Connect2id server 6.5

Single use of tokens is now also supported by the standard inspection endpoint

The standard token inspection endpoint will now also support optional removal of the queried access token, in order to facilitate use cases where access token replay at the resource server must be prevented. This feature was originally introduced in the proprietary inspection endpoint, in Connect2id server version 6.4 released last week.

To remove the access token after inspection simply add the revoke=true parameter. Note that this feature only works with identifier-based tokens, which represent a key to retrieve the underlying authorisation. It will have no effect if the access token is self-contained (JWT-encoded).

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&revoke=true

Subsequent inspection requests with the same access token will produce a response that the token is no longer valid.
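To make the single-use semantics concrete, here is an added example (not Connect2id code) that models an introspection endpoint with the RFC 7662 response shape and the non-standard `revoke` parameter described above. The in-memory `TOKEN_STORE`, the sample token value, and the HS256 secret used to mint a self-contained token are constructed for the demo; the Basic client authentication shown in the request above is not modelled.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Constructed: identifier-based tokens are opaque keys into the authorisation store.
TOKEN_STORE = {
    "45ghiukldjahdnhzdauz": {"sub": "alice", "scope": "openid profile", "exp": time.time() + 600},
}
# Constructed HS256 secret so the toy can mint and verify a self-contained token;
# a real deployment verifies against the server's published JWK set.
JWT_KEY = b"constructed-demo-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_self_contained_token(sub: str, lifetime_s: int = 600) -> str:
    """Issue a compact HS256 JWT: the authorisation travels inside the token itself."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": time.time() + lifetime_s}).encode())
    sig = hmac.new(JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_self_contained(token: str):
    """Return the claims of a valid, unexpired JWT, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims if claims.get("exp", 0) > time.time() else None


def introspect(form_body: str) -> dict:
    """Handle the body of a POST /token/introspect request, e.g. 'token=...&revoke=true'."""
    params = parse_qs(form_body)
    token = params.get("token", [""])[0]
    revoke = params.get("revoke", ["false"])[0].lower() == "true"
    if token.count(".") == 2:
        # Self-contained token: there is nothing in the store to delete, so
        # revoke=true cannot make it single-use (the caveat stated above).
        claims = _verify_self_contained(token)
    elif revoke:
        # Single use: a successful lookup removes the identifier from the store.
        claims = TOKEN_STORE.pop(token, None)
    else:
        claims = TOKEN_STORE.get(token)
    if claims is None or claims["exp"] <= time.time():
        return {"active": False}  # RFC 7662: say nothing more about an inactive token
    return {"active": True, **claims}


def single_use_sequence(token: str) -> list:
    """Inspect the same token twice with revoke=true and return the two 'active' flags."""
    body = f"token={token}&revoke=true"
    return [introspect(body)["active"], introspect(body)["active"]]


if __name__ == "__main__":
    print(single_use_sequence("45ghiukldjahdnhzdauz"))           # [True, False]
    print(single_use_sequence(mint_self_contained_token("bob")))  # [True, True]
```

The second run of `single_use_sequence` is the point: a JWT-encoded token stays active after `revoke=true`, so a resource server that needs single use of self-contained tokens must keep its own replay cache.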

Importing end-user sessions

The session store web API was updated to enable correct import of user sessions from other servers, preserving the original creation timestamp.

Bug fixes

This release also fixes a bug introduced in Connect2id server version 6.4 which affected session expiration when the maximum authentication lifetime parameter is set. Everybody who has downloaded 6.4 is advised to upgrade.

Download

To download a ZIP package of Connect2id server 6.5:

https://connect2id.com/assets/products/server/download/6.5/Connect2id-server.zip

(SHA-1: fc9045abe2a7ea523c3bcdc1d9e44a05d089458c)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.5/c2id.war

(SHA-1: 4c3a5c54b923674cf0c2b3b091ebcc67e1896b16)

Questions?

Get in touch with Connect2id support to receive assistance.


Release notes

6.5 (2017-03-15)

Configuration

  • No changes

Web API

  • /token/introspect

    • Adds an optional non-standard (see RFC 7662) "revoke" query parameter (defaults to "false") to facilitate single use of identifier-based access tokens. Causes the access token to be automatically deleted from the store after successful inspection. Has no effect with self-contained (JWT-encoded) access tokens. Identical to the optional "revoke" query parameter of /authz-store/rest/v2/inspection (introduced in Connect2id server 6.4).
  • /session-store/rest/v2

    • Permits addition of subject sessions created in the past, in order to facilitate the correct import of sessions from another Connect2id server.

Bug fixes

  • Fixes a bug that caused the authentication lifetime set on a subject session to incorrectly trigger its expiration (issue session-store/50).

Dependencies

  • Upgrades to com.nimbusds:oidc-session-store:5.1

Improved claims and access token lifecycle support in Connect2id server 6.4

This release of the OpenID Connect server introduces a number of small but useful new features.

Define your own scope to claims expansions

OpenID Connect allows client apps to request claims (assertions) about the user by including special OAuth 2.0 scope values in the OpenID authentication request.

For example, apps can use the profile scope value to request access to the following user attributes at the IdP:

Scope value   Claims
profile       name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at

OpenID Connect defines four such scope values that expand to specific sets of claims.

This neat concept can be used with other (custom) scope values and claims that the identity provider needs to support. Up until now, identity providers with a Connect2id server had to maintain these mappings externally, and apply them during the authorisation session. With v6.4 such scope value to claim expansions can be defined internally.

Example definition of a custom org_profile scope value and the claims that it expands to:

org_profile: roles, supervisor, employee_number
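The expansion itself is simple, but the edge cases are worth seeing in code: an added example (not Connect2id's implementation) that parses a custom mapping in the `scope: claim, claim` form of the org_profile line above and resolves a requested scope list into the claims to release. The four standard scope sets come from OpenID Connect Core; the rules that a custom mapping may not redefine a standard scope value and that unknown scope values expand to nothing are assumptions for this demo, as is the exact syntax of the mapping file.

```python
# Standard scope values and the claims they expand to (OpenID Connect Core 1.0, section 5.4).
STANDARD_SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed sample in the 'scope: claim, claim' form of the org_profile example.
CUSTOM_MAP_TEXT = """\
# custom scope value -> claim names (constructed sample)
org_profile: roles, supervisor, employee_number
billing = account_id, billing_tier
"""


def parse_custom_claims_map(text: str) -> dict:
    """Parse 'scope: claims' / 'scope = claims' lines into {scope: [claim, ...]}.
    Rejects malformed lines and any attempt to redefine a standard scope value
    (assumed safer default: the standard expansions stay authoritative)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # Java-properties comment markers
            continue
        seps = [p for p in (line.find(":"), line.find("=")) if p >= 0]
        if not seps:
            raise ValueError(f"malformed mapping line: {raw!r}")
        pos = min(seps)
        scope, claims = line[:pos].strip(), line[pos + 1:]
        claim_names = [c.strip() for c in claims.split(",") if c.strip()]
        if not scope or not claim_names:
            raise ValueError(f"malformed mapping line: {raw!r}")
        if scope in STANDARD_SCOPE_CLAIMS:
            raise ValueError(f"refusing to redefine standard scope value {scope!r}")
        mapping[scope] = claim_names
    return mapping


def expand_scope_to_claims(scope_values, custom_map: dict) -> list:
    """Resolve the requested scope values to the ordered, de-duplicated list of
    claim names to release. Scope values with no mapping (such as 'openid'
    itself, or a typo) contribute nothing rather than failing the request."""
    table = {**STANDARD_SCOPE_CLAIMS, **custom_map}
    released = []
    for scope in scope_values:
        for claim in table.get(scope, []):
            if claim not in released:
                released.append(claim)
    return released


if __name__ == "__main__":
    custom = parse_custom_claims_map(CUSTOM_MAP_TEXT)
    print(expand_scope_to_claims("openid email org_profile".split(), custom))
```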

Guaranteeing single use of access tokens

Applications and resource servers which require an access token to be used once only, and its replay prevented, have two choices:

  1. The resource server caching the access token signature (or its JTI claim) for the duration of the token lifetime after it's validated. Subsequent requests with the same token will cause a cache hit, indicating that the token has already been used.

  2. With identifier (key) based tokens, which are inspected with a call to the Connect2id server. This call now has an optional query parameter revoke which will cause the token to be deleted when it's inspected. A subsequent inspection call will yield a 404 status code, signalling that the token is no longer valid.

    POST /authz-store/rest/v2/inspection?revoke=true HTTP/1.1
    Host: c2id.com
    Content-Type: application/x-www-form-urlencoded
    
    access_token=kiuf7oPaFaePoo5tzieS8eeMEChoo7Ko
    
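Choice 1 is the resource server's own responsibility, so here is an added example (not Connect2id code) of such a replay cache: each validated token is remembered under its JTI claim, or under a hash of its signature when the token carries no JTI, and entries fall out of the cache when the token itself expires, which keeps memory bounded by the token lifetime. Tokens are represented as already-verified claim dicts plus the raw signature bytes; signature verification is assumed to have happened before `accept` is called. The clock injection exists only so the expiry behaviour can be exercised.

```python
import hashlib
import heapq
import time


class SingleUseGuard:
    """Replay cache for self-contained access tokens (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._seen = {}      # cache key -> token exp
        self._expiry = []    # min-heap of (exp, cache key) for eviction

    @staticmethod
    def _key(claims: dict, signature: bytes) -> str:
        # Prefer the JTI; fall back to the signature, which is unique per token.
        if claims.get("jti"):
            return "jti:" + claims["jti"]
        return "sig:" + hashlib.sha256(signature).hexdigest()

    def _evict_expired(self) -> None:
        now = self._clock()
        while self._expiry and self._expiry[0][0] <= now:
            exp, key = heapq.heappop(self._expiry)
            if self._seen.get(key) == exp:
                del self._seen[key]

    def accept(self, claims: dict, signature: bytes) -> bool:
        """True the first time a (verified) token is presented; False on replay
        or when the token has already expired."""
        self._evict_expired()
        exp = claims.get("exp")
        if exp is None or exp <= self._clock():
            return False                     # no exp means no bound on the cache
        key = self._key(claims, signature)
        if key in self._seen:
            return False                     # cache hit: token already used
        self._seen[key] = exp
        heapq.heappush(self._expiry, (exp, key))
        return True

    def cache_size(self) -> int:
        return len(self._seen)


if __name__ == "__main__":
    guard = SingleUseGuard()
    token = {"sub": "alice", "jti": "constructed-jti-1", "exp": time.time() + 60}
    print(guard.accept(token, b"sig"), guard.accept(token, b"sig"))   # True False
```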

Prometheus support

The Connect2id server collects over 100 useful metrics to monitor identity provider usage and performance. These can now be exported in Prometheus format at a dedicated endpoint.

Other new features

Other new features include improved support for implicit consent of OpenID claims, additional Infinispan configurations for using Redis as a primary in-memory and cache store, and a more efficient expiration of user sessions. Check the release notes below for details.

Download

To download a ZIP package of Connect2id server 6.4:

https://connect2id.com/assets/products/server/download/6.4/Connect2id-server.zip

(SHA-1: 6814cde422140d84e6fde0fbf816d7ec9be3cf2e)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.4/c2id.war

(SHA-1: 761e982431ca0d597c9f7ebca85aa1ed45c2c191)

Questions?

Get in touch with Connect2id support to receive assistance.


Release notes

6.4 (2017-03-08)

General

  • Adds new optional configuration file for defining custom scope value to OpenID Connect claim mappings.

  • Adds support for implicit consent of OpenID Connect claims.

  • Adds a new optional "revoke" parameter to the token introspection call to facilitate single use of identifier-based access tokens where required by the resource server / application.

  • Adds endpoint for scraping the Connect2id server metrics in Prometheus (https://prometheus.io) format.

  • Expiration of subject (end-user) sessions is now handled by Infinispan, simplifying configuration (see below) and improving the performance of session retrieval.

  • Updates the Infinispan configuration files.

Configuration

  • /WEB-INF/customClaimsMap.properties

    • New optional configuration file for defining custom scope value to OpenID Connect claim mappings. Can be used to automatically expand selected custom scope values to one or more custom claim names, e.g. "my_scope_value" to claim names "claim_a", "claim_b", etc.
  • /WEB-INF/oidcProvider.properties

    • Adds new optional "op.authz.alwaysPromptForAuth" configuration property, defaults to "false". If "true" the Connect2id server will always prompt for authentication, even if the end-user is currently authenticated (by means of a valid session cookie), or "prompt=none" was requested by the client. Intended to facilitate authentication step-up by using selected scope values.
  • /WEB-INF/sessionStore.properties

    • The sessionStore.purgeInterval configuration property is removed. Expiration of subject (end-user) sessions is now handled by Infinispan. The expiration interval can be fine-tuned by changing the expiration interval attribute of "sessionStore.sessionMap" of the chosen Infinispan XML configuration (infinispan-*.xml).
  • /WEB-INF/jose.properties

    • Adds support for overriding the PKCS#11 configuration via Java system properties.
  • /WEB-INF/infinispan-mysql-redis.xml

    • Adds new configuration for using Infinispan in invalidation mode, with MySQL as the persistence store and Redis as the primary in-memory / cache store.
  • /WEB-INF/infinispan-postgres95-redis.xml

    • Adds new configuration for using Infinispan in invalidation mode, with PostgreSQL 9.5+ as the persistence store and Redis as the primary in-memory / cache store.
  • /WEB-INF/infinispan-ldap-redis.xml

    • Renames the previous configuration file for using Infinispan in invalidation mode with LDAP as the persistence store and Redis as the primary in-memory / cache store.
  • /WEB-INF/infinispan-*.xml

    • Declares the required application specific AdvancedExternalizer instances in the XML configuration (see issue server/253 below).
  • /WEB-INF/web.xml

    • Configures eager servlet loading.

Web API

  • /authz-sessions/rest/v3, /authz-sessions/rest/v2

    • Adds support for implicit consent of OpenID Connect claims.
  • /authz-store/rest/v2/inspection

    • Adds an optional "revoke" query parameter (defaults to "false") to facilitate single use of identifier-based access tokens. Causes the access token to be automatically deleted from the store after successful inspection. Has no effect with self-contained (JWT-encoded) access tokens.
  • /monitor/v1/metrics/prometheus

    • Adds new resource for retrieving Connect2id server metrics in Prometheus (https://prometheus.io) format (exported from Dropwizard). Requires a bearer access token, which is configured in /WEB-INF/monitor.properties.

Bug fixes

  • Fixes processing of refresh token grant requests from public OAuth 2.0 clients to ensure a mismatch of the top-level client_id and the client_id encoded in the refresh token produces an invalid_grant error (issue server/254).

  • Switches to XML-based declaration of the application specific Infinispan AdvancedExternalizer classes to address startup situations when the programmatically configured externalisers don't get picked up by Infinispan (issue server/253).

  • Fixes handling of illegal URL-encoding in client secret basic authentication HTTP Authorization headers so that instead of failing with HTTP 500 status code a proper HTTP 400 status and message is returned (issue oidc-sdk/208).

  • Prevents inconsistent direct authorisation requests for a refresh token with disabled authorisation persistence (long_lived = false). Such requests will now produce an HTTP 400 status code with the error message "Invalid request: Refresh token issue requires the authorization to be persisted with long_lived=true" (issue server/262).

  • Fixes a bug that prevented the timely removal of authorisation sessions in Infinispan invalidation mode (issue server/265).

  • Removes stray System.out.println in userInfo endpoint code (issue server/261).

Dependencies

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.24

  • Upgrades to com.nimbusds:oauth2-authz-store:5.13.1

  • Upgrades to com.nimbusds:oidc-session-store:5.0

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:1.3

  • Upgrades to com.nimbusds:common:2.4

  • Upgrades to com.unboundid:unboundid-ldapsdk:3.2.1

Hardware Security Module (PKCS#11) support in Connect2id server 6.3

The Connect2id server can now utilise Hardware Security Modules (HSM) for signing issued identity and access tokens. By performing the cryptographic operations on a dedicated external device, and with no logical access to the private keys, the HSM provides an excellent security guarantee against key theft. This makes HSMs indispensable in applications which require a high degree of security, such as national eID schemes and in payments.

The HSM is accessed from the Connect2id server via a PKCS#11 interface, which has been the established standard for such devices since 1995.

You can find out more about HSM configuration in the Connect2id server manual. RSA as well as EC keys are supported. Roll-over of the signing keys is done automatically, based on the validity window of their X.509 certificates.
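The roll-over rule stated above (follow the certificate's validity window) is easy to get subtly wrong at the edges, so here is an added example (not Connect2id code) that computes which key signs at a given instant and the full hand-over timeline for a set of keys. The tie-break for overlapping windows (prefer the key whose window opened most recently) and the `SigningKey` data shape are assumptions; the sample keys are constructed and no real certificates or HSM are involved.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(iso_date: str) -> datetime:
    """Helper: an ISO date or timestamp interpreted as UTC."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class SigningKey:
    kid: str              # key identifier, e.g. the alias under which the HSM holds it
    not_before: datetime  # from the X.509 certificate's notBefore
    not_after: datetime   # from the X.509 certificate's notAfter

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t < self.not_after


# Constructed sample: overlapping windows for a smooth hand-over, then a gap.
SAMPLE_KEYS = [
    SigningKey("rsa-2016", utc("2016-01-01"), utc("2017-03-01")),
    SigningKey("rsa-2017", utc("2017-02-01"), utc("2018-03-01")),
    SigningKey("rsa-2018", utc("2018-06-01"), utc("2019-06-01")),
]


def select_signing_key(keys, now: datetime) -> SigningKey:
    """The key to sign with right now: a currently valid one, and where windows
    overlap the one whose window opened most recently (assumed tie-break)."""
    candidates = [k for k in keys if k.valid_at(now)]
    if not candidates:
        raise RuntimeError(f"no signing key is valid at {now.isoformat()}")
    return max(candidates, key=lambda k: k.not_before)


def rollover_schedule(keys) -> list:
    """Timeline of (start, end, kid) as ISO dates; kid is None where no key is
    valid, which is the gap an operator wants to catch before it happens."""
    bounds = sorted({k.not_before for k in keys} | {k.not_after for k in keys})
    schedule = []
    for start, end in zip(bounds, bounds[1:]):
        valid = [k for k in keys if k.valid_at(start)]
        kid = max(valid, key=lambda k: k.not_before).kid if valid else None
        if schedule and schedule[-1][2] == kid:
            schedule[-1] = (schedule[-1][0], end.date().isoformat(), kid)  # extend run
        else:
            schedule.append((start.date().isoformat(), end.date().isoformat(), kid))
    return schedule


if __name__ == "__main__":
    for row in rollover_schedule(SAMPLE_KEYS):
        print(row)
```

The `None` row in the schedule is the operational check worth automating: a key whose certificate is provisioned after the previous one expires leaves a window in which no token can be signed.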

Check the release notes below to find out what else has been updated in Connect2id server v6.3.

Download

To download a ZIP package of Connect2id server 6.3:

https://connect2id.com/assets/products/server/download/6.3/Connect2id-server.zip

(SHA-1: 14fca0357036a322a85d9442c55e96ca269f37f3)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.3/c2id.war

(SHA-1: 4b6a57f384df93b3d801c76643e211167bcf4b0c)

Questions?

Get in touch with Connect2id support; we'll be delighted to help out.


Release notes

6.3 (2017-01-30)

General

  • Adds comprehensive support for signing issued ID and self-contained access tokens with RSA and EC keys stored in a PKCS#11 compliant Hardware Security Module (HSM). Supports automatic key rollover based on the not-before and not-after dates specified in the X.509 certificate of each PKCS#11 based RSA and EC key intended for signing.

Configuration

  • /WEB-INF/jose.properties

    • Introduces new optional configuration file for loading RSA and EC signing JSON Web Keys (JWK) from a PKCS#11 compliant HSM.
  • /WEB-INF/hsm.cfg

    • Adds sample configuration file for the Java SunPKCS11 security provider (to enable loading of a PKCS#11 compliant HSM).
  • /WEB-INF/web.xml

    • Adds com.nimbusds.jose.jwk.loader.JWKSetLoader listener.

Web API

  • No changes

Logging

  • Logs a detailed message at level "INFO" for a token request with JWT client authentication (client_secret_jwt, private_key_jwt) where the JWT has expired or the claims validation failed (issue sdk/204).

Bug fixes

  • Outputs a proper OAuth 2.0 invalid_client error if a token request includes multiple client authentication methods (issue sdk/203).

  • Fixes a bug which caused the BouncyCastle JCA provider to be loaded if "none" is detected among the supported ID token JWS algorithms (non-critical).

Dependencies

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.21

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.34.1

  • Upgrades to com.nimbusds:oauth2-authz-store:5.11.1

  • Upgrades to com.nimbusds:oidc-session-store:4.14.3

  • Adds new com.nimbusds:nimbus-jwkset-loader:1.2.2 dependency.

  • Upgrades to org.bouncycastle:bcprov-jdk15on:1.56

  • Upgrades to org.bouncycastle:bcpkix-jdk15on:1.56

  • Upgrades to Infinispan 8.2.6.Final

  • Upgrades to JAX-RS Jersey 2.25.1

  • Upgrades to Log4j 2.8

Connect2id server 6.2 makes it easier to implement stateless login / consent front-ends

This new release of the OpenID Connect / OAuth 2.0 server makes it easier to implement nimble stateless UIs on top of it. It also exposes Redis client connection pool metrics (which first appeared in v5.0.5) for those of you who choose to deploy the Connect2id server in a two-tiered manner, with Redis / AWS ElastiCache providing the main in-memory store, and Infinispan the secondary (in invalidation mode).

Stateless front-ends

Stateless front-ends are good, because they are easy to maintain, deploy and scale.

One of the defining features of the Connect2id server is the avoidance of any hard-wired UIs; the server comes instead with a set of elegant web APIs so that all UI, such as login and consent interaction, is decoupled, and can be developed, tested and deployed independently. We have a nice guide explaining the advantages and mechanics of that.

Version 6.2 adds a new optional data parameter to the authorisation session, which can be used to store arbitrary state while the end-user credentials are being checked and consent is obtained. This includes the time during which the end-user is redirected to an external authentication service or another identity provider (IdP).

For example, the login page may offer the option to sign in with another IdP, such as Google or Twitter. Before the user gets redirected to the IdP of their choice, the state can be stored in the data parameter of the current authorisation session. Upon returning from the IdP, the state is resumed, and the login interaction can continue.

The data can be set at the start of the authorisation session, or at any time after that with a PUT call. To read the stored data do a GET for the authorisation session or a direct GET for the data sub-resource.

Check out the updated authorisation session API reference for details.
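The redirect-to-another-IdP flow above has one check a stateless front-end must not skip: the callback has to be bound to the authorisation session it was started from. Here is an added example (not Connect2id's code or API) of that pattern. `AuthzSessionStore` is an in-memory stand-in for the authorisation session resource with the same POST-with-data / PUT data / GET data operations the post describes; the external IdP leg is simulated, the redirect URL is constructed, and how the front-end recovers the session identifier on the callback (for example from a cookie) is outside the toy.

```python
import secrets


class AuthzSessionStore:
    """Stand-in for the server-side authorisation session resource.
    The front-end itself holds no state between requests."""

    def __init__(self):
        self._sessions = {}

    def create(self, data=None) -> str:
        """POST: new authorisation session, optionally with initial data."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"data": dict(data or {})}
        return sid

    def put_data(self, sid: str, data: dict) -> None:
        """PUT on the data sub-resource: replace the stored JSON object."""
        self._sessions[sid]["data"] = dict(data)

    def get_data(self, sid: str) -> dict:
        """GET on the data sub-resource."""
        return dict(self._sessions[sid]["data"])


def begin_external_login(store: AuthzSessionStore, sid: str, idp: str) -> dict:
    """Before redirecting: park a one-time state value in the session data so the
    callback can later be matched to this authorisation session."""
    state = secrets.token_urlsafe(24)
    data = store.get_data(sid)
    data.update({"external_idp": idp, "external_state": state})
    store.put_data(sid, data)
    # Constructed redirect target; a real IdP's authorisation endpoint goes here.
    return {"location": f"https://idp.example/authorize?state={state}", "state": state}


def resume_external_login(store: AuthzSessionStore, sid: str,
                          callback_state: str, idp_subject: str) -> dict:
    """On return from the IdP: refuse the callback unless its state matches the
    parked value, then consume that value and record the authenticated subject."""
    data = store.get_data(sid)
    expected = data.pop("external_state", None)
    if expected is None or not secrets.compare_digest(expected, callback_state):
        raise PermissionError("callback state does not match the authorisation session")
    data["authenticated_subject"] = idp_subject
    store.put_data(sid, data)
    return data


if __name__ == "__main__":
    store = AuthzSessionStore()
    sid = store.create({"client_id": "constructed-client"})
    redirect = begin_external_login(store, sid, "google")
    print(resume_external_login(store, sid, redirect["state"], "alice@example"))
```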

Redis connection pool metrics

If you have a Connect2id server cluster deployed with Redis / AWS ElastiCache as primary in-memory store and want to fine tune your Redis connection pools, these new metrics will provide you with the necessary data.

The new Redis connection pool gauges are made available at the existing /monitor/v1 endpoint, which already collects more than 100 metrics for all sorts of things.

Example Redis client connection pool metrics:

{
    "sessionStore.sessionMap.redisStore.numActiveConnections": {
      "value": 1
    },
    "sessionStore.sessionMap.redisStore.numIdleConnections": {
      "value": 6
    },
    "sessionStore.sessionMap.redisStore.numWaitingForConnection": {
      "value": 0
    },
    "sessionStore.sessionMap.redisStore.maxWaitingTimeForConnectionMs": {
      "value": 15
    },
    "sessionStore.sessionMap.redisStore.meanWaitingTimeForConnectionMs": {
      "value": 0
    }
}

Download

To download a ZIP package of Connect2id server 6.2:

https://connect2id.com/assets/products/server/download/6.2/Connect2id-server.zip

(SHA-1: a84329a865d8fa5ed49f2c937bb2e9300706b51a)

As WAR package only:

https://connect2id.com/assets/products/server/download/6.2/c2id.war

(SHA-1: 6ba80693c0fa0e46c0849d41358d9af892d58274)

Questions?

Get in touch with Connect2id support; we'll be delighted to help out.


Release notes

6.2 (2017-01-12)

Configuration

  • No changes

Web API

  • /authz-sessions/rest/v3/

    • Enables storage of additional data in the authorisation session, to enable use cases such as a stateless login front-end that needs to perform a redirection to an external service or IdP as part of the authentication or consent process.
      • Adds new optional "data" parameter of type JSON object to the authorisation session.
      • The optional "data" can be set with the initial POST request for a new authorisation session, or with a dedicated PUT request to the authorisation session data resource.
      • The optional "data" can be retrieved with a GET for the authorisation session, or directly from the authorisation session data resource.
  • /monitor/v1/metrics

    • Adds Redis store connection pool metrics (of type gauge):
      • "[infinispan-cache-name].redisStore.numActiveConnections" -- the number of active Redis client connections in the pool.
      • "[infinispan-cache-name].redisStore.numIdleConnections" -- the number of idle Redis client connections in the pool.
      • "[infinispan-cache-name].redisStore.numWaitingForConnection" -- the number of threads waiting for a Redis client connection.
      • "[infinispan-cache-name].redisStore.meanWaitingTimeForConnectionMs" -- the mean time waiting to borrow a Redis client connection from the pool, in milliseconds.
      • "[infinispan-cache-name].redisStore.maxWaitingTimeForConnectionMs" -- the maximum time waiting to borrow a Redis client connection from the pool, in milliseconds.

Bug fixes

  • None

Dependencies

  • Upgrades to Nimbus JOSE+JWT 4.34.

  • Upgrades to Redis Store 8.2.1 (private Connect2id release)

Certified OpenID Connect provider server

Last week the Connect2id server received certification for all standard OpenID Connect provider profiles, which also extends to the optional advanced security features that we implemented in 2016:

  • JWT client authentication -- Offers a number of security advantages over the common HTTP basic authentication, such as preventing credential leakage if the HTTP request is sent in the plain by accident.
  • Client keys -- Clients and relying parties can bring their own asymmetric keys (RSA and EC), in order to authenticate with a JWT, or to receive encrypted ID tokens and UserInfo.
  • Encryption -- ID token and UserInfo encryption, using a public RSA or EC key registered by the client, or an AES key derived from the client's secret.
  • Signed authorisation requests -- Authenticate and integrity-protect the initial OpenID authentication and OAuth 2.0 authorisation requests. Works nicely with public / native clients, regardless of the nature of their registration, to ensure the important parameters get "locked down", and cannot be modified by the end-user or app.
  • Pairwise identifiers -- Method (to be used in conjunction with others) that makes it harder for relying parties to correlate the identity of logged in users.

Other organisations that received OpenID provider certification during the same period are Yahoo! Japan and Verizon.

Many thanks to Roland Hedberg, who manages the certification suite at OpenID, for assisting us with the tests, even though it was holiday time, and he probably had better things to do.

We would also like to thank Mike Jones, secretary of the OpenID foundation, for his recognition of Connect2id's service to the OpenID Foundation and the OpenID community since 2012.