Connect2id server 11.6.2

This is a maintenance update of the Connect2id server for OAuth 2.0 authorisation and OpenID Connect sign-in.

Check the release notes for more information.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.2: Connect2id-server.zip

SHA-256: 6f70d8f0521420860249e03d4fde6f781cddbe20c6c72e74d8b391d03ab73035

Connect2id server 11.6.2 WAR package: c2id.war

SHA-256: 18b57e2f57588ddf7e98847111916cd585c5198531da4bfab59db22bb9330e8b

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.2: Connect2id-server-mt.zip

SHA-256: ab2fb95ae74b4fec71fab11a684b2531199ce409c3022d9059c76d393f390686

Connect2id server 11.6.2 WAR package: c2id-multi-tenant.war

SHA-256: 4db6b8f2232f4838777d9052dd0c5671a0c4c5bd55314390e1209999fe97662a

Questions?

Contact Connect2id support.


Release notes

11.6.2 (2021-05-21)

Resolved issues

  • Fixes the HTTP 401 error response for an HTTP GET /clients request with an invalid master access token. The bug was introduced in 11.6.1 (issue server/668).

  • Fixes a bug introduced in 11.3 (2021-03-31) that allowed OpenID authentication requests with response_type=id_token or response_type=id_token token to pass without a nonce (issue oidc-sdk/363).

  • Updates the logout endpoint OP2711 INFO log message stating that an ID token hint is required when the RP requests a post-logout redirection (issue server/671).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.5.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9.3

  • Updates to Infinispan 9.4.22.Final

  • Updates to com.google.crypto.tink:tink:1.5.0

Connect2id server 11.6.1

This is a maintenance update of the Connect2id server.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.1: Connect2id-server.zip

SHA-256: 148c2ca254e17ec87850574afa66cc23bc51e6b0ec9aebfabb197e58a646cf67

Connect2id server 11.6.1 WAR package: c2id.war

SHA-256: 18702660cf6b4669d8731bc396ee86930e39328215bad65d865d330dec7a9bb8

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.1: Connect2id-server-mt.zip

SHA-256: ad7f3855dd27ad91916cc8e8d7f659f0f99fc5bcb2a87394abe35c2978b691bd

Connect2id server 11.6.1 WAR package: c2id-multi-tenant.war

SHA-256: d25e387f5a122886f03c6b48d79a4258716beebe7bade8f4eaac18069b624ead



Release notes

11.6.1 (2021-05-03)

Resolved issues

  • Fixes missing output of the "resource" parameter (RFC 8707) as URI string list in the authorisation session API objects for OpenID authentication requests. Plain OAuth 2.0 authorisation requests were not affected (issue server/664).

  • Switches HTTP GET /clients output to streaming to conserve memory when reading a large number of OAuth 2.0 client registrations (issue server/665).

  • Improves logging of HTTP 302 errors at the client registration endpoint by including additional details in the log message at INFO level, and reduces the number of log statements needed to log a condition (issue server/667).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.5

Connect2id server 11.6 with FAPI enhancements, login page API update

This week's release of the Connect2id server focuses on the FAPI security profile. It also optimises interaction with the login page API for developers.

New FAPI configurations

Six new configuration properties were added to facilitate conformance with the latest version (2021-03-12) of the FAPI Baseline and Advanced security profiles. The new settings can also be used in other security profiles or to establish some baseline security policy for all OAuth clients.

Here is an overview of the new configurations:

  • Always require an explicit redirect_uri in the authorisation requests (op.authz.alwaysRequireRedirectURI). This is normally a requirement only for OpenID authentication.

  • Additional request object (JAR) specific checks: require a signed request JWT for all authorisation requests (op.authz.alwaysRequireSignedRequestJWT), require a not-before (nbf) claim in request JWTs (op.authz.requireRequestJWTNotBefore), and cap the accepted nbf age and exp lifetime of request JWTs (op.authz.maxAgeRequestJWTNotBefore, op.authz.maxLifetimeRequestJWTExpiration).

  • Require the use of signed authorisation responses (op.authz.alwaysRequireSignedResponse), with JARM (response_type=jwt) or by requesting an ID token in the front-channel (response_type=code id_token) to act as a detached signature.

Note that the authorisation request validator and the PAR validator plugin interfaces (SPI) can be used to perform additional checks or as alternative method.

The FAPI deployment checklist was updated accordingly.

Login page API

The Connect2id server web API for handling user authentication and consent can now include selected authorisation request parameters, including parameters that are custom, in the authentication and consent prompt objects. This behaviour is switched on with two new configuration properties and is intended to save an HTTP GET call in cases when access to those parameters is required by the login page UI or logic.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6: Connect2id-server.zip

SHA-256: ef604a653452a76e6a2c06134c5f5aec110645308b588485ee93966de6b8fac1

Connect2id server 11.6 WAR package: c2id.war

SHA-256: 295c9d2e4037bec5f43676aae5caaf2c8b9a57bd958f25f27e5ac562fd825d35

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6: Connect2id-server-mt.zip

SHA-256: 49854e045c868428c1f8ef27567e2c6b1ca0c1d3cdcf940b7ce8a9610d9d17c3

Connect2id server 11.6 WAR package: c2id-multi-tenant.war

SHA-256: c9652c7610e94f2453f66adb47a1127e438bce7209011465c15bff7a9de72db0



Release notes

11.6 (2021-04-27)

Summary

  • Adds a set of new Connect2id server configuration properties for setting up OAuth 2.0 servers conforming to version 2021-03-12 of the FAPI 1.0 Advanced security profile. See Financial-grade API Security Profile 1.0 - Part 2: Advanced (2021-03-12).

  • Adds configuration properties for causing selected OAuth 2.0 authorisation request parameters, including custom parameters, to appear in the authentication or consent prompt in the authorisation web API. Intended to save HTTP GET calls to the authorisation session resource when access to those parameters is needed.

Configuration

  • /WEB-INF/oidProvider.properties

    • op.authz.alwaysRequireRedirectURI -- New configuration property to specify whether the redirect_uri parameter is required for all authorisation requests. The default value is false (required only for OpenID authentication requests).

    • op.authz.alwaysRequireSignedRequestJWT -- New configuration property to specify whether a JWS signed request JWT passed inline via "request" or by URL reference via "request_uri" will be required for all authorisation requests. The default value is false (not required unless the client is explicitly registered for it).

    • op.authz.requireRequestJWTNotBefore -- New configuration property to specify whether received request object JWTs must include a not before (nbf) claim. The default value is false.

    • op.authz.maxLifetimeRequestJWTExpiration -- New configuration property to specify the maximum accepted lifetime in seconds of an expiration (exp) claim in request JWTs. The lifetime is computed from the not before (nbf) claim if present, otherwise from the current time. The default value is -1 (not specified).

    • op.authz.maxAgeRequestJWTNotBefore -- New configuration property to specify the maximum accepted age in seconds of a not before (nbf) claim in request JWTs. The default value is -1 (not specified).

    • op.authz.alwaysRequireSignedResponse -- New configuration property to specify whether all authorisation requests must specify a JWT-secured response (JARM) or a "response_type" that includes an "id_token" to serve as a detached signature. The default value is false.

    • op.authz.requestParamsInAuthPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the authentication prompt, in a JSON object named "request". No parameters are included by default.

    • op.authz.requestParamsInConsentPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the consent prompt, in a JSON object named "request". No parameters are included by default.
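To make the semantics of the six op.authz.* FAPI properties concrete, here is an added example (not Connect2id server code) that re-implements the documented checks as a single request validator, including the rule behind the 11.6.2 nonce fix (an id_token in the response_type always requires a nonce). It assumes the request JWT's signature has already been verified, that JARM is signalled by a response_mode of jwt or one of its query.jwt / fragment.jwt / form_post.jwt variants, and that a negative limit means "not specified", as the property defaults state.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Illustrative model of the op.authz.* properties described above (an added
# re-implementation of their documented semantics, not Connect2id code).
JARM_RESPONSE_MODES = {"jwt", "query.jwt", "fragment.jwt", "form_post.jwt"}


@dataclass
class AuthzPolicy:
    always_require_redirect_uri: bool = False        # op.authz.alwaysRequireRedirectURI
    always_require_signed_request_jwt: bool = False  # op.authz.alwaysRequireSignedRequestJWT
    require_request_jwt_nbf: bool = False            # op.authz.requireRequestJWTNotBefore
    max_lifetime_request_jwt_exp: int = -1           # op.authz.maxLifetimeRequestJWTExpiration, s
    max_age_request_jwt_nbf: int = -1                # op.authz.maxAgeRequestJWTNotBefore, s
    always_require_signed_response: bool = False     # op.authz.alwaysRequireSignedResponse


def check_request(params: dict, policy: AuthzPolicy, is_openid: bool,
                  jwt_claims: Optional[dict] = None, now: Optional[int] = None) -> list:
    """Return the policy violations (empty list = accepted) for one request.

    params     -- the authorisation request parameters (query or form)
    jwt_claims -- claims of an already signature-verified request JWT, or None
    now        -- Unix time used for the nbf / exp checks (default: the clock)
    """
    now = int(time.time()) if now is None else now
    rts = params.get("response_type", "").split()
    errors = []
    # redirect_uri: mandatory for OpenID, optionally for every request
    if (is_openid or policy.always_require_redirect_uri) and "redirect_uri" not in params:
        errors.append("missing redirect_uri")
    # The 11.6.2 fix: an ID token issued in the front-channel always needs a nonce
    if is_openid and "id_token" in rts and "nonce" not in params:
        errors.append("nonce required when response_type includes id_token")
    # Request object (JAR) checks
    if policy.always_require_signed_request_jwt and jwt_claims is None:
        errors.append("signed request JWT required")
    if jwt_claims is not None:
        nbf, exp = jwt_claims.get("nbf"), jwt_claims.get("exp")
        if policy.require_request_jwt_nbf and nbf is None:
            errors.append("request JWT missing nbf")
        if nbf is not None and 0 <= policy.max_age_request_jwt_nbf < now - nbf:
            errors.append("request JWT nbf too old")
        if exp is not None and policy.max_lifetime_request_jwt_exp >= 0:
            start = nbf if nbf is not None else now  # lifetime from nbf if present, else from now
            if exp - start > policy.max_lifetime_request_jwt_exp:
                errors.append("request JWT lifetime too long")
    # Signed response: a JARM response_mode, or an id_token acting as detached signature
    if policy.always_require_signed_response and (
            params.get("response_mode") not in JARM_RESPONSE_MODES and "id_token" not in rts):
        errors.append("signed response (JARM or id_token) required")
    return errors
```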

Web API

  • /authz-sessions/rest/v3/

    • Authentication prompt: Adds new optional "request" member of type JSON object to the authentication prompt ("auth"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInAuthPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during authentication.

    • Consent prompt: Adds new optional "request" member of type JSON object to the consent prompt ("consent"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInConsentPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during consent.

Resolved issues

  • The "resource" parameter (RFC 8707) as URI string list must be included in the authorisation session object under "auth_req"; fixes a regression bug (issue server/658).

  • The "prompt" parameter as string list must be included in the authorisation session object under "auth_req" for plain OAuth 2.0 requests (custom Connect2id server feature) (issue server/660).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.4.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9

  • Updates to com.nimbusds:oauth2-authz-store:16.7.3

  • Updates to com.nimbusds:oidc-session-store:14.4.4

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.5

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.7

  • Updates to com.nimbusds:tenant-manager:5.0.2

  • Updates to com.nimbusds:tenant-registry:5.3.3

  • Updates to net.minidev:json-smart:2.4.6

Connect2id server 11.5

This release of the Connect2id server adds a new store configuration for deployments in AWS with DynamoDB. The built-in CORS Filter gets an extra setting for disabling it when a reverse HTTP proxy is managing the necessary CORS headers. We also ship a number of updates to underlying code, including one security update to the SAML grant handler.

New DynamoDB + Redis store configuration

In 2017 the Connect2id server began supporting DynamoDB as a database, enabling customers with deployments in the AWS cloud to make use of its native high-performance, low-maintenance NoSQL technology. Until now customers had a choice between two store configurations with DynamoDB: one for clusters in replication mode, where sessions and other short-lived and cached data are kept on the JVM heap, and another for the so-called stateless mode, where all data, including sessions and caches, is put into DynamoDB tables.

This release introduces support for a new store configuration which makes use of Redis (ElastiCache in AWS) to store sessions and other short-lived objects.

/WEB-INF/infinispan-stateless-redis-dynamodb.xml

This configuration is similar to the existing infinispan-stateless-redis-*.xml for MySQL, PostgreSQL and SQL Server, save for the difference that objects from the primary database are not cached in Redis. If you want to achieve higher performance and lower latency by caching items in DynamoDB, consider using AWS DAX to provide such caching transparently.

The release notes have further information and also discuss the implications for DynamoDB replication.

Optional deactivation of the CORS Filter

The built-in CORS Filter receives a new cors.enable setting. By default it's turned on to process the necessary HTTP headers for JavaScript applications (SPA) to make cross-origin requests to the Connect2id server.

Deployments that rely on a reverse HTTP proxy to handle CORS can use the new setting for easy disabling of the built-in filter.

SAML grant handler security update

This release also fixes a security bug in the underlying OAuth 2.0 SDK that could allow SAML assertion grants to include external XML entities. If your deployments have plugins for the SAML 2.0 bearer assertion grant handler SPI they should be updated. This OAuth 2.0 grant was designed early on to enable the exchange of SAML assertions for OAuth access tokens, i.e. to let applications where users have logged in with SAML obtain an access token.

For further information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.5: Connect2id-server.zip

SHA-256: 4037c8327ee19e90db9d5a15b29a22342a66f568fa0625411e1d37e8863d8cf8

Connect2id server 11.5 WAR package: c2id.war

SHA-256: 5417f3f4a2d2354a80d32aabbbea157fd46d5c8853d7f2d9ede9010299458d53

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.5: Connect2id-server-mt.zip

SHA-256: 75c875761cfec4d9dd0aa19e62b89e048160d04ec617832f9b2bce31e135ff9e

Connect2id server 11.5 WAR package: c2id-multi-tenant.war

SHA-256: 8e7c3b42d05f6e0274b908e411016f460a3fa41f71a8ed78ee0c4e129698d30f



Release notes

11.5 (2021-04-14)

Configuration

  • /WEB-INF/infinispan-stateless-redis-dynamodb.xml -- New Infinispan configuration file for storing short-lived and cached data in Redis, and long-lived data in DynamoDB. Long-lived data in DynamoDB can be transparently cached by turning on the optional Amazon DynamoDB Accelerator (DAX) for the DynamoDB tables.

    This Infinispan configuration is suitable for single-region deployments in AWS as well as multi-region deployments where only replication of long-lived data in DynamoDB via the "global-tables" feature is required.

    This Infinispan configuration is an alternative to the existing available "infinispan-stateless-dynamodb.xml" configuration where the long-lived as well as the short-lived and cached data is stored in DynamoDB. Both types of data in that configuration can be replicated via the "global-tables" feature.

  • /WEB-INF/cors.properties

    • cors.enable -- New configuration property for disabling the CORS Filter. If false, the CORS Filter is disabled and passes all HTTP request and response headers unmodified. The CORS Filter can be disabled if the Connect2id server is provisioned with a reverse proxy handling CORS. The default value is true, enabling the CORS Filter to process cross-domain requests according to its configuration.

Resolved issues

  • Disables access to external entities in XML parsing in the OAuth 2.0 SDK SAML2AssertionValidator, closing a potential vulnerability when processing OAuth 2.0 grants of type SAML 2.0 bearer assertion (urn:ietf:params:oauth:grant-type:saml2-bearer). The exchange of SAML 2.0 bearer assertions for OAuth access tokens is not enabled by the Connect2id server out of the box and requires a plugin. Deployments that have implemented such a plugin for the SelfIssuedSAML2GrantHandler or ThirdPartySAML2GrantHandler should upgrade (issue oidc-sdk/356).
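The fix above is about the XML parser behind the SAML assertion validator. As an added illustration (Python, not the OAuth 2.0 SDK's Java code), this is the shape of a hardened parse step: it refuses any DOCTYPE declaration before an entity can be declared, and additionally refuses external entity references, so an assertion like the constructed one with a DOCTYPE is rejected while a plain assertion parses. The element names, the placeholder system identifier and the assertion contents are constructed for the example.

```python
import xml.parsers.expat


class UnsafeAssertionError(ValueError):
    """Raised when an assertion carries XML constructs that could enable XXE."""


def parse_saml_assertion_safely(xml_bytes: bytes) -> dict:
    """Parse a SAML assertion with DOCTYPE and external entities refused.

    Returns the element names seen, as a minimal proof that the document was
    parsed. Refusing the DOCTYPE up front means no entity, internal or
    external, can ever be declared, so none can be expanded or fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def refuse_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeAssertionError("DOCTYPE declarations are not accepted in assertions")

    def refuse_external_entity(context, base, system_id, public_id):
        raise UnsafeAssertionError("external entity references are not accepted")

    parser.StartDoctypeDeclHandler = refuse_doctype        # defence: reject the DTD itself
    parser.ExternalEntityRefHandler = refuse_external_entity  # defence in depth
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(xml_bytes, True)  # handler exceptions propagate out of Parse()
    return {"elements": elements}


def is_assertion_safe(xml_bytes: bytes) -> bool:
    """True if the assertion parses without tripping the XXE guards."""
    try:
        parse_saml_assertion_safely(xml_bytes)
        return True
    except UnsafeAssertionError:
        return False


# Constructed sample inputs (not real assertions).
BENIGN_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Issuer>https://idp.example.com</saml:Issuer>'
    b'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    b'</saml:Assertion>'
)
DOCTYPE_ASSERTION = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE saml:Assertion [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:Issuer>https://idp.example.com</saml:Issuer></saml:Assertion>'
)
```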

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.3.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.8.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.1

  • Updates to com.nimbusds:oidc-session-store:14.4.2

  • Updates to com.nimbusds:oauth2-authz-store:16.7.2

  • Updates to com.nimbusds:common:2.45.1

  • Updates to com.nimbusds:tenant-manager:5.0.1

  • Updates to com.nimbusds:tenant-registry:5.3.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.4

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.6

  • Updates to net.minidev:json-smart:2.4.2

  • Updates to com.thetransactioncompany:cors-filter:2.10

  • Updates to com.nimbusds:software-statement-verifier:2.2.1

Connect2id server 11.4

We are having another release of the Connect2id server this week and no, this is not an April Fools' joke!

This new release targets the multi-tenant edition of the server, designed to host one or more OpenID providers / OAuth 2.0 authorisation servers within a single deployment that is easy to manage and scale.

Up until now the multi-tenant edition has covered only a subset of the OAuth 2.0 grants -- the front-channel authorisation code and implicit grants, and the client credentials grant. In v11.4 the remaining grants also become supported, by means of the existing grant handler SPIs from the regular (single-tenant) Connect2id server edition:

  • The resource owner password credentials grant (password), via the password grant handler SPI.

  • The JWT bearer assertion grant (urn:ietf:params:oauth:grant-type:jwt-bearer), via its grant handler SPI.

  • The SAML 2.0 bearer assertion grant (urn:ietf:params:oauth:grant-type:saml2-bearer), via its grant handler SPI.

For more information check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.4: Connect2id-server.zip

SHA-256: d6394a826429aea5173d033bac0a09a0989e804abb164b7f52023ef4f27b2101

Connect2id server 11.4 WAR package: c2id.war

SHA-256: b73f7040da70149d99ad77de33c19ba4ee76a20f11c8084e4e7069f047158c81

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.4: Connect2id-server-mt.zip

SHA-256: 3aec8973049e845013091e7f618e9c1eec4561e9a632142cf7c5a0fa44dfec78

Connect2id server 11.4 WAR package: c2id-multi-tenant.war

SHA-256: cff5c40c2a01a59a3b669227f38aa13b5d397bf9fabed3cda850f35190c1adc2



Release notes

11.4 (2021-04-01)

Summary

  • Enables the following OAuth 2.0 grants in the multi-tenant Connect2id server edition:

    • The resource owner password credentials grant (password).

    • The JWT bearer assertion grant (urn:ietf:params:oauth:grant-type:jwt-bearer), as defined in RFC 7523.

    • The SAML 2.0 bearer assertion grant (urn:ietf:params:oauth:grant-type:saml2-bearer), as defined in RFC 7523.

    The client credentials grant has been available in the multi-tenant Connect2id server since v7.7.1.

SPI

  • The following OAuth 2.0 grant handler SPIs become supported in the multi-tenant Connect2id server edition:

    • PasswordGrantHandler

    • SelfIssuedJWTGrantHandler

    • ThirdPartyJWTGrantHandler

    • SelfIssuedSAML2GrantHandler

    • ThirdPartySAML2GrantHandler