Connect2id server 9.3

This release of the Connect2id server adds a new plugin interface and updates the SQL and DynamoDB database connectors.

SPI for customising token responses

A new plugin interface enables customisation of token responses. Deployments that want to experiment with the OAuth 2.0 Rich Authorization Requests (RAR) spec, still in development at the OAuth 2.0 WG, can use it to return the RAR metadata required in the token response (the "authorization_details" parameter). We provided a working example.

Token error responses can also be customised.

Database connector updates

The SQL store connector was updated and now has a default configuration where a single SQL connection pool is shared between all Connect2id server maps and caches with data persistence. Support for vertical partitioning is still available.

There is no need to update your current MySQL, PostgreSQL, SQL Server and H2 configurations; the new settings ship with the updated configuration files.

The DynamoDB connector was also updated and can now be configured with an HTTP proxy host and port for connections to the database endpoint.

Other

The authorisation session API of the Connect2id server also received a small update and a bug fix.

Check the release notes below for additional information.

Download

To download a ZIP package of Connect2id server 9.3:

https://connect2id.com/assets/products/server/download/9.3/Connect2id-server.zip

SHA-256: 039822d338d981f9dceacb2d19b6ff02e58bb7221fd9fbd7c4b005279a11eccf

As WAR package only:

https://connect2id.com/assets/products/server/download/9.3/c2id.war

SHA-256: 4b01ffa253ba2b6c485fcb36b407c39a224d93337a778caf56715c69a375785f

Questions?

Contact Connect2id support.


Release notes

9.3 (2020-05-12)

Configuration

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Updates the SQL store schema to v2.7 and switches to a single shared database connection pool for all Infinispan map and cache structures used by the Connect2id server. Support for per map / cache connection pool to spread the load over multiple databases (vertical partitioning) is still available.
  • /WEB-INF/infinispan-*-dynamodb.xml

    • Updates the DynamoDB store schema to v1.7 and adds support for configuring an optional HTTP proxy for connections to the DynamoDB endpoint. The HTTP proxy is configured by setting the Java system properties "dynamodb.httpProxyHost" and "dynamodb.httpProxyPort".

Web API

  • /authz-sessions/rest/v3/

    • Exposes the optional "id_token_hint" OpenID authentication request parameter in the authorisation session object (under "auth_req").

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.20

  • com.nimbusds.openid.connect.provider.spi.tokens.response.CustomTokenResponseComposer

    • New SPI for composing custom token success and error responses. Can be used to include additional parameters in an access token response based on the authorisation (consent) "data" parameter, such as an "authorization_details" parameter required in OAuth 2.0 Rich Authorization Requests (draft-lodderstedt-oauth-rar-03).

Resolved issues

  • Fixes a bug which prevented stripping of language tags from claim names retrieved from the "clm" field in authorisation records. Previously consented claims appearing in the consent prompt (authorisation session API) must not include language tags (issue server/558).

  • Enhances the authorisation session API by automatically stripping language tags in the names of consented claims (issue server/559).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.20

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.5

  • Upgrades to com.nimbusds:oauth2-authz-store:14.6

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:4.2.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:3.6.1

JAR update in Connect2id server 9.2

This new release of the Connect2id server updates the JAR implementation and fixes four bugs.

The implementation of JWT-secured authorisation requests (JAR) in OAuth 2.0 was updated after a minor change in draft 21 of the underlying specification, which made client_id a required query parameter. Having the client_id easily accessible (outside the JWT) makes it easier to retrieve the registration of the requesting client, particularly for JARs passed inline and symmetrically encrypted with the client_secret, and for JARs passed by URI which aren't indexed.

This release also adds two new optional JAR-related configuration properties:

  • op.authz.oAuthRequestJWTPolicy -- sets a policy for merging unsecured query parameters for generic OAuth 2.0 requests. The standard policy (per the JAR specification) is to only use the JWT-secured parameters in an authorisation request and ignore all parameters passed in the query string.

  • op.authz.openIDRequestJWTPolicy -- sets a policy for merging unsecured query parameters for OpenID authentication requests. The standard policy here is different (per OpenID Connect): unsecured query parameters are merged, with the JWT-secured ones taking precedence. By setting the policy to "STRICT" any present unsecured parameters will be ignored when composing the final request.
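The two policies above, written out as an added example. This is not Connect2id code and does not use the Connect2id SDK: a hypothetical client s6BhdRkqt3 signs its request object with HS256 using a made-up client_secret; the server checks the JWS algorithm and signature, checks that the unsecured client_id agrees with the one inside the request object, and then composes the effective request under either STRICT or MERGE_UNSECURED. All names, secrets and parameter values are assumptions; only the policy behaviour mirrors the two settings described above.

```python
# Added example, not Connect2id code: applying the STRICT / MERGE_UNSECURED
# policies to a JWT-secured authorisation request (JAR, draft 21 shape).
import base64
import hashlib
import hmac
import json

CLIENT_ID = "s6BhdRkqt3"                    # assumed registered client
CLIENT_SECRET = b"7Fjfp0ZBr1KtDRbnfVdmIw"    # assumed client_secret, used as the HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: wrap the authorisation request parameters in an HS256-signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(jwt: str, secret: bytes) -> dict:
    """Server side: pin the algorithm, check the signature, return the secured claims."""
    header_b64, payload_b64, sig_b64 = jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never accept "none" or an unexpected alg
        raise ValueError("unexpected JWS alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid request object signature")
    return json.loads(_b64url_decode(payload_b64))


def compose_request(query: dict, secret: bytes, policy: str) -> dict:
    """Build the effective authorisation request from the query string under a policy."""
    # draft 21: client_id is the only required plain query parameter next to request/request_uri
    if "client_id" not in query or "request" not in query:
        raise ValueError("client_id and request are required query parameters")
    secured = verify_request_object(query["request"], secret)
    # the client_id outside the JWT must agree with the one inside it
    if secured.get("client_id") != query["client_id"]:
        raise ValueError("client_id mismatch between query and request object")
    unsecured = {k: v for k, v in query.items() if k != "request"}
    if policy == "STRICT":
        return dict(secured)                 # unsecured parameters are dropped entirely
    if policy == "MERGE_UNSECURED":
        return {**unsecured, **secured}      # JWT-secured values take precedence
    raise ValueError(f"unknown policy {policy}")


# Constructed sample: the client signed scope=openid, but the URL reaching the
# server also carries an unsecured scope and an unsecured prompt parameter.
REQUEST_OBJECT = sign_request_object({
    "client_id": CLIENT_ID,
    "response_type": "code",
    "redirect_uri": "https://client.example.com/cb",
    "scope": "openid",
    "state": "af0ifjsldkj",
}, CLIENT_SECRET)

QUERY = {
    "client_id": CLIENT_ID,
    "request": REQUEST_OBJECT,
    "scope": "openid email",   # unsecured: must never override the secured value
    "prompt": "login",         # unsecured: only survives under MERGE_UNSECURED
}

if __name__ == "__main__":
    print(compose_request(QUERY, CLIENT_SECRET, "STRICT"))
    print(compose_request(QUERY, CLIENT_SECRET, "MERGE_UNSECURED"))
```

Under STRICT the effective request is exactly the signed claims; under MERGE_UNSECURED the unsecured prompt=login is added but the secured scope still wins over the unsecured one. A mismatching client_id, a wrong secret or a tampered token is rejected before any merging happens.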

The OAuth 2.0 & OpenID Connect SDK was also updated for the latest v21 JAR draft. The new examples will show you how easy it is to compose a JAR from a client application.

If you still find JAR a bit too cumbersome to use, consider making plain pushed authorisation requests (PAR). They offer comparable security, such as source authentication and keeping the parameters unexposed to the browser, while completely sparing the need to deal with JWS and perhaps JWE.

Download

To download a ZIP package of Connect2id server 9.2:

https://connect2id.com/assets/products/server/download/9.2/Connect2id-server.zip

SHA-256: f21392c832d8114a158074f6989cab89508958726747f6d6f52a16593ed033e7

As WAR package only:

https://connect2id.com/assets/products/server/download/9.2/c2id.war

SHA-256: 0ea053b68dbaa1e21360c49e725131929d099b0b15f38de29fcf31a3763316b3

Questions?

Contact Connect2id support.


Release notes

9.2 (2020-04-21)

Summary

  • Updates support for "JWT Secured Authorization Request (JAR)" to draft-ietf-oauth-jwsreq-21. client_id becomes the sole required query parameter for JAR requests, in addition to the query parameter for the JWT itself (request for a JWT passed inline or request_uri for a JWT passed by URI reference).

  • Adds new "op.authz.oAuthRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OAuth 2.0 authorisation request (JAR) (excluding OpenID authentication requests). The default policy is to accept only the JWT-secured parameters, with unsecured query parameters being ignored.

  • Adds new "op.authz.openIDRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OpenID authentication request. The default policy is to merge unsecured OpenID authentication request query parameters, with the JWT-secured parameters having precedence.

Configuration

  • /WEB-INF/oidcProvider.properties

    • New "op.authz.oAuthRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OAuth 2.0 authorisation request (JAR) (excluding OpenID authentication requests).

      Supported policies:

      • STRICT -- Use only JWT-secured parameters, unsecured query parameters will be ignored. This is the default policy for OAuth 2.0 authorisation requests.

      • MERGE_UNSECURED -- Merge unsecured authorisation request query parameters, with the JWT-secured parameters having precedence.

    • New "op.authz.openIDRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OpenID authentication request.

      Supported policies:

      • STRICT -- Use only JWT-secured parameters, unsecured query parameters will be ignored.

      • MERGE_UNSECURED -- Merge unsecured OpenID authentication request query parameters, with the JWT-secured parameters having precedence. This is the default policy for OpenID authentication requests.

Resolved issues

  • Adds missing AccessTokenKeyExternalizer and AccessTokenAuthorizationExternalizer declarations for "authzStore.idAccessTokenMap" in the infinispan-*.xml configs (issue server/545).

  • Fixes handling of GeneralException instances thrown from ClaimsSource SPIs when no error code and HTTP status code are specified. The correct response is to return an HTTP status code 500 instead of an empty UserInfo (issue server/547).

  • Fixes "userInfoEndpoint.serverErrors" metering on a ClaimsSource SPI throwing an unchecked Exception or a GeneralException (with no parameters) instance (issue server/548).

  • Fixes the supply of optional claims data to ClaimsSource SPI implementations for OpenID claims requests for ID tokens (issue server/549).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.4

  • Updates to com.nimbusds:nimbus-jose-jwt:8.14.1

Connect2id server 9.1.1 and 8.2.2

This is a maintenance release of the Connect2id server.

The update is recommended for stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS (MySQL, PostgreSQL, Microsoft SQL server). This applies to the Infinispan configuration files with the following pattern:

/WEB-INF/infinispan-stateless-{mysql|postgres95|sqlserver}.xml

Stateless cluster deployments with Redis as the in-memory / cache store are not affected.

The update fixes a bug which can cause premature expiration of OAuth 2.0 authorisation codes issued for a prompt=none authorisation request, or for an authorisation request which was fulfilled from persisted consent (where the entire consent was on record). The code-for-token exchange then fails with an invalid / expired code error.

The release notes below provide more information.

Download 9.1.1

To download a ZIP package of Connect2id server 9.1.1:

https://connect2id.com/assets/products/server/download/9.1.1/Connect2id-server.zip

SHA-256: 79fbfe1785d03c0260dac506a9092c9820162c3c0725ad6058c5bcee73033b80

As WAR package only:

https://connect2id.com/assets/products/server/download/9.1.1/c2id.war

SHA-256: 1622db4e9d7e29142d5df0a88261941ae3648628f73413408508007877342a83

Download 8.2.2

To download a ZIP package of Connect2id server 8.2.2:

https://connect2id.com/assets/products/server/download/8.2.2/Connect2id-server.zip

SHA-256: 2323b1d98f7c0e94bd92eb137a7b650fc9a4591151f604d8f9a1c62da7378d03

As WAR package only:

https://connect2id.com/assets/products/server/download/8.2.2/c2id.war

SHA-256: 26ced5bb3044ab8c2b8541a2fc31d81b7b2eb8d0b224b179d56a6761265b0bd3

Questions?

Contact Connect2id support.


Release notes

9.1.1 (2020-03-26)

Resolved issues

  • Fixes premature expiration of OAuth 2.0 authorisation codes resulting from prompt=none or persisted consent authorisations in stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS database (MySQL, PostgreSQL, Microsoft SQL server). Applies to Infinispan configurations infinispan-stateless-{mysql|postgres95|sqlserver}.xml (where Redis is not used as an in-memory cache / store). Affected deployments should update (issue authz-store/176).

  • Adds debug logging for authorisation grant put (AS0230) and authorisation grant retrieval (AS0222) (issues authz-store/174 and 175).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.4.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.11


8.2.2 (2020-03-26)

Resolved issues

  • Fixes premature expiration of OAuth 2.0 authorisation codes resulting from prompt=none or persisted consent authorisations in stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS database (MySQL, PostgreSQL, Microsoft SQL server). Applies to Infinispan configurations infinispan-stateless-{mysql|postgres95|sqlserver}.xml (where Redis is not used as an in-memory cache / store). Affected deployments should update (issue authz-store/176).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.2.1

  • Updates to com.nimbusds:nimbus-jose-jwt:8.11

Connect2id server 9.1 updates JWT-secured token introspection responses

This release of the Connect2id server updates support for JWT Response for OAuth Token Introspection to the upcoming draft version 09. This OAuth 2.0 extension secures token introspection results with a digital signature, for business cases where the identity provider assumes liability for the content of the token. One such case is services using verified person data to create digital certificates, which in turn are used to create qualified electronic signatures (QES).

What changes were made in version 09?

  • The content of the token introspection response was moved to a separate JWT claim called token_introspection. This is done to prevent potential confusion and clashes of token introspection response parameters with top-level JWT claims that bear the same name.

  • The following top-level JWT claims are now made mandatory:

    • iss -- Set to the Connect2id server issuer URL.
    • aud -- Set to the client_id of the introspection endpoint caller (typically a resource server inspecting a token).
    • iat -- Set to the issue timestamp.
    • token_introspection -- JSON object containing the token introspection response mentioned above.
  • The JWT-secured response is triggered by an Accept HTTP request header set to application/token-introspection+jwt, unless op.token.introspection.alwaysRespondWithJWT is enabled, when the Accept header will be ignored and the response will always be JWT-secured.

Example request: the client (the resource server) authenticates at the introspection endpoint with HTTP basic authentication, using its registered client_id and client_secret. Notice the Accept header:

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Accept: application/token-introspection+jwt

token=giuLtTTnya5XpHVKNopT9w.gepM14CKpHcWloJ3XqMtvA

Example response with a signed JWT in the body:

HTTP/1.1 200 OK
Content-Type: application/token-introspection+jwt

eyJraWQiOiJ3RzZEIiwidHlwIjoidG9rZW4taW50cm9zcGVjdGlvbitqd3QiLCJhbGc
iOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tLyIsImF1ZCI6I
mh0dHBzOi8vcnMuZXhhbXBsZS5jb20vcmVzb3VyY2UiLCJ0b2tlbl9pbnRyb3NwZWN0
aW9uIjp7ImFjdGl2ZSI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9hcy5leGFtcGxlLmNvbS8
iLCJhdWQiOiJodHRwczovL3JzLmV4YW1wbGUuY29tL3Jlc291cmNlIiwiaWF0IjoxNT
E0Nzk3ODIyLCJleHAiOjE1MTQ3OTc5NDIsImNsaWVudF9pZCI6InBhaUIyZ29vMGEiL
CJzY29wZSI6InJlYWR3cml0ZWRvbHBoaW4iLCJzdWIiOiJaNU8zdXBQQzg4UXJBangw
MGRpcyIsImJpcnRoZGF0ZSI6IjE5ODItMDItMDEiLCJnaXZlbl9uYW1lIjoiSm9obiI
sImZhbWlseV9uYW1lIjoiRG9lIiwianRpIjoidDFGb0NDYVpkNFh2NE9SSlVXVlVlVF
pmc0toVzMwQ1FDcldERGp3WHk2dyJ9fQ.d1XLA-X8Inb0kwvRkk10ZokWbpEAO6u4Vb
0kirVPOLUdo2KiKD1IGer6bcVp-pNc2eC1yyUZGBp5GIDey8qhc41Oyhn6TOUAkLzZM
u2vAC7j4EsTM7-pKkbWX1kmH84-vAGvLR0MNWtVUgLmmIOy9krUMXE1jd0IS_Iqk7xW
JxmZLbuLHXx92LXRdErwThO-AHVLkiqIlz08H4LAsnKPVKMouzqBFYwK050ZJbnaVYw
O-QRC-lhCR_8JnsLZVp-QilDeWkOJiJ46un5HKZSYwxMjkhMs_Py8GOQaQk0ZY4MGCe
gTCKyiOsEIYSuIIDLy4YbHtY14SvZOUQwPDneFxQ

Example decoded JWT header. The response is signed with the same JWS algorithm and key as self-contained (JWT) access tokens, and the typ header marks it as a token introspection response:

{
  "alg" : "RS256",
  "typ" : "token-introspection+jwt",
  "kid" : "5iKs"
}

Example decoded JWT claims, with the mandatory top-level iss, aud and iat; notice how the introspection members are now encapsulated in a container claim:

{
  "iss"                 : "https://c2id.com/",
  "aud"                 : "kengo6Bo",
  "iat"                 : 1514797822,
  "token_introspection" : { "active"    : true,
                            "iss"       : "https://c2id.com/",
                            "aud"       : "kengo6Bo",
                            "iat"       : 1514797822,
                            "exp"       : 1514797942,
                            "client_id" : "paiB2goo0a",
                            "scope"     : "openid email profile",
                            "sub"       : "c5787848-d360-42fa-b01f-558b8f33506c",
                            "jti"       : "doRu8eeNg0geew7u" }
}

The legacy JWT-secured introspection response from draft-ietf-oauth-jwt-introspection-response-08 can still be triggered by setting the Accept header to application/jwt:

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Accept: application/jwt

token=giuLtTTnya5XpHVKNopT9w.gepM14CKpHcWloJ3XqMtvA
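What a resource server should check before trusting a response of the version 09 shape above, as an added example that is not Connect2id code. The signature verifier is a parameter, because the real response is RS256-signed with the OP's key and would be verified against the JWK set published by the server; so that the sample runs offline, the tokens below are minted and verified with a made-up HMAC key instead. The issuer, the resource server's client_id and all claim values are assumptions taken from or modelled on the examples above.

```python
# Added example, not Connect2id code: validating a JWT-secured introspection
# response (draft -09) on the resource server side.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://c2id.com/"
MY_CLIENT_ID = "kengo6Bo"                 # this resource server's registered client_id
EXPECTED_TYP = "token-introspection+jwt"
DEMO_KEY = b"demo-only-hmac-key"          # assumed; stands in for the OP's RSA signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_introspection_jwt(token: str, verify_signature, now=None) -> dict:
    """Validate a JWT-secured introspection response and return the token_introspection object."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # 1. the typ header separates these responses from ID tokens and JWT access tokens
    if header.get("typ") != EXPECTED_TYP:
        raise ValueError("not a token-introspection+jwt")
    # 2. signature, before anything in the payload is trusted
    if not verify_signature(header, f"{header_b64}.{payload_b64}".encode(), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. the mandatory top-level claims: who signed it, for whom, and when
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != MY_CLIENT_ID and not (isinstance(aud, list) and MY_CLIENT_ID in aud):
        raise ValueError("response not addressed to this resource server")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    # 4. the verdict lives only in the container claim; a top-level "active",
    #    "scope" or "sub" is not the introspection result and is ignored
    result = claims.get("token_introspection")
    if not isinstance(result, dict):
        raise ValueError("missing token_introspection claim")
    if result.get("active") is not True:
        return {"active": False}
    if isinstance(result.get("exp"), int) and result["exp"] <= now:
        return {"active": False}          # active when introspected, but expired by now
    return result


def _mint_demo_token(claims: dict, typ: str = EXPECTED_TYP) -> str:
    """Constructed sample only: HMAC-signs a payload where the real OP would use RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": typ, "kid": "5iKs"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def demo_verifier(header: dict, signing_input: bytes, signature: bytes) -> bool:
    """Assumed verifier; in production resolve header["kid"] in the OP's JWK set and verify RS256."""
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


NOW = 1514797830   # fixed clock so the sample is reproducible

GOOD_RESPONSE = _mint_demo_token({
    "iss": ISSUER, "aud": MY_CLIENT_ID, "iat": NOW,
    "token_introspection": {
        "active": True, "iss": ISSUER, "aud": MY_CLIENT_ID,
        "iat": NOW, "exp": NOW + 120, "client_id": "paiB2goo0a",
        "scope": "openid email profile", "sub": "c5787848-d360-42fa-b01f-558b8f33506c",
    },
})

# Top-level "active": true next to an inactive container result: the kind of
# clash that moving the members into "token_introspection" is meant to avoid.
CONFUSING_RESPONSE = _mint_demo_token({
    "iss": ISSUER, "aud": MY_CLIENT_ID, "iat": NOW, "active": True,
    "token_introspection": {"active": False},
})

if __name__ == "__main__":
    print(parse_introspection_jwt(GOOD_RESPONSE, demo_verifier, now=NOW))
    print(parse_introspection_jwt(CONFUSING_RESPONSE, demo_verifier, now=NOW))
```

The order matters: typ and signature first, then the top-level iss / aud / iat, and only then the nested result. A response with the wrong typ, a foreign aud or a bad signature is an error, whereas an inactive or expired token is a normal negative answer.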

Download

To download a ZIP package of Connect2id server 9.1:

https://connect2id.com/assets/products/server/download/9.1/Connect2id-server.zip

SHA-256: 80d252bc3a1a966bee9abdaeb079b5b1a0f1e11c8c2d1bf5a6ae97c038421995

As WAR package only:

https://connect2id.com/assets/products/server/download/9.1/c2id.war

SHA-256: eb547fd5a7eecc804980c367b556808639c2665e294fd4c1eb03c08ad4e128b0

Questions?

Contact Connect2id support.


Release notes

9.1 (2020-03-24)

Web API

  • /token/introspect

    • Updates "JWT Response for OAuth Token Introspection" support to the upcoming draft-ietf-oauth-jwt-introspection-response-09 version.

      For a client (resource server) to obtain a JWT-secured introspection response it must submit an introspection request with the Accept HTTP request header set to "application/token-introspection+jwt". The request must be authorised with the registered client authentication method or with an access token.

      The JWT response will be JWS signed and include the following JWT claims:

      • "iss" -- Set to the OpenID Provider / Authorisation server issuer URL.
      • "aud" -- Set to the client_id of the caller (resource server).

      • "iat" -- The issue timestamp.

      • "token_introspection" -- A JSON object containing the token introspection response members, such as "active", etc.

      The optional op.token.introspection.jwtType configuration property that overrides the JWT "typ" (type) header applies.

      Legacy JWT-secured introspection responses (according to draft-ietf-oauth-jwt-introspection-response-08) will continue to be supported, for a client (resource server) to request one the Accept HTTP request header must be set to "application/jwt".

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.19

  • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext

    • Adds a getIssuer() method to the PAR ValidatorContext.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.19

  • Updates to com.nimbusds:oauth2-oidc-sdk:7.3

Patched up Connect2id server 7.10.2 for Java 8

The last Connect2id server release which supported Java 8, 7.10 from April 2019, has been patched for critical bugs and updated to the latest stable versions of the OAuth 2.0 SDK, the Nimbus JOSE+JWT library and Infinispan.

The release notes below provide more information.

Download 7.10.2

To download a ZIP package of Connect2id server 7.10.2:

https://connect2id.com/assets/products/server/download/7.10.2/Connect2id-server.zip

SHA-256: 1ea688bb925818738e551c69a451dccd2a5fe5e9da16293218f696a66579fd60

As WAR package only:

https://connect2id.com/assets/products/server/download/7.10.2/c2id.war

SHA-256: 49514685d55ac72d2fcfc3ed0cb4595be0bdfa97ba4ad6e8cbb5196562c4416f

Questions?

Contact Connect2id support.


Release notes

7.10.2 (2020-03-23)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request included a request object that does not parse to a valid JWT and "redirect_uri" was present as a top-level parameter. The redirection occurred with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless both the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug which prevented loading of Connect2id server keys overridden or passed via the "jose.jwkSet" Java system property. Deployments that rely on loading the server JWK set via the "jose.jwkSet" Java system property must upgrade. The bug did not affect the multi-tenant Connect2id server edition (issue server/471).

  • The client registration endpoint must return HTTP status code 201 instead of 200 on a successful POST (issue oauth-oidc-sdk/277).

  • Fixes a bug in the session store which resulted in closing an active subject (end-user) session when a new session is created and the index for the subject is filled with stale (pending purge) entries up to the configured session quota (sessionStore.quotaPerSubject) (issue session store/77).
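The first resolved issue above comes down to one decision in the authorisation endpoint's error path. The following is an added example, not Connect2id code, that writes that decision out for a generic authorisation server: an error is delivered by redirect only when the client_id is registered and the redirect_uri is one registered for that client; otherwise the user agent receives a direct HTTP 400. The client registry, the request values and the helper names are made up for the example.

```python
# Added example, not Connect2id code: where an authorisation endpoint may and
# may not send an error by redirect (the behaviour fixed in issue server/537).
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# assumed registry: client_id -> exact registered redirect URIs
CLIENTS = {
    "s6BhdRkqt3": {"https://client.example.com/cb"},
}


def registered_redirect_uri(query: dict):
    """The redirect_uri from the request, but only if it is registered for the client."""
    uris = CLIENTS.get(query.get("client_id", ""))
    uri = query.get("redirect_uri")
    # exact string comparison against the registration, no prefix or wildcard matching
    if uris and uri in uris:
        return uri
    return None


def error_response(query: dict, error: str, description: str):
    """Return (status, location-or-body) for a failed authorisation request."""
    params = {"error": error, "error_description": description}
    if query.get("state"):
        params["state"] = query["state"]   # echo state so the client can correlate
    uri = registered_redirect_uri(query)
    if uri is None:
        # unknown client or unregistered redirect_uri: never bounce the browser
        # to an address the failed request itself supplied
        return 400, params
    parts = urlsplit(uri)
    merged = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return 302, urlunsplit(parts._replace(query=urlencode(merged)))


def looks_like_compact_jws(value: str) -> bool:
    """Cheap structural check standing in for full JWT parsing: three non-empty segments."""
    segments = value.split(".")
    return len(segments) == 3 and all(segments)


def reject_broken_request_object(query: dict):
    """The failure path from issue server/537: the request object does not parse."""
    if not looks_like_compact_jws(query.get("request", "")):
        return error_response(query, "invalid_request_object",
                              "request parameter is not a valid JWT")
    return None   # request object parses; signature verification happens next


# Constructed inputs: the pre-fix scenario (unregistered redirect_uri plus a
# broken request object) versus the same failure from a properly registered client.
PHISHING_ATTEMPT = {
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://attacker.example/landing",   # not registered for this client
    "request": "not-a-jwt",
    "state": "xyz",
}
HONEST_CLIENT = {
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.com/cb",
    "request": "not-a-jwt",
    "state": "xyz",
}

if __name__ == "__main__":
    print(reject_broken_request_object(PHISHING_ATTEMPT))   # (400, {...}) answered directly
    print(reject_broken_request_object(HONEST_CLIENT))      # (302, 'https://client.example.com/cb?error=...')
```

The same rule applies to every other early failure (unknown client, malformed scope, unsupported response_type): validate the client_id and redirect_uri pair first, and only then decide whether the error travels by redirect.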

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.10

  • Updates to com.nimbusds:nimbus-jwkset-loader:3.1.1

  • Updates to com.nimbusds:oidc-session-store:11.0

  • Updates to Infinispan 9.4.18.Final.