Connect2id server 9.1.1 and 8.2.2

This is a maintenance release of the Connect2id server.

The update is recommended for stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS (MySQL, PostgreSQL, Microsoft SQL server). This applies to the Infinispan configuration files with the following pattern:

/WEB-INF/infinispan-stateless-{mysql|postgres95|sqlserver}.xml

Stateless cluster deployments with Redis as the in-memory / cache store are not affected.

The update fixes a bug which can cause premature expiration of OAuth 2.0 authorisation codes issued from a prompt=none authorisation request, or from an authorisation request fulfilled from persisted consent (where the entire consent was on record). The premature expiration causes the subsequent code-for-token exchange to fail with an invalid / expired code error.

The release notes below provide more information.

Download 9.1.1

To download a ZIP package of Connect2id server 9.1.1:

https://connect2id.com/assets/products/server/download/9.1.1/Connect2id-server.zip

SHA-256: 79fbfe1785d03c0260dac506a9092c9820162c3c0725ad6058c5bcee73033b80

As WAR package only:

https://connect2id.com/assets/products/server/download/9.1.1/c2id.war

SHA-256: 1622db4e9d7e29142d5df0a88261941ae3648628f73413408508007877342a83

Download 8.2.2

To download a ZIP package of Connect2id server 8.2.2:

https://connect2id.com/assets/products/server/download/8.2.2/Connect2id-server.zip

SHA-256: 2323b1d98f7c0e94bd92eb137a7b650fc9a4591151f604d8f9a1c62da7378d03

As WAR package only:

https://connect2id.com/assets/products/server/download/8.2.2/c2id.war

SHA-256: 26ced5bb3044ab8c2b8541a2fc31d81b7b2eb8d0b224b179d56a6761265b0bd3

Questions?

Contact Connect2id support.


Release notes

9.1.1 (2020-03-26)

Resolved issues

  • Fixes premature expiration of OAuth 2.0 authorisation codes resulting from prompt=none or persisted consent authorisations in stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS database (MySQL, PostgreSQL, Microsoft SQL server). Applies to Infinispan configurations infinispan-stateless-{mysql|postgres95|sqlserver}.xml (where Redis is not used as an in-memory cache / store). Affected deployments should update (issue authz-store/176).

  • Adds debug logging for authorisation grant put (AS0230) and authorisation grant retrieval (AS0222) (issues authz-store/174 and 175).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.4.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.11


8.2.2 (2020-03-26)

Resolved issues

  • Fixes premature expiration of OAuth 2.0 authorisation codes resulting from prompt=none or persisted consent authorisations in stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS database (MySQL, PostgreSQL, Microsoft SQL server). Applies to Infinispan configurations infinispan-stateless-{mysql|postgres95|sqlserver}.xml (where Redis is not used as an in-memory cache / store). Affected deployments should update (issue authz-store/176).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.2.1

  • Updates to com.nimbusds:nimbus-jose-jwt:8.11

Connect2id server 9.1 updates JWT-secured token introspection responses

This release of the Connect2id server updates support for JWT Response for OAuth Token Introspection to the upcoming version 09. This OAuth 2.0 extension secures token introspection results with a digital signature, which is intended for business cases where the identity provider assumes liability for the content of the token. One such case is services using verified person data to create digital certificates, which in turn are used to create qualified electronic signatures (QES).

What changes were made in version 09?

  • The content of the token introspection response was moved to a separate JWT claim called token_introspection. This is done to prevent potential confusion and clashes of token introspection response parameters with top-level JWT claims that bear the same name.

  • The following top-level JWT claims are now made mandatory:

    • iss -- Set to the Connect2id server issuer URL.
    • aud -- Set to the client_id of the introspection endpoint caller (typically a resource server inspecting a token).
    • iat -- Set to the issue timestamp.
    • token_introspection -- JSON object containing the token introspection response mentioned above.

  • The JWT-secured response is triggered by an Accept HTTP request header set to application/token-introspection+jwt, unless op.token.introspection.alwaysRespondWithJWT is enabled, in which case the Accept header is ignored and the response is always JWT-secured.

Example request. The client (the resource server) authenticates at the introspection endpoint with basic authentication, using its registered client_id and client_secret. Notice the Accept header:

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Accept: application/token-introspection+jwt

token=giuLtTTnya5XpHVKNopT9w.gepM14CKpHcWloJ3XqMtvA

Example response with a signed JWT in the body:

HTTP/1.1 200 OK
Content-Type: application/token-introspection+jwt

eyJraWQiOiJ3RzZEIiwidHlwIjoidG9rZW4taW50cm9zcGVjdGlvbitqd3QiLCJhbGc
iOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tLyIsImF1ZCI6I
mh0dHBzOi8vcnMuZXhhbXBsZS5jb20vcmVzb3VyY2UiLCJ0b2tlbl9pbnRyb3NwZWN0
aW9uIjp7ImFjdGl2ZSI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9hcy5leGFtcGxlLmNvbS8
iLCJhdWQiOiJodHRwczovL3JzLmV4YW1wbGUuY29tL3Jlc291cmNlIiwiaWF0IjoxNT
E0Nzk3ODIyLCJleHAiOjE1MTQ3OTc5NDIsImNsaWVudF9pZCI6InBhaUIyZ29vMGEiL
CJzY29wZSI6InJlYWR3cml0ZWRvbHBoaW4iLCJzdWIiOiJaNU8zdXBQQzg4UXJBangw
MGRpcyIsImJpcnRoZGF0ZSI6IjE5ODItMDItMDEiLCJnaXZlbl9uYW1lIjoiSm9obiI
sImZhbWlseV9uYW1lIjoiRG9lIiwianRpIjoidDFGb0NDYVpkNFh2NE9SSlVXVlVlVF
pmc0toVzMwQ1FDcldERGp3WHk2dyJ9fQ.d1XLA-X8Inb0kwvRkk10ZokWbpEAO6u4Vb
0kirVPOLUdo2KiKD1IGer6bcVp-pNc2eC1yyUZGBp5GIDey8qhc41Oyhn6TOUAkLzZM
u2vAC7j4EsTM7-pKkbWX1kmH84-vAGvLR0MNWtVUgLmmIOy9krUMXE1jd0IS_Iqk7xW
JxmZLbuLHXx92LXRdErwThO-AHVLkiqIlz08H4LAsnKPVKMouzqBFYwK050ZJbnaVYw
O-QRC-lhCR_8JnsLZVp-QilDeWkOJiJ46un5HKZSYwxMjkhMs_Py8GOQaQk0ZY4MGCe
gTCKyiOsEIYSuIIDLy4YbHtY14SvZOUQwPDneFxQ

Example decoded JWT header, using the same JWS algorithm and key as for self-contained (JWT) access tokens:

{
  "alg" : "RS256",
  "typ" : "token-introspection+jwt",
  "kid" : "5iKs"
}

Example decoded JWT claims; notice how the introspection members are now encapsulated in a container claim:

{
  "iss"                 : "https://c2id.com/",
  "aud"                 : "kengo6Bo",
  "token_introspection" : { "active"    : true,
                            "iss"       : "https://c2id.com/",
                            "aud"       : "kengo6Bo",
                            "iat"       : 1514797822,
                            "exp"       : 1514797942,
                            "client_id" : "paiB2goo0a",
                            "scope"     : "openid email profile",
                            "sub"       : "c5787848-d360-42fa-b01f-558b8f33506c",
                            "jti"       : "doRu8eeNg0geew7u" }
}

The legacy JWT-secured introspection response from draft-ietf-oauth-jwt-introspection-response-08 can still be triggered by setting the Accept header to application/jwt:

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Accept: application/jwt

token=giuLtTTnya5XpHVKNopT9w.gepM14CKpHcWloJ3XqMtvA
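A resource server consuming the draft-09 response has to check more than the signature: the typ header, a pinned algorithm, the key selected by kid, iss, aud (its own client_id) and iat, and only then read active and the other members out of the token_introspection container. The Go program below is an added example written for this post, not Connect2id server or SDK code. MintIntrospectionJWT merely stands in for the authorisation server so the example runs offline with a throwaway RSA key; the issuer, client_id, kid and claim values are constructed to match the decoded response shown above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWS header of a draft-09 JWT-secured introspection response.
type jwsHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}
// Top-level claims; the introspection result sits in the token_introspection container.
type introspectionJWT struct {
	Iss                string                 `json:"iss"`
	Aud                string                 `json:"aud"`
	Iat                int64                  `json:"iat"`
	TokenIntrospection map[string]interface{} `json:"token_introspection"`
}
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyIntrospectionJWT performs the resource-server checks: typ and alg pinned, signature under
// the key named by kid, iss, aud (this caller's client_id) and iat; returns token_introspection.
func VerifyIntrospectionJWT(token string, keys map[string]*rsa.PublicKey, expectedIss, myClientID string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr jwsHeader
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Typ != "token-introspection+jwt" || hdr.Alg != "RS256" { // never let the header choose alg
		return nil, fmt.Errorf("unexpected typ %q / alg %q", hdr.Typ, hdr.Alg)
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c introspectionJWT
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != expectedIss || c.Aud != myClientID { // reject responses minted for another caller
		return nil, fmt.Errorf("unexpected iss %q / aud %q", c.Iss, c.Aud)
	}
	if c.Iat == 0 || time.Unix(c.Iat, 0).After(now.Add(time.Minute)) || c.TokenIntrospection == nil {
		return nil, errors.New("iat or token_introspection missing or invalid")
	}
	return c.TokenIntrospection, nil
}

// MintIntrospectionJWT stands in for the authorisation server in this example (it is not
// Connect2id server code): it signs the claims as an RS256 JWS under the given kid.
func MintIntrospectionJWT(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(jwsHeader{Alg: "RS256", Typ: "token-introspection+jwt", Kid: kid})
	body, _ := json.Marshal(claims)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64url(sig)
}
// SampleExchange mints a response shaped like the one in the post with a throwaway key and
// runs the resource-server checks on it. All values are constructed, not captured.
func SampleExchange() (map[string]interface{}, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	claims := map[string]interface{}{"iss": "https://c2id.com/", "aud": "kengo6Bo", "iat": time.Now().Unix(),
		"token_introspection": map[string]interface{}{"active": true, "client_id": "paiB2goo0a",
			"scope": "openid email profile", "sub": "c5787848-d360-42fa-b01f-558b8f33506c"}}
	return VerifyIntrospectionJWT(MintIntrospectionJWT(priv, "5iKs", claims),
		map[string]*rsa.PublicKey{"5iKs": &priv.PublicKey}, "https://c2id.com/", "kengo6Bo", time.Now())
}
```

SampleExchange() walks the happy path. The same VerifyIntrospectionJWT rejects a corrupted signature, an unknown kid and a response minted for a different audience, which is what stops a JWT obtained by one resource server from being accepted by another.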

Download

To download a ZIP package of Connect2id server 9.1:

https://connect2id.com/assets/products/server/download/9.1/Connect2id-server.zip

SHA-256: 80d252bc3a1a966bee9abdaeb079b5b1a0f1e11c8c2d1bf5a6ae97c038421995

As WAR package only:

https://connect2id.com/assets/products/server/download/9.1/c2id.war

SHA-256: eb547fd5a7eecc804980c367b556808639c2665e294fd4c1eb03c08ad4e128b0

Questions?

Contact Connect2id support.


Release notes

9.1 (2020-03-24)

Web API

  • /token/introspect

    • Updates "JWT Response for OAuth Token Introspection" support to the upcoming draft-ietf-oauth-jwt-introspection-response-09 version.

      For a client (resource server) to obtain a JWT-secured introspection response it must submit an introspection request with the Accept HTTP request header set to "application/token-introspection+jwt". The request must be authorised with the registered client authentication method or with an access token.

      The JWT response will be JWS signed and include the following JWT claims:

      • "iss" -- Set to the OpenID Provider / Authorisation server issuer URL.

      • "aud" -- Set to the client_id of the caller (resource server).

      • "iat" -- The issue timestamp.

      • "token_introspection" -- A JSON object containing the token introspection response members, such as "active", etc.

      The optional op.token.introspection.jwtType configuration property that overrides the JWT "typ" (type) header applies.

      Legacy JWT-secured introspection responses (according to draft-ietf-oauth-jwt-introspection-response-08) will continue to be supported; for a client (resource server) to request one, the Accept HTTP request header must be set to "application/jwt".

SPI

Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.19

  • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext

    • Adds a getIssuer() method to the PAR ValidatorContext.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.19

  • Updates to com.nimbusds:oauth2-oidc-sdk:7.3

Patched up Connect2id server 7.10.2 for Java 8

The last Connect2id server release which supported Java 8, 7.10 from April 2019, was patched up for critical bugs and updated to the latest stable versions of the OAuth 2.0 SDK, the Nimbus JOSE+JWT library and Infinispan.

The release notes below provide more information.

Download 7.10.2

To download a ZIP package of Connect2id server 7.10.2:

https://connect2id.com/assets/products/server/download/7.10.2/Connect2id-server.zip

SHA-256: 1ea688bb925818738e551c69a451dccd2a5fe5e9da16293218f696a66579fd60

As WAR package only:

https://connect2id.com/assets/products/server/download/7.10.2/c2id.war

SHA-256: 49514685d55ac72d2fcfc3ed0cb4595be0bdfa97ba4ad6e8cbb5196562c4416f

Questions?

Contact Connect2id support.


Release notes

7.10.2 (2020-03-23)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug which prevented loading of Connect2id server keys overridden or passed via the "jose.jwkSet" Java system property. Deployments that rely on loading the server JWK set via the "jose.jwkSet" Java system property must upgrade. The bug did not affect the multi-tenant Connect2id server edition (issue server/471).

  • The client registration endpoint must return HTTP status code 201 instead of 200 on a successful POST (issue oauth-oidc-sdk/277).

  • Fixes a bug in the session store which resulted in closing an active subject (end-user) session when a new session is created and the index for the subject is filled with stale (pending purge) entries up to the configured session quota (sessionStore.quotaPerSubject) (issue session store/77).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.10

  • Updates to com.nimbusds:nimbus-jwkset-loader:3.1.1

  • Updates to com.nimbusds:oidc-session-store:11.0

  • Updates to Infinispan 9.4.18.Final.

Focus on Identity Assurance in Connect2id server 9.0

This new major release of the Connect2id server is designed with eKYC / Identity Assurance providers in mind. We looked at how customers have been integrating and customising provision of regular as well as verified OpenID claims and used those lessons to touch up the server web APIs and SPIs in key places. The verified claims are now clearly delineated. It is also easier to construct claims and verification metadata in the authorisation session / front-channel, which can be useful in cases such as on-demand remote in-person identity proofing.

The new release also updates eKYC / Identity Assurance support to the latest 09 draft, intended to become the basis for final publication, give or take a few cosmetic changes. The eKYC spec matured quickly, in under three months since the official working group was founded, and so did our support for it, in the open source OpenID Connect SDK and the Connect2id server for identity provision.

Handling eKYC / Identity Assurance requests

The authorisation session web API of the Connect2id server is updated to simplify processing of requests for verified claims. An authorisation handler can now clearly find out which claims were requested by the relying party (RP) in the normal fashion and which as verified. If the RP requested a particular trust framework, such as "eidas_ial_high", or a purpose message for each claim is to be displayed to the end-user in the consent screen, these are now presented in the consent prompt.

Check out the updated eKYC / Identity Assurance guide and the release notes below for more information.
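To make the new prompt concrete, here is an added Go example (written for this post, not part of the Connect2id server or its SDK) of what an authorisation handler does with it: split the claims into regular and verified by the "verified:" prefix, reject purpose strings outside the 3 to 300 character range, escape the surviving purposes before they reach the consent page, and read the requested trust framework from the verification object. The prompt JSON shape is a simplified assumption (the "requested" array is a hypothetical field name), and SamplePrompt is constructed, not captured from a server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// Simplified prompt shape assumed for this example (not the exact Connect2id prompt JSON):
// the requested claim names, the claims.purposes map and the claims.verification objects
// described in the 9.0 release notes. "requested" is a hypothetical field name.
type consentPrompt struct {
	Claims struct {
		Requested    []string          `json:"requested"`
		Purposes     map[string]string `json:"purposes"`
		Verification struct {
			UserInfo map[string]interface{} `json:"userinfo"`
			IDToken  map[string]interface{} `json:"id_token"`
		} `json:"verification"`
	} `json:"claims"`
}

// ConsentView is what the consent UI needs: regular vs verified claim names, purposes
// escaped for HTML rendering, and the trust framework requested for the UserInfo claims.
type ConsentView struct {
	Regular        []string
	Verified       []string
	Purposes       map[string]string
	TrustFramework string
}

const verifiedPrefix = "verified:"

// requestedValue reads a request-style element that may be a bare string or an
// {"value": "..."} object (the Identity Assurance request syntax); "" if neither.
func requestedValue(el interface{}) string {
	switch t := el.(type) {
	case string:
		return t
	case map[string]interface{}:
		if s, ok := t["value"].(string); ok {
			return s
		}
	}
	return ""
}

// ParseConsentPrompt splits regular from verified claims, rejects purpose strings outside
// the 3..300 character range the Identity Assurance spec allows, and HTML-escapes the
// remaining purposes before they can reach a web page.
func ParseConsentPrompt(raw []byte) (*ConsentView, error) {
	var p consentPrompt
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	v := &ConsentView{Purposes: map[string]string{}}
	for _, name := range p.Claims.Requested {
		if strings.HasPrefix(name, verifiedPrefix) {
			v.Verified = append(v.Verified, strings.TrimPrefix(name, verifiedPrefix))
		} else {
			v.Regular = append(v.Regular, name)
		}
	}
	for name, purpose := range p.Claims.Purposes {
		if n := len([]rune(purpose)); n < 3 || n > 300 {
			return nil, fmt.Errorf("purpose for %q has invalid length %d", name, n)
		}
		v.Purposes[name] = html.EscapeString(purpose) // RP-supplied text: escape before display
	}
	v.TrustFramework = requestedValue(p.Claims.Verification.UserInfo["trust_framework"])
	return v, nil
}

// SamplePrompt is constructed for this example, not captured from a server. One purpose
// carries markup that must not reach the consent page unescaped.
const SamplePrompt = `{
  "claims": {
    "requested": ["email", "verified:name", "verified:address"],
    "purposes": {
      "email": "To send you the signed document",
      "verified:name": "Needed to issue your certificate <b>today</b>"
    },
    "verification": {
      "userinfo": {"trust_framework": {"value": "eidas_ial_high"}}
    }
  }
}`
```

The length check runs before the escape so that an over-long purpose is refused rather than rendered, and escaping happens once, at the boundary between RP-controlled data and the HTML page.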

Passing additional data with the claims request

The consent object includes a new "claims_data" parameter, of type JSON object, which the claims source can use when constructing a claims set for the UserInfo endpoint or the ID token.

In eKYC / IdA the "claims_data" parameter can pass parameters needed to construct the "verification" element of a verified claims set, such as the trust and process identifiers.

{
  "scope"       : [ "openid" ],
  "claims"      : [ "email",
                    "verified:name",
                    "verified:address" ],
  "claims_data" : { "trust_framework"      : "eidas_ial_high",
                    "time"                 : "2020-03-16T18:25Z",
                    "verification_process" : "f24c6f-6d3f-4ec5-973e-b0d8506f3bc7" }
}

The "claims_data" can also be used to feed entire OpenID claims from the authorisation session / front-channel.

If the claims are to be returned at the UserInfo endpoint, the "claims_data" will be encoded into the issued access token. If the claims data must be kept confidential, make sure the access token is identifier-based or an encrypted JWT.

If the authorisation is long-lived the "claims_data" will also get persisted in the Connect2id server authorisation records.

The web hook for sourcing claims was updated to include the "claims_data" parameter in the HTTP POST requests.

The new "claims_data" parameter requires an update of the database schema if the Connect2id server is deployed with an RDBMS or LDAPv3 server. Except for LDAP, the schema update, where needed, will happen automatically when switching to Connect2id server v9.0. Check the release notes for details.
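On the other end of the flow, the claims source receives the consented claim names (verified ones prefixed "verified:") together with the "claims_data" and has to assemble the UserInfo response. The Go example below is added for this post and is not Connect2id code; BuildUserInfo, userStore and the user record in it are hypothetical, and the verified_claims layout (a verification element plus a claims object) follows the Identity Assurance draft the release targets. It refuses to emit verified claims when claims_data lacks trust_framework, the one mandatory member of the verification element.

```go
package main

import (
	"errors"
	"strings"
)

// Constructed user record standing in for the identity store behind the claims source.
var userStore = map[string]map[string]interface{}{
	"c5787848-d360-42fa-b01f-558b8f33506c": {
		"email":   "alice@example.com",
		"name":    "Alice Example",
		"address": map[string]interface{}{"locality": "Sofia", "country": "BG"},
	},
}

// BuildUserInfo is a hypothetical claims-source routine (not Connect2id code). It takes the
// consented claim names as the server passes them (verified ones prefixed "verified:") and
// the claims_data from the consent, and returns the UserInfo object: regular claims stay
// top-level, verified ones go under verified_claims with a verification element assembled
// from claims_data.
func BuildUserInfo(sub string, claims []string, claimsData map[string]interface{}) (map[string]interface{}, error) {
	rec, ok := userStore[sub]
	if !ok {
		return nil, errors.New("unknown subject")
	}
	out := map[string]interface{}{"sub": sub}
	verified := map[string]interface{}{}
	for _, c := range claims {
		name := strings.TrimPrefix(c, "verified:")
		val, have := rec[name]
		if !have {
			continue // no value on record: omit the claim rather than invent one
		}
		if strings.HasPrefix(c, "verified:") {
			verified[name] = val
		} else {
			out[name] = val
		}
	}
	if len(verified) == 0 {
		return out, nil
	}
	// trust_framework is the one mandatory member of the verification element; without it
	// no valid verified_claims object can be produced, so fail instead of guessing.
	tf, _ := claimsData["trust_framework"].(string)
	if tf == "" {
		return nil, errors.New("verified claims consented but claims_data lacks trust_framework")
	}
	verification := map[string]interface{}{"trust_framework": tf}
	for _, k := range []string{"time", "verification_process"} {
		if v, ok := claimsData[k]; ok {
			verification[k] = v
		}
	}
	out["verified_claims"] = map[string]interface{}{"verification": verification, "claims": verified}
	return out, nil
}

// SampleUserInfo runs BuildUserInfo with the consent shown in the post above.
func SampleUserInfo() (map[string]interface{}, error) {
	claims := []string{"email", "verified:name", "verified:address"}
	claimsData := map[string]interface{}{
		"trust_framework":      "eidas_ial_high",
		"time":                 "2020-03-16T18:25Z",
		"verification_process": "f24c6f-6d3f-4ec5-973e-b0d8506f3bc7",
	}
	return BuildUserInfo("c5787848-d360-42fa-b01f-558b8f33506c", claims, claimsData)
}
```

Because the same "name" claim can be consented as regular or as verified, the prefix decides where the value lands; a verified claim never leaks to the top level, where a relying party would read it as unverified data.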

Other updates

A number of dependencies, such as Infinispan, were also updated to their latest stable versions. The new release also fixes three bugs, one of them security related (already addressed in 8.2.1), so updating is advised.

Download

To download a ZIP package of Connect2id server 9.0:

https://connect2id.com/assets/products/server/download/9.0/Connect2id-server.zip

SHA-256: d8aeb03bc84a24756d1c2323a050c538aea9be986cd6128e3f89878e5da6150d

As WAR package only:

https://connect2id.com/assets/products/server/download/9.0/c2id.war

SHA-256: e6fbe74bb6e6502ea662d8b3979fe01c06eb25232eaf62e2487b570b7dc689f8

Questions?

Contact Connect2id support.


Release notes

9.0 (2020-03-18)

Summary

  • Updates support for OpenID Connect for Identity Assurance 1.0 to draft 09 (see https://openid.net/specs/openid-connect-4-identity-assurance-1_0-09.html). Requested verified claims will now be automatically marked and processed as such in the authorisation session API. The requested "verification" and individual claim "purpose" parameters will be presented in the consent prompt.

  • Updates the authorisation session API and the OAuth 2.0 grant handler SPIs to enable passing of additional JSON data with requests to the configured claims source(s). This can be used to pass claim values from the authorisation handler or, when implementing Identity Assurance, the necessary verification element for verified claims in the UserInfo response or the ID token.

    The included HTTP-based claims source SPI implementation is updated to include a "claims_data" parameter (of type JSON object) in the request to represent the optional claims data.

  • Upgrades the Infinispan and backend database schemas for the identifier-based access tokens and the long-lived (persisted) authorisation records.

    On startup the Connect2id server will automatically create the new required "id_access_tokens" and "long_lived_authorizations" table columns for a relational MySQL, PostgreSQL or Microsoft SQL Server database.

    Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.12; see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.10/ as well as the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-openldap.ldif?at=1.12&diff1=49115daf531b48c2d9fd0f766721d84c28576eae&diff2=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-opendj.ldif?at=1.12&diff1=49115daf531b48c2d9fd0f766721d84c28576eae&diff2=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa

    Connect2id server deployments with a DynamoDB database are essentially schema-less and no specific action is required.

Configuration

  • /WEB-INF/oidcProvider.properties

    • New "op.token.introspection.jwtType" configuration property. Sets the "typ" (type) header of JWT introspection responses. The default value is "token-introspection+jwt". This configuration allows the type header to be set to "JWT" for non-compliant clients and JWT libraries which cannot handle header values other than "JWT".

  • /WEB-INF/log4j.xml

    • Adds an optional console (SYSTEM_OUT) appender. Setting the Java system property log4j.loggers.root.appender to console switches logging from the rolling-file appender to the standard output. Can be useful in container deployments.

Web API

  • /authz-sessions/rest/v3/

    • The consent prompt identifies requested verified OpenID claims by prefixing their name with "verified:", for example "verified:given_name", "verified:family_name" or "verified:address". When submitting consent to the Connect2id server the names of the verified claims must also be prefixed with "verified:".

      To process verified OpenID claims OpenID Connect for Identity Assurance 1.0 must be enabled (op.assurance.supportsVerifiedClaims=true).

    • The consent prompt is updated to include the optional "purpose" attribute of requested verified OpenID claims (OpenID Connect for Identity Assurance 1.0) as well as regular claims. If the attribute is set for one or more claims the purpose strings will appear in a new claims.purposes JSON object containing the claim name / purpose string pairs.

      The accepted purpose string length is between 3 and 300 characters, according to the Assurance specification. The Relying Party may use the "ui_locales" OpenID authentication request parameter to set the preferred language for the purpose strings.

      In order to prevent injection attacks, all special characters in a purpose string must be escaped before it is shown in a user interface.

    • The consent prompt is updated to include the optional "verification" JSON object for a requested verified claims set (OpenID Connect for Identity Assurance 1.0). If the verification element is set for a requested verified claims set to be returned in the UserInfo response it will appear in a new claims.verification.userinfo JSON object. Likewise, if the element is set for a requested claims set to be returned with the ID token it will appear in a claims.verification.id_token JSON object.

      To include the "verification" element in the consent prompt OpenID Connect for Identity Assurance 1.0 must be enabled (op.assurance.supportsVerifiedClaims=true).

    • The consent is updated to include an optional "claims_data" JSON object parameter. The data will be made available in the ClaimsSourceRequestContext.getClaimsData method when the configured claims source(s) get called at the UserInfo endpoint or when feeding the consented claims into the ID token.

      The "claims_data" can be used to provision entire claims from the authorisation session and the front-channel. It can also be used in Identity Assurance to construct the "verification" element in the authorisation session and then have it included in the UserInfo response, for example in remote in-person proofing scenarios.

      The "claims_data" will be included in the issued access token and in long-lived (persisted) authorisations in a new "cld" (claims data) JSON object field. To keep the claims data confidential from the relying party (client) either an identifier access token encoding must be chosen (access_token.encoding = IDENTIFIER in the consent) or if a self-contained (JWT) encoding is chosen the JWT must be additionally encrypted (access_token.encrypt = true).

      An AdvancedClaimsSource SPI implementation can retrieve the claims data JSON object by a call to the ClaimsSourceRequestContext.getClaimsData method.

  • /authz-store/rest/v2/authorizations

    • The OAuth 2.0 / OpenID Connect authorisation record includes a new optional "cld" (claims data) JSON object field to represent claims data to be passed to the OpenID claims source(s) with access tokens consumed at the UserInfo endpoint.

  • /token/introspect

    • The access token introspection response includes a new optional "cld" (claims data) JSON object field to represent claims data to be passed to the OpenID claims source(s) with access tokens consumed at the UserInfo endpoint.

SPI

Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.17

  • com.nimbusds.openid.connect.provider.spi.claims.ClaimsSource, AdvancedClaimsSource

    • The names of verified OpenID claims passed via the "claims" argument of the "getClaims" method will be prefixed with "verified:" by the Connect2id server (OpenID Connect for Identity Assurance 1.0).

  • com.nimbusds.openid.connect.provider.spi.claims.ClaimsSourceRequestContext

    • Adds new "getClaimsData" method to obtain optional data set by an authorisation handler to fulfill OpenID claims provision, for example to construct the "verification" element for a verified claims set (OpenID Connect for Identity Assurance 1.0).

  • com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization

    • Adds new "getClaimsData" method to the interface to represent OpenID claims fulfillment data. The default implementation returns null.

  • com.nimbusds.openid.connect.provider.spi.grants.BasicClaimsSpec

    • Adds new constructor and "getData" method for passing optional claims fulfillment data to the configured OpenID claims source(s).

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug introduced in Connect2id server 8.1 which prevented output of the "verification" element in the OpenID "claims" authentication parameter output in /authz-sessions/rest/v3/ GET responses. The bug was caused by a faulty consent-all keyword sanitization (issue server/532).

  • Removes an erroneous standard output print (issue server/535).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.18

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.10

  • Upgrades to com.nimbusds:oauth2-authz-store:14.4.1

  • Updates to com.nimbusds:oidc-session-store:13.4.1

  • Upgrades to com.nimbusds:oidc-claims-source-http:2.0

  • Updates to commons-codec:commons-codec:1.14

  • Updates to io.dropwizard.metrics:*:4.0.7

  • Updates to io.prometheus:*:0.8.1

  • Updates to org.apache.logging.log4j:*:2.13.1

  • Updates to org.slf4j:slf4j-api:1.7.30

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.728

  • Updates to Infinispan 9.4.18.Final.

  • Updates to com.zaxxer:HikariCP:3.4.2

  • Updates to com.h2database:h2:1.4.200

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.5.4

  • Updates to org.postgresql:postgresql:42.2.10

  • Updates to com.unboundid:unboundid-ldapsdk:5.0.1

  • Updates to org.opensaml:*:3.4.3

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.12

Connect2id server 8.2.1

This is a security update to the Connect2id server.

Last night a pen test revealed a bug which allowed a particular invalid authorisation request to result in a redirection to the redirect_uri, with the standard error code and message from the failed request appended in the query parameters, without ensuring the validity of the redirect_uri.

The proper OAuth 2.0 action is to not return errors to the client if the redirect_uri and the client_id are invalid. In such cases the Connect2id server outputs a non-redirecting error which should typically be displayed to the end-user.

Deployments are advised to update to prevent unintended redirections via the authorisation endpoint.
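The rule the fix restores, as an added Go example (written for this post, not Connect2id server code): an authorisation endpoint may only bounce an error back to the redirect_uri when the client_id is registered and the redirect_uri exactly matches a registered value; anything else, including a request whose request object fails to parse, gets a non-redirecting error rendered to the end-user. registeredClients and the client_id in it are constructed for the example.

```go
package main

import (
	"net/url"
)

// Registered clients (constructed for this example): client_id -> exact redirect URIs.
var registeredClients = map[string][]string{
	"s6BhdRkqt3": {"https://rp.example.com/cb"},
}

// AuthzErrorResponse is either a redirect back to the client (Location set) or a
// non-redirecting error to render to the end-user.
type AuthzErrorResponse struct {
	Redirect bool
	Location string
	Message  string
}

// redirectURIRegistered requires a known client_id and an exact match against that
// client's registered redirect URIs; prefix or host-only matching is not enough.
func redirectURIRegistered(clientID, redirectURI string) bool {
	for _, u := range registeredClients[clientID] {
		if u == redirectURI {
			return true
		}
	}
	return false
}

// FailAuthzRequest implements the behaviour the fix restores: the error is redirected to
// the redirect_uri only when both client_id and redirect_uri are valid; otherwise it is
// shown to the end-user without any redirection. A request object that fails to parse as
// a JWT is just one of the errors that arrive here with a top-level redirect_uri alongside.
func FailAuthzRequest(clientID, redirectURI, state, code, desc string) AuthzErrorResponse {
	if !redirectURIRegistered(clientID, redirectURI) {
		return AuthzErrorResponse{Message: code + ": " + desc}
	}
	u, err := url.Parse(redirectURI)
	if err != nil {
		return AuthzErrorResponse{Message: code + ": " + desc}
	}
	q := u.Query()
	q.Set("error", code)
	q.Set("error_description", desc)
	if state != "" {
		q.Set("state", state) // echo state so the client can correlate the error
	}
	u.RawQuery = q.Encode()
	return AuthzErrorResponse{Redirect: true, Location: u.String()}
}
```

Note that the decision is made before any error details are attached: the validity check depends only on the registration record, never on the content of the failed request.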

The latest stable 8.x and 7.x versions were patched up. The 8.x patch also includes other maintenance updates.

The upcoming 9.0 release, which was cut today and whose documentation is currently being updated, will also include the fix.

The release notes below provide more information.

Download 8.2.1

To download a ZIP package of Connect2id server 8.2.1:

https://connect2id.com/assets/products/server/download/8.2.1/Connect2id-server.zip

SHA-256: 44fc5d5674399f582256fe983c949194e7b5cfe46beb1bbe80052bcb2e3e6a5d

As WAR package only:

https://connect2id.com/assets/products/server/download/8.2.1/c2id.war

SHA-256: 48633ed9c322d1802fa12640b1677976de8cf98bc508339961fb8154818ecab6

Download 7.18.2

To download a ZIP package of Connect2id server 7.18.2:

https://connect2id.com/assets/products/server/download/7.18.2/Connect2id-server.zip

SHA-256: 9725568fc6d934e4a0113a6fbae5780d95757573b2ecddace4ad8afe4a989aad

As WAR package only:

https://connect2id.com/assets/products/server/download/7.18.2/c2id.war

SHA-256: 8d37118f01f16672c598b60d56ceed8a18166007452b2d70a57a07ba81d7053e

Questions?

Contact Connect2id support.


Release notes

8.2.1 (2020-03-17)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug introduced in Connect2id server 8.1 which prevented output of the "verification" element in the OpenID "claims" authentication parameter output in /authz-sessions/rest/v3/ GET responses. The bug was caused by a faulty consent-all keyword sanitization (issue server/532).

  • Removes an erroneous standard output print (issue server/535).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.1.1

Release notes

7.18.2 (2020-03-17)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).