Connect2id server 13.7

This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.

New configuration properties

op.idToken.includeX5C -- this configuration makes it possible to control the inclusion of X.509 certificate (chains) in the JWT header of issued ID tokens. The X.509 certificate get automatically included by the Connect2id server when one is found in the configured signing keys. To disable this behaviour and issue leaner ID tokens set this configuration property to false.

op.idToken.includeX5C=false

op.reg.allowNonTLSLogoutURIsForTest -- the configuration allows the registration of OpenID relying parties as clients with a frontchannel_logout_uri or backchannel_logout_uri that is an insecure (plain) HTTP URL. This is intended to help with test and devops deployments that cannot issue HTTPS certificates. Unsecured logout URLs must not be used in production!

op.reg.allowNonTLSLogoutURIsForTest=true

You can find more information about the frontchannel_logout_uri and backchannel_logout_uri parameters in their respective specifications:

Bug fixes

This release fixes a bug that affected DPoP access tokens. If you have a Connect2id server deployments that issues identifier-based access tokens with DPoP and are using the stateless server mode you should upgrade to this version. Deployments that issue JWT-encoded access tokens or use a replication cluster or Redis are not affected.

Download 13.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6

Connect2id server 13.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673

Connect2id server 13.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.7 (2023-03-30)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.idToken.includeX5C -- New optional configuration to control inclusion of the "x5c" (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is true.

    • op.reg.allowNonTLSLogoutURIsForTest -- New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is false (not allowed). Must not be allowed in production!

Resolved issues

  • The JWK thumbprint (jkt) confirmation must be persisted in the "cnf" column of the "id_access_tokens" SQL table for identifier-based DPoP access tokens (issue authz-store/205).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1

  • Updates to com.nimbusds:oauth2-authz-store:19.5.1

  • Updates to net.minidev:json-smart:2.4.10

  • Updates to com.google.crypto.tink:tink:1.8.0

  • Updates to com.google.code.gson:gson:2.10.1

  • Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2

Connect2id server 14.0 RC3 with Oracle Database support

This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.

The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.

In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.

More information can be found in the release notes below.

Download 14.0-rc.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: acaf4e2bb79b666c4cb0e99ce36c0b2c77ad423fcf29d595c28b62ff50fb1e71

Connect2id server 14.0-rc.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 39fbb7f6ae88a3d165c0b5f93ebdb8eec3e146b53c5b458d6fb5610b4dccbdfe

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.0-rc.3 (2023-03-11)

Summary

  • Upgrades to Infinispan 14.0.

  • Adds Oracle 12c r1+ Database support.

  • Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.

Configuration

  • /WEB-INF/infinispan-*.xml

    • Upgrades the XML schema to Infinispan 14.0.
  • /WEB-INF/infinispan-stateless-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database.
  • /WEB-INF/infinispan-stateless-redis-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
  • /WEB-INF/infinispan-replication-oracle.xml

    • New Infinispan configuration for replication clustering and an Oracle database.
  • /WEB-INF/infinispan-multitenant-stateless-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
  • /WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml

    • New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alternations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.

    • New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.

  • /WEB-INF/infinispan-*-ldap.xml

    • The LDAP backend database XML configurations are removed and no longer supported.
  • /WEB-INF/sql

    • New directory containing the required SQL statements for manual table creation, to be used when the Connect2id is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).

Resolved issues

  • The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).

  • The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.52.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1.1

  • Updates to com.nimbusds:tenant-manager:7.4.1

  • Updates to com.nimbusds:tenant-registry:8.2

  • Updates to com.nimbusds:oauth2-authz-store:20.1

  • Updates to com.nimbusds:oidc-session-store:16.1

  • Upgrades to com.nimbusds:common:2.50

  • Upgrades to com.nimbusds:infinispan-cachestore-common:3.1

  • Upgrades to Infinispan 14.0.6.Final

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1

  • Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6

  • Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0

Connect2id server 14.0 RC2 with Oracle Database support

This is a snapshot of the upcoming Connect2id server 14.0 with Oracle database support.

The underlying Infinispan-based architecture received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.

In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.

More information can be found in the release notes below.

Download 14.0-rc.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.0-rc.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 314af2180aedc3c27d8363dfb517e105b0f924763395c22af9ebf924a35b1dbe

Connect2id server 14.0-rc.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: cf19afd1db69b93e0d9d48672f71360da641f5de8d379902e94534adb70b860f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

14.0-rc.2 (2023-03-06)

Summary

  • Upgrades to Infinispan 14.0.

  • Adds Oracle 12c r1+ Database support.

  • Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.

Configuration

  • /WEB-INF/infinispan-*.xml

    • Upgrades the XML schema to Infinispan 14.0.
  • /WEB-INF/infinispan-stateless-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database.
  • /WEB-INF/infinispan-stateless-redis-oracle.xml

    • New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
  • /WEB-INF/infinispan-replication-oracle.xml

    • New Infinispan configuration for replication clustering and an Oracle database.
  • /WEB-INF/infinispan-multitenant-stateless-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
  • /WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml

    • New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml

    • New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alternations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
  • /WEB-INF/infinispan-*-ldap.xml

    • The LDAP backend database XML configurations are removed and no longer supported.
  • /WEB-INF/sql

    • New directory containing the required SQL statements for manual table creation, to be used when the Connect2id is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).

Resolved issues

  • The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).

  • The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.52.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1.1

  • Updates to com.nimbusds:tenant-manager:7.4.1

  • Updates to com.nimbusds:tenant-registry:8.2

  • Updates to com.nimbusds:oauth2-authz-store:20.1

  • Updates to com.nimbusds:oidc-session-store:16.1

  • Upgrades to com.nimbusds:common:2.50

  • Upgrades to com.nimbusds:infinispan-cachestore-common:3.1

  • Upgrades to Infinispan 14.0.6.Final

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1

  • Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6

  • Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0

Logout API updates in Connect2id server 13.6

The logout API of the Connect2id server was updated to make it more intuitive and developer friendly.

  • The logout end response message gets a new sub_session_closed parameter to provide a clear hint when the browser session should be deleted.

  • Post-logout redirections requested by the client will be processed regardless of whether an end-user session is present or not. Previously the Connect2id server would ignore them if there is no active end-user session.

More information can be found in the release notes below.

Download 13.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: bdb91c4cc8a2f32ebc63457251aa5876d2d54685eb1d9ab99c2a3749d070af00

Connect2id server 13.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 12e4671bc92918425571cdd1fc0762735d82d919ba4adc893c1dcdbc14a810a6

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 65219b215d4afce61d1d2017da0eaad03108af0c61344c2f7a331dbb5caadd94

Connect2id server 13.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8b540c2865b3bb7eb6aa1c8ba87b2c4249da60654c4b493a8dffa47e82c9f54f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.6 (2023-02-22)

Summary

  • Updates to the logout session API.

Web API

  • /logout-sessions/rest/v1/

    • Adds new "sub_session_closed" parameter to the logout-end message, of type boolean {true|false}. When true indicates the Connect2id server closed the end-user session in response to an IdP-initiated logout request, or in response to an RP-initiated logout request with a submitted end-user confirmation that included the choice to log out of the IdP as well. To be used as a hint to delete the browser cookie linked to the session. Note that the deletion of the session cookie is not critical, because the session ID is invalidated on the server side.

    • The logout session API is updated to proceed with a requested "post_logout_redirect_uri" when there is no present end-user session, or the session has expired. Previously the redirection request by the relying party (RP) would be silently ignored. This change conforms with OpenID Connect RP-Initiated Logout 1.0 (see section 4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.31

Connect2id server 13.5

This Connect2id server release ships three new features.

  • Single sign-on (SSO) can be disabled for selected clients. Intended as a lightweight alternative to fully-isolated client-based sessions.

  • The session store API gets a new resource that enables changes to the authentication lifetime of end-user sessions.

  • Client secret store plugins can return the encoded (hashed) secret in client read responses using a new custom encoded_client_secret client metadata field.

This release also fixes two reported bugs affecting the logout API and OpenID Connect Federation 1.0.

Detailed information is available in the release notes below.

Download 13.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: faf122c1be83aeff84961b7cb12a73a7787e885991d71dfd4049792c72b3ba02

Connect2id server 13.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a586dd25af1e9b711a495bd533fe07845471e51a7629d45a812ba4b3deea59ca

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f614ad4c03c6eb2f076d5bb2c0c9888ac56bdb20888ced811f0747127344672d

Connect2id server 13.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b610a9b1d703a7d1dbffd5032875fb459663c93e0d07d6dd2b46fe46648dd084

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.5 (2023-02-20)

Summary

  • Single sign-on (SSO) can be disabled for selected clients.

  • New session store web API resource for modifying the authentication lifetime of an end-user session.

  • Client secret store plugins can return the encoded secret in client read responses using a new custom "encoded_client_secret" client metadata field.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.sso.disableForSelectedClients -- New optional configuration property to disable single sign-on (SSO) for selected registered clients. Ensures end-users will be always (re)authenticated on the first OAuth 2.0 authorisation / OpenID authentication request when end-user has an existing session with the Connect2id server. Subsequent requests from the client received into the same end-user session will be processed as usual, without triggering re-authentication of the end-user.

      Disabling SSO for a client creates the effect of "virtual" client-based sessions with the Connect2id server.

      Clients with disabled SSO are selected by configuring a JSON query that accepts the client registration (as JSON object representation) and returns a boolean true result. The default configuration property is no selector specified.

      Example JSON query to disable SSO for clients which registered a custom data JSON object containing a disable_sso member set to true: .data.disable_sso==true.

      The Connect2id server logs the configured JSON query at INFO level with the ID OP0090.

Web API

  • /session-store/rest/v2/

    • Adds a new /sessions/subject-auth-life resource supporting a PUT method to change the authentication lifetime of a session. The value is specified as an integer number of minutes, where -1 means infinite (no timeout) and 0 implies the default lifetime from the sessionStore.authLifetime configuration property. Returns HTTP 204 No Content on success.
  • /clients/

    • Connect2id server deployments with a ClientSecretStoreCodec plugin for encoding (hashing or encrypting) client secrets before committing them to storage will include the stored client secret in an "encoded_client_secret" metadata field in responses to client registration read (HTTP GET) requests. Note, in order to provide the metadata field in registration read responses the ClientSecretStoreCodec.decode method must return a DecodedSecret.withEncodedValue.
  • /monitor/v1/metrics

    • Adds new sessionStore.sessionAuthLifetimeUpdates meter.

Resolved issues

  • The OpenID Connect Federation 1.0 "value" policy check must support JSON objects (issue oidc-sdk/419).

  • Fixes a bug that prevented return of the state parameter in RP-initiated logout requests with a post_logout_redirect_uri when there is no frontchannel_logout_uri registered for the client (issue server/831).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7

  • Upgrades to com.nimbusds:oidc-session-store:15.3

  • Adds net.thisptr:jackson-jq:1.0.0-preview.20220705