Connect2id server 14.5

2023-09-03

Connect2id server 14.5 ships several small updates to its APIs and fixes v14.x issues reported in August.

This release also receives an enhanced redirect_uri validation, to prevent clients from registering or using redirection URIs with query parameters that may lead to authorisation response parameter pollution, as discussed on the 24th of August at the OAuth Security Workshop in London. The extra redirect_uri check is implemented in the underlying OAuth 2.0 / OpenID Connect SDK and will basically block clients from registering (or using) redirection URIs with query parameters that shadow the authorisation response parameters code, state or the JARM response. If a client for some reason is registered with a redirect_uri that contains one of these query parameters it will be forced to re-register with a compliant URI.

More information about what's new or was fixed in v14.5 can be found in the release notes below.

We are currently in the process of reworking our 10 year old connect2id.com website design. Our aim is to make it better, not worse, and to find out what people actually think or want to have improved we've set up this anonymous form. Your feedback will be highly appreciated.

Download 14.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 6ba96842a30c513cf2f29c6c49d196c54bfbec7094b874711712073c5c98b3b9

Connect2id server 14.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 7e8b27a0d9d3a0d75701ba115691732be3b61dec0c2edd2255722f70d80b305d

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 794adc95c528813969298b77c3dd8a5ee4a2ecc1d4809ad10b0fa730b0269c8f

Connect2id server 14.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 5139564949e4317bc16461841aa56b64db97ace2de292688ed66785ad155a90d

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.5 (2023-09-03)

Web API

  • /clients

    • Prevents registration of clients with "redirect_uris" that include a "code", "state" or "response" query parameter. OAuth 2.0 generally allows a client "redirect_uri" to include query parameters, which may be used, for instance, to process authorisation responses from multiple OAuth 2.0 servers or OpenID providers. This is a security measure that follows a recent recommendation that clients must not include query parameters in a registered "redirect_uri" with names used by the OAuth 2.0 authorisation response.

  • /authz-sessions/rest/v3/

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.max_age" member of type array to represent the maximum authentication age in OpenID authentication requests.

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.acr_values" member of type array to represent the Authentication Context Class Reference values in OpenID authentication requests.

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.login_hint" member of type string to represent the login hint in OpenID authentication requests.

    • Rejects OAuth 2.0 authorisation and OpenID authentication requests with a "redirect_uri" that includes a "code", "state" or "response" query parameter with an "invalid_request" error. Redirection URIs with query parameters that match the name of an OAuth 2.0 authorisation response parameter are deemed unsafe. Clients that use such query parameters in a "redirect_uri" must re-register with a new compliant redirection URI.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.59

    • The CustomTokenResponseComposer SPI extends Lifecycle.

Resolved issues

  • Alters the Oracle "clients" table definition of the "jwks" column from VARCHAR2(4000) to CLOB (issue server/910).

  • Logs the IDTokenIssueEventListener SPI and AccessTokenIssueEventListener SPI enabled status (issue server/915).

  • Isolates expended rotated self-contained (JWT) refresh tokens by subject (end-user) session ID when the refresh token is issued in a OAuth 2.0 authorisation code grant. For clients with multiple instances per subject (end-user) where the consent is transient (long_lived=false) (issue authz-store/223).

  • Logs the OP8041 INFO message only when there are explicit OpenID Connect Federation 1.0 clients reaped (issue server/916).

  • Removes redundant Infinispan externalisers used in the OpenID Connect Federation 1.0 explicit client index (issue server/917).

  • Fixes an HTTP 500 Internal Server Error at the authorisation session web API when receiving an OpenID authentication request with certain illegal JSON in the claims parameter that produced an OAuth 2.0 "error_description" with an illegal double-quote character according to RFC 6749, section 5.2 (issue server/919).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.59

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.14.2

  • Updates to com.nimbusds:oauth2-authz-store:24.6

  • Updates to net.minidev:json-smart:2.4.11

  • Updates to com.google.crypto.tink:tink:1.10.0

Connect2id server 14.4 introduces Rich Authorisation Request (RAR) type checking

2023-08-11

RAR

This Connect2id server release is another step towards a complete built-in support for OAuth 2.0 Rich Authorisation Requests (RFC 9396).

Identity providers and OAuth 2.0 servers that implement this recent OAuth 2.0 extension can now use the op.rar.supportedTypes configuration property to list the supported RAR types. In RAR the JSON objects that express the authorization_details have an explicit "type" to aid their parsing and validation.

Example configuration listing two supported RAR object types:

op.rar.supportedTypes=account_information,payment_initiation

The supported types will then be published in the OpenID provider metadata where clients and developers can discover them.

Example server metadata snippet:

{
  "issuer"                                : "https://c2id.com",
  "jwks_uri"                              : "https://c2id.com/jwks.json",
  ...
  "authorization_details_types_supported" : [ "account_information",
                                              "payment_initiation" ],
  ...
}

When RAR types are configured the Connect2id server will not only include them in the published server metadata, but will also use them to check the authorization_details parameter in received authorisation and token requests. If the type is supported the request can proceed, if not the server will return an invalid_authorization_details to the client. Previously this check had to be done by creating dedicated PAR validator and / or authorisation request validator plugins.

Within the authorisation session web API the authorization_details parameter can now be accessed by handler logic in the session object under auth_req.authorization_details.

H2 database upgrade

This release also changes the version number of the embedded H2 database, from v2.1.x to v2.2.x. Connect2id server deployments that use this database must migrate any records they wish to retain, because the newer version uses an updated DB file format.

You can find more information about this new release in the notes below.

Download 14.4

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.4: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 9958cc9a99096f671a5b202d7ba2bc75e0491a5337c1c2051eaffeb7b5549d8d

Connect2id server 14.4 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: e497e17a1c52d5b26d4e90bb80bf0cf04d928ce0b3ed2638c1a203400a976d9a

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.4: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 5bd816bf6c8787011cad227665817a88fa023cb1ca701beef7bd739a11bb4f62

Connect2id server 14.4 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 35890ad0202c329f9521c8a4db0f49e9f36a9981b9a1bab7f7ee7599a1547065

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.4 (2023-08-11)

Summary

  • Connect2id server deployments that implement OAuth 2.0 Rich Authorisation Requests (RAR) (RFC 9396) can use a new "op.rar.supportedTypes" configuration property to let the server check the types of "authorization_details" in received requests and reject requests with unsupported RAR types. The supported types will also be advertised in the "authorization_details_types_supported" OpenID provider metadata field.

  • Connect2id server deployments with an embedded H2 database are upgraded from 2.1.x to the latest stable 2.2.x release. Database files created in the older H2 version are not compatible. Existing records (where they must be retained) must be migrated.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.rar.supportedTypes -- New optional configuration property to list the supported OAuth 2.0 Rich Authorisation Request (RAR) (RFC 9396) types. When specified the "authorization_details" in OAuth 2.0 authorisation / OpenID authentication requests and token requests will be checked and those with an unsupported type will be rejected with an "invalid_authorization_details" error. The types will also be advertised in the "authorization_details_types_supported" OpenID provider metadata field. The default value is none (no check).

Web API

  • /.well-known/openid-configuration

    • authorization_details_types_supported -- New optional metadata field listing the supported OAuth 2.0 Rich Authorisation Request (RAR) (RFC 9396) types. Omitted if not specified.

  • /authz-sessions/rest/v3/

    • The authorisation session object (obtainable via an HTTP GET request) receives an optional "auth_req.authorization_details" member to represent the Rich Authorization Request (RAR) (RFC 9396) parameter in OAuth 2.0 authorisation requests and OpenID authentication requests.

Resolved issues

  • The UserInfo endpoint must not request claims from the sourcing SPI that are pre-set (e.g. supplied via "preset_claims.userinfo" in the authorisation session API) (issue server/885).

  • Updates JWT minting to support the inclusion of null-valued top-level claims, which can legitimately occur in data returned from the claims source SPI. The claims set in plain (unsecured) UserInfo responses and JWT-secured UserInfo responses will thus be identical for those cases when claims with null values are included, previously omitted in a JWT (issue server/906).

  • The "authorization_details" parameter must be obtainable in the AuthorizationRequestValidator and PARValidator SPIs (issue server/907).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.5.3

  • Updates to com.nimbusds:oidc-session-store:16.4.4

  • Updates to com.h2database:h2:2.2.220

Connect2id server 14.3

2023-08-07

This Connect2id server release fixes a bug in earlier 14.x versions that caused marshalling errors in deployments configured with a Redis store for cached and short-lived objects.

The optional op.reg.clientIDByteLength configuration property was updated to limit the possible lengths to 48 bytes. The preferred_client_id registration parameter is also bounded now, to 80 characters, and when exceeded will cause the client registration endpoint to return an HTTP 400 Bad Request with an invalid_client_metadata error.

The underlying OAuth 2.0 / OpenID Connect SDK dependency was updated and now includes support for RAR (RFC 9396). CustomTokenResponseComposer SPI plugins that implement RAR should be recompiled for potential conflicts with the new RAR API in the SDK, and updated when feasible to utilise the new type-safe RAR classes when adding an authorization_details parameter to the a token response.

Built-in RAR support is on the Connect2id server roadmap and will be included in a future release.

You can find more information about this new release in the notes below.

Download 14.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: f0093e81657e540659c9240049a6ccb305d7e8508be9c22b0ffe8adc20b13d8f

Connect2id server 14.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a8c79fc998bde94f46eed07688db1b578ab0a71f67002dcedd003e8d2c3bec82

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a6853a25f1dd621b8615513d2d289224759c99659517c207bb93301c1da8c2bc

Connect2id server 14.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 49c664dd9f0456876e33a4fea3985f07c5b694059502810c8599e2ef69a660ae

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.3 (2023-08-07)

Summary

  • Connect2id server 14.x deployments with a Redis store should update to this release which fixes an issue related to ProtoBuf marshalling.

  • The OAuth 2.0 / OpenID Connect SDK dependency was updated to v10.13.2 which includes native OAuth 2.0 Rich Authorisation Requests (RAR) (RFC 9396) support. CustomTokenResponseComposer SPI plugins that implement RAR should be recompiled and updated if feasible to utilise the new type-safe methods of AccessTokenResponse when adding an "authorization_details" parameter to the response.

    Built-in RAR support is on the Connect2id server roadmap and will be included in a future release.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.reg.clientIDByteLength -- Updates the configuration property check, the length of generated client identifiers must not exceed 48 bytes.

Resolved issues

  • The client registration endpoint must return HTTP 400 Bad Request on a preferred_client_id that exceeds the max number of characters (80) that can be stored (issue server/901).

  • Fixes the authorisation code ProtoBuf marshalling in replication cluster and Redis based Connect2id server deployments (issue server/902).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.13.2

  • Updates to com.nimbusds:oauth2-authz-store:24.5.2

  • Updates Infinispan to 14.0.13.Final

  • Updates to org.slf4j:slf4j-api:2.0.7

Connect2id server 14.2 introduces reuse grace period for rotated refresh tokens

2023-07-17

The current OAuth 2.0 best practices mandate refresh tokens issued to public clients to be either sender-constrained (with mTLS or DPoP) or rotated, to prevent replay if the refresh token suffers a leak and gets in the hands of a malicious actor.

One recognised drawback of rotation is potential false positives for legitimate public clients with a slow or poor network connection, which may lead to situations when the OAuth 2.0 server has successfully processed the token request and output the response with new newly minted access and refresh tokens, but the client being unable to retrieve them due to an HTTP timeout or an interrupted connection. The client will then typically retry the request with the previous refresh token, but because the server has flagged that token as already rotated the client will get an invalid_grant error.

To mitigate such networking issues the Connect2id server introduces a short grace period during which the client may retry the token request with the same refresh token. This grace period is 5 seconds. To change it we added a new configuration property:

authzStore.refreshToken.rotatedReuseGracePeriod=5

To monitor the frequency of rotated refresh token reuses - those that were allowed to proceed within the grace period and those that were rejected, two new meters were added:

  • authzStore.rotatedRefreshTokenAllowedReuses -- Meters allowed reuses of rotated refresh tokens within the configured grace period.

  • authzStore.rotatedRefreshTokenReplayRevocations -- Meters authorisation revocations due to rotated refresh token replay.

The Connect2id server log records the individual rotated refresh token replays and what particular action was taken. Together this information may be used to fine-tune the grace period.

Example rotated refresh token reuse within the grace period (grep for AS0285):

INFO TOKEN - [OP6204] Confidential client authenticated: client_id=etxmlfglafhn2 method=client_secret_basic client_auth_id=dUEgk8M0Bue_5AJR
INFO AUTHZ-STORE - [AS0285] Expended refresh token check: Allowed reuse within 1s: last_token_iat=1689583263 checked_token_iat=1689583257
INFO AUTHZ-STORE - [AS0280] Issued access token: sub=alice act= client_id=etxmlfglafhn2 scope=[read, write]

Example rotated refresh token reuse that was denied and triggered the customary revocation of the client's tokens for the subject (grep for AS0278):

INFO TOKEN - [OP6204] Confidential client authenticated: client_id=hxds4i5olwtqc method=client_secret_basic client_auth_id=PNRC_b0DADRbx0Xx
INFO AUTHZ-STORE - [AS0278] Revoked authorizations due to replay of rotated self-contained refresh token: sub=alice act=null client_id=hxds4i5olwtqc
INFO AUTHZ-STORE - [AS0270] Invalid or expired refresh token: client_id=hxds4i5olwtqc
INFO TOKEN - [OP6201] Token error response: invalid_grant: Invalid grant

This release also fixes two store related bugs that appeared in major 14.0 release last month. You can find more information in the release notes below.

Download 14.2

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.2: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 82eb1e8590911a982928825e6b9e77027fb35f04378ab9e19a37fe8a9b6e5b9f

Connect2id server 14.2 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 8a1b8e712afb4fad319ae784c51dfe0d496fcf84ad5b6cddf8ef15f106610624

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.2: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 37764086c22ac4b2b35e539e647028010b919877892a81f794027daccd469109

Connect2id server 14.2 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9e8bad8ad454a7b2755fcd61fe2c07b32cf4006f16c6ba82e396fbbd734f3e6f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.2 (2023-07-17)

Configuration

  • /WEB-INF/authzStore.properties

    • authzStore.refreshToken.rotatedReuseGracePeriod -- New optional configuration property specifying a grace period in seconds during which a client may repeat a request with the same rotated refresh token without triggering the customary token revocation. Intended to enable token request retrial on slow / poor networks where the HTTP response times out after issue of the new token. Currently supported only for refresh tokens linked to short-lived (transient) authorisations. The default value is 5 seconds.

Web API

  • /token

    • A client may repeat a token request with a rotated refresh token within the configured "authzStore.refreshToken.rotatedReuseGracePeriod" period without triggering the customary token revocation when the Connect2id detects a replay of a rotated refresh token. Intended to enable token request retrial on slow / poor networks where the HTTP response times out after issue of the new token. Currently supported only for refresh tokens linked to short-lived (transient) authorisations.

  • /monitor/v1/metrics

    • "authzStore.rotatedRefreshTokenReplayRevocations" -- New meter of authorisation revocations due to rotated refresh token replay.

    • "authzStore.rotatedRefreshTokenAllowedReuses" -- New meter of the allowed reuses of rotated refresh tokens within the configured grace period.

Resolved issues

  • Fixes Redis HMGET retrieval of the "last used" (u) field in the Infinispan Redis connector that caused subject session max_idle > 0 to not be observed in Connect2id server deployments with a Redis store (issue server/899).

  • Writes to Oracle database CLOB / NCLOB fields with long strings that trigger the string concatenation work-around must escape quote chars (issue sql-store/20).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:24.5.1

  • Updates Infinispan to 14.0.11.Final

  • Updates to com.nimbusds:infinispan-cachestore-sql:7.0.4

  • Updates to com.nimbusds:infinispan-cachestore-redis:10.0.2

  • Updates to BouncyCastle 1.74

  • Updates to com.google.crypto.tink:tink:1.9.0

Connect2id server 14.1

2023-06-30

This is a mini Connect2id server update to the 14.0 release that appeared on Tuesday. It fixes an incorrect server SDK dependency declaration, which means 14.1 is the version to upgrade to (and not 14.0) from 13.x or older versions.

Support for OpenID Connect Federation 1.0 is bumped to the most recent stable 29 draft, in particular the new policy language.

There is also a new config to disable the automatic inclusion of X.509 certificate chains (x5c) in the JWS headers of signed authorisation responses (JARM).

If the configured Connect2id server signing keys have certificates, the server will automatically include them in the JWS header, unless the server is instructed not to do so. This will result in smaller JARM JWTs:

op.authz.responseJWTIncludeX5C=true

This configuration works similarly to the existing op.idToken.includeX5C and authzStore.accessToken.includeX5C configs.

More information can be found in the release notes below. If you have questions or need assistance with the new release contact us.

Download 14.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 14.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c491ca76c1b8949f3a4df5147ec739eefb7057454091b26dc781b719eb3ee487

Connect2id server 14.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ad70418441faf02a3895d0a2ac01365f679ff22208b9ed8aedfd26e84b83d261

Multi-tenant edition

Apache Tomcat package with Connect2id server 14.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 9fd68c5ca04ad91ad6939f56efbb48ce14879928fde062e7993bd24e9e5cfacb

Connect2id server 14.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: ad70418441faf02a3895d0a2ac01365f679ff22208b9ed8aedfd26e84b83d261

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

14.1 (2023-06-30)

Summary

  • Upgrades OpenID Connect Federation 1.0 policy support to draft 29.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.responseJWTIncludeX5C -- New optional configuration property of type boolean to enable / disable inclusion of the X.509 certificate chain ("x5c") header parameter in signed OAuth 2.0 authorisation responses (JARM) when the signing JWK is provisioned with a certificate. The default value is true (enabled).

Resolved issues

  • The com.nimbusds:c2id-server-sdk dependency must not be SNAPSHOT, but 4.58 (issue server/898).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.58

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.10.1

  • Updates to io.dropwizard.metrics:metrics-core:4.2.19