Connect2id server 13.4.1

This is a maintenance release of the Connect2id server.

It fixes two bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, recently reported during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities, a scheme that can work across various identity ecosystems and jurisdictions and is capable of automating trust establishment, OP & RP metadata discovery and client registration.

The feeding and logging of X.509 certificate based Connect2id server keys (including keys stored in an HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips on how to manage the validity time windows and rotation of such keys.

There is more information about the resolved issues in the notes below.

The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as a backend database will be removed.

Download 13.4.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 70515364029ad787d9f451d806386ad5529243390c635747a4813b4cca42fa6e

Connect2id server 13.4.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: faae7f3518ced76fd89928e1d0cd9d9ea1cdbbf5e9347436f9ced6721de6b11a

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 453918111bffc3e0565ae892acd6abdabc54137bdf33b9aa841d582baa1a89e9

Connect2id server 13.4.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9b6560b3b85c2360a208fd1ddc1867f58434d71435dd64955886d58e23999d59

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.4.1 (2023-02-09)

Resolved issues

  • The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL (issue server/825).

  • Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).

  • The signing JWK feeder, when dealing with X.509 certificate based JWKs, should bias the key selection to pick the key with the farthest certificate expiration date. This is to ensure optimal roll-over of RSA and EC signing JWKs with an X.509 certificate (issue jwk-set-loader/5).

  • Fixes the SE2000 error log message on failing to find a signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes). The message must apply to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).
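A model of the certificate-aware signing key selection described in the two issues above, as an added Python example that is not the jwk-set-loader or Connect2id server code: keys are represented by a small constructed dataclass carrying the certificate's not-before / not-after window and an HSM flag, selection keeps only keys whose certificate is valid now and biases toward the farthest expiration, an SE2000-style error is raised when neither an in-memory nor an HSM key qualifies, and a roll-over check flags a certificate that expires soon without a successor covering the period after it (the validity-window planning the HSM guide tips are about). The key IDs, dates, algorithms and the lead time are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CertifiedSigningKey:
    """Signing JWK backed by an X.509 certificate (constructed model for this example)."""
    kid: str
    alg: str               # JWS algorithm the key serves, e.g. RS256 or ES256
    not_before: datetime   # certificate validity start, UTC
    not_after: datetime    # certificate validity end, UTC
    in_hsm: bool = False   # key material held in an HSM; selection treats it like any other key


class NoValidSigningKey(Exception):
    """No key has a currently valid certificate: the condition behind the SE2000 log message."""


def select_signing_key(keys: Iterable[CertifiedSigningKey], alg: str, now: datetime) -> CertifiedSigningKey:
    """Pick the key for alg whose certificate is valid at `now`, preferring the farthest
    not-after date so that a freshly loaded successor takes over during roll-over."""
    same_alg = [k for k in keys if k.alg == alg]
    valid = [k for k in same_alg if k.not_before <= now <= k.not_after]
    if not valid:
        in_hsm = sum(1 for k in same_alg if k.in_hsm)
        raise NoValidSigningKey(
            f"SE2000: no {alg} signing key with a currently valid X.509 certificate at "
            f"{now.isoformat()} ({len(same_alg)} candidate keys, {in_hsm} of them in an HSM)")
    return max(valid, key=lambda k: k.not_after)


def rollover_warning(keys: List[CertifiedSigningKey], alg: str, now: datetime, lead_days: int = 30) -> Optional[str]:
    """Warn when the selected certificate expires within lead_days and no successor
    certificate becomes valid before it ends and outlives it (a coverage gap)."""
    current = select_signing_key(keys, alg, now)
    if current.not_after - now > timedelta(days=lead_days):
        return None
    successors = [k for k in keys if k.alg == alg and k != current
                  and k.not_before <= current.not_after < k.not_after]
    if successors:
        return None
    return (f"certificate of {alg} key {current.kid} expires on {current.not_after.date()} "
            f"and no successor certificate covers the period after it")


# Constructed sample key set and clock (the 13.4.1 release date) for the demo and the checks.
_UTC = timezone.utc
SAMPLE_KEYS = [
    CertifiedSigningKey("rsa-2022", "RS256", datetime(2022, 1, 1, tzinfo=_UTC), datetime(2023, 3, 1, tzinfo=_UTC)),
    CertifiedSigningKey("rsa-2023", "RS256", datetime(2023, 1, 15, tzinfo=_UTC), datetime(2024, 1, 15, tzinfo=_UTC)),
    CertifiedSigningKey("ps-old", "PS256", datetime(2022, 1, 1, tzinfo=_UTC), datetime(2023, 3, 1, tzinfo=_UTC)),
    CertifiedSigningKey("ps-next", "PS256", datetime(2023, 2, 20, tzinfo=_UTC), datetime(2025, 1, 1, tzinfo=_UTC)),
    CertifiedSigningKey("ec-hsm", "ES256", datetime(2022, 6, 1, tzinfo=_UTC), datetime(2023, 6, 1, tzinfo=_UTC), in_hsm=True),
    CertifiedSigningKey("ec-hsm-next", "ES256", datetime(2023, 12, 1, tzinfo=_UTC), datetime(2025, 1, 1, tzinfo=_UTC), in_hsm=True),
]
NOW = datetime(2023, 2, 9, tzinfo=_UTC)

if __name__ == "__main__":
    for alg in ("RS256", "PS256", "ES256"):
        print(alg, select_signing_key(SAMPLE_KEYS, alg, NOW).kid, rollover_warning(SAMPLE_KEYS, alg, NOW, lead_days=120))
```

With the sample set, RS256 already switches to rsa-2023 although rsa-2022 is still valid, PS256 stays on ps-old because its successor only becomes valid on 20 February, and ES256 reports a gap when the lead time is widened because the next HSM certificate starts months after the current one ends.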

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.30.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2

Connect2id server 13.4 supports Java 17, redirect_uri templates

The Connect2id server can now get deployed with a Java 11 or 17 runtime.

Java 17, the most recent long-term support (LTS) release, was made available in September 2021. With this Connect2id server update you have the choice to switch to the newer Java 17 runtime, as support for the free OpenJDK 11 version is going to end in October 2024 (longer paid support options are offered by Oracle and others).

Several cryptography related parts of the Connect2id server were updated for the Java 17 runtime where the secp256k1 elliptic curve for JWS is no longer available in the default Java 17 JCA provider. This curve is an alternative to the P-256 curve and is used where clients are registered for the ES256K JWS algorithm to secure ID tokens, UserInfo JWTs, JARs or JARMs. Whenever secp256k1 operations are needed the Connect2id server will use the alternative open source JCA provider developed by BouncyCastle.

The byte code and Java API use of the Connect2id server will remain Java 11 compatible at least until September 2023.

This release also adds a special new feature to enable OpenID Connect providers and OAuth 2.0 servers to use redirect_uri templates. Such templates can help in cases where a client may require a large number of redirection URIs whose individual registration may be impractical.

You can find additional information about this release in the notes below.

Download 13.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: ef7b160197e3fcc575b2d0224c3ed8ba7416c2822f9d3e4611a6105d2f73d7fe

Connect2id server 13.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e36671174ce53d2fe1b1d96b52d33368c95f1c08d52383da8ffcb17c738504cf

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e

Connect2id server 13.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 93422f791fc775d41d427b07fa852ba2581c045fa00a49eeee79274b12a4228e

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.4 (2023-01-30)

Summary

  • Updates the Connect2id server to support the Java 17 runtime.

    Due to the secp256k1 elliptic curve no longer being available in the default Java Cryptography Architecture (JCA) provider the Connect2id server will use the alternative open source BouncyCastle JCA provider for the ES256K (secp256k1 curve) JWS algorithm when it's used to secure ID tokens, UserInfo JWTs, request objects (JAR), authorisation responses (JARM) or self-contained (JWT) access tokens.

    The Java 11 runtime support remains.

  • Adds support for registering OAuth 2.0 clients with redirect_uri templates, to enable Connect2id server deployments to set the redirection URI at the time when the authorisation request is processed.

    This can facilitate scenarios where the exact redirect_uri is not known at the time of client registration or where a client may require a multitude of redirection URIs that conform to a certain pattern. The redirect_uri templates apply to authorisation requests as well as pushed authorisation requests (PAR).

    Example template where the [param] is a placeholder for a parameter to be set when the Connect2id server processes the authorisation request:

    urn:c2id:redirect_uri_template:https://[param].example.com/login-callback

Web API

  • /clients/

    • Supports registration of OAuth 2.0 web and native clients with templates in the redirect_uris parameter. The template is a URN with format urn:c2id:redirect_uri_template:[URI], where URI is the final redirection URI which must contain a single [param] placeholder. The [param] placeholder will be set by the Connect2id server when it processes authorisation requests from the client.

  • /authz-sessions/rest/v3/

    • Adds an optional redirect_uri_template_param parameter of type string to the authorisation session start request object. Used to set the [param] in a redirect_uri of an authorisation request where the URI is a template. The template URI must be registered just as any regular redirection URI in the client's record under the redirect_uris field.

      The [param] setting will apply to all authorisation requests, including JAR and PAR.

      If the Connect2id server doesn't set the [param] for some reason the redirect_uri will remain unchanged, which will later cause the redirection to fail because of the URN scheme.
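The template resolution described for the /clients/ and /authz-sessions/rest/v3/ APIs above, as an added Python example that is not Connect2id server code: it validates a registered urn:c2id:redirect_uri_template: URN (exactly one [param], an absolute https URI, no fragment, the placeholder occupying a whole host label or path segment), resolves it with the redirect_uri_template_param supplied at session start, and returns the URN unchanged when no parameter is set, reproducing the documented failure mode. The https-only rule and the character set allowed in the parameter are assumptions of this example, chosen so that a parameter can never alter the authority of the final URI; the host names and parameter values are constructed.

```python
import re
from urllib.parse import urlsplit

# Template prefix and placeholder as documented for the /clients/ web API.
TEMPLATE_PREFIX = "urn:c2id:redirect_uri_template:"
PLACEHOLDER = "[param]"

# Assumption of this example (not stated in the release notes): the parameter is
# limited to a DNS-label-safe token, so substituting it can never add dots,
# slashes, '@', '?' or '#' and thereby change the authority or structure of the URI.
_SAFE_PARAM = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def is_template(uri: str) -> bool:
    return uri.startswith(TEMPLATE_PREFIX)


def validate_template(uri: str) -> str:
    """Check a registered template and return the embedded URI, [param] still in place."""
    if not is_template(uri):
        raise ValueError("not a redirect_uri template: " + uri)
    inner = uri[len(TEMPLATE_PREFIX):]
    if inner.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain exactly one [param] placeholder")
    # Parse with a dummy value: urlsplit rejects a literal '[param]' in the host part.
    probe = urlsplit(inner.replace(PLACEHOLDER, "x"))
    if probe.scheme != "https" or not probe.hostname:  # https only, an assumption here
        raise ValueError("template must embed an absolute https URI")
    if probe.fragment:
        raise ValueError("redirection URIs must not contain a fragment (RFC 6749)")
    # The placeholder must be a whole host label or a whole path segment, so a
    # parameter can never extend an existing label into an unrelated domain.
    before, _, after = inner.partition(PLACEHOLDER)
    if "/" not in before.split("://", 1)[1]:  # placeholder sits in the host
        whole = before.endswith(("://", ".")) and after.startswith(".")
    else:                                      # placeholder sits in the path
        whole = before.endswith("/") and (after == "" or after.startswith("/"))
    if not whole:
        raise ValueError("[param] must occupy a whole host label or path segment")
    return inner


def resolve_redirect_uri(registered_uris, requested_uri, template_param=None):
    """Map an authorisation request's redirect_uri to the final redirection URI.

    Plain registered URIs must match exactly. A registered template is resolved
    with the redirect_uri_template_param passed in the authorisation session
    start request. Without a parameter the URN is returned unchanged, mirroring
    the documented behaviour (the redirection then fails on the urn: scheme).
    """
    if requested_uri not in registered_uris:
        raise ValueError("redirect_uri is not registered for this client")
    if not is_template(requested_uri):
        return requested_uri
    inner = validate_template(requested_uri)
    if template_param is None:
        return requested_uri
    if not _SAFE_PARAM.match(template_param):
        raise ValueError("redirect_uri_template_param contains unsafe characters")
    return inner.replace(PLACEHOLDER, template_param)


if __name__ == "__main__":
    registered = ["https://app.example.com/cb",
                  "urn:c2id:redirect_uri_template:https://[param].example.com/login-callback"]
    print(resolve_redirect_uri(registered, registered[1], "tenant-a"))
```

The exact-match rule for plain URIs is the usual OAuth 2.0 redirect_uri comparison; the template path only relaxes it for the single placeholder, and the parameter filter is what keeps that relaxation from turning into an open redirect.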

Resolved issues

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.30

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.26.2

  • Updates to com.nimbusds:oauth2-authz-store:19.5

The OAuth 2.0 token exchange in Connect2id server 13.3 supports refresh token and ID token issue

Connect2id server deployments with OAuth 2.0 token exchange (RFC 8693) will now be able to issue refresh tokens and ID tokens. Previously the token exchange plugin interface (SPI) was capable of specifying only access token issue. The persistence of the token exchange authorisation can now also be controlled by setting its long-lived flag, which also determines, when a refresh token gets issued, whether it is going to be persisted (long-lived set to true) or a stateless encrypted JWT (long-lived set to false).

This token exchange upgrade makes it possible for Connect2id server deployments to experiment with the new OpenID Connect draft specification for native single sign-on (SSO) for Android, iOS and desktop applications. Built-in support for the native SSO is now on the Connect2id server roadmap and it will appear once the spec has become stable.

The new token exchange plugin capabilities can also be useful in other scenarios where a client needs to exchange a token of some kind (opaque or JWT) for a local Connect2id server issued access / refresh / ID token.

This release fixes two issues:

  • If you have clients using symmetrically encrypted ID tokens or UserInfo (by means of deriving a shared AES key from the client_secret) upgrading is strongly recommended, to ensure interoperability and correctness of the key derivation. The key derivation suffered from a poorly worded specification in OpenID Connect Core 1.0, addressed in a recent errata. The security of the encryption was never compromised, but depending on how the original spec was interpreted the decryption of JWE objects can unexpectedly fail with a different client library or OpenID Connect server.

    The key derivation issue was also fixed in v10.5.1 of the open source OAuth 2.0 / OpenID Connect SDK we maintain.

  • If you have a deployment with OpenID Connect Federation 1.0 upgrading is also suggested, so you can read the registrations of automatic clients via the clients API without entity URL encoding issues.

There is more information in the release notes.

Download 13.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: b503e2a247bb7bbe224f3f6ed3b7f0f27930edb50b501b1931ecc45173c99705

Connect2id server 13.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: d10fccf8fb49a5095ce7a387728ecdebe0023c6fd2411f264567c25741296a49

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: cce4e3dad989af9db16fca3ec8e731be913066ce59f41a099e5f0e9e47cc5197

Connect2id server 13.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: bf5f9b7a7fa6a3d80fde32c3405fdfbb61d8d8095b9bd4d71703cc84fbe42377

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.3 (2023-01-23)

Summary

  • Token exchange (RFC 8693) plugins can now optionally specify the issue of a refresh token and ID token (in addition to the access token) when authorising a request received via the TokenExchangeGrantHandler SPI. The plugin can also flag the authorisation as long-lived (persisted), to cause the granted scope values and other attributes to be remembered for the subject and the requesting client. This also enables control of the refresh token encoding (if issued) - persisted or stateless.

  • Resource owner password credentials grant plugins can now specify the issue of stateless (JWT-encoded) refresh tokens. Previously only persisted refresh tokens could be issued.

  • Updates the plugin for handling OAuth 2.0 grants at an external web service (web hook) to support token exchange (RFC 8693) authorisations for refresh token and ID token issue.

Web API

  • /token

    • Adds support for refresh token and ID token issue for an OAuth 2.0 token exchange grant (RFC 8693).

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.52

    • The TokenExchangeAuthorization class is updated to support optional persistence of the authorisation (with the long-lived flag), issue of a refresh token (stateless or persisted) and issue of an ID token.

    • The PasswordGrantAuthorization class is updated to support issue of a stateless refresh token when the long-lived authorisation flag is set to false. Previously only persisted refresh tokens could be issued, and only when the long-lived authorisation flag was set to true.

Resolved issues

  • The AES key from client_secret derivation for shared JSON Web Encryption (JWE) of ID tokens, UserInfo responses and other objects must remove the right-most bits, not the left-most. See OpenID Connect Core 1.0 errata 2020-07-24 (issue oidc-sdk/412).

  • The clients web API GET by client_id must handle client identifiers that are OpenID Connect Federation 1.0 entity IDs (and URLs in general) seamlessly (issue server/824).
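The key derivation behind the client_secret issue above (and the interoperability note in the 13.3 announcement), as an added Python example that is not the OAuth 2.0 / OpenID Connect SDK code: it derives the symmetric JWE key from a client_secret per OpenID Connect Core 1.0 section 10.2 as clarified by the 2020-07-24 errata (SHA-256 over the UTF-8 secret, keep the left-most bits of the required key length), places the corrected right-most reading beside it so the mismatch that makes two peers fail to decrypt each other's JWE objects for keys shorter than 256 bits is visible, and rejects enc values that need more bits than SHA-256 yields. The secret value is constructed.

```python
import hashlib

# Key size in bits required by the symmetric JWE "alg" (key wrapping) or, when
# alg is "dir", by the "enc" content encryption algorithm (RFC 7518).
KEY_BITS = {
    "A128KW": 128, "A192KW": 192, "A256KW": 256,
    "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256,
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
}


def _required_bytes(alg_or_enc: str) -> int:
    bits = KEY_BITS[alg_or_enc]
    if bits > 256:
        # SHA-256 yields 256 bits; longer keys cannot come out of this derivation.
        raise ValueError(f"{alg_or_enc} needs a {bits}-bit key, more than SHA-256 provides")
    return bits // 8


def derive_client_secret_key(client_secret: str, alg_or_enc: str) -> bytes:
    """Derive the shared AES key from client_secret as OpenID Connect Core 1.0
    section 10.2 reads after the 2020-07-24 errata: SHA-256 over the UTF-8
    secret, then keep the LEFT-MOST bits of the required key length."""
    digest = hashlib.sha256(client_secret.encode("utf-8")).digest()
    return digest[: _required_bytes(alg_or_enc)]


def derive_client_secret_key_rightmost(client_secret: str, alg_or_enc: str) -> bytes:
    """The reading corrected in 13.3, keeping the RIGHT-MOST bits. Kept here only
    to make the interoperability failure between the two readings visible."""
    digest = hashlib.sha256(client_secret.encode("utf-8")).digest()
    return digest[len(digest) - _required_bytes(alg_or_enc):]


def readings_agree(client_secret: str, alg_or_enc: str) -> bool:
    """True only for 256-bit keys, where both readings keep the whole hash."""
    return derive_client_secret_key(client_secret, alg_or_enc) == \
        derive_client_secret_key_rightmost(client_secret, alg_or_enc)


if __name__ == "__main__":
    secret = "example-client-secret-0123456789"  # constructed value
    for name in ("A128KW", "A256KW"):
        print(name, derive_client_secret_key(secret, name).hex(), readings_agree(secret, name))
```

The practical consequence is that a server and a client library that disagree on the truncation still interoperate with A256KW or A256GCM and only start failing once a client is registered for a 128- or 192-bit algorithm, which is why the fix matters for correctness rather than for confidentiality.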

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.52

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.5.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.29

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.4

Connect2id server 13.2.1

This is a maintenance release of the Connect2id server.

Should I upgrade?

An upgrade to 13.2.1 is recommended if:

  • You have a deployment with a plugin for handling SAML 2.0 assertion grants. This special OAuth 2.0 grant type is used to let client applications exchange a SAML 2.0 assertion for an OAuth 2.0 access token (potentially including a refresh token as well). Prior versions of the Connect2id server contain a dependency in the XML parsing stack reported vulnerable to CVE-2022-40152. A malicious SAML assertion which triggers the vulnerability will cause an internal stack overflow exception and the token endpoint to return an HTTP 500 Internal Server Error instead of a proper HTTP 400 Bad Request response with an invalid_grant error.

  • You have a deployment enabled for OpenID Connect Federation 1.0. This release fixes two bugs that affect the clean up of expired federation clients.

In all other cases upgrading is not necessary.

There is more information in the release notes below.

Native SSO for Android and iOS apps

A new specification in development at the OpenID Connect working group is now on the Connect2id server roadmap for 2023.

A mobile app which signs-in a user with OpenID Connect to obtain an ID token will be able to share the user identity with apps belonging to the same vendor:

  • A mobile app by a vendor is installed and the user logs in with OpenID Connect.

  • If the user chooses to install other apps belonging to the same vendor she will be automatically signed into them, a concept called "native SSO".

We are currently also discussing possibilities for mobile apps to seamlessly sign in the user with trusted web applications and sites. This scenario can occur when the app opens a link to a web site of the vendor. The aim is to save the user from having to perform an additional web-based SSO with the Connect2id server and improve the overall UX when moving between mobile app and web site.

If you have comments, suggestions or wish to try out this feature before it is finalised write to Connect2id support.

LDAP backend support will be removed in 2023

We would also like to inform you that LDAP backend support will be removed in 2023, with version 13.x likely remaining the last one to have it. If you use an LDAP directory server to persist Connect2id server data consider migrating to a different database. This change does not affect the Connect2id server connector for sourcing OpenID claims from LDAP directories, which will remain available and supported.

2023 will also see official support for Java 17, to enable Connect2id servers to be deployed with the newer Java 17 runtime (while keeping the software Java 11 compatible).

Download 13.2.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.2.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 889853c37a402ed36b04f29ec7962ee866800383ae59e6951e17ee8ee0f7d038

Connect2id server 13.2.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: be1785b7eb1f73d53c65a897617bfb9ff5dc2170e255ee17b2733da28672d276

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.2.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 39ae9507bf51ef3e3baaa8ea12f251976ab8cd82da2b0c2b0bf57db9f80ad2cf

Connect2id server 13.2.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 3b7c9fdce414cd20b097bcee8fac70014cecb4b70ce99efe59a06032602f2179

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.2.1 (2023-01-19)

Resolved issues

  • Updates the Woodstox Core dependency used in the SAML 2.0 assertion grant SPI, to address a potential stack overflow vulnerability in the XML DTD parse code (CVE-2022-40152). Note that the CVE has been incorrectly filed to an XStream dependency (a different project). Connect2id server deployments that don't use a SAML 2.0 assertion grant plugin for exchanging SAML 2.0 tokens for OAuth 2.0 tokens are not affected (issue server/820).

  • Streaming registered OpenID Connect Federation 1.0 clients from the federation client index must observe the tenant ID (issue server/640).

  • Fixes NPE that prevented clean up of expired OpenID Connect Federation 1.0 automatic clients (issue server/657).

Dependency changes

  • Updates to com.fasterxml.woodstox:woodstox-core:5.4.0

  • Updates Dropwizard Metrics to 4.2.15

Connect2id server 13.2 adds a signed JWKs endpoint for use in OpenID federations

This release of the Connect2id server builds upon the OpenID Connect Federation 1.0 upgrade that arrived in 13.1 by adding a new signed JWKs endpoint. The signature establishes a digital proof that a server owns its OpenID provider keys, and that proof then becomes linked to the server's trust chain in a federation.

The signed OpenID provider JWKs endpoint does not play an actual part in the trust resolution protocol defined in OpenID Connect Federation 1.0. The terms and policies that govern a particular federation may however require it, for non-repudiation and legal purposes. The Italian eID federation requires members to sign their public OpenID provider keys so that end-user authentication events (represented by issued ID tokens) can be linked to the trust chain in a verifiable manner. The Italian federation operator also has a policy to keep a historical archive of the keys of all members, in case disputes over past transactions arise.

Example request to retrieve the server's OpenID provider keys in a signed form:

GET /jwks.jwt HTTP/1.1
Host: demo.c2id.com

The response will be a signed JWT, carrying a keys claim that is a standard JWK set:

HTTP/1.1 200 OK
Content-Type: application/jwk-set+jwt

eyJraWQiOiJleFI1IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJodHRwczpcL1wvZmFwaS5jMmlkLmNv
bSIsIm1ldGFkYXRhIjp7Im9wZW5pZF9wcm92aWRlciI6eyJyZXF1ZXN0X3BhcmFtZXRlcl9zdXBwb3J
ZW5kcG9pbnQiOiJodHRwczpcL1wvZmFwaS5jMmlkLmNvbVwvdG9rZW5cL2ludHJvc3BlY3QiLCJj...

Note that the new signed JWK set endpoint will normally return an HTTP 404 Not Found status code, unless OpenID Connect federation is enabled.

This release also fixes two major bugs introduced in Connect2id server 13.0. Upgrading to 13.2 is strongly recommended if you are currently using an affected 13.0 or 13.1 deployment.

There is more information in the release notes below.

Download 13.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 5676fd128a46fbdc113b4b6ffc930ddb636217a715e599356279ffa0f1171b64

Connect2id server 13.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ed815c1404898266ea35b277551addc7e2ca9f44b1036a34e7f30bb8a3ab62f3

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1fc4ac435cbfc1baa8d34a644b0a0720ffc36ba87aca47ed23f3e74151a76008

Connect2id server 13.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 616c1dd0d92bd44d834d334f4fc6bad692c73cd7502ee0b90e5ffab5d9e776d8

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.2 (2023-01-12)

Summary

  • Upgrades OpenID Connect Federation 1.0 draft 25 support to publish a signed JWK set at the URL advertised in the signed_jwks_uri OpenID provider metadata found in the entity configuration.

  • Fixes two bugs affecting deployments of Connect2id server v13.0 and v13.1 with an SQL database. Updating is strongly recommended (see issue server/816 for details).

Web API

  • /.well-known/openid-configuration

    • signed_jwks_uri -- New optional metadata field specifying an endpoint where the OpenID provider JWK set is published as a signed JWT. Available when OpenID Connect Federation 1.0 is enabled, else omitted.

  • /jwks.jwt -- New endpoint publishing the OpenID provider JWK set as a signed JWT when OpenID Connect Federation 1.0 is enabled. The JWT is signed with the RS256 algorithm using the first RSA key in the configured Connect2id server federation entity JWK set. The JWT typ (type) header is set to jwk-set+jwt. The JWT contains the iss (issuer), sub (subject), iat (issued-at time) and keys (JWK set keys) claims, as specified in OpenID Connect Federation 1.0, section 4.1.
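The signed JWK set exchange shown in the 13.2 announcement above (the GET /jwks.jwt request and its application/jwk-set+jwt response) and specified in this web API note, as an added Python example that is not Connect2id server code: it builds the JWT served at signed_jwks_uri (typ jwk-set+jwt, RS256 with the entity's RSA key, claims iss, sub, iat and keys) and the check a federation peer or archive operator would run before trusting the published keys. RSA keys are generated in pure Python so the example runs offline; the entity ID https://op.example.com, the key IDs and the 1024-bit key size are constructed for the example, and a real deployment signs with its configured federation entity JWK set (possibly held in an HSM) rather than with the toy key generator.

```python
import base64
import hashlib
import json
import random
import time

_DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo, RFC 8017 9.2

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_to_b64u(n: int) -> str:
    return b64u(n.to_bytes((n.bit_length() + 7) // 8, "big"))
def _b64u_to_int(s: str) -> int:
    return int.from_bytes(b64u_decode(s), "big")

def _is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, used only for the toy keys
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_jwk(kid: str, bits: int = 1024) -> dict:
    """Constructed private RSA JWK for this example; a real OP keeps its keys in a keystore or HSM."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    return {"kty": "RSA", "kid": kid, "use": "sig", "n": _int_to_b64u(p * q),
            "e": _int_to_b64u(e), "d": _int_to_b64u(pow(e, -1, phi))}

def public_jwk(jwk: dict) -> dict:
    return {k: v for k, v in jwk.items() if k != "d"}

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _DIGEST_INFO_SHA256 + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, jwk: dict) -> bytes:
    n, d = _b64u_to_int(jwk["n"]), _b64u_to_int(jwk["d"])
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    n, e = _b64u_to_int(jwk["n"]), _b64u_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return recovered == _emsa_pkcs1_v15(signing_input, k)  # compares public data only

def build_signed_jwks(entity_id: str, entity_jwk: dict, op_keys: list, now: int) -> str:
    """The JWT served at signed_jwks_uri: typ jwk-set+jwt, RS256, claims iss, sub, iat and keys."""
    header = {"kid": entity_jwk["kid"], "alg": "RS256", "typ": "jwk-set+jwt"}
    claims = {"iss": entity_id, "sub": entity_id, "iat": now, "keys": op_keys}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rs256_sign(signing_input.encode(), entity_jwk))

def verify_signed_jwks(token: str, entity_id: str, entity_pub_keys: list, now: int, skew: int = 60) -> list:
    """Validate a peer's signed JWK set against its trusted entity keys; return the keys or raise."""
    h, c, s = token.split(".")  # anything but three segments raises ValueError here
    header = json.loads(b64u_decode(h))
    if header.get("alg") != "RS256" or header.get("typ") != "jwk-set+jwt":
        raise ValueError("unexpected alg or typ header")  # pin the algorithm; never let the token choose it
    kid = header.get("kid")
    key = next((k for k in entity_pub_keys if kid and k.get("kid") == kid and k.get("kty") == "RSA"), None)
    if key is None or not rs256_verify((h + "." + c).encode(), b64u_decode(s), key):
        raise ValueError("unknown kid or invalid signature")
    claims = json.loads(b64u_decode(c))
    if claims.get("iss") != entity_id or claims.get("sub") != entity_id:
        raise ValueError("iss and sub must both equal the federation entity ID")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + skew:
        raise ValueError("iat missing or in the future")
    if not isinstance(claims.get("keys"), list) or not claims["keys"]:
        raise ValueError("keys claim missing or empty")
    return claims["keys"]

if __name__ == "__main__":
    fed_key, op_key = generate_rsa_jwk("fed-1"), generate_rsa_jwk("op-1")
    jwt = build_signed_jwks("https://op.example.com", fed_key, [public_jwk(op_key)], int(time.time()))
    print(verify_signed_jwks(jwt, "https://op.example.com", [public_jwk(fed_key)], int(time.time())))
```

Two design points carry over to any consumer of this endpoint: the verifier fixes the expected algorithm and typ before looking at the signature instead of honouring whatever the header announces, and it resolves the kid only against the entity keys obtained through the trust chain, never against keys carried inside the token itself, since the whole purpose of the signature is to bind the published OP keys to that chain.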

Resolved issues

  • Fixes a bug introduced in Connect2id server 13.0, multi-tenant edition, affecting deployments with MySQL, PostgreSQL and MS SQL Server that may cause false HTTP 404 (invalid authorisation session ID) responses from the authorisation session web API. Connect2id server 13.0 and 13.1 multi-tenant deployments are strongly recommended to update (issue server/816).

  • Fixes a bug introduced in Connect2id server 13.0 affecting deployments with MySQL, PostgreSQL and MS SQL Server that causes incorrect PAR URI rejections at the authorisation endpoint. Connect2id server 13.0 and 13.1 deployments are strongly recommended to update (issue server/818).

  • Fixes non-critical NPE when writing HTTP 404 responses at the .well-known/openid-federation endpoint when OpenID Connect Federation 1.0 is disabled (issue server/817).

  • Optimises OpenID Connect Federation 1.0 related logging (issue server/815).

  • The PARValidator SPI must be invoked with an AuthenticationRequest if the validated authorisation request has the "openid" scope value (issue server/819).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.5