Connect2id server 13.7.1

2023-04-05

This maintenance release of the Connect2id server fixes a bug that affected the OAuth 2.0 token exchange grant and also updates selected dependencies. Details can be found in the release notes below.

Download 13.7.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.7.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: dd82ec7cd211b02a6f4aba5985ad33ec476f3948eac1a6bb49c33acb9b7e3f88

Connect2id server 13.7.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 9bbcadc11fbea14f911875ebe3efe85e09134906fdc0db62c003b3cb43c45392

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.7.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 5550c31ad66237c4c54d1d813666240b633d1ab95043f16419ebe0f65f8dea21

Connect2id server 13.7.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9ed6fdfdb792108942a4f462758ea4450969c589aadeb91e140858ddd54880ae

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.7.1 (2023-04-05)

Resolved issues

  • Loading of a TokenExchangeGrantHandler SPI implementation was not reflected in the OpenID provider / OAuth 2.0 authorisation server metadata (issue server/849).

Dependency changes

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.8

  • Updates Log4j to 2.20.0

Connect2id server 13.7

2023-03-30

This Connect2id server release introduces two new configuration properties and fixes a bug affecting DPoP.

New configuration properties

op.idToken.includeX5C -- this configuration makes it possible to control the inclusion of X.509 certificate (chains) in the JWT header of issued ID tokens. The X.509 certificate get automatically included by the Connect2id server when one is found in the configured signing keys. To disable this behaviour and issue leaner ID tokens set this configuration property to false.

op.idToken.includeX5C=false

op.reg.allowNonTLSLogoutURIsForTest -- the configuration allows the registration of OpenID relying parties as clients with a frontchannel_logout_uri or backchannel_logout_uri that is an insecure (plain) HTTP URL. This is intended to help with test and devops deployments that cannot issue HTTPS certificates. Unsecured logout URLs must not be used in production!

op.reg.allowNonTLSLogoutURIsForTest=true

You can find more information about the frontchannel_logout_uri and backchannel_logout_uri parameters in their respective specifications:

Bug fixes

This release fixes a bug that affected DPoP access tokens. If you have a Connect2id server deployments that issues identifier-based access tokens with DPoP and are using the stateless server mode you should upgrade to this version. Deployments that issue JWT-encoded access tokens or use a replication cluster or Redis are not affected.

Download 13.7

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.7: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: eec7f9bdb26b4d9eb2228c629a0c58ef3a015b82209727375387f6e75e957de6

Connect2id server 13.7 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 650dab0e9a0dd20ec8581e9af5df5bd94a21b2edda8a74954365663a3ab9ebde

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.7: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 2198b564012f801b2ac14270e3ad4a1a48b67d7cb84bfd9b2988100364175673

Connect2id server 13.7 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 1a05a2721defb30fdcaf4b866eb5ecb52088b0973cad8edfc55c8e9e5661b172

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.7 (2023-03-30)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.idToken.includeX5C -- New optional configuration to control inclusion of the "x5c" (X.509 certificate chain) header parameter in issued ID tokens when the signing JWK is provisioned with a certificate. The default value is true.

    • op.reg.allowNonTLSLogoutURIsForTest -- New optional configuration property to allow registration of non-TLS (plain HTTP) front and back-channel logout URIs for test and development purposes. The default value is false (not allowed). Must not be allowed in production!

Resolved issues

  • The JWK thumbprint (jkt) confirmation must be persisted in the "cnf" column of the "id_access_tokens" SQL table for identifier-based DPoP access tokens (issue authz-store/205).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7.1

  • Updates to com.nimbusds:oauth2-authz-store:19.5.1

  • Updates to net.minidev:json-smart:2.4.10

  • Updates to com.google.crypto.tink:tink:1.8.0

  • Updates to com.google.code.gson:gson:2.10.1

  • Updates to com.fasterxml.jackson.core:jackson-databind:2.13.4.2

Logout API updates in Connect2id server 13.6

2023-02-22

The logout API of the Connect2id server was updated to make it more intuitive and developer friendly.

  • The logout end response message gets a new sub_session_closed parameter to provide a clear hint when the browser session should be deleted.

  • Post-logout redirections requested by the client will be processed regardless of whether an end-user session is present or not. Previously the Connect2id server would ignore them if there is no active end-user session.

More information can be found in the release notes below.

Download 13.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: bdb91c4cc8a2f32ebc63457251aa5876d2d54685eb1d9ab99c2a3749d070af00

Connect2id server 13.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 12e4671bc92918425571cdd1fc0762735d82d919ba4adc893c1dcdbc14a810a6

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 65219b215d4afce61d1d2017da0eaad03108af0c61344c2f7a331dbb5caadd94

Connect2id server 13.6 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8b540c2865b3bb7eb6aa1c8ba87b2c4249da60654c4b493a8dffa47e82c9f54f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.6 (2023-02-22)

Summary

  • Updates to the logout session API.

Web API

  • /logout-sessions/rest/v1/

    • Adds new "sub_session_closed" parameter to the logout-end message, of type boolean {true|false}. When true indicates the Connect2id server closed the end-user session in response to an IdP-initiated logout request, or in response to an RP-initiated logout request with a submitted end-user confirmation that included the choice to log out of the IdP as well. To be used as a hint to delete the browser cookie linked to the session. Note that the deletion of the session cookie is not critical, because the session ID is invalidated on the server side.

    • The logout session API is updated to proceed with a requested "post_logout_redirect_uri" when there is no present end-user session, or the session has expired. Previously the redirection request by the relying party (RP) would be silently ignored. This change conforms with OpenID Connect RP-Initiated Logout 1.0 (see section 4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.31

Connect2id server 13.5

2023-02-20

This Connect2id server release ships three new features.

  • Single sign-on (SSO) can be disabled for selected clients. Intended as a lightweight alternative to fully-isolated client-based sessions.

  • The session store API gets a new resource that enables changes to the authentication lifetime of end-user sessions.

  • Client secret store plugins can return the encoded (hashed) secret in client read responses using a new custom encoded_client_secret client metadata field.

This release also fixes two reported bugs affecting the logout API and OpenID Connect Federation 1.0.

Detailed information is available in the release notes below.

Download 13.5

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: faf122c1be83aeff84961b7cb12a73a7787e885991d71dfd4049792c72b3ba02

Connect2id server 13.5 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: a586dd25af1e9b711a495bd533fe07845471e51a7629d45a812ba4b3deea59ca

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.5: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: f614ad4c03c6eb2f076d5bb2c0c9888ac56bdb20888ced811f0747127344672d

Connect2id server 13.5 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: b610a9b1d703a7d1dbffd5032875fb459663c93e0d07d6dd2b46fe46648dd084

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.5 (2023-02-20)

Summary

  • Single sign-on (SSO) can be disabled for selected clients.

  • New session store web API resource for modifying the authentication lifetime of an end-user session.

  • Client secret store plugins can return the encoded secret in client read responses using a new custom "encoded_client_secret" client metadata field.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.sso.disableForSelectedClients -- New optional configuration property to disable single sign-on (SSO) for selected registered clients. Ensures end-users will be always (re)authenticated on the first OAuth 2.0 authorisation / OpenID authentication request when end-user has an existing session with the Connect2id server. Subsequent requests from the client received into the same end-user session will be processed as usual, without triggering re-authentication of the end-user.

      Disabling SSO for a client creates the effect of "virtual" client-based sessions with the Connect2id server.

      Clients with disabled SSO are selected by configuring a JSON query that accepts the client registration (as JSON object representation) and returns a boolean true result. The default configuration property is no selector specified.

      Example JSON query to disable SSO for clients which registered a custom data JSON object containing a disable_sso member set to true: .data.disable_sso==true.

      The Connect2id server logs the configured JSON query at INFO level with the ID OP0090.

Web API

  • /session-store/rest/v2/

    • Adds a new /sessions/subject-auth-life resource supporting a PUT method to change the authentication lifetime of a session. The value is specified as an integer number of minutes, where -1 means infinite (no timeout) and 0 implies the default lifetime from the sessionStore.authLifetime configuration property. Returns HTTP 204 No Content on success.

  • /clients/

    • Connect2id server deployments with a ClientSecretStoreCodec plugin for encoding (hashing or encrypting) client secrets before committing them to storage will include the stored client secret in an "encoded_client_secret" metadata field in responses to client registration read (HTTP GET) requests. Note, in order to provide the metadata field in registration read responses the ClientSecretStoreCodec.decode method must return a DecodedSecret.withEncodedValue.

  • /monitor/v1/metrics

    • Adds new sessionStore.sessionAuthLifetimeUpdates meter.

Resolved issues

  • The OpenID Connect Federation 1.0 "value" policy check must support JSON objects (issue oidc-sdk/419).

  • Fixes a bug that prevented return of the state parameter in RP-initiated logout requests with a post_logout_redirect_uri when there is no frontchannel_logout_uri registered for the client (issue server/831).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.7

  • Upgrades to com.nimbusds:oidc-session-store:15.3

  • Adds net.thisptr:jackson-jq:1.0.0-preview.20220705

Connect2id server 13.4.1

2023-02-09

This is a maintenance release of the Connect2id server.

It fixes two recently reported bugs affecting automatic clients in OpenID Connect Federation 1.0 deployments, reported during GAIN interop testing. GAIN is a project of the OpenID Foundation to devise and test a global scheme for verified identities, a scheme that can work across various identity ecosystems and jurisdictions, and is capable of automating the trust establishment, OP & RP metadata discovery and client registration.

The feeding and logging of X.509 certificate based Connect2id server keys (this includes keys stored in a HSM) was also optimised. We took the opportunity to enhance the guide for using an HSM, with tips how to manage their validity time windows and rotation.

There is more information about the resolved issues in the notes below.

The next major 14.0 release will be shipped in the coming weeks. It will include a major upgrade of the embedded Infinispan from version 9.4.x to 14.x and performance optimisations of the SQL, DynamoDB and Redis connectors. Oracle will become a supported RDBMS; support for LDAP as backend database will be removed.

Download 13.4.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 70515364029ad787d9f451d806386ad5529243390c635747a4813b4cca42fa6e

Connect2id server 13.4.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: faae7f3518ced76fd89928e1d0cd9d9ea1cdbbf5e9347436f9ced6721de6b11a

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.4.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 453918111bffc3e0565ae892acd6abdabc54137bdf33b9aa841d582baa1a89e9

Connect2id server 13.4.1 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 9b6560b3b85c2360a208fd1ddc1867f58434d71435dd64955886d58e23999d59

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.

Release notes

13.4.1 (2023-02-09)

Resolved issues

  • The "aud" of request objects (JARs) passed by OpenID Connect Federation 1.0 clients must include the OpenID provider issuer URL, not the authorisation endpoint URL (issue server/825).

  • Fixes a bug that prevented client metadata shaped by a FinalMetadataValidator SPI plugin from appearing in the authentication prompt message when the op.authz.includeClientInfoInAuthPrompt configuration property is set to true and the requesting client is an automatic OpenID Federation 1.0 client that was just registered (issue server/826).

  • The signing JWK feeder when dealing with X.509 certificate based JWKs should bias the key selection to pick the key with the farthest certificate expiration date. This is to ensure optimal roll-over of RSA and EC signing JWKs with an X.509 certificate (issue jwk-set-loader/5).

  • Fixes the SE2000 error log message on failing to find a signing key with a currently valid X.509 certificate (according to its not-before and not-after attributes). The message must apply to both regular (in-memory) keys with an X.509 certificate and HSM keys with a certificate (issue jwk-set-loader/4).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.30.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2.2