Connect2id server 14.0 RC5 with new refresh token settings and Oracle database support
This is a stable snapshot of the upcoming Connect2id server 14.0. The final release will include more features and changes.
New refresh token settings
Self-contained (JWT-encoded) refresh tokens that link to transient (non-persisted) authorisations can now also be rotated. Previously the rotation was only possible for refresh tokens linked to a long-lived (persisted) authorisation, where the refresh token is a secure random identifier. The rotation is intended as a poor-man's protection for public OAuth 2.0 clients against replay of a leaked refresh token. The more secure method to prevent replay, and the more robust one on slow or unreliable networks, is for public clients to use sender-constrained refresh tokens, by means of mTLS or DPoP.
The refresh token rotation can now be set on an individual authorisation basis, by setting the optional refresh_token.rotate parameter in the consent of authorisation sessions. The direct authorisation endpoint and the token exchange and password grant handlers also support it.
If the refresh_token.rotate parameter for a given authorisation isn't set, a default policy is applied, according to the new authzStore.refreshToken.defaultRotate configuration property.
The global authzStore.refreshToken.alwaysUpdate (always rotate) configuration property is deprecated and should no longer be used. Instead, set the authzStore.refreshToken.defaultRotate configuration property and override it for specific clients or authorisations.
Infinispan upgrade
The underlying Infinispan layer received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
Oracle database support
The Oracle database is now supported, alongside the MySQL, PostgreSQL and Microsoft SQL Server relational databases.
Support for persistence to LDAP is removed
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
Bug fixes, optimisations
The code base received several bug fixes. The data persistence layer was optimised, which may result in CPU and storage bill savings in large deployments.
More information can be found in the release notes below.
Download 14.0-rc.5
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.5: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: a7aec63eda99b1a2309c509297290b5ea20c8302460197a6f57c02947c809b39
Connect2id server 14.0-rc.5 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 716291783f232581b9d44a8c2f10cad1bd9235da1ff6dccb3632adb360377253
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0 (2023-04-17)
Summary
- Refresh token rotation can now be set for individual authorisations. The self-contained (JWT-encoded) refresh tokens for non-persisted ("long_lived":false) authorisations can be rotated as well.
- Upgrades to Infinispan 14.0.
- Adds Oracle 12c r1+ Database support.
- Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/authzStore.properties
- authzStore.refreshToken.defaultRotate -- New optional configuration property for the default refresh token rotation setting. Can be overridden by individual authorisations. The default value is false (no rotation).
- authzStore.refreshToken.alwaysUpdate -- Deprecated, use "authzStore.refreshToken.defaultRotate" instead.
/WEB-INF/infinispan-*.xml
- Upgrades the XML schema to Infinispan 14.0.
- Replaces the Infinispan "op.clientRegTokenMap" with a new generic "authzStore.expendedTokenMap" capable of storing keys for expended tokens that are rotated self-contained (JWT-encoded) refresh tokens, client registration tokens, client_secret_jwt and private_key_jwt tokens, DPoP tokens and other one-time-use objects.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
- New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alterations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
- New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id server is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Web API
/authz-sessions/rest/v3/
- Adds an optional "refresh_token.rotate" parameter of type boolean to the consent object. Sets the refresh token rotation for the individual authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
/direct-authz/rest/v2/
- Adds an optional "refresh_token.rotate" parameter of type boolean to the request object. Sets the refresh token rotation for the individual authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
/monitor/v1/metrics
- Adds new "authzStore.numExpendedTokenEntries" gauge.
- Removes the "clientStore.numCachedExpendedTokens" gauge (replaced by the new "authzStore.numExpendedTokenEntries" gauge).
SPI
- Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.53
- The RefreshTokenSpec class receives a new optional refresh token rotation preference. If empty the default Connect2id server refresh token rotation policy will apply.
- The PasswordGrantHandler SPI can set a refresh token rotation preference.
- The TokenExchangeGrantHandler SPI can set a refresh token rotation preference.
Resolved issues
- The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
- The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
- Retrieving an authorisation record by refresh token must echo the submitted refresh token value in the returned record instead of recreating it from the persisted "rts" field (issue authz-store/203).
- Authorisation updates must always return a refresh token in the current format, not the legacy format (issue authz-store/204).
- The direct authorisation endpoint must always return a refresh token in the current, not the legacy format (issue server/837).
- Store retrieval of identifier-based access tokens must recreate the local subject when the subject type is pairwise (issue authz-store/201).
- Removes redundant persistence of registration_client_uri, recreates it dynamically from the OP / AS issuer URL and the client_id (issue server/512).
- The "cnf" column of the "id_access_tokens" SQL table must be increased from 100 to 150 VARCHAR for H2 and MS SQL Server to accommodate token authorisations that use both a x5t#S256 and a jkt binding (issue authz-store/206).
- Adds missing DynamoDB persistence of the "cld" (claims data) authorisation record field (issue authz-store/210).
- Automatic revocation of all authorisations on replay of a rotated refresh token (issue authz-store/212).