Connect2id server 9.5.1

2020-06-22

This is a maintenance release of the Connect2id server.

  • Fixes a bug which will produce an HTTP 500 at the token endpoint if illegal characters appear in a submitted authorisation code.

  • Fixes a bug which affects publishing of EdDSA signing keys in the server JWK set. Deployments which intend to make use of EdDSA-signed access tokens introduced in 9.4 should be updated.

  • Rolls back support for JWT authentication (client_secret_jwt and private_key_jwt) at the token revocation endpoint accepting the token endpoint URI as JWT "aud" (audience), removed unannounced in 8.0. Note that client applications should use an "aud" value set to the exact endpoint URI and acceptance of alternative audience values may be removed in a future release as a security measure.

  • Logs the exact cause when client authentication at the token revocation endpoint fails.

For details check the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 9.5.1: Connect2id-server.zip

SHA-256: 6bd8409448f8f34e73c9147f54b44c84524009e2aab51c4995f82f29125f3bed

Connect2id server 9.5.1 WAR package: c2id.war

SHA-256: d416d1043d18ef1ecb4920cb58b63114759bdeca91e0870106f52cda014bc10c

Multi-tenant edition

Apache Tomcat package with Connect2id server 9.5.1: Connect2id-server-mt.zip

SHA-256: a016730031deda10d1c7007695ab7b2ea82ea8c877878d1beb1d872c34975d09

Connect2id server 9.5.1 WAR package: c2id-multi-tenant.war

SHA-256: b9a605be18ca82eb037e306b5d2c7c737550e6db9c149ad7497991602591e331

Questions?

Contact Connect2id support.

Release notes

9.5.1 (2020-06-22)

Resolved issues

  • Replaces the BASE64 Apache Commons Codec with the BASE64 codec from the Nimbus JOSE+JWT library to prevent an unchecked IllegalArgumentException exception due to illegal chars in a submitted authorisation code (issue server/574, common/61).

  • Restores accepting client_secret_jwt and private_key_jwt client authentication JWTs for the token revocation endpoint where the audience is set to the token endpoint URI, removed in Connect2id server v8.0. This rollback is done to preserve backward compatibility with existing clients. New clients should set the authentication JWT "aud" (audience) to the exact endpoint URI as future Connect2id server releases may stop accepting the issuer URI or the token endpoint URI for security reasons (issue server/573).

  • Logs the exception message for OP6412 when client authentication at the token revocation endpoint fails (issue server/570).

  • Exports public EdDSA keys from the server JWK set to /jwks.json (issue server/568).

Dependency changes

  • Updates to com.nimbusds:common:2.38.1

  • Updates to com.nimbusds:oidc-session-store:13.4.2

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.4

FAPI certification of Connect2id server 9.5

2020-05-27

The current Connect2id server release was tested in a online deployment against the FAPI certification suite (v4.0.1) and the results are now published on the OpenID Foundation certifications page, in the FAPI section.

The test suite has two modes - one for clients authenticating with private_key_jwt and another for clients authenticating with self_signed_tls_client_auth (mTLS). You you are developing a client application we suggest using the mTLS method because it's typically easier to setup.

If you're developing a deployment that needs to conform to the FAPI security standard we recommend you run the FAPI certification tests against it to make sure something is not accidentally missed out. The tests can be run for free. A fee is required only if you need to publish them and obtain a certificate from the OpenID Foundation.

The FAPI checklist has instructions how to setup a Connect2id server deployment for FAPI.

Connect2id server 9.5

2020-05-25

This release of the OpenID Connect / OAuth 2.0 server adds two new configuration properties:

  • op.authz.prohibitSwitchBetweenBasicResponseModes -- when enabled the Connect2id server will prevent OAuth clients from switching the normal query response mode for an authorisation request to "fragment" and similarly, for a normal fragment response mode to "query". Disabled by default.

  • op.token.requireClientX509Cert -- when enabled the Connect2id server will require all clients to present a client X.509 certificate at the token endpoint, thus enforcing issue of client certificate bound access tokens (according to RFC 8705). Disabled by default.

We also updated the FAPI checklist and also added instructions how to setup a Connect2id server deployment to run the FAPI certification test suite provided by the OpenID Foundation.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 9.5: Connect2id-server.zip

SHA-256: 2d15486eb97b970a9114e6768ab573b153e2a845e7c151a6babc52253e0e8622

Connect2id server 9.5 WAR package: c2id.war

SHA-256: 5646fd2d02cd32b1ff334a8eca7e0ee5fa71f2bcea1331ca280a4d76fd292b3e

Multi-tenant edition

Apache Tomcat package with Connect2id server 9.5: Connect2id-server-mt.zip

SHA-256: 54b2cbc6882200132d944cd87159c1e37bf3ecf9b44a83eea48451031d393f0c

Connect2id server 9.5 WAR package: c2id-multi-tenant.war

SHA-256: d62201d931254fe9a28fd0dbe02996ec5123e68bf824801cdba540e0800806c5

Questions?

Contact Connect2id support.

Release notes

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.prohibitSwitchBetweenBasicResponseModes -- New optional configuration property. If true client requests to switch between the "query" and "fragment" response modes by setting the response_mode authorisation request parameter are prohibited. The default value is false.

    • op.token.requireClientX509Cert -- New optional configuration property. If true the token endpoint will require a client X.509 certificate from all clients, in order to enforce issue of client certificate bound access tokens (RFC 8705). The default value is false.

EdDSA-signed access tokens in Connect2id server 9.4

2020-05-20

EdDSA for heavy-trafficked OAuth 2.0 server deployments

With this new release of the Connect2id server JWT-encoded access tokens can now be signed with the high-performance EdDSA algorithm. Our benchmarks show a 62x boost over 2048-bit RSA signature (JWS RS256) generation, with verification performance remaining roughly on par. Spending fewer CPU cycles processing tokens on the resource server side matters also, because it weighs on the request processing latency and throughput. The size of the JWT signature is reduced 4 fold.

Operation Ed25519 RSA 2048 ECDSA P-256
Sign 14635 ops/s 236 ops/s 1083 ops/s
Verify 5065 ops/s 8598 ops/s 687 ops/s

EdDSA signed access tokens can significantly improve the performance of heavy trafficked OAuth 2.0 servers that secure public web APIs or microservices. Because the Connect2id server spends significant CPU time signing tokens, EdDSA can also result in reduced CPU bills.

Sample access token with EdDSA:

eyJraWQiOiIyN3pWIiwidHlwIjoiYXQrand0IiwiYWxnIjoiRWREU0EifQ.eyJzdWIiOiJhbGljZSIsI
nNjcCI6WyJvcGVuaWQiLCJlbWFpbCJdLCJjbG0iOlsiIUJnIl0sImlzcyI6Imh0dHA6XC9cLzEyNy4wL
jAuMTo4MDgwXC9jMmlkIiwiZXhwIjoxNTg5ODkwNjMyLCJpYXQiOjE1ODk4OTAwMzIsInVpcCI6eyJnc
m91cHMiOlsiYWRtaW4iLCJhdWRpdCJdfSwianRpIjoiSHZzb0dPU1pUWm8iLCJjaWQiOiIwMDAxMjMif
Q.il7TK6cXdZQzh-WD7rKnvydrCxtjYO_owzfxwJkpVgUjrzPOpeD2pQHImn9NQkUXpwqIPELXFQ3B2Q
912aw4Aw

Decoded:

{
  "typ": "at+jwt"
  "alg": "EdDSA",
  "kid": "27zV"
}
.
{
  "iss": "https://c2id.com",
  "aud": [ "https://c2id.com" ],
  "sub": "alice",
  "cid": "123",
  "scp": [ "openid", "email" ],
  "clm": [ "!Bg" ],
  "iat": 1589890032,
  "exp": 1589890632,
  "uip": { "groups": [ "admin", "audit" ] },
  "jti": "HvsoGOSZTZo"
}
.
il7TK6cXdZQzh-WD7rKnvydrCxtjYO_owzfxwJkpVgUjrzPOpeD2pQHImn9NQkUXpwqIPELXFQ3B2Q
912aw4Aw

How to roll-over to EdDSA-signed access tokens:

  1. Make sure your resource servers can handle tokens signed with EdDSA / Ed25519 (in addition to RSA). The Nimbus JOSE+JWT library has had EdDSA EdDSA since version 6.0. Check out the example code and the library guide for access token validation. If you're using another library or framework for resource servers to validate JWTs it needs to be compliant with the RFC 8037 spec for EdDSA.

  2. Add a signing Ed25518 key to the Connect2id server JWK set. For that you can use the latest version of the provided generator to create a new JWK set, then extract the Ed25519 key from it with the following command:

    cat jwkSet.json | jq '.keys[] | select(.kty=="OKP" and .crv=="Ed25519" and .use=="sig")'

  3. Set the preferred JWS algorithm for the issued access tokens to EdDSA:

    authzStore.accessToken.jwsAlgorithm=EdDSA
  4. Restart / roll-over the Connect2id server to start signing the access tokens with EdDSA. For the multi-tenant Connect2id server it suffices to upload the updated configuration.

Other updates

This release also updates a number of dependencies to their latest stable versions and fixes two issues.

Check the release notes for more information.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 9.4: Connect2id-server.zip

SHA-256: 10302870dba1756d0a3ce53589ef02da818b8c9703a196b7470343891e00223d

Connect2id server 9.4 WAR package: c2id.war

SHA-256: 74c7fcbad60722aee0521bb98215fb0cfae131f5b0416e2cd993c71f3eb222cc

Multi-tenant edition

Apache Tomcat package with Connect2id server 9.4: Connect2id-server-mt.zip

SHA-256: 8116083061a1e2d5f905ad6c30350006b764ae655744710f5fd60400e98e540f

Connect2id server 9.4 WAR package: c2id-multi-tenant.war

SHA-256: c94607335d397f5f0024b70b845e4e2cf133ab0d04d6159aaea651e4626a646a

Questions?

Contact Connect2id support.

Release notes

9.4 (2020-05-20)

Summary

  • Adds support for issuing EdDSA signed JWT-encoded access tokens. Choose EdDSA (RFC 8037) for increased performance and compact signatures. Connect2id benchmarks show EdDSA signature generation with an Ed25519 key receiving a 62x boost over 2048-bit RSA (RS256), with verification remaining roughly on par. The JWT signature size is reduced 4 fold.

    To roll-over to EdDSA signed JWT-encoded access tokens provision the Connect2id server JWK set with a signing Ed25519 key and set the JWS algorithm for access tokens to "EdDSA". Check the configuration notes for details.

Configuration

  • /WEB-INF/jwkSet.json

    • Introduces a new optional Ed25519 octet key pair JWK (key type "OKP") with curve "Ed25519", use "sig" (signature) and requiring a unique key ID. Intended for issuing EdDSA signed JWT-encoded access tokens. To generate and roll-over the EdDSA signing key you can use the latest available Connect2id server JWK set generator, see https://connect2id.com/products/server/docs/config/jwk-set#generation

  • /WEB-INF/authzStore.properties

    • authzStore.accessToken.jwsAlgorithm -- Adds support for signing issued JWT-encoded access tokens with the "EdDSA" JWS algorithm (RFC 8037). Requires the Connect2id server JWK set to be provisioned with a signing Ed25519 key. The default JWS algorithm for signing remains "RS256" with an 2048-bit RSA key due to the ubiquitous JWT library support for RS256.

Resolved issues

  • Calls to the ClaimsSource from a TokenIntrospectionResponseComposer SPI implementation should automatically include any "claims_data" if available for the introspected access token (issue server/561).

  • Fixes a bug which prevented persistence of client registrations into an SQL database where the client_id contains a colon (:) character in combination with some non-alphanumeric characters preceding it. Affected the single-tenant edition of the Connect2id server (issue server/563).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.7

  • Updates to com.nimbusds:nimbus-jose-jwt:8.17

  • Updates to BouncyCastle 1.65

  • Updates to OpenSAML 3.4.5

  • Updates to com.nimbusds:lang-tag:1.5

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.782

  • Updates to com.zaxxer:HikariCP:3.4.5

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.6.0

  • Updates to org.postgresql:postgresql:42.2.12

  • Updates to com.microsoft.sqlserver:mssql-jdbc:8.2.2.jre11

  • Updates DropWizard Metrics to 4.1.8

  • Updates Prometheus to 0.9.0

  • Updates Log4j to 2.13.3

Connect2id server 9.3

2020-05-12

This release of the Connect2id server adds a new plugin interface and updates the SQL and DynamoDB database connectors.

SPI for customising token responses

A new plugin interface enables customisation of token responses. Deployments willing to experiment with the new OAuth 2.0 Rich Authorization Requests (RAR) spec, in development at the OAuth 2.0 WG, can use it to return the required RAR metadata in the token response. We provided a working example.

Token error responses can also be potentially customised.

Database connector updates

The SQL store connector was updated and now has a default configuration where a single SQL connection pool is shared between all Connect2id server maps and caches with data persistence. Support for vertical partitioning is still available.

There is no need to update your current MySQL PostgreSQL, SQL Server and H2 configurations to use the new settings.

The DynamoDB connector was also updated and can now be configured with an HTTP proxy host and port for connections to the database endpoint.

Other

The authorisation session API of the Connect2id server also received a small update and a bug fix.

Check the release notes below for additional information.

Download

To download a ZIP package of Connect2id server 9.3:

https://connect2id.com/assets/products/server/download/9.3/Connect2id-server.zip

SHA-256: 039822d338d981f9dceacb2d19b6ff02e58bb7221fd9fbd7c4b005279a11eccf

As WAR package only:

https://connect2id.com/assets/products/server/download/9.3/c2id.war

SHA-256: 4b01ffa253ba2b6c485fcb36b407c39a224d93337a778caf56715c69a375785f

Questions?

Contact Connect2id support.

Release notes

9.3 (2020-05-12)

Configuration

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Updates the SQL store schema to v2.7 and switches to a single shared database connection pool for all Infinispan map and cache structures used by the Connect2id server. Support for per map / cache connection pool to spread the load over multiple databases (vertical partitioning) is still available.

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Updates the DynamoDB store schema to v1.7 and adds support for configuring an optional HTTP proxy for connections to the DynamoDB endpoint. The HTTP proxy is configured by setting the Java system properties "dynamodb.httpProxyHost" and "dynamodb.httpProxyPort".

Web API

  • /authz-sessions/rest/v3/

    • Exposes the optional "id_token_hint" OpenID authentication request parameter in the authorisation session object (under "auth_req").

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.20

  • com.nimbusds.openid.connect.provider.spi.tokens.response.CustomTokenResponseComposer

    • New SPI for composing custom token success and error responses. Can be used to include additional parameters in an access token response based on the authorisation (consent) "data" parameter, such as an "authorization_details" parameter required in OAuth 2.0 Rich Authorization Requests (draft-lodderstedt-oauth-rar-03).

Resolved issues

  • Previously consented claims appearing in the consent prompt (authorisation session API) must not include language tags. Fixed a bug which prevented stripping of the tags from claim names retrieved from the "clm" field in authorisation records (issue server/558).

  • Enhances the authorisation session API by automatically stripping language tags in the names of consented claims (issue server/559).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.20

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.5

  • Upgrades to com.nimbusds:oauth2-authz-store:14.6

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:4.2.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:3.6.1