Connect2id server 12.18

2022-10-25

Connect2id server deployments can now mask or rewrite selected OpenID provider metadata fields published at the /.well-known/openid-configuration endpoint, to minimise the amount of metadata, or show fewer supported endpoints and capabilities, which cannot be disabled by a simple configuration setting. This is done by creating a JSON object to act as overlay, and saving it in the new op.metadataOverlay configuration property.

Sample overlay to hide the introspection endpoint:

op.metadataOverlay={"introspection_endpoint":null}

With additional BASE64 encoding on top of the JSON text, for easier passing around via environment variables:

op.metadataOverlay=eyJpbnRyb3NwZWN0aW9uX2VuZHBvaW50IjpudWxsfQ==

Note, the overlay will not alter the internal Connect2id server configuration and the server will not check the resulting JSON object for being a legal representation of OpenID provider metadata according to the specification. One way to double check the published metadata is to run it through the parse method of the OIDCProviderMetadata class in the OAuth 2.0 / OpenID Connect SDK.

For more information what's new or changed check the release notes below.

Download 12.18

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.18: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: ab5c6afa1b83f748d60799525327824884acd5d73bb407b12aefc1d826fb8b45

Connect2id server 12.18 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 98e6d1aeebf02198b7139f782689bcf13d4b59cbd9042ec8e2911d6e72468c75

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.18: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1ef2ae977c7e5222c1a27fae5be0d9868f80b431007105f4f80bbbda7f136f9a

Connect2id server 12.18 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b4d4bf14ca3492a9301b9625801da3c69258589c3d7545322c4b02cfed46f92f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.18 (2022-10-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.metadataOverlay -- New optional configuration property for a JSON object overlay to apply to the OpenID provider / OAuth 2.0 authorisation server metadata published at the ".well-known/openid-configuration" and ".well-known/oauth-authorization-server" endpoints. Non-null values in the overlay object replace existing metadata fields, null values remove them. Note, the overlay does not affect the internal Connect2id server configuration and after its application the resulting JSON object is not checked for being a legal representation of OpenID provider / OAuth 2.0 authorisation server metadata. If set the overlay must be represented as a JSON object string, and can be additionally BASE64 encoded to ease passing the configuration property from a command line shell.

Web API

  • /authz-sessions/rest/v3/

    • Pushed authorisation request (PAR) URIs will become invalidated after their use at the authorisation endpoint. Previously a PAR URI will remain valid until its expiration configured by the op.par.lifetime property.

Resolved issues

  • Logs warning under AS0277 when revoking an authorisation by self-contained (JWT-encoded) access token which local (public) subject or client_id are not encoded (issue authz-store/194).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2.1

  • Updates to io.prometheus:simpleclient:0.16.0

  • Updates to io.prometheus:simpleclient_servlet:0.16.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.16.0

  • Updates to Log4j 2.19.0

Connect2id server 12.17

2022-09-14

This September release of the Connect2id server updates the revocation web API to enable callers to conserve server and network resources. When revoking the tokens and persisted consent for a given subject (end-user) or client the server will return all matching long-lived (persisted) authorisations that have been deleted. For a revoked client with thousands or millions of end-users this can potentially result in the streaming of megabytes of removed authorisations into the HTTP response. In such cases or whenever the revocation is not interested in what authorisations are affected or their details, a new quiet=true query parameter can now be applied to omit the streaming and return a HTTP 204 No Content response.

Example use of the quiet=true query parameter when revoking a client with ID zaqu4ong:

POST /authz-store/rest/v3/revocation?quiet=true HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/x-www-form-urlencoded

client_id=zaqu4ong

The HTTP 204 No Content response:

Status Code: 204 No Content

The authorisation session API and the token exchange plugin received two bug fixes.

Check the release notes below for details.

Download 12.17

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 84959987d94ebca82ac9296161b63631d1fe71208250de5e01dfc682a14d5e79

Connect2id server 12.17 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: eb0cd476641f68228002d63af810fe26a83b5c1bb811ca22443691c4e8b5dd9e

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6941ba145e5f58073aeb05f004886a8d9a509cdb20ba9fb63418945063381179

Connect2id server 12.17 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 504fe78e94d6d6f6ebd8bae647e15823336962043caa7c725346c740751d1c04

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.17 (2022-09-14)

Web API

  • /authz-store/rest/v2/revocation

    • Adds support for an optional "quiet" query parameter when posting a revocation. When set to quiet=true an HTTP 204 No Content response will be returned; if any authorisation(s) were matched by the revocation parameters and removed they will not be returned in the response body.

Resolved issues

  • The authorisation session web API must not set the "required_sub" parameter in the authentication prompt to the end-user ID when the Connect2id server is configured with alwaysPromptForAuth=true and the end-user has an active session. This resulted in a incorrect OpenID Connect login_required error if the current end-user is (re)authenticated to another subject (end-user ID) as a result of the authentication prompt. The fix corrects the behaviour so that the original session is closed and a new one with the new subject (end-user ID) is started (issue server/781).

  • The op.grantHandler.tokenExchange.webAPI.actorToken.types configuration property of the token exchange grant handler plugin must support setting of no actor token types accepted. The default value must also be none (issue grant-handlers-web/1).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2

  • Updates to com.nimbusds:oidc-session-store:14.9.2

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.3

  • Updates to com.nimbusds:tenant-manager:6.0.4

  • Updates to com.nimbusds:tenant-registry:6.0.3

  • Updates to com.google.crypto.tink:tink:1.7.0

  • Updates DropWizard to 4.2.12

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.8

  • Updates to org.postgresql:postgresql:42.5.0

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.6

  • Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.1.jre11

Connect2id server 12.16.1

2022-08-18

This Connect2id server release fixes issues in the new token exchange plugin as well as in the re-engineered web-based password and client credentials grant handler plugins shipped in v12.16. You can find more information in the release notes below.

Download 12.16.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c12801414d8023e964b6512c5b05b04f040e85d07ab1eb5da771213007171ccd

Connect2id server 12.16.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 791d731e66694413ea00a9f7554a77bf6c2a0177f345ff44b01529a64115d0b9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0f499cbdafba4c0c48eab771670d3511f521332619c47ed899e860749b233194

Connect2id server 12.16.1 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 24ddb24b1d893d9a0d1ee606ed09eb5c256a65133aea4dcd28f95f0fbeddbcef

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.16.1 (2022-08-18)

Resolved issues

  • Fixes missing logging of the base configuration properties in the web-based token exchange grant handler (issue server/776).

  • Fixes test that erroneously removed the SPI manifests for the web-based password, client credentials and token exchange grant handlers (issue server/778).

Dependency changes

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.1

Connect2id server 12.16 ships with a new plugin for handling token exchange (RFC 8693)

2022-08-15

This Connect2id server release ships a new plugin for the token exchange (RFC 8693) grant handler SPI introduced in v12.15 last month. The plugin follows the web hook pattern of the existing password and client credentials grant handler plugins that delegate the authorisation to a web service.

The new token exchange plugin

The job of a web service handling a token exchange grant is to determine whether the received subject_token is eligible for exchange and if it is return the subject, scope and other optional properties of the new access token which the Connect2id server will mint and return to the client in the token response.

A web service handling a token exchange grant can base its authorisation decisions on the the following inputs:

  • The claims of the verified subject token and optional actor token (if the latter is accepted or required);

  • The requested token scope (if any) and other parameters;

  • The client ID and selected client metadata.

Example request to the grant handler service demonstrating the plugin web API:

POST /token-exchange-grant-handler HTTP/1.1
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json
Issuer: https://c2id.com

{
  "subject_token"      : "Eexungahcaetaizoh7ingait3Ur9ya1b",
  "subject_token_type" : "urn:ietf:params:oauth:token-type:access_token",
  "scope"              : [ "https://api.example.com/get-customer-address" ],
  "client"             : { "client_id"        : "123",
                           "confidential"     : true,
                           "application_type" : "web" }
}

Example response to the Connect2id server for an eligible subject token:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub"               : "164476e0-5c10-4cf0-bf75-b30fec2ba925",
  "issued_token_type" : "urn:ietf:params:oauth:token-type:access_token",
  "scope"             : [ "https://api.example.com/get-customer-address" ]
}

Example response for an invalid subject token:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error"             : "invalid_request",
  "error_description" : "Invalid subject token"
}

The token exchange plugin has a number of configurations that deployments can use to filter and pre-process the grants prior to invocation of the web service:

  • Specify the accepted subject and actor token types and reject all others with an invalid_request error.

  • Perform local or remote RFC 7662 compliant introspection of the subject token as an access token.

  • Perform signature and expiration validation of the subject token as a signed JWT.

Upgraded web-based password and client credentials grant handler plugins

The token exchange grant handler plugin together with the other web-based plugins for the password and the client credentials grants are now consolidated in a single JAR which project can be found here:

https://bitbucket.org/connect2id/grant-handlers-web/

The source code is licensed under the open source Apache 2.0 license and can be freely modified.

The web-based password and client credentials grant handlers received several upgrades:

  • The ability to handle custom token request parameters.

  • New configuration property to select which client metadata parameters to pass on in requests to the web service.

  • Requests to the web service now include the OpenID provider / OAuth 2.0 authorisation server issuer URL, to enable tenant specific handling of grants in multi-tenant Connect2id server deployments.

You can find detailed information about all changes in Connect2id server 12.16 in the notes below.

Download 12.16

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 774f2865eff2fded264155778275f9761a36ff1662f1aae6a60a63931178dd45

Connect2id server 12.16 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 54414e5b164b7de0a871c1797e0bc7d2e1f2224cb734bb6bad9526e766f89b78

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 774f2865eff2fded264155778275f9761a36ff1662f1aae6a60a63931178dd45

Connect2id server 12.16 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 70d525f52bd16030193292e1d742a155c048b592514e87e24548619c7f6210ab

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.16 (2022-08-12)

Summary

  • Adds new plugin for handling OAuth 2.0 token exchange (RFC 8693) grants that passes processing of the grant authorisation to an external web service (web hook). The plugin implements the TokenExchangeGrantHandler SPI introduced in Connect2id server 12.14.

    Features:

    • Supports arbitrary "subject_token" and "actor_token" types.

    • The acceptable "subject_token", "actor_token" and requested token types are configurable.

    • Optional automatic introspection of the received "subject_token" of type access token. Calls upon the internal Connect2id server introspection for access tokens that are locally issued, or one or more configured token introspection endpoints compliant with RFC 7662.

    • Optional automatic JWT verification of the received "subject_token" of type JWT, access token or ID token. The JWT signature is verified using a set of JWKs at one or more configured URLs.

    • Received "subject_token" and "actor_token" instances can also be passed in their original form for verification by the web service itself.

    • Supports passing of selected client metadata parameters to the web service, in addition to the client_id and confidential status, to be used as inputs in the authorisation decision. The "scope" and "data" client metadata fields are included by default.

    • Supports setting of HTTP connect and read timeouts, for the underlying web service, the configured token introspection endpoints and JWK set URLs.

  • Replaces the existing plugin for handling OAuth 2.0 client credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

  • Replaces the existing plugin for handling OAuth 2.0 resource own password credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

Configuration

  • /WEB-INF/tokenExchangeGrantHandlerWebAPI.properties -- New configuration file for the new web-based token exchange grant handler, containing the default configuration properties. They can be selectively overridden with Java system properties.

  • /WEB-INF/clientGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data"

  • /WEB-INF/passwordGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data".

Web API

  • /authz-sessions/rest/v3/

    • Designates the "invalid_target" OAuth 2.0 error code, defined in RFC 8707, as a standard acceptable code to indicate an error condition during end-user authentication / consent. Deployments that use this error code are no longer required to list it in the op.authz. customErrorCodes configuration.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.51

    • Adds DefaultTokenIntrospectionResponseComposer class.

    • Adds DefaultTokenRequestParameters class.

Resolved issues

  • Updates the systemPropertiesURL configuration property to support AWS S3 URLs in the new style virtual format (issue server/773).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.51

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.41

  • Adds com.nimbusds:oauth-grant-handlers-web:1.0

  • Removes com.nimbusds:oauth-password-grant-web-api:1.5

  • Updates to com.nimbusds:oauth-client-grant-handler:2.0.3

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1.1

  • Updates to com.nimbusds:tenant-manager:6.0.3

  • Updates to com.nimbusds:tenant-registry:6.0.2

  • Updates to com.nimbusds:oauth2-authz-store:18.1.1

  • Updates to com.nimbusds:oidc-session-store:14.9.1

  • Updates to com.nimbusds:c2id-server-jwkset:1.26

  • Updates to com.nimbusds:infinispan-cachestore-common:2.4.1

  • Updates to com.nimbusds:infinispan-cachestore-ldap:3.1.3

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.7

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2.1

  • Updates to org.postgresql:postgresql:42.4.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1

  • Upgrades to com.thetransactioncompany:java-property-utils:1.17

  • Updates to com.amazonaws:aws-java-sdk-*:1.12.264

  • Updates to DropWizard Metrics 4.2.10

  • Updates to Log4j 2.18.0

Updated RP-initiated logout in Connect2id server 12.15

2022-07-18

The Connect2id server logout endpoint, used to implement single logout across participating applications, received an update to make it compliant with the latest 02 revision of the OpenID Connect RP-Initiated Logout 1.0 spec.

The logout endpoint can now support ID token hints (id_token_hint) encrypted for confidentiality. There is also support for a logout_hint parameter, similar to the login_hint in OpenID authentication requests, and a ui_locales to personalise the logout UI. Relying parties that for some reason cannot save the user's ID token in order to pass it later in the id_token_hint logout parameter, can use a client_id to at least hint the application's identity. The logout session API, which lets Connect2id server deployments implement a logout UI, journeys and policies around logout, was updated to reflect the changes.

Logout confirmation

The mini guide for developing a logout UI and the sample project were also revised.

Other changes

The plugin SPI for verifying qualified certificates in a private_key_jwt client authentication was also updated to allow for custom error_description and error_uri fields when an invalid_client error is returned.

Connect2id server deployments that use DynamoDB receive a new optional dynamodb.enableContBackups configuration property, to enable point-in-time recovery (PITR) for all tables where crucial or long-lived server data is persisted. Note that when continuous backups are enabled they will not apply to sessions, codes, caches and other transient data, as there is no practical utility in recovering such data. If you want to have PITR for that data, it must be enabled directly via the AWS APIs for those DynamoDB tables.

You can find detailed information about the changes in Connect2id server 12.15 in the notes below.

Download 12.15

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.15: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 16af5e3afa5e4810f7df7a204c1206ed9d6eafe66ac2bf5ecd6935e556d129f0

Connect2id server 12.15 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8d3feaa7da130f19866ff9fe498a9cbcf440f243d1a23d06eaec733d815a79f9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.15: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 79c3b72dd0601ef4e583a7174ae27e4c48e2f5d6e490f9dba14e0a99d48b51f3

Connect2id server 12.15 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 2bee27a9d1a131c11c86fe433e768877ac7d35f43f846fbd3c722b85c0be3956

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

12.15 (2022-07-17)

Summary

  • Updates OpenID Connect RP-Initiated Logout 1.0 support to draft 02. Introduces new logout_hint, client_id and ui_locales request parameters. See https://openid.net/specs/openid-connect-rpinitiated-1_0.html

  • PrivateKeyJWTCertificateVerifier SPI plugins can override the default error_description and error_uri in invalid_client errors returned to the authenticating OAuth 2.0 client.

  • New dynamodb.enableContBackups configuration property to enable DynamoDB continuous backups / point-in-time recovery for tables holding crucial or long-lived Connect2id server data. Previously continuous backups could be enabled only via the AWS CLI, SDK, API or web console.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • New dynamodb.enableContBackups configuration property of type boolean (true|false) to enable continuous backups / point-in-time recovery for all DynamoDB tables where crucial or long-lived Connect2id server data is persisted: id_access_tokens, long_lived_authorizations, revocation_journal, clients, federation_clients andtenants (in the multi-tenant Connect2id server edition). Applied at Connect2id server startup on new table creation as well as for existing tables. The default value is false (no continuous backups).

Web API

  • Logout (end-session) endpoint

    • id_token_hint -- Relying parties can submit ID token hints encrypted with JSON Web Encryption (JWE) for confidentiality. The ID token can be encrypted with a public encryption RSA or EC JWK published at the Connect2id server's jwks.json endpoint. A relying party that is provisioned with a client_secret can alternatively encrypt the ID token with a symmetric AES key using the JWE dir algorithm and a JWE method listed in the id_token_encryption_enc_values_supported OpenID provider metadata field, as specified in OpenID Connect Core 1.0 incorporating errata set 1, section 10.2.

    • client_id -- New optional RP-initiated logout request parameter, of type string, representing the client ID of the relying party. A relying party should use it to identify itself in a request when the recommended id_token_hint parameter isn't included or when the id_token_hint represents a symmetrically encrypted (JWE) ID token so the OpenID provider can resolve the relying party's registered client_secret necessary for the ID token decryption. If both id_token_hint and client_id are included in a logout request the client ID must be found in the ID token audience.

      Note, a valid id_token_hint remains required for RP-initiated logout requests that include a post_logout_redirect_uri parameter.

    • logout_hint -- New optional RP-initiated logout request parameter, of type string, representing a hint about the end-user that is logging out, such as the user's email address, telephone number or username. Analogous to the login_hint OpenID authentication request parameter.

    • ui_locales -- New optional parameter, of type string and consisting of one or more space delimited BCP47 (RFC 7231) language tags, representing the end-user's preferred languages and scripts for the logout UI.

  • /logout-sessions/rest/v1/

    • Adds support for the optional client_id RP-initiated logout request parameter. The Connect2id server will use it to identify the calling relying party when the recommended id_token_hint logout request parameter isn't included or represents an ID token that is symmetrically encrypted with a client_secret. If both id_token_hint and client_id are present in a logout request the Connect2id will check the ID token was issued to the client_id; if not an invalid_id_token_hint error will be returned.

    • New id_token_hint_present parameter in the logout prompt message, of type boolean (true|false), to show if the relying party included an id_token_hint in the logout request.

      Note, if the id_token_hint logout request parameter failed the Connect2id server verification (covers all standard ID token checks, save for its exp claim), the logout session API will return an invalid_id_token_hint error. Hence, the id_token_hint_present when true will always indicate a valid ID token.

    • New optional op_logout parameter in the logout confirmation message, of type boolean (true|false) and a default value false, to indicate an end-user request for IdP-wide logout in addition to confirming the RP logout. This new parameter deprecates the existing confirm_logout parameter.

    • New optional logout_hint parameter in the logout prompt message, of type string, representing the logout_hint RP-initiated logout request parameter.

    • New optional ui_locales parameter in the logout prompt, logout end and logout error messages, of type string array, representing the ui_locales RP-initiated logout request parameter.

    • New invalid_request error code to indicate an invalid RP-initiated logout request.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.49

    • New ExposedInvalidClientException class that extends the common InvalidClientException for representing OAuth 2.0 invalid_client errors, to indicate that the default Connect2id server error_description and error_uri must be overridden with specific values.

      The Connect2id has a security policy to log the message of InvalidClientException instances and return a general error_description in the HTTP 401 Unauthorized response that doesn't reveal the exact cause why client authentication failed. The new ExposedInvalidClientException lets client authentication related plugins override this policy and set the error_description and error_uri in the HTTP 401 Unauthorized response. This facility must be used judiciously.

    • Connect2id server plugins implementing the PrivateKeyJWTCertificateVerifier SPI can throw the new ExposedInvalidClientException instead of the common InvalidClientException to override the default Connect2id server error_description and error_uri in the resulting HTTP 401 Unauthorized response.

      When using the ExposedInvalidClientException to set a custom invalid client error_description care must be taken not to divulge sensitive or more information than necessary.

Resolved issues

  • Updates the access token (as subject_token) introspection in token exchange grant handling (RFC 8693) to mark tokens which client_id doesn't match the client_id of the requesting OAuth 2.0 client as invalid. In addition, an OP6216 warning will be logged when this condition is encountered (issue server/768).

  • The logout session web API must not log request query strings at INFO level (issue server/770).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.49

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.38

  • Upgrades to com.nimbusds:lang-tag:1.7