Connect2id server 12.6 with major upgrade to Identity Assurance / eKYC support
Identity Assurance / eKYC upgrade
In September 2021 the Identity Assurance / eKYC extension to OpenID Connect received a major upgrade and was later voted to become an implementer's draft, a crucial step towards reaching standard status.
The changes fall into three areas:
- Revision of the verification data element, to make a clear distinction between the process of verifying that the user is the owner of the claims and the process that involves the validation of evidences, such as ID cards or electronic records. The concept of assurance level was factored out and is no longer a part of the trust framework identifier. A new taxonomy for the identity evidences was created, which now has the types document, electronic_record, vouch, utility_bill and electronic_signature. Finally, there is a possibility to deliver attachments to relying parties, such as scanned documents.
- Revision of the OpenID provider metadata, adding new fields and deprecating others.
- Definition of two new OpenID claims: msisdn, also_known_as and address.country_code.
The changes are outlined in the history section of the Identity Assurance / eKYC draft, but due to the numerous significant changes we recommend studying the entire spec.
The Connect2id server is now updated to support the new syntax for the verification data element. The old (deprecated) syntax will continue to work with the server as well as with the underlying OAuth 2.0 / OpenID Connect SDK.
The server configuration for eKYC was
also updated so the new fields can be advertised in OpenID provider
metadata. Note that fields
related to the deprecated id_document type should no longer be used. The
changes in configuration and OpenID provider metadata are explained in the
release notes below.
If you are interested in adopting Identity Assurance / eKYC in your Connect2id server deployment start here.
If you use our open source OAuth 2.0 / OpenID Connect SDK to construct verification data on the server side, or within a client application that relies on a IdA / eKYC provider, you will find these improvements:
- A more intuitive API and improved typed-safety for writing robust code.
- It's now easier to create custom verification data requests by extending the
new
MinimalVerificationSpecclass. - External attachments can be downloaded (with HTTP timeouts) and their digests automatically verified with a single line of code.
- Constants and helper methods for dealing with ISO 3166-1 and 3166-3 country codes, including logic for mapping between two (alpha-2) and three-letter (apha-3) ISO 3166-1 country codes.
Check the OpenID Connect SDK guide and examples for IdA / eKYC to find out more.
Accessing OpenID provider metadata from within a plugin
The AuthorizationRequestValidator and PARValidator SPIs can now access the
OpenID provider / OAuth 2.0 authorisation server metadata for plugin
configuration and other purposes. Contact us if you find this useful for other
types of plugins.
Dependency updates
Finally, this 12.6 release comes with about a dozen updates to frameworks and libraries. Several optional and unused dependencies for OpenSAML were removed.
Docker
The Docker c2id/c2id-server-demo and c2id/c2id-server-min images switched from Debian (as OS) with Java 11 to Amazon Coretto 11, which has a lighter combined footprint. Fewer Linux packages will also mean fewer false positives to deal with when an image is scanned for vulnerabilities, because scanners at present cannot tell if a package is used or not (and Java doesn't need many of the standard packages that come in a Linux OS). Note that Amazon Coretto still isn't a bare bones Linux distribution, so vim, curl and other basic utilities can still be found in it.
Download 12.6
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.6: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: a6ad8242ebfb578f0d62963a842635bfee8e76c27db78be180d254340ca66ee7
Connect2id server 12.6 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: ea0bb877aa6c51ea96d1353823fceb8ae026fe75711c780ee14f060ac7d3fb41
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.6: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: a787bd9d95eb0f657e19e7337dc327fdd45703e5720998a7a8f1caa268e6ec07
Connect2id server 12.6 WAR package: c2id-multi-tenant.war
GPG signature: c2id-multi-tenant.war.asc
SHA-256: b9d5844723274e817f02dbe63dde316c5089ed2b6c33ec75340d34a822bdee27
Questions?
Contact Connect2id support.
Release notes
12.6 (2022-01-17)
Summary
Upgrades OpenID Connect for Identity Assurance 1.0 support to the latest implementers' draft 12 from 6 September 2021. See https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html
Upgrades the AuthorizationRequestValidator and PARValidator SPIs to enable read-only access to the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes.
Configuration
/WEB-INF/oidcProvider.properties
op.assurance.supportedDocumentTypes -- New optional configuration property listing the supported document types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_supported" OpenID provider metadata parameter.
op.assurance.supportedMethodsForDocuments -- New optional configuration property listing the supported coarse identity verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_methods_supported" OpenID provider metadata parameter.
op.assurance.supportedValidationMethodsForDocuments -- New optional configuration property listing the supported validation methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_validation_methods_supported" OpenID provider metadata parameter.
op.assurance.supportedVerificationMethodsForDocuments -- New optional configuration property listing the supported person verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_verification_methods_supported" OpenID provider metadata parameter.
op.assurance.supportedElectronicRecordTypes -- New optional configuration property listing the supported electronic record types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "electronic_records_supported" OpenID provider metadata parameter.
op.assurance.supportedAttachments -- New optional configuration property listing the supported attachment types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "attachments_supported" OpenID provider metadata parameter. Attachment types: embedded, external.
op.assurance.supportedDigestAlgs -- New optional configuration property listing the supported digest algorithms for external attachments if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "digest_algorithms_supported" OpenID provider metadata parameter. If external attachments are supported must at least include sha-256.
op.assurance.supportedIDDocumentTypes -- Becomes deprecated, the corresponding "id_documents_supported" OpenID provider metadata parameter in no longer in use in OpenID Connect for Identity Assurance 1.0.
op.assurance.supportedIdentityVerificationMethods -- Becomes deprecated, the corresponding "id_documents_verification_methods_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.
Web API
/.well-known/openid-configuration
documents_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported document types. Replaces "id_documents_supported".
documents_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported coarse identity verification methods for evidences of type document. Replaces "id_documents_verification_methods_supported".
documents_validation_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported validation methods for evidences of type document.
documents_verification_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported person verification methods for evidences of type document.
electronic_records_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported electronic record types.
attachments_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported attachment types: embedded, external.
digest_algorithms_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported digest algorithms for external attachments.
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.41
com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.
com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.41
Updates to com.nimbusds:oauth2-oidc-sdk:9.20.1
Updates to com.nimbusds:oauth2-authz-store:17.7
Updates to com.nimbusds:oidc-session-store:14.8
Updates to com.nimbusds:content-type:2.2
Updates to com.nimbusds:c2id-server-property-source:1.0.3
Removes and updates selected OpenSAML 3.4.6 transitive dependencies
Replaces javax.activation:javax.activation-api:jar:1.2.0 with jakarta. activation:jakarta.activation-api:jar:1.2.1
Updates to com.nimbusds:infinispan-cachestore-sql:4.2.6
Updates to com.zaxxer:HikariCP:4.0.3
Updates to org.mariadb.jdbc:mariadb-java-client:2.7.3
Updates to org.postgresql:postgresql:42.3.1
Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.9
Updates to com.nimbusds:tenant-registry:6.0.1
Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.132
Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.5
Updates to AWS Java SDK 1.12.132
Updates DropWizard to 4.1.29
Updates Prometheus SimpleClient to 0.14.1
Updates Log4j to 2.17.1
Connect2id server 12.5.4 and 11.6.7 security updates addressing Log4j CVE-2021-45105
This Connect2id server release addresses a second post-Log4shell vulnerability discovered in Log4j, which can result in a DoS and is described in CVE-2021-45105.
Updating is strongly recommended to secure your deployments.
There are also updated c2id/c2id-server-demo and c2id/c2id-server-min Docker images available.
Download 12.5.4
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.5.4: Connect2id-server.zip
SHA-256: 2860513912e3494d172764e9c2e0a159241d5e41c1663bdaf714021f6921f7ac
Connect2id server 12.5.4 WAR package: c2id.war
SHA-256: 520d3c398faccd29ed41244dcb79a8f3dcb6a825d111d20665965ad85b84bc5a
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.5.4: Connect2id-server-mt.zip
SHA-256: 7859e9f37bd3ffcce1793e34921559bf03a9425831075cf22fcef311f8d316be
Connect2id server 12.5.4 WAR package: c2id-multi-tenant.war
SHA-256: c83965f09030956ceb6cf14fc1dbb983fe4b74620700dbbdf4e2e4b2a074edb2
Download 11.6.7
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 11.6.7: Connect2id-server.zip
SHA-256: e64d746617c750cf9abc954be9108541170d7b747a8ac4214f56538e6a45489b
Connect2id server 11.6.7 WAR package: c2id.war
SHA-256: 406bb18a8705b1230959553abaa2642f77dedd0399df71e1b65d303b47b5565e
Multi-tenant edition
Apache Tomcat package with Connect2id server 11.6.7 Connect2id-server-mt.zip
SHA-256: ee926caabf4411c6b3ca481f1a1d456e1e9b37721581cc60997049f4d00e33cc
Connect2id server 11.6.7 WAR package: c2id-multi-tenant.war
SHA-256: 06bbef74bdd6b819bdf5ee967b29b697d5d3d324ee6acbcbb8ffc4c34a01f34f
Questions?
Contact Connect2id support.
Release notes
12.5.4 (2021-12-18)
Resolved issues
- Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45105 (issue server/711).
Dependency changes
- Updates Log4j to 2.17.0
11.6.7 (2021-12-18)
Resolved issues
- Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45105 (issue server/711).
Dependency changes
- Updates Log4j to 2.17.0
Connect2id server 12.5.3
This release of the Connect2id server fixes a bug that affected the override of a configuration property and updates several dependencies.
The extra web applications included in the ZIP package (sample login page, OpenID relying party, etc) also receive the Log4j security patch for the CVE-2021-45046 announced on Monday. The Connect2id server itself was patched for this CVE in the prior 12.5.2 release.
Maven Central is currently experiencing an overload, due to the enormous number of packages being updated, with release uploads timing out. This situation has made it difficult for us to publish updates to various open source components that we maintain. If the difficulties persist we will consider setting up a private repo for their distribution.
This release also marks a change in the Connect2id server Docker images and their naming:
The Docker image built from
Connect2id-server.zip, which includes a complete package with the latest stable Apache Tomcat and the extra web applications will now be published under the c2id/c2id-server-demo tag. Previously this was c2id/c2id-server. This naming change is to make it clear that the image is chiefly intended for demo and evaluation purposes. For production consider using a purpose built image (see next).A new type of Docker image becomes available now, under the c2id/c2id-server-min tag. It builds from an official Apache Tomcat Docker image, with only
c2id.wardeployed in it. This makes for a minimal image containing only an instance of the Connect2id server and nothing else. In a OpenID provider / OAuth 2.0 server deployment it will be complemented with containers for the backend database, the front-end, etc.https://hub.docker.com/r/c2id/c2id-server-min/tags
The minimal image can be tweaked, for example to reconfigure logging output.
Download
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.5.3: Connect2id-server.zip
SHA-256: ec024cb187fe44d04a8feea204f0948a67668de31491f62c7fdbf919645af3a4
Connect2id server 12.5.3 WAR package: c2id.war
SHA-256: 380216996fce28034f1888870c97299c334d8da7a883fd5b52682694548e1d2b
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.5.3: Connect2id-server-mt.zip
SHA-256: 83b80077461a4e56cf9db1cd4523a078f4459f7d0cf1ca0a7166fb7fda98d561
Connect2id server 12.5.3 WAR package: c2id-multi-tenant.war
SHA-256: 6cb80a9f267c949f4120199b4d9d0bd82a40dca2a13075d3972adcfe54089906
Questions?
Contact Connect2id support.
Release notes
12.5.3 (2021-12-16)
Resolved issues
- Fixes op.checkSession.iframe and op.checkSession.cookieName configuration property parsing to support Java system property override (issue server/709).
Dependency changes
Updates to com.nimbusds:software-statement-verifier:2.2.2
Updates to org.apache.commons:commons-compress:1.21
Connect2id server 12.5.2 security update addressing Log4j CVE-2021-45046
The extraordinary attention which Log4j received due to the Log4shell (CVE-2021-44228) vulnerability lead to the discovery of another related, but fortunately somewhat less severe remote code execution exposure in the logging framework. This new issue is described in CVE-2021-45046.
This 12.5.2 release of the Connect2id server ships the Log4j patch for the new CVE, plus several other updates under the hood.
You can find more information in the release notes below.
Download
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 12.5.2: Connect2id-server.zip
SHA-256: 4f254a27ef02dd1f7deffa05f6620b13d8ba00db2871c2c06d0143f4c419e0cd
Connect2id server 12.5.2 WAR package: c2id.war
SHA-256: 544b1259c3040cf970448f59ea0483b815849d94114a3f7e556bf600abe9071d
Multi-tenant edition
Apache Tomcat package with Connect2id server 12.5.2: Connect2id-server-mt.zip
SHA-256: 769fad20d1fda0b80dcd4ebae53f1dff5b0e1b6a9093938bd91898b544f2c01e
Connect2id server 12.5.2 WAR package: c2id-multi-tenant.war
SHA-256: c6882fc8ed2ac88252e95bcf5589a9abffaed3043999504a6a9d1046fff194c7
Questions?
Contact Connect2id support.
Release notes
12.5.2 (2021-12-15)
Resolved issues
- Updates Log4j to 2.16.0 to address a critical vulnerability described in CVE-2021-45046, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45046 (issue server/708).
Dependency changes
Updates Log4j to 2.16.0
Updates to org.slf4j:slf4j-api:1.7.32
Updates to com.google.code.gson:gson:2.8.9
Updates to com.google.crypto.tink:tink:1.6.1
Updates BouncyCastle to 1.70.
Updates to com.unboundid:unboundid-ldapsdk:6.0.3
Connect2id server 11.6.6 security update
This release of the Connect2id server backports the security patch to address the most recent Log4j CVE-2021-45046, which was announced yesterday and is closely related to the original Log4shell vulnerability from last week.
Several other updates under the hood are also included. As with the 12.5.2 update, this one for 11.x is critical and highly recommended.
Download
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 11.6.6: Connect2id-server.zip
SHA-256: 5abd1efa691a059e380f8a6f712f9e09220c3f78b7aa308d8bfd927f1446ab77
Connect2id server 11.6.6 WAR package: c2id.war
SHA-256: a9ef91aa5f9e71081377d1b815042c086bdd38e1bbc3d974f6ec0f9ee1cb0232
Multi-tenant edition
Apache Tomcat package with Connect2id server 11.6.6: Connect2id-server-mt.zip
SHA-256: b24d9c1bab76ee6bcce26e7fb019d14df8104318cad4a6b40a7facc273049a75
Connect2id server 11.6.6 WAR package: c2id-multi-tenant.war
SHA-256: eb642f6d8f6d44a68750ff12ab2c4178539de09506eab3ecca146a99f5a2cdd4
Questions?
Contact Connect2id support.
Release notes
11.6.6 (2021-12-15)
Resolved issues
- Updates Log4j to 2.16.0 to address a critical vulnerability described in CVE-2021-45046, see https://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2021-45046 (issue server/708).
Dependency changes
Updates Log4j to 2.16.0
Updates to com.google.code.gson:gson:2.8.9
Updates BouncyCastle to 1.70.
Updates to com.unboundid:unboundid-ldapsdk:6.0.3