New access token configurations in Connect2id server 12.13

This release of the Connect2id server ships new possibilities for feeding additional (custom) claims into JWT-encoded access tokens and laying them out in a suitable way for the intended resource servers.

Feeding custom claims from the client registration

There is now a new authzStore.accessToken.codec.jwt.copyClientData configuration to direct the Connect2id server to take selected members from the optional "data" field in client registrations and make them available as top-level JWT claims in access tokens issued to the client.

For example, to copy the data.org_id member (if present) from client registrations and paste it into the access tokens:

authzStore.accessToken.codec.jwt.copyClientData=org_id

The updated access token guide has details, tips and examples on how to use this new configuration parameter.

Moving authorisation data claims to the top-level

The "dat" (data) field in internal authorisation objects has provided Connect2id server deployments with a simple method for storing custom parameters related to the authorisation grant and making them available in issued access tokens. This is done by simply copying the "dat" JSON object into the token claims set.

Example access token claims with a custom dat claim:

{
  "sub"       : "449d693f-c0b8-4088-8ed6-6607d3c95853",
  "client_id" : "ieJ0iefo",
  "scope"     : "https://api.example.com/read",
  "dat"       : {
     "enforce_single_use" : true,
     "app_ctx"            : "ext"
  }
  ...
}

Deployments that need selected members of the "dat" JSON object to appear as top-level access token claims can now do so with the following configuration: authzStore.accessToken.codec.jwt.moveAuthzData

Example config to make dat.enforce_single_use a top-level claim:

authzStore.accessToken.codec.jwt.moveAuthzData=enforce_single_use

The resulting access token claims:

{
  "sub"                : "449d693f-c0b8-4088-8ed6-6607d3c95853",
  "client_id"          : "ieJ0iefo",
  "scope"              : "https://api.example.com/read",
  "enforce_single_use" : true,
  "dat"                : {
     "app_ctx" : "ext"
  }
  ...
}

The usage of this new configuration is also explained in the access token guide.
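To make the copy versus move semantics of the two properties concrete, here is an added example (not Connect2id server code) that applies both configurations to a claims set in plain Python. It reads the two properties from a constructed authzStore.properties fragment, copies selected members of the client registration's "data" object without altering the registration, moves selected "dat" members out of the nested object, honours the "*" wildcard, and skips members that are not present. The collision rule is this example's own assumption: the page does not say how the server handles a client data or "dat" member whose name matches a reserved claim such as sub or client_id, so the example refuses to mint such a token rather than let registration-supplied data shadow the identity claims a resource server relies on.

```python
"""Reproduces the copyClientData / moveAuthzData claim layout described above.
Added example, not Connect2id server code: member selection follows the page,
the collision rule is this example's own assumption."""
import json

CONFIG_KEY_COPY = "authzStore.accessToken.codec.jwt.copyClientData"
CONFIG_KEY_MOVE = "authzStore.accessToken.codec.jwt.moveAuthzData"

# Constructed sample of the relevant lines from /WEB-INF/authzStore.properties
SAMPLE_PROPERTIES = """
# copy data.org_id from the client registration (if present)
authzStore.accessToken.codec.jwt.copyClientData=org_id
# lift dat.enforce_single_use out of the authorisation data object
authzStore.accessToken.codec.jwt.moveAuthzData=enforce_single_use
"""

# Constructed client registration "data" field (org_id value is made up) and
# base token claims modelled on the page's example.
SAMPLE_CLIENT_DATA = {"org_id": "acme-corp", "tier": "gold"}
SAMPLE_BASE_CLAIMS = {
    "sub": "449d693f-c0b8-4088-8ed6-6607d3c95853",
    "client_id": "ieJ0iefo",
    "scope": "https://api.example.com/read",
    "dat": {"enforce_single_use": True, "app_ctx": "ext"},
}

# Registered JWT / OAuth claim names that custom data must never shadow.
# Assumption: the page does not state how the server resolves such a
# collision, so the example treats it as a configuration error.
RESERVED_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nbf", "jti",
                   "client_id", "scope", "cnf", "dat"}


def parse_properties(text: str) -> dict:
    """Minimal key=value parser, enough for the two properties used here."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def select_members(spec: str, obj: dict) -> list:
    """Resolve a comma-separated member list against obj. "*" selects every
    member; named members are returned only if actually present."""
    names = [n.strip() for n in spec.split(",") if n.strip()]
    if "*" in names:
        return list(obj)
    return [n for n in names if n in obj]


def _check_target(claims: dict, name: str, source: str) -> None:
    """Refuse to overwrite a reserved or already present top-level claim."""
    if name in RESERVED_CLAIMS or name in claims:
        raise ValueError(f"{source} member {name!r} would overwrite an existing claim")


def copy_client_data(claims: dict, client_data, spec: str) -> dict:
    """copyClientData: copy selected members of the registration's "data"
    object into the claims set; the registration itself is left unchanged."""
    if not spec or not isinstance(client_data, dict):
        return claims
    for name in select_members(spec, client_data):
        _check_target(claims, name, "client data")
        claims[name] = client_data[name]
    return claims


def move_authz_data(claims: dict, spec: str) -> dict:
    """moveAuthzData: move selected members out of "dat" to the top level.
    Remaining "dat" members stay nested, as in the page's example."""
    dat = claims.get("dat")
    if not spec or not isinstance(dat, dict):
        return claims
    for name in select_members(spec, dat):
        _check_target(claims, name, "authorisation data")
        claims[name] = dat.pop(name)
    return claims


def build_access_token_claims(base_claims: dict, client_data, props: dict) -> dict:
    """Apply both configurations to a fresh copy of the base claims."""
    claims = dict(base_claims)
    if isinstance(claims.get("dat"), dict):
        claims["dat"] = dict(claims["dat"])  # do not mutate the caller's object
    copy_client_data(claims, client_data, props.get(CONFIG_KEY_COPY, ""))
    move_authz_data(claims, props.get(CONFIG_KEY_MOVE, ""))
    return claims


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print(json.dumps(build_access_token_claims(SAMPLE_BASE_CLAIMS, SAMPLE_CLIENT_DATA, cfg), indent=2))
```

Running the block prints the page's second claims set plus a top-level org_id, with "dat" reduced to app_ctx. The point of the reserved-claim check is that client registration data is often writable through dynamic registration or by a tenant administrator, so a resource server that trusts a top-level org_id or sub should not be able to receive one that the registration, rather than the authorisation server, decided.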

Download 12.13

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.13: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 2ab142228d456e2ff9efec3c9e7ad196062a7d39f0116923c5f1e9d489f46f28

Connect2id server 12.13 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 1b6a273ff7625bf62d4dc1ae4c6dba06c34a44ff0b91a4c8d317fae8a7c2c223

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.13: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0fdf5a6fe700f2861d7c74d9a9f0c08e3fae8897c69e36f8046c02e28dbc4007

Connect2id server 12.13 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: f32676fd296eb3ea00da3daa684bbe1b1027a361892b05af0be9f427da9db278

Questions?

If you have technical questions about this new release, contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales.


Release notes

12.13 (2022-06-20)

Summary

  • The default Connect2id server codec for self-contained (JWT-encoded) access tokens can now insert selected elements from the client data field and the authorisation data fields as top-level JWT claims. Deployments can use this feature to conform to access token profiles without a custom SelfContainedAccessTokenClaimsCodec plugin.

Configuration

  • /WEB-INF/authzStore.properties

    • authzStore.accessToken.codec.jwt.copyClientData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists the names of members in the client registration's "data" JSON object to copy as top-level JWT claims. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged in, this setting has no effect.

    • authzStore.accessToken.codec.jwt.moveAuthzData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists the names of members in the authorisation "dat" (data) JSON object to move to top-level JWT claims in access tokens minted by the default self-contained access token encoder. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged in, this setting has no effect.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.45

    • Updates the SelfContainedAccessTokenClaimsCodec SPI by adding a new TokenEncoderContext.getOIDCClientInformation method.

    • Updates the AccessTokenIssueEventListener and IDTokenIssueEventListener SPIs by adding a new EventContext.getOIDCClientInformation method.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.45

  • Upgrades to com.nimbusds:oauth2-authz-store:18.1

  • Upgrades to com.nimbusds:common:2.49