Connect2id server 13.4.1
This is a maintenance release of the Connect2id server.
It fixes two recently reported bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, reported during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities, a scheme that can work across various identity ecosystems and jurisdictions, and is capable of automating the trust establishment, OP & RP metadata discovery and client registration.
The feeding and logging of X.509 certificate based Connect2id server keys (this includes keys stored in an HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips on how to manage the keys' certificate validity time windows and rotation.
There is more information about the resolved issues in the notes below.
The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as backend database will be removed.
Download 13.4.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 70515364029ad787d9f451d806386ad5529243390c635747a4813b4cca42fa6e
Connect2id server 13.4.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: faae7f3518ced76fd89928e1d0cd9d9ea1cdbbf5e9347436f9ced6721de6b11a
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 453918111bffc3e0565ae892acd6abdabc54137bdf33b9aa841d582baa1a89e9
Connect2id server 13.4.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 9b6560b3b85c2360a208fd1ddc1867f58434d71435dd64955886d58e23999d59
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.4.1 (2023-02-09)
Resolved issues
The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL (issue server/825).
Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).
The signing JWK feeder when dealing with X.509 certificate based JWKs should bias the key selection to pick the key with the farthest certificate expiration date. This is to ensure optimal roll-over of RSA and EC signing JWKs with an X.509 certificate (issue jwk-set-loader/5).
Fixes the SE2000 error log message on failing to find a signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes). The message must apply to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).
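The two jwk-set-loader fixes above describe one selection rule: among the signing keys of the wanted type, only those whose certificate is currently inside its not-before / not-after window may be used, the one expiring last is preferred so that a freshly rotated-in key takes over as early as possible, and the failure message must cover in-memory and HSM keys alike. The following is an added example, not Connect2id server or jwk-set-loader code; it models a JWK as a plain dict with the validity window already parsed out of the certificate (an assumption of the example; a real feeder would read it from the x5c chain, for HSM-backed keys too), and the key set is constructed.

```python
"""Pick the signing JWK whose X.509 certificate is valid now and expires last."""
from datetime import datetime, timedelta, timezone

# Constructed sample: an expired in-memory key, a current in-memory key and
# an HSM key whose certificate was rotated in a week ago with a later expiry.
NOW = datetime(2023, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"kid": "rsa-2021", "kty": "RSA", "use": "sig", "hsm": False,
     "not_before": NOW - timedelta(days=730), "not_after": NOW - timedelta(days=1)},
    {"kid": "rsa-2022", "kty": "RSA", "use": "sig", "hsm": False,
     "not_before": NOW - timedelta(days=365), "not_after": NOW + timedelta(days=30)},
    {"kid": "rsa-2023-hsm", "kty": "RSA", "use": "sig", "hsm": True,
     "not_before": NOW - timedelta(days=7), "not_after": NOW + timedelta(days=395)},
]


class NoValidSigningKey(KeyError):
    """Raised when no key of the wanted type has a currently valid certificate."""


def sample_time(days_offset):
    """Shift the constructed reference time, to replay the roll-over timeline."""
    return NOW + timedelta(days=days_offset)


def cert_is_valid(jwk, now):
    """True when `now` lies within the certificate's not-before / not-after window."""
    return jwk["not_before"] <= now <= jwk["not_after"]


def select_signing_jwk(keys, kty, now=None):
    """Return the eligible key with the farthest certificate expiry."""
    now = now or datetime.now(timezone.utc)
    eligible = [k for k in keys
                if k.get("kty") == kty and k.get("use") == "sig" and cert_is_valid(k, now)]
    if not eligible:
        # One message that applies to in-memory and HSM keys alike, as the fix requires
        hsm_count = sum(1 for k in keys if k.get("hsm"))
        raise NoValidSigningKey(
            f"SE2000: no {kty} signing key with a currently valid X.509 certificate "
            f"(checked {len(keys)} keys, {hsm_count} of them in the HSM)")
    return max(eligible, key=lambda k: k["not_after"])


def days_until_rollover_gap(keys, kty, now):
    """Monitoring helper: days until the currently selected key's certificate
    expires. Alert well before this reaches zero: once the last valid
    certificate lapses, signing stops with SE2000."""
    selected = select_signing_jwk(keys, kty, now)
    return (selected["not_after"] - now).days
```

Replaying the sample timeline shows the bias at work: ten days before the reference time the HSM key's certificate is not yet valid and the current in-memory key is chosen; at the reference time the HSM key wins because its certificate expires last, even though the older key is still valid.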
Dependency changes
Updates to com.nimbusds:nimbus-jose-jwt:9.30.1
Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2
Connect2id server 13.4 supports Java 17, redirect_uri templates
The Connect2id server can now get deployed with a Java 11 or 17 runtime.
Java 17, the most recent long-term support (LTS) release, was made available in September 2021. With this Connect2id server update you have the choice to switch to the newer Java 17 runtime, as support for the free OpenJDK 11 version is going to end in October 2024 (longer paid support options are offered by Oracle and others).
Several cryptography related parts of the Connect2id server were updated for the Java 17 runtime, where the secp256k1 elliptic curve for JWS is no longer available in the default Java 17 JCA provider. This curve is an alternative to the P-256 curve and is used where clients are registered for the ES256K JWS algorithm to secure ID tokens, UserInfo JWTs, JARs or JARMs. Whenever secp256k1 operations are needed the Connect2id server will use the alternative open source JCA provider developed by BouncyCastle.
The byte code and Java API use of the Connect2id server will remain Java 11 compatible at least until September 2023.
This release also adds a special new feature to enable OpenID Connect providers and OAuth 2.0 servers to use redirect_uri templates. Such templates can help in cases where a client may require a large number of redirection URIs for which individual registration would be impractical.
You can find additional information about this release in the notes below.
Download 13.4
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.4: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: ef7b160197e3fcc575b2d0224c3ed8ba7416c2822f9d3e4611a6105d2f73d7fe
Connect2id server 13.4 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: e36671174ce53d2fe1b1d96b52d33368c95f1c08d52383da8ffcb17c738504cf
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.4: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e
Connect2id server 13.4 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e
Release notes
13.4 (2023-01-30)
Summary
Updates the Connect2id server to support the Java 17 runtime.
Due to the secp256k1 elliptic curve no longer being available in the default Java Cryptography Architecture (JCA) provider, the Connect2id server will use the alternative open source BouncyCastle JCA provider for the ES256K (secp256k1 curve) JWS algorithm when it's used to secure ID tokens, UserInfo JWTs, request objects (JAR), authorisation responses (JARM) or self-contained (JWT) access tokens. The Java 11 runtime support remains.
Adds support for registering OAuth 2.0 clients with redirect_uri templates, to enable Connect2id server deployments to set the redirection URI at the time when the authorisation request is processed. This can facilitate scenarios where the exact redirect_uri is not known at the time of client registration or where a client may require a multitude of redirection URIs that conform to a certain pattern. The redirect_uri templates apply to authorisation requests as well as pushed authorisation requests (PAR).
Example template where the [param] is a placeholder for a parameter to be set when the Connect2id server processes the authorisation request:
urn:c2id:redirect_uri_template:https://[param].example.com/login-callback
Web API
/clients/
- Supports registration of OAuth 2.0 web and native clients with templates in the redirect_uris parameter. The template is a URN with format urn:c2id:redirect_uri_template:[URI], where URI is the final redirection URI which must contain a single [param] placeholder. The [param] placeholder will be set by the Connect2id server when it processes authorisation requests from the client.
/authz-sessions/rest/v3/
- Adds an optional redirect_uri_template_param parameter of type string to the authorisation session start request object. Used to set the [param] in a redirect_uri of an authorisation request where the URI is a template. The template URI must be registered just as any regular redirection URI in the client's record under the redirect_uris field. The [param] setting will apply to all authorisation requests, including JAR and PAR. If the Connect2id server doesn't set the [param] for some reason the redirect_uri will remain unchanged, which will later cause the redirection to fail because of the URN scheme.
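The redirect_uri template feature described in the summary and in the two web API entries above has two halves: a registration-time check that a template wraps a URI with exactly one [param] placeholder, and an authorisation-time step that fills the placeholder from redirect_uri_template_param or, when it is not set, leaves the URN untouched so the later redirect fails instead of going somewhere unintended. The following is an added example, not Connect2id server code. The character set it accepts for the parameter value is an assumption of the example (the notes do not say what the server accepts): it is limited to a single DNS label so that no value can alter the scheme, host, port or userinfo of the final URI. The client registration it works on is constructed.

```python
"""Register and resolve redirect_uri templates of the form
urn:c2id:redirect_uri_template:[URI], where URI holds one [param] placeholder."""
import re
from urllib.parse import urlsplit

TEMPLATE_PREFIX = "urn:c2id:redirect_uri_template:"
PLACEHOLDER = "[param]"
# Assumption of this example: one DNS label (letters, digits, inner hyphens).
SAFE_PARAM = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed client registration: one regular redirection URI and one template.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/cb",
    "urn:c2id:redirect_uri_template:https://[param].example.com/login-callback",
]


def is_template(uri):
    return uri.startswith(TEMPLATE_PREFIX)


def validate_redirect_uris(redirect_uris):
    """Registration-time check (clients API): every template must carry exactly
    one placeholder and must still be an absolute URI once the placeholder is filled."""
    for uri in redirect_uris:
        if not is_template(uri):
            continue
        body = uri[len(TEMPLATE_PREFIX):]
        if body.count(PLACEHOLDER) != 1:
            raise ValueError(f"template must contain exactly one {PLACEHOLDER}: {uri}")
        probe = urlsplit(body.replace(PLACEHOLDER, "probe"))
        if not probe.scheme or not probe.netloc:
            raise ValueError(f"template does not wrap an absolute URI: {uri}")
    return True


def resolve_redirect_uri(registered, requested, template_param=None):
    """Authorisation-time step. `requested` is the redirect_uri of the request
    (plain, JAR or PAR); `template_param` is the redirect_uri_template_param of
    the authorisation session start request, None when it was not set."""
    if requested not in registered:
        raise ValueError("redirect_uri is not registered for this client")
    if not is_template(requested):
        return requested  # a regular redirection URI is used as-is
    if template_param is None:
        # Left unchanged, as the notes describe: a redirect to a urn: scheme
        # fails later rather than silently sending the user elsewhere.
        return requested
    if not SAFE_PARAM.match(template_param):
        raise ValueError("redirect_uri_template_param contains disallowed characters")
    return requested[len(TEMPLATE_PREFIX):].replace(PLACEHOLDER, template_param)


def is_redirectable(uri):
    """False for an unresolved template, whose scheme is still 'urn'."""
    return urlsplit(uri).scheme != "urn"
```

Values such as a host with a path suffix, an "@" or a dot are refused by the label check, so a template can only ever expand to a host under the registered domain; a template for which no parameter was supplied comes back unchanged and fails the is_redirectable check.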
Resolved issues
Upgrades to com.nimbusds:nimbus-jose-jwt:9.30
Upgrades to com.nimbusds:c2id-server-jwkset:1.26.2
Updates to com.nimbusds:oauth2-authz-store:19.5
The OAuth 2.0 token exchange in Connect2id server 13.3 supports refresh token and ID token issue
Connect2id server deployments with OAuth 2.0 token exchange (RFC 8693) will now be able to issue refresh tokens and ID tokens. Previously the token exchange plugin interface (SPI) was capable of specifying only access token issue. The persistence of the token exchange authorisation can also be controlled now, by setting its long-lived flag (which, when a refresh token gets issued, also determines whether it's going to be persisted, with long-lived set to true, or a stateless encrypted JWT, with long-lived set to false).
This token exchange upgrade makes it possible for Connect2id server deployments to experiment with the new OpenID Connect draft specification for native single sign-on (SSO) for Android, iOS and desktop applications. Built-in support for the native SSO is now on the Connect2id server roadmap and it will appear once the spec has become stable.
The new token exchange plugin capabilities can also be useful in other scenarios where a client needs to exchange a token of some kind (opaque or JWT) for an access, refresh or ID token issued by the local Connect2id server.
This release fixes two issues:
If you have clients using symmetrically encrypted ID tokens or UserInfo (by means of deriving a shared AES key from the client_secret) upgrading is strongly recommended, to ensure interoperability and correctness of the key derivation. The key derivation suffered from a poorly worded specification in OpenID Connect Core 1.0, addressed in a recent errata. The security of the encryption was never compromised, but depending on how the original spec was interpreted the decryption of JWE objects can unexpectedly fail with a different client library or OpenID Connect server.
The key derivation issue was also fixed in v10.5.1 of the open source OAuth 2.0 / OpenID Connect SDK we maintain.
If you have a deployment with OpenID Connect Federation 1.0 upgrading is also suggested, so you can read the registrations of automatic clients via the clients API without entity URL encoding issues.
There is more information in the release notes.
Download 13.3
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.3: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: b503e2a247bb7bbe224f3f6ed3b7f0f27930edb50b501b1931ecc45173c99705
Connect2id server 13.3 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: d10fccf8fb49a5095ce7a387728ecdebe0023c6fd2411f264567c25741296a49
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.3: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: cce4e3dad989af9db16fca3ec8e731be913066ce59f41a099e5f0e9e47cc5197
Connect2id server 13.3 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: bf5f9b7a7fa6a3d80fde32c3405fdfbb61d8d8095b9bd4d71703cc84fbe42377
Release notes
13.3 (2023-01-23)
Summary
Token exchange (RFC 8693) plugins can now optionally specify the issue of a refresh token and ID token (in addition to the access token) when authorising a request received via the TokenExchangeGrantHandler SPI. The plugin can also flag the authorisation as long-lived (persisted), to cause the granted scope values and other attributes to be remembered for the subject and the requesting client. This also enables control of the refresh token encoding (if issued) - persisted or stateless.
Resource owner password credentials grant plugins can now specify the issue of stateless (JWT-encoded) refresh tokens. Previously only persisted refresh tokens could be issued.
Updates the plugin for handling OAuth 2.0 grants at an external web service (web hook) to support token exchange (RFC 8693) authorisations for refresh token and ID token issue.
Web API
/token
- Adds support for refresh token and ID token issue for an OAuth 2.0 token exchange grant (RFC 8693).
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.52
The TokenExchangeAuthorization class is updated to support optional persistence of the authorisation (with the long-lived flag), issue of a refresh token (stateless or persisted) and issue of an ID token.
The PasswordGrantAuthorization class is updated to support issue of a stateless refresh token when the long-lived authorisation flag is set to false. Previously only persisted refresh tokens could be issued, when the long-lived authorisation flag was set to true.
Resolved issues
The AES key from client_secret derivation for shared JSON Web Encryption (JWE) of ID tokens, UserInfo responses and other objects must remove the right-most bits, not the left-most. See OpenID Connect Core 1.0 errata 2020-07-24 (issue oidc-sdk/412).
The clients web API GET by client_id must handle client identifiers that are OpenID Connect Federation 1.0 entity IDs (and URLs in general) seamlessly (issue server/824).
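The key derivation point made in the 13.3 announcement and in issue oidc-sdk/412 above is easy to get wrong at the byte level, so here is the rule carried out in code: hash the UTF-8 octets of client_secret with SHA-2 and keep the left-most bits (remove the right-most ones) down to the key length the JWE algorithm needs. This is an added example, not the Connect2id server's or the OAuth 2.0 / OpenID Connect SDK's code. It assumes, as OpenID Connect Core 1.0 section 10.2 with the 2020-07-24 errata specifies, that the key length is taken from the alg key wrap algorithm, or from enc when alg is dir, and that SHA-256 serves keys of up to 256 bits, SHA-384 a 384-bit key and SHA-512 a 512-bit key. The other reading of the pre-errata text is kept alongside only to show where the two diverge.

```python
"""Derive the symmetric JWE key from an OAuth 2.0 client_secret."""
import hashlib

# Key length in bits demanded by the JWE "alg" (key wrap) algorithm ...
ALG_KEY_BITS = {"A128KW": 128, "A192KW": 192, "A256KW": 256,
                "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256}
# ... or, for alg "dir", by the "enc" content encryption algorithm.
ENC_KEY_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}


def required_key_bits(alg, enc):
    if alg == "dir":
        return ENC_KEY_BITS[enc]  # direct encryption: the CEK itself is derived
    return ALG_KEY_BITS[alg]      # key wrapping: the wrapping key is derived


def _sha2_for(bits):
    """SHA-2 variant chosen by the wanted key length."""
    if bits <= 256:
        return hashlib.sha256
    if bits == 384:
        return hashlib.sha384
    if bits == 512:
        return hashlib.sha512
    raise ValueError(f"unsupported key length {bits}")


def derive_jwe_key(client_secret, alg, enc):
    """Correct derivation: the left-most bits of the SHA-2 digest are kept."""
    bits = required_key_bits(alg, enc)
    digest = _sha2_for(bits)(client_secret.encode("utf-8")).digest()
    return digest[: bits // 8]


def derive_jwe_key_alternative_reading(client_secret, alg, enc):
    """The other reading of the pre-errata text: the right-most bits are kept.
    Present only to show the interoperability failure; never use it."""
    bits = required_key_bits(alg, enc)
    digest = _sha2_for(bits)(client_secret.encode("utf-8")).digest()
    return digest[len(digest) - bits // 8:]


def readings_agree(client_secret, alg, enc):
    """True only when no truncation takes place, i.e. the key uses the whole digest."""
    return derive_jwe_key(client_secret, alg, enc) == \
        derive_jwe_key_alternative_reading(client_secret, alg, enc)
```

A consequence worth noticing: with the correct derivation a 128-bit key is always a prefix of the 256-bit key derived from the same secret, and the two readings coincide only for full-length keys such as dir with A256GCM, which is why the bug stayed invisible until a shorter key size met a second implementation.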
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.52
Updates to com.nimbusds:oauth2-oidc-sdk:10.5.1
Updates to com.nimbusds:nimbus-jose-jwt:9.29
Updates to com.nimbusds:oauth-grant-handlers-web:1.0.4
Connect2id server 13.2.1
This is a maintenance release of the Connect2id server.
Should I upgrade?
An upgrade to 13.2.1 is recommended if:
You have a deployment with a plugin for handling SAML 2.0 assertion grants. This special OAuth 2.0 grant type is used to let client applications exchange a SAML 2.0 assertion for an OAuth 2.0 access token (potentially including a refresh token as well). Prior versions of the Connect2id server contain a dependency in the XML parsing stack reported vulnerable to CVE-2022-40152. A malicious SAML assertion which triggers the vulnerability will cause an internal stack overflow exception and the token endpoint returning an HTTP 500 Internal Server Error instead of a proper HTTP 400 Bad Request response with an invalid_grant error.
You have a deployment enabled for OpenID Connect Federation 1.0. This release fixes two bugs that affect the clean up of expired federation clients.
In all other cases upgrading is not necessary.
There is more information in the release notes below.
Native SSO for Android and iOS apps
A new specification in development at the OpenID Connect working group is now on the Connect2id server roadmap for 2023.
A mobile app which signs in a user with OpenID Connect to obtain an ID token will be able to share the user identity with apps belonging to the same vendor:
A mobile app by a vendor is installed and the user logs in with OpenID Connect.
If the user chooses to install other apps belonging to the same vendor she will be automatically signed into them, a concept called "native SSO".
We are currently also discussing possibilities for mobile apps to seamlessly sign in the user with trusted web applications and sites. This scenario can occur when the app opens a link to a web site of the vendor. The aim is to save the user from having to perform an additional web-based SSO with the Connect2id server and improve the overall UX when moving between mobile app and web site.
If you have comments, suggestions or wish to try out this feature before it is finalised write to Connect2id support.
LDAP backend support will be removed in 2023
We would also like to inform you that LDAP backend support will be removed in 2023, with version 13.x likely remaining the last one to have it. If you use an LDAP directory server to persist Connect2id server data consider migrating to a different database. This change does not affect the Connect2id server connector for sourcing OpenID claims from LDAP directories, which will remain available and supported.
2023 will also see official support for Java 17, to enable Connect2id servers to be deployed with the newer Java 17 runtime (while keeping the software Java 11 compatible).
Download 13.2.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.2.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 889853c37a402ed36b04f29ec7962ee866800383ae59e6951e17ee8ee0f7d038
Connect2id server 13.2.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: be1785b7eb1f73d53c65a897617bfb9ff5dc2170e255ee17b2733da28672d276
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.2.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 39ae9507bf51ef3e3baaa8ea12f251976ab8cd82da2b0c2b0bf57db9f80ad2cf
Connect2id server 13.2.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 3b7c9fdce414cd20b097bcee8fac70014cecb4b70ce99efe59a06032602f2179
Release notes
13.2.1 (2023-01-19)
Resolved issues
Updates the Woodstox Core dependency used in the SAML 2.0 assertion grant SPI, to address a potential stack overflow vulnerability in the XML DTD parse code (CVE-2022-40152). Note that the CVE has been incorrectly filed to an XStream dependency (a different project). Connect2id server deployments that don't use a SAML 2.0 assertion grant plugin for exchanging SAML 2.0 tokens for OAuth 2.0 tokens are not affected (issue server/820).
Streaming registered OpenID Connect Federation 1.0 clients from the federation client index must observe the tenant ID (issue server/640).
Fixes NPE that prevented clean up of expired OpenID Connect Federation 1.0 automatic clients (issue server/657).
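The SAML 2.0 assertion grant item in the "Should I upgrade?" section and the Woodstox entry above share one defensive lesson: a parser failure on grant input must surface as an HTTP 400 invalid_grant response, never as an HTTP 500, and a SAML assertion has no legitimate need for a DTD or deep nesting, so both can be refused before the document reaches the XML stack. The following is an added example, not Connect2id server code and not a fix for the Woodstox issue itself; it streams the assertion once with Python's expat parser, rejects any DOCTYPE and bounds element depth (the limit is an assumption of the example), and maps every rejection to invalid_grant. The assertion it works on is constructed and unsigned.

```python
"""Pre-parse guard for SAML 2.0 assertion grant input at the token endpoint."""
import base64
import xml.parsers.expat

MAX_ELEMENT_DEPTH = 64  # assumption: far above any real SAML 2.0 assertion

# Constructed sample assertion (minimal, unsigned; structure only).
SAMPLE_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_c0ffee" Version="2.0" IssueInstant="2023-01-19T10:00:00Z">'
    b'<saml:Issuer>https://idp.example.com</saml:Issuer>'
    b'<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    b'</saml:Assertion>'
)


class AssertionRejected(Exception):
    """Input failed the pre-parse checks; becomes an invalid_grant response."""


def check_assertion_xml(xml_bytes, max_depth=MAX_ELEMENT_DEPTH):
    """Stream the document once, refusing any DTD and excessive nesting."""
    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise AssertionRejected("DTD declarations are not allowed in a SAML assertion")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise AssertionRejected(f"element nesting exceeds {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise AssertionRejected(f"malformed XML: {exc}") from exc
    return True


def encode_assertion(xml_bytes):
    """RFC 7522 transport encoding of the assertion parameter (base64url)."""
    return base64.urlsafe_b64encode(xml_bytes).decode()


def handle_saml_assertion_grant(form):
    """Token endpoint step for grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer.
    Returns (HTTP status, JSON body). A 200 here only means the pre-parse checks
    passed; signature and SAML validation belong to the real grant plugin."""
    encoded = form.get("assertion", "")
    try:
        raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
        check_assertion_xml(raw)
    except (AssertionRejected, ValueError) as exc:
        return 400, {"error": "invalid_grant", "error_description": str(exc)}
    return 200, {"status": "assertion accepted for SAML validation"}
```

Exceptions raised inside expat callbacks propagate out of Parse(), which is what lets the guard stop at the first DOCTYPE or over-deep element without consuming the rest of the input.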
Dependency changes
Updates to com.fasterxml.woodstox:woodstox-core:5.4.0
Updates Dropwizard Metrics to 4.2.15
Connect2id server 13.2 adds a signed JWKs endpoint for use in OpenID federations
This release of the Connect2id server builds upon the OpenID Connect Federation 1.0 upgrade that arrived in 13.1 by adding a new signed JWKs endpoint. The signature establishes a digital proof that a server owns its OpenID provider keys, which proof then becomes linked to the server's trust chain in a federation.
The signed OpenID provider JWKs endpoint does not play an actual part in the trust resolution protocol defined in OpenID Connect Federation 1.0. The terms and policies that govern a particular federation may however require it, for non-repudiation and legal purposes. The Italian eID federation requires members to sign their public OpenID provider keys so that end-user authentication events (represented by issued ID tokens) can be linked to the trust chain in a verifiable manner. The Italian federation operator also has a policy to keep a historical archive of the keys of all members, in case disputes over past transactions arise.
Example request to retrieve the server's OpenID provider keys in a signed form:
GET /jwks.jwt HTTP/1.1
Host: demo.c2id.com
The response will be a signed JWT, carrying a keys claim that is a standard JWK set:
HTTP/1.1 200 OK
Content-Type: application/jwk-set+jwt
eyJraWQiOiJleFI1IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJodHRwczpcL1wvZmFwaS5jMmlkLmNv
bSIsIm1ldGFkYXRhIjp7Im9wZW5pZF9wcm92aWRlciI6eyJyZXF1ZXN0X3BhcmFtZXRlcl9zdXBwb3J
ZW5kcG9pbnQiOiJodHRwczpcL1wvZmFwaS5jMmlkLmNvbVwvdG9rZW5cL2ludHJvc3BlY3QiLCJj...
Note that the new signed JWK set endpoint will normally return an HTTP 404 Not Found status code, unless OpenID Connect federation is enabled.
This release also fixes two major bugs introduced in Connect2id server 13.0. Upgrading to 13.2 is strongly recommended if you are currently using an affected 13.0 or 13.1 deployment.
There is more information in the release notes below.
Download 13.2
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.2: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 5676fd128a46fbdc113b4b6ffc930ddb636217a715e599356279ffa0f1171b64
Connect2id server 13.2 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: ed815c1404898266ea35b277551addc7e2ca9f44b1036a34e7f30bb8a3ab62f3
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.2: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 1fc4ac435cbfc1baa8d34a644b0a0720ffc36ba87aca47ed23f3e74151a76008
Connect2id server 13.2 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 616c1dd0d92bd44d834d334f4fc6bad692c73cd7502ee0b90e5ffab5d9e776d8
Release notes
13.2 (2023-01-12)
Summary
Upgrades OpenID Connect Federation 1.0 draft 25 support to publish a signed JWK set at the URL advertised in the signed_jwks_uri OpenID provider metadata found in the entity configuration.
Fixes two bugs affecting deployments of Connect2id server v13.0 and v13.1 with an SQL database. Updating is strongly recommended (see issue server/816 for details).
Web API
/.well-known/openid-configuration
- signed_jwks_uri -- New optional metadata field specifying an endpoint where the OpenID provider JWK set is published as a signed JWT. Available when OpenID Connect Federation 1.0 is enabled, else omitted.
/jwks.jwt -- New endpoint publishing the OpenID provider JWK set as a signed JWT when OpenID Connect Federation 1.0 is enabled. The JWT is signed with the RS256 algorithm using the first RSA key in the configured Connect2id server federation entity JWK set. The JWT typ (type) header is set to jwk-set+jwt. The JWT contains the iss (issuer), sub (subject), iat (issued-at time) and keys (JWK set keys) claims, as specified in OpenID Connect Federation 1.0, section 4.1.
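To make the /jwks.jwt description concrete, here is the signed JWK set built the way the entry above specifies (typ jwk-set+jwt, RS256 with the first RSA key of the federation entity JWK set, iss and sub equal to the entity ID, iat, keys) together with the checks a relying party in the federation would run on it. This is an added example, not Connect2id server code. So that it runs offline, RSA key generation and PKCS#1 v1.5 signing are written out inline and a small throw-away key is generated when the module loads; the OP JWK set being signed is constructed placeholder data. In a deployment a JOSE library and a managed entity key take the place of all of that.

```python
"""Publish and verify a signed OpenID provider JWK set (application/jwk-set+jwt)."""
import base64, hashlib, hmac, json, secrets, time

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a toy key, not a substitute for a real library."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_jwk(kid, bits=1024):
    """Return (public JWK, private JWK). Toy-sized key: for this example only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    pub = {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
           "n": b64u(n.to_bytes(k, "big")), "e": b64u(e.to_bytes(3, "big"))}
    return pub, dict(pub, d=b64u(d.to_bytes(k, "big")))


def _emsa_pkcs1_v15(message, em_len):
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rs256_sign(private_jwk, message):
    n, d = (int.from_bytes(b64u_dec(private_jwk[p]), "big") for p in ("n", "d"))
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(public_jwk, message, signature):
    n, e = (int.from_bytes(b64u_dec(public_jwk[p]), "big") for p in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))


def build_signed_jwk_set(entity_id, entity_jwks_private, op_jwks, now=None):
    """What /jwks.jwt serves: the OP JWK set signed by the first RSA entity key."""
    signer = next(k for k in entity_jwks_private["keys"] if k["kty"] == "RSA")
    header = {"alg": "RS256", "typ": "jwk-set+jwt", "kid": signer["kid"]}
    claims = {"iss": entity_id, "sub": entity_id,
              "iat": int(now if now is not None else time.time()), "keys": op_jwks["keys"]}
    signing_input = ".".join(b64u(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    return signing_input + "." + b64u(rs256_sign(signer, signing_input.encode()))


def verify_signed_jwk_set(jwt, entity_id, entity_jwks_public, now=None, skew=60):
    """Relying side: check typ and alg, the signature against the entity's public
    keys, the iss/sub binding to the entity ID and iat; return the JWK set keys."""
    h_b64, c_b64, s_b64 = jwt.split(".")
    header, claims = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(c_b64))
    if header.get("alg") != "RS256" or header.get("typ") != "jwk-set+jwt":
        raise ValueError("unexpected JWT header")
    key = next((k for k in entity_jwks_public["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None or not rs256_verify(key, f"{h_b64}.{c_b64}".encode(), b64u_dec(s_b64)):
        raise ValueError("signature does not verify against the entity JWK set")
    if claims.get("iss") != entity_id or claims.get("sub") != entity_id:
        raise ValueError("iss / sub do not match the entity ID")
    if claims.get("iat") is None or claims["iat"] > (now if now is not None else time.time()) + skew:
        raise ValueError("iat missing or in the future")
    if not isinstance(claims.get("keys"), list):
        raise ValueError("keys claim missing")
    return claims["keys"]


# Constructed data: a generated federation entity key and a stand-in OP JWK set.
ENTITY_ID = "https://op.example.com"
ENTITY_PUB, ENTITY_PRIV = generate_rsa_jwk("fed-entity-2023")
OP_JWK_SET = {"keys": [{"kty": "RSA", "kid": "op-sig-1", "use": "sig", "alg": "RS256",
                        "n": "constructed-modulus-placeholder", "e": "AQAB"}]}
```

The verification order matters: the signature is checked before any claim is trusted, the kid is only used to pick a candidate key from the entity's own JWK set (never from the JWT itself), and a replaced keys claim or a signature made with another key of the same kid fails closed.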
Resolved issues
Fixes a bug introduced in Connect2id server 13.0, multi-tenant edition, affecting deployments with MySQL, PostgreSQL and MS SQL Server that may cause false HTTP 404 (invalid authorisation session ID) responses from the authorisation session web API. Connect2id server 13.0 and 13.1 multi-tenant deployments are strongly advised to update (issue server/816).
Fixes a bug introduced in Connect2id server 13.0 affecting deployments with MySQL, PostgreSQL and MS SQL Server that causes incorrect PAR URI rejections at the authorisation endpoint. Connect2id server 13.0 and 13.1 deployments are strongly advised to update (issue server/818).
Fixes non-critical NPE when writing HTTP 404 responses at the .well-known/openid-federation endpoint when OpenID Connect Federation 1.0 is disabled (issue server/817).
Optimises OpenID Connect Federation 1.0 related logging (issue server/815).
The PARValidator SPI must be invoked with an AuthenticationRequest if the validated authorisation request has the "openid" scope value (issue server/819).
Dependency changes
- Upgrades to com.nimbusds:oauth2-oidc-sdk:10.5