The OAuth 2.0 token exchange in Connect2id server 13.3 supports refresh token and ID token issue
Connect2id server deployments with OAuth 2.0 token exchange (RFC 8693) will now be able to issue refresh tokens and ID tokens. Previously the token exchange plugin interface (SPI) could only specify the issue of an access token. The persistence of the token exchange authorisation can also be controlled now, by setting its long-lived flag. When a refresh token is issued, the same flag determines its encoding: persisted, with long-lived set to true, or a stateless encrypted JWT, with long-lived set to false.
This token exchange upgrade makes it possible for Connect2id server deployments to experiment with the new OpenID Connect draft specification for native single sign-on (SSO) for Android, iOS and desktop applications. Built-in support for the native SSO is now on the Connect2id server roadmap and it will appear once the spec has become stable.
The new token exchange plugin capabilities can also be useful in other scenarios, where a client needs to exchange a token of some kind (opaque or JWT) for an access, refresh or ID token issued by the local Connect2id server.
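The following Python block is an added example, not Connect2id server or SDK code, and it serves both the feature description above and the TokenExchangeAuthorization notes in the release notes further down. It models the decision a token exchange plugin now makes: accept a subject token, then specify an access token plus an optional refresh token and ID token, with the long-lived flag selecting whether the refresh token is a persisted opaque handle or a self-contained stateless token. The RFC 8693 parameter and URN names are real; the plugin policy, the sample subject token, the MAC key and the `ExchangeAuthorization` shape are constructed for illustration, and the HMAC-protected compact token is a standard-library stand-in for the server's encrypted JWT, used only to show the "nothing stored server-side" property.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs

# RFC 8693 identifiers (real); everything else below is a constructed model.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
TT_ACCESS = "urn:ietf:params:oauth:token-type:access_token"

# Constructed: subject tokens a partner system issued that our hypothetical
# plugin accepts, mapped to the authenticated subject.
KNOWN_SUBJECT_TOKENS = {"partner-tok-7f3a": "alice"}
STATELESS_KEY = b"constructed-example-key-not-for-production"  # constructed
PERSISTED_REFRESH_TOKENS = {}  # opaque refresh token -> stored authorisation


@dataclass(frozen=True)
class ExchangeAuthorization:
    """Hypothetical plugin result carrying the knobs the page describes."""
    subject: str
    scope: tuple
    long_lived: bool            # persist the authorisation (and refresh token)
    issue_refresh_token: bool
    issue_id_token: bool


def parse_exchange_request(body):
    """Parse and sanity-check a form-encoded RFC 8693 token request body."""
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if params.get("grant_type") != GRANT_TYPE:
        raise ValueError("grant_type is not token-exchange")
    for name in ("subject_token", "subject_token_type"):
        if name not in params:
            raise ValueError("missing " + name)
    # requested_token_type is optional; this model only exchanges into access
    # tokens, with refresh / ID tokens issued alongside by plugin decision.
    if params.setdefault("requested_token_type", TT_ACCESS) != TT_ACCESS:
        raise ValueError("unsupported requested_token_type")
    return params


def authorize(params, long_lived):
    """Constructed plugin policy. A real plugin would verify a signed or
    introspected subject token here instead of a lookup table."""
    subject = KNOWN_SUBJECT_TOKENS.get(params["subject_token"])
    if subject is None:
        raise PermissionError("invalid_grant")
    scope = tuple(params.get("scope", "").split())
    return ExchangeAuthorization(
        subject=subject, scope=scope, long_lived=long_lived,
        issue_refresh_token="offline_access" in scope,
        issue_id_token="openid" in scope)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _stateless_token(claims):
    """Stand-in for an encrypted stateless JWT: HMAC-protected compact token."""
    payload = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = _b64url(hmac.new(STATELESS_KEY, payload.encode("ascii"), hashlib.sha256).digest())
    return payload + "." + tag


def decode_stateless_token(token):
    """Verify the tag before trusting any claim; no server-side lookup needed."""
    payload, tag = token.split(".")
    expected = _b64url(hmac.new(STATELESS_KEY, payload.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stateless token failed integrity check")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def issue_tokens(auth, client_id, now=None):
    """Build the RFC 8693 response; refresh token encoding follows long_lived."""
    now = int(time.time() if now is None else now)
    response = {"access_token": secrets.token_urlsafe(24), "issued_token_type": TT_ACCESS,
                "token_type": "Bearer", "expires_in": 600, "scope": " ".join(auth.scope)}
    if auth.issue_refresh_token:
        record = {"sub": auth.subject, "client_id": client_id, "scope": list(auth.scope), "iat": now}
        if auth.long_lived:
            refresh_token = secrets.token_urlsafe(32)       # persisted: opaque handle
            PERSISTED_REFRESH_TOKENS[refresh_token] = record  # server must store it
        else:
            refresh_token = _stateless_token(record)        # stateless: nothing stored
        response["refresh_token"] = refresh_token
    if auth.issue_id_token:
        response["id_token"] = _stateless_token({"iss": "https://c2id.example.com", "sub": auth.subject,
                                                 "aud": client_id, "iat": now, "exp": now + 600})
    return response


def exchange(body, client_id, long_lived):
    """Whole flow: parse request -> plugin decision -> token issue."""
    return issue_tokens(authorize(parse_exchange_request(body), long_lived), client_id)


# Constructed sample request from a client holding a partner-issued token.
SAMPLE_REQUEST = ("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
                  "&subject_token=partner-tok-7f3a"
                  "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
                  "&scope=openid+offline_access")

if __name__ == "__main__":
    print(json.dumps(exchange(SAMPLE_REQUEST, "mobile-app", long_lived=False), indent=2))
```

Run it once with `long_lived=True` and once with `False` and compare the `refresh_token` values: the persisted one is a short random handle that only means something next to the `PERSISTED_REFRESH_TOKENS` entry, while the stateless one carries its own claims and integrity tag, so revoking it requires a denylist or key rotation rather than deleting a record.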
This release also fixes two issues (both are listed in the release notes below).
If you have clients using symmetrically encrypted ID tokens or UserInfo responses (by means of a shared AES key derived from the client_secret), upgrading is strongly recommended, to ensure interoperability and correctness of the key derivation. The derivation suffered from poorly worded text in OpenID Connect Core 1.0, addressed in a recent errata: the derived key must keep the left-most bits of the hash and discard the right-most ones. The security of the encryption was never compromised, but depending on how the original text was interpreted, decryption of JWE objects can unexpectedly fail with a different client library or OpenID Connect server.
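As an added example that is neither Connect2id nor Nimbus code, the Python block below implements the derivation as the release note states it (hash the client_secret, keep the left-most bits, remove the right-most), places the other reading beside it, and adds a small diagnostic for the failure mode described above: when a JWE from another library will not decrypt, it tells you which truncation that library applied. It assumes SHA-256 and key lengths of 128, 192 and 256 bits, so the AES-KW, AES-GCM-KW and direct A128CBC-HS256 cases; the function and variable names are mine.

```python
import hashlib
import hmac

# Key lengths (bits) covered here; all three fit in one SHA-256 digest. The
# spec uses a SHA-2 digest at least as long as the key, so 384/512-bit keys
# (SHA-384 / SHA-512) are out of scope for this example.
SUPPORTED_KEY_BITS = (128, 192, 256)


def derive_jwe_key(client_secret: str, key_bits: int) -> bytes:
    """AES key from client_secret as the 2020-07-24 errata reads: SHA-256 of
    the UTF-8 secret, keep the left-most key_bits, drop the right-most."""
    if key_bits not in SUPPORTED_KEY_BITS:
        raise ValueError("unsupported key length: %d" % key_bits)
    digest = hashlib.sha256(client_secret.encode("utf-8")).digest()
    return digest[: key_bits // 8]  # a left slice removes the right-most bits


def derive_jwe_key_misread(client_secret: str, key_bits: int) -> bytes:
    """The other reading of the pre-errata text: keep the right-most bits.
    Present only to show why decryption fails between implementations."""
    if key_bits not in SUPPORTED_KEY_BITS:
        raise ValueError("unsupported key length: %d" % key_bits)
    digest = hashlib.sha256(client_secret.encode("utf-8")).digest()
    return digest[-(key_bits // 8):]


def truncation_matters(key_bits: int) -> bool:
    """True when the two readings yield different keys, i.e. only when the
    key is shorter than the digest. A256KW and dir+A128CBC-HS256 (both 256
    bits from SHA-256) are unaffected; A128KW, A192KW, A128GCMKW are."""
    return key_bits < 256


def diagnose_peer_key(peer_key: bytes, client_secret: str) -> str:
    """Given the key another library derived (e.g. dumped while chasing a
    failed JWE decrypt), report which truncation that library applied."""
    bits = len(peer_key) * 8
    if bits not in SUPPORTED_KEY_BITS:
        return "unsupported length"
    if hmac.compare_digest(peer_key, derive_jwe_key(client_secret, bits)):
        return "left-most (errata, correct)"
    if hmac.compare_digest(peer_key, derive_jwe_key_misread(client_secret, bits)):
        return "right-most (pre-errata misreading)"
    return "no match (different secret or derivation)"


if __name__ == "__main__":
    secret = "constructed-client-secret-0123456789abcdef"  # constructed value
    for bits in SUPPORTED_KEY_BITS:
        correct = derive_jwe_key(secret, bits)
        other = derive_jwe_key_misread(secret, bits)
        print(bits, correct.hex(), "differs" if correct != other else "same")
```

The practical takeaway from `truncation_matters` is that a deployment using only 256-bit symmetric keys never saw the problem, which is why the mismatch tends to surface only when a client registers an `A128KW`, `A192KW` or `A128GCMKW` algorithm against a server or library that read the old text differently.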
There is more information in the release notes.
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.3: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
Connect2id server 13.3 WAR package: c2id.war
GPG signature: c2id.war.asc
Multi-tenant Connect2id server edition
Apache Tomcat package with Connect2id server 13.3: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
Connect2id server 13.3 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Token exchange (RFC 8693) plugins can now optionally specify the issue of a refresh token and ID token (in addition to the access token) when authorising a request received via the TokenExchangeGrantHandler SPI. The plugin can also flag the authorisation as long-lived (persisted), to cause the granted scope values and other attributes to be remembered for the subject and the requesting client. This also enables control of the refresh token encoding (if issued) - persisted or stateless.
Resource owner password credentials grant plugins can now specify the issue of stateless (JWT-encoded) refresh tokens. Previously only persisted refresh tokens could be issued.
Updates the plugin for handling OAuth 2.0 grants at an external web service (web hook) to support token exchange (RFC 8693) authorisations for refresh token and ID token issue.
- Adds support for refresh token and ID token issue for an OAuth 2.0 token exchange grant (RFC 8693).
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.52
The TokenExchangeAuthorization class is updated to support optional persistence of the authorisation (with the long-lived flag), issue of a refresh token (stateless or persisted) and issue of an ID token.
The PasswordGrantAuthorization class is updated to support issue of a stateless refresh token when the long-lived authorisation flag is set to false. Previously refresh tokens could only be issued persisted, with the long-lived authorisation flag set to true.
The derivation of the AES key from the client_secret, for shared JSON Web Encryption (JWE) of ID tokens, UserInfo responses and other objects, must truncate the hash by removing the right-most bits, not the left-most ones. See the OpenID Connect Core 1.0 errata of 2020-07-24 (issue oidc-sdk/412).
The clients web API GET by client_id must handle client identifiers that are OpenID Connect Federation 1.0 entity IDs (and URLs in general) seamlessly (issue server/824).
Upgrades to com.nimbusds:c2id-server-sdk:4.52
Updates to com.nimbusds:oauth2-oidc-sdk:10.5.1
Updates to com.nimbusds:nimbus-jose-jwt:9.29
Updates to com.nimbusds:oauth-grant-handlers-web:1.0.4