Connect2id server 12.6.1

This release of the Connect2id server fixes two bugs that affected the eKYC / Identity Assurance extension for verified claims and a bug affecting configuration of the custom scope value to OpenID claims mapping. The fixed issues are described in the release notes below.

Download 12.6.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.6.1: Connect2id-server.zip

SHA-256: 88ca8c72ba87f144625cbc8a71f8e06a80d1cb5450beb18eb9ba6718f61cd745

GPG signature: Connect2id-server.zip.asc

Connect2id server 12.6.1 WAR package: c2id.war

SHA-256: 4a56c99242ea290992a207ef10a92a54e1d4442ab687e3327347cbf9e1cb145c

GPG signature: c2id.war.asc

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.6.1: Connect2id-server-mt.zip

SHA-256: 71b5289d020f06c0ebd6c762df6e8cc8dca90287011e2cac71dacf30ce6f777a

GPG signature: Connect2id-server-mt.zip.asc

Connect2id server 12.6.1 WAR package: c2id-multi-tenant.war

SHA-256: 11ac6124cbc3231103fb79be6c7a781585607d9f6bb7cb636dadfef58bf5fc7b 

GPG signature: c2id-multi-tenant.war.asc

Questions?

Contact Connect2id support.


Release notes

12.6.1 (2022-02-10)

Resolved issues

  • Fixes op.map.claims.* system property override for configuring the custom scope-to-claims mapper in the single-tenant edition of the Connect2id server. The multi-tenant server edition is not affected. The single-tenant server edition will log at startup the configured mapping (at level INFO with ID OP0080) (issue server/725).

  • OpenID Connect for Identity Assurance: MinimalVerificationSpec.parse must allow trust_framework set to an empty JSON object (issue oidc-sdk/385).

  • OpenID Connect for Identity Assurance: The birthplace claim must allow ISO 3166-1 Alpha-3 country codes. (issue server/728).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.25

  • Updates to com.nimbusds:nimbus-jose-jwt:9.19

  • Updates to org.postgresql:postgresql:42.3.2

Connect2id server 12.6 with major upgrade to Identity Assurance / eKYC support

Identity Assurance / eKYC upgrade

In September 2021 the Identity Assurance / eKYC extension to OpenID Connect received a major upgrade and was later voted to become an implementer's draft, a crucial step towards reaching standard status.

The changes fall into three areas:

  • Revision of the verification data element, to make a clear distinction between the process of verifying that the user is the owner of the claims and the process that involves the validation of evidences, such as ID cards or electronic records. The concept of assurance level was factored out and is no longer a part of the trust framework identifier. A new taxonomy for the identity evidences was created, which now has the types document, electronic_record, vouch, utility_bill and electronic_signature. Finally, there is a possibility to deliver attachments to relying parties, such as scanned documents.
  • Revision of the OpenID provider metadata, adding new fields and deprecating others.
  • Definition of two new OpenID claims: msisdn, also_known_as and address.country_code.

The changes are outlined in the history section of the Identity Assurance / eKYC draft, but due to the numerous significant changes we recommend studying the entire spec.

The Connect2id server is now updated to support the new syntax for the verification data element. The old (deprecated) syntax will continue to work with the server as well as with the underlying OAuth 2.0 / OpenID Connect SDK.

The server configuration for eKYC was also updated so the new fields can be advertised in OpenID provider metadata. Note that fields related to the deprecated id_document type should no longer be used. The changes in configuration and OpenID provider metadata are explained in the release notes below.

If you are interested in adopting Identity Assurance / eKYC in your Connect2id server deployment start here.

If you use our open source OAuth 2.0 / OpenID Connect SDK to construct verification data on the server side, or within a client application that relies on a IdA / eKYC provider, you will find these improvements:

  • A more intuitive API and improved typed-safety for writing robust code.
  • It's now easier to create custom verification data requests by extending the new MinimalVerificationSpec class.
  • External attachments can be downloaded (with HTTP timeouts) and their digests automatically verified with a single line of code.
  • Constants and helper methods for dealing with ISO 3166-1 and 3166-3 country codes, including logic for mapping between two (alpha-2) and three-letter (apha-3) ISO 3166-1 country codes.

Check the OpenID Connect SDK guide and examples for IdA / eKYC to find out more.

Accessing OpenID provider metadata from within a plugin

The AuthorizationRequestValidator and PARValidator SPIs can now access the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes. Contact us if you find this useful for other types of plugins.

Dependency updates

Finally, this 12.6 release comes with about a dozen updates to frameworks and libraries. Several optional and unused dependencies for OpenSAML were removed.

Docker

The Docker c2id/c2id-server-demo and c2id/c2id-server-min images switched from Debian (as OS) with Java 11 to Amazon Coretto 11, which has a lighter combined footprint. Fewer Linux packages will also mean fewer false positives to deal with when an image is scanned for vulnerabilities, because scanners at present cannot tell if a package is used or not (and Java doesn't need many of the standard packages that come in a Linux OS). Note that Amazon Coretto still isn't a bare bones Linux distribution, so vim, curl and other basic utilities can still be found in it.

Download 12.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a6ad8242ebfb578f0d62963a842635bfee8e76c27db78be180d254340ca66ee7

Connect2id server 12.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ea0bb877aa6c51ea96d1353823fceb8ae026fe75711c780ee14f060ac7d3fb41

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a787bd9d95eb0f657e19e7337dc327fdd45703e5720998a7a8f1caa268e6ec07

Connect2id server 12.6 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b9d5844723274e817f02dbe63dde316c5089ed2b6c33ec75340d34a822bdee27 

Questions?

Contact Connect2id support.


Release notes

12.6 (2022-01-17)

Summary

  • Upgrades OpenID Connect for Identity Assurance 1.0 support to the latest implementers' draft 12 from 6 September 2021. See https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html

  • Upgrades the AuthorizationRequestValidator and PARValidator SPIs to enable read-only access to the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.assurance.supportedDocumentTypes -- New optional configuration property listing the supported document types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_supported" OpenID provider metadata parameter.

    • op.assurance.supportedMethodsForDocuments -- New optional configuration property listing the supported coarse identity verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedValidationMethodsForDocuments -- New optional configuration property listing the supported validation methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_validation_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedVerificationMethodsForDocuments -- New optional configuration property listing the supported person verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_verification_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedElectronicRecordTypes -- New optional configuration property listing the supported electronic record types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "electronic_records_supported" OpenID provider metadata parameter.

    • op.assurance.supportedAttachments -- New optional configuration property listing the supported attachment types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "attachments_supported" OpenID provider metadata parameter. Attachment types: embedded, external.

    • op.assurance.supportedDigestAlgs -- New optional configuration property listing the supported digest algorithms for external attachments if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "digest_algorithms_supported" OpenID provider metadata parameter. If external attachments are supported must at least include sha-256.

    • op.assurance.supportedIDDocumentTypes -- Becomes deprecated, the corresponding "id_documents_supported" OpenID provider metadata parameter in no longer in use in OpenID Connect for Identity Assurance 1.0.

    • op.assurance.supportedIdentityVerificationMethods -- Becomes deprecated, the corresponding "id_documents_verification_methods_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.

Web API

  • /.well-known/openid-configuration

    • documents_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported document types. Replaces "id_documents_supported".

    • documents_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported coarse identity verification methods for evidences of type document. Replaces "id_documents_verification_methods_supported".

    • documents_validation_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported validation methods for evidences of type document.

    • documents_verification_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported person verification methods for evidences of type document.

    • electronic_records_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported electronic record types.

    • attachments_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported attachment types: embedded, external.

    • digest_algorithms_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported digest algorithms for external attachments.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.41

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.41

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.20.1

  • Updates to com.nimbusds:oauth2-authz-store:17.7

  • Updates to com.nimbusds:oidc-session-store:14.8

  • Updates to com.nimbusds:content-type:2.2

  • Updates to com.nimbusds:c2id-server-property-source:1.0.3

  • Removes and updates selected OpenSAML 3.4.6 transitive dependencies

  • Replaces javax.activation:javax.activation-api:jar:1.2.0 with jakarta. activation:jakarta.activation-api:jar:1.2.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.6

  • Updates to com.zaxxer:HikariCP:4.0.3

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.3

  • Updates to org.postgresql:postgresql:42.3.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.9

  • Updates to com.nimbusds:tenant-registry:6.0.1

  • Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.132

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.5

  • Updates to AWS Java SDK 1.12.132

  • Updates DropWizard to 4.1.29

  • Updates Prometheus SimpleClient to 0.14.1

  • Updates Log4j to 2.17.1

Connect2id server 12.5.4 and 11.6.7 security updates addressing Log4j CVE-2021-45105

This Connect2id server release addresses a second post-Log4shell vulnerability discovered in Log4j, which can result in a DoS and is described in CVE-2021-45105.

Updating is strongly recommended to secure your deployments.

There are also updated c2id/c2id-server-demo and c2id/c2id-server-min Docker images available.

Download 12.5.4

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5.4: Connect2id-server.zip

SHA-256: 2860513912e3494d172764e9c2e0a159241d5e41c1663bdaf714021f6921f7ac

Connect2id server 12.5.4 WAR package: c2id.war

SHA-256: 520d3c398faccd29ed41244dcb79a8f3dcb6a825d111d20665965ad85b84bc5a

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5.4: Connect2id-server-mt.zip

SHA-256: 7859e9f37bd3ffcce1793e34921559bf03a9425831075cf22fcef311f8d316be

Connect2id server 12.5.4 WAR package: c2id-multi-tenant.war

SHA-256: c83965f09030956ceb6cf14fc1dbb983fe4b74620700dbbdf4e2e4b2a074edb2

Download 11.6.7

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.7: Connect2id-server.zip

SHA-256: e64d746617c750cf9abc954be9108541170d7b747a8ac4214f56538e6a45489b

Connect2id server 11.6.7 WAR package: c2id.war

SHA-256: 406bb18a8705b1230959553abaa2642f77dedd0399df71e1b65d303b47b5565e

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.7 Connect2id-server-mt.zip

SHA-256: ee926caabf4411c6b3ca481f1a1d456e1e9b37721581cc60997049f4d00e33cc

Connect2id server 11.6.7 WAR package: c2id-multi-tenant.war

SHA-256: 06bbef74bdd6b819bdf5ee967b29b697d5d3d324ee6acbcbb8ffc4c34a01f34f

Questions?

Contact Connect2id support.


Release notes

12.5.4 (2021-12-18)

Resolved issues

  • Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45105 (issue server/711).

Dependency changes

  • Updates Log4j to 2.17.0

11.6.7 (2021-12-18)

Resolved issues

  • Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45105 (issue server/711).

Dependency changes

  • Updates Log4j to 2.17.0

Connect2id server 12.5.3

This release of the Connect2id server fixes a bug that affected the override of a configuration property and updates several dependencies.

The extra web applications included in the ZIP package (sample login page, OpenID relying party, etc) also receive the Log4j security patch for the CVE-2021-45046 announced on Monday. The Connect2id server itself was patched for this CVE in the prior 12.5.2 release.

Maven Central is currently experiencing an overload, due to the enormous number of packages being updated, with release uploads timing out. This situation has made it difficult for us to publish updates to various open source components that we maintain. If the difficulties persist we will consider setting up a private repo for their distribution.

This release also marks a change in the Connect2id server Docker images and their naming:

  • The Docker image built from Connect2id-server.zip, which includes a complete package with the latest stable Apache Tomcat and the extra web applications will now be published under the c2id/c2id-server-demo tag. Previously this was c2id/c2id-server. This naming change is to make it clear that the image is chiefly intended for demo and evaluation purposes. For production consider using a purpose built image (see next).

    https://hub.docker.com/r/c2id/c2id-server-demo/tags

  • A new type of Docker image becomes available now, under the c2id/c2id-server-min tag. It builds from an official Apache Tomcat Docker image, with only c2id.war deployed in it. This makes for a minimal image containing only an instance of the Connect2id server and nothing else. In a OpenID provider / OAuth 2.0 server deployment it will be complemented with containers for the backend database, the front-end, etc.

    https://hub.docker.com/r/c2id/c2id-server-min/tags

    The minimal image can be tweaked, for example to reconfigure logging output.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5.3: Connect2id-server.zip

SHA-256: ec024cb187fe44d04a8feea204f0948a67668de31491f62c7fdbf919645af3a4

Connect2id server 12.5.3 WAR package: c2id.war

SHA-256: 380216996fce28034f1888870c97299c334d8da7a883fd5b52682694548e1d2b

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5.3: Connect2id-server-mt.zip

SHA-256: 83b80077461a4e56cf9db1cd4523a078f4459f7d0cf1ca0a7166fb7fda98d561

Connect2id server 12.5.3 WAR package: c2id-multi-tenant.war

SHA-256: 6cb80a9f267c949f4120199b4d9d0bd82a40dca2a13075d3972adcfe54089906

Questions?

Contact Connect2id support.


Release notes

12.5.3 (2021-12-16)

Resolved issues

  • Fixes op.checkSession.iframe and op.checkSession.cookieName configuration property parsing to support Java system property override (issue server/709).

Dependency changes

  • Updates to com.nimbusds:software-statement-verifier:2.2.2

  • Updates to org.apache.commons:commons-compress:1.21

Connect2id server 11.6.6 security update

This release of the Connect2id server backports the security patch to address the most recent Log4j CVE-2021-45046, which was announced yesterday and is closely related to the original Log4shell vulnerability from last week.

Several other updates under the hood are also included. As with the 12.5.2 update, this one for 11.x is critical and highly recommended.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 11.6.6: Connect2id-server.zip

SHA-256: 5abd1efa691a059e380f8a6f712f9e09220c3f78b7aa308d8bfd927f1446ab77

Connect2id server 11.6.6 WAR package: c2id.war

SHA-256: a9ef91aa5f9e71081377d1b815042c086bdd38e1bbc3d974f6ec0f9ee1cb0232

Multi-tenant edition

Apache Tomcat package with Connect2id server 11.6.6: Connect2id-server-mt.zip

SHA-256: b24d9c1bab76ee6bcce26e7fb019d14df8104318cad4a6b40a7facc273049a75

Connect2id server 11.6.6 WAR package: c2id-multi-tenant.war

SHA-256: eb642f6d8f6d44a68750ff12ab2c4178539de09506eab3ecca146a99f5a2cdd4

Questions?

Contact Connect2id support.


Release notes

11.6.6 (2021-12-15)

Resolved issues

  • Updates Log4j to 2.16.0 to address a critical vulnerability described in CVE-2021-45046, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45046 (issue server/708).

Dependency changes

  • Updates Log4j to 2.16.0

  • Updates to com.google.code.gson:gson:2.8.9

  • Updates BouncyCastle to 1.70.

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.3