clients endpoint with no registered clients. The bug was introduced in 11.6.1 (issue server/679).

  • Enforces a string length limit of 10K chars when parsing JWT headers (after the BASE64URL decoding). The 10K chars should be sufficient to accommodate JWT headers with an X.509 certificate chain in the "x5c" header parameter (issue nimbus-jose-jwt/424).

  • Prevents StackOverflowError when parsing a JWT header with a very large number of nested JOSE objects (issue nimbus-jose-jwt/425).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.9

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.10

  • Updates to com.nimbusds:common:2.45.2

Connect2id server 11.6.2

This is a maintenance update of the Connect2id server for OAuth 2.0 authorisation and OpenID Connect sign-in.

Check the release notes for more information.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.2: Connect2id-server.zip

SHA-256: 6f70d8f0521420860249e03d4fde6f781cddbe20c6c72e74d8b391d03ab73035

Connect2id server 11.6.2 WAR package: c2id.war

SHA-256: 18b57e2f57588ddf7e98847111916cd585c5198531da4bfab59db22bb9330e8b

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.2: Connect2id-server-mt.zip

SHA-256: ab2fb95ae74b4fec71fab11a684b2531199ce409c3022d9059c76d393f390686

Connect2id server 11.6.2 WAR package: c2id-multi-tenant.war

SHA-256: 4db6b8f2232f4838777d9052dd0c5671a0c4c5bd55314390e1209999fe97662a

Questions?

Contact Connect2id support.


Release notes

11.6.2 (2021-05-21)

Resolved issues

  • Fixes the HTTP 401 error response for an HTTP GET /clients request with an invalid master access token. The bug was introduced in 11.6.1 (issue server/668).

  • Fixes bug introduced in 11.3 (2021-03-31) that allowed OpenID authentication requests with response_type=id_token or response_type=id_token token to pass without a nonce (issue oidc-sdk/363).

  • Updates the logout endpoint OP2711 log INFO message that an ID token hint is required when the RP requests a post-logout redirection (issue server/671).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.5.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9.3

  • Updates to Infinispan 9.4.22.Final

  • Updates to com.google.crypto.tink:tink:1.5.0

Connect2id server 11.6.1

This is a maintenance update of the Connect2id server.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.1: Connect2id-server.zip

SHA-256: 148c2ca254e17ec87850574afa66cc23bc51e6b0ec9aebfabb197e58a646cf67

Connect2id server 11.6.1 WAR package: c2id.war

SHA-256: 18702660cf6b4669d8731bc396ee86930e39328215bad65d865d330dec7a9bb8

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.1: Connect2id-server-mt.zip

SHA-256: ad7f3855dd27ad91916cc8e8d7f659f0f99fc5bcb2a87394abe35c2978b691bd

Connect2id server 11.6.1 WAR package: c2id-multi-tenant.war

SHA-256: d25e387f5a122886f03c6b48d79a4258716beebe7bade8f4eaac18069b624ead

Questions?

Contact Connect2id support.


Release notes

11.6.1 (2021-05-03)

Resolved issues

  • Fixes missing output of the "resource" parameter (RFC 8707) as URI string list in the authorisation session API objects for OpenID authentication requests. Plain OAuth 2.0 authorisation requests were not affected (issue server/664).

  • Switches HTTP GET /clients output to streaming to conserve memory when reading a large number of OAuth 2.0 client registrations (issue server/665).

  • Improves logging of HTTP 302 errors at the client registration endpoint by including additional details in the log message at INFO level, reduces the number of log statements to log a condition (issue server/667).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.5

Connect2id server 11.6 with FAPI enhancements, login page API update

This week's release of the Connect2id server focuses on the FAPI security profile. It also optimises interaction with the login page API for developers.

New FAPI configurations

Six new configuration properties were added to facilitate conformance with the latest version (2021-03-12) of the FAPI Baseline and Advanced security profiles. The new settings can also be used in other security profiles or to establish some baseline security policy for all OAuth clients.

Here is an overview of the new configurations:

Always require an explicit redirect_uri in the authorisation requests. This is normally a requirement only for OpenID authentication.

Additional request object (JAR) specific checks:

Require the use of signed authorisation responses, with JARM (response_type=jwt) or by requesting an ID token in the front-channel (reponse_type=code id_token) to act as detached signature:

Note that the authorisation request validator and the PAR validator plugin interfaces (SPI) can be used to perform additional checks or as alternative method.

The FAPI deployment checklist was updated accordingly.

Login page API

The Connect2id server web API for handling user authentication and consent can now include selected authorisation request parameters, including parameters that are custom, in the authentication and consent prompt objects. This behaviour is switched on with two new configuration properties and is intended to save an HTTP GET call in cases when access to those parameters is required by the login page UI or logic.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6: Connect2id-server.zip

SHA-256: ef604a653452a76e6a2c06134c5f5aec110645308b588485ee93966de6b8fac1

Connect2id server 11.6 WAR package: c2id.war

SHA-256: 295c9d2e4037bec5f43676aae5caaf2c8b9a57bd958f25f27e5ac562fd825d35

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6: Connect2id-server-mt.zip

SHA-256: 49854e045c868428c1f8ef27567e2c6b1ca0c1d3cdcf940b7ce8a9610d9d17c3

Connect2id server 11.6 WAR package: c2id-multi-tenant.war

SHA-256: c9652c7610e94f2453f66adb47a1127e438bce7209011465c15bff7a9de72db0

Questions?

Contact Connect2id support.


Release notes

11.6 (2021-04-27)

Summary

  • Adds a set of new Connect2id server configuration properties for setting up OAuth 2.0 servers conforming to version 2021-03-12 of the FAPI 1.0 Advanced security profile. See Financial-grade API Security Profile 1.0 - Part 2: Advanced (2021-03-12).

  • Adds configuration properties for causing selected OAuth 2.0 authorisation request parameters, including custom parameters, to appear in the authentication or consent prompt in the authorisation web API. Intended to save HTTP GET calls to the authorisation session resource when access to those parameters is needed.

Configuration

  • /WEB-INF/oidProvider.properties

    • op.authz.alwaysRequireRedirectURI -- New configuration property to specify whether the redirect_uri parameter is required for all authorisation requests. The default value is false (required only for OpenID authentication requests).

    • op.authz.alwaysRequireSignedRequestJWT -- New configuration property to specify whether a JWS signed request JWT passed inline via "request" or by URL reference via "request_uri" will be required for all authorisation requests. The default value is false (not required unless the client is explicitly registered for it).

    • op.authz.requireRequestJWTNotBefore -- New configuration property to specify whether received request object JWTs must include a not before (nbf) claim. The default value is false.

    • op.authz.maxLifetimeRequestJWTExpiration -- New configuration property to specify the maximum accepted lifetime in seconds of an expiration (exp) claim in request JWTs. The lifetime is computed from the not before (nbf) claim if present, otherwise from the current time. The default value is -1 (not specified).

    • op.authz.maxAgeRequestJWTNotBefore -- New configuration property to specify the maximum accepted age in seconds of a not before (nbf) claim in request JWTs. The default value is -1 (not specified).

    • op.authz.alwaysRequireSignedResponse -- New configuration property to specify whether all authorisation requests must specify a JWT-secured response (JARM) or a "response_type" that includes an "id_token" to serve as a detached signature. The default value is false.

    • op.authz.requestParamsInAuthPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the authentication prompt, in a JSON object named "request". No parameters are included by default.

    • op.authz.requestParamsInConsentPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the consent prompt, in a JSON object named "request". No parameters are included by default.

Web API

  • /authz-sessions/rest/v3/

    • Authentication prompt: Adds new optional "request" member of type JSON object to the authentication prompt ("auth"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInAuthPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during authentication.

    • Consent prompt: Adds new optional "request" member of type JSON object to the consent prompt ("consent"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInConsentPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during consent.

Resolved issues

  • The "resource" parameter (RFC 8707) as URI string list must be included in the authorisation session object under "auth_req", fixes regression bug (issue serer/658).

  • The "prompt" parameter as string list must be included in the authorisation session object under "auth_req" for plain OAuth 2.0 requests (custom Connect2id server feature) (issue serer/660).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.4.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9

  • Updates to com.nimbusds:oauth2-authz-store:16.7.3

  • Updates to com.nimbusds:oidc-session-store:14.4.4

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.5

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.7

  • Updates to com.nimbusds:tenant-manager:5.0.2

  • Updates to com.nimbusds:tenant-registry:5.3.3

  • Updates to net.minidev:json-smart:2.4.6