Connect2id server 11.3

This is a mini update to the Connect2id server for OAuth 2.0 and OpenID Connect.

Authorisation and PAR validator SPI update

Plugins using the authorisation request and pushed authorisation request (PAR) validator SPIs can now define their own initialisation and shutdown logic. Heavyweight plugins that need to load a configuration or other resources at server startup can do so via the Lifecycle interface, which the two validator SPIs now extend.

If the concept of the Java Service Provider Interface (SPI) for dynamic loading of plugin code is new to you, we have a guide explaining the packaging and deployment of plugins.

Open Banking update to the Software Statement Verifier plugin

The Software Statement Verifier plugin, which was written to handle client registration requests with embedded software statements (a signed JWT intended to identify the client software vendor) as well as the special type of client registrations occurring in Open Banking, was updated to support the configuration of scope rules based on JSON Path expressions. Such rules can be used to determine what scopes a particular client can be allowed to request based on parameters found in its software statement JWT.

For more information and a list of fixed issues check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.3: Connect2id-server.zip

SHA-256: 176e9acfdda9440f05bfdd3be5fd9c78fd0d7629c8187345029a8ae90dcab970

Connect2id server 11.3 WAR package: c2id.war

SHA-256: b6bb0b5414a80f8d20ebf13d6210d1c768bb0e9178c13032d0d215d5718cdc70

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.3: Connect2id-server-mt.zip

SHA-256: 9de2eb744b7b219510b5ec33e0972909d12313ba0b4306570f1b1e5d93a2aac5

Connect2id server 11.3 WAR package: c2id-multi-tenant.war

SHA-256: 8ab10da34d6b2dacab6a998521f2cd86405238a1a6fc1cdde408038bfb355744

Questions?

Contact Connect2id support.


Release notes

11.3 (2021-03-31)

Summary

  • Upgrades to the AuthorizationRequestValidator and PARValidator SPIs to allow for initialisation and shutdown code.

  • Upgrades the Software Statement Verifier plugin (for the RegistrationInterceptor SPI) to support the configuration of scope rules based on JSON Path expressions. Intended for use in Open Banking.

  • Upgrades the JSON serialisation in the Connect2id server.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.31

  • com.nimbusds.openid.connect.provider.spi.authz.AuthorizationRequestValidator

    • Lets the SPI extend Lifecycle, which has default init, isEnabled and shutdown methods.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.31/com/nimbusds/openid/connect/provider/spi/authz/AuthorizationRequestValidator.html

  • com.nimbusds.openid.connect.provider.spi.par.PARValidator

    • Lets the SPI extend Lifecycle, which has default init, isEnabled and shutdown methods.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.31/com/nimbusds/openid/connect/provider/spi/par/PARValidator.html

Resolved issues

  • Corrupted persisted long-lived authorisation records should be treated as a missing record and not result in a 500 Internal Server Error. Corrupted entries are logged under AS0267 (issue authz-store/183).

  • Corrupted persisted revocation journal entries should be treated as a missing entry and not result in a 500 Internal Server Error. Corrupted entries are logged under AS0271 (issue authz-store/182).

  • Log uniform INFO messages on failed client authentication at the token (OP6203), token introspection (OP6512), token revocation (OP6412) and PAR (OP6203) endpoints (issue server/653).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.31

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.3

  • Updates to com.nimbusds:oauth2-authz-store:16.7.1

  • Updates to com.nimbusds:oidc-session-store:14.4.1

  • Upgrades to com.nimbusds:common:2.45

  • Updates to com.unboundid:unboundid-ldapsdk:5.1.4

  • Updates to com.thetransactioncompany:pretty-json:1.4.1

  • Updates to net.minidev:json-smart:2.3

  • Adds com.jsoniter:jsoniter:0.9.23

  • Updates to com.nimbusds:software-statement-verifier:2.2

Open Banking update to the software statement verifier

Open Banking clients can use dynamic registration with providers, a style of OAuth 2.0 client registration based on RFC 7591 that is API-based and lends itself to full automation.

To prove that it belongs to a regulated Open Banking entity, the client includes a software statement assertion (SSA) in the client registration request. The SSA is a signed JSON Web Token (JWT) issued by the Open Banking directory and contains important details such as the organisation's identity and its keys endpoint URL.

Example client registration request with an embedded software statement as JWT (note, in Open Banking the registration JSON is additionally secured with a JWS and sent with a client X.509 certificate for mutually authenticated HTTPS):

POST /clients HTTP/1.1
Content-Type: application/json
Host: c2id.com

{
  "redirect_uris"                   : [ "https://client.example.org/callback" ],
  "token_endpoint_auth_method"      : "private_key_jwt",
  "token_endpoint_auth_signing_alg" : "PS256",
  "scope"                           : "openid account",
  "software_statement"              : "eyJhbGciOiJSUzI1NiJ9xaemaep4waibohphsf09..."
}

To handle special client registration profiles such as in Open Banking, the Connect2id server comes with a plugin interface for intercepting client registration requests. To make the job of integrators even easier, we maintain an open source plugin which can be configured to perform all necessary validations of the Open Banking SSA, as well as of the additional top-level JWS of the client registration request and its mutual TLS authentication.

One question that often comes up in dynamic client registration is how to control the optional scope metadata field, which may be used to bound the scope values that the client can request.

The default policy of the plugin is to scrub the scope field if it is set by the client, because allowing the client to set the scope bounds on its own access tokens can compromise the security of the OAuth 2.0 server.

The decision which scope values to allow for a client can, however, be based on the embedded SSA, because it carries proof of the client's identity, such as the legal entity behind it, its software roles and other useful details from the Open Banking directory.

Sample Open Banking SSA claims snippet:

{
  "iss"                            : "OpenBanking Ltd",
  "iat"                            : 1614268968,
  "jti"                            : "seesh6IeFemahboi",
  "software_redirect_uris"         : [ "https://client.example.com/cb" ],
  "software_roles"                 : [ "AISP", "PISP", "CBPII" ],
  "org_status"                     : "Active",
  "org_name"                       : "XYZ Bank",
  "org_jwks_endpoint"              : "https://keystore.openbanking...",
  "org_jwks_revoked_endpoint"      : "https://keystore.openbanking...",
  "software_jwks_endpoint"         : "https://keystore.openbanking...",
  "software_jwks_revoked_endpoint" : "https://keystore.openbanking..."
}

In release 2.2 of the SSA plugin we added the ability to configure scope rules based on claims in the software statement.

Each scope rule is expressed as a JSON Path expression: if the JSON Path query produces a match in the software statement JSON, the scope values configured for the rule are allowed to pass.

The use of JSON Path gives Open Banking deployments of the Connect2id server plenty of flexibility to define scope policies based on the SSA.

Example rules for allowing clients with the AISP role to register for the scope openid accounts and those with the PISP role for the scope openid payments:

op.ssv.scopeRules.1.scope=openid accounts
op.ssv.scopeRules.1.jsonPath=$.software_roles[?(@=='AISP')]
op.ssv.scopeRules.2.scope=openid payments
op.ssv.scopeRules.2.jsonPath=$.software_roles[?(@=='PISP')]

You can do quick online JSON Path tests with the tool at jsonpath.com.
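To make the rule semantics concrete, here is an added Python example, not code from the Software Statement Verifier plugin or the Connect2id server, that parses rules in the op.ssv.scopeRules.N.* layout shown above and applies them to SSA claims like the sample earlier. The plugin evaluates full JSON Path; the json_path_matches helper here is an assumed minimal stand-in that understands only the $.field and $.field[?(@=='value')] forms used in the rules. The apply_scope_policy function, which keeps only the requested scope values that some matching rule allows and drops the rest, is this example's reading of the policy described above, not a statement of the plugin's exact behaviour. The two SSA claim sets are constructed.

```python
import re
from collections import defaultdict

# Constructed sample configuration in the plugin's op.ssv.scopeRules.N.* layout
# (the same two rules as in the text above).
SCOPE_RULE_PROPERTIES = """
# AISP clients may hold account scopes, PISP clients payment scopes
op.ssv.scopeRules.1.scope=openid accounts
op.ssv.scopeRules.1.jsonPath=$.software_roles[?(@=='AISP')]
op.ssv.scopeRules.2.scope=openid payments
op.ssv.scopeRules.2.jsonPath=$.software_roles[?(@=='PISP')]
"""

# Constructed SSA claim sets, abbreviated from the sample snippet above.
SSA_CLAIMS_AISP_PISP = {
    "iss": "OpenBanking Ltd",
    "software_roles": ["AISP", "PISP", "CBPII"],
    "org_status": "Active",
    "org_name": "XYZ Bank",
}
SSA_CLAIMS_AISP_ONLY = {
    "iss": "OpenBanking Ltd",
    "software_roles": ["AISP"],
    "org_status": "Active",
    "org_name": "ABC Fintech",
}

_RULE_KEY_RE = re.compile(r"^op\.ssv\.scopeRules\.(\d+)\.(scope|jsonPath)$")

# Assumed minimal JSON Path subset: $.field or $.field[?(@=='value')].
# The real plugin uses a full JSON Path engine; this stand-in covers the rule shapes above.
_PATH_RE = re.compile(r"^\$\.([A-Za-z_][A-Za-z0-9_]*)(?:\[\?\(@==(['\"])(.*?)\2\)\])?$")


def parse_scope_rules(properties_text):
    """Return [(set_of_scope_values, json_path), ...] ordered by rule number.

    Rules that lack either the scope or the jsonPath property are ignored.
    """
    by_index = defaultdict(dict)
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            continue
        m = _RULE_KEY_RE.match(key.strip())
        if not m:
            continue
        by_index[int(m.group(1))][m.group(2)] = value.strip()
    rules = []
    for idx in sorted(by_index):
        props = by_index[idx]
        if "scope" in props and "jsonPath" in props:
            rules.append((set(props["scope"].split()), props["jsonPath"]))
    return rules


def json_path_matches(path, claims):
    """True if the (subset) JSON Path query yields at least one node in the claims."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError("unsupported JSON Path expression: " + path)
    field, wanted = m.group(1), m.group(3)
    if field not in claims:
        return False
    node = claims[field]
    if wanted is None:          # plain $.field: present is a match
        return True
    items = node if isinstance(node, list) else [node]
    return any(item == wanted for item in items)


def allowed_scope(rules, claims):
    """Union of the scope values of every rule whose JSON Path matches the SSA claims."""
    allowed = set()
    for scope_values, path in rules:
        if json_path_matches(path, claims):
            allowed |= scope_values
    return allowed


def apply_scope_policy(requested_scope, rules, claims):
    """Scope to keep in the registration: requested values backed by a matching rule,
    in request order. Values with no backing rule are scrubbed, so the client cannot
    widen its own scope bounds beyond what its SSA roles support."""
    allowed = allowed_scope(rules, claims)
    return " ".join(v for v in requested_scope.split() if v in allowed)


if __name__ == "__main__":
    rules = parse_scope_rules(SCOPE_RULE_PROPERTIES)
    for name, claims in (("AISP+PISP", SSA_CLAIMS_AISP_PISP), ("AISP only", SSA_CLAIMS_AISP_ONLY)):
        print(name, "->", apply_scope_policy("openid accounts payments", rules, claims))
```

Running the file shows a client whose SSA carries only the AISP role asking for "openid accounts payments" being registered with "openid accounts": the payments value has no rule behind it and is dropped. An SSA without any software_roles claim matches no rule, so every requested value is scrubbed, which is the same outcome as the plugin's default policy of not trusting a client-supplied scope.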

The SSA plugin can be further configured to shape the client registration request after the statement has been merged, by moving, renaming or deleting selected fields to produce a final request that matches the OAuth 2.0 server's registration policies and idioms.

The SSA plugin is compatible with Connect2id server releases 11+, and the most recent v2.2 of it will be included in the next 11.3 release.

Connect2id server 11.2

New SPI for custom validation of authorisation requests

This update of the Connect2id server introduces a new plugin interface (SPI) for carrying out additional validation of authorisation requests, after all standard checks, such as the client_id and the client being registered for the response_type, have passed. The SPI can also be used to modify parameters of the received request, before passing it on for further processing.

The SPI can be used to enforce compliance with some OAuth 2.0 security profile and mimics the PAR validator SPI that appeared in Connect2id server 8.0. The PAR validator was also updated to enable optional modification of the requests.

The new authorisation request validator SPI is documented here.

Note, the existing web based API for plugging in the user auth, consent and UI is equally capable of carrying out any additional validation and shaping of the authorisation requests. The new SPI is provided for convenience and enables easy sharing of code with the PAR validator.

Upgraded JWT assertion grant handler

The shipped JWT assertion OAuth 2.0 grant handler was upgraded with a new setting for populating access token data from selected client metadata parameters.

For more information and a list of fixed issues check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.2: Connect2id-server.zip

SHA-256: e7093549087bd75495f8484e6350046678616d6e5a76060208dbb855acada6a0

Connect2id server 11.2 WAR package: c2id.war

SHA-256: 0c0ffa88552d408914d869570dd6e0af87931957d6d156148369db5dbea9db48

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.2: Connect2id-server-mt.zip

SHA-256: bafe2bcee8de47904837bd7784c9879bc214afecaf43410953869b690b0910b3

Connect2id server 11.2 WAR package: c2id-multi-tenant.war

SHA-256: 31777defa880716fb349bf89fe9a27d1d85ca3f88fb9462934d61d0887402b88

Release notes

11.2 (2021-03-07)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.30

  • com.nimbusds.openid.connect.provider.spi.authz.AuthorizationRequestValidator

    • New SPI for performing additional custom validation as well as modification of received OAuth 2.0 authorisation / OpenID authentication requests. The validator has access to the registered client information for the client_id in the authorisation request. If the validator rejects the request it can set a standard or custom error code and also optionally disable redirection back to the client redirect_uri.

      The loading of an AuthorizationRequestValidator SPI implementation is logged at INFO level under OP2113. The cause for rejection of a request is also logged at INFO level, under OP2114.

      Note, to perform additional custom validation of pushed authorisation requests use the PARValidator SPI.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/com/nimbusds/openid/connect/provider/spi/authz/AuthorizationRequestValidator.html

  • com.nimbusds.openid.connect.provider.spi.par.PARValidator

    • Adds a new PARValidator.validatePushedAuthorizationRequest method that also enables optional modification of the received Pushed Authorisation Request (PAR). This method has a default implementation that calls the existing validate-only method, so existing plugins need not be updated.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/com/nimbusds/openid/connect/provider/spi/par/PARValidator.html

  • com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedJWTGrantHandler

    • Upgrades the included OAuth 2.0 self-issued JWT bearer grant handler plugin, see https://bitbucket.org/connect2id/self-issued-jwt-bearer-grant-handler .

      • New op.grantHandler.selfIssuedJWTBearer.accessToken.includeClientMetadataFields configuration property to specify names of client metadata fields to include in the optional access token data field, empty set if none. To specify a member within a field that is a JSON object member use dot (.) notation.

      • The op.grantHandler.selfIssuedJWTBearer.enable configuration property receives a default value false (disabled).

      • Lets op.grantHandler.selfIssuedJWTBearer.accessToken.audienceList also apply to identifier-based access tokens.

      • Makes the /WEB-INF/selfIssuedJWTBearerHandler.properties configuration file optional.

Resolved issues

  • Adjusts DynamoDB item output of the "clm" and "cls" attributes to the long_lived_authorizations table to prevent false HMAC check errors when a dynamodb.hmacSHA256Key is configured (issue authz-store/179).

  • Updates revocation_journal DynamoDB parsing to include the illegal string on a parse exception (issue authz-store/180).

  • Updates OP2209 logging to include the JSON string in the exception message when ID token minting fails due to an "aud" (audience) parse error (issue server/644).

  • Authorisation and token requests with a parameter included more than once, save for "resource", must result in an invalid_request error (issue oidc-sdk/345).

  • Fixes new RSASSASigner(RSAKey) conversion to PrivateKey with a Hardware Security Module (HSM) (issue nimbus-jose-jwt/404).

  • Updates JSON parsing in the OAuth 2.0 SDK to catch non-documented and unexpected exceptions (issue oauth-oidc-sdk/347).

  • Allows OAuth 2.0 client metadata "software_version" of type JSON number and converts it to a JSON string in new and updated client registrations. This is done to accommodate non RFC 7591 compliant dynamic client registrations in the UK Open Banking profile (issue oauth-oidc-sdk/348).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.30

  • Updates to com.nimbusds:oauth2-authz-store:16.5.2

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.2.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.6.1

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1

Connect2id server 11.1.1

This is a mini update to the recent 11.1 release of the Connect2id server fixing a bug in the DynamoDB connector that prevented new table creation. The connector config was also made more robust and logging of the raw written and retrieved items at TRACE level was refined.

For details check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.1.1: Connect2id-server.zip

SHA-256: b4295aa14520a962ff9fb9b2de9e16078a438373667677a0f95f689893c67fc3

Connect2id server 11.1.1 WAR package: c2id.war

SHA-256: 38e167cceddede8b153251132b782320fee9d4f4fb3fbc89dfc450f0775c4214

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.1.1: Connect2id-server-mt.zip

SHA-256: d77fecd98c2d4d245b978c031cce8678b8fdcdc73a8f425d3ac74ac6d02fd984

Connect2id server 11.1.1 WAR package: c2id-multi-tenant.war

SHA-256: 22cb0385eaa5bc6771b6dcf3ac18dc2ea2d2d5285dfa78b487a70d50efabbc8f

Release notes

11.1.1 (2021-02-19)

Resolved issues

  • Fixes bug that caused DynamoDB table creation without a range (sort) key to fail in single-tenant Connect2id server 1.11 instances (issue server/636).
  • Adds extra logging around DynamoDB table creation to include the resolved table spec (issue server/638).
  • Empty or blank DynamoDB apply-range-key must return null in config API (issue ispn-dynamodb/14).
  • Require non-empty DynamoDB range key value when a range key is set (issue ispn-dynamodb/15).
  • Log stored HMAC, computed HMAC and original item when an invalid HMAC is detected in the DynamoDB connector (issue ispn-dynamodb/17).

Dependency changes

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.5

Connect2id server 11.1

The multi-tenant edition of the Connect2id server can now be deployed with the AWS DynamoDB database-as-a-service, to benefit from useful features such as seamless replication between two or more AWS regions. If you need to serve identities globally, at low latency, while remaining available in the rare case of a total region outage, the cross-region replication is ideal for you. The Connect2id server data model allows for eventual consistency, and the replication can be tuned to minimise your AWS bills.

Prior to Connect2id server 11.1 the multi-tenant edition could be deployed with an SQL RDBMS only.

The new release also considerably reduces the web application footprint.

For details check the release notes below.

Important: get the updated 11.1.1 release; the DynamoDB connector received a fix for a major bug introduced in 11.1.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.1: Connect2id-server.zip

SHA-256: 5943726404dc03b582a99c4dee9770d1b6a3ddd596f960ca62a74b6ad22e40e1

Connect2id server 11.1 WAR package: c2id.war

SHA-256: 86ec5405396762d3a6254df767dfbf9aa66c37a003c5980da33f1c5390a43d0f

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.1: Connect2id-server-mt.zip

SHA-256: 249167c61a296c28373d98f0ddaa12cb882954a8ab1b45d1ad680fb0ebc90ebb

Connect2id server 11.1 WAR package: c2id-multi-tenant.war

SHA-256: 85abee7a967ba055d1ccf1a555689903cf91a79962c812e41aacb3cd96def2c6

Release notes

11.1 (2021-02-17)

Summary

  • Support for AWS DynamoDB in the multi-tenant edition of the Connect2id server. Persisted tenant specific objects are isolated in their DynamoDB tables by means of a range (sort) key named "tid".

  • Reduces the footprint of AWS related dependencies by switching from the AWS Java SDK bundle to smaller service specific dependencies. The size of the final WAR file is reduced from 244 megabytes to 68 megabytes. If an SPI implementation (custom plugin) requires an AWS dependency previously available through the AWS Java SDK bundle it now needs to be explicitly included as a dependency.

Configuration

  • /WEB-INF/infinispan-multitenant-stateless-dynamodb.xml -- New Infinispan configuration file for the multi-tenant edition of the Connect2id server with an AWS DynamoDB backend. The standard DynamoDB configuration properties from the regular Connect2id server edition apply, save for the "dynamodb.applyRangeKey" and "dynamodb.rangeKeyValue" properties that have no effect.

Resolved issues

  • Fixes typo in the "invalid_client" error description (issue server/634).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:16.5

  • Updates to com.nimbusds:oidc-session-store:14.3

  • Updates to com.nimbusds:tenant-registry:5.3

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:4.1.1

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.5

  • Replaces com.amazonaws:aws-java-sdk-bundle with the narrower aws-java-sdk-dynamodb and aws-java-sdk-s3:1.11.955

  • Updates to com.nimbusds:software-statement-verifier:2.1.1