Connect2id server 12.6 with major upgrade to Identity Assurance / eKYC support

Identity Assurance / eKYC upgrade

In September 2021 the Identity Assurance / eKYC extension to OpenID Connect received a major upgrade and was later voted to become an implementer's draft, a crucial step towards reaching standard status.

The changes fall into three areas:

  • Revision of the verification data element, to make a clear distinction between the process of verifying that the user is the owner of the claims and the process that involves the validation of evidences, such as ID cards or electronic records. The concept of assurance level was factored out and is no longer a part of the trust framework identifier. A new taxonomy for the identity evidences was created, which now has the types document, electronic_record, vouch, utility_bill and electronic_signature. Finally, there is a possibility to deliver attachments to relying parties, such as scanned documents.
  • Revision of the OpenID provider metadata, adding new fields and deprecating others.
  • Definition of two new OpenID claims: msisdn, also_known_as and address.country_code.

The changes are outlined in the history section of the Identity Assurance / eKYC draft, but due to the numerous significant changes we recommend studying the entire spec.

The Connect2id server is now updated to support the new syntax for the verification data element. The old (deprecated) syntax will continue to work with the server as well as with the underlying OAuth 2.0 / OpenID Connect SDK.

The server configuration for eKYC was also updated so the new fields can be advertised in OpenID provider metadata. Note that fields related to the deprecated id_document type should no longer be used. The changes in configuration and OpenID provider metadata are explained in the release notes below.

If you are interested in adopting Identity Assurance / eKYC in your Connect2id server deployment start here.

If you use our open source OAuth 2.0 / OpenID Connect SDK to construct verification data on the server side, or within a client application that relies on an IdA / eKYC provider, you will find these improvements:

  • A more intuitive API and improved type safety for writing robust code.
  • It's now easier to create custom verification data requests by extending the new MinimalVerificationSpec class.
  • External attachments can be downloaded (with HTTP timeouts) and their digests automatically verified with a single line of code.
  • Constants and helper methods for dealing with ISO 3166-1 and 3166-3 country codes, including logic for mapping between two-letter (alpha-2) and three-letter (alpha-3) ISO 3166-1 country codes.

Check the OpenID Connect SDK guide and examples for IdA / eKYC to find out more.
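The external attachment check described in the list above, written out as an added Python example (not code from the page or from the Connect2id SDK). It assumes the draft's attachment shape, an object with a url and a digest {alg, value} where value is the base64 digest, and it only accepts digest algorithms the provider advertises; the timeout, size cap and sample bytes are constructed values.

```python
import base64
import hashlib
import hmac
import urllib.request

# Names as they appear in an attachment's "digest.alg" field, mapped to hashlib
# constructors. sha-256 is the one an OP must offer; the others are assumed extras.
DIGEST_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}


class AttachmentError(Exception):
    """Raised when an external attachment cannot be verified."""


def verify_external_attachment(attachment, content, supported_algs):
    """Check downloaded bytes against the digest announced in an external attachment
    {"url": ..., "digest": {"alg": ..., "value": <base64>}}. True on match, else raises."""
    digest = attachment.get("digest") or {}
    alg = digest.get("alg")
    if alg not in supported_algs:
        raise AttachmentError(f"digest alg {alg!r} is not one we advertise as supported")
    if alg not in DIGEST_ALGS:
        raise AttachmentError(f"no implementation for digest alg {alg!r}")
    try:
        expected = base64.b64decode(digest.get("value", ""), validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise AttachmentError("digest value is not valid base64") from e
    actual = DIGEST_ALGS[alg](content).digest()
    # Constant-time compare; a mismatch means the document was altered or swapped in transit.
    if not hmac.compare_digest(actual, expected):
        raise AttachmentError("attachment content does not match its digest")
    return True


def fetch_and_verify(attachment, supported_algs, timeout=5.0, max_bytes=10 * 1024 * 1024):
    """Download with an HTTP timeout and a size cap, then verify. Defaults are assumed."""
    with urllib.request.urlopen(attachment["url"], timeout=timeout) as resp:
        content = resp.read(max_bytes + 1)
    if len(content) > max_bytes:
        raise AttachmentError("attachment exceeds the configured size limit")
    verify_external_attachment(attachment, content, supported_algs)
    return content


def make_attachment(url, content, alg="sha-256"):
    """Build an attachment object for constructed sample data (demo helper only)."""
    value = base64.b64encode(DIGEST_ALGS[alg](content).digest()).decode("ascii")
    return {"desc": "constructed sample scan", "url": url, "digest": {"alg": alg, "value": value}}
```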

Accessing OpenID provider metadata from within a plugin

The AuthorizationRequestValidator and PARValidator SPIs can now access the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes. Contact us if you find this useful for other types of plugins.

Dependency updates

Finally, this 12.6 release comes with about a dozen updates to frameworks and libraries. Several optional and unused dependencies for OpenSAML were removed.

Docker

The Docker c2id/c2id-server-demo and c2id/c2id-server-min images switched from Debian (as OS) with Java 11 to Amazon Corretto 11, which has a lighter combined footprint. Fewer Linux packages will also mean fewer false positives to deal with when an image is scanned for vulnerabilities, because scanners at present cannot tell if a package is used or not (and Java doesn't need many of the standard packages that come in a Linux OS). Note that Amazon Corretto still isn't a bare bones Linux distribution, so vim, curl and other basic utilities can still be found in it.

Download 12.6

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.6: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a6ad8242ebfb578f0d62963a842635bfee8e76c27db78be180d254340ca66ee7

Connect2id server 12.6 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: ea0bb877aa6c51ea96d1353823fceb8ae026fe75711c780ee14f060ac7d3fb41

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.6: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a787bd9d95eb0f657e19e7337dc327fdd45703e5720998a7a8f1caa268e6ec07

Connect2id server 12.6 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b9d5844723274e817f02dbe63dde316c5089ed2b6c33ec75340d34a822bdee27 

Questions?

Contact Connect2id support.


Release notes

12.6 (2022-01-17)

Summary

  • Upgrades OpenID Connect for Identity Assurance 1.0 support to the latest implementers' draft 12 from 6 September 2021. See https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html

  • Upgrades the AuthorizationRequestValidator and PARValidator SPIs to enable read-only access to the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.assurance.supportedDocumentTypes -- New optional configuration property listing the supported document types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_supported" OpenID provider metadata parameter.

    • op.assurance.supportedMethodsForDocuments -- New optional configuration property listing the supported coarse identity verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedValidationMethodsForDocuments -- New optional configuration property listing the supported validation methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_validation_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedVerificationMethodsForDocuments -- New optional configuration property listing the supported person verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_verification_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedElectronicRecordTypes -- New optional configuration property listing the supported electronic record types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "electronic_records_supported" OpenID provider metadata parameter.

    • op.assurance.supportedAttachments -- New optional configuration property listing the supported attachment types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "attachments_supported" OpenID provider metadata parameter. Attachment types: embedded, external.

    • op.assurance.supportedDigestAlgs -- New optional configuration property listing the supported digest algorithms for external attachments if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "digest_algorithms_supported" OpenID provider metadata parameter. If external attachments are supported, the list must at least include sha-256.

    • op.assurance.supportedIDDocumentTypes -- Becomes deprecated, the corresponding "id_documents_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.

    • op.assurance.supportedIdentityVerificationMethods -- Becomes deprecated, the corresponding "id_documents_verification_methods_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.
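The property-to-metadata mapping in the list above, as an added Python example (not code from the page or from the Connect2id server) that derives the eKYC part of the provider metadata from an oidcProvider.properties fragment, warns on the two deprecated properties and checks the sha-256 rule for external attachments. It assumes list values are whitespace- or comma-separated; the document type values in the sample are constructed, not taken from the page.

```python
import re

# op.assurance.* property -> OpenID provider metadata field, per the release notes
PROPERTY_TO_METADATA = {
    "op.assurance.supportedDocumentTypes": "documents_supported",
    "op.assurance.supportedMethodsForDocuments": "documents_methods_supported",
    "op.assurance.supportedValidationMethodsForDocuments": "documents_validation_methods_supported",
    "op.assurance.supportedVerificationMethodsForDocuments": "documents_verification_methods_supported",
    "op.assurance.supportedElectronicRecordTypes": "electronic_records_supported",
    "op.assurance.supportedAttachments": "attachments_supported",
    "op.assurance.supportedDigestAlgs": "digest_algorithms_supported",
}
# Deprecated properties and the metadata fields draft 12 no longer uses
DEPRECATED = {
    "op.assurance.supportedIDDocumentTypes": "id_documents_supported",
    "op.assurance.supportedIdentityVerificationMethods": "id_documents_verification_methods_supported",
}


def parse_properties(text):
    """Minimal .properties reader: 'key = value' lines, '#'/'!' comments; list split is assumed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v for v in re.split(r"[\s,]+", value.strip()) if v]
    return props


def assurance_metadata(props):
    """Return (eKYC metadata fields for /.well-known/openid-configuration, warnings)."""
    metadata, warnings = {}, []
    for key, values in props.items():
        if key in PROPERTY_TO_METADATA:
            metadata[PROPERTY_TO_METADATA[key]] = values
        elif key in DEPRECATED:
            warnings.append(f"{key} is deprecated: {DEPRECATED[key]} is no longer used in draft 12")
    # Release-note rule: offering external attachments requires sha-256 among the digest algs
    if "external" in metadata.get("attachments_supported", []):
        if "sha-256" not in metadata.get("digest_algorithms_supported", []):
            warnings.append("external attachments supported but digest_algorithms_supported lacks sha-256")
    return metadata, warnings


# Constructed oidcProvider.properties fragment; document type values are illustrative only
SAMPLE = """\
op.assurance.supportedDocumentTypes = passport idcard
op.assurance.supportedAttachments = embedded external
op.assurance.supportedDigestAlgs = sha-384
op.assurance.supportedIDDocumentTypes = passport
"""
```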

Web API

  • /.well-known/openid-configuration

    • documents_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported document types. Replaces "id_documents_supported".

    • documents_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported coarse identity verification methods for evidences of type document. Replaces "id_documents_verification_methods_supported".

    • documents_validation_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported validation methods for evidences of type document.

    • documents_verification_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported person verification methods for evidences of type document.

    • electronic_records_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported electronic record types.

    • attachments_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported attachment types: embedded, external.

    • digest_algorithms_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported digest algorithms for external attachments.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.41

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.41

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.20.1

  • Updates to com.nimbusds:oauth2-authz-store:17.7

  • Updates to com.nimbusds:oidc-session-store:14.8

  • Updates to com.nimbusds:content-type:2.2

  • Updates to com.nimbusds:c2id-server-property-source:1.0.3

  • Removes and updates selected OpenSAML 3.4.6 transitive dependencies

  • Replaces javax.activation:javax.activation-api:jar:1.2.0 with jakarta.activation:jakarta.activation-api:jar:1.2.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.6

  • Updates to com.zaxxer:HikariCP:4.0.3

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.3

  • Updates to org.postgresql:postgresql:42.3.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.9

  • Updates to com.nimbusds:tenant-registry:6.0.1

  • Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.132

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.5

  • Updates to AWS Java SDK 1.12.132

  • Updates DropWizard to 4.1.29

  • Updates Prometheus SimpleClient to 0.14.1

  • Updates Log4j to 2.17.1