The OpenID Connect server adds support for SQL backends

The upcoming 6th release of the Connect2id server introduces support for SQL databases for persisting its own data, such as client registrations and authorisations. With this preview you can now test drive the server with a MySQL database.

  1. Download the ZIP file and unpack it.

  2. Provision a fresh MySQL database, and an account for it that the Connect2id server can use.

  3. Edit /webapp/WEB-INF/infinispan-mysql.xml in the c2id.war:

    • Set the dataSource.url properties to point to the MySQL database.

    • Set dataSource.user and dataSource.password to the user credentials for accessing the MySQL database.

  4. Start the LDAP directory with the sample users with opendj/bin/start-ds.

  5. Start the Tomcat web server with tomcat/bin/startup.sh.

  6. Point your browser to http://127.0.0.1:8080/oidc-client/ when the server has started.

That's it!

The Connect2id server will automatically create the required SQL tables if they are missing. The /WEB-INF/web.xml is also configured with a servlet context listener that creates a demo OpenID Connect client registration for oidc-client with client_id 000123, so you can test drive OpenID Connect login straight away.

To disable creation of this account (in production) simply comment out or delete the following lines from the /WEB-INF/web.xml descriptor:

<!-- Demo client registration installer (remove in production) -->
<listener>
    <listener-class>com.nimbusds.openid.connect.provider.demo.DemoClientRegInstaller</listener-class>
</listener>

You can also test drive the Connect2id server with a PostgreSQL 9.5 database. To do that edit /WEB-INF/web.xml to point to the Postgres specific Infinispan config like this:

<context-param>
    <description>
        The location of the Infinispan configuration file. Must be
        relative to the web application root directory.
    </description>
    <param-name>infinispan.configurationFile</param-name>
    <param-value>/WEB-INF/infinispan-postgres95.xml</param-value>
</context-param>

Then edit the data source parameters as explained above.

Download

To preview the upcoming Connect2id server 6.0 release download the following ZIP package and follow the instructions above, plus those in the README.txt file:

https://connect2id.com/assets/products/server/download/6.0-pre-4/Connect2id-server.zip

https://connect2id.com/assets/products/server/download/6.0-pre-4/c2id.war

Questions?

For any questions, write in the comments section below or email our support team.


Release notes 6.0-pre-4 (2016-09-29)

General

  • Switches to Infinispan's persistent store APIs to enable support of other Connect2id server backends besides LDAP, such as MySQL, PostgreSQL, H2, flat file storage, Redis (experimental) and AWS ElastiCache (experimental).

  • Adds support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for encrypted ID tokens. A client can receive ID tokens encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for encrypted UserInfo. A client can receive UserInfo JWTs encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for registering OpenID Connect / OAuth 2.0 clients with a JWK set specified by URI (jwks_uri). Intended for handling private_key_jwt client authentication, self-issued JWT and SAML 2.0 bearer grants, signed request objects, encrypted ID tokens and encrypted UserInfo responses. The downloaded client JWK set is cached by the Connect2id server to ensure quick processing of requests that rely on remote JWKs.

  • Updates handling of the optional max_age OpenID authentication request parameter. If max_age is set to zero (max_age=0) the Connect2id server will prompt the end-user for (re)authentication, even if the end-user has an existing valid session with the Connect2id server. This is equivalent to setting the optional prompt OpenID authentication request parameter to login (prompt=login). See issue #993 with the OpenID Connect working group (https://bitbucket.org/openid/connect/issues/993).

  • Adds experimental support for pairwise subject (end-user) identifiers, based on deterministic AES encryption in SIV mode (see RFC 5297).

  • Adds an extra layer of security to issued session IDs, authorisation codes and identifier-based access tokens by appending an HMAC-SHA256 message authentication code (truncated to 128 bits) to them. The HMAC enables detection of online guessing attacks and may also be used to block certain DoS attacks that utilise the above objects.

  • Switches to new JSON-based marshalling of Connect2id server objects stored in Infinispan.

  • Refines diagnostic messages on a client registration error due to invalid or inconsistent client metadata.

  • Refines logging of invalid client authentication attempts at the token endpoint (issue server/199).

Configuration

  • /WEB-INF/jwkSet.json

    • All JSON Web Keys (JWKs) in the Connect2id server JWK set must have a key identifier ("kid" JWK parameter) and specify the intended key use ("use" JWK parameter).

    • All RSA JWKs intended for signing of objects (ID tokens, UserInfo JWTs and self-contained access tokens) must have their use parameter set to "sig" (signature). Required to prevent mix up with future RSA JWKs intended for encrypting objects to the Connect2id server.

    • Adds support for optional EC JWKs with curves P-256, P-384 and P-521 for signing of ID tokens and UserInfo JWTs. The EC JWKs must have a key identifier ("kid" JWK parameter) and be flagged for signature use ("use":"sig").

    • All AES JWKs intended for symmetric encryption of self-contained access tokens must have their use parameter set to "enc" (encryption). Required to prevent mix up with the introduced secret JWKs for HMAC protection and pairwise subject encryption (see below).

    • Adds new secret JSON Web Key (JWK) with ID "hmac" and use "sig" to facilitate HMAC-SHA256 protection of session IDs, authorisation codes and identifier-based access tokens. The HMAC key size must be 256 bits.

    • Adds new symmetric JSON Web Key (JWK) with ID "subject-encrypt" to facilitate AES SIV-mode (RFC 5297) encryption of pairwise subject identifiers. The accepted AES key sizes are 128, 192 and 256 bits.

  • /WEB-INF/oidcProvider.properties

    • Extends the op.idToken.jwsAlgs configuration setting to include support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.idToken.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued ID tokens. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.idToken.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued ID tokens. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

    • Adds new op.authz.requestJWSAlgs configuration setting for the accepted JWS algorithms for signed OpenID authentication requests passed with the optional request_uri or request parameter. The following JWS algorithms are supported: HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512 and none.

    • Adds new op.reg.resourceRetriever.httpConnectTimeout configuration setting for the HTTP connect timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Adds new op.reg.resourceRetriever.httpReadTimeout configuration setting for the HTTP read timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Removes the op.reg.preloadCache, op.reg.ldapServer.*, op.reg.ldapUser.*, op.reg.ldapDirectory.*, op.reg.customTrustStore.* and op.reg.customKeyStore.* settings for configuring an LDAP store for the OpenID Connect and OAuth client registration. Configuration of the client registration store is now assumed by Infinispan.

    • Extends the op.userinfo.jwsAlgs configuration setting to include support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.userinfo.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued UserInfo JWTs. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.userinfo.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued UserInfo JWTs. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

  • /WEB-INF/authzStore.properties

    • Removes the authzStore.options.preloadCache, authzStore.ldapServer.*, authzStore.ldapUser.*, authzStore.ldapDirectory.*, authzStore.customTrustStore.* and authzStore.customKeyStore.* settings for configuring an LDAP store for the long-lived (persisted) OpenID Connect and OAuth authorisations. Configuration of the long-lived authorisations store is now assumed by Infinispan.

    • Adds new authzStore.options.discardedAttributes setting to list the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and backend storage.

    • Adds the "iat" (issued-at) claim to the list of recommended JWT claims to include in self-contained access tokens. Required to facilitate correct inspection of revoked self-contained access tokens.

  • /WEB-INF/infinispan.xml

    • Updates all advanced externalisers for Connect2id server data stored in Infinispan. The externalisers are now declared programmatically, instead of using the Infinispan XML configuration.

    • Adds new "clients.remoteJWKSetCache" cache.

    • Replaces the "op.regCache" cache with "clients.registrationsMap".

    • Replaces the "op.regTokenCache" cache with "op.clientRegTokenMap".

    • Replaces the "authzStore.authzCache" cache with "authzStore.longLivedAuthzMap".
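
The jwkSet.json rules listed above are easy to get wrong by hand, so here is an added example (not Connect2id code) of a small Go lint that checks a server JWK set against them: every key has a kid and a use, RSA and EC keys are marked sig (or enc), the "hmac" key is a 256-bit sig key, the "subject-encrypt" key is 128, 192 or 256 bits, and the remaining AES keys are marked enc. The two sample JWK sets are constructed for the demo; their asymmetric key members are placeholders, not real keys.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// jwk holds the members the 6.0 rules look at; other members are ignored.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	K   string `json:"k"` // base64url secret of an "oct" key
}

// LintServerJWKSet applies the 6.0 rules for /WEB-INF/jwkSet.json and
// returns one line per violation; an empty slice means the set passes.
func LintServerJWKSet(doc []byte) ([]string, error) {
	var set struct {
		Keys []jwk `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	var problems []string
	flag := func(k jwk, msg string) {
		problems = append(problems, fmt.Sprintf("kid=%q kty=%s: %s", k.Kid, k.Kty, msg))
	}
	haveHMAC := false
	for _, k := range set.Keys {
		if k.Kid == "" {
			flag(k, `missing "kid"`)
		}
		if k.Use == "" {
			flag(k, `missing "use"`)
		}
		switch k.Kty {
		case "RSA", "EC":
			// signing keys (ID tokens, UserInfo JWTs, self-contained access
			// tokens) must say "sig"; "enc" is reserved for keys that
			// encrypt objects to the server
			if k.Use != "" && k.Use != "sig" && k.Use != "enc" {
				flag(k, fmt.Sprintf(`"use" must be "sig" or "enc", got %q`, k.Use))
			}
		case "oct":
			raw, err := base64.RawURLEncoding.DecodeString(k.K)
			if err != nil {
				flag(k, `"k" is not base64url`)
				continue
			}
			bits := len(raw) * 8
			switch k.Kid {
			case "hmac":
				haveHMAC = true
				if k.Use != "sig" {
					flag(k, `HMAC key must have "use":"sig"`)
				}
				if bits != 256 {
					flag(k, fmt.Sprintf("HMAC key must be 256 bits, got %d", bits))
				}
			case "subject-encrypt":
				if bits != 128 && bits != 192 && bits != 256 {
					flag(k, fmt.Sprintf("AES SIV key must be 128, 192 or 256 bits, got %d", bits))
				}
			default:
				if k.Use != "" && k.Use != "enc" {
					flag(k, `AES key for self-contained access tokens must have "use":"enc"`)
				}
			}
		}
	}
	if !haveHMAC {
		problems = append(problems, `no "hmac" key: session IDs, codes and ID-based tokens cannot be MAC protected`)
	}
	return problems, nil
}

// Constructed samples. Asymmetric key members (n, e, x, y) are placeholders;
// the "k" values are 43 and 22 base64url characters, i.e. 256 and 128 bits.
const (
	k256 = "kzLR4Z5x8m2Q0pJvWc7tN1aYbHdEfGhIjKlMnOpQrSs"
	k128 = "aBcDeFgHiJkLmNoPqRsTuQ"

	// two violations: the RSA key has no "use", the "hmac" key is only 128 bits
	SampleJWKSetWithIssues = `{"keys":[
	  {"kty":"RSA","kid":"rsa-1","alg":"RS256","n":"placeholder","e":"AQAB"},
	  {"kty":"EC","kid":"ec-1","use":"sig","crv":"P-256","x":"placeholder","y":"placeholder"},
	  {"kty":"oct","kid":"aes-1","use":"enc","k":"` + k128 + `"},
	  {"kty":"oct","kid":"hmac","use":"sig","k":"` + k128 + `"},
	  {"kty":"oct","kid":"subject-encrypt","use":"enc","k":"` + k256 + `"}]}`

	SampleJWKSetOK = `{"keys":[
	  {"kty":"RSA","kid":"rsa-1","use":"sig","alg":"RS256","n":"placeholder","e":"AQAB"},
	  {"kty":"EC","kid":"ec-1","use":"sig","crv":"P-256","x":"placeholder","y":"placeholder"},
	  {"kty":"oct","kid":"aes-1","use":"enc","k":"` + k128 + `"},
	  {"kty":"oct","kid":"hmac","use":"sig","k":"` + k256 + `"},
	  {"kty":"oct","kid":"subject-encrypt","use":"enc","k":"` + k128 + `"}]}`
)

func main() {
	for _, doc := range []string{SampleJWKSetWithIssues, SampleJWKSetOK} {
		problems, err := LintServerJWKSet([]byte(doc))
		fmt.Println(len(problems), "problem(s)", err)
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

Run it against the real /WEB-INF/jwkSet.json before starting the server; the "missing hmac key" finding is the one that matters most, since without it none of the MAC protection described in the release notes is in effect.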

Web API

  • /.well-known/openid-configuration

    • Advertises support for pairwise subject identifiers (subject_types_supported).

  • /clients/

    • Supports registration of OAuth 2.0 and OpenID Connect clients with a JWK set specified by URL (jwks_uri).

    • Supports registration of OpenID Connect clients for pairwise subject identifiers. OpenID Connect clients can be registered for pairwise subject identifiers by setting the "subject_type" parameter to "pairwise"; if more than one redirection URI is specified in the "redirect_uris" parameter, a "sector_identifier_uri" parameter must also be provided.

  • /session-store/rest/v2/sessions

    • Support for the optional "SID" header parameter on POST new session is removed, due to the introduction of HMAC secured session IDs. The key portion of the session ID can be set with the new "SID-Key" header parameter; the Connect2id server will then return the final SID (session key with appended HMAC).

  • /authz-store/rest/v2/revocation

    • Extends the effect of revocation to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

  • /authz-store/rest/v2/inspection

    • Access tokens that fall under the scope of a previous revocation event are now resolved as invalid. Previously, access tokens would appear as valid until they expired, unless the access token was identifier-based and had been explicitly revoked.

  • /monitor/v1/metrics

    • Replaces the "authzStore.numCachedAuthorizations" metric with "authzStore.numLongLivedAuthorizations".

    • Adds new "clientStore.numCachedRemoteJWKSets" metric for the number of cached client JWK sets.

Bug fixes

  • Adds check to prevent client registration of redirect_uris with a fragment component (issue sdk/188).

  • Fixes NPE in the LDAP connector when the asynchronous LDAP result listener receives a notification before the associated timer context is cached (issue authz-store/117).

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (issue #219).

  • Enables stack trace logging on Infinispan cache manager launch failure.

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.5.4

  • Upgrades to com.nimbusds:oidc-session-store:4.8

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.17.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.26.1

  • Upgrades to com.nimbusds:common:2.0

  • Upgrades to Infinispan 8.2.4.Final

  • Upgrades to JAX-RS Jersey 2.23.2

  • Upgrades to com.unboundid:unboundid-ldapsdk:3.2.0

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to diagnose class loader issues at runtime (issue server/219).

Third preview of the upcoming Connect2id server 6.0

We have another preview of the upcoming Connect2id server 6.0, this time demonstrating the issue of encrypted ID tokens and UserInfo responses. ID tokens normally come with a digital signature certifying that they have been issued by the IdP (or alternatively, an HMAC using the client_secret as key). Encryption applies an additional layer of security to them, by making their content (claims) confidential to anyone but the intended client.

Digital signature support has also been extended, and now covers EC DSA, besides the commonly used RSA signatures.

Signing up for encrypted ID tokens

Client apps can register to receive encrypted ID tokens by specifying the desired encryption algorithm.

The two fundamental encryption variants are supported:

  • Symmetric encryption: The ID token is encrypted with an AES key derived from the client_secret. The client can decrypt the ID token by performing its own AES key derivation from the client_secret.

  • Asymmetric encryption: Also called public key encryption. The ID token is encrypted with an RSA or EC public key supplied by the client at registration time (via the jwks_uri or jwks registration parameters). Decryption is performed with the corresponding private key.

The Connect2id server supports all standard JWE algorithms for symmetric and public key encryption.

Example client registration request stating that ID tokens are to be first signed with RS256 (RSASSA-PKCS1-v1_5 with SHA-256) and then encrypted with A128GCMKW key wrapping, using a 128-bit AES key derived from the client secret, and A128CBC-HS256 content encryption:

POST /clients HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "redirect_uris"                   : [ "https://client.example.org/callback" ],
  "client_name"                     : "My Cool App",
  "id_token_signed_response_alg"    : "RS256",
  "id_token_encrypted_response_alg" : "A128GCMKW",
  "id_token_encrypted_response_enc" : "A128CBC-HS256"
}

If your client app is written in Java you can use the popular Connect2id libraries for OpenID Connect development and JOSE + JWT to decrypt and validate the ID tokens.

Encrypted UserInfo

Claims (profile information) about the end-user released at the UserInfo endpoint are normally returned as a plain JSON object.

Example plain UserInfo response:

HTTP/1.1 200 OK
Content-Type: application/json

{
 "sub"         : "248289761001",
 "name"        : "Jane Doe",
 "given_name"  : "Jane",
 "family_name" : "Doe",
 "email"       : "janedoe@example.com",
 "picture"     : "http://example.com/janedoe/me.jpg"
}

Clients can however opt in to receive the claims packaged as a JSON Web Token (JWT), signed by the IdP. The JWT can be additionally encrypted. This is also stated at client registration time.

POST /clients HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "redirect_uris"                   : [ "https://client.example.org/callback" ],
  "client_name"                     : "My Cool App",
  "userinfo_signed_response_alg"    : "RS256",
  "userinfo_encrypted_response_alg" : "A128GCMKW",
  "userinfo_encrypted_response_enc" : "A128CBC-HS256"
}

The Connect2id server supports the same JWE algorithms for UserInfo JWT encryption as for ID tokens (that is, all the standard ones).

Example encrypted UserInfo:

HTTP/1.1 200 OK
Content-Type: application/jwt

eyJraWQiOiJlMSIsImN0eSI6IkpXVCIsImVuYyI6IkExMjhHQ00iLCJhbGciOiJSU0ExXzUifQ.WR0Y
05FSyPrgFCdLvp_UAjr44wE5_jY0BEekZw5K7mUkDxeBBN_zAjd8Wmt055iA9QsGFN0qFzGsin7P05R
2BSZKuXPPRis-iqmxwvIPF5hSFrWVpA3XL7I5u91DKl1t_nnw1NVbn6MgVw4wf8Ca7yfoanYF-jaj3w
HGSXwASrk.t7OTawT4hj5Q3YW5.3no2XbKPTnStuS-xXGmuQv6n-Y0hZfUPYz-NhP6Zeg1_NURcr0vv
_e0e0eP5q6G2fRgxO_DICYCREwxzQ0mjMs8JMrwT5bkMwMkJP2w0zJsGEFyIhRtAH2r43fL42XaXo6H
3DBU2Gw4Fo9w7ze4WNKMZIRCd42BkSubLNrsMSVbX2RsHGRlovbV5j7ADnCtkhvM2QPiejcW0UCY6Cv
pS5zCBvA3rw9-wtSV4Pfqh-B5DY8k-7bWuE0gbvDupmMvloBa_FhX4M0866_KfV2SE-xD4jXVPyEznN
cVkuJZut1bIZjRE3Xn57dgu-NcyOTXAeIsmtqUbpYx7Ra4TB9Xcw448KUg9AQfZjOG9qSfe-alMDt1x
JPfHOsPTalQRF9CD-NNNVVkj7EP-P9iMly1BwLYeSxkiWlv4L6rH37upW3t8p7d_RFZ8rralvg.tAvZ
Vj1W1OmDl37qSQRryg
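
To make the client side of the encrypted ID token and encrypted UserInfo registrations above concrete, here is an added Go example (not Connect2id or Nimbus code). It implements the symmetric key derivation of OpenID Connect Core 1.0 section 10.2 (left-most bits of SHA-256 over the client_secret), produces and consumes a nested JWT in JWE compact serialisation, and on the client side refuses any JWE whose alg/enc differ from what the client registered, and any inner JWT whose alg differs from the registered signing alg. It uses the dir / A128GCM pair rather than the A128GCMKW / A128CBC-HS256 pair of the registration examples, to stay short (both pairs are in the supported lists of the release notes); the inner signed JWT is a placeholder with header {"alg":"RS256"}, and a real client would go on to verify its signature, for example with the Nimbus libraries mentioned earlier. The client_secret and token values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Registration: what the client sent to /clients (the page's id_token_* or
// userinfo_* metadata); this example handles the dir / A128GCM pair.
type Registration struct {
	ClientSecret string
	SignedAlg    string // *_signed_response_alg, expected in the nested JWT
	EncAlg       string // *_encrypted_response_alg
	EncEnc       string // *_encrypted_response_enc
}

// Header is the protected header of a JWE, or the header of a JWS.
type Header struct {
	Alg string `json:"alg"`
	Enc string `json:"enc,omitempty"`
	Cty string `json:"cty,omitempty"`
}

// DeriveKey follows OpenID Connect Core 1.0 section 10.2: the symmetric key
// is the left-most bits of SHA-256 over the UTF-8 client_secret (128 for A128GCM).
func DeriveKey(clientSecret string, bits int) []byte {
	sum := sha256.Sum256([]byte(clientSecret))
	return sum[:bits/8]
}

func gcmFor(clientSecret string) cipher.AEAD {
	block, _ := aes.NewCipher(DeriveKey(clientSecret, 128)) // 16-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt is the server side: A128GCM over the already signed JWT with the
// base64url protected header as AAD; with "dir" the encrypted-key segment is
// empty. Returns JWE compact serialisation.
func Encrypt(clientSecret, signedJWT string) string {
	hdrJSON, _ := json.Marshal(Header{Alg: "dir", Enc: "A128GCM", Cty: "JWT"})
	protected := b64.EncodeToString(hdrJSON)
	iv := make([]byte, 12)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	out := gcmFor(clientSecret).Seal(nil, iv, []byte(signedJWT), []byte(protected))
	n := len(out) - 16 // Go appends the tag; JWE carries it as its own segment
	return strings.Join([]string{protected, "", b64.EncodeToString(iv),
		b64.EncodeToString(out[:n]), b64.EncodeToString(out[n:])}, ".")
}

// ParseHeader decodes the first segment of a compact JWE or JWS.
func ParseHeader(token string) (h Header, err error) {
	raw, err := b64.DecodeString(strings.SplitN(token, ".", 2)[0])
	if err == nil {
		err = json.Unmarshal(raw, &h)
	}
	return
}

// Decrypt is the client side. The outer alg/enc must equal what the client
// registered and the inner JWT's alg must equal the registered signing alg,
// so neither layer can be downgraded by editing a header.
func Decrypt(reg Registration, jwe string) (string, error) {
	parts := strings.Split(jwe, ".")
	hdr, err := ParseHeader(jwe)
	if err != nil || len(parts) != 5 {
		return "", errors.New("not a well-formed compact JWE")
	}
	if hdr.Alg != "dir" || hdr.Enc != "A128GCM" || hdr.Alg != reg.EncAlg || hdr.Enc != reg.EncEnc {
		return "", fmt.Errorf("header %s/%s rejected; registered %s/%s", hdr.Alg, hdr.Enc, reg.EncAlg, reg.EncEnc)
	}
	iv, err1 := b64.DecodeString(parts[2])
	ct, err2 := b64.DecodeString(parts[3])
	tag, err3 := b64.DecodeString(parts[4])
	if err1 != nil || err2 != nil || err3 != nil || parts[1] != "" || len(iv) != 12 {
		return "", errors.New("malformed JWE segments") // GCM panics on a bad nonce length, so check it first
	}
	pt, err := gcmFor(reg.ClientSecret).Open(nil, iv, append(ct, tag...), []byte(parts[0]))
	if err != nil {
		return "", errors.New("authentication failed: wrong client_secret or tampered token")
	}
	if inner, err := ParseHeader(string(pt)); err != nil || inner.Alg != reg.SignedAlg {
		return "", fmt.Errorf("inner JWT alg %q, registered %q", inner.Alg, reg.SignedAlg)
	}
	return string(pt), nil
}

func main() {
	reg := Registration{ClientSecret: "constructed-client-secret", SignedAlg: "RS256", EncAlg: "dir", EncEnc: "A128GCM"}
	jwe := Encrypt(reg.ClientSecret, "eyJhbGciOiJSUzI1NiJ9.e30.c2ln") // stands in for a signed ID token
	fmt.Println(jwe)
	fmt.Println(Decrypt(reg, jwe))
}
```

Decoding the protected header of the encrypted UserInfo example above gives {"kid":"e1","cty":"JWT","enc":"A128GCM","alg":"RSA1_5"}: the server selected the client's key by kid, and cty tells the client to expect a nested JWT inside. Note that RSA1_5 (RSAES-PKCS1-v1_5) is vulnerable to padding oracle attacks whenever the decryptor's error behaviour is observable, so a client registering for public key encryption should prefer RSA-OAEP-256, which the server also lists as supported.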

Download

To preview the upcoming Connect2id server 6.0 release download the following ZIP package and follow the instructions in the README.txt file:

https://connect2id.com/assets/products/server/download/6.0-pre-3/Connect2id-server.zip

https://connect2id.com/assets/products/server/download/6.0-pre-3/c2id.war

Questions?

For any questions, write in the comments section below or email our support team.


Release notes 6.0-pre-3 (2016-08-30)

General

  • Switches to Infinispan's persistent store APIs to enable support of other Connect2id server backends besides LDAP, such as flat file storage, DynamoDB and LevelDB.

  • Adds support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

  • Adds support for encrypted ID tokens. A client can receive ID tokens encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for encrypted UserInfo. A client can receive UserInfo JWTs encrypted with a public RSA or EC key it has registered with the Connect2id server (via the jwks or jwks_uri client registration parameter), or with a symmetric AES key derived from its client_secret.

  • Adds support for registering OpenID Connect / OAuth 2.0 clients with a JWK set specified by URI (jwks_uri). Intended for handling private_key_jwt client authentication, self-issued JWT and SAML 2.0 bearer grants, signed request objects, encrypted ID tokens and encrypted UserInfo responses. The downloaded client JWK set is cached by the Connect2id server to ensure quick processing of requests that rely on remote JWKs.

  • Updates handling of the optional max_age OpenID authentication request parameter. If max_age is set to zero (max_age=0) the Connect2id server will prompt the end-user for (re)authentication, even if the end-user has an existing valid session with the Connect2id server. This is equivalent to setting the optional prompt OpenID authentication request parameter to login (prompt=login). See issue #993 with the OpenID Connect working group (https://bitbucket.org/openid/connect/issues/993).

  • Adds experimental support for pairwise subject (end-user) identifiers, based on deterministic AES encryption in SIV mode (see RFC 5297).

  • Adds an extra layer of security to issued session IDs, authorisation codes and identifier-based access tokens by appending an HMAC-SHA256 message authentication code (truncated to 128 bits) to them. The HMAC enables detection of online guessing attacks and may also be used to block certain DoS attacks that utilise the above objects.

  • Switches to new JSON-based marshalling of Connect2id server objects stored in Infinispan.

  • Refines diagnostic messages on a client registration error due to invalid or inconsistent client metadata.

  • Refines logging of invalid client authentication attempts at the token endpoint (issue server/199).

Configuration

  • /WEB-INF/jwkSet.json

    • All JSON Web Keys (JWKs) in the Connect2id server JWK set must have a key identifier ("kid" JWK parameter) and specify the intended key use ("use" JWK parameter).

    • All RSA JWKs intended for signing of objects (ID tokens, UserInfo JWTs and self-contained access tokens) must have their use parameter set to "sig" (signature). Required to prevent mix up with future RSA JWKs intended for encrypting objects to the Connect2id server.

    • Adds support for optional EC JWKs with curves P-256, P-384 and P-521 for signing of ID tokens and UserInfo JWTs. The EC JWKs must have a key identifier ("kid" JWK parameter) and be flagged for signature use ("use":"sig").

    • All AES JWKs intended for symmetric encryption of self-contained access tokens must have their use parameter set to "enc" (encryption). Required to prevent mix up with the introduced secret JWKs for HMAC protection and pairwise subject encryption (see below).

    • Adds new secret JSON Web Key (JWK) with ID "hmac" and use "sig" to facilitate HMAC-SHA256 protection of session IDs, authorisation codes and identifier-based access tokens. The HMAC key size must be 256 bits.

    • Adds new symmetric JSON Web Key (JWK) with ID "subject-encrypt" to facilitate AES SIV-mode (RFC 5297) encryption of pairwise subject identifiers. The accepted AES key sizes are 128, 192 and 256 bits.

  • /WEB-INF/oidcProvider.properties

    • Extends the op.idToken.jwsAlgs configuration setting to include support for ID tokens signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.idToken.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued ID tokens. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.idToken.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued ID tokens. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

    • Adds new op.authz.requestJWSAlgs configuration setting for the accepted JWS algorithms for signed OpenID authentication requests passed with the optional request_uri or request parameter. The following JWS algorithms are supported: HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512 and none.

    • Adds new op.reg.resourceRetriever.httpConnectTimeout configuration setting for the HTTP connect timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Adds new op.reg.resourceRetriever.httpReadTimeout configuration setting for the HTTP read timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Removes the op.reg.preloadCache, op.reg.ldapServer.*, op.reg.ldapUser.*, op.reg.ldapDirectory.*, op.reg.customTrustStore.* and op.reg.customKeyStore.* settings for configuring an LDAP store for the OpenID Connect and OAuth client registration. Configuration of the client registration store is now assumed by Infinispan.

    • Extends the op.userinfo.jwsAlgs configuration setting to include support for UserInfo JWTs signed with EC DSA (ES256, ES384 and ES512).

    • Adds new op.userinfo.jweAlgs configuration setting for the enabled JWE key management algorithms for applying optional additional encryption to issued UserInfo JWTs. All standard symmetric and public key JWE algorithms are supported: RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW and A256GCMKW.

    • Adds new op.userinfo.jweEncs configuration setting for the enabled JWE content encryption methods for applying optional additional encryption to issued UserInfo JWTs. All standard JWE methods are supported: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

  • /WEB-INF/authzStore.properties

    • Removes the authzStore.options.preloadCache, authzStore.ldapServer.*, authzStore.ldapUser.*, authzStore.ldapDirectory.*, authzStore.customTrustStore.* and authzStore.customKeyStore.* settings for configuring an LDAP store for the long-lived (persisted) OpenID Connect and OAuth authorisations. Configuration of the long-lived authorisations store is now assumed by Infinispan.

    • Adds new authzStore.options.discardedAttributes setting to list the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and backend storage.

    • Adds the "iat" (issued-at) claim to the list of recommended JWT claims to include in self-contained access tokens. Required to facilitate correct inspection of revoked self-contained access tokens.

  • /WEB-INF/infinispan.xml

    • Updates all advanced externalisers for Connect2id server data stored in Infinispan. The externalisers are now declared programmatically, instead of using the Infinispan XML configuration.

    • Adds new "clients.remoteJWKSetCache" cache.

    • Replaces the "op.regCache" cache with "clients.registrationsMap".

    • Replaces the "op.regTokenCache" cache with "op.clientRegTokenMap".

    • Replaces the "authzStore.authzCache" cache with "authzStore.longLivedAuthzMap".

Web API

  • /.well-known/openid-configuration

    • Advertises support for pairwise subject identifiers (subject_types_supported).

  • /clients/

    • Supports registration of OAuth 2.0 and OpenID Connect clients with a JWK set specified by URL (jwks_uri).

    • Supports registration of OpenID Connect clients for pairwise subject identifiers. OpenID Connect clients can be registered for pairwise subject identifiers by setting the "subject_type" parameter to "pairwise"; if more than one redirection URI is specified in the "redirect_uris" parameter, a "sector_identifier_uri" parameter must also be provided.

  • /session-store/rest/v2/sessions

    • Support for the optional "SID" header parameter on POST new session is removed, due to the introduction of HMAC secured session IDs. The key portion of the session ID can be set with the new "SID-Key" header parameter; the Connect2id server will then return the final SID (session key with appended HMAC).

  • /authz-store/rest/v2/revocation

    • Extends the effect of revocation to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

  • /authz-store/rest/v2/inspection

    • Access tokens that fall under the scope of a previous revocation event are now resolved as invalid. Previously, access tokens would appear as valid until they expired, unless the access token was identifier-based and had been explicitly revoked.

  • /monitor/v1/metrics

    • Replaces the "authzStore.numCachedAuthorizations" metric with "authzStore.numLongLivedAuthorizations".

    • Adds new "clientStore.numCachedRemoteJWKSets" metric for the number of cached client JWK sets.

Bug fixes

  • Adds check to prevent client registration of redirect_uris with a fragment component (issue sdk/188).

  • Fixes NPE in the LDAP connector when the asynchronous LDAP result listener receives a notification before the associated timer context is cached (issue authz-store/117).

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (issue #219).

  • Enables stack trace logging on Infinispan cache manager launch failure.

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.4.1

  • Upgrades to com.nimbusds:oidc-session-store:4.7.1

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.16.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.26

  • Upgrades to com.nimbusds:common:1.108.1

  • Upgrades to Infinispan 8.2.4.Final

  • Upgrades to JAX-RS Jersey 2.23.1

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to diagnose class loader issues at runtime (issue server/219).

Identity events and why we joined the ID-event effort

Sourcing of user logins, logouts, token issue, revocation and other identity related events can be useful or even mandatory for an enterprise's audit, risk management and BI systems.

Support for event feeds has been on the Connect2id server roadmap since the beginning of 2016, and we spent time thinking about a common event format and interface for plugging various mechanisms for their delivery (message queues, etc). Events will also be a part of the upcoming Connect2id cloud service for OpenID Connect IdP, SSO and OAuth 2.0 access management.

We are really delighted that there is now an effort at the IETF to standardise identity events. The first milestone of that was the release of a draft spec for the Security Event Token (SET), which utilises the well-known JWT format.

Sample SET for user "alice" logging in, detailing the authentication factors and strength, and the IP address of her browser:

{
  "jti"    : "3d0c3cf797584bd193bd0fb1bd4e7d30",
  "events" : [ "https://events.c2id.com/login" ],
  "iat"    : 1458496025,
  "iss"    : "https://c2id.com",
  "aud"    : [ "https://example.com/feeds/98d52461fa5bbc879593b7754" ],
  "https://events.c2id.com/login" : { "sub" : "alice",
                                      "amr" : [ "mfa", "pwd", "otp" ],
                                      "acr" : "https://loa.c2id.com/high",
                                      "ip"  : "192.168.0.1" }
}

The SET may be signed with the IdP's RSA key, and optionally encrypted for the intended audience, using the standard JWS and JWE facilities of JWT.

Delivery may be via HTTP notifications (asynchronous and not guaranteed) or via a message queue (if a delivery guarantee is required).
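
As an added example (not Connect2id code) of what consuming a SET involves, here is a Go program that builds the sample SET above, signs it with an RSA key as a compact JWS (RS256), and on the receiving side verifies the signature, pins the alg to RS256, and applies the SET-specific checks: iss and aud match this feed, a jti is present for replay detection, iat is not in the future, and every URI listed in events has its own payload object. The "secevent+jwt" typ header and the 60-second iat tolerance are assumptions taken from later practice, not from the page; the demo key is generated at runtime, where an IdP would use its published JWK.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// LoginEvent is the event URI used in the page's sample SET.
const LoginEvent = "https://events.c2id.com/login"

// NewLoginSET builds the claims set of the page's sample: standard JWT claims,
// an "events" array of event URIs, and per-event payloads keyed by those URIs.
func NewLoginSET(jti, iss string, aud []string, iat int64, sub string, amr []string, acr, ip string) map[string]interface{} {
	return map[string]interface{}{
		"jti": jti, "iss": iss, "aud": aud, "iat": iat,
		"events":   []string{LoginEvent},
		LoginEvent: map[string]interface{}{"sub": sub, "amr": amr, "acr": acr, "ip": ip},
	}
}

// SignRS256 produces a compact JWS over the claims with the IdP's RSA key.
// The "secevent+jwt" typ is from the later RFC 8417, added here as an assumption.
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "secevent+jwt"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks the signature with the IdP's public key. The header alg
// must be exactly RS256, so a token claiming "none" or an HMAC alg is refused
// before any claim is read.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected or unreadable alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// ValidateSET adds the SET-specific checks to the usual JWT ones: issuer and
// audience match this feed, a jti is present for replay detection, iat is not
// in the future, and every listed event URI carries a payload object.
func ValidateSET(claims map[string]interface{}, wantIss, wantAud string, now time.Time) error {
	if claims["iss"] != wantIss {
		return fmt.Errorf("iss %v, want %s", claims["iss"], wantIss)
	}
	aud, _ := claims["aud"].([]interface{})
	audOK := false
	for _, a := range aud {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		return errors.New("aud does not include this feed")
	}
	if jti, _ := claims["jti"].(string); jti == "" {
		return errors.New("missing jti")
	}
	if iat, ok := claims["iat"].(float64); !ok || int64(iat) > now.Unix()+60 {
		return errors.New("iat missing or in the future")
	}
	events, _ := claims["events"].([]interface{})
	if len(events) == 0 {
		return errors.New("events is empty")
	}
	for _, e := range events {
		uri, _ := e.(string)
		if _, ok := claims[uri].(map[string]interface{}); !ok {
			return fmt.Errorf("event %q has no payload object", uri)
		}
	}
	return nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // demo key only
	if err != nil {
		panic(err)
	}
	feed := "https://example.com/feeds/98d52461fa5bbc879593b7754"
	claims := NewLoginSET("3d0c3cf797584bd193bd0fb1bd4e7d30", "https://c2id.com", []string{feed}, 1458496025,
		"alice", []string{"mfa", "pwd", "otp"}, "https://loa.c2id.com/high", "192.168.0.1")
	tok, _ := SignRS256(priv, claims)
	got, err := VerifyRS256(&priv.PublicKey, tok)
	fmt.Println(err, ValidateSET(got, "https://c2id.com", feed, time.Now()))
}
```

A receiver that stores seen jti values can also reject replayed SETs, which matters for the asynchronous HTTP delivery mentioned above; the jti check here only ensures the identifier is there to store.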

Second preview of the upcoming Connect2id server 6.0

We are delighted to announce a 2nd preview of the upcoming Connect2id server 6.0 for token-based security built on the emerging OpenID Connect / OAuth 2.0 protocol stack. This is probably the most significant update of the Connect2id server in terms of advancing security for the IdP and its relying parties, as well as opening up new avenues for deployment of the server.

Summary of the key features introduced since the first preview about a month ago:

Clients can register their JSON Web Keys (JWK) by URI

Client applications that want to use their own RSA or EC keys for advanced JWT authentication with the server can simply publish them in JSON Web Key (JWK) format at an HTTPS URL, and then register this URL with the Connect2id server. Previously client JWKs could only be registered by value.

The server will cache the published keys so that processing of token requests doesn't get slowed down. If the client ever updates the published JWK set and makes use of a new key, the Connect2id server will automatically pick it up. Key rollover should be as seamless as possible.

Note that for extra security the Connect2id server will impose an HTTP timeout limit of 250 milliseconds when fetching remote JWK sets, and will also limit their size. You can modify these limits if needed.
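An added example, not the server's own fetching code, of what the remote JWK set retrieval described above needs to get right: https only, a timeout, a byte cap enforced while reading, validation of the document shape, and a cache that refreshes once when an unknown key ID shows up so that key rollover works. It uses urllib, whose single timeout covers connect and read together (the server configures the two separately); the 50 kB cap and the one-hour cache lifetime are assumptions, and the JWK set it serves offline is constructed.

```python
import io
import json
import time
import urllib.request
from typing import Callable, Dict, Optional


class JWKSetFetchError(Exception):
    pass


class RemoteJWKSetCache:
    """Fetches a client's JWK set by URI under a timeout and a size cap, and caches it."""

    def __init__(self, timeout_s: float = 0.25, max_bytes: int = 50_000, ttl_s: int = 3600,
                 opener: Callable = urllib.request.urlopen):
        self.timeout_s = timeout_s   # urlopen's single timeout spans connect and read
        self.max_bytes = max_bytes   # assumed cap; the page caps the size but does not state a value
        self.ttl_s = ttl_s           # assumed cache lifetime
        self.opener = opener
        self.fetch_count = 0         # exposed so the refresh behaviour can be observed
        self._cache: Dict[str, tuple] = {}   # url -> (expires_at, {kid: jwk})

    def _fetch(self, url: str) -> Dict[str, dict]:
        if not url.startswith("https://"):
            raise JWKSetFetchError("jwks_uri must use https")
        self.fetch_count += 1
        try:
            with self.opener(url, timeout=self.timeout_s) as resp:
                body = resp.read(self.max_bytes + 1)   # one byte past the cap reveals overflow
        except OSError as exc:                          # covers socket.timeout and URLError
            raise JWKSetFetchError("fetch failed: %s" % exc)
        if len(body) > self.max_bytes:
            raise JWKSetFetchError("JWK set exceeds %d bytes" % self.max_bytes)
        try:
            doc = json.loads(body)
        except ValueError:
            raise JWKSetFetchError("JWK set is not valid JSON")
        keys = doc.get("keys") if isinstance(doc, dict) else None
        if not isinstance(keys, list):
            raise JWKSetFetchError("document has no 'keys' array")
        return {k["kid"]: k for k in keys if isinstance(k, dict) and "kid" in k}

    def get(self, url: str, now: Optional[float] = None) -> Dict[str, dict]:
        now = time.time() if now is None else now
        hit = self._cache.get(url)
        if hit is not None and hit[0] > now:
            return hit[1]
        keys = self._fetch(url)
        self._cache[url] = (now + self.ttl_s, keys)
        return keys

    def key_for(self, url: str, kid: str, now: Optional[float] = None) -> Optional[dict]:
        """Resolve a key ID; an unknown kid triggers one refresh so a rolled-over key is picked up."""
        keys = self.get(url, now)
        if kid in keys:
            return keys[kid]
        self._cache.pop(url, None)
        return self.get(url, now).get(kid)


def static_opener(document: dict) -> Callable:
    """Offline stand-in for urlopen: serves the given document as the HTTP body."""
    def opener(url, timeout):
        return io.BytesIO(json.dumps(document).encode())
    return opener


# Constructed JWK set, public parts only, with a placeholder modulus.
CONSTRUCTED_JWK_SET = {"keys": [{"kty": "RSA", "kid": "2016-07", "use": "sig",
                                 "n": "placeholder-modulus", "e": "AQAB"}]}

if __name__ == "__main__":
    cache = RemoteJWKSetCache(opener=static_opener(CONSTRUCTED_JWK_SET))
    print(cache.key_for("https://client.example.com/jwks.json", "2016-07"))
```

Reading max_bytes + 1 rather than trusting a Content-Length header is what makes the cap hold against a server that lies about, or omits, the length. The refresh-on-miss in key_for is deliberately limited to one attempt per lookup, so an attacker-controlled kid cannot be used to make the IdP hammer the client's URL.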

Extra HMAC protection for session IDs, code and ID-based access tokens

We decided to add an extra layer of cryptographic protection to browser session IDs, authorisation codes and identifier-based access tokens. This is done by appending a SHA-256 based message authentication code (HMAC) to the ID.

The additional HMAC allows the Connect2id server to differentiate between expired and invalid browser session IDs, and to raise an alarm if the latter is detected (which may be a sign of an online SID guessing attack). The Connect2id server will proceed to look up the SID in the underlying session store only if the HMAC check has passed.

The HMAC also provides protection in the event of a failure or compromise of the secure random generator on the host machine.
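To make the mechanism concrete, an added example (not the Connect2id server's code) of an HMAC-protected session ID: a random key portion followed by HMAC-SHA256 over it truncated to 128 bits, a check that rejects anything with a bad tag before the store is consulted, and the resulting three-way outcome of a lookup. The 256-bit key is generated on the fly in place of the "hmac" JWK from the configuration; the 16-byte key portion is an assumed length. Passing your own key portion to mint_sid mirrors the SID-Key header described in the release notes below.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed 256-bit key; in the server this is the "hmac" secret JWK in jwkSet.json.
HMAC_KEY = secrets.token_bytes(32)
KEY_LEN = 16   # random key portion of the SID (assumed length)
TAG_LEN = 16   # HMAC-SHA256 truncated to 128 bits, as in the release notes


def _tag(key_part: bytes) -> bytes:
    return hmac.new(HMAC_KEY, key_part, hashlib.sha256).digest()[:TAG_LEN]


def mint_sid(key_part: Optional[bytes] = None) -> str:
    """Return base64url(key || HMAC(key)). A caller-supplied key_part plays the role
    of the SID-Key header; the server still appends the tag itself."""
    if key_part is None:
        key_part = secrets.token_bytes(KEY_LEN)
    elif len(key_part) < KEY_LEN:
        raise ValueError("SID key portion too short")
    return base64.urlsafe_b64encode(key_part + _tag(key_part)).rstrip(b"=").decode("ascii")


def parse_sid(sid: str) -> Optional[bytes]:
    """Return the key portion if the appended tag verifies, otherwise None.
    No store access happens here, so a guessed SID costs the server one HMAC."""
    try:
        raw = base64.urlsafe_b64decode(sid + "=" * (-len(sid) % 4))
    except ValueError:
        return None
    if len(raw) < KEY_LEN + TAG_LEN:
        return None
    key_part, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return key_part if hmac.compare_digest(tag, _tag(key_part)) else None


class SessionStore:
    def __init__(self):
        self._sessions: Dict[bytes, dict] = {}
        self.alarms = 0   # HMAC failures: SIDs this server never issued

    def create(self, subject: str, ttl_s: int, now: Optional[float] = None,
               key_part: Optional[bytes] = None) -> str:
        now = time.time() if now is None else now
        sid = mint_sid(key_part)
        self._sessions[parse_sid(sid)] = {"sub": subject, "exp": now + ttl_s}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Tuple[str, Optional[dict]]:
        """'invalid' (bad tag, alarm raised), 'expired' (good tag, no live session) or 'ok'."""
        now = time.time() if now is None else now
        key_part = parse_sid(sid)
        if key_part is None:
            self.alarms += 1
            return "invalid", None
        session = self._sessions.get(key_part)
        if session is None or session["exp"] <= now:
            self._sessions.pop(key_part, None)
            return "expired", None
        return "ok", session


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", ttl_s=3600)
    print(sid, store.lookup(sid))
```

Because a well-formed but unknown SID can only be one the server issued and has since dropped, the "expired" branch is benign, while every "invalid" result is worth counting and alerting on. The tag also means that even a weak random source for the key portion cannot by itself let a forged SID reach the store.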

Revocation journal

The Connect2id server is now keeping a journal of all revocation events.

This allows the effect of revocation to be extended to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

We're playing with the idea of making the revocation journal available via the authz store web API, for audit purposes and also to enable syncing of the revocation events with resource servers.
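As an added illustration (not the server's implementation), a minimal revocation journal and the inspection logic that consults it. A self-contained token can only be compared against the journal if it carries iat, which is why the release notes below add it to the recommended claims. The token field names and sample values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RevocationEvent:
    """One journal entry: when it happened and which authorisations it targeted.
    A None field means 'any', so a subject-only revocation covers every client."""
    time: int
    subject: Optional[str] = None
    actor: Optional[str] = None
    client_id: Optional[str] = None

    def covers(self, token: dict) -> bool:
        for field, wanted in (("sub", self.subject), ("actor", self.actor),
                              ("client_id", self.client_id)):
            if wanted is not None and token.get(field) != wanted:
                return False
        return True


class RevocationJournal:
    def __init__(self):
        self._events: List[RevocationEvent] = []

    def record(self, event: RevocationEvent) -> None:
        self._events.append(event)

    def revokes(self, token: dict) -> bool:
        """A token is revoked if a matching event happened at or after its issue time.
        Tokens issued later belong to a new authorisation and are untouched."""
        if "iat" not in token:
            raise ValueError("self-contained token has no iat claim; cannot be journaled")
        return any(ev.covers(token) and ev.time >= token["iat"] for ev in self._events)


def inspect_token(journal: RevocationJournal, token: dict, now: int) -> str:
    """Inspection outcome: 'expired', 'revoked' or 'active'."""
    if token.get("exp", 0) <= now:
        return "expired"
    if journal.revokes(token):
        return "revoked"
    return "active"


if __name__ == "__main__":
    journal = RevocationJournal()
    token = {"sub": "alice", "client_id": "000123", "iat": 100, "exp": 10_000}
    journal.record(RevocationEvent(time=200, subject="alice"))
    print(inspect_token(journal, token, now=250))
```

The journal only needs to be kept for as long as the longest-lived access token it could affect; entries older than that can be pruned, since any token they would match has expired anyway.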

Download

To preview the upcoming Connect2id server 6.0 release download the following ZIP package and follow the instructions in the README.txt file:

https://connect2id.com/assets/products/server/download/6.0-pre-2/Connect2id-server.zip

This will launch an instance of the Connect2id server where data is persisted to a local file store (Infinispan's Soft-Index File Store).

An LDAP directory is still included in the package, but that's only to provide a sample user database.

Important: The Tomcat web server must be launched from the base of the extracted file tree, otherwise the Connect2id server will not be able to find the correct base directory for the file store. We intend to fix this by the time 6.0 gets released.

Questions?

If you have any questions or comments about the new persistence backends, don't hesitate to get in touch with Connect2id support.


Release notes

6.0-pre-2 (2016-07-20)

General

  • Switches to Infinispan's persistent store APIs to enable support of other backends besides LDAP, such as flat file storage, DynamoDB and LevelDB.

  • Adds support for registering OpenID Connect / OAuth 2.0 clients with a JWK set specified by URI (jwks_uri). Intended for handling private_key_jwt client authentication, self-issued JWT and SAML 2.0 bearer grants, signed request objects, encrypted ID tokens and encrypted UserInfo responses. The downloaded client JWK set is cached by the Connect2id server to ensure quick processing of requests that rely on remote JWKs.

  • Updates handling of the optional max_age OpenID authentication request parameter. If max_age is set to zero (max_age=0) the Connect2id server will prompt the end-user for (re)authentication, even if the end-user has an existing valid session with the Connect2id server. This is equivalent to setting the optional prompt OpenID authentication request parameter to login (prompt=login). See issue #993 with the OpenID Connect working group (https://bitbucket.org/openid/connect/issues/993).

  • Adds experimental support for pairwise subject (end-user) identifiers.

  • Adds an extra layer of security to issued session IDs, authorisation codes and identifier-based access tokens by provisioning them with a SHA-256 based Message Authentication Code (MAC) (truncated to 128 bits). The HMAC enables detection of online guessing attacks and may also be used to block certain DoS attacks that utilise the above objects.

  • Switches to new JSON-based marshalling of Connect2id server objects stored in Infinispan.

  • Refines logging of invalid client authentication attempts at the token endpoint (issue server/199).
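An added example, not Connect2id code, of the max_age handling in the third item above taken together with the prompt parameter: max_age=0 forces re-authentication exactly like prompt=login, and when prompt=none forbids any interaction the outcome is the login_required error instead. The return labels are this example's own.

```python
from typing import Optional, Set


def parse_prompt(value: Optional[str]) -> Set[str]:
    """Split the space-delimited prompt parameter; 'none' may not be combined with other values."""
    values = set(value.split()) if value else set()
    if "none" in values and len(values) > 1:
        raise ValueError("prompt=none cannot be combined with other prompt values")
    return values


def decide(prompt: Optional[str], max_age: Optional[int],
           auth_time: Optional[int], now: int) -> str:
    """Return 'reuse' (existing session is acceptable), 'reauthenticate' (show the
    login UI) or 'login_required' (authentication needed but prompt=none forbids it).

    auth_time is the time of the end-user's last authentication with the server,
    or None when there is no session at all."""
    if max_age is not None and max_age < 0:
        raise ValueError("max_age must be a non-negative integer")
    values = parse_prompt(prompt)
    if auth_time is None:
        needed = True                    # no session to reuse
    elif "login" in values:
        needed = True
    elif max_age is None:
        needed = False                   # no freshness requirement stated
    elif max_age == 0:
        needed = True                    # max_age=0 is treated like prompt=login
    else:
        needed = now - auth_time > max_age
    if not needed:
        return "reuse"
    return "login_required" if "none" in values else "reauthenticate"


if __name__ == "__main__":
    print(decide(prompt=None, max_age=0, auth_time=1000, now=1001))
```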

Configuration

  • /WEB-INF/jwkSet.json

    • All RSA JSON Web Keys (JWKs) intended for signing of objects (ID tokens, self-contained access tokens, etc.) must have their use parameter set to "sig" (signature). This is required to prevent a mix-up with future RSA JWKs intended for encrypting objects to the Connect2id server.

    • All AES JSON Web Keys (JWKs) intended for symmetric encryption of self-contained access tokens must have their use parameter set to "enc" (encryption). This is required to prevent a mix-up with the newly introduced secret JWKs for HMAC protection and pairwise subject encryption (see below).

    • Adds new secret JSON Web Key (JWK) with ID "hmac" and use "sig" to facilitate HMAC-SHA256 protection of session IDs, authorisation codes and identifier-based access tokens. The HMAC key size must be 256 bits.

    • Adds new symmetric JSON Web Key (JWK) with ID "subject-encrypt" to facilitate AES/CBC/PKCS5Padding encryption of pairwise subject identifiers. The acceptable AES key sizes are 128, 192 and 256 bits.

    • Adds new salt JSON Web Key (JWK) with ID "subject-salt" to facilitate AES/CBC/PKCS5Padding encryption of pairwise subject identifiers. The salt must be at least 128 bits long.

  • /WEB-INF/oidcProvider.properties

    • Adds new op.reg.resourceRetriever.httpConnectTimeout configuration setting for the HTTP connect timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Adds new op.reg.resourceRetriever.httpReadTimeout configuration setting for the HTTP read timeout (in milliseconds) when retrieving client resources (JWK sets and request objects specified by URI). Zero implies no timeout. Defaults to 250 ms.

    • Removes the op.reg.preloadCache, op.reg.ldapServer.*, op.reg.ldapUser.*, op.reg.ldapDirectory.*, op.reg.customTrustStore.* and op.reg.customKeyStore.* settings for configuring an LDAP store for the OpenID Connect and OAuth client registration. Configuration of the client registration store is now assumed by Infinispan.

  • /WEB-INF/authzStore.properties

    • Removes the authzStore.options.preloadCache, authzStore.ldapServer.*, authzStore.ldapUser.*, authzStore.ldapDirectory.*, authzStore.customTrustStore.* and authzStore.customKeyStore.* settings for configuring an LDAP store for the long-lived (persisted) OpenID Connect and OAuth authorisations. Configuration of the long-lived authorisations store is now assumed by Infinispan.

    • Adds new authzStore.options.discardedAttributes setting to list the optional authorisation attributes that are to be automatically discarded from new authorisation objects, in order to conserve cache memory and backend storage.

    • Adds the "iat" (issued-at) claim to the list of recommended JWT claims to include in self-contained access tokens. Required to facilitate correct inspection of revoked self-contained access tokens.

  • /WEB-INF/infinispan.xml

    • Updates all advanced Infinispan externalisers.

    • Adds new "clients.remoteJWKSetCache" cache.

    • Replaces the "op.regCache" cache with "clients.registrationsMap".

    • Replaces the "op.regTokenCache" cache with "op.clientRegTokenMap".

    • Replaces the "authzStore.authzCache" cache with "authzStore.longLivedAuthzMap".

Web API

  • /.well-known/openid-configuration

    • Advertises support for pairwise subject identifiers (subject_types_supported).

  • /clients/

    • Supports registration of OAuth 2.0 and OpenID Connect clients with a JWK set specified by URL (jwks_uri).

    • Supports registration of OpenID Connect clients for pairwise subject identifiers. OpenID Connect clients can be registered for pairwise subject identifiers by setting the "subject_type" parameter to "pairwise"; if more than one redirection URI is specified in the "redirect_uris" parameter, a "sector_identifier_uri" parameter must also be provided.

  • /session-store/rest/v2/sessions

    • Support for the optional "SID" header parameter on POST new session is removed, due to the introduction of HMAC secured session IDs. The key portion of the session ID can be set with the new "SID-Key" header parameter; the Connect2id server will then return the final SID (session key with appended HMAC).

  • /authz-store/rest/v2/revocation

    • Extends the effect of revocation to issued access tokens as well. Previously, revocation was limited to deleting the long-lived authorisations and any associated refresh tokens that match the revocation spec (subject, actor, client_id).

  • /authz-store/rest/v2/inspection

    • Access tokens that fall under the scope of a previous revocation event will be resolved as invalid. Previously, access tokens would appear as valid until they expired, unless the access token was identifier-based and had been explicitly revoked.

  • /monitor/v1/metrics

    • Replaces the "authzStore.numCachedAuthorizations" metric with "authzStore.numLongLivedAuthorizations".

    • Adds new "clientStore.numCachedRemoteJWKSets" metric for the number of cached client JWK sets.

Bug fixes

  • Adds check to prevent client registration of redirect_uris with a fragment component (issue sdk/188).

  • Fixes NPE in the LDAP connector when the asynchronous LDAP result listener receives a notification before the associated timer context is cached (issue authz-store/117).

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (issue #219).

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:5.3.4

  • Upgrades to com.nimbusds:oidc-session-store:4.4

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.13

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.22

  • Upgrades to com.nimbusds:common:1.107

  • Upgrades to Infinispan 8.2.3.Final

  • Upgrades to JAX-RS Jersey 2.23.1

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to diagnose class loader issues at runtime (issue server/219).

Connect2id server 5.0.2 maintenance release

This is a maintenance release of the OpenID Connect server.

  • Fixes a Connect2id server packaging issue, which may manifest as a Java class loader exception that prevents the server from starting up. The issue was traced to shadowing of the Log4j logging library by Infinispan, and can show up when the JVM loads the Log4j classes in a certain order.

  • We realised that class loader conflicts may also get introduced into the Connect2id server through plugins that customers create, for purposes such as custom grant handling, or in DB connectors. To report such potential conflicts the Connect2id server will from now on run an automated JHades diagnostic at startup. The report will be written to the web server console (catalina.out if you're using Apache Tomcat).

  • Upgrades the Connect2id server to the latest stable versions of Infinispan, JAX-RS Jersey and Log4j.

Download

To download a ZIP package of Connect2id server 5.0.2:

https://connect2id.com/assets/products/server/download/5.0.2/Connect2id-server.zip

As WAR package only:

https://connect2id.com/assets/products/server/download/5.0.2/c2id.war

Questions?

Get in touch with Connect2id support, we'll be delighted to help out.


Release notes

5.0.2 (2016-07-18)

Configuration

  • No changes

Web API

  • No changes

Bug fixes

  • Fixes Log4j class loading conflict caused by shadowing of Log4j by the Infinispan Embedded package (issue #219).

Dependencies

  • Upgrades to Infinispan 8.2.3.Final

  • Upgrades to JAX-RS Jersey 2.23.1

  • Upgrades to Log4j 2.6.2

  • Adds JHades dependency to report class loader issues at server startup (issue #219).