Connect2id server 14.8.1

This maintenance release of the Connect2id server addresses issues related to the SQL database connector, which is now optimised to conserve memory when purging expired entries. An issue slowing down the server startup with Oracle Databases is also fixed. If you have a deployment that uses an SQL database and deals with significant traffic, updating to 14.8.1 is recommended.

Updating to 14.8.1 can be skipped if you have a Connect2id server deployment that uses DynamoDB.

More information can be found in the release notes below.

Download 14.8.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: cac7e644f028f5ca84e100c9ae402d0ca3e8bd86fce598c9731798827a1108b0

Connect2id server 14.8.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: bbdda0f1ecb5c5af003b8d3efe31e775cc32ebff537882ed7b2e3e65f89cc529

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 16f12425588d4bbb13f19cf48943593c3e40fa258be08c8711535853f94202c3

Connect2id server 14.8.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: f83af6cbc94e539368695f2e2da47fb500b32ba3a19688439db2c594adc2ca49

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.8.1 (2023-11-02)

Resolved issues

  • Updates the expired entry reaper for Connect2id server deployments with an SQL database to conserve memory by employing a paged key set seek, in sets of up to 100 SQL records, and interleaving the record deletion between the pages. Intended to prevent OOM errors in deployments with a very large number of sessions and other expiring objects (issue server/935).

  • Optimises the dataSource.createTableIfMissing implementation for Oracle Databases when the queried table has a very large number of records, which caused the Connect2id server startup to pause for longer than 1 minute. The issue is addressed by switching from LIMIT 0 to LIMIT 1 in the query that obtains the table's column names (issue server/933).

  • The expired entry reaper in Connect2id server deployments with an SQL database must not terminate when an unchecked parse or another exception is thrown when parsing a retrieved SQL record. This may occur in SQL records manipulated outside the Connect2id server APIs. Instead, the exception must be swallowed and an error with the offending SQL record logged. This is now done with an IS0141 log error (issue sql-store/23).

  • Fixes the default value and parsing of the optional sessions form parameter of the /session-store/rest/v2/purge resource (issue session-store/95).
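The paged key set seek with interleaved deletion described in the reaper fix above, as an added illustration (not Connect2id or Infinispan code) against a constructed SQLite table of (key, expires_at) rows:

```python
import sqlite3

PAGE_SIZE = 100  # the page size named in the release note


def create_store(rows):
    """Constructed in-memory stand-in for a cache store table: (key, expires_at) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (k TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)")
    conn.executemany("INSERT INTO entries (k, expires_at) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def purge_expired(conn, now, page_size=PAGE_SIZE):
    """Delete expired rows one key-set page at a time.

    Rather than selecting every expired key into memory first, seek forward from
    the last key seen (k > ?), bounded by page_size, and delete that page before
    fetching the next one. Memory use stays proportional to page_size regardless
    of how many rows have expired. Returns (rows_deleted, pages_processed).
    """
    last_key = ""          # keys are non-empty strings, so "" sorts before all of them
    deleted = pages = 0
    while True:
        rows = conn.execute(
            "SELECT k FROM entries WHERE k > ? AND expires_at <= ? ORDER BY k LIMIT ?",
            (last_key, now, page_size),
        ).fetchall()
        if not rows:
            break
        keys = [r[0] for r in rows]
        marks = ",".join("?" * len(keys))
        deleted += conn.execute(f"DELETE FROM entries WHERE k IN ({marks})", keys).rowcount
        conn.commit()      # release the page before seeking to the next one
        pages += 1
        last_key = keys[-1]
    return deleted, pages


def remaining(conn):
    """Number of rows still in the table."""
    return conn.execute("SELECT COUNT(*) FROM entries").fetchone()[0]
```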

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.7.1

  • Updates to com.nimbusds:oidc-session-store:16.7.3

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:7.1

  • Updates to Log4j 2.21.1

  • Updates to Dropwizard Metrics 4.2.20.

Connect2id server 14.8.2

This second Connect2id server release for today fixes an issue in v14.8.1 with the Log4j Web 2.21.1 BOM that introduced an erroneous transitive dependency to two Spring artifacts. The erroneous dependency is now removed and we'll make a report upstream.

As always, more information can be found in the release notes below.

Download 14.8.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: d76f0d31096f495b0861ba9e79b8905d70ba2ef1b6571b9f17a8e6b305963620

Connect2id server 14.8.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 43e5667e20ed952395bce8ece3c50d4fb359976a499cdd68d7bcb7d4a7cac419

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 2959666e0cc7ea55311c962650d7008511f191de4024dda8de6ac05257bf2b61

Connect2id server 14.8.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 3390a7eb98c809d5ade60d23d47aa4bae858f2dfaa6a7514b98bc52fffd8068f

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.8.2 (2023-11-02)

Resolved issues

  • Forces removal of the org.springframework:spring-test dependency erroneously introduced as compile scope dependency of org.apache.logging.log4j:log4j-web:2.21.1 (issue server/936).

Dependency changes

  • Forces removal of org.springframework:spring-test

Connect2id server 14.8 enables client_secret_jwt and private_key_jwt replay prevention

This Connect2id server release receives the capability to prevent replay of JWTs for the client_secret_jwt and private_key_jwt client authentication methods.

The replay prevention relies on the optional jti (JWT ID) claim, which when included must be a unique string. Without a jti, JWTs using a deterministic JWS algorithm, such as HMAC, that expire at the same second cannot be reliably distinguished. For authentication JWTs that have this identifier the Connect2id server will cache its hash until the JWT's exp and use that record to prevent replay. This means that for replay prevention to work an OAuth 2.0 client must include a unique jti in its authentication JWTs. Clients using the Nimbus OAuth 2.0 SDK always receive these tokens with a random 256-bit jti.

In Connect2id server deployments where caching of jti hashes for every received client_secret_jwt and private_key_jwt is not feasible, this security feature can be disabled. The amount of storage required for the jti caching can be regulated by configuring the Connect2id server to reject authentication JWTs with an exp that is too far ahead.

Example configuration to reject authentication JWTs that are more than 60 seconds ahead of the current system time:

op.token.authJWTExpMaxAhead=60

Offending OAuth 2.0 clients will receive a standard invalid_client error and must reduce their exp time to fit the server's policy.

Regardless of this configuration, to prevent accidental or malicious DoS, the Connect2id server will never cache a jti for more than 5 minutes.
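The checks described above, modelled as an added example (not Connect2id code): a token endpoint verifies an HS256 client_secret_jwt assertion, bounds how far ahead exp may be (the op.token.authJWTExpMaxAhead behaviour), and caches a hash of the jti until exp but never longer than 5 minutes. The client secret, client ID and audience are constructed values.

```python
import base64
import hashlib
import hmac
import json

# The server never keeps a jti record longer than 5 minutes, whatever the exp says.
MAX_JTI_CACHE_SECONDS = 300

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_secret_jwt(client_id, secret, audience, exp, jti=None):
    """Constructed client_secret_jwt assertion (HS256), as a client would send it."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience, "exp": exp}
    if jti is not None:
        claims["jti"] = jti
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class ClientAssertionVerifier:
    """Hypothetical token-endpoint side of the checks described above (not Connect2id code)."""

    def __init__(self, client_secrets, audience, exp_max_ahead=-1, prevent_replay=True):
        self.client_secrets = client_secrets    # client_id -> client secret
        self.audience = audience                # expected aud (the token endpoint URL)
        self.exp_max_ahead = exp_max_ahead      # models op.token.authJWTExpMaxAhead
        self.prevent_replay = prevent_replay    # models op.token.authJWTPreventReplay
        self._seen = {}                         # sha256(jti) -> time the record is kept until

    def verify(self, assertion, now):
        """Return (client_id, None) on success or (None, "invalid_client") on any failure."""
        try:
            h, c, s = assertion.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(c))
            sig = _b64url_decode(s)
        except ValueError:
            return None, "invalid_client"
        client_id = claims.get("iss")
        secret = self.client_secrets.get(client_id)
        # Pin the algorithm: never let the assertion's header choose how it is verified.
        if header.get("alg") != "HS256" or secret is None:
            return None, "invalid_client"
        if claims.get("sub") != client_id or claims.get("aud") != self.audience:
            return None, "invalid_client"
        expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None, "invalid_client"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None, "invalid_client"
        # Bound how far ahead exp may be, which bounds the jti state the server must hold.
        if self.exp_max_ahead > 0 and exp - now > self.exp_max_ahead:
            return None, "invalid_client"
        jti = claims.get("jti")
        if self.prevent_replay and isinstance(jti, str):
            self._seen = {k: t for k, t in self._seen.items() if t > now}  # evict stale records
            key = hashlib.sha256(jti.encode()).hexdigest()
            if key in self._seen:
                return None, "invalid_client"  # replayed assertion
            self._seen[key] = min(exp, now + MAX_JTI_CACHE_SECONDS)
        return client_id, None
```

An assertion without a jti is accepted every time it is presented, which is why the text asks clients to include one.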

This Connect2id server release also updates the available configuration properties for deployments with a PostgreSQL database, which now support the setting of a database schema (namespace).

Download 14.8

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.8: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c768514ccb0dc1847866c7eb4ff7316d2aab35c32ee37f4cbfc41d1255d39d29

Connect2id server 14.8 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 946b23ef1d6be563c75faea931b41f33e1e29920ba4016f4bc908413d862e655

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.8: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 4d56948a8c2984f52461f32617613269a0dc15557b08740f65fdbdc4dc5923a3

Connect2id server 14.8 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: e83af7de9192370ff8fcbb4ea1db0791707c1f52eea99246f0c9071436a6a358

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.8 (2023-10-20)

Summary

  • Implements configurable replay prevention of "client_secret_jwt" and "private_key_jwt" client authentication JWT assertions based on the optional JWT ID ("jti") claim. The implementation is based on the new expended token registry introduced in Connect2id server 14.0.

  • Updates the PostgreSQL configuration to enable setting of a JDBC "schema" parameter. Intended for Connect2id server deployments that want to use a database schema other than the default "public".

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.token.authJWTPreventReplay -- New optional configuration property. If true replay of "client_secret_jwt" and "private_key_jwt" client assertions will be prevented, by caching the JWT "jti" claim for the duration of the assertion lifetime but no longer than 5 minutes. The default value is true.

    • op.token.authJWTExpMaxAhead -- New optional configuration property. Sets the maximum allowed number of seconds of the expiration time (exp) claim in "client_secret_jwt" and "private_key_jwt" client assertions ahead of the current time. Assertions with longer expiration time will be rejected with an invalid_client error. If zero or negative this check is disabled. When enabled the value must be between 10 and 600 seconds. The default value is -1 (disabled).

  • /WEB-INF/infinispan-*-postgres95.xml

    • dataSource.databaseSchema -- New optional Java system property to set the PostgreSQL schema to use. Corresponds to the HikariCP "schema" configuration property. The default value is empty (implies the default "public" PostgreSQL schema).

Web API

  • /par

    • Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.

  • /token

    • Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.

  • /token/introspect

    • Requests with "client_secret_jwt" and "private_key_jwt" authentication will be prevented from replaying a used JWT assertion, unless the JWT assertion is missing the optional JWT ID (jti) claim or the replay prevention is disabled by setting the op.token.authJWTPreventReplay configuration property to false.

Resolved issues

  • Updates the authz-session log INFO "OP2101" and "OP2103" messages to include the current issuer URL when issuer aliasing is enabled (issue server/925).

  • Updates the authz-session log DEBUG "OP2130" and WARN "OP2131", "OP2132" messages to include the authorisation session ID (issue server/925).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.4

  • Upgrades to com.nimbusds:oauth2-authz-store:24.7

  • Updates to com.nimbusds:software-statement-verifier:2.2.6

  • Updates to org.apache.santuario:xmlsec:2.2.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.0.6

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.10

Connect2id server 14.7

This Connect2id server release ships updates in three different areas.

Native application redirect_uri updates

The OpenID Connect standard is going to receive an errata that allows native applications to register redirection URIs using an IPv4 or IPv6 loopback IP, in addition to the previous localhost for HTTP URLs.

For example:

POST /clients HTTP/1.1
Content-Type: application/json

{
  "application_type"           : "native",
  "redirect_uris"              : [ "http://127.0.0.1:8080/cb" ],
  "token_endpoint_auth_method" : "none",
  "code_challenge_method"      : "S256"
}

This upcoming change was implemented and is now available.

Native applications can now also be registered to use variable ports in their localhost or loopback IP redirection URL. This is done by registering the URL with the port number set to zero (0). In situations where the application is not guaranteed to be able to bind to a predetermined port this can be indispensable.

POST /clients HTTP/1.1
Content-Type: application/json

{
  "application_type"           : "native",
  "redirect_uris"              : [ "http://127.0.0.1:0/cb" ],
  "token_endpoint_auth_method" : "none",
  "code_challenge_method"      : "S256"
}

Note that using port zero to signify that the native application may vary the port number in its redirection URL is not a standard convention (yet).

You can find more information and examples about native application registration as OAuth 2.0 clients in the dedicated guide.
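The loopback and variable-port rules described above (and detailed for the /clients/ resource in the release notes), as an added example that is not Connect2id code: a registration-time check for native redirect_uris and an authorisation-time match that lets a registered port 0 stand for any port in the 1 to 65535 range while every other URI component must match exactly. The rule that plain http is only accepted with localhost or a loopback IP is an assumption derived from the text.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

_LOOPBACK_IPS = {ip_address("127.0.0.1"), ip_address("::1")}


def _normalise_host(host):
    """Canonical form for loopback IPs ("0:0:0:0:0:0:0:1" -> "::1"); other hosts unchanged."""
    try:
        return str(ip_address(host))
    except ValueError:
        return host


def _is_loopback_host(host):
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host) in _LOOPBACK_IPS
    except ValueError:
        return False


def validate_native_redirect_uri(uri):
    """Registration-time check for application_type=native (hypothetical rules from the text).

    Plain http is only allowed for localhost and the loopback IPs, and port 0
    (variable port) is only allowed on such http loopback URIs.
    """
    u = urlsplit(uri)
    try:
        port = u.port
    except ValueError:              # non-numeric or out-of-range port
        return False
    loopback = u.scheme == "http" and _is_loopback_host(u.hostname)
    if u.scheme == "http" and not loopback:
        return False
    if port == 0 and not loopback:
        return False
    return True


def redirect_uri_matches(registered, presented):
    """Authorisation-time check: does the presented redirect_uri satisfy the registered one?"""
    r, p = urlsplit(registered), urlsplit(presented)
    try:
        r_port, p_port = r.port, p.port
    except ValueError:
        return False
    if not (r.scheme == "http" and _is_loopback_host(r.hostname)):
        return registered == presented      # everything else: exact string match
    if (r.scheme, r.path, r.query, r.fragment) != (p.scheme, p.path, p.query, p.fragment):
        return False
    if _normalise_host(r.hostname) != _normalise_host(p.hostname):
        return False
    if r_port == 0:                         # registered with a variable port
        return p_port is not None and 1 <= p_port <= 65535
    return r_port == p_port
```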

Filtering of PKCS#11 / HSM keys

Connect2id server deployments where the token signing is handled by a Hardware Security Module (HSM) can now specify a list of keys to load. The selective HSM key loading can enable deployments where the HSM is shared with other applications.

Example list of three key IDs representing UUIDs:

pkcs11.keyIDs.1=9d64c4f5-724f-4057-af36-1dd2679c00a4
pkcs11.keyIDs.2=cb8dc79c-7ec9-4488-8723-e50fe32a2ff3
pkcs11.keyIDs.3=d274a2c2-9af7-4fbd-b669-8e337672443c

Publishing of historical keys

The Connect2id server now also supports the publishing of JWKs for historical or other purposes. These can be supplied as public-only JWKs (without their private parameters).

Infinispan object expiration and purge updates

The shipped Infinispan configurations received an update that enables deployments to override the default interval of the object expiration tasks. This can be used to tune the expiration or to implement stateless cluster strategies with a dedicated expiration node.

Other related changes:

  • The orphaned subject key purge task is now disabled by default, since it's redundant in most practical cases.

  • The session store purge resource received new optional parameters and will now by default purge only the subject session map, ignoring the rest.

  • The default expiration interval of sessions was increased from 5 to 10 minutes.

You can find more information in the release notes below.

Download 14.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 265ea89d12c7fd81a96ac7ad0b31dc72df8252489d54933b384f38773615838f

Connect2id server 14.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: fdb6beffdfdda8861ba057d370bfda6af594b72b99d1724584008d83e5724490

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1919a2815f3c5a8bf319656d2e963165461d1a0966e9de8b42ed87b88e59a6a8

Connect2id server 14.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b0c5198444ce02957e9045c6d1e2451a57fcdaccc779e43c508deb75cee0e055

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.7 (2023-10-15)

Summary

  • The support for native applications is updated to enable registration of redirection http URIs with a loopback IP. Native applications with a localhost or loopback http redirection URI may also use a variable port, in cases when the application is not guaranteed to be able to bind to a predetermined port.

  • The Connect2id server can now be configured to load only selected signing keys from a PKCS#11 (HSM) store. This can enable deployments where the HSM is shared with other applications.

  • The Connect2id server /jwks.json endpoint may include public-only signing keys, for historical or other purposes.

  • The Infinispan configuration supports the setting of custom expiration intervals for all Connect2id server objects that require expiration. The expiration interval of subject sessions remains separately configurable. This enables strategies such as:

    • Dedicating a set of Connect2id server nodes to processing OAuth 2.0 and OpenID Connect requests and one (or more) nodes to the task of object expiration.

    • Disabling the periodic execution of the subject session expiration task and invoking it externally, for example by a cron-style job at a time that is deemed optimal.

Configuration

  • /WEB-INF/jwkSet.json

    • The JWK set may include JWK instances without private parameters. These keys will be published at the /jwks.json endpoint and not used internally by the Connect2id server.

      Public signing and encryption Connect2id server keys may be included to be published at the /jwks.json endpoint for historical purposes.

  • /WEB-INF/federationJWKSet.json

    • The federation entity JWK set may include JWK instances without private parameters. These keys will be included in issued Entity Configurations and not used internally by the Connect2id server.

      Public signing federation entity keys may be included for historical purposes.

  • /WEB-INF/jose.properties

    • pkcs11.keyIDs.* -- New optional configuration property. Specifies an explicit list of identifiers (aliases) of PKCS#11 keys to load from the HSM device (when an HSM is configured). If omitted or blank all recognised keys will be loaded.

      This configuration property can be used to filter the PKCS#11 keys to load from an HSM that is shared by several applications.

  • /WEB-INF/sessionStore.properties

    • sessionStore.sessionMap.expirationInterval -- Increases the default value from 300000 ms (5 minutes) to 600000 ms (10 minutes).

    • sessionStore.internal.subjectIndexPurgeInterval -- Receives a new default value of -1 (disabled).

  • /WEB-INF/infinispan-*.xml

    • Adds a new "infinispan.defaultExpirationInterval" configuration property with a default value of 300000 ms (5 minutes) to enable override of the default expiration purge interval for all Infinispan maps and caches where an expiration is required by the Connect2id server. Non-expiring maps and caches are not affected by this configuration property. The session map expiration interval override remains in the "sessionStore.sessionMap.expirationInterval" configuration property.

  • /WEB-INF/infinispan-stateless-{mysql|oracle|postgres95|sqlserver}.xml

    • Enabled for the "sessionStore.sessionMap.expirationInterval" configuration property.

  • /WEB-INF/infinispan-multitenant-stateless-{mysql|oracle|postgres95|sqlserver}.xml

    • Enabled for the "sessionStore.sessionMap.expirationInterval" configuration property.

Web API

  • /clients/

    • Native applications (with the application_type metadata parameter set to native) may register redirection URIs with a loopback IP address -- 127.0.0.1 in IPv4 and 0:0:0:0:0:0:0:1 (short form ::1) in IPv6. Previously clients using the loopback interface to receive OAuth 2.0 redirections could only register with the "localhost" hostname in the URL.

    • Native applications (with the application_type metadata parameter set to native) may register localhost and loopback IP redirection URIs with a variable port, by specifying port zero in the URI, for example http://localhost:0/callback. Authorisation requests can then use any port in the 1 to 65535 range, provided the other components in the redirection URI match the registered URI exactly. Example permitted redirection URI for the given registered example: http://localhost:1234/callback.

  • /session-store/rest/v2/

    • The /purge resource is updated, changing the default action to purge the expired sessions only. The purging of expired and orphaned index keys is redundant in most cases and is now an optional operation.

      Changes to the resource:

      • Adds a new form parameter with name sessions and a default value true. When true all expired sessions will be purged. When false the expired sessions purge will be skipped.

      • Adds a new form parameter with name index and a default value false. When true all expired subject index keys will be purged. When false the expired subject index keys purge will be skipped.

      • Adds a new form parameter with name orphaned_index_keys and a default value false. When true all orphaned subject index keys will be purged. When false the orphaned subject index keys purge will be skipped.

      • Adds a new form parameter with name async and a default value false. When true the purges will be performed asynchronously.

      • The async query parameter of the /purge resource is deprecated. Use the new async form parameter instead.

Resolved issues

  • The default value of sessionStore.internal.subjectIndexPurgeInterval is changed to -1 (disabled). In most practical cases the periodic purge task is redundant, due to the automatic subject index max_life expiration (in deployments with DynamoDB or Redis) or the purge on new subject session insertion when the subject session quota is reached. The session store /purge resource remains available (issue session-store/91).

  • Changes the SS0233 log message to level WARN when the purged number of orphaned subject keys is greater than zero, otherwise the level remains INFO (issue session-store/90).

  • Fixes an issue affecting grant isolation at the token endpoint when the Connect2id server is configured with issuer aliasing in mode PERSISTED_GRANT_ISOLATION (issue server/923).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:11.2

  • Updates to com.nimbusds:oauth2-authz-store:24.6.4

  • Updates to com.nimbusds:oidc-session-store:16.7.1

  • Updates to com.nimbusds:c2id-server-jwkset:1.30

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:5.3

  • Updates Infinispan to 14.0.19.Final

Connect2id server and CVE-2023-5072

Our CVE scanner recently returned a DoS vulnerability for the JSON.org dependency org.json:json:20230227.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5072

Fortunately this dependency is used in a single, non-critical place, to evaluate JSON paths as part of a configuration check in the optional software statement verifier (SSV) plugin of the Connect2id server.

There is no need to take action, unless all of the following applies:

  1. You have enabled open dynamic client registration:

    op.reg.allowOpenRegistration=true
    
  2. You have a Connect2id server deployment with an enabled SSV plugin:

    op.ssv.enable=true
    
  3. The plugin is configured for op.ssv.scopeRules.* that represent JSON Path queries.

Because the scope rules check is performed only after a successfully authenticated (JWS validated) software statement, the DoS exploitation risk is minimal.

We have released a patched up SSV plugin that bumps the org.json:json dependency to 20231013.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>software-statement-verifier</artifactId>
    <version>2.2.6</version>
</dependency>

The patched up SSV plugin will be included in the next Connect2id server release.