Connect2id server 14.0 RC9 with new refresh token settings, optional ID token refresh and Oracle database support
This is a stable snapshot of the upcoming Connect2id server 14.0. The final release will include more features and changes.
New refresh token settings
Self-contained (JWT-encoded) refresh tokens for transient (non-persisted) authorisations can now also be optionally rotated. Previously, rotation was possible only for refresh tokens linked to a long-lived (persisted) authorisation. Rotation is intended as a poor-man's protection for public OAuth 2.0 clients against replay of a leaked refresh token. The more secure method to prevent replay, and the more robust one on slow or unreliable networks (where a freshly rotated token can be lost in transit), is for public clients to use sender-constrained refresh tokens, by means of mTLS or DPoP.
The refresh token rotation is now set on an individual authorisation basis, via the optional refresh_token.rotate parameter in the consent of authorisation sessions.
Example consent setting refresh token rotation:
{
"scope" : [ "openid", "email" ],
"claims" : [ "email", "email_verified" ],
"refresh_token" : { "rotate" : true }
}
The direct authorisation endpoint and the token exchange and password grant handlers also support the new rotation parameter.
If the refresh_token.rotate parameter for a given authorisation is omitted, a default policy will be applied, according to the new authzStore.refreshToken.defaultRotate configuration property.
The global authzStore.refreshToken.alwaysUpdate (always rotate) configuration property is deprecated and should no longer be used. Instead, set the authzStore.refreshToken.defaultRotate configuration property and override it for specific clients or authorisations.
ID token refresh
Another new feature is the option to refresh ID tokens, in response to a valid refresh token grant with the openid scope, provided the end-user is considered logged into the OpenID provider.
The ID token refresh can be allowed on an individual authorisation basis, by setting the optional id_token.refresh parameter in the consent of authorisation sessions.
Example consent allowing ID token refresh:
{
"scope" : [ "openid" ],
"id_token" : { "refresh" : true }
}
As long as the OpenID provider session in which the user logged in remains present, the token endpoint will return a new ID token in the response to a refresh request. When the session is closed or expires, issue of the ID token will cease (an access token will still be returned).
The ID token refresh can thus be used by authorised relying parties to perform a back-channel check whether the user still has a session with the Connect2id server.
Note that the ID token refresh does not guarantee the end-user is actually present and properly authenticated, due to the back-channel nature of the token request. The standard prompt=none OpenID authentication request is intended for this purpose, as it goes through the front-channel (the browser) and therefore requires the end-user's user agent, carrying its OpenID provider session, to take part.
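The two token endpoint rules described above (per-authorisation refresh token rotation with the configured default as fallback, and ID token refresh only while the subject session is present) are easiest to see in a small simulation. The following is an added example written for this page, not Connect2id code: the record layout, the class and method names and the issuer URL are assumptions, while the behaviour follows the release notes, including the expended-token map for rotated tokens and revocation of the authorisation when an expended token is replayed.

```python
"""Refresh grant handling per the 14.0 rules above (added illustration, not Connect2id code).

Store layout, class and method names are assumptions made for this example.
Behaviour that follows the page:
  * "rtr" (refresh_token.rotate) per authorisation, falling back to
    authzStore.refreshToken.defaultRotate when unset;
  * rotated tokens go into an expended-token map, and replay of an expended
    token revokes the authorisation (cf. issue authz-store/212);
  * "idr" (id_token.refresh) only yields an ID token while the subject
    session bound to the refresh token is still present.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Authorization:
    client_id: str
    subject: str
    scope: Set[str]
    session_id: str              # subject session where consent was given
    rtr: Optional[bool] = None   # refresh_token.rotate; None -> server default
    idr: bool = False            # id_token.refresh
    revoked: bool = False


class RefreshGrantHandler:
    def __init__(self, default_rotate: bool = False):
        self.default_rotate = default_rotate        # authzStore.refreshToken.defaultRotate
        self.authz: Dict[str, Authorization] = {}   # authorisation id -> record
        self.live: Dict[str, str] = {}              # live refresh token -> authorisation id
        self.expended: Dict[str, str] = {}          # rotated (expended) token -> authorisation id
        self.sessions: Set[str] = set()             # subject sessions currently present

    def issue(self, authz: Authorization) -> str:
        """Register an authorisation and hand out its first refresh token."""
        authz_id = secrets.token_urlsafe(8)
        self.authz[authz_id] = authz
        rt = secrets.token_urlsafe(32)
        self.live[rt] = authz_id
        return rt

    def _revoke(self, authz_id: str) -> None:
        self.authz[authz_id].revoked = True
        for rt in [t for t, a in self.live.items() if a == authz_id]:
            del self.live[rt]

    def refresh(self, rt: str) -> dict:
        """Token endpoint response for grant_type=refresh_token."""
        if rt in self.expended:
            # An already-rotated token is presented: either the legitimate client lost
            # the new token or an attacker replayed a leaked one. The server cannot tell
            # which, so it revokes the authorisation and both parties lose access.
            self._revoke(self.expended[rt])
            return {"error": "invalid_grant"}
        authz_id = self.live.get(rt)
        if authz_id is None or self.authz[authz_id].revoked:
            return {"error": "invalid_grant"}
        authz = self.authz[authz_id]
        resp = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

        rotate = self.default_rotate if authz.rtr is None else authz.rtr
        if rotate:
            del self.live[rt]
            self.expended[rt] = authz_id       # remembered so that a replay is detected
            new_rt = secrets.token_urlsafe(32)
            self.live[new_rt] = authz_id
            resp["refresh_token"] = new_rt     # without rotation the old token simply stays valid

        if "openid" in authz.scope and authz.idr and authz.session_id in self.sessions:
            # Session still present: a fresh ID token. Its absence tells the RP the OP
            # session is gone; it says nothing about the user being at the keyboard
            # (that needs a front-channel prompt=none request). Issuer URL is made up.
            resp["id_token"] = {"iss": "https://op.example.com", "sub": authz.subject,
                                "aud": authz.client_id, "iat": int(time.time())}
        return resp
```

A client that sees an id_token in one refresh response and none in the next can conclude the OpenID provider session was closed or expired; a client that gets invalid_grant after having rotated must send the user back through the front-channel, because the authorisation itself has been revoked.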
Claims source plugins can access the user sessions
Connect2id server plugins for sourcing the consented user claims that go into UserInfo responses or ID tokens can now access the end-user session where the claims sourcing was authorised.
This can be useful to populate claims from information held in the session, such as authentication details, or claims that were saved in the claims field at the time the user session was created.
Token introspection composer plugins can also access the user sessions
Plugins for shaping token introspection responses can now also access the user session where the token issue was authorised.
The presence of a session can be a deployment-specific condition for returning an introspection response for an active (valid) access token. The session can also serve as a source for selected claims to include in the response, such as the optional claims field of the session.
Scope management
A new op.authz.limitToRegisteredScope configuration property was introduced to limit the requested scope values in the consent prompt of the authorisation session API to those registered in the metadata of the requesting client.
If disabled, or if no "scope" client metadata field is registered, the authorisation request scope will be passed on to the consent prompt as it is.
This configuration property is enabled by default:
op.authz.limitToRegisteredScope=true
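The three cases of the scope limiting rule (property disabled, no "scope" metadata registered, scope registered) as an added example written for this page, not Connect2id code. The function name and the tuple return are this example's choice; the "scope" metadata is the RFC 7591 space-delimited string.

```python
"""Scope limiting as described for op.authz.limitToRegisteredScope (added example, not Connect2id code)."""
from typing import Dict, List, Optional, Tuple


def scope_for_consent_prompt(requested: List[str],
                             client_metadata: Dict[str, str],
                             limit_to_registered: bool = True) -> Tuple[List[str], List[str]]:
    """Return (scope values to show in the consent prompt, values dropped).

    Mirrors the cases on the page: property disabled -> pass through;
    no "scope" metadata registered -> pass through; otherwise keep only the
    values the client registered. Returning the dropped values as well is
    this example's choice, so they can be logged as a signal of a client
    asking for more than it was registered for.
    """
    registered: Optional[str] = client_metadata.get("scope")  # RFC 7591: space-delimited
    if not limit_to_registered or registered is None:
        return list(requested), []
    allowed = set(registered.split())
    kept = [s for s in requested if s in allowed]
    dropped = [s for s in requested if s not in allowed]
    return kept, dropped
```

The operational consequence of the second case is that a client registered without a "scope" field is not limited at all, so the property only protects clients whose registration actually lists the scope values they are allowed to request.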
Simplified configuration
All Connect2id server configuration properties were revised and given sensible default values where applicable.
This minimises the effort to configure a deployment, by reducing the number of Java system properties that must be set.
SBOM
A Software Bill Of Materials (SBOM) in CycloneDX JSON and XML format is included in the c2id.war under /WEB-INF/sbom/CycloneDX-Sbom.json and /WEB-INF/sbom/CycloneDX-Sbom.xml.
Infinispan upgrade
The underlying Infinispan layer received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
Oracle database support
The Oracle database is now supported, alongside the MySQL, PostgreSQL and Microsoft SQL Server relational databases.
Support for persistence to LDAP is removed
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
Bug fixes, optimisations
The code base received several bug fixes. The data persistence layer was optimised, which may result in CPU and storage bill savings in large deployments.
More information can be found in the release notes below.
Download 14.0-rc.9
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.9: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: d751829f61fe5b6645e60c0b255356f2d201d9629752dcff70bb2f331705a9ca
Connect2id server 14.0-rc.9 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 0cec0cf6e0cb9d77599f108ea0f9a920796a01cc6fcde871febfb3d1a16fb3f7
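Two checks a practitioner would run on a download before deploying it, as an added example written for this page, not a Connect2id tool: comparing the artifact's SHA-256 with the digest published above, and reading the shipped CycloneDX SBOM to confirm that the dependency versions named in the release notes are the ones actually packaged. The SBOM document in the block is a constructed fragment, not the one in c2id.war, and the GPG signature (.asc) still has to be verified separately with the published public key.

```python
"""Integrity check of a downloaded 14.0 artifact and a pin check over its SBOM.

Added example, not a Connect2id tool. PUBLISHED_SHA256 holds the digests from the
download section; SAMPLE_SBOM is a constructed CycloneDX fragment; PINS are Maven
coordinates taken from the dependency changes in the release notes.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

PUBLISHED_SHA256 = {
    "Connect2id-server.zip": "d751829f61fe5b6645e60c0b255356f2d201d9629752dcff70bb2f331705a9ca",
    "c2id.war": "0cec0cf6e0cb9d77599f108ea0f9a920796a01cc6fcde871febfb3d1a16fb3f7",
}

# group:name -> version, per the 14.0 dependency changes
PINS = {
    "com.nimbusds:oauth2-oidc-sdk": "10.9.1",
    "com.nimbusds:c2id-server-sdk": "4.55.1",
    "com.oracle.database.jdbc:ojdbc11": "21.8.0.0",
}


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the file's SHA-256 with a published digest in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def sbom_versions(sbom_json: str) -> Dict[str, str]:
    """Index a CycloneDX JSON SBOM's components as group:name -> version."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out: Dict[str, str] = {}
    for c in doc.get("components", []):
        key = f"{c['group']}:{c['name']}" if c.get("group") else c["name"]
        out[key] = c.get("version", "")
    return out


def pin_mismatches(versions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(coordinate, expected, found) for every pin that is absent or at another version."""
    return [(k, v, versions.get(k, "<missing>")) for k, v in PINS.items() if versions.get(k) != v]


# Constructed SBOM fragment for this example; the c2id-server-sdk entry deliberately deviates
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.nimbusds", "name": "oauth2-oidc-sdk", "version": "10.9.1"},
        {"type": "library", "group": "com.nimbusds", "name": "c2id-server-sdk", "version": "4.54"},
        {"type": "library", "group": "com.oracle.database.jdbc", "name": "ojdbc11", "version": "21.8.0.0"},
    ],
})


def check_download(path: str, artifact: str) -> bool:
    """Read a downloaded file and compare it with the published digest for that artifact."""
    with open(path, "rb") as f:
        return digest_matches(f.read(), PUBLISHED_SHA256[artifact])
```

Against a real download, feed `check_download("c2id.war", "c2id.war")` the file from the page and pass the JSON extracted from the archive (for example with `unzip -p c2id.war WEB-INF/sbom/CycloneDX-Sbom.json`) to `sbom_versions`. A digest match proves only that the bytes are the ones the page describes; the signature check proves who published them.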
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0 (2023-06-08)
Summary
Support for refresh token rotation that can be set on an individual authorisation basis, overriding the global Connect2id server configuration.
Self-contained (JWT-encoded) refresh tokens, which are linked to transient / non-persisted ("long_lived":false) authorisations, also receive the ability to be rotated.
In previous Connect2id server versions refresh token rotation could only be set globally and apply only to identifier-based refresh tokens, which are linked to long-lived / persisted ("long_lived":true) authorisations.
Support for ID token refresh at the token endpoint, set on an individual authorisation basis. The token response will include a new ID token provided the refresh token authorisation allows such refresh and the subject (end-user) session bound to the refresh token is still present. If the session was closed or expired no ID token will be included in the token response.
An authorised OpenID relying party may use the ID token refresh to do a back-channel check whether the end-user session with the OpenID provider still exists (i.e. that the session wasn't closed or expired). OpenID relying parties should use the standard "prompt=none" OpenID authentication request to ensure the end-user is actively present and properly authenticated, since this method involves the front-channel (the browser). An ID token refresh thus isn't equivalent to or a substitute for a "prompt=none" OpenID authentication request.
Public clients registered for OAuth 2.0 mutual TLS (RFC 8705) and the OAuth 2.0 refresh token grant will receive refresh tokens that are client X.509 certificate bound.
A new "op.authz.limitToRegisteredScope" configuration property will limit the requested scope values in the consent prompt of the authorisation session API to those registered in the metadata of the requesting client. If disabled, or if no "scope" client metadata field is registered, the authorisation request scope will be passed on to the consent prompt as it is. Enabled by default.
All Connect2id server configuration properties are revised and given appropriate default values where applicable. Intended to minimise the configuration effort and reduce the number of Java system properties necessary to deploy a Connect2id server.
Updates the TokenIntrospectionResponseComposer SPI to provide access to the subject (end-user) session where token consent occurred, when the session is still present (not closed or expired). The subject session may be used by customised token introspection endpoints to include selected claims or other details from the session in the introspection responses.
Updates the AdvancedClaimsSource SPI to provide access to the subject (end-user) session where the claims sourcing was authorised, provided the session is still present (not closed or expired). The subject session may be used to source claims for UserInfo responses and ID tokens.
A Software Bill Of Materials (SBOM) in CycloneDX JSON and XML format is included in the c2id.war under /WEB-INF/sbom/CycloneDX-Sbom.json and /WEB-INF/sbom/CycloneDX-Sbom.xml
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/oidcProvider.properties
op.authz.limitToRegisteredScope -- New optional configuration property of type boolean to limit the requested scope values in the consent prompt for OAuth 2.0 authorisation / OpenID authentication requests to those registered in the "scope" client metadata field (provided the metadata field is set). The default value is true.
op.authz.feedSubjectSessionClaimsIntoIDToken -- No longer a required configuration property, receives a default value of true.
op.reg.allowOpenRegistration -- Receives a default value false.
op.reg.rejectNonTLSRedirectionURIs -- Receives a default value true.
op.reg.refreshAccessTokenOnUpdate -- Receives a default value true.
op.reg.clientSecretLifetime -- Receives a default value 0 (no expiration).
op.reg.alwaysRefreshClientSecretOnUpdate -- Receives a default value true.
op.reg.resourceRetriever.httpConnectTimeout -- Increases the default value to 1000 ms.
op.reg.resourceRetriever.httpReadTimeout -- Increases the default value to 1000 ms.
op.idToken.defaultLifetime -- Receives a default value 300 seconds.
op.idToken.jwsAlgs -- Receives a default value of all supported, with "none" excluded.
op.idToken.jweAlgs -- Receives a default value of all supported.
op.idToken.jweEncs -- Receives a default value of all supported.
op.idToken.ignoreUserInfoError -- Receives a default value true.
op.authz.sessionLifetime -- Receives a default value 15 minutes.
op.authz.responseTypes -- Receives a default value of all supported.
op.authz.responseModes -- Receives a default value of all standard supported.
op.authz.requestJWSAlgs -- Receives a default value of all supported, with "none" excluded.
op.authz.requestJWEAlgs -- Receives a default value of all supported.
op.authz.requestJWEEncs -- Receives a default value of all supported.
op.authz.responseJWSAlgs -- Receives a default value of all supported.
op.authz.responseJWEAlgs -- Receives a default value of all supported.
op.authz.responseJWEEncs -- Receives a default value of all supported.
op.authz.includeClientInfoInAuthPrompt -- Receives a default value false.
op.authz.includeOtherConsentedScopeAndClaimsInPrompt -- Receives a default value false.
op.authz.alwaysPromptForConsent -- Receives a default value false.
op.authz.requireIDTokenHintWithPromptNone -- Receives a default value false.
op.authz.advertisedScopes -- Receives a default value "openid".
op.authz.advertisedClaims -- Receives a default value "sub".
op.authz.advertisedDisplayTypes -- Receives a default value page.
op.token.authMethods -- Receives a default value of all supported, with "tls_client_auth" and "self_signed_tls_client_auth" excluded.
op.token.authJWSAlgs -- Receives a default value of all supported.
op.userinfo.jwsAlgs -- Receives a default value of all supported.
op.userinfo.jweAlgs -- Receives a default value of all supported.
op.userinfo.jweEncs -- Receives a default value of all supported.
op.logout.sessionLifetime -- Receives a default value of 10 minutes.
op.logout.backChannel.httpConnectTimeout -- Increases the default value to 1000 ms.
op.logout.backChannel.httpReadTimeout -- Increases the default value to 1000 ms.
op.federation.httpConnectTimeout -- Replaces the op.federation.httpRequestTimeout configuration property, increases the default value to 1000 ms.
op.federation.httpReadTimeout -- Increases the default value to 1000 ms.
/WEB-INF/authzStore.properties
authzStore.refreshToken.defaultRotate -- New optional configuration property of type boolean for the default refresh token rotation setting. Can be overridden by individual authorisations. The default value is false (no rotation).
authzStore.refreshToken.alwaysUpdate -- Deprecated, use "authzStore.refreshToken.defaultRotate" instead.
authzStore.accessToken.includeX5C -- New optional configuration property of type boolean to enable / disable inclusion of the X.509 certificate chain ("x5c") header parameter in self-contained (JWT) access tokens when the signing JWK is provisioned with a certificate. The default value is true (enabled).
authzStore.code.lifetime -- Receives a default value of 300 seconds (5 minutes).
authzStore.accessToken.defaultLifetime -- Receives a default value 600 seconds (10 minutes).
authzStore.accessToken.jwsAlgorithm -- Receives a default value RS256.
authzStore.accessToken.jweAlgorithm -- Receives a default value dir.
authzStore.accessToken.jweMethod -- Receives a default value A128GCM.
authzStore.accessToken.allowDirectInspection -- Receives a default value false.
authzStore.options.highlyAvailableMode -- Receives a default value true.
authzStore.options.legacyPlainKeysInStorage -- Removed, after being deprecated in Connect2id server 10.0.
/WEB-INF/sessionStore.properties
sessionStore.maxLifetime -- Receives a default value 259200 minutes (180 days).
sessionStore.authLifetime -- Receives a default value 43200 minutes (30 days).
sessionStore.maxIdleTime -- Receives a default value 14400 minutes (10 days).
sessionStore.quotaPerSubject -- Receives a default value 5.
sessionStore.onQuotaExhaustion -- Receives a default value CLOSE_OLD_SESSION.
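With so many properties now defaulted, the practical question for an upgrade is where an existing deployment is laxer than the new defaults or is left with a setting that 14.0 deprecates or rejects. The following checker is an added example written for this page, not a Connect2id tool: it reads a Java .properties text and applies rules drawn only from the settings and defaults listed above. The sample properties are constructed, keys from oidcProvider.properties and authzStore.properties are merged into one text for brevity, and list-valued properties are assumed to be space-separated.

```python
"""Audit of a deployment's properties against the security-relevant 14.0 defaults listed above.

Added example, not a Connect2id tool. SAMPLE is constructed; merging keys from
oidcProvider.properties and authzStore.properties into one text is a simplification.
"""
import re
from typing import Dict, List

# Defaults as listed in the 14.0 configuration notes
DEFAULTS = {
    "op.reg.allowOpenRegistration": "false",
    "op.reg.rejectNonTLSRedirectionURIs": "true",
    "op.authz.limitToRegisteredScope": "true",
    "authzStore.accessToken.allowDirectInspection": "false",
    "authzStore.refreshToken.defaultRotate": "false",
}

_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value, # and ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "#!":
            continue
        m = _LINE.match(raw)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Findings where the deployment is laxer than the 14.0 defaults or misconfigured."""
    def effective(key: str) -> str:
        return props.get(key, DEFAULTS.get(key, "")).strip().lower()

    findings: List[str] = []
    if effective("op.reg.allowOpenRegistration") == "true":
        findings.append("op.reg.allowOpenRegistration=true: open client registration (default false)")
    if effective("op.reg.rejectNonTLSRedirectionURIs") == "false":
        findings.append("op.reg.rejectNonTLSRedirectionURIs=false: plain-HTTP redirect URIs accepted (default true)")
    if effective("op.authz.limitToRegisteredScope") == "false":
        findings.append("op.authz.limitToRegisteredScope=false: unregistered scope reaches the consent prompt")
    if effective("authzStore.accessToken.allowDirectInspection") == "true":
        findings.append("authzStore.accessToken.allowDirectInspection=true (default false)")
    for key in ("op.idToken.jwsAlgs", "op.authz.requestJWSAlgs"):
        if "none" in props.get(key, "").split():
            findings.append(f"{key} lists 'none': the 14.0 default excludes it")
    mtls = {"tls_client_auth", "self_signed_tls_client_auth"}
    if mtls & set(props.get("op.token.authMethods", "").split()) and not props.get("op.tls.clientX509CertHeader"):
        findings.append("mTLS client auth without op.tls.clientX509CertHeader: 14.0 rejects this configuration (issue server/882)")
    if "authzStore.refreshToken.alwaysUpdate" in props:
        findings.append("authzStore.refreshToken.alwaysUpdate is deprecated: use authzStore.refreshToken.defaultRotate")
    return findings


# Constructed sample, not a real deployment's configuration
SAMPLE = """
# oidcProvider.properties (excerpt)
op.reg.allowOpenRegistration = true
op.reg.rejectNonTLSRedirectionURIs=true
op.idToken.jwsAlgs=RS256 ES256 none
op.token.authMethods=client_secret_basic private_key_jwt tls_client_auth
! authzStore.properties (excerpt)
authzStore.refreshToken.alwaysUpdate=true
"""
```

Running `audit(parse_properties(SAMPLE))` on the constructed sample yields four findings: the open registration, the "none" algorithm, the mTLS method without its header, and the deprecated rotation property; a deployment that sets nothing at all gets none, which is the point of the new defaults.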
/WEB-INF/infinispan-*.xml
Upgrades the XML schema to Infinispan 14.0.
Replaces the Infinispan "op.clientRegTokenMap" with a new generic "authzStore.expendedTokenMap" capable of storing keys for expended tokens that are rotated self-contained (JWT-encoded) refresh tokens, client registration tokens, client_secret_jwt and private_key_jwt tokens, DPoP tokens and other one-time-use objects.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alterations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id server is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Web API
/token
Supports issue of rotated self-contained (JWT-encoded) refresh tokens.
Supports ID token refresh. Requires the refresh token authorisation to explicitly allow ID token refresh and the subject (end-user) session bound to the refresh token to be still present (not closed or expired), else an ID token will not be included in the token response.
The expiration of the refreshed ID token will be set according to the globally configured "op.idToken.defaultLifetime". An ID token lifetime supplied to the consent object (with "id_token.lifetime") will not be replicated in refreshed ID tokens.
The "max_age" OpenID authentication request parameter will trigger inclusion of the "auth_time" claim only in the ID token issued in the direct response to it, not in refreshed ID tokens. For an OpenID relying party to receive the "auth_time" claim in refreshed ID tokens it must be registered with the "require_auth_time" client metadata parameter.
The refreshed ID token will include all consented claims as well as any claims found in the subject session "claims" field (unless the "op.authz.feedSubjectSessionClaimsIntoIDToken" configuration property prevents this). Preset ID token claims supplied to the consent object (with "preset_claims.id_token") will not be replicated in refreshed ID tokens.
/authz-sessions/rest/v3/
Adds an optional "refresh_token.rotate" parameter of type boolean to the consent object. Sets the refresh token rotation for the current authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/direct-authz/rest/v2/
Adds an optional "refresh_token.rotate" parameter of type boolean to the request object. Sets the refresh token rotation for the individual authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the request object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
Adds an optional "claims_data" parameter of type JSON object to the request object. The parameter will be passed in the request to retrieve the consented OpenID claims from the configured source(s). The claims data will be included in a "cld" (claims data) field in the issued access token(s) and in the long-lived authorisations if the consent is persisted. If the claims data must be kept confidential from the client, either an identifier-based access token encoding must be chosen, or, if a self-contained (JWT) access token is chosen, it must additionally be encrypted. An AdvancedClaimsSource SPI implementation can retrieve the claims data JSON object by a call to the "ClaimsSourceRequestContext.getClaimsData" method.
This parameter is identical to the "claims_data" parameter in the consent object of the authorisation session web API.
/authz-store/rest/v3/
New "rtr" authorisation field of type boolean for the refresh token rotate setting. The default value is false.
New "idr" authorisation field of type boolean for the allow ID token refresh setting. The default value is false.
Removes the "/config" resource for retrieval (via HTTP GET) of the public authorisation store configuration.
/monitor/v1/metrics
Adds new "authzStore.numExpendedTokenEntries" gauge.
Removes the "clientStore.numCachedExpendedTokens" gauge (replaced by the new "authzStore.numExpendedTokenEntries" gauge).
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.54
The RefreshTokenSpec class receives a new optional rotation setting. If empty the default Connect2id server refresh token rotation policy will apply.
The IDToken spec class receives a new optional allow refresh setting. The default setting is no ID token refresh allowed.
The PasswordGrantHandler SPI can set a refresh token rotation preference.
The TokenExchangeGrantHandler SPI can set a refresh token rotation preference.
The TokenIntrospectionResponseComposer SPI adds access to the subject (end-user) session used for the token consent, provided the session is still present (not closed or expired). The session object can be accessed via the "TokenIntrospectionContext.getSubjectSession" method. The subject session may be used by customised token introspection endpoints to include subject claims or other details from the session in the responses.
The AdvancedClaimsSource SPI adds access to the subject (end-user) session where the claims sourcing was authorised, provided the session is still present (not closed or expired). The session object can be accessed via the "ClaimsSourceRequestContext.getSubjectSession" method.
The subject session is supplied in the following cases:
Claims sourcing for the UserInfo endpoint where the subject session where the claims consent occurred is still present (not expired or closed);
Claims sourcing for ID token issue for an OAuth 2.0 authorisation code, implicit (including OpenID Connect hybrid response type) and refresh token grants;
Claims sourcing for a direct authorisation request where a valid subject session ID was supplied, or a new subject session was created.
The subject session may be used as a source of subject authentication claims, or claims from the optional "claims" session field.
Adds an "AccessTokenAuthorization.getSubjectSessionKey" method, returns null by default. Intended to represent the new encrypted subject session ID key attribute ("sik") in access tokens. Connect2id server deployments with a custom codec (SelfContainedAccessTokenClaimsCodec SPI implementation) for the JWT claims for access tokens should update it to include the new attribute.
Resolved issues
The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
Retrieving an authorisation record by refresh token must echo the submitted refresh token value in the returned record instead of recreating it from the persisted "rts" field (issue authz-store/203).
Authorisation updates must always return a refresh token in the current format, not the legacy format (issue authz-store/204).
The direct authorisation endpoint must always return a refresh token in the current, not the legacy format (issue server/837).
Store retrieval of identifier-based access tokens must recreate the local subject when the subject type is pairwise (issue authz-store/201).
Removes redundant persistence of registration_client_uri, recreates it dynamically from the OP / AS issuer URL and the client_id (issue server/512).
The "cnf" column of the "id_access_tokens" SQL table must be increased from 100 to 150 VARCHAR for H2 and MS SQL Server to accommodate token authorisations that use both a x5t#S256 and a jkt binding (issue authz-store/206).
Adds missing DynamoDB persistence of the "cld" (claims data) authorisation record field (issue authz-store/210).
Automatic revocation of all authorisations on replay of a rotated refresh token (issue authz-store/212).
Persist only the subject session ID key in pending authorisation code entries (omitting the appended HMAC), to prevent exploitation of session IDs in case of unauthorised access to the backend database or a database record leak (issue server/863).
Fixes NPE in DirectAuthorizationRequest.getResolvedClaims (issue server/867).
Consented non-requested OpenID claims should not be included in the saved claims field ("scs") of authorisations and authorisation records (issue server/868).
Client registration POST with empty "jwks" must produce HTTP 400 instead of HTTP 500 (issue server/878).
The server configuration must be rejected when mTLS client authentication is enabled and an op.tls.clientX509CertHeader is not configured (issue server/882).
Tokens issued within 500ms of a revocation event must not be marked as revoked (issue authz-store/211).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.55.1
Upgrades to com.nimbusds:oauth2-oidc-sdk:10.9.1
Upgrades to com.nimbusds:c2id-server-jwkset:1.29.1
Updates to com.nimbusds:c2id-server-property-source:1.1.2
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:24.1.2
Updates to com.nimbusds:oidc-session-store:16.4.2
Updates to com.nimbusds:software-statement-verifier:2.2.5
Upgrades to com.nimbusds:common:2.52
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to BouncyCastle 1.73.
Upgrades to Infinispan 14.0.7.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Updates to com.thetransactioncompany:pretty-json:1.5
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0
Connect2id server 14.0 RC8 with new refresh token settings, optional ID token refresh and Oracle database support
This is a stable snapshot of the upcoming Connect2id server 14.0. The final release will include more features and changes.
New refresh token settings
Self-contained (JWT-encoded) refresh tokens for transient (non-persisted) authorisations can now also be optionally rotated. Previously, rotation was possible only for refresh tokens linked to a long-lived (persisted) authorisation. Rotation is intended as a poor-man's protection for public OAuth 2.0 clients against replay of a leaked refresh token. The more secure method to prevent replay, and the more robust one on slow or unreliable networks (where a freshly rotated token can be lost in transit), is for public clients to use sender-constrained refresh tokens, by means of mTLS or DPoP.
The refresh token rotation is now set on an individual authorisation basis, via the optional refresh_token.rotate parameter in the consent of authorisation sessions.
Example consent setting refresh token rotation:
{
"scope" : [ "openid", "email" ],
"claims" : [ "email", "email_verified" ],
"refresh_token" : { "rotate" : true }
}
The direct authorisation endpoint and the token exchange and password grant handlers also support the new rotation parameter.
If the refresh_token.rotate parameter for a given authorisation is omitted, a default policy will be applied, according to the new authzStore.refreshToken.defaultRotate configuration property.
The global authzStore.refreshToken.alwaysUpdate (always rotate) configuration property is deprecated and should no longer be used. Instead, set the authzStore.refreshToken.defaultRotate configuration property and override it for specific clients or authorisations.
ID token refresh
Another new feature is the option to refresh ID tokens, in response to a valid refresh token grant with the openid scope, provided the end-user is considered logged into the OpenID provider.
The ID token refresh can be allowed on an individual authorisation basis, by setting the optional id_token.refresh parameter in the consent of authorisation sessions.
Example consent allowing ID token refresh:
{
"scope" : [ "openid" ],
"id_token" : { "refresh" : true }
}
As long as the OpenID provider session in which the user logged in remains present, the token endpoint will return a new ID token in the response to a refresh request. When the session is closed or expires, issue of the ID token will cease (an access token will still be returned).
The ID token refresh can thus be used by authorised relying parties to perform a back-channel check whether the user still has a session with the Connect2id server.
Note that the ID token refresh does not guarantee the end-user is actually present and properly authenticated, due to the back-channel nature of the token request. The standard prompt=none OpenID authentication request is intended for this purpose, as it goes through the front-channel (the browser) and therefore requires the end-user's user agent, carrying its OpenID provider session, to take part.
Claims source plugins can access the user sessions
Connect2id server plugins for sourcing the consented user claims that go into UserInfo responses or ID tokens can now access the end-user session where the claims sourcing was authorised.
This can be useful to populate claims from information held in the session, such as authentication details, or claims that were saved in the claims field at the time the user session was created.
Token introspection composer plugins can also access the user sessions
Plugins for shaping token introspection responses can now also access the user session where the token issue was authorised.
The presence of a session can be a deployment-specific condition for returning an introspection response for an active (valid) access token. The session can also serve as a source for selected claims to include in the response, such as the optional claims field of the session.
Scope management
A new op.authz.limitToRegisteredScope configuration property was introduced to limit the requested scope values in the consent prompt of the authorisation session API to those registered in the metadata of the requesting client.
If disabled, or if no "scope" client metadata field is registered, the authorisation request scope will be passed on to the consent prompt as it is.
This configuration property is enabled by default:
op.authz.limitToRegisteredScope=true
Simplified configuration
All Connect2id server configuration properties were revised and given sensible default values where applicable.
This minimises the effort to configure a deployment, by reducing the number of Java system properties that must be set.
Infinispan upgrade
The underlying Infinispan layer received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
Oracle database support
The Oracle database is now supported, alongside the MySQL, PostgreSQL and Microsoft SQL Server relational databases.
Support for persistence to LDAP is removed
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
Bug fixes, optimisations
The code base received several bug fixes. The data persistence layer was optimised, which may result in CPU and storage bill savings in large deployments.
More information can be found in the release notes below.
Download 14.0-rc.8
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.8: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 79723680cbf0107217877d4844f891f6e95c47aaffbfb6928aa7621b167161e3
Connect2id server 14.0-rc.8 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 352bff5b6399d5d113905d9b8696fd727d5732991f9840d94019db4c94ff408f
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0 (2023-05-31)
Summary
Support for refresh token rotation that can be set on an individual authorisation basis, overriding the global Connect2id server configuration.
Self-contained (JWT-encoded) refresh tokens, which are linked to transient / non-persisted ("long_lived":false) authorisations, also receive the ability to be rotated.
In previous Connect2id server versions refresh token rotation could only be set globally and apply only to identifier-based refresh tokens, which are linked to long-lived / persisted ("long_lived":true) authorisations.
Support for ID token refresh at the token endpoint, set on an individual authorisation basis. The token response will include a new ID token provided the refresh token authorisation allows such refresh and the subject (end-user) session bound to the refresh token is still present. If the session was closed or expired no ID token will be included in the token response.
An authorised OpenID relying party may use the ID token refresh to do a back-channel check whether the end-user session with the OpenID provider still exists (i.e. that the session wasn't closed or expired). OpenID relying parties should use the standard "prompt=none" OpenID authentication request to ensure the end-user is actively present and properly authenticated, since this method involves the front-channel (the browser). An ID token refresh thus isn't equivalent to or a substitute for a "prompt=none" OpenID authentication request.
Public clients registered for OAuth 2.0 mutual TLS (RFC 8705) and the OAuth 2.0 refresh token grant will receive refresh tokens that are client X.509 certificate bound.
A new "op.authz.limitScopeToRegistered" configuration property will limit the requested scope values in the consent prompt of the authorisation session API to those registered in the metadata of the requesting client. If disabled or no "scope" client metadata field is registered, the authorisation request scope will be passed on to the consent prompt as it is. Enabled by default.
All Connect2id server configuration properties are revised and given appropriate default values where applicable. Intended to minimise the configuration effort and reduce the number of Java system properties necessary to deploy a Connect2id server.
Updates the TokenIntrospectionResponseComposer SPI to provide access to the subject (end-user) session where token consent occurred, when the session is still present (not closed or expired). The subject session may be used by customised token introspection endpoints to include selected claims or other details from the session in the introspection responses.
Updates the AdvancedClaimsSource SPI to provide access to the subject (end-user) session where the claims sourcing was authorised, provided the session is still present (not closed or expired). The subject session may be used to source claims for UserInfo responses and ID tokens.
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/oidcProvider.properties
op.authz.limitToRegisteredScope -- New optional configuration property of type boolean to limit the requested scope values in the consent prompt for OAuth 2.0 authorisation / OpenID authentication requests to those registered in the "scopes" client metadata field (provided the metadata field is set). The default value is true.
op.authz.feedSubjectSessionClaimsIntoIDToken -- No longer a required configuration property, receives a default value of true.
op.reg.allowOpenRegistration -- Receives a default value false.
op.reg.rejectNonTLSRedirectionURIs -- Receives a default value true.
op.reg.refreshAccessTokenOnUpdate -- Receives a default value true.
op.reg.clientSecretLifetime -- Receives a default value 0 (no expiration).
op.reg.alwaysRefreshClientSecretOnUpdate -- Receives a default value true.
op.reg.resourceRetriever.httpConnectTimeout -- Increases the default value to 1000 ms.
op.reg.resourceRetriever.httpReadTimeout -- Increases the default value to 1000 ms.
op.idToken.defaultLifetime -- Receives a default value 300 seconds.
op.idToken.jwsAlgs -- Receives a default value of all supported, with "none" excluded.
op.idToken.jweAlgs -- Receives a default value of all supported.
op.idToken.jweEncs -- Receives a default value of all supported.
op.idToken.ignoreUserInfoError -- Receives a default value true.
op.authz.sessionLifetime -- Receives a default value 15 minutes.
op.authz.responseTypes -- Receives a default value of all supported.
op.authz.responseModes -- Receives a default value of all standard supported.
op.authz.requestJWSAlgs -- Receives a default value of all supported, with "none" excluded.
op.authz.requestJWEAlgs -- Receives a default value of all supported.
op.authz.requestJWEEncs -- Receives a default value of all supported.
op.authz.responseJWSAlgs -- Receives a default value of all supported.
op.authz.responseJWEAlgs -- Receives a default value of all supported.
op.authz.responseJWEEncs -- Receives a default value of all supported.
op.authz.includeClientInfoInAuthPrompt -- Receives a default value false.
op.authz.includeOtherConsentedScopeAndClaimsInPrompt -- Receives a default value false.
op.authz.alwaysPromptForConsent -- Receives a default value false.
op.authz.requireIDTokenHintWithPromptNone -- Receives a default value false.
op.authz.advertisedScopes -- Receives a default value "openid".
op.authz.advertisedClaims -- Receives a default value "sub".
op.authz.advertisedDisplayTypes -- Receives a default value "page".
op.token.authMethods -- Receives a default value of all supported, with "tls_client_auth" and "self_signed_tls_client_auth" excluded.
op.token.authJWSAlgs -- Receives a default value of all supported.
op.userinfo.jwsAlgs -- Receives a default value of all supported.
op.userinfo.jweAlgs -- Receives a default value of all supported.
op.userinfo.jweEncs -- Receives a default value of all supported.
op.logout.sessionLifetime -- Receives a default value of 10 minutes.
op.logout.backChannel.httpConnectTimeout -- Increases the default value to 1000 ms.
op.logout.backChannel.httpReadTimeout -- Increases the default value to 1000 ms.
op.federation.httpConnectTimeout -- Replaces the op.federation.httpRequestTimeout configuration property, increases the default value to 1000 ms.
op.federation.httpReadTimeout -- Increases the default value to 1000 ms.
/WEB-INF/authzStore.properties
authzStore.refreshToken.defaultRotate -- New optional configuration property of type boolean for the default refresh token rotation setting. Can be overridden by individual authorisations. The default value is false (no rotation).
authzStore.refreshToken.alwaysUpdate -- Deprecated, use "authzStore.refreshToken.defaultRotate" instead.
authzStore.accessToken.includeX5C -- New optional configuration property of type boolean to enable / disable inclusion of the X.509 certificate chain ("x5c") header parameter in self-contained (JWT) access tokens when the signing JWK is provisioned with a certificate. The default value is true (enabled).
authzStore.code.lifetime -- Receives a default value of 300 seconds (5 minutes).
authzStore.accessToken.defaultLifetime -- Receives a default value 600 seconds (10 minutes).
authzStore.accessToken.jwsAlgorithm -- Receives a default value RS256.
authzStore.accessToken.jweAlgorithm -- Receives a default value dir.
authzStore.accessToken.jweMethod -- Receives a default value A128GCM.
authzStore.accessToken.allowDirectInspection -- Receives a default value false.
authzStore.options.highlyAvailableMode -- Receives a default value true.
authzStore.options.legacyPlainKeysInStorage -- Removed, after being deprecated in Connect2id server 10.0.
/WEB-INF/sessionStore.properties
sessionStore.maxLifetime -- Receives a default value 259200 minutes (180 days).
sessionStore.authLifetime -- Receives a default value 43200 minutes (30 days).
sessionStore.maxIdleTime -- Receives a default value 14400 minutes (10 days).
sessionStore.quotaPerSubject -- Receives a default value 5.
sessionStore.onQuotaExhaustion -- Receives a default value CLOSE_OLD_SESSION.
/WEB-INF/infinispan-*.xml
Upgrades the XML schema to Infinispan 14.0.
Replaces the Infinispan "op.clientRegTokenMap" with a new generic "authzStore.expendedTokenMap" capable of storing keys for expended tokens that are rotated self-contained (JWT-encoded) refresh tokens, client registration tokens, client_secret_jwt and private_key_jwt tokens, DPoP tokens and other one-time-use objects.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alterations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id server is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Web API
/token
Supports issue of rotated self-contained (JWT-encoded) refresh tokens.
Supports ID token refresh. Requires the refresh token authorisation to explicitly allow ID token refresh and the subject (end-user) session bound to the refresh token to be still present (not closed or expired), else an ID token will not be included in the token response.
The expiration of the refreshed ID token will be set according to the globally configured "op.idToken.defaultLifetime". An ID token lifetime supplied to the consent object (with "id_token.lifetime") will not be replicated in refreshed ID tokens.
The "max_age" OpenID authentication request parameter will trigger inclusion of the "auth_time" claim only in the ID token issued in the direct response to it, not in refreshed ID tokens. For an OpenID relying party to receive the "auth_time" claim in refreshed ID tokens, the client must be registered with the "require_auth_time" metadata parameter.
The refreshed ID token will include all consented claims as well as any claims found in the subject session "claims" field (unless the "op.authz.feedSubjectSessionClaimsIntoIDToken" configuration property prevents this). Preset ID token claims supplied to the consent object (with "preset_claims.id_token") will not be replicated in refreshed ID tokens.
/authz-sessions/rest/v3/
Adds an optional "refresh_token.rotate" parameter of type boolean to the consent object. Sets the refresh token rotation for the current authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/direct-authz/rest/v2/
Adds an optional "refresh_token.rotate" parameter of type boolean to the request object. Sets the refresh token rotation for the individual authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/authz-store/rest/v3/
New "rtr" authorisation field of type boolean for the refresh token rotate setting. The default value is false.
New "idr" authorisation field of type boolean for the allow ID token refresh setting. The default value is false.
Removes the "/config" resource for retrieval (via HTTP GET) of the public authorisation store configuration.
/monitor/v1/metrics
Adds new "authzStore.numExpendedTokenEntries" gauge.
Removes the "clientStore.numCachedExpendedTokens" gauge (replaced by the new "authzStore.numExpendedTokenEntries" gauge).
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.54
The RefreshTokenSpec class receives a new optional rotation setting. If empty the default Connect2id server refresh token rotation policy will apply.
The IDToken spec class receives a new optional allow refresh setting. The default setting is no ID token refresh allowed.
The PasswordGrantHandler SPI can set a refresh token rotation preference.
The TokenExchangeGrantHandler SPI can set a refresh token rotation preference.
The TokenIntrospectionResponseComposer SPI adds access to the subject (end-user) session used for the token consent, provided the session is still present (not closed or expired). The session object can be accessed via the "TokenIntrospectionContext.getSubjectSession" method. The subject session may be used by customised token introspection endpoints to include subject claims or other details from the session in the responses.
The AdvancedClaimsSource SPI adds access to the subject (end-user) session where the claims sourcing was authorised, provided the session is still present (not closed or expired). The session object can be accessed via the "ClaimsSourceRequestContext.getSubjectSession" method.
The subject session is supplied in the following cases:
Claims sourcing for the UserInfo endpoint, provided the subject session in which the claims consent occurred is still present (not expired or closed);
Claims sourcing for ID token issue for an OAuth 2.0 authorisation code, implicit (including OpenID Connect hybrid response type) and refresh token grants;
Claims sourcing for a direct authorisation request where a valid subject session ID was supplied, or a new subject session was created.
The subject session may be used as a source of subject authentication claims, or claims from the optional "claims" session field.
Adds an "AccessTokenAuthorization.getSubjectSessionKey" method, which returns null by default. Intended to represent the new encrypted subject session ID key attribute ("sik") in access tokens. Connect2id server deployments with a custom codec (SelfContainedAccessTokenClaimsCodec SPI implementation) for the JWT claims for access tokens should update it to include the new attribute.
Resolved issues
The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
Retrieving an authorisation record by refresh token must echo the submitted refresh token value in the returned record instead of recreating it from the persisted "rts" field (issue authz-store/203).
Authorisation updates must always return a refresh token in the current format, not the legacy format (issue authz-store/204).
The direct authorisation endpoint must always return a refresh token in the current, not the legacy format (issue server/837).
Store retrieval of identifier-based access tokens must recreate the local subject when the subject type is pairwise (issue authz-store/201).
Removes redundant persistence of registration_client_uri, recreates it dynamically from the OP / AS issuer URL and the client_id (issue server/512).
The "cnf" column of the "id_access_tokens" SQL table must be increased from 100 to 150 VARCHAR for H2 and MS SQL Server to accommodate token authorisations that use both an x5t#S256 and a jkt binding (issue authz-store/206).
Adds missing DynamoDB persistence of the "cld" (claims data) authorisation record field (issue authz-store/210).
Automatic revocation of all authorisations on replay of a rotated refresh token (issue authz-store/212).
Persist only the subject session ID key in pending authorisation code entries (omitting the appended HMAC), to prevent exploitation of session IDs in case of unauthorised access to the backend database or a database record leak (issue server/863).
Fixes NPE in DirectAuthorizationRequest.getResolvedClaims (issue server/867).
Consented non-requested OpenID claims should not be included in the saved claims field ("scs") of authorisations and authorisation records (issue server/868).
Client registration POST with empty "jwks" must produce HTTP 400 instead of HTTP 500 (issue server/878).
The server configuration must be rejected when mTLS client authentication is enabled and an op.tls.clientX509CertHeader is not configured (issue server/882).
Tokens issued within 500ms of a revocation event must not be marked as revoked (issue authz-store/211).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.55.1
Upgrades to com.nimbusds:oauth2-oidc-sdk:10.9.1
Upgrades to com.nimbusds:c2id-server-jwkset:1.29.1
Updates to com.nimbusds:c2id-server-property-source:1.1.1
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:24.1.1
Updates to com.nimbusds:oidc-session-store:16.4.2
Updates to com.nimbusds:software-statement-verifier:2.2.5
Upgrades to com.nimbusds:common:2.52
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to BouncyCastle 1.73.
Upgrades to Infinispan 14.0.7.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Updates to com.thetransactioncompany:pretty-json:1.5
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0
Connect2id server 14.0 RC7 with new refresh token settings, optional ID token refresh and Oracle database support
This is a stable snapshot of the upcoming Connect2id server 14.0. The final release will include more features and changes.
New refresh token settings
Self-contained (JWT-encoded) refresh tokens that link to transient (non-persisted) authorisations can now also be optionally rotated. Previously the rotation was possible only for refresh tokens linked to a long-lived (persisted) authorisation. The rotation is intended as a poor-man's protection for public OAuth 2.0 clients against replay of a leaked refresh token. The more secure method, and the more robust one on slow or unreliable networks, is for public clients to use sender-constrained refresh tokens, by means of mTLS or DPoP.
The refresh token rotation can now be set on an individual authorisation basis, by setting the optional refresh_token.rotate parameter in the consent of authorisation sessions.
Example consent setting refresh token rotation:
{
"scope" : [ "openid", "email" ],
"claims" : [ "email", "email_verified" ],
"refresh_token" : { "rotate" : true }
}
The direct authorisation endpoint and the token exchange and password grant handlers also support the new rotation parameter.
If the refresh_token.rotate parameter for a given authorisation isn't set, a default policy will be applied, according to the new authzStore.refreshToken.defaultRotate configuration property.
The global authzStore.refreshToken.alwaysUpdate (always rotate) configuration property is deprecated and should no longer be used. Instead, set the authzStore.refreshToken.defaultRotate configuration property and override it for specific clients or authorisations.
ID token refresh
ID token refresh can be allowed on an individual authorisation basis, by setting the optional id_token.refresh parameter in the consent of authorisation sessions.
Example consent allowing ID token refresh:
{
"scope" : [ "openid" ],
"id_token" : { "allow_refresh" : true }
}
As long as the OpenID provider session where the user login took place remains present, the token endpoint will return a new ID token in response to the refresh token. When the session is closed or expires, issuing of the ID token will cease (but an access token will still be returned).
The ID token refresh can thus be used by authorised relying parties to perform a back-channel check whether the user still has a session with the Connect2id server.
Note that the ID token refresh does not guarantee the end-user is actually present and properly authenticated, due to the back-channel nature of the token request. The standard prompt=none OpenID authentication request is intended for this purpose, as it's done via the front-channel (the browser) and cannot be triggered without an end-user interaction.
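The refresh token rotation and ID token refresh rules described in the two sections above, as an added example (not Connect2id server code) that models them in Python: the consent keys refresh_token.rotate and id_token.refresh and the authorisation fields rtr / idr follow the release notes, while the opaque token format, the in-memory stores and revoking every authorisation of the same subject and client on replay are assumptions.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Authorisation:
    """Per-authorisation settings; "rtr" and "idr" are the field names the
    release notes give for the authorisation store."""
    client_id: str
    subject: str
    scope: frozenset
    rtr: bool           # rotate the refresh token on every use
    idr: bool           # allow ID token refresh
    session_id: str     # subject (end-user) session bound to the refresh token
    revoked: bool = False


def authorisation_from_consent(consent, client_id, subject, session_id,
                               default_rotate=False):
    """Resolve a consent object into an authorisation. default_rotate models
    authzStore.refreshToken.defaultRotate and applies only when
    refresh_token.rotate is omitted; ID token refresh is off unless set."""
    rotate = consent.get("refresh_token", {}).get("rotate", default_rotate)
    allow_id_refresh = consent.get("id_token", {}).get("refresh", False)
    return Authorisation(client_id, subject, frozenset(consent["scope"]),
                         bool(rotate), bool(allow_id_refresh), session_id)


class TokenEndpoint:
    """Toy token endpoint that handles only the refresh token grant."""

    def __init__(self):
        self.live = {}        # refresh token -> Authorisation
        self.expended = {}    # rotated-away refresh token -> Authorisation
        self.sessions = {}    # session_id -> True while the session is present

    def open_session(self, session_id):
        self.sessions[session_id] = True

    def close_session(self, session_id):
        self.sessions[session_id] = False

    def issue(self, authz):
        """Issue a fresh refresh token (an opaque random value in this model)."""
        token = secrets.token_urlsafe(32)
        self.live[token] = authz
        return token

    def _revoke_all(self, authz):
        # Assumption: "all authorisations" means every live authorisation of
        # the same subject and client as the replayed token.
        for other in self.live.values():
            if (other.subject, other.client_id) == (authz.subject, authz.client_id):
                other.revoked = True

    def refresh_grant(self, refresh_token):
        owner = self.expended.get(refresh_token)
        if owner is not None:
            # A rotated-away token was presented again: treat it as replay of
            # a leaked token and revoke (issue authz-store/212 in the notes).
            self._revoke_all(owner)
            return {"error": "invalid_grant"}
        authz = self.live.get(refresh_token)
        if authz is None or authz.revoked:
            return {"error": "invalid_grant"}
        response = {"access_token": secrets.token_urlsafe(32),
                    "token_type": "Bearer"}
        if authz.rtr:
            # Rotate: retire the presented token and hand out a new one.
            del self.live[refresh_token]
            self.expended[refresh_token] = authz
            response["refresh_token"] = self.issue(authz)
        if (authz.idr and "openid" in authz.scope
                and self.sessions.get(authz.session_id, False)):
            # ID token refresh only while the bound subject session is present.
            response["id_token"] = {"sub": authz.subject, "aud": authz.client_id,
                                    "sid": authz.session_id}
        return response


if __name__ == "__main__":
    # Constructed walk-through: rotation, then a replay of the retired token.
    ep = TokenEndpoint()
    ep.open_session("sess-1")
    consent = {"scope": ["openid", "email"], "claims": ["email"],
               "refresh_token": {"rotate": True}, "id_token": {"refresh": True}}
    rt1 = ep.issue(authorisation_from_consent(consent, "app-1", "alice", "sess-1"))
    first = ep.refresh_grant(rt1)
    print("rotated:", "refresh_token" in first, "id_token:", "id_token" in first)
    print("replay of rt1:", ep.refresh_grant(rt1))
    print("successor after replay:", ep.refresh_grant(first["refresh_token"]))
```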
Infinispan upgrade
The underlying Infinispan layer received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
Oracle database support
The Oracle database is now supported, alongside the MySQL, PostgreSQL and Microsoft SQL Server relational databases.
Support for persistence to LDAP is removed
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
Bug fixes, optimisations
The code base received several bug fixes. The data persistence layer was optimised, which may result in CPU and storage bill savings in large deployments.
More information can be found in the release notes below.
Download 14.0-rc.7
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.7: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: d66e9ab4d5fa5c924d68c9b3353317db083a29c9ead3534315172c530193aca2
Connect2id server 14.0-rc.7 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 0315d3b5d04fc1e0a7b47f0f62387be63bc41d5f0f36b5af48a2d5519a34d4ed
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0 (2023-05-09)
Summary
Support for refresh token rotation that can be set on an individual authorisation basis, overriding the global Connect2id server configuration.
Self-contained (JWT-encoded) refresh tokens, which are linked to transient / non-persisted ("long_lived":false) authorisations, also receive the ability to be rotated.
In previous Connect2id server versions refresh token rotation could only be set globally and apply only to identifier-based refresh tokens, which are linked to long-lived / persisted ("long_lived":true) authorisations.
Support for ID token refresh at the token endpoint, set on an individual authorisation basis. The token response will include a new ID token provided the refresh token authorisation allows such refresh and the subject (end-user) session bound to the refresh token is still present. If the session was closed or expired no ID token will be included in the token response.
An authorised OpenID relying party may use the ID token refresh to do a back-channel check whether the end-user session with the OpenID provider still exists (i.e. that the session wasn't closed or expired). OpenID relying parties should use the standard "prompt=none" OpenID authentication request to ensure the end-user is actively present and properly authenticated, since this method involves the front-channel (the browser). An ID token refresh thus isn't equivalent to or a substitute for a "prompt=none" OpenID authentication request.
Public clients registered for OAuth 2.0 mutual TLS (RFC 8705) and the OAuth 2.0 refresh token grant will receive refresh tokens that are client X.509 certificate bound.
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/oidcProvider.properties
- op.authz.feedSubjectSessionClaimsIntoIDToken -- No longer a required configuration property, receives a default value of true.
/WEB-INF/authzStore.properties
authzStore.refreshToken.defaultRotate -- New optional configuration property for the default refresh token rotation setting. Can be overridden by individual authorisations. The default value is false (no rotation).
authzStore.refreshToken.alwaysUpdate -- Deprecated, use "authzStore.refreshToken.defaultRotate" instead.
/WEB-INF/infinispan-*.xml
Upgrades the XML schema to Infinispan 14.0.
Replaces the Infinispan "op.clientRegTokenMap" with a new generic "authzStore.expendedTokenMap" capable of storing keys for expended tokens that are rotated self-contained (JWT-encoded) refresh tokens, client registration tokens, client_secret_jwt and private_key_jwt tokens, DPoP tokens and other one-time-use objects.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alterations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id server is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Web API
/token
Supports issue of rotated self-contained (JWT-encoded) refresh tokens.
Supports ID token refresh. Requires the refresh token authorisation to explicitly allow ID token refresh and the subject (end-user) session bound to the refresh token to be still present (not closed or expired), else an ID token will not be included in the token response.
The expiration of the refreshed ID token will be set according to the globally configured "op.idToken.defaultLifetime". An ID token lifetime supplied to the consent object (with "id_token.lifetime") will not be replicated in refreshed ID tokens.
The "max_age" OpenID authentication request parameter will trigger inclusion of the "auth_time" claim only in the ID token issued in the direct response to it, not in refreshed ID tokens. For an OpenID relying party to receive the "auth_time" claim in refreshed ID tokens, the client must be registered with the "require_auth_time" metadata parameter.
The refreshed ID token will include all consented claims as well as any claims found in the subject session "claims" field (unless the "op.authz.feedSubjectSessionClaimsIntoIDToken" configuration property prevents this). Preset ID token claims supplied to the consent object (with "preset_claims.id_token") will not be replicated in refreshed ID tokens.
/authz-sessions/rest/v3/
Adds an optional "refresh_token.rotate" parameter of type boolean to the consent object. Sets the refresh token rotation for the current authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/direct-authz/rest/v2/
Adds an optional "refresh_token.rotate" parameter of type boolean to the request object. Sets the refresh token rotation for the individual authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/authz-store/rest/v3/
New "rtr" authorisation field of type boolean for the refresh token rotate setting. The default value is false.
New "idr" authorisation field of type boolean for the allow ID token refresh setting. The default value is false.
/monitor/v1/metrics
Adds new "authzStore.numExpendedTokenEntries" gauge.
Removes the "clientStore.numCachedExpendedTokens" gauge (replaced by the new "authzStore.numExpendedTokenEntries" gauge).
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.53
The RefreshTokenSpec class receives a new optional rotation setting. If empty the default Connect2id server refresh token rotation policy will apply.
The IDToken spec class receives a new optional allow refresh setting. The default setting is no ID token refresh allowed.
The PasswordGrantHandler SPI can set a refresh token rotation preference.
The TokenExchangeGrantHandler SPI can set a refresh token rotation preference.
Resolved issues
The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
Retrieving an authorisation record by refresh token must echo the submitted refresh token value in the returned record instead of recreating it from the persisted "rts" field (issue authz-store/203).
Authorisation updates must always return a refresh token in the current format, not the legacy format (issue authz-store/204).
The direct authorisation endpoint must always return a refresh token in the current, not the legacy format (issue server/837).
Store retrieval of identifier-based access tokens must recreate the local subject when the subject type is pairwise (issue authz-store/201).
Removes redundant persistence of registration_client_uri, recreates it dynamically from the OP / AS issuer URL and the client_id (issue server/512).
The "cnf" column of the "id_access_tokens" SQL table must be increased from 100 to 150 VARCHAR for H2 and MS SQL Server to accommodate token authorisations that use both an x5t#S256 and a jkt binding (issue authz-store/206).
Adds missing DynamoDB persistence of the "cld" (claims data) authorisation record field (issue authz-store/210).
Automatic revocation of all authorisations on replay of a rotated refresh token (issue authz-store/212).
Persist only the subject session ID key in pending authorisation code entries (omitting the appended HMAC), to prevent exploitation of session IDs in case of unauthorised access to the backend database or a database record leak (issue server/863).
Fixes NPE in DirectAuthorizationRequest.getResolvedClaims (issue server/867).
Consented non-requested OpenID claims should not be included in the saved claims field ("scs") of authorisations and authorisation records (issue server/868).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.53
Upgrades to com.nimbusds:oauth2-oidc-sdk:10.9
Updates to com.nimbusds:c2id-server-property-source:1.1.1
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:23.0
Updates to com.nimbusds:oidc-session-store:16.4
Updates to com.nimbusds:software-statement-verifier:2.2.5
Upgrades to com.nimbusds:common:2.52
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to Infinispan 14.0.7.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Updates to com.thetransactioncompany:pretty-json:1.5
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0
Connect2id server 13.7.4
This release of the Connect2id server fixes a bug that caused incorrect encoding of the state parameter in post-logout redirect URIs.
Deployments that implement an OpenID provider logout endpoint are encouraged to update. Details are available in the release notes below.
This week we also released a preview of the upcoming Connect2id server 14.0.
Download 13.7.4
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 13.7.4: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: 97442463a2d50000eb41478ee285dbe78ddf959d5e1f0d35868771fa6896be3b
Connect2id server 13.7.4 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: f94347483b3d04f06bbd1d38bba57aa23d6b6b4ddcb39708fec90e4933b2b7b8
Multi-tenant edition
Apache Tomcat package with Connect2id server 13.7.4: Connect2id-server-mt.zip
GPG signature: Connect2id-server-mt.zip.asc
SHA-256: 95a547da885cbcd33ae5468ce928502bec4572fa5ab45771f7e48e8bdc30a349
Connect2id server 13.7.4 WAR package: c2id-mt.war
GPG signature: c2id-mt.war.asc
SHA-256: 48c63e817000d8f9116e1b532e547998a9a4708e71e1fb1d7564cc10f34a159a
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
13.7.4 (2023-05-09)
Resolved issues
- The /logout-sessions/rest/v1 API must URL-encode the state parameter in the final post-logout redirection URI (issue server/873).
Dependency changes
- Updates to com.nimbusds:software-statement-verifier:2.2.4
Connect2id server 14.0 RC6 with new refresh token settings, optional ID token refresh and Oracle database support
This is a stable snapshot of the upcoming Connect2id server 14.0. The final release will include more features and changes.
New refresh token settings
Self-contained (JWT-encoded) refresh tokens that link to transient (non-persisted) authorisations can now also be optionally rotated. Previously the rotation was possible only for refresh tokens linked to a long-lived (persisted) authorisation. The rotation is intended as a poor-man's protection for public OAuth 2.0 clients against replay of a leaked refresh token. The more secure and robust in case of slow / poor networks method to prevent replay is for public clients to use sender-constrained refresh tokens, by means of mTLS or DPoP.
The refresh token rotation can now be set on an individual authorisation basis, by setting the optional refresh_token.rotate parameter in the consent of authorisation sessions.
Example consent setting refresh token rotation:
{
"scope" : [ "openid", "email" ],
"claims" : [ "email", "email_verified" ],
"refresh_token" : { "rotate" : true }
}
The direct authorisation endpoint and the token exchange and password grant handlers also support the new rotation parameter.
If the refresh_token.rotate parameter for a given authorisation isn't set, a default policy will be applied, according to the new authzStore.refreshToken.defaultRotate configuration property.
The global authzStore.refreshToken.alwaysUpdate (always rotate) configuration property is deprecated and should no longer be used. Instead, set the authzStore.refreshToken.defaultRotate configuration property and override it for specific clients or authorisations.
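The following Python model is an added illustration of how the per-authorisation rotate setting, the default policy and the expended token map fit together at a token endpoint; it is not Connect2id server code. The "rtr" field, the fallback to authzStore.refreshToken.defaultRotate, the expended token map and the revoke-on-replay behaviour (issue authz-store/212 in the release notes) come from this page; the store layout, token format, function names and the scope of the revocation (all authorisations of the same subject and client) are assumptions.

```python
"""Model of per-authorisation refresh token rotation with replay detection.

Added illustration, not Connect2id server code. The "rtr" field, the
"authzStore.refreshToken.defaultRotate" fallback, the expended token map and
the revoke-on-replay behaviour are taken from the release notes; the store
layout, token format, function names and the scope of the revocation
(all authorisations of the same subject and client) are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Authorisation:
    authz_id: str
    sub: str
    client_id: str
    scope: List[str]
    rtr: Optional[bool] = None   # per-authorisation rotate setting; None -> default policy
    revoked: bool = False


class AuthzStore:
    def __init__(self, default_rotate: bool = False):
        # default_rotate stands in for authzStore.refreshToken.defaultRotate
        self.default_rotate = default_rotate
        self.authzs: Dict[str, Authorisation] = {}
        self.live: Dict[str, str] = {}       # sha256(token) -> authz_id for live tokens
        self.expended: Dict[str, str] = {}   # sha256(token) -> authz_id, models authzStore.expendedTokenMap

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is kept server-side, never the token itself
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, authz: Authorisation) -> str:
        """Store the authorisation and return a fresh refresh token."""
        self.authzs[authz.authz_id] = authz
        token = secrets.token_urlsafe(32)
        self.live[self._key(token)] = authz.authz_id
        return token

    def rotates(self, authz: Authorisation) -> bool:
        """Effective rotation policy: the per-authorisation "rtr" overrides the default."""
        return self.default_rotate if authz.rtr is None else authz.rtr

    def _revoke_all_for(self, victim: Authorisation) -> None:
        # Assumed scope: every authorisation of the same subject and client
        for a in self.authzs.values():
            if a.sub == victim.sub and a.client_id == victim.client_id:
                a.revoked = True
        self.live = {k: v for k, v in self.live.items() if not self.authzs[v].revoked}

    def redeem(self, token: str) -> Tuple[Authorisation, Optional[str]]:
        """Handle a refresh token grant.

        Returns the authorisation and the rotated refresh token (None when the
        policy does not rotate). Raises PermissionError for an invalid grant.
        """
        key = self._key(token)
        if key in self.expended:
            # A rotated-out token was presented again: treat it as a leaked
            # token being replayed and revoke the related authorisations
            self._revoke_all_for(self.authzs[self.expended[key]])
            raise PermissionError("invalid_grant: replay of rotated refresh token")
        authz_id = self.live.get(key)
        if authz_id is None:
            raise PermissionError("invalid_grant: unknown or revoked refresh token")
        authz = self.authzs[authz_id]
        if not self.rotates(authz):
            return authz, None
        # Rotate: retire the presented token and hand out a new one
        del self.live[key]
        self.expended[key] = authz_id
        new_token = secrets.token_urlsafe(32)
        self.live[self._key(new_token)] = authz_id
        return authz, new_token


def demo() -> dict:
    """Walk through rotation, fallback to the default policy and a replay."""
    store = AuthzStore(default_rotate=False)
    a1 = Authorisation("a1", "alice", "app", ["openid"], rtr=True)   # rotates
    a2 = Authorisation("a2", "alice", "app", ["email"])              # default: no rotation
    t1, t2 = store.issue(a1), store.issue(a2)
    _, t1_new = store.redeem(t1)
    _, t2_new = store.redeem(t2)
    outcome = {"rotated": t1_new is not None and t1_new != t1, "not_rotated": t2_new is None}
    try:
        store.redeem(t1)            # replay of the rotated-out token
        outcome["replay"] = "accepted"
    except PermissionError:
        outcome["replay"] = "rejected"
    outcome["a1_revoked"], outcome["a2_revoked"] = a1.revoked, a2.revoked
    try:
        store.redeem(t1_new)        # the successor token is dead as well
        outcome["successor"] = "accepted"
    except PermissionError:
        outcome["successor"] = "rejected"
    return outcome
```

The point worth noticing is that rotation only helps if the server remembers which tokens it has retired: without the expended map a replay of the old token would simply look like an unknown token, and the leak would go undetected.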
ID token refresh
ID token refresh can be allowed on an individual authorisation basis, by setting the optional id_token.refresh parameter in the consent of authorisation sessions.
Example consent allowing ID token refresh:
{
"scope" : [ "openid" ],
"id_token" : { "allow_refresh" : true }
}
As long as the OpenID provider session where the user login took place remains present, the token endpoint will return a new ID token in response to the refresh token. When the session is closed or expires, issuance of ID tokens will cease (an access token will still be returned).
The ID token refresh can thus be used by authorised relying parties to perform a back-channel check whether the user still has a session with the Connect2id server.
Note that the ID token refresh does not guarantee the end-user is actually present and properly authenticated, due to the back-channel nature of the token request. The standard prompt=none OpenID authentication request is intended for this purpose, as it's done via the front-channel (the browser) and cannot be triggered without an end-user interaction.
Infinispan upgrade
The underlying Infinispan layer received a sweeping upgrade from v9.4.x to v14.0.x, while retaining the existing stateless, stateless + Redis and replication Connect2id server clustering modes.
Oracle database support
The Oracle database is now supported, alongside the MySQL, PostgreSQL and Microsoft SQL Server relational databases.
Support for persistence to LDAP is removed
In v14.0 persisting Connect2id server data to an LDAP server will no longer be supported. Connect2id server deployments with an LDAP backend database have the choice to migrate to a supported SQL RDBMS or to AWS DynamoDB.
Bug fixes, optimisations
The code base received several bug fixes. The data persistence layer was optimised, which may result in CPU and storage bill savings in large deployments.
More information can be found in the release notes below.
Download 14.0-rc.6
For the signature validation: Public GPG key
Standard Connect2id server edition
Apache Tomcat package with Connect2id server 14.0-rc.6: Connect2id-server.zip
GPG signature: Connect2id-server.zip.asc
SHA-256: b44819da65977c4e66ec78d8166c5d55f6f87acd60fb066674ed26abcd6f03e7
Connect2id server 14.0-rc.6 WAR package: c2id.war
GPG signature: c2id.war.asc
SHA-256: 64c8f713b0101079eae9ccedfb3a273406f97adcf787c6999636dbcacc34ad37
Questions?
If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.
Release notes
14.0 (2023-05-06)
Summary
Support for refresh token rotation that can be set on an individual authorisation basis, overriding the global Connect2id server configuration.
Self-contained (JWT-encoded) refresh tokens, which are linked to transient / non-persisted ("long_lived":false) authorisations, also receive the ability to be rotated.
In previous Connect2id server versions refresh token rotation could only be set globally and apply only to identifier-based refresh tokens, which are linked to long-lived / persisted ("long_lived":true) authorisations.
Support for ID token refresh at the token endpoint, set on an individual authorisation basis. The token response will include a new ID token provided the refresh token authorisation allows such refresh and the subject (end-user) session bound to the refresh token is still present. If the session was closed or expired no ID token will be included in the token response.
An authorised OpenID relying party may use the ID token refresh to do a back-channel check whether the end-user session with the OpenID provider still exists (i.e. that the session wasn't closed or expired). OpenID relying parties should use the standard "prompt=none" OpenID authentication request to ensure the end-user is actively present and properly authenticated, since this method involves the front-channel (the browser). An ID token refresh thus isn't equivalent to or a substitute for a "prompt=none" OpenID authentication request.
Public clients registered for OAuth 2.0 mutual TLS (RFC 8705) and the OAuth 2.0 refresh token grant will receive refresh tokens that are client X.509 certificate bound.
Upgrades to Infinispan 14.0.
Adds Oracle 12c r1+ Database support.
Removes LDAP backend database support as part of the Infinispan 14.0 upgrade. Connect2id server deployments with an LDAP backend database can migrate to a supported SQL RDBMS or to AWS DynamoDB.
Configuration
/WEB-INF/oidcProvider.properties
- op.authz.feedSubjectSessionClaimsIntoIDToken -- No longer a required configuration property, receives a default value of true.
/WEB-INF/authzStore.properties
- authzStore.refreshToken.defaultRotate -- New optional configuration property for the default refresh token rotation setting. Can be overridden by individual authorisations. The default value is false (no rotation).
- authzStore.refreshToken.alwaysUpdate -- Deprecated, use "authzStore.refreshToken.defaultRotate" instead.
/WEB-INF/infinispan-*.xml
- Upgrades the XML schema to Infinispan 14.0.
- Replaces the Infinispan "op.clientRegTokenMap" with a new generic "authzStore.expendedTokenMap" capable of storing keys for expended tokens that are rotated self-contained (JWT-encoded) refresh tokens, client registration tokens, client_secret_jwt and private_key_jwt tokens, DPoP tokens and other one-time-use objects.
/WEB-INF/infinispan-stateless-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-stateless-redis-oracle.xml
- New Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-replication-oracle.xml
- New Infinispan configuration for replication clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database.
/WEB-INF/infinispan-multitenant-stateless-redis-oracle.xml
- New multi-tenant Infinispan configuration for stateless clustering and an Oracle database and Redis for caching and storage of short-lived objects.
/WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|oracle|h2}.xml
- New optional "dataSource.createTableIfMissing" Java system property. When "true" (the default value) the Connect2id server will automatically create the required SQL tables on startup. It will also perform automatic table alterations where necessary in new major releases. When "false" the database administrator must create or alter the tables manually before server startup.
- New optional "dataSource.maxPoolSize" Java system property. Controls the maximum size the SQL connection pool is allowed to reach, including both idle and in-use connections. The default size is 5.
/WEB-INF/infinispan-*-ldap.xml
- The LDAP backend database XML configurations are removed and no longer supported.
/WEB-INF/sql
- New directory containing the required SQL statements for manual table creation, to be used when the Connect2id server is configured to disable automatic table creation (if missing) on server startup (with dataSource.createTableIfMissing=false).
Web API
/token
Supports issue of rotated self-contained (JWT-encoded) refresh tokens.
Supports ID token refresh. Requires the refresh token authorisation to explicitly allow ID token refresh and the subject (end-user) session bound to the refresh token to be still present (not closed or expired), else an ID token will not be included in the token response.
The expiration of the refreshed ID token will be set according to the globally configured "op.idToken.defaultLifetime". An ID token lifetime supplied to the consent object (with "id_token.lifetime") will not be replicated in refreshed ID tokens.
The "max_age" OpenID authentication request parameter will trigger inclusion of the "auth_time" claim only in the ID token issued in the direct response to it, not in refreshed ID tokens. For an OpenID relying party to receive the "auth_time" claim in refreshed ID tokens it must be registered with the "require_auth_time" client metadata parameter.
The refreshed ID token will include all consented claims as well as any claims found in the subject session "claims" field (unless the "op.authz.feedSubjectSessionClaimsIntoIDToken" configuration property prevents this). Preset ID token claims supplied to the consent object (with "preset_claims.id_token") will not be replicated in refreshed ID tokens.
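The following Python model is an added illustration of the token endpoint's ID token refresh decision described in the "ID token refresh" section above and in the /token entries just listed; it is not Connect2id server code. The "idr" setting, the session-presence check, the use of op.idToken.defaultLifetime, the "require_auth_time" rule, the non-replication of "id_token.lifetime" and "preset_claims.id_token", and the feed-in of subject session claims come from this page; the session store shape, the claim values, the concrete lifetime value, the issuer URL and the function names are assumptions, and the ID token is returned as an unsigned claims dict rather than a signed JWT.

```python
"""Model of the token endpoint's ID token refresh decision.

Added illustration, not Connect2id server code. The "idr" setting, the
"op.idToken.defaultLifetime" rule, the "require_auth_time" rule, the
non-replication of "id_token.lifetime" and "preset_claims.id_token", and the
session "claims" feed-in are taken from the release notes; the session store
shape, the claim values, the lifetime value, the issuer and the function names
are assumptions, and the ID token is returned as an unsigned claims dict.
"""
import dataclasses
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ISSUER = "https://op.example.com"    # assumed issuer URL
ID_TOKEN_DEFAULT_LIFETIME = 900      # stands in for op.idToken.defaultLifetime (seconds); assumed value
FEED_SESSION_CLAIMS = True           # stands in for op.authz.feedSubjectSessionClaimsIntoIDToken


@dataclass
class SubjectSession:
    sid: str
    sub: str
    auth_time: int
    expires_at: int
    claims: Dict[str, object] = field(default_factory=dict)
    closed: bool = False

    def present(self, now: int) -> bool:
        # "Present" means neither closed by logout nor expired
        return not self.closed and now < self.expires_at


@dataclass
class Authorisation:
    sub: str
    client_id: str
    scope: List[str]
    sid: str                                   # subject session bound to the refresh token
    consented_claims: Dict[str, object]
    idr: bool = False                          # allow ID token refresh; default false
    id_token_lifetime: Optional[int] = None    # consent "id_token.lifetime": not replicated
    preset_id_token_claims: Dict[str, object] = field(default_factory=dict)  # "preset_claims.id_token": not replicated


@dataclass
class Client:
    client_id: str
    require_auth_time: bool = False            # client metadata parameter


def build_refreshed_id_token(authz: Authorisation, client: Client, session: SubjectSession, now: int) -> dict:
    claims = {
        "iss": ISSUER, "sub": authz.sub, "aud": authz.client_id,
        "iat": now, "exp": now + ID_TOKEN_DEFAULT_LIFETIME,   # global default, not authz.id_token_lifetime
    }
    claims.update(authz.consented_claims)                     # preset ID token claims are deliberately left out
    if FEED_SESSION_CLAIMS:
        claims.update(session.claims)
    if client.require_auth_time:                              # "max_age" alone does not carry over
        claims["auth_time"] = session.auth_time
    return claims


def refresh_token_response(authz: Authorisation, client: Client, sessions: Dict[str, SubjectSession], now: int) -> dict:
    """Build the token response for a valid refresh token grant."""
    response = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
    if "openid" not in authz.scope or not authz.idr:
        return response
    session = sessions.get(authz.sid)
    if session is None or not session.present(now):
        return response          # session closed or expired: access token only
    response["id_token"] = build_refreshed_id_token(authz, client, session, now)
    return response


def demo() -> dict:
    """Constructed scenario: one logged-in subject, four refresh grants."""
    now = 1_700_000_000
    sessions = {"s1": SubjectSession("s1", "alice", auth_time=now - 600, expires_at=now + 3600,
                                     claims={"email": "alice@example.com"})}
    authz = Authorisation("alice", "rp", ["openid", "email"], "s1", {"email_verified": True},
                          idr=True, id_token_lifetime=60, preset_id_token_claims={"tier": "gold"})
    rp = Client("rp")
    allowed = refresh_token_response(authz, rp, sessions, now)
    with_auth_time = refresh_token_response(authz, Client("rp", require_auth_time=True), sessions, now)
    not_allowed = refresh_token_response(dataclasses.replace(authz, idr=False), rp, sessions, now)
    sessions["s1"].closed = True                                # the user logs out
    after_logout = refresh_token_response(authz, rp, sessions, now)
    return {"allowed": allowed, "auth_time": with_auth_time, "not_allowed": not_allowed, "after_logout": after_logout}
```

A relying party polling this way learns only whether the session still exists; as the page notes, the absence of an ID token after logout is the signal, while its presence says nothing about the user being at the keyboard.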
/authz-sessions/rest/v3/
Adds an optional "refresh_token.rotate" parameter of type boolean to the consent object. Sets the refresh token rotation for the current authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/direct-authz/rest/v2/
Adds an optional "refresh_token.rotate" parameter of type boolean to the request object. Sets the refresh token rotation for the individual authorisation. When omitted the "authzStore.refreshToken.defaultRotate" configuration will apply.
Adds an optional "id_token.refresh" parameter of type boolean to the consent object. Allows an OpenID relying party to receive a new ID token at the token endpoint in exchange for a valid refresh token, with the subject session bound to the refresh token still being present.
/authz-store/rest/v3/
New "rtr" authorisation field of type boolean for the refresh token rotate setting. The default value is false.
New "idr" authorisation field of type boolean for the allow ID token refresh setting. The default value is false.
/monitor/v1/metrics
Adds new "authzStore.numExpendedTokenEntries" gauge.
Removes the "clientStore.numCachedExpendedTokens" gauge (replaced by the new "authzStore.numExpendedTokenEntries" gauge).
SPI
Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.53
The RefreshTokenSpec class receives a new optional rotation setting. If empty the default Connect2id server refresh token rotation policy will apply.
The IDToken spec class receives a new optional allow refresh setting. The default setting is no ID token refresh allowed.
The PasswordGrantHandler SPI can set a refresh token rotation preference.
The TokenExchangeGrantHandler SPI can set a refresh token rotation preference.
Resolved issues
The SQL store must not set the client "application_type" to the default value "web" on record retrieval (issue server/838).
The Microsoft SQL Server id_access_tokens table column cnf must be VARCHAR (100), not NVARCHAR(100) (issue authz-store/199).
Retrieving an authorisation record by refresh token must echo the submitted refresh token value in the returned record instead of recreating it from the persisted "rts" field (issue authz-store/203).
Authorisation updates must always return a refresh token in the current format, not the legacy format (issue authz-store/204).
The direct authorisation endpoint must always return a refresh token in the current, not the legacy format (issue server/837).
Store retrieval of identifier-based access tokens must recreate the local subject when the subject type is pairwise (issue authz-store/201).
Removes redundant persistence of registration_client_uri, recreates it dynamically from the OP / AS issuer URL and the client_id (issue server/512).
The "cnf" column of the "id_access_tokens" SQL table must be increased from 100 to 150 VARCHAR for H2 and MS SQL Server to accommodate token authorisations that use both an x5t#S256 and a jkt binding (issue authz-store/206).
Adds missing DynamoDB persistence of the "cld" (claims data) authorisation record field (issue authz-store/210).
Automatic revocation of all authorisations on replay of a rotated refresh token (issue authz-store/212).
Persist only the subject session ID key in pending authorisation code entries (omitting the appended HMAC), to prevent exploitation of session IDs in case of unauthorised access to the backend database or a database record leak (issue server/863).
Fixes NPE in DirectAuthorizationRequest.getResolvedClaims (issue server/867).
Consented non-requested OpenID claims should not be included in the saved claims field ("scs") of authorisations and authorisation records (issue server/868).
Dependency changes
Upgrades to com.nimbusds:c2id-server-sdk:4.53
Upgrades to com.nimbusds:oauth2-oidc-sdk:10.9
Updates to com.nimbusds:c2id-server-property-source:1.1.1
Updates to com.nimbusds:tenant-manager:7.4.1
Updates to com.nimbusds:tenant-registry:8.2
Updates to com.nimbusds:oauth2-authz-store:23.0
Updates to com.nimbusds:oidc-session-store:16.4
Updates to com.nimbusds:software-statement-verifier:2.2.3
Upgrades to com.nimbusds:common:2.52
Upgrades to com.nimbusds:infinispan-cachestore-common:3.1
Upgrades to Infinispan 14.0.7.Final
Upgrades to com.nimbusds:infinispan-cachestore-sql:7.0.2
Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:5.0.1
Upgrades to com.nimbusds:infinispan-cachestore-redis:10.0.1
Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.6
Adds com.oracle.database.jdbc:ojdbc11:21.8.0.0