Connect2id server 15.6 introduces a new plugin interface for authentication and consent events
The Connect2id server received a new plugin interface (SPI) for receiving an event every time a user authenticates and submits their consent at the authorisation endpoint. The events can be used for purposes such as audit logging and resolving disputes. Contextual information about the user authentication can be obtained from the referenced ID token claims set (if an ID token is issued) as well as the referenced subject session. Information about the user consent can be obtained from the referenced authorised scope, claim names and data.
This release also relaxes the back-channel logout notification policy for Connect2id server deployments configured with issuer aliasing in the PERSISTED_GRANT_ISOLATION mode, allowing delivery of notifications in response to logout requests. Notification delivery in response to session expiration remains blocked in this mode.
Finally, this release resolves four issues, three related to SPI plugins.
Download 15.6
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.6: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 5ad5fc679f9c33837ab46690ae0d23edf692e522622005579bd5c06fa5be9139
Connect2id server 15.6 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 87c3c7075ac32244ea5b860a7218cbc56e18ea9b0e076e784f84e9f2085be991
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.6: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: f77623867ef95bfad50ddf896d86294e77419d8b2bb4c8275ae39e11bcfcb384
Connect2id server 15.6 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 89e6cb73cbec7f3f8789f9871d4e60e139fed8af1f26eee0ce4acd4d850f89a8
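Before deploying a package, check its SHA-256 against the table above and verify the detached GPG signature with the published public key. The script below is an added illustration, not a Connect2id tool: the digest table is copied from this page, the hashing and comparison are plain standard-library code, and the signature step simply shells out to `gpg --verify` (which needs the Connect2id public key already imported). The function names are the example's own.

```python
import hashlib
import hmac
import io
import subprocess
from pathlib import Path

# Digests copied from the download list above (standard and multi-tenant editions).
EXPECTED_SHA256 = {
    "Connect2id-server.zip": "5ad5fc679f9c33837ab46690ae0d23edf692e522622005579bd5c06fa5be9139",
    "c2id.war": "87c3c7075ac32244ea5b860a7218cbc56e18ea9b0e076e784f84e9f2085be991",
    "Connect2id-server-mt.zip": "f77623867ef95bfad50ddf896d86294e77419d8b2bb4c8275ae39e11bcfcb384",
    "c2id-mt.war": "89e6cb73cbec7f3f8789f9871d4e60e139fed8af1f26eee0ce4acd4d850f89a8",
}


def sha256_of_stream(stream) -> str:
    """Hex SHA-256 of a binary stream, read in 1 MiB chunks so a large archive never sits in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_of_stream(io.BytesIO(data))


def sha256_of_file(path) -> str:
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison; case-insensitive because some tools print upper-case hex."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def gpg_signature_ok(artifact, signature=None) -> bool:
    """Runs `gpg --verify <sig> <file>`; the signer's public key must already be in the keyring."""
    artifact = Path(artifact)
    signature = Path(signature) if signature else artifact.with_name(artifact.name + ".asc")
    result = subprocess.run(["gpg", "--verify", str(signature), str(artifact)],
                            capture_output=True, text=True)
    return result.returncode == 0


def verify_download(artifact, check_signature: bool = True) -> dict:
    """Checks one downloaded package against the digest table and, optionally, its detached signature."""
    artifact = Path(artifact)
    expected = EXPECTED_SHA256.get(artifact.name)
    report = {"file": artifact.name, "known": expected is not None, "sha256_ok": False, "gpg_ok": None}
    if expected is None:
        return report  # not one of the 15.6 artifacts listed on this page
    report["sha256_ok"] = digest_matches(sha256_of_file(artifact), expected)
    if check_signature:
        report["gpg_ok"] = gpg_signature_ok(artifact)
    return report


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(verify_download(name))
```

Run it as `python verify.py c2id.war Connect2id-server.zip` from the download directory; a package is good only when both sha256_ok and gpg_ok are True, since the digest alone proves integrity of the bytes, not who published them.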
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.6 (2024-05-10)
Summary
New plugin interface (Service Provider Interface, or SPI) for listening to end-user authentication and consent events at the authorisation endpoint of the Connect2id server.
Enables delivery of back-channel logout notifications in the issuer aliasing mode "isolation" in response to end-user logout at the logout session API.
Web API

/logout-sessions/rest/v1/

- Delivers back-channel logout notifications when the OpenID provider / OAuth 2.0 server issuer aliasing mode PERSISTED_GRANT_ISOLATION is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from logout session API calls to be blocked.

/session-store/rest/v2/

- Delivers back-channel logout notifications in response to end-session (DELETE) calls when the OpenID provider / OAuth 2.0 server issuer aliasing mode PERSISTED_GRANT_ISOLATION is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from end-session API calls to be blocked.
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.4

New SubjectAuthAndConsentEventListener SPI for listening to subject authentication and consent events. For clients using the code flow (response_type=code), the event is dispatched when the client submits a valid authorisation code at the token endpoint of the Connect2id server. For clients using an implicit (response_type=token, response_type=id_token, response_type=id_token token) or hybrid flow (response_type=code id_token, response_type=code token, response_type=code id_token token), the event is dispatched when the request at the authorisation endpoint of the Connect2id server successfully completes.
Resolved issues

- Fixes StackOverflowException in SPI calls that use the com.nimbusds.openid.connect.provider.spi.internal.sessionstore.SubjectAuthentication.getAMRList method (issue server/993).

- Revises the OpenID Connect Back-Channel Logout 1.0 policy when issuer alias mode PERSISTED_GRANT_ISOLATION is configured. Back-channel logout notifications were previously blocked in this mode. Starting with this release notifications resulting from API-originating logout / end-session requests will be delivered. Note that the delivery of back-channel logout notifications on subject session expiration remains blocked, since subject sessions do not record issuer alias information (issue server/992).

- Prevents Connect2id server startup when a given OpenID claim is advertised as supported by two or more enabled claims sources. Disabled claims sources are not checked. The exception is logged at FATAL level with the OP7004 code, detailing the name of the claim and the claim sources (issue server/994).

- Compressed (zip=DEF, i.e. DEFLATE) JWE request objects (JARs) with cipher texts of compressed plain text that are too large must be rejected, to conserve CPU and memory resources on decompression. When JWE DEFLATE compression is used a limit of 100K cipher text characters is enforced. Note that all request objects passed by reference (request_uri) are already limited to 50 KBytes in size (issue jose-jwt/545).

- Supports serialisation of null valued JWT top-level claims returned by the encode and advancedEncode methods of SelfContainedAccessTokenClaimsCodec SPI implementations. Previously such JWT claims were ignored and not serialised (issue authz-store/234).
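To make the request object size gate from issue jose-jwt/545 concrete, here is an added illustration in Python; it is not Connect2id or Nimbus JOSE+JWT code. It applies the two checks a resolver of compressed request objects wants: the 100K cipher text character limit from the note, enforced before any decompression, plus a bound on the inflated output so a small cipher text cannot still cost megabytes of memory. JWE compression is raw DEFLATE (RFC 1951) signalled by the "zip":"DEF" header parameter (RFC 7516); the 64 KiB inflated cap, the function names and the stand-in for decryption (identity, so the cipher text is simply the compressed plain text) are this example's own assumptions, and the sample request object is constructed.

```python
import base64
import zlib

# The limit cited in the release note: cipher text characters (base64url) of a
# DEFLATE-compressed JWE, checked before anything is inflated.
MAX_CIPHERTEXT_CHARS = 100_000
# Assumed cap on the inflated plain text: a request object is a small JSON object,
# so anything that wants more than a few tens of KB is a decompression bomb.
MAX_INFLATED_BYTES = 64 * 1024


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def deflate(plain: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, no zlib header), the format JWE "zip":"DEF" uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(plain) + c.flush()


def reject_oversized_ciphertext(ciphertext_b64url: str, limit: int = MAX_CIPHERTEXT_CHARS) -> None:
    """First gate: length of the still-encrypted payload, which costs nothing to check."""
    if len(ciphertext_b64url) > limit:
        raise ValueError(f"ciphertext of {len(ciphertext_b64url)} chars exceeds the {limit} char limit")


def inflate_bounded(compressed: bytes, max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Second gate: inflate at most max_out + 1 bytes and bail out if the stream wants more."""
    d = zlib.decompressobj(-15)
    out = d.decompress(compressed, max_out + 1)
    if len(out) > max_out or d.unconsumed_tail:
        raise ValueError(f"inflated payload exceeds the {max_out} byte limit")
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def unpack_request_object(ciphertext_b64url: str) -> bytes:
    """Toy pipeline: size gate, then 'decryption' (identity here), then bounded inflate."""
    reject_oversized_ciphertext(ciphertext_b64url)
    compressed_plain = b64url_decode(ciphertext_b64url)  # a real JWE would decrypt here
    return inflate_bounded(compressed_plain)


def classify(ciphertext_b64url: str) -> str:
    """'ok' or the rejection reason, i.e. what an audit log line would carry."""
    try:
        unpack_request_object(ciphertext_b64url)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed sample request object.
    legit = deflate(b'{"response_type":"code","client_id":"example-client","scope":"openid"}')
    print(classify(b64url_encode(legit)))
    # Ten million zero bytes deflate to roughly 10 KB, well under the 100K character
    # gate, which is why the inflated-size bound is needed as well.
    print(classify(b64url_encode(deflate(b"\x00" * 10_000_000))))
```

The point of running both gates is visible in the second call: a decompression bomb passes the character limit comfortably (DEFLATE compresses zeros about 1000:1), so the cipher text cap alone only bounds the damage to roughly 100 MB of inflated output, and the second bound is what keeps it at tens of kilobytes.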
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:5.4
Updates to com.nimbusds:oauth2-oidc-sdk:11.10.3
Upgrades to com.nimbusds:nimbus-jose-jwt:9.39
Updates to com.nimbusds:c2id-server-jwkset:1.30.2
Upgrades to com.nimbusds:oauth2-authz-store:26.5.1
Upgrades to com.nimbusds:oidc-session-store:19.0
Upgrades to com.nimbusds:tenant-manager:9.1
Updates to com.nimbusds:tenant-registry:9.0.1