Connect2id server 15.9
The user sessions
of the Connect2id server can be used as a lightweight
method to feed user attributes (JWT claims) into the issued ID
tokens. Whenever a new IdP session gets
created for a logged in user, attributes to include automatically in the ID
tokens for the user can be saved in the claims
field.
Example session with four saved claims:
{
"sub" : "alice",
"auth_time" : 1723187423,
"creation_time" : 1723187423,
"max_life" : 302400,
"auth_life" : 302400,
"max_idle" : 10080,
"rps" : [ "eedi8jah", "ahp9xei5", "ioj6agah" ],
"claims" : { "email" : "[email protected]",
"name" : "Alice Adams",
"roles" : [ "admin", "audit" ],
"office" : "B-397" }
}
This capability has existed since 2015 and can be disabled with op.authz.feedSubjectSessionClaimsIntoIDToken:
op.authz.feedSubjectSessionClaimsIntoIDToken=false
Starting with this 15.9 release, the op.authz.feedSubjectSessionClaimsIntoIDToken
is deprecated for removal, and in its place a new configuration property
introduced -- op.idToken.includeSubjectSessionClaims,
to enable fine-grained control over the claims when necessary.
The default value of the new configuration property value is *
(asterisk),
meaning all claims. It thus preserves the default behaviour of the deprecated
op.authz.feedSubjectSessionClaimsIntoIDToken
property.
op.idToken.includeSubjectSessionClaims=*
To select only specific claims for automatic inclusion in the ID tokens simply list their names:
op.idToken.includeSubjectSessionClaims=email,roles
To disable all automatic inclusion set the value to an empty list:
op.idToken.includeSubjectSessionClaims=
Because the session is made available to the Connect2id server claims
source plugins, its claims
field can naturally be used to fulfil requests for individual consented claims
to be delivered to client applications in the ID tokens or at the
userinfo endpoint. This can simplify
deployments and infrastructure, by loading all potential user attributes for
release to clients at the time of user authentication, avoiding subsequent
calls to services and databases to get them.
For example, taking the session claims
above, the email
and roles
can be
listed for automatic inclusion in all ID tokens, while any remaining claims
found in the field will be made available to the claims source, for client
applications to request them individually and explicitly.
We plan to include a ready plugin to handle such retrieval of claims stored in the user session in a future release of the Connect2id server. Note that because of the requirement for the user session to be still present (active), this is suitable only for client applications that don't require access to the user claims after user logout / IdP session expiration.
Download 15.9
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.9: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 655f6dfe53bbb7a2aa2712b8191a0fd41cacd3a1945f6f6fcbfca67c77658fda
Connect2id server 15.9 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: ce8ba12064b81a4ecfb9172794b0c6a59192b012ca57827567e60f655256da52
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.9: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: c49e894e535e2e8130e1d0df8a9637a63199eaf842e8670372d92a87da68bb4c
Connect2id server 15.9 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 29e7f7f9a26cbce8fc426c0bc9908e756d683a741193b379f2c5a1691456e9d4
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.9 (2024-08-08)
Configuration
/WEB-INF/oidcProvider.properties
op.idToken.includeSubjectSessionClaims -- New optional configuration property to control the automatic inclusion of members from the subject session
claims
JSON object in issued ID tokens. Applies to regular andprompt=none
OpenID authentication requests as well as ID token refreshes. An*
(asterisk) selects all members. The member names can alternatively be specified as comma and / or space separated list. An empty list disables the inclusion. The default value is*
(include all).op.authz.feedSubjectSessionClaimsIntoIDToken -- Deprecated for removal, use
op.idToken.includeSubjectSessionClaims
instead.
Dependency changes
Updates to com.nimbusds:oauth2-authz-store:26.5.2
Upgrades to com.nimbusds:common:3.4
Updates to net.thisptr:jackson-jq:1.0.0-preview.20240207
Connect2id server 15.8
This Connect2id server release updates the plugin interface for handling token exchange scenarios, to enable access to the client metadata for received subject tokens that are locally issued access tokens.
Several dependencies were updated as well. There is more information about the new release in the notes below.
Download 15.8
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.8: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 9e3f2c5051fde956c887aa3a81ca4737faa22d6b1fc528931e64f6ea7f71bec2
Connect2id server 15.8 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 62c25fc97348cca6dc4b789ae3352b9e15d4d46bda9598e8efeba8d7b2b5bdf7
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.8: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 9debac08f536597c63ea489587ddcbccaa66f6435d609d9d34cab48bc74b1960
Connect2id server 15.8 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 23cb23d74aad87859a78ff8cf786ac8c7c216cddfeb24b97644ac91ca02c0bdb
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.8 (2024-07-26)
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.6
- The
TokenExchangeGrantHandler
SPI receives a newTokenIntrospection.getOIDCClientMetadata
helper method to access the OAuth 2.0 / OpenID relying party metadata for asubject_token
that is a locally issued access token.
- The
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:5.6
Updates to Infinispan 14.0.29.Final
Updates to com.h2database:h2:2.3.230
Updates to Dropwizard Metrics 4.2.26
Connect2id server 15.7.1
This is a small maintenance release of the Connect2id server that fixes five non-critical issues. More information about them can be found in the release notes below.
If you are using the password OAuth 2.0 grant with first party native applications, we recently published a mini guide how to implement a challenge-based flow for a second authenticating factor, such as an OTP, email or SMS verification.
Download 15.7.1
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.7.1: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 6afa6759052316521e3609455cae75fd96ba677683f8ced9bb8e550b848eb16f
Connect2id server 15.7.1 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: db385895cb919e4d698923b8945f54a28624ecdfe6d0c2964981a560bb48f267
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.7.1: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 6c8f7b5819023163534bcaa8c730fbf957036634c1dd3a8478bd331acc223a4e
Connect2id server 15.7.1 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: b4761c5fb6be4b972e2f0ff2e7c01e7917f76404a09cf4ee878d431a03d0432e
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.7.1 (2024-06-27)
Resolved issues
Fixes the return value of the
IDTokenIssueEvent.getLocalSubject
method (in theIDTokenIssueEventListener
SPI) to return the local subject and not the pairwise subject value when the ID token is issued in response to an OAuth 2.0 authorisation code grant (issue server/1001).Removes the redundant automatic setting of the
tls_client_certificate_bound_access_tokens
client metadata field when a client is registered forself_signed_tls_client_auth
, an artefact from Connect2id server v6.x when persistence of thetls_client_certificate_bound_access_tokens
client metadata field was not supported (issue server/1003).Calls to the token introspection endpoint with a blank
token
value and atoken_type_hint
set toaccess_token
must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue server/1004).Calls to the token revocation endpoint with a blank
token
value must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue oidc-sdk/471).Calls with
client_secret_jwt
orprivate_key_jwt
authentication with an empty or blankclient_id
must produce an HTTP 400 Bad Request, not an HTTP 500 Internal Server Error (issue oidc-sdk/472).
Dependency changes
Updates to com.nimbusds:oauth2-oidc-sdk:11.13
Upgrades to com.nimbusds:nimbus-jose-jwt:9.40
Updates to com.nimbusds:c2id-server-jwkset:1.30.6
Updates to org.postgresql:postgresql:42.7.3
Connect2id server 15.7
This Connect2id server release enabled support for issue of DPoP bound access tokens, for the JWT as well as the SAML 2.0 bearer grants. With the next major 16.0 release, the server is also going to support the dpop_bound_access_tokens client metadata parameter, so that a client can be required to always use DPoP in its registration.
This release also updates two of the Connect2id server SPIs.
The SPI for ID token issue
events receives
a new
IDTokenIssueEvent.getLocalSubject()
method to access the local (system) end-user ID, which can be useful in cases
when the ID token sub
(subject) is a pairwise
identifier.
The SPI for customising token responses receives new methods to access the OpenID claims source and a generic JWT signer.
More information about this new release can be found in the customary notes below.
If you are an authentication provider and have come across Microsoft's May announcement to allow the plugin of External Authentication Method (EAM) providers into Entra ID, check out our new guide how to achieve this with the Connect2id server. If there is sufficient feedback and demand we'll consider creating an official maintained Connect2id server plugin for Entra EAM.
Download 15.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 5ae6d0051302f7734aa09081bad943a2a56d32409b08a8acec6239b387bbab24
Connect2id server 15.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 872123f8df4ed3ccc7d57cf8ce1f9bd2ba524cadcc61412ea82e8a091bbe4859
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.7: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: c32dbe7d03dde79848b7690c81d24eba1bb2e8a17559043a420b5816e8ae3419
Connect2id server 15.7 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 1a7d7fc290bdcc4bc32401a564bf964c735ba578a211fe32c7a3df1b37e059a1
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.7 (2024-06-03)
Summary
Enables issue of DPoP access tokens (RFC 9449) for the JWT and SAML 2.0 bearer OAuth 2.0 grants.
Updates the CustomTokenResponseComposer SPI to provide access the OpenID claims source and a generic JWT signer.
Updates the IDTokenIssueEvent in the IDTokenIssueEventListener SPI to provide access to the local subject, useful in cases when the ID token
sub
(subject) is a pairwise identifier.
Web API
/token
Enables support for issue of DPoP-bound access tokens (RFC 9449) for the following OAuth 2.0 grants:
urn:ietf:params:oauth:grant-type:jwt-bearer
(RFC 7523)urn:ietf:params:oauth:grant-type:saml2-bearer
(RFC 7522)
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.5
The
CustomTokenResponseComposer
SPI is updated, adding methods to theTokenResponseContext
to access the OpenID claims source and a generic JWT signer.IDTokenIssueEvent, part of the IDTokenIssueEventListener SPI, provides access to the local ID token subject, useful in cases when the ID token
sub
(subject) claim is a pairwise identifier.
Resolved issues
The Connect2id server must accept signed request objects (JARs) with the JWT
typ
(type) header valuesoauth-authz-req+jwt
(see RFC 9101) andJWT
(issue server/999).The logout JWT in OpenID Connect back-channel logout notifications must include an
exp
(expiration time) claim. The expiration for the logout JWTs is set 5 minutes into future (issue server/1000).Improves the parse performance of JSON numbers in JWT claims sets (issue nimbus-jose-jwt/546).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:5.5
Updates to com.nimbusds:oauth2-oidc-sdk:11.12
Updates to com.nimbusds:c2id-server-jwkset:1.30.5
Updates to com.nimbusds:nimbus-jose-jwt:9.39.3
Updates to com.google.code.gson:gson:2.11.0
Updates to commons-codec:commons-codec:1.17.0
Connect2id server 15.6 introduces a new plugin interface for authentication and consent events
The Connect2id server received a new plugin interface (SPI) for receiving an event every time a user authenticates and submits their consent at the authorisation endpoint. The events can be used for purposes such as audit logging and resolving disputes. Contextual information about the user authentication can be obtained from the referenced ID token claims set (if an ID token is issued) as well as the referenced subject session. Information about the user consent can be obtained from the referenced authorised scope, claim names and data.
This release also relaxes the back-channel logout notifications policy for
Connect2id server deployments configured with issuer
aliasing in the
PERSISTED_GRANT_ISOLATION
mode, allowing delivery of notifications in
response to logout requests. Notification
delivery in response to session expiration remains blocked in this mode.
Finally, this release resolves four issues, three related to SPI plugins.
Download 15.6
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 15.6: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 5ad5fc679f9c33837ab46690ae0d23edf692e522622005579bd5c06fa5be9139
Connect2id server 15.6 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 87c3c7075ac32244ea5b860a7218cbc56e18ea9b0e076e784f84e9f2085be991
Multi-tenant edition
Apache Tomcat package with Connect2id server 15.6: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: f77623867ef95bfad50ddf896d86294e77419d8b2bb4c8275ae39e11bcfcb384
Connect2id server 15.6 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 89e6cb73cbec7f3f8789f9871d4e60e139fed8af1f26eee0ce4acd4d850f89a8
Questions?
For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
15.6 (2024-05-10)
Summary
New plugin interface (Service Provider Interface, or SPI) for listening to end-user authentication and consent events at the authorisation endpoint of the Connect2id server.
Enables delivery of back-channel logout notifications in the issuer aliasing mode "isolation" in response to end-user logout at the logout session API.
Web API
/logout-sessions/rest/v1/
- Delivers back-channel logout notifications when OpenID provider / OAuth
2.0 server issuer aliasing mode
PERSISTED_GRANT_ISOLATION
is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from logout session API calls to be blocked.
- Delivers back-channel logout notifications when OpenID provider / OAuth
2.0 server issuer aliasing mode
/session-store/rest/v2/
- Delivers back-channel logout notifications in response to end-session
(
DELETE
) calls when OpenID provider / OAuth 2.0 server issuer aliasing modePERSISTED_GRANT_ISOLATION
is configured. Previously this mode caused the delivery of back-channel logout notifications resulting from end-session API calls to be blocked.
- Delivers back-channel logout notifications in response to end-session
(
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:5.4
New
SubjectAuthAndConsentEventListener
SPI for listening to subject authentication and consent events.For clients using the code flow (
response_type=code
), the event is dispatched when the client submits a valid authorisation code at the token endpoint of the Connect2id server.For clients using an implicit (
response_type=token
,response_type=id_token
,id_token token
) or hybrid flow (response_type=code id_token
,response_type=code token
,response_type=code id_token token
), the event is dispatched when the request at the authorisation endpoint of the Connect2id server successfully completes.
Resolved issues
Fixes StackOverflowException in SPI calls that use the
com.nimbusds.openid. connect.provider.spi.internal.sessionstore.SubjectAuthentication.getAMRList
method (issue server/993).Revises the OpenID Connect Back-Channel Logout 1.0 policy when issuer alias mode
PERSISTED_GRANT_ISOLATION
is configured. Back-channel logout notifications were previously blocked in this mode. Starting with this release notifications resulting from API-originating logout / end-session requests will be delivered. Note that the delivery of back-channel logout notifications on subject session expiration remains blocked since subject sessions do not record issuer alias information (issue server/992).Prevents Connect2id server startup when a given OpenID claim is advertised as supported by two or more enabled claims sources. Disabled claims sources are not checked. The exception will be logged at FATAL level using the
OP7004
code, detailing the name of the claim and the claim source (issue server/994).Compressed (
zip=DEFLATE
) JWE request objects (JARs) with cipher texts of compressed plain text that are too large must be rejected to conserve CPU and memory resources on decompression. When JWE DEFLATE compression is utilised a limit of 100K cipher text characters is enforced. Note that all request objects passed by URL (request_uri
) are already being limited to 50 KBytes in size (issue jose-jwt/545).Support serialisation of null valued JWT top-level claims returned by the
encode
andadvancedEncode
methods ofSelfContainedAccessTokenClaimsCodec
SPI implementations. Previously such JWT claims were ignored and serialised (issue authz-store/234).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:5.4
Updates to com.nimbusds:oauth2-oidc-sdk:11.10.3
Upgrades to com.nimbusds:nimbus-jose-jwt:9.39
Updates to com.nimbusds:c2id-server-jwkset:1.30.2
Upgrades to com.nimbusds:oauth2-authz-store:26.5.1
Upgrades to com.nimbusds:oidc-session-store:19.0
Upgrades to com.nimbusds:tenant-manager:9.1
Updates to com.nimbusds:tenant-registry:9.0.1