New access token configurations in Connect2id server 12.13
This release of the Connect2id server ships new possibilities for feeding additional (custom) claims into JWT-encoded access tokens and laying them out in a suitable way for the intended resource servers.
Feeding custom claims from the client registration
There is now a new authzStore.accessToken.codec.jwt.copyClientData configuration to direct the Connect2id server to take selected members from the optional "data" field in client registrations and make them available as top-level JWT claims in access tokens issued to the client.
For example, to copy the data.org_id member (if present) from client
registrations and paste into the access tokens:
authzStore.accessToken.codec.jwt.copyClientData=org_id
The updated access token guide has details, tips and examples how to use this new configuration parameter.
Moving authorisation data claims to the top-level
The "dat" (data) field in internal authorisation objects has provided Connect2id server deployments with a simple method for storing custom parameters related to the authorisation grant and making them available in issued access tokens. This is done by simply copying the "dat" JSON object into the token claims set.
Example access token claims with a custom dat claim:
{
"sub" : "449d693f-c0b8-4088-8ed6-6607d3c95853",
"client_id" : "ieJ0iefo",
"scope" : "https://api.example.com/read",
"dat" : {
"enforce_single_use" : true,
"app_ctx" : "ext"
}
...
}
eployments that need to have selected members from the "dat" JSON object appear as top-level access token claims can now do so with the following configuration: authzStore.accessToken.codec.jwt.moveAuthzData
Example config to make dat.enforce_single_use a top-level claim:
authzStore.accessToken.codec.jwt.moveAuthzData=enforce_single_use
The resulting access token claims:
{
"sub" : "449d693f-c0b8-4088-8ed6-6607d3c95853",
"client_id" : "ieJ0iefo",
"scope" : "https://api.example.com/read",
"enforce_single_use" : true,
"dat" : {
"app_ctx" : "ext"
}
...
}
The usage of this new configuration is also explained in the access token guide.
Download 12.13
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.13: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 2ab142228d456e2ff9efec3c9e7ad196062a7d39f0116923c5f1e9d489f46f28
Connect2id server 12.13 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 1b6a273ff7625bf62d4dc1ae4c6dba06c34a44ff0b91a4c8d317fae8a7c2c223
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.13: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 0fdf5a6fe700f2861d7c74d9a9f0c08e3fae8897c69e36f8046c02e28dbc4007
Connect2id server 12.13 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: f32676fd296eb3ea00da3daa684bbe1b1027a361892b05af0be9f427da9db278
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
12.13 (2022-06-20)
Summary
- The default Connect2id server codec for self-contained (JWT-encoded) access tokens can now insert selected elements from the client data field and the authorisation data fields as top-level JWT claims. Deployments can use this feature to conform to access token profiles without a custom SelfContainedAccessTokenClaimsCodec plugin.
Configuration
/WEB-INF/authzStore.properties
authzStore.accessToken.codec.jwt.copyClientData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists names of members in the client registration's "data" JSON object to copy as top-level JWT claims. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged this setting has no effect.
authzStore.accessToken.codec.jwt.moveAuthzData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists the names of members in the authorisation "dat" (data) JSON object to move to top-level JWT claims in access tokens minted by the default self-contained access token encoder. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged this setting has no effect.
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.45
Updates the SelfContainedAccessTokenClaimsCodec SPI by adding a new TokenEncoderContext.getOIDCClientInformation method.
Updates the AccessTokenIssueEventListener and IDTokenIssueEventListener SPIs by adding a new EventContext.getOIDCClientInformation method.
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.45
Upgrades to com.nimbusds:oauth2-authz-store:18.1
Upgrades to com.nimbusds:common:2.49
Qualified X.509 certificates for private_key_jwt client authentication in Connect2id server 12.12
Connect2id server 12.12 focuses on shipping new client authentication capabilities. It also packs an additional plugin for web-hook based handling of OAuth 2.0 client credential grants.
Qualified certificates for private_key_jwt
To process token and other requests with
private_key_jwt
client authentication the Connect2id server needs a copy of the public key for
the JWT assertions in order to verify their signature. The public key has been
traditionally set in the client registration, in JWK format, using the standard
jwks or jwks_uri parameter.
Starting with this release the public key can now also be passed in a X.509
certificate included in the private_key_jwt itself.
Use cases and benefits of this method:
Enables straightforward use of qualified certificates to establish the client credential. The certificate can be issued by a national, industry or some other authority recognised by the identity provider. For internal applications and services the issuer can be a local CA.
The need for explicit registration of a client JWK set is obviated.
Since no client JWKs are registered with the Connect2id server the need for the client to manage key roll-over also falls away.
Clients include the certificate BASE64 encoded in the x5c (X.509 certificate
chain) header of the JWT assertion.
Example JWT header and claims for a private_key_jwt with certificate:
{
"alg" : "RS256",
"x5c" : [ "MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMC..." ]
}
{
"iss" : "oe7aiz60",
"sub" : "oe7aiz60",
"aud" : "https://demo.c2id.com/token",
"exp" : 1453021544,
"jti" : "Eefaevo0"
}
Deployments that wish to support certificates for establishing the public key
for private_key_jwt authentication are provided with a new plugin
interface
(SPI) where they can define the policy and verification logic for the
certificates.
Note that the existing
tls_client_auth
also supports certificate-based authentication, but over mutual TLS, and with
the extra benefit of sender constraining any issued access tokens to the
client. This enhanced token security is missing in private_key_jwt
authentication, even when it makes use of a X.509 certificate to establish the
public key.
Plugin interface for client authentication events
Another new plugin interface (SPI) that arrives in this release is for intercepting client authentication success and error events. Identity providers and authorisation servers can now create plugins for custom logging, auditing and reporting of client authentications, in real time.
public class MyPlugin implements ClientAuthenticationInterceptor {
@Override
public void interceptSuccess(
final ClientAuthentication clientAuth,
final ClientAuthenticationContext ctx)
throws InvalidClientException {
// do something on client auth success...
}
@Override
public void interceptError(
final ClientAuthentication clientAuth,
final InvalidClientException exception,
final ClientAuthenticationContext ctx) {
// do something on client auth error...
}
}
Client authentications accepted by the Connect2id server can be subjected to
additional checks and potentially rejected with an invalid_client error if
they shouldn't proceed due to some custom rule or policy.
client_auth_id
Every incoming client authentication, at the token endpoint or elsewhere, is
now tagged with a unique client_auth_id. This identifier will appear in the
Connect2id server log messages, in the plugin invocation contexts related to
client authentication, and in the HTTP 401 error responses if the client
authentication failed.
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"error" : "invalid_client",
"error_description" : "Invalid client: Possible causes may be missing /
invalid client_id, missing client authentication,
invalid or expired client secret, invalid or expired
JWT authentication, invalid or expired client X.509
certificate, or an unexpected client authentication
method",
"client_auth_id" : "cgXB4EyYViWPt6g2"
}
The client_auth_id and how to use it to debug or report client
authentications is explained
here.
Web-based handler plugin for the OAuth 2.0 client credentials grant
The c2id.war now packs a
plugin
(disabled by default) for delegating the authorisation logic for OAuth 2.0
client credentials grant handling to a web-hook.
The web API resembles the one for the existing web-based handler of OAuth 2.0 password grant.
Download 12.12
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.12: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 343efc3e1c4214ca93b854a5beb3935a29397d5cf9b3d86484c0ebd4b6e21703
Connect2id server 12.12 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: feadd400abe9c9516de2490af39d5070c81d26c32fbd64e15f2f706415e909af
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.12: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 4114b573604979badf3c537e00f553a273dfa8abf554a88552003a891d41fc80
Connect2id server 12.12 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: ddaf350a3c6087e61a2387db7293d2b5db5d079b0bfc95d8e0394663bacb5f42
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
12.12 (2022-06-03)
Summary
New plugin interface (Service Provider Interface, or SPI) for accepting qualified X.509 certificates to verify the digital signature in private_key_jwt client authentications.
New plugin interface (SPI) for intercepting client authentication success and failure events at all Connect2id server endpoints where client authentication occurs. Can be used for logging, reporting, audit, debugging and other purposes.
Introduces a secure random 12 byte "client_auth_id" to identify each individual client authentication performed by the Connect2id server in log messages, OAuth 2.0 invalid_client errors and calls to SPIs like the new private key JWT certificate verifier and the client authentication interceptor.
Includes a web-based handler plugin for the OAuth 2.0 client credentials grant, implementing the ClientCredentialsGrantHandler SPI from the Connect2id server SDK. This handler is not compatible with the multi-tenant edition of the Connect2id server. Disabled by default. The default client credentials handler remains the existing local one (com. nimbusds:oauth-client-grant-handler:2.0.2).
Web API
/token
- OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
/token/introspect
- OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
/token/revoke
- OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
/par
- OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
Configuration
- /WEB-INF/clientGrantHandlerWebAPI.properties -- New configuration file for the client credentials grant handler plugin that delegates processing of the grant authorisation to a web-service. The configuration properties can be overridden or set with Java system properties.
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.44
com.nimbusds.openid.connect.provider.spi.clientauth. PrivateKeyJWTCertificateVerifier -- New SPI for verifying an X.509 certificate (x5c) in private_key_jwt} client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates and without a prior client JWK set registration (via the "jwks" or "jwks_uri" client metadata parameters).
The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate for the private_key_jwt, based on the client's registered metadata or other criteria.
A client can place the certificate in the private_key_jwt "x5c" header. Alternatively, the certificate can be put in the "x5c" parameter of a matching public JWK and have the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter.
Implementations must be thread-safe.
com.nimbusds.openid.connect.provider.spi.clientauth. ClientAuthenticationInterceptor -- New SPI for intercepting successful and failed client authentications at all Connect2id server endpoints where client authentication occurs, such as the token, token introspection, token revocation and pushed authorisation request (PAR) endpoints. Successful client authentications can be subjected to additional checks and rejected with an OAuth 2.0 invalid_client error.
Implementations must be thread-safe. Interceptors that create events should use a separate thread for blocking operations.
Resolved issues
Fixes an HTTP 500 Internal Server Error on a token revocation request with client authentication where the client_id resolves to an invalid client registration (issue server/760).
The message OP0131 ("Couldn't determine Connect2id server local host") should be logged at WARN level, not ERROR (issue server/759).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.44
Upgrades to com.nimbusds:oauth2-oidc-sdk:9.37.2
Upgrades to com.nimbusds:nimbus-jose-jwt:9.23
Updates to Infinispan 9.4.24
Updates to com.unboundid:unboundid-ldapsdk:6.0.5
Updates to com.nimbusds:oauth-password-grant-web-api:1.5
Updates to com.nimbusds:oauth-client-grant-handler:2.0.2
Adds com.nimbusds:oauth-client-grant-web-api:1.4
Connect2id server 12.11
This is a mini update to give Connect2id server deployments simple and precise control over the splash / landing page that is displayed when the configured issuer URL is opened in a browser. A new op.splashPage configuration property lets deployments choose between the current default splash page, a blank page, a redirection to the OpenID provider metadata, or to some other URL.
Example configuration to redirect HTTP requests to the issuer URL to the OpenID provider metadata:
op.splashPage=urn:c2id:splash_page:op_metadata
To redirect to some other URL:
op.splashPage=https://example.com
To show a blank page:
op.splashPage=urn:c2id:splash_page:blank
This release also fixes two issues. You can find more information in the release notes below.
Download 12.11
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.11: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: b3bd5cc5011c0cc31fe3465cbc6137da0e113a9185b88bff0acfa0b83f1d90f6
Connect2id server 12.11 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: ac0537550ead4e4b6e409d34b95e98b10b84ff1a1f0fb2d47548e5d09378172b
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.11: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 4aa967b1d02b7e748d57570922a119e8da23985ec8c447bb84e97f20cb439a07
Connect2id server 12.11 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: 6cbab334668f3a6ac863ec177b7be8bdd7f5171e496748a9e91cdaef5ee42b90
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
12.11 (2022-05-22)
Configuration
/WEB-INF/oidcProvider.properties
op.splashPage -- New configuration property for the splash page to display at the Connect2id server issuer URL (
op.issuer).Supported values:
- urn:c2id:splash_page:default -- The default splash page, an HTML page showing the Connect2id server version, a list of the available endpoints and links to public online documentation.
- urn:c2id:splash_page:blank -- A blank page.
- urn:c2id:splash_page:op_metadata -- Redirects (HTTP 301) to the
OpenID provider metadata at
/.well-known/openid-configuration - https or http URL -- Redirects (HTTP 301) to the specified HTTPS or HTTP URL.
Resolved issues
Fixes a bug that affected the correct handling of the subject session "auth_life" property (for values > 0) in the authorisation session web API, used to determine when the authentication lifetime (in minutes) of a session expires and the subject (end-user) must be re-authenticated in the same session (issue server/756).
Adds custom static error pages for 404, 405 and other HTTP status codes handled by the Servlet container to hide the Servlet container version and other potentially sensitive information (issue server/745).
c2id.net subscribers receive easy access to the logs of their OpenID Connect / OAuth 2.0 servers
Hosted Connect2id server subscribers can now enjoy easy access to the logs of their servers, directly from the admin panel. This can come in handy when you need to troubleshoot an integration or why for instance a client application is failing to authenticate.
The admin panel provides access to the server logs from the past 72 hours.
If you are interested in a hosted Connect2id server, check out the offerings at c2id.net. As a subscriber you can choose an optimal AWS region to have your server instances deployed and all plans come with a 2+ node cluster to provide high-availability and load-balancing for your OAuth and OpenID Connect applications.
Connect2id server 12.10
This release of the Connect2id server introduces support
for OpenID authentication requests
with prompt=create, implements explicitly typed logout
tokens
and updates the AWS region selection in the
DynamoDB connector.
Applications requesting a sign-up screen with prompt=create
The OpenID Connect working group adopted a new
spec that
defines a new value for the prompt parameter, called create, to let
relying parties request the OpenID provider to present the end-user with a
sign-up screen as part of the
authentication flow.
https://server.example.com/authorize?
response_type=code
&scope=openid
&client_id=123
&state=af0ifjsldkj
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&prompt=create
Requests with a prompt=create parameter will cause the Connect2id server to
send the login handler an auth prompt
message (even if the user is currently authenticated and has a valid session),
with the create_account field set to true. This flag can be taken as
signal to present the user with a sign-up screen.
If the OpenID provider has no requirement or wish to honour prompt=create
requests the login handler can safely ignore the create_account flag and
render the usual user authentication screen.
After the user is successfully registered the flow should proceed as usual.
Support for the create prompt value is advertised in the OpenID provider
metadata, under
prompt_values_supported. This metadata field lists the other standard prompt
values defined in OpenID Connect Core and already supported by the
Connect2id server: none, login, consent and select_account.
Example:
{
"issuer" : "https://c2id.com",
"prompt_values_supported" : [ "none", "login", "consent", "create" ],
...
}
You can find more information about the prompt=create in the
spec and the
release notes below.
Explicitly typed logout tokens
As you learned in the announcement of the last Connect2id server release, the
explicit typing of JWTs is good for security
and the OpenID Connect working group recently took the step to
update
the back-channel logout spec to define an optional logout+jwt type header for
the logout tokens.
Starting with this release the Connect2id server will type all issued logout
tokens with the logout+jwt header, unless it's configured to disable their
typing
for legacy reasons.
op.logout.backChannel.jwtTypeExplicit=true
If you have OpenID relying parties that use our Java SDK to deal with back-channel logout notification tokens check out the updated examples.
AWS region configuration for DynamoDB
The DynamoDB connector received an update to enable deployments to fall back to the default AWS region provider chain. This can be useful in deployments based on the AWS EKS where the AWS access credential is a web token obtained from a regional AWS STS endpoint.
If you are using DynamoDB and don't have any issues with the region selection, you can update to this Connect2id server release, keeping your existing configuration just as it is.
To take advantage of the default AWS region provider chain check out the DynamoDB connector configuration docs and the release notes.
Download 12.10
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.10: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 97d8f6cc1bcb0e237b6e4936f49457142fb9496ddd81a260872992e90133fb9a
Connect2id server 12.10 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: fdc9e2a02d0bc7f3360362bc16625223e1c27fbdcdbeccc75c7945c4bdf6b095
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.10: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 756301ca6269599d2f89e6ff72d7dead39360d36e7c38f4d0d3db453c207c600
Connect2id server 12.10 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: 4a6a12104a5b55ccb9f47129ab57dd581629ef33a842849f7b1a3395f8c7fdf8
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
12.10 (2022-05-03)
Summary
Support for OpenID authentication requests with prompt=create to enable relying parties to instruct the OpenID provider to present the user with a sign-up screen. After the user is successfully registered the flow proceeds as usual. Support for the "create" prompt value is advertised in a new "prompt_values_supported" OpenID provider metadata field. Login handlers integrating with the authorisation session API will receive indication of a prompt=create in a new "create_account" {true|false} parameter of the "auth" message. If the OpenID provider has no requirement or wish to honour prompt=create the login handler can safely ignore the "create_account" flag and render the usual user authentication screen. OpenID prompt=create requests will always trigger an "auth" prompt message in the authorisation session API, similarly to OpenID prompt=select requests.
The Connect2id server will reject OpenID authentication requests with a prompt parameter that contains values other than "create", in accordance with the specification recommendation.
This new prompt "create" value is specified in Initiating User Registration via OpenID Connect - draft 04, see https://openid.net/ specs/openid-connect-prompt-create-1_0.html
Support for minting back-channel logout notification tokens with explicit JWT typing. This is a simple measure to help relying parties simplify the prevention of mix-up of logout token JWTs with other types of JWT without having to examine the JWT claims structure. Enabled by default.
Configuration
/WEB-INF/oidcProvider.properties
op.logout.backChannel.jwtTypeExplicit -- New configuration property to enable / disable explicit typing of the issued back-channel logout tokens by setting the JWT type ("typ") header to "logout+jwt". Explicit logout token typing is a new recommendation in OpenID Connect Back-Channel Logout 1.0 - draft 07, section 4.1. This is a simple measure to prevent mix-up of logout token JWTs with other types of JWT without having to examine the JWT claims structure. Enabled by default.
See https://openid.net/specs/openid-connect-backchannel-1_0.html
/WEB-INF/infinispan-*-dynamodb.xml
- Removes the default "dynamodb.region" setting of "us-east-1". The purpose of this change is to enable DynamoDB configurations where the AWS region is determined by the default AWS region provider chain, for example by setting the "AWS_REGION" environment variable. The DynamoDB store XML schema is updated to v1.19. See https://docs.aws.amazon.com/ sdk-for-java/v1/developer-guide/java-dg-region-selection.html
Web API
/.well-known/openid-configuration
- prompt_values_supported -- New metadata field defined in Initiating User Registration via OpenID Connect - draft 04. Lists the supported prompt values in OpenID authentication requests. The Connect2id server supports the following prompt values: none, login, consent, select_account and create.
/authz-sessions/rest/v3/
- The authentication prompt (message with type "auth") receives a new "create_account" member of type boolean to indicate an OpenID authentication request with a prompt=create parameter.
Resolved issues
- Sourcing of "access_token:*" claims must call the AdvancedClaimsSource SPI instead of the basic ClaimsSource SPI in order to pass optional "claims_data" (issue server/753, authz-store/191).
Dependency changes
Updates to com.nimbusds:c2id-server-sdk:4.43
Updates to com.nimbusds:oauth2-oidc-sdk:9.35
Updates to com.nimbusds:nimbus-jose-jwt:9.22
Upgrades to com.nimbusds:oauth2-authz-store:17.9
Updates to com.nimbusds:oidc-claims-source-ldap:1.6.1
Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2
Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.201
Updates to com.nimbusds:c2id-server-property-source:1.0.4
Updates to org.postgresql:postgresql:42.3.4
Updates to org.slf4j:slf4j-api:1.7.36
Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.7
Updates to com.nimbusds:token-event-publisher-aws-sqs:1.1.3
Adds dependency to com.amazonaws:aws-java-sdk-sts:1.12.201