Connect2id server 12.8

This is a mini plugin interface (SPI) and maintenance / security update of the Connect2id server for OpenID Connect identity provisioning and OAuth 2.0 authorisation.

  • The PAR validator SPI and the authorisation request validator SPI let plugins access the original raw requests, for purposes such as inspecting the presence of a signed request object (JAR).

    Example check for signed JAR presence:

    // The raw request as received at the authorisation endpoint, before any
    // JAR unwrapping / resolution (getRawRequest is new in SDK 4.42)
    boolean jarPresent = validatorContext.getRawRequest()
        .specifiesRequestObject();
    // The client's registered request_object_signing_alg, null if not set
    JWSAlgorithm jwsAlg = validatorContext.getOIDCClientInformation()
        .getMetadata()
        .getRequestObjectJWSAlg();
    if (jarPresent && jwsAlg != null && JWSAlgorithm.Family.SIGNATURE.contains(jwsAlg)) {
        // Detected signed request
    }

  • Minor vulnerability and bug fixes. Upgrading is generally recommended.

  • Selected library updates.

Detailed information is available in the release notes below.

Download 12.8

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.8: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 8fe22c0494af181be220ff73cc24d65e7b0fa4b5acd389efc9cf1f08b748aff6

Connect2id server 12.8 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: dd427ec8c873825537ab966e17e06e9be6a3f037d2e442965d418898cde503ed

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.8: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4587ec28a84b1ce0853430d594afe3d9911523127d2b1d8b077abebf73e12c52

Connect2id server 12.8 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 42582f3e352d2d5e726e976faadaffba33cd35d5058aed2fe8a59dad9736b65f

Questions?

Contact Connect2id support.


Release notes

12.8 (2022-03-12)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.42

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getRawRequest method returning the original raw OAuth 2.0 authorisation / OpenID authentication request, as received at the authorisation endpoint and prior to any JAR unwrapping / resolution if JWT-secured.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getRawRequest method returning the original raw OAuth 2.0 authorisation / OpenID authentication request, as received at the authorisation endpoint and prior to any JAR unwrapping / resolution if JWT-secured.

Resolved issues

  • Fixes a vulnerability in the Connect2id server banner (splash) page that allowed injection of HTML or JavaScript via an invalid "Issuer" HTTP header. No feasible exploits found, but upgrading is generally recommended. The banner page also receives a Content-Security-Policy to allow only local content (issue server/733).

  • Fixes a vulnerability at the token endpoint that allowed log injection of CR and LF characters via a client_id prior to client validation. In Connect2id server deployments with a plain text Log4j appender the vulnerability may be exploited to compromise the integrity of the log messages. The severity of the vulnerability is deemed low; upgrading is recommended (issue server/734).

  • Fixes the log label for the token introspection HTTP request logging and the OP6500 internal server error message (issue server/735).

  • The token and UserInfo endpoints must return an HTTP 400 Bad Request with an invalid_dpop_proof error when receiving a DPoP HTTP request header with a header value that doesn't parse to a signed JWT. Previously the Connect2id server ignored the DPoP header when JWT parsing failed (issue server/736).
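The two token endpoint fixes above (issues server/734 and server/736) as defensive checks a custom endpoint or DPoP-protected resource server can apply. This is an added example, not Connect2id server code; the class name, the helper names and the sample inputs are constructed, and it assumes the nimbus-jose-jwt, json-smart and Log4j 2 libraries listed in the dependency changes.

```java
import java.text.ParseException;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import net.minidev.json.JSONObject;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Added example (hypothetical class, not part of the Connect2id server)
public final class TokenEndpointHardening {

    private static final Logger LOG = LogManager.getLogger(TokenEndpointHardening.class);

    // The JWT "typ" header value DPoP proofs carry
    private static final JOSEObjectType DPOP_JWT = new JOSEObjectType("dpop+jwt");

    private TokenEndpointHardening() {}

    // Single-line rendering of an untrusted parameter for a plain text appender:
    // CR, LF and other control characters become visible escapes, so one request
    // cannot forge additional log records (the server/734 class of bug).
    public static String sanitiseForLog(final String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pre-check of a DPoP header value: returns null when it parses to a signed
    // JWT of type dpop+jwt with an asymmetric alg (full proof verification is out
    // of scope here), otherwise the JSON error body to return with HTTP 400.
    public static JSONObject checkDPoPHeader(final String headerValue) {
        SignedJWT proof;
        try {
            // SignedJWT.parse rejects non-JWS input and alg "none"
            proof = SignedJWT.parse(headerValue.trim());
        } catch (ParseException e) {
            // 12.8 behaviour: an unparseable DPoP header is an error, never ignored
            return error("DPoP header value is not a signed JWT");
        }
        if (! DPOP_JWT.equals(proof.getHeader().getType())) {
            return error("DPoP proof typ must be dpop+jwt");
        }
        if (! JWSAlgorithm.Family.SIGNATURE.contains(proof.getHeader().getAlgorithm())) {
            return error("DPoP proof alg must be an asymmetric signature algorithm");
        }
        return null;
    }

    private static JSONObject error(final String description) {
        JSONObject body = new JSONObject();
        body.put("error", "invalid_dpop_proof");
        body.put("error_description", description);
        return body;
    }

    public static void main(String[] args) {
        // Constructed sample: a client_id that tries to smuggle a second log record
        String clientId = "app-1\r\n2022-03-12 INFO client app-2 authenticated";
        LOG.warn("Token request with client_id {} failed validation", sanitiseForLog(clientId));
        // Constructed sample: a DPoP header value that is plain text, not a JWT
        System.out.println(checkDPoPHeader("not-a-jwt").toJSONString());
    }
}
```

With a plain text Log4j 2 PatternLayout the same escaping can be applied globally with the `%enc{%m}{CRLF}` converter instead of per call site; a structured (JSON) layout is not affected by this class of injection.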

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.42

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.28

  • Updates to com.nimbusds:nimbus-jose-jwt:9.21

  • Updates to com.nimbusds:common:2.48

  • Updates to org.cryptomator:siv-mode:1.4.4

  • Updates to net.minidev:json-smart:2.4.8

Connect2id server 12.7

This Connect2id server update introduces two new features in its integration APIs: support for an error_uri query parameter in the authorisation session API call that returns an error to the OAuth 2.0 client, and a new authzEndpoint.invalidRequests meter in the monitoring API.

This release also fixes a bug that caused login handlers to receive an HTTP 500 status code instead of a 400 when including illegal characters in the error_description for an authorisation error. Underlying frameworks and libraries also received updates. More information can be found in the release notes below.

Download 12.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: ce9aceb0ab3969cf95cef114a2a9ab2d31ee3ce1fb4f95fdf3dba26e491802b4

Connect2id server 12.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 019b2f9d68b924b07dd40ac0a5ac796ce35fbba76e09a28a513e87d24db90c7d

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: dc88c173b24c396e85681a9933273d6cf5c4464146209efaab4168774a5e2109

Connect2id server 12.7 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 15b3d233d550d938cc947cb32b024b63f9d7bffa26677e2518107e9847d39812

Questions?

Contact Connect2id support.


Release notes

12.7 (2022-03-01)

Web API

  • /authz-sessions/rest/v3/

    • The DELETE call for returning an authorisation response error to the OAuth 2.0 client adds support for an "error_uri" query parameter. See RFC 6749, section 5.2.

  • /monitor/v1/metrics

    • Adds new "authzEndpoint.invalidRequests" meter of invalid requests by OAuth 2.0 clients and OpenID Connect relying parties at the OAuth 2.0 authorisation endpoint. Covers authorisation error responses with the "invalid_request" and other codes (save for "access_denied", metered by "authzEndpoint.failedSubjectAuthentications" and "authzEndpoint.consentDenials") as well as non-redirecting errors.

Resolved issues

  • The authorisation session API DELETE /authz-sessions/rest/v3/{sid} call must return an HTTP 400 Bad Request when illegal characters are present in an OAuth 2.0 error code or description, as specified in RFC 6749, section 5.2. Previously illegal characters would produce an HTTP 500 Internal Server Error (issue server/730).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.20

  • Updates to com.nimbusds:oauth2-authz-store:17.8

  • Updates to com.nimbusds:oidc-session-store:14.9

  • Updates to com.nimbusds:common:2.46

  • Updates to javax.servlet:javax.servlet-api:4.0.1

  • Updates to org.apache.commons:commons-lang3:3.12.0

  • Updates to javax.ws.rs:javax.ws.rs-api:2.1.1

  • Updates to org.glassfish.jersey.containers:jersey-container-servlet:2.35

  • Updates to com.google.code.gson:gson:2.9.0

  • Updates to commons-codec:commons-codec:1.15

  • Updates to io.prometheus:simpleclient:0.15.0

  • Updates to io.prometheus:simpleclient_servlet:0.15.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.15.0

  • Updates to Log4j 2.17.2

Connect2id server 12.6.1

This release of the Connect2id server fixes two bugs that affected the eKYC / Identity Assurance extension for verified claims and a bug affecting configuration of the custom scope value to OpenID claims mapping. The fixed issues are described in the release notes below.

Download 12.6.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.6.1: Connect2id-server.zip

SHA-256: 88ca8c72ba87f144625cbc8a71f8e06a80d1cb5450beb18eb9ba6718f61cd745

GPG signature: Connect2id-server.zip.asc

Connect2id server 12.6.1 WAR package: c2id.war

SHA-256: 4a56c99242ea290992a207ef10a92a54e1d4442ab687e3327347cbf9e1cb145c

GPG signature: c2id.war.asc

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.6.1: Connect2id-server-mt.zip

SHA-256: 71b5289d020f06c0ebd6c762df6e8cc8dca90287011e2cac71dacf30ce6f777a

GPG signature: Connect2id-server-mt.zip.asc

Connect2id server 12.6.1 WAR package: c2id-multi-tenant.war

SHA-256: 11ac6124cbc3231103fb79be6c7a781585607d9f6bb7cb636dadfef58bf5fc7b

GPG signature: c2id-multi-tenant.war.asc

Questions?

Contact Connect2id support.


Release notes

12.6.1 (2022-02-10)

Resolved issues

  • Fixes op.map.claims.* system property override for configuring the custom scope-to-claims mapper in the single-tenant edition of the Connect2id server. The multi-tenant server edition is not affected. The single-tenant server edition will log at startup the configured mapping (at level INFO with ID OP0080) (issue server/725).

  • OpenID Connect for Identity Assurance: MinimalVerificationSpec.parse must allow trust_framework set to an empty JSON object (issue oidc-sdk/385).

  • OpenID Connect for Identity Assurance: The birthplace claim must allow ISO 3166-1 Alpha-3 country codes (issue server/728).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.25

  • Updates to com.nimbusds:nimbus-jose-jwt:9.19

  • Updates to org.postgresql:postgresql:42.3.2

Connect2id server 12.6 with major upgrade to Identity Assurance / eKYC support

Identity Assurance / eKYC upgrade

In September 2021 the Identity Assurance / eKYC extension to OpenID Connect received a major upgrade and was later voted to become an implementer's draft, a crucial step towards reaching standard status.

The changes fall into three areas:

  • Revision of the verification data element, to make a clear distinction between the process of verifying that the user is the owner of the claims and the process that involves the validation of evidences, such as ID cards or electronic records. The concept of assurance level was factored out and is no longer a part of the trust framework identifier. A new taxonomy for the identity evidences was created, which now has the types document, electronic_record, vouch, utility_bill and electronic_signature. Finally, there is a possibility to deliver attachments to relying parties, such as scanned documents.
  • Revision of the OpenID provider metadata, adding new fields and deprecating others.
  • Definition of two new OpenID claims: msisdn, also_known_as and address.country_code.

The changes are outlined in the history section of the Identity Assurance / eKYC draft, but due to the numerous significant changes we recommend studying the entire spec.

The Connect2id server is now updated to support the new syntax for the verification data element. The old (deprecated) syntax will continue to work with the server as well as with the underlying OAuth 2.0 / OpenID Connect SDK.

The server configuration for eKYC was also updated so the new fields can be advertised in OpenID provider metadata. Note that fields related to the deprecated id_document type should no longer be used. The changes in configuration and OpenID provider metadata are explained in the release notes below.

If you are interested in adopting Identity Assurance / eKYC in your Connect2id server deployment start here.

If you use our open source OAuth 2.0 / OpenID Connect SDK to construct verification data on the server side, or within a client application that relies on an IdA / eKYC provider, you will find these improvements:

  • A more intuitive API and improved type-safety for writing robust code.
  • It's now easier to create custom verification data requests by extending the new MinimalVerificationSpec class.
  • External attachments can be downloaded (with HTTP timeouts) and their digests automatically verified with a single line of code.
  • Constants and helper methods for dealing with ISO 3166-1 and 3166-3 country codes, including logic for mapping between two-letter (alpha-2) and three-letter (alpha-3) ISO 3166-1 country codes.

Check the OpenID Connect SDK guide and examples for IdA / eKYC to find out more.

Accessing OpenID provider metadata from within a plugin

The AuthorizationRequestValidator and PARValidator SPIs can now access the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes. Contact us if you find this useful for other types of plugins.

Dependency updates

Finally, this 12.6 release comes with about a dozen updates to frameworks and libraries. Several optional and unused dependencies for OpenSAML were removed.

Docker

The Docker c2id/c2id-server-demo and c2id/c2id-server-min images switched from Debian (as OS) with Java 11 to Amazon Corretto 11, which has a lighter combined footprint. Fewer Linux packages will also mean fewer false positives to deal with when an image is scanned for vulnerabilities, because scanners at present cannot tell if a package is used or not (and Java doesn't need many of the standard packages that come in a Linux OS). Note that Amazon Corretto still isn't a bare bones Linux distribution, so vim, curl and other basic utilities can still be found in it.

Download 12.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a6ad8242ebfb578f0d62963a842635bfee8e76c27db78be180d254340ca66ee7

Connect2id server 12.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ea0bb877aa6c51ea96d1353823fceb8ae026fe75711c780ee14f060ac7d3fb41

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a787bd9d95eb0f657e19e7337dc327fdd45703e5720998a7a8f1caa268e6ec07

Connect2id server 12.6 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b9d5844723274e817f02dbe63dde316c5089ed2b6c33ec75340d34a822bdee27

Questions?

Contact Connect2id support.


Release notes

12.6 (2022-01-17)

Summary

  • Upgrades OpenID Connect for Identity Assurance 1.0 support to the latest implementers' draft 12 from 6 September 2021. See https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html

  • Upgrades the AuthorizationRequestValidator and PARValidator SPIs to enable read-only access to the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.assurance.supportedDocumentTypes -- New optional configuration property listing the supported document types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_supported" OpenID provider metadata parameter.

    • op.assurance.supportedMethodsForDocuments -- New optional configuration property listing the supported coarse identity verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedValidationMethodsForDocuments -- New optional configuration property listing the supported validation methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_validation_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedVerificationMethodsForDocuments -- New optional configuration property listing the supported person verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_verification_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedElectronicRecordTypes -- New optional configuration property listing the supported electronic record types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "electronic_records_supported" OpenID provider metadata parameter.

    • op.assurance.supportedAttachments -- New optional configuration property listing the supported attachment types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "attachments_supported" OpenID provider metadata parameter. Attachment types: embedded, external.

    • op.assurance.supportedDigestAlgs -- New optional configuration property listing the supported digest algorithms for external attachments if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "digest_algorithms_supported" OpenID provider metadata parameter. If external attachments are supported, the list must at least include sha-256.

    • op.assurance.supportedIDDocumentTypes -- Becomes deprecated, the corresponding "id_documents_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.

    • op.assurance.supportedIdentityVerificationMethods -- Becomes deprecated, the corresponding "id_documents_verification_methods_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.

Web API

  • /.well-known/openid-configuration

    • documents_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported document types. Replaces "id_documents_supported".

    • documents_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported coarse identity verification methods for evidences of type document. Replaces "id_documents_verification_methods_supported".

    • documents_validation_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported validation methods for evidences of type document.

    • documents_verification_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported person verification methods for evidences of type document.

    • electronic_records_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported electronic record types.

    • attachments_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported attachment types: embedded, external.

    • digest_algorithms_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported digest algorithms for external attachments.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.41

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.41

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.20.1

  • Updates to com.nimbusds:oauth2-authz-store:17.7

  • Updates to com.nimbusds:oidc-session-store:14.8

  • Updates to com.nimbusds:content-type:2.2

  • Updates to com.nimbusds:c2id-server-property-source:1.0.3

  • Removes and updates selected OpenSAML 3.4.6 transitive dependencies

  • Replaces javax.activation:javax.activation-api:jar:1.2.0 with jakarta.activation:jakarta.activation-api:jar:1.2.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.6

  • Updates to com.zaxxer:HikariCP:4.0.3

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.3

  • Updates to org.postgresql:postgresql:42.3.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.9

  • Updates to com.nimbusds:tenant-registry:6.0.1

  • Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.132

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.5

  • Updates to AWS Java SDK 1.12.132

  • Updates DropWizard to 4.1.29

  • Updates Prometheus SimpleClient to 0.14.1

  • Updates Log4j to 2.17.1

Connect2id server 12.5.4 and 11.6.7 security updates addressing Log4j CVE-2021-45105

This Connect2id server release addresses a second post-Log4shell vulnerability discovered in Log4j, which can result in a DoS and is described in CVE-2021-45105.

Updating is strongly recommended to secure your deployments.

There are also updated c2id/c2id-server-demo and c2id/c2id-server-min Docker images available.

Download 12.5.4

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5.4: Connect2id-server.zip

SHA-256: 2860513912e3494d172764e9c2e0a159241d5e41c1663bdaf714021f6921f7ac

Connect2id server 12.5.4 WAR package: c2id.war

SHA-256: 520d3c398faccd29ed41244dcb79a8f3dcb6a825d111d20665965ad85b84bc5a

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5.4: Connect2id-server-mt.zip

SHA-256: 7859e9f37bd3ffcce1793e34921559bf03a9425831075cf22fcef311f8d316be

Connect2id server 12.5.4 WAR package: c2id-multi-tenant.war

SHA-256: c83965f09030956ceb6cf14fc1dbb983fe4b74620700dbbdf4e2e4b2a074edb2

Download 11.6.7

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.7: Connect2id-server.zip

SHA-256: e64d746617c750cf9abc954be9108541170d7b747a8ac4214f56538e6a45489b

Connect2id server 11.6.7 WAR package: c2id.war

SHA-256: 406bb18a8705b1230959553abaa2642f77dedd0399df71e1b65d303b47b5565e

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.7: Connect2id-server-mt.zip

SHA-256: ee926caabf4411c6b3ca481f1a1d456e1e9b37721581cc60997049f4d00e33cc

Connect2id server 11.6.7 WAR package: c2id-multi-tenant.war

SHA-256: 06bbef74bdd6b819bdf5ee967b29b697d5d3d324ee6acbcbb8ffc4c34a01f34f

Questions?

Contact Connect2id support.


Release notes

12.5.4 (2021-12-18)

Resolved issues

  • Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 (issue server/711).

Dependency changes

  • Updates Log4j to 2.17.0

11.6.7 (2021-12-18)

Resolved issues

  • Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 (issue server/711).

Dependency changes

  • Updates Log4j to 2.17.0