Connect2id server 12.17

This September release of the Connect2id server updates the revocation web API to let callers conserve server and network resources. When revoking the tokens and persisted consent for a given subject (end-user) or client, the server returns all matching long-lived (persisted) authorisations that were deleted. For a revoked client with thousands or millions of end-users this can result in megabytes of removed authorisations being streamed into the HTTP response. In such cases, or whenever the caller is not interested in which authorisations are affected or in their details, a new quiet=true query parameter can be applied to omit the streaming and return an HTTP 204 No Content response.

Example use of the quiet=true query parameter when revoking a client with ID zaqu4ong:

POST /authz-store/rest/v3/revocation?quiet=true HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/x-www-form-urlencoded

client_id=zaqu4ong

The HTTP 204 No Content response:

Status Code: 204 No Content
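The request above and its 204 response, as an added client-side example that is not Connect2id's own code: it builds the revocation request, chooses quiet=true whenever the caller does not need the list of removed authorisations, and interprets the two possible outcomes. The base URL and bearer token are placeholders, the transport is injected so the code runs offline, and the assumption that a non-quiet 200 response carries a JSON array of the deleted authorisations is not stated on the page.

```python
"""Added example, not Connect2id's own code: a small client for the revocation
web API that shows when to request quiet=true and how to interpret the result.

Assumptions not stated on the page: the non-quiet response is a JSON array of
the deleted long-lived authorisation objects; the base URL and bearer token
used below are placeholders for deployment-specific values.
"""
import json
from urllib.parse import urlencode

REVOCATION_PATH = "/authz-store/rest/v3/revocation"  # path shown on the page


def build_revocation_request(base_url, client_id, access_token, quiet=False):
    """Return (method, url, headers, body) for revoking a client's tokens and
    persisted consent. quiet=True appends the query parameter that suppresses
    streaming of the deleted authorisations into the response."""
    url = base_url.rstrip("/") + REVOCATION_PATH
    if quiet:
        url += "?" + urlencode({"quiet": "true"})
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return "POST", url, headers, urlencode({"client_id": client_id})


def parse_revocation_response(status, body):
    """Return (deleted_authorisations, details_known).

    204: the server omitted the listing (quiet=true); the revocation succeeded
         but the caller does not learn how many authorisations were removed.
    200: a JSON array of the removed authorisations (assumed format).
    """
    if status == 204:
        return [], False
    if status == 200:
        data = json.loads(body) if body else []
        if not isinstance(data, list):
            raise ValueError("expected a JSON array of deleted authorisations")
        return data, True
    raise RuntimeError(f"revocation failed with HTTP {status}: {body!r}")


def revoke_client(send, base_url, client_id, access_token, want_details=False):
    """Revoke everything for client_id. `send(method, url, headers, body)` is an
    injected transport returning (status, body). Clients with many end-users
    should be revoked with want_details=False so that megabytes of removed
    authorisations are not pulled over the wire for nothing."""
    request = build_revocation_request(base_url, client_id, access_token,
                                       quiet=not want_details)
    status, body = send(*request)
    return parse_revocation_response(status, body)


def fake_transport(method, url, headers, body):
    """Constructed stand-in for an HTTP client: honours quiet=true with 204,
    otherwise returns one constructed deleted authorisation."""
    assert method == "POST" and headers["Authorization"].startswith("Bearer ")
    if "quiet=true" in url:
        return 204, ""
    return 200, json.dumps([{"sub": "alice", "client_id": "zaqu4ong",
                             "scope": ["openid"]}])


if __name__ == "__main__":
    base, token = "https://c2id.example.com", "<placeholder-access-token>"
    print(revoke_client(fake_transport, base, "zaqu4ong", token))
    print(revoke_client(fake_transport, base, "zaqu4ong", token, want_details=True))
```

The `details_known` flag is the point of the example: with quiet=true a caller must not treat the empty list as "nothing was revoked", so the two outcomes are kept distinguishable in the return value.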

The authorisation session API and the token exchange plugin received two bug fixes.

Check the release notes below for details.

Download 12.17

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 84959987d94ebca82ac9296161b63631d1fe71208250de5e01dfc682a14d5e79

Connect2id server 12.17 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: eb0cd476641f68228002d63af810fe26a83b5c1bb811ca22443691c4e8b5dd9e

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6941ba145e5f58073aeb05f004886a8d9a509cdb20ba9fb63418945063381179

Connect2id server 12.17 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 504fe78e94d6d6f6ebd8bae647e15823336962043caa7c725346c740751d1c04

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.17 (2022-09-14)

Web API

  • /authz-store/rest/v2/revocation

    • Adds support for an optional "quiet" query parameter when posting a revocation. When set to quiet=true an HTTP 204 No Content response will be returned; if any authorisation(s) were matched by the revocation parameters and removed they will not be returned in the response body.

Resolved issues

  • The authorisation session web API must not set the "required_sub" parameter in the authentication prompt to the end-user ID when the Connect2id server is configured with alwaysPromptForAuth=true and the end-user has an active session. This resulted in an incorrect OpenID Connect login_required error when the current end-user was (re)authenticated as another subject (end-user ID) as a result of the authentication prompt. The fix corrects the behaviour so that the original session is closed and a new one with the new subject (end-user ID) is started (issue server/781).

  • The op.grantHandler.tokenExchange.webAPI.actorToken.types configuration property of the token exchange grant handler plugin must support configuring that no actor token types are accepted. The default value must also be none (issue grant-handlers-web/1).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2

  • Updates to com.nimbusds:oidc-session-store:14.9.2

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.3

  • Updates to com.nimbusds:tenant-manager:6.0.4

  • Updates to com.nimbusds:tenant-registry:6.0.3

  • Updates to com.google.crypto.tink:tink:1.7.0

  • Updates DropWizard to 4.2.12

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.8

  • Updates to org.postgresql:postgresql:42.5.0

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.6

  • Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.1.jre11

Connect2id server 12.16.1

This Connect2id server release fixes issues in the new token exchange plugin as well as in the re-engineered web-based password and client credentials grant handler plugins shipped in v12.16. You can find more information in the release notes below.

Download 12.16.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c12801414d8023e964b6512c5b05b04f040e85d07ab1eb5da771213007171ccd

Connect2id server 12.16.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 791d731e66694413ea00a9f7554a77bf6c2a0177f345ff44b01529a64115d0b9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0f499cbdafba4c0c48eab771670d3511f521332619c47ed899e860749b233194

Connect2id server 12.16.1 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 24ddb24b1d893d9a0d1ee606ed09eb5c256a65133aea4dcd28f95f0fbeddbcef

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.16.1 (2022-08-18)

Resolved issues

  • Fixes missing logging of the base configuration properties in the web-based token exchange grant handler (issue server/776).

  • Fixes test that erroneously removed the SPI manifests for the web-based password, client credentials and token exchange grant handlers (issue server/778).

Dependency changes

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.1

Connect2id server 12.16 ships with a new plugin for handling token exchange (RFC 8693)

This Connect2id server release ships a new plugin for the token exchange (RFC 8693) grant handler SPI introduced in v12.15 last month. The plugin follows the web hook pattern of the existing password and client credentials grant handler plugins that delegate the authorisation to a web service.

The new token exchange plugin

The job of a web service handling a token exchange grant is to determine whether the received subject_token is eligible for exchange and, if it is, to return the subject, scope and other optional properties of the new access token which the Connect2id server will mint and return to the client in the token response.

A web service handling a token exchange grant can base its authorisation decisions on the following inputs:

  • The claims of the verified subject token and optional actor token (if the latter is accepted or required);

  • The requested token scope (if any) and other parameters;

  • The client ID and selected client metadata.

Example request to the grant handler service demonstrating the plugin web API:

POST /token-exchange-grant-handler HTTP/1.1
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json
Issuer: https://c2id.com

{
  "subject_token"      : "Eexungahcaetaizoh7ingait3Ur9ya1b",
  "subject_token_type" : "urn:ietf:params:oauth:token-type:access_token",
  "scope"              : [ "https://api.example.com/get-customer-address" ],
  "client"             : { "client_id"        : "123",
                           "confidential"     : true,
                           "application_type" : "web" }
}

Example response to the Connect2id server for an eligible subject token:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub"               : "164476e0-5c10-4cf0-bf75-b30fec2ba925",
  "issued_token_type" : "urn:ietf:params:oauth:token-type:access_token",
  "scope"             : [ "https://api.example.com/get-customer-address" ]
}

Example response for an invalid subject token:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error"             : "invalid_request",
  "error_description" : "Invalid subject token"
}

The token exchange plugin has a number of configurations that deployments can use to filter and pre-process the grants prior to invocation of the web service:

  • Specify the accepted subject and actor token types and reject all others with an invalid_request error.

  • Perform local or remote RFC 7662 compliant introspection of the subject token as an access token.

  • Perform signature and expiration validation of the subject token as a signed JWT.
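The web service side of the exchange above (the inputs listed earlier, the request and response shapes, and the token type filtering), as an added example that is not code from the Connect2id grant-handlers-web project: a minimal decision function for the handler web hook. The subject-token lookup table, the per-client exchange policy and all function names are constructed for this example; the only elements taken from the page are the JSON members and the invalid_request error shape.

```python
"""Added example, not code from the Connect2id grant-handlers-web project: the
decision logic of a web service that stands behind the token exchange grant
handler plugin. The request and response JSON shapes follow the page; the
subject-token table, the exchange policy and all function names are
constructed for this example and are not Connect2id APIs.
"""
import json

ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed stand-in for the introspection results the service consults
# (the plugin can also introspect locally or via RFC 7662 before calling us).
SUBJECT_TOKENS = {
    "Eexungahcaetaizoh7ingait3Ur9ya1b": {
        "active": True,
        "sub": "164476e0-5c10-4cf0-bf75-b30fec2ba925",
        "client_id": "123",
        "scope": ["openid", "customer_profile"],
    },
    "expired-subject-token": {"active": False},
}

# Constructed policy: per client, which downstream scopes a subject token
# carrying a given upstream scope may be exchanged for.
EXCHANGE_POLICY = {
    "123": {"customer_profile": {"https://api.example.com/get-customer-address"}},
}


def _error(description):
    # The page shows invalid_request plus a description for rejected grants.
    return 400, {"error": "invalid_request", "error_description": description}


def handle_token_exchange(request):
    """Return (http_status, response_object) for one handler request dict."""
    if request.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return _error("Unsupported subject token type")
    client_id = (request.get("client") or {}).get("client_id")
    if not client_id:
        return _error("Missing client_id")
    token = SUBJECT_TOKENS.get(request.get("subject_token", ""))
    if not token or not token.get("active"):
        return _error("Invalid subject token")
    # Same rule the 12.15 notes apply server-side to introspected subject
    # tokens: a token issued to another client is not eligible for exchange.
    if token["client_id"] != client_id:
        return _error("Invalid subject token")
    allowed = set()
    for upstream in token["scope"]:
        allowed |= EXCHANGE_POLICY.get(client_id, {}).get(upstream, set())
    requested = request.get("scope") or sorted(allowed)
    if not allowed or not set(requested) <= allowed:
        return _error("Requested scope not permitted for this subject token")
    return 200, {
        "sub": token["sub"],
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "scope": list(requested),
    }


def handle_http_body(body):
    """Parse the JSON request body and serialise the reply, as the web
    framework of choice would do around handle_token_exchange."""
    try:
        request = json.loads(body)
    except ValueError:
        status, reply = _error("Malformed JSON")
    else:
        status, reply = handle_token_exchange(request)
    return status, json.dumps(reply)
```

Fed the page's example request, `handle_token_exchange` produces the page's 200 response; an inactive token, a token issued to a different client, or a scope outside the exchange policy each yield the 400 invalid_request shape. Scope is narrowed rather than copied, so the minted token never carries more than the policy allows for that client and subject token.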

Upgraded web-based password and client credentials grant handler plugins

The token exchange grant handler plugin, together with the other web-based plugins for the password and the client credentials grants, is now consolidated in a single JAR, whose project can be found here:

https://bitbucket.org/connect2id/grant-handlers-web/

The source code is licensed under the open source Apache 2.0 license and can be freely modified.

The web-based password and client credentials grant handlers received several upgrades:

  • The ability to handle custom token request parameters.

  • New configuration property to select which client metadata parameters to pass on in requests to the web service.

  • Requests to the web service now include the OpenID provider / OAuth 2.0 authorisation server issuer URL, to enable tenant specific handling of grants in multi-tenant Connect2id server deployments.

You can find detailed information about all changes in Connect2id server 12.16 in the notes below.

Download 12.16

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 774f2865eff2fded264155778275f9761a36ff1662f1aae6a60a63931178dd45

Connect2id server 12.16 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 54414e5b164b7de0a871c1797e0bc7d2e1f2224cb734bb6bad9526e766f89b78

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 774f2865eff2fded264155778275f9761a36ff1662f1aae6a60a63931178dd45

Connect2id server 12.16 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 70d525f52bd16030193292e1d742a155c048b592514e87e24548619c7f6210ab

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.16 (2022-08-12)

Summary

  • Adds new plugin for handling OAuth 2.0 token exchange (RFC 8693) grants that passes processing of the grant authorisation to an external web service (web hook). The plugin implements the TokenExchangeGrantHandler SPI introduced in Connect2id server 12.14.

    Features:

    • Supports arbitrary "subject_token" and "actor_token" types.

    • The acceptable "subject_token", "actor_token" and requested token types are configurable.

    • Optional automatic introspection of the received "subject_token" of type access token. Calls upon the internal Connect2id server introspection for access tokens that are locally issued, or one or more configured token introspection endpoints compliant with RFC 7662.

    • Optional automatic JWT verification of the received "subject_token" of type JWT, access token or ID token. The JWT signature is verified using a set of JWKs at one or more configured URLs.

    • Received "subject_token" and "actor_token" instances can also be passed in their original form for verification by the web service itself.

    • Supports passing of selected client metadata parameters to the web service, in addition to the client_id and confidential status, to be used as inputs in the authorisation decision. The "scope" and "data" client metadata fields are included by default.

    • Supports setting of HTTP connect and read timeouts, for the underlying web service, the configured token introspection endpoints and JWK set URLs.

  • Replaces the existing plugin for handling OAuth 2.0 client credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

  • Replaces the existing plugin for handling OAuth 2.0 resource owner password credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

Configuration

  • /WEB-INF/tokenExchangeGrantHandlerWebAPI.properties -- New configuration file for the new web-based token exchange grant handler, containing the default configuration properties. They can be selectively overridden with Java system properties.

  • /WEB-INF/clientGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of the handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data".

  • /WEB-INF/passwordGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of the handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data".

Web API

  • /authz-sessions/rest/v3/

    • Designates the "invalid_target" OAuth 2.0 error code, defined in RFC 8707, as a standard acceptable code to indicate an error condition during end-user authentication / consent. Deployments that use this error code are no longer required to list it in the op.authz.customErrorCodes configuration.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.51

    • Adds DefaultTokenIntrospectionResponseComposer class.

    • Adds DefaultTokenRequestParameters class.

Resolved issues

  • Updates the systemPropertiesURL configuration property to support AWS S3 URLs in the new style virtual format (issue server/773).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.51

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.41

  • Adds com.nimbusds:oauth-grant-handlers-web:1.0

  • Removes com.nimbusds:oauth-password-grant-web-api:1.5

  • Updates to com.nimbusds:oauth-client-grant-handler:2.0.3

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1.1

  • Updates to com.nimbusds:tenant-manager:6.0.3

  • Updates to com.nimbusds:tenant-registry:6.0.2

  • Updates to com.nimbusds:oauth2-authz-store:18.1.1

  • Updates to com.nimbusds:oidc-session-store:14.9.1

  • Updates to com.nimbusds:c2id-server-jwkset:1.26

  • Updates to com.nimbusds:infinispan-cachestore-common:2.4.1

  • Updates to com.nimbusds:infinispan-cachestore-ldap:3.1.3

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.7

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2.1

  • Updates to org.postgresql:postgresql:42.4.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1

  • Upgrades to com.thetransactioncompany:java-property-utils:1.17

  • Updates to com.amazonaws:aws-java-sdk-*:1.12.264

  • Updates to DropWizard Metrics 4.2.10

  • Updates to Log4j 2.18.0

Updated RP-initiated logout in Connect2id server 12.15

The Connect2id server logout endpoint, used to implement single logout across participating applications, received an update to make it compliant with the latest 02 revision of the OpenID Connect RP-Initiated Logout 1.0 spec.

The logout endpoint can now support ID token hints (id_token_hint) encrypted for confidentiality. There is also support for a logout_hint parameter, similar to the login_hint in OpenID authentication requests, and a ui_locales parameter to personalise the logout UI. Relying parties that for some reason cannot save the user's ID token in order to pass it later in the id_token_hint logout parameter can use a client_id to at least hint the application's identity. The logout session API, which lets Connect2id server deployments implement a logout UI, journeys and policies around logout, was updated to reflect the changes.

Logout confirmation

The mini guide for developing a logout UI and the sample project were also revised.

Other changes

The plugin SPI for verifying qualified certificates in a private_key_jwt client authentication was also updated to allow for custom error_description and error_uri fields when an invalid_client error is returned.

Connect2id server deployments that use DynamoDB receive a new optional dynamodb.enableContBackups configuration property, to enable point-in-time recovery (PITR) for all tables where crucial or long-lived server data is persisted. Note that when continuous backups are enabled they will not apply to sessions, codes, caches and other transient data, as there is no practical utility in recovering such data. If you want to have PITR for that data, it must be enabled directly via the AWS APIs for those DynamoDB tables.

You can find detailed information about the changes in Connect2id server 12.15 in the notes below.

Download 12.15

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.15: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 16af5e3afa5e4810f7df7a204c1206ed9d6eafe66ac2bf5ecd6935e556d129f0

Connect2id server 12.15 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8d3feaa7da130f19866ff9fe498a9cbcf440f243d1a23d06eaec733d815a79f9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.15: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 79c3b72dd0601ef4e583a7174ae27e4c48e2f5d6e490f9dba14e0a99d48b51f3

Connect2id server 12.15 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 2bee27a9d1a131c11c86fe433e768877ac7d35f43f846fbd3c722b85c0be3956

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.15 (2022-07-17)

Summary

  • Updates OpenID Connect RP-Initiated Logout 1.0 support to draft 02. Introduces new logout_hint, client_id and ui_locales request parameters. See https://openid.net/specs/openid-connect-rpinitiated-1_0.html

  • PrivateKeyJWTCertificateVerifier SPI plugins can override the default error_description and error_uri in invalid_client errors returned to the authenticating OAuth 2.0 client.

  • New dynamodb.enableContBackups configuration property to enable DynamoDB continuous backups / point-in-time recovery for tables holding crucial or long-lived Connect2id server data. Previously continuous backups could be enabled only via the AWS CLI, SDK, API or web console.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • New dynamodb.enableContBackups configuration property of type boolean (true|false) to enable continuous backups / point-in-time recovery for all DynamoDB tables where crucial or long-lived Connect2id server data is persisted: id_access_tokens, long_lived_authorizations, revocation_journal, clients, federation_clients and tenants (in the multi-tenant Connect2id server edition). Applied at Connect2id server startup on new table creation as well as for existing tables. The default value is false (no continuous backups).

Web API

  • Logout (end-session) endpoint

    • id_token_hint -- Relying parties can submit ID token hints encrypted with JSON Web Encryption (JWE) for confidentiality. The ID token can be encrypted with a public encryption RSA or EC JWK published at the Connect2id server's jwks.json endpoint. A relying party that is provisioned with a client_secret can alternatively encrypt the ID token with a symmetric AES key using the JWE dir algorithm and a JWE method listed in the id_token_encryption_enc_values_supported OpenID provider metadata field, as specified in OpenID Connect Core 1.0 incorporating errata set 1, section 10.2.

    • client_id -- New optional RP-initiated logout request parameter, of type string, representing the client ID of the relying party. A relying party should use it to identify itself in a request when the recommended id_token_hint parameter isn't included or when the id_token_hint represents a symmetrically encrypted (JWE) ID token so the OpenID provider can resolve the relying party's registered client_secret necessary for the ID token decryption. If both id_token_hint and client_id are included in a logout request the client ID must be found in the ID token audience.

      Note, a valid id_token_hint remains required for RP-initiated logout requests that include a post_logout_redirect_uri parameter.

    • logout_hint -- New optional RP-initiated logout request parameter, of type string, representing a hint about the end-user that is logging out, such as the user's email address, telephone number or username. Analogous to the login_hint OpenID authentication request parameter.

    • ui_locales -- New optional parameter, of type string and consisting of one or more space delimited BCP47 (RFC 7231) language tags, representing the end-user's preferred languages and scripts for the logout UI.

  • /logout-sessions/rest/v1/

    • Adds support for the optional client_id RP-initiated logout request parameter. The Connect2id server will use it to identify the calling relying party when the recommended id_token_hint logout request parameter isn't included or represents an ID token that is symmetrically encrypted with a client_secret. If both id_token_hint and client_id are present in a logout request the Connect2id server will check that the ID token was issued to the client_id; if not, an invalid_id_token_hint error will be returned.

    • New id_token_hint_present parameter in the logout prompt message, of type boolean (true|false), to show if the relying party included an id_token_hint in the logout request.

      Note, if the id_token_hint logout request parameter failed the Connect2id server verification (which covers all standard ID token checks, save for its exp claim), the logout session API will return an invalid_id_token_hint error. Hence, when id_token_hint_present is true it always indicates a valid ID token.

    • New optional op_logout parameter in the logout confirmation message, of type boolean (true|false) and a default value false, to indicate an end-user request for IdP-wide logout in addition to confirming the RP logout. This new parameter deprecates the existing confirm_logout parameter.

    • New optional logout_hint parameter in the logout prompt message, of type string, representing the logout_hint RP-initiated logout request parameter.

    • New optional ui_locales parameter in the logout prompt, logout end and logout error messages, of type string array, representing the ui_locales RP-initiated logout request parameter.

    • New invalid_request error code to indicate an invalid RP-initiated logout request.
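The consistency rules spelled out above for id_token_hint, client_id and post_logout_redirect_uri (the client ID must be in the ID token audience; a redirect still requires a valid hint; logout_hint and ui_locales are passed through to the prompt), as an added example that is not Connect2id's own code. It assumes the id_token_hint has already been decrypted and its signature and issuer verified upstream, so only the claims arrive here; the client registry, the function names, and the choice of invalid_request for an unknown client_id are all constructed for this example.

```python
"""Added example, not Connect2id's own code: the consistency checks an OpenID
provider applies to an RP-initiated logout request carrying id_token_hint,
client_id, post_logout_redirect_uri, logout_hint and ui_locales, following
the rules in the 12.15 release notes.

Assumptions: the id_token_hint was decrypted and its signature and issuer
verified upstream, so its claims arrive as a dict (None when the parameter is
absent). The client registry and function names are constructed; returning
invalid_request for an unknown client_id is an assumption, not page content.
"""

# Constructed registry of relying parties and their registered logout URIs.
CLIENTS = {
    "zaqu4ong": {"post_logout_redirect_uris": ["https://rp.example.com/bye"]},
    "otherapp": {"post_logout_redirect_uris": []},
}


class LogoutRequestError(Exception):
    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code = code


def _audience(claims):
    """aud may be a single string or a list; normalise to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_logout_request(params, id_token_claims=None):
    """Return the data a logout prompt needs, or raise LogoutRequestError."""
    client_id = params.get("client_id")
    redirect_uri = params.get("post_logout_redirect_uri")

    if client_id is not None and client_id not in CLIENTS:
        raise LogoutRequestError("invalid_request", "Unknown client_id")

    if id_token_claims is not None:
        aud = _audience(id_token_claims)
        # Both hints present: the client ID must be in the ID token audience.
        if client_id is not None and client_id not in aud:
            raise LogoutRequestError("invalid_id_token_hint",
                                     "ID token not issued to client_id")
        if client_id is None:
            # No client_id: the relying party is resolved from a sole audience.
            if len(aud) != 1 or aud[0] not in CLIENTS:
                raise LogoutRequestError("invalid_id_token_hint",
                                         "Cannot resolve relying party from aud")
            client_id = aud[0]

    if redirect_uri is not None:
        # A valid id_token_hint remains required with post_logout_redirect_uri.
        if id_token_claims is None:
            raise LogoutRequestError("invalid_request",
                                     "post_logout_redirect_uri requires id_token_hint")
        if redirect_uri not in CLIENTS[client_id]["post_logout_redirect_uris"]:
            raise LogoutRequestError("invalid_request",
                                     "post_logout_redirect_uri not registered")

    ui_locales = params.get("ui_locales")
    return {
        "client_id": client_id,  # None when nothing identified the relying party
        "sub": (id_token_claims or {}).get("sub"),
        "id_token_hint_present": id_token_claims is not None,
        "logout_hint": params.get("logout_hint"),
        "ui_locales": ui_locales.split() if ui_locales else [],
    }
```

Because the claims are only passed in after successful verification, `id_token_hint_present` in the returned prompt data carries the same meaning the notes give it: true implies a valid ID token. The redirect check is the reason the hint is mandatory there; without a verified audience the provider cannot know which client's registered URIs to check against.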

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.49

    • New ExposedInvalidClientException class that extends the common InvalidClientException for representing OAuth 2.0 invalid_client errors, to indicate that the default Connect2id server error_description and error_uri must be overridden with specific values.

      The Connect2id server has a security policy to log the message of InvalidClientException instances and return a general error_description in the HTTP 401 Unauthorized response that doesn't reveal the exact cause why client authentication failed. The new ExposedInvalidClientException lets client authentication related plugins override this policy and set the error_description and error_uri in the HTTP 401 Unauthorized response. This facility must be used judiciously.

    • Connect2id server plugins implementing the PrivateKeyJWTCertificateVerifier SPI can throw the new ExposedInvalidClientException instead of the common InvalidClientException to override the default Connect2id server error_description and error_uri in the resulting HTTP 401 Unauthorized response.

      When using the ExposedInvalidClientException to set a custom invalid client error_description, care must be taken not to divulge sensitive information or more information than necessary.

Resolved issues

  • Updates the access token (as subject_token) introspection in token exchange grant handling (RFC 8693) to mark tokens whose client_id doesn't match the client_id of the requesting OAuth 2.0 client as invalid. In addition, an OP6216 warning will be logged when this condition is encountered (issue server/768).

  • The logout session web API must not log request query strings at INFO level (issue server/770).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.49

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.38

  • Upgrades to com.nimbusds:lang-tag:1.7

OAuth 2.0 token exchange (RFC 8693) support in Connect2id server 12.14

This Connect2id server release introduces support for OAuth 2.0 token exchange (RFC 8693). Deployments can use it to let clients obtain an access token from the token endpoint by presenting a grant (credential) that is also a token.

The ability to utilise tokens as grants can be useful in cases such as:

  • Letting a client obtain tokens for backend services based on an initial access token from a user authorisation in a browser-based OAuth flow. The client needs the additional token(s) in order to fulfil a complex operation that involves calls to multiple services / APIs.

  • A client obtaining a local access token using a credential from another domain. This external credential can be another access token, a JWT, a SAML assertion, or something else.

  • Obtaining tokens in a delegation (on-behalf-of) scenario.

  • Obtaining tokens in an impersonation (act-as) scenario.

  • Obtaining tokens for special purposes.

Following the established Connect2id server tradition for handling OAuth 2.0 grants where deployments are given a plugin interface to freely implement their own grant-specific logic and policy, the server receives a new token exchange handler SPI.

The SPI is designed to support arbitrary ingress tokens, in terms of their type, purpose, encoding and cryptographic protection. If the token that the client submits as an OAuth grant is a locally issued access token, the Connect2id server will automatically inspect it and make its authorisation details available to the plugin. If the token is issued by another server and the deployment has a policy to accept such tokens, the plugin must handle its verification. A future Connect2id server release may add a facility to simplify the task of validating JWTs and OAuth access tokens from other issuers.

If the plugin logic determines that the token exchange is allowed to proceed, it creates a simple object specifying the scope and other properties of the access token to return. The Connect2id server will then use this spec to mint the actual token and return it to the requesting client. In a future release the Connect2id server will receive the capability to issue a refresh token on a token exchange.

You can find more information in the token exchange handler SPI documentation.

This Connect2id server release also took the opportunity to revise the other existing OAuth 2.0 grant handler SPIs. They received a new default method for processing grants that exposes additional token request parameters besides the requested scope; a context object was also added to facilitate the creation of plugins for the multi-tenant edition of the Connect2id server. The client credentials grant handler SPI was additionally updated so that plugins can now support access tokens that give access to, or include, OpenID claims from the provisioned claims source.

Download 12.14

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.14: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 2ab142228d456e2ff9efec3c9e7ad196062a7d39f0116923c5f1e9d489f46f28

Connect2id server 12.14 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 1b6a273ff7625bf62d4dc1ae4c6dba06c34a44ff0b91a4c8d317fae8a7c2c223

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.14: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0fdf5a6fe700f2861d7c74d9a9f0c08e3fae8897c69e36f8046c02e28dbc4007

Connect2id server 12.14 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: f32676fd296eb3ea00da3daa684bbe1b1027a361892b05af0be9f427da9db278

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.14 (2022-06-30)

Summary

  • Support for OAuth 2.0 Token Exchange (RFC 8693). This is an OAuth 2.0 extension that specifies a generic mechanism for clients to obtain an access token in exchange for another token, whose type and encoding can be arbitrary and whose issuer can be the same OAuth 2.0 authorisation server or another trusted 3rd party token service. This grant also supports impersonation (act-as) and delegation (on-behalf-of) scenarios. See https://datatracker.ietf.org/doc/html/rfc8693

Web API

  • /clients

    • Supports registration of clients for the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange"). The clients can be confidential (with authentication credentials) or public.

  • /token

    • Supports the OAuth 2.0 token exchange grant (RFC 8693), identified by the grant_type "urn:ietf:params:oauth:grant-type:token-exchange". Requires a TokenExchangeGrantHandler SPI plugin.

  • /monitor/v1/metrics

    • Adds new tokenEndpoint.tokenExchange.successfulRequests, tokenEndpoint.tokenExchange.invalidClientErrors, tokenEndpoint.tokenExchange.unauthorizedClientErrors, tokenEndpoint.tokenExchange.invalidGrantErrors and tokenEndpoint.tokenExchange.invalidScopeErrors meters for the OAuth 2.0 token exchange grant.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.48

    • TokenExchangeGrantHandler -- New SPI for implementing OAuth 2.0 token exchange (RFC 8693) scenarios. Accepts subject_token and actor_token instances of any token type and issuer. The requested_token_type must be an access token (locally issued). The access token can be of type Bearer, with a client X.509 certificate binding (RFC 8705), or DPoP bound (draft-ietf-oauth-dpop-09). Issue of other types of tokens as well as refresh tokens currently isn't supported.

    • ClientCredentialsGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ResourceOwnerPasswordCredentialsGrant -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • SelfIssuedJWTGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ThirdPartyJWTGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • SelfIssuedSAML2GrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ThirdPartySAML2GrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • Adds a ClaimsSpec field to the GrantAuthorization class. This enables plugins implementing the ClientCredentialsGrantHandler SPI to authorise OAuth 2.0 clients registered for the client_credentials grant to receive an access token for OpenID claims at the UserInfo endpoint. This also enables the existing Connect2id server feature where authorised OpenID claims specified with the access_token: prefix will be fed into the access token.

Resolved issues

  • Increases the entity size limit of HTTP requests to the client registration endpoint from 20K chars to 250K chars to cater for client registrations with exceptionally large metadata. The entity size limit exists to prevent DoS attacks on client registration that is open or managed in a way that doesn't enforce a limit on the submitted client metadata (issue server/765).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.48