Connect2id server 13.0

This release of the Connect2id server for OpenID provision and OAuth 2.0 authorisation focuses on PKCE and issuer (domain) aliasing. It is given a new major number for two reasons: the database schema receives an update, and deployments that have an embedded H2 database for persisting server data are switched to a new, backwards-incompatible version of H2.

Per-client PKCE policy support

The Proof Key for Code Exchange by OAuth Public Clients (PKCE) is a security extension originally devised to prevent code injection attacks on clients that cannot authenticate at the token endpoint. It was later found to be useful against other attack vectors and thus became mandatory in OAuth 2.1.

This release of the Connect2id server introduces the new code_challenge_method metadata field to require a client to use PKCE. If the client makes an authorisation request without a code_challenge, or with a method other than the registered one, the Connect2id server will return an invalid_request error with an explanation of which PKCE method is expected.

Note, the global op.authz.requiredPKCE configuration property, which applies to all clients, will always override the individual PKCE setting.

Example registration request where the client is required to use the recommended S256 code challenge method:

POST /clients HTTP/1.1
Host: demo.c2id.com
Content-Type: application/json
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "redirect_uris"         : [ "https://client.example.org/callback" ],
  "code_challenge_method" : "S256"
}

The client registration howto is updated with this and other useful examples.
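The following is an added example, not Connect2id code, showing how the per-client PKCE policy described above plays out end to end: the S256 challenge computation from RFC 7636, the authorisation endpoint rejecting a request whose code_challenge_method does not match the client's registered value, and the token endpoint verifying code_verifier and consuming the code on any failure (the single-use behaviour the release notes below describe). CLIENTS, ISSUED_CODES and GLOBAL_REQUIRED_PKCE are constructed in-memory stand-ins for the server's client store, code store and the op.authz.requiredPKCE property.

```python
import base64
import hashlib
import secrets

# Constructed client registrations standing in for the server's client store.
# code_challenge_method mirrors the new client metadata field described above;
# None means the client has no per-client PKCE requirement.
CLIENTS = {
    "s256-client": {"code_challenge_method": "S256",
                    "redirect_uris": ["https://client.example.org/callback"]},
    "legacy-client": {"code_challenge_method": None,
                      "redirect_uris": ["https://legacy.example.org/cb"]},
}

# Hypothetical stand-in for the global op.authz.requiredPKCE property: when set,
# it overrides every client's individual code_challenge_method setting.
GLOBAL_REQUIRED_PKCE = None

# Constructed store of issued authorisation codes: code -> record
ISSUED_CODES = {}


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def required_method(client_id: str):
    # The global setting always wins over the per-client metadata
    if GLOBAL_REQUIRED_PKCE is not None:
        return GLOBAL_REQUIRED_PKCE
    return CLIENTS[client_id]["code_challenge_method"]


def authorize(client_id, redirect_uri, code_challenge=None, code_challenge_method=None):
    """Authorisation endpoint policy check: returns ("code", code) or ("error", body)."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return "error", {"error": "invalid_request",
                         "error_description": "Invalid client_id or redirect_uri"}
    required = required_method(client_id)
    if required is not None and (code_challenge is None or code_challenge_method != required):
        return "error", {"error": "invalid_request",
                         "error_description": f"PKCE code challenge with method {required} is required"}
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "code_challenge": code_challenge, "method": code_challenge_method}
    return "code", code


def token(code, client_id, redirect_uri, code_verifier=None):
    """Token endpoint: the code is popped first, so it is consumed on any failure."""
    record = ISSUED_CODES.pop(code, None)
    if record is None:
        return 400, {"error": "invalid_grant"}
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return 400, {"error": "invalid_grant"}
    if record["code_challenge"] is None:
        if code_verifier is not None:  # unexpected verifier for a code issued without PKCE
            return 400, {"error": "invalid_grant"}
    else:
        if code_verifier is None:  # missing verifier
            return 400, {"error": "invalid_grant"}
        expected = s256_challenge(code_verifier) if record["method"] == "S256" else code_verifier
        if not secrets.compare_digest(expected.encode("utf-8"), record["code_challenge"].encode("utf-8")):
            return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

Because the code is removed from the store before any check runs, a failed token request (wrong client, wrong redirect_uri or wrong verifier) cannot be retried with corrected parameters; the client has to start a new authorisation flow.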

OpenID provider issuer (domain) aliases

Connect2id server 12.3 introduced the concept of issuer aliases, for scenarios where an OpenID provider / OAuth 2.0 server can be known by multiple issuer URLs. This can also be useful to migrate an identity provider seamlessly and over time from one issuer URL to another.

This release upgrades the issuer alias model by adding a new mode suitable for light multitenancy: it isolates the OAuth flows, grants and tokens between issuer aliases while keeping the client registrations and end-user sessions shared.

The issuer aliases guide has a thorough explanation of how to configure and operate such a deployment. The guide also lists the limitations of issuer aliases and when the multitenant edition of the Connect2id server is appropriate.

Client registration entity size limit

The Connect2id server limits the size of client metadata in registration requests to 250K chars, to prevent DoS attacks.

This limit can now be adjusted if needed via the op.reg.httpMaxRequestSize Java system property.

Example:

op.reg.httpMaxRequestSize=100000

Database schema

The introduction of the new code_challenge_method client metadata parameter will necessitate a change to the database schema of Connect2id server deployments that use an SQL store (MySQL, PostgreSQL, SQL Server or H2) or an LDAP store (such as OpenLDAP).

If you have an SQL database, on startup the Connect2id server will automatically add the new code_challenge_method column to the clients table.

If you have an LDAP store, this will require a manual schema upgrade, explained in the release notes below.

If you have a DynamoDB store, which is schema-less, there is nothing to do.

SQL connector and driver updates

The connector for SQL stores, including jOOQ, the connection pool library and some of the JDBC drivers were also upgraded.

H2 database

Support for the H2 SQL database was upgraded from v1.x to 2.x. The new version of the database received changes to the SQL data types and the underlying file format. This means that data stored in H2 v1.x is not compatible and cannot be read by the new v2.x. If you have a Connect2id server deployment with the embedded H2 database and need to migrate the server data check out the data migration guide.

Redis

Connect2id server deployments with Redis for storing short-lived and cached data can now easily configure a password to access the Redis server with the new redisMapPassword and redisCachePassword system properties.

For more information on what's new or changed, check the release notes below.

Download 13.0

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 13.0: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 02c72ef9d3ef9c35db9189b8984fb67abfe7f844ceccf854a7f71e383c3906f0

Connect2id server 13.0 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 95280957fed80e6bf827668bffc5afafeb63cc49904d6a2d6ea14ec7ab432017

Multi-tenant edition

Apache Tomcat package with Connect2id server 13.0: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 3c61225f1f3dccdc7e69c932d53adc46b60ec4abd971f8234069f4980aa60dc3

Connect2id server 13.0 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 2c75c97dcdd6e6098a7a2b7ee7f3e35b91c0e39f9b5260b30ecebf197a08f92b

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

13.0 (2022-11-30)

Summary

  • Individual clients can be registered to require use of Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) by means of the code_challenge_method client metadata.

  • Upgrades the OpenID provider / OAuth 2.0 authorisation server issuer alias model.

    Issuer aliasing was introduced in v12.3 (2021-09-17) to enable a Connect2id server deployment to migrate seamlessly and over time from one issuer identifier URL to another. Issuer aliases can also be used when an OpenID provider / OAuth 2.0 authorisation server is known by multiple URLs.

    This release introduces two differentiated issuer alias modes (configurable by op.issuerAliasMode):

    • MIGRATION -- Intended to facilitate issuer URL migration or deployments where the OpenID provider is known by multiple URLs. This is the default mode and how the Connect2id server previously behaved with enabled issuer aliases.

    • PERSISTED_GRANT_ISOLATION -- Enforces complete OAuth 2.0 grant isolation between issuer aliases. Has the effect of disabling long-lived (persisted) consent, forcing issue of self-contained (stateless) refresh tokens only, and blocking the use of any previously issued identifier-based refresh tokens. This mode is intended for deployments that for some reason choose not to operate a multi-tenant Connect2id server, where the OpenID providers / OAuth 2.0 authorisation servers are completely isolated.

    For security reasons both issuer alias modes will now behave as follows:

    • Prevent switching of the issuer URL during an OAuth authorisation code, implicit or hybrid flow (which may involve the PAR endpoint).

    • Prevent switching of the issuer URL in the authorisation session API at the user authentication or consent step.

    • The token introspection endpoint will mark any token issued under a different alias as invalid and the scope to access the endpoint must also be set to the current issuer URL.

    • The UserInfo endpoint will reject access tokens issued under a different alias.

    Note, in the MIGRATION issuer alias mode refresh tokens which are tied to long-lived (persisted) consent can be shared across all issuer aliases. The resulting access tokens however will be issued and remain valid for the current issuer alias only.

    Finally, the issuer aliasing was updated to enable dynamic addition and removal of issuer alias URLs, with no changes to the Connect2id server configuration.

  • Upgrades H2 SQL database support from v1.x to v2.x. This is a breaking change that affects the persisted H2 data format. Data stored by H2 v1.x is not compatible and cannot be read by H2 v2.x. Connect2id server deployments that use H2 to persist server data will need to perform a migration. See the Data Migration guide for more information.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.issuerAliases -- New optional configuration property for Connect2id server deployments that need to support issuer alias URLs of the OpenID provider / OAuth 2.0 authorisation server. By setting the configuration property to "*" (asterisk) the HTTP reverse proxy in front of the Connect2id server is enabled to determine the whitelisted issuer alias URLs when setting the "Issuer" security header. This can be useful in deployments where issuer aliases must be added or removed dynamically, without restarting the server (in the regular edition) or updating the OpenID provider / OAuth 2.0 authorisation server configuration via the tenants web API (in the multi-tenant edition). Previously the Connect2id server supported only a static whitelist of allowed issuer aliases.

    • op.issuerAliasMode -- New optional configuration property introducing two differentiated modes of issuer aliasing:

      • MIGRATION -- Enables seamless migration over time to a new issuer URL. This is the default mode and how the Connect2id server previously behaved with enabled issuer aliases.

      • PERSISTED_GRANT_ISOLATION -- Enforces persisted grant isolation between issuer aliases: disables long-lived (persisted) consent; forces issue of self-contained (stateless) refresh tokens; blocks the use of any previously issued identifier-based refresh tokens.

    • op.reg.httpMaxRequestSize -- New optional configuration property enabling override of the size limit of the entity body of HTTP POST and PUT requests to the client registration web API. Configurable via Java system property only! The default value is 250 thousand (250000) characters.

  • /WEB-INF/infinispan-*-redis-*.xml

    • New redisMapPassword and redisCachePassword configuration properties of type string to set a password for accessing Redis. The default value is no password.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "code_challenge_method" column to the "clients" table. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new column (with an appropriate default value) on startup.

  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "oauthCodeChallengeMethod" attribute to the "oauthClientMetadata" object classes. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) must update the LDAP schema manually to version 1.19; see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.19/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-openldap.ldif?at=1.19&diff2=97f372ce82ddd94e08a3937c4169f3a190aed2b2 and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-opendj.ldif?at=1.19&diff2=97f372ce82ddd94e08a3937c4169f3a190aed2b2

Web API

  • /clients

    • Supports registration of clients with the optional custom code_challenge_method metadata field of type string and values S256 and plain to force the client to use a code challenge method (see Proof Key for Code Exchange by OAuth Public Clients, RFC 7636) at the authorisation and the pushed authorisation request (PAR) endpoints. The default value is no code challenge method.

      Note that the Connect2id server op.authz.allowedPKCE and op.authz.requiredPKCE configuration properties will always override this client metadata.

Resolved issues

  • Upgrades the security of the authorisation code grant at the token endpoint by adding an immediate code invalidation to complement the usual invalid_grant OAuth 2.0 error in the following cases: 1) mismatch between token request client_id (for a public or successfully authenticated confidential client) and the client_id associated with the issued code at the authorisation endpoint; 2) invalid or missing redirect_uri; 3) missing, invalid or unexpected code_verifier (PKCE); 4) mismatch between the code issuer and the tenant issuer at the token endpoint (issue authz-store/195).

  • Improves the data layer performance of code for token exchange at the token endpoint (issue authz-store/195).

  • Updates the token endpoint unauthorized_client error description in the case when the request is rejected because the client is not registered for the grant type (issue server/798).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:19.3

  • Updates to com.nimbusds:oidc-session-store:15.1.1

  • Upgrades to com.nimbusds:tenant-manager:7.3.1

  • Upgrades to com.nimbusds:tenant-registry:7.1

  • Updates to com.google.code.gson:gson:2.10

  • Updates to com.nimbusds:infinispan-cachestore-sql:5.0

  • Updates to com.nimbusds:infinispan-cachestore-redis:9.2.9

  • Upgrades to org.jooq.pro-java-11:jooq:3.17.4

  • Updates to com.zaxxer:HikariCP:5.0.1

  • Updates to org.postgresql:postgresql:42.5.1

  • Upgrades to com.h2database:h2:2.1.214

Connect2id server 12.18

Connect2id server deployments can now mask or rewrite selected OpenID provider metadata fields published at the /.well-known/openid-configuration endpoint, to minimise the amount of metadata, or show fewer supported endpoints and capabilities, which cannot be disabled by a simple configuration setting. This is done by creating a JSON object to act as overlay, and saving it in the new op.metadataOverlay configuration property.

Sample overlay to hide the introspection endpoint:

op.metadataOverlay={"introspection_endpoint":null}

With additional BASE64 encoding on top of the JSON text, for easier passing around via environment variables:

op.metadataOverlay=eyJpbnRyb3NwZWN0aW9uX2VuZHBvaW50IjpudWxsfQ==

Note, the overlay will not alter the internal Connect2id server configuration and the server will not check the resulting JSON object for being a legal representation of OpenID provider metadata according to the specification. One way to double check the published metadata is to run it through the parse method of the OIDCProviderMetadata class in the OAuth 2.0 / OpenID Connect SDK.
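As an added example (not Connect2id's implementation), the logic below applies an op.metadataOverlay value to published provider metadata the way the text describes: the overlay is accepted either as JSON text or as its BASE64 encoding, non-null values replace or add fields, and null values remove them. Since the server does not validate the result, the example also includes a small sanity check for the fields OpenID Connect Discovery 1.0 marks REQUIRED, as a lightweight stand-in for running the output through the SDK's OIDCProviderMetadata parse method. PUBLISHED_METADATA is a constructed sample.

```python
import base64
import binascii
import json

# Constructed sample of the metadata a provider publishes at
# /.well-known/openid-configuration (a subset of fields).
PUBLISHED_METADATA = {
    "issuer": "https://c2id.com",
    "authorization_endpoint": "https://c2id.com/login",
    "token_endpoint": "https://c2id.com/token",
    "introspection_endpoint": "https://c2id.com/token/introspect",
    "revocation_endpoint": "https://c2id.com/token/revoke",
    "jwks_uri": "https://c2id.com/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile"],
}

# Fields OpenID Connect Discovery 1.0 (section 3) marks REQUIRED; used below as a
# lightweight sanity check in place of the SDK's OIDCProviderMetadata.parse.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "jwks_uri",
                   "response_types_supported", "subject_types_supported",
                   "id_token_signing_alg_values_supported")


def parse_overlay(value: str) -> dict:
    """Accept the overlay as raw JSON text or as BASE64-encoded JSON text."""
    text = value.strip()
    if not text.startswith("{"):
        # BASE64 never contains '{', so anything else is treated as encoded JSON
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("overlay is neither a JSON object nor BASE64 JSON") from exc
    overlay = json.loads(text)
    if not isinstance(overlay, dict):
        raise ValueError("overlay must be a JSON object")
    return overlay


def apply_overlay(metadata: dict, overlay: dict) -> dict:
    """Non-null overlay values replace (or add) fields; null values remove them."""
    result = dict(metadata)
    for key, value in overlay.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = value
    return result


def missing_required(metadata: dict) -> list:
    """Names of REQUIRED discovery fields that an overlay has knocked out."""
    return [name for name in REQUIRED_FIELDS if name not in metadata]


def hidden_endpoints(original: dict, published: dict) -> list:
    """Endpoint fields present in the original metadata but absent after the overlay."""
    return sorted(k for k in original if k.endswith("_endpoint") and k not in published)
```

Hiding an endpoint from the published metadata only stops well-behaved clients from discovering it; the endpoint itself still answers requests, so an overlay is a metadata-minimisation measure, not an access control.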

For more information on what's new or changed, check the release notes below.

Download 12.18

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.18: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: ab5c6afa1b83f748d60799525327824884acd5d73bb407b12aefc1d826fb8b45

Connect2id server 12.18 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 98e6d1aeebf02198b7139f782689bcf13d4b59cbd9042ec8e2911d6e72468c75

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.18: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 1ef2ae977c7e5222c1a27fae5be0d9868f80b431007105f4f80bbbda7f136f9a

Connect2id server 12.18 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: b4d4bf14ca3492a9301b9625801da3c69258589c3d7545322c4b02cfed46f92f

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.18 (2022-10-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.metadataOverlay -- New optional configuration property for a JSON object overlay to apply to the OpenID provider / OAuth 2.0 authorisation server metadata published at the ".well-known/openid-configuration" and ".well-known/oauth-authorization-server" endpoints. Non-null values in the overlay object replace existing metadata fields, null values remove them. Note, the overlay does not affect the internal Connect2id server configuration and after its application the resulting JSON object is not checked for being a legal representation of OpenID provider / OAuth 2.0 authorisation server metadata. If set the overlay must be represented as a JSON object string, and can be additionally BASE64 encoded to ease passing the configuration property from a command line shell.

Web API

  • /authz-sessions/rest/v3/

    • Pushed authorisation request (PAR) URIs will become invalidated after their use at the authorisation endpoint. Previously a PAR URI would remain valid until its expiration configured by the op.par.lifetime property.

Resolved issues

  • Logs a warning under AS0277 when revoking an authorisation by a self-contained (JWT-encoded) access token whose local (public) subject or client_id is not encoded (issue authz-store/194).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2.1

  • Updates to io.prometheus:simpleclient:0.16.0

  • Updates to io.prometheus:simpleclient_servlet:0.16.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.16.0

  • Updates to Log4j 2.19.0

Connect2id server 12.17

This September release of the Connect2id server updates the revocation web API to enable callers to conserve server and network resources. When revoking the tokens and persisted consent for a given subject (end-user) or client, the server will return all matching long-lived (persisted) authorisations that have been deleted. For a revoked client with thousands or millions of end-users this can potentially result in the streaming of megabytes of removed authorisations into the HTTP response. In such cases, or whenever the caller is not interested in which authorisations are affected or in their details, a new quiet=true query parameter can now be applied to omit the streaming and return an HTTP 204 No Content response.

Example use of the quiet=true query parameter when revoking a client with ID zaqu4ong:

POST /authz-store/rest/v3/revocation?quiet=true HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/x-www-form-urlencoded

client_id=zaqu4ong

The HTTP 204 No Content response:

Status Code: 204 No Content

The authorisation session API and the token exchange plugin received two bug fixes.

Check the release notes below for details.

Download 12.17

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 84959987d94ebca82ac9296161b63631d1fe71208250de5e01dfc682a14d5e79

Connect2id server 12.17 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: eb0cd476641f68228002d63af810fe26a83b5c1bb811ca22443691c4e8b5dd9e

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.17: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 6941ba145e5f58073aeb05f004886a8d9a509cdb20ba9fb63418945063381179

Connect2id server 12.17 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 504fe78e94d6d6f6ebd8bae647e15823336962043caa7c725346c740751d1c04

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.17 (2022-09-14)

Web API

  • /authz-store/rest/v2/revocation

    • Adds support for an optional "quiet" query parameter when posting a revocation. When set to quiet=true an HTTP 204 No Content response will be returned; if any authorisation(s) were matched by the revocation parameters and removed they will not be returned in the response body.

Resolved issues

  • The authorisation session web API must not set the "required_sub" parameter in the authentication prompt to the end-user ID when the Connect2id server is configured with alwaysPromptForAuth=true and the end-user has an active session. This resulted in an incorrect OpenID Connect login_required error if the current end-user is (re)authenticated to another subject (end-user ID) as a result of the authentication prompt. The fix corrects the behaviour so that the original session is closed and a new one with the new subject (end-user ID) is started (issue server/781).

  • The op.grantHandler.tokenExchange.webAPI.actorToken.types configuration property of the token exchange grant handler plugin must support setting of no actor token types accepted. The default value must also be none (issue grant-handlers-web/1).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2

  • Updates to com.nimbusds:oidc-session-store:14.9.2

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.3

  • Updates to com.nimbusds:tenant-manager:6.0.4

  • Updates to com.nimbusds:tenant-registry:6.0.3

  • Updates to com.google.crypto.tink:tink:1.7.0

  • Updates DropWizard to 4.2.12

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.8

  • Updates to org.postgresql:postgresql:42.5.0

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.6

  • Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.1.jre11

Connect2id server 12.16.1

This Connect2id server release fixes issues in the new token exchange plugin as well as in the re-engineered web-based password and client credentials grant handler plugins shipped in v12.16. You can find more information in the release notes below.

Download 12.16.1

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: c12801414d8023e964b6512c5b05b04f040e85d07ab1eb5da771213007171ccd

Connect2id server 12.16.1 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 791d731e66694413ea00a9f7554a77bf6c2a0177f345ff44b01529a64115d0b9

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16.1: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 0f499cbdafba4c0c48eab771670d3511f521332619c47ed899e860749b233194

Connect2id server 12.16.1 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 24ddb24b1d893d9a0d1ee606ed09eb5c256a65133aea4dcd28f95f0fbeddbcef

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.16.1 (2022-08-18)

Resolved issues

  • Fixes missing logging of the base configuration properties in the web-based token exchange grant handler (issue server/776).

  • Fixes test that erroneously removed the SPI manifests for the web-based password, client credentials and token exchange grant handlers (issue server/778).

Dependency changes

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.1

Connect2id server 12.16 ships with a new plugin for handling token exchange (RFC 8693)

This Connect2id server release ships a new plugin for the token exchange (RFC 8693) grant handler SPI introduced in v12.15 last month. The plugin follows the web hook pattern of the existing password and client credentials grant handler plugins that delegate the authorisation to a web service.

The new token exchange plugin

The job of a web service handling a token exchange grant is to determine whether the received subject_token is eligible for exchange and, if it is, return the subject, scope and other optional properties of the new access token which the Connect2id server will mint and return to the client in the token response.

A web service handling a token exchange grant can base its authorisation decisions on the following inputs:

  • The claims of the verified subject token and optional actor token (if the latter is accepted or required);

  • The requested token scope (if any) and other parameters;

  • The client ID and selected client metadata.

Example request to the grant handler service demonstrating the plugin web API:

POST /token-exchange-grant-handler HTTP/1.1
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json
Issuer: https://c2id.com

{
  "subject_token"      : "Eexungahcaetaizoh7ingait3Ur9ya1b",
  "subject_token_type" : "urn:ietf:params:oauth:token-type:access_token",
  "scope"              : [ "https://api.example.com/get-customer-address" ],
  "client"             : { "client_id"        : "123",
                           "confidential"     : true,
                           "application_type" : "web" }
}

Example response to the Connect2id server for an eligible subject token:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub"               : "164476e0-5c10-4cf0-bf75-b30fec2ba925",
  "issued_token_type" : "urn:ietf:params:oauth:token-type:access_token",
  "scope"             : [ "https://api.example.com/get-customer-address" ]
}

Example response for an invalid subject token:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error"             : "invalid_request",
  "error_description" : "Invalid subject token"
}

The token exchange plugin has a number of configurations that deployments can use to filter and pre-process the grants prior to invocation of the web service:

  • Specify the accepted subject and actor token types and reject all others with an invalid_request error.

  • Perform local or remote RFC 7662 compliant introspection of the subject token as an access token.

  • Perform signature and expiration validation of the subject token as a signed JWT.
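To make the web hook contract concrete, here is an added example of the decision logic such a grant handler service might run on the request shown above. It is not the Connect2id plugin's code or a reference implementation: INTROSPECTION is a constructed stand-in for subject token introspection, EXPECTED_ISSUERS and EXCHANGE_POLICY are hypothetical per-tenant and per-client policies, and the invalid_scope error for an over-broad scope request is the example's own choice. The function returns the status and JSON body the service would send back; on the page's sample request it yields the page's sample 200 response.

```python
# Constructed stand-in for local access token introspection (RFC 7662 style):
# token value -> introspection claims. A real handler would call the Connect2id
# server's introspection endpoint or verify a JWT subject token instead.
INTROSPECTION = {
    "Eexungahcaetaizoh7ingait3Ur9ya1b": {
        "active": True,
        "sub": "164476e0-5c10-4cf0-bf75-b30fec2ba925",
        "scope": ["https://api.example.com/get-customer-address",
                  "https://api.example.com/get-orders"],
    },
    "expired-token": {"active": False},
}

ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ACCEPTED_SUBJECT_TOKEN_TYPES = {ACCESS_TOKEN_TYPE}

# Hypothetical issuer whitelist, matched against the Issuer header the plugin
# sends, so a multi-tenant deployment can apply per-tenant policy.
EXPECTED_ISSUERS = {"https://c2id.com"}

# Hypothetical exchange policy: client_id -> downstream scope values the client
# may obtain by exchanging a subject token. Anything else is refused.
EXCHANGE_POLICY = {
    "123": {"https://api.example.com/get-customer-address"},
}


def _error(status: int, code: str, description: str):
    return status, {"error": code, "error_description": description}


def handle_token_exchange(request: dict, issuer: str):
    """Return (HTTP status, JSON body) for one grant handler request.

    A 200 body carries the sub, issued_token_type and scope of the access token
    the Connect2id server should mint; a 400 body carries an OAuth 2.0 error.
    """
    if issuer not in EXPECTED_ISSUERS:
        return _error(400, "invalid_request", "Unknown issuer")
    if request.get("subject_token_type") not in ACCEPTED_SUBJECT_TOKEN_TYPES:
        return _error(400, "invalid_request", "Unsupported subject token type")

    client = request.get("client") or {}
    allowed = EXCHANGE_POLICY.get(client.get("client_id"))
    # Only registered, confidential clients may exchange tokens under this policy
    if allowed is None or not client.get("confidential", False):
        return _error(400, "invalid_request", "Client not permitted to exchange tokens")

    claims = INTROSPECTION.get(request.get("subject_token"))
    if not claims or not claims.get("active"):
        return _error(400, "invalid_request", "Invalid subject token")

    # Down-scoping only: granted = requested ∩ subject token scope ∩ client policy
    requested = request.get("scope") or claims["scope"]
    granted = [s for s in requested if s in claims["scope"] and s in allowed]
    if not granted:
        return _error(400, "invalid_scope", "No exchangeable scope for this client")

    return 200, {"sub": claims["sub"],
                 "issued_token_type": ACCESS_TOKEN_TYPE,
                 "scope": granted}
```

The intersection in the scope step is the important design point: an exchanged token never carries more authority than the subject token it was derived from, and never more than the requesting client is entitled to, regardless of what the client asked for.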

Upgraded web-based password and client credentials grant handler plugins

The token exchange grant handler plugin, together with the other web-based plugins for the password and the client credentials grants, is now consolidated in a single JAR, whose project can be found here:

https://bitbucket.org/connect2id/grant-handlers-web/

The source code is licensed under the open source Apache 2.0 license and can be freely modified.

The web-based password and client credentials grant handlers received several upgrades:

  • The ability to handle custom token request parameters.

  • New configuration property to select which client metadata parameters to pass on in requests to the web service.

  • Requests to the web service now include the OpenID provider / OAuth 2.0 authorisation server issuer URL, to enable tenant specific handling of grants in multi-tenant Connect2id server deployments.

You can find detailed information about all changes in Connect2id server 12.16 in the notes below.

Download 12.16

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.16: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 774f2865eff2fded264155778275f9761a36ff1662f1aae6a60a63931178dd45

Connect2id server 12.16 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 54414e5b164b7de0a871c1797e0bc7d2e1f2224cb734bb6bad9526e766f89b78

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.16: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 774f2865eff2fded264155778275f9761a36ff1662f1aae6a60a63931178dd45

Connect2id server 12.16 WAR package: c2id-multi-tenant.war

GPG signature: c2id-multi-tenant.war.asc

SHA-256: 70d525f52bd16030193292e1d742a155c048b592514e87e24548619c7f6210ab

Questions?

If you have technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

12.16 (2022-08-12)

Summary

  • Adds new plugin for handling OAuth 2.0 token exchange (RFC 8693) grants that passes processing of the grant authorisation to an external web service (web hook). The plugin implements the TokenExchangeGrantHandler SPI introduced in Connect2id server 12.14.

    Features:

    • Supports arbitrary "subject_token" and "actor_token" types.

    • The acceptable "subject_token", "actor_token" and requested token types are configurable.

    • Optional automatic introspection of the received "subject_token" of type access token. Calls upon the internal Connect2id server introspection for access tokens that are locally issued, or one or more configured token introspection endpoints compliant with RFC 7662.

    • Optional automatic JWT verification of the received "subject_token" of type JWT, access token or ID token. The JWT signature is verified using a set of JWKs at one or more configured URLs.

    • Received "subject_token" and "actor_token" instances can also be passed in their original form for verification by the web service itself.

    • Supports passing of selected client metadata parameters to the web service, in addition to the client_id and confidential status, to be used as inputs in the authorisation decision. The "scope" and "data" client metadata fields are included by default.

    • Supports setting of HTTP connect and read timeouts, for the underlying web service, the configured token introspection endpoints and JWK set URLs.

  • Replaces the existing plugin for handling OAuth 2.0 client credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

  • Replaces the existing plugin for handling OAuth 2.0 resource owner password credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

Configuration

  • /WEB-INF/tokenExchangeGrantHandlerWebAPI.properties -- New configuration file for the new web-based token exchange grant handler, containing the default configuration properties. They can be selectively overridden with Java system properties.

  • /WEB-INF/clientGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data".

  • /WEB-INF/passwordGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data".

Web API

  • /authz-sessions/rest/v3/

    • Designates the "invalid_target" OAuth 2.0 error code, defined in RFC 8707, as a standard acceptable code to indicate an error condition during end-user authentication / consent. Deployments that use this error code are no longer required to list it in the op.authz.customErrorCodes configuration.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.51

    • Adds DefaultTokenIntrospectionResponseComposer class.

    • Adds DefaultTokenRequestParameters class.

Resolved issues

  • Updates the systemPropertiesURL configuration property to support AWS S3 URLs in the new style virtual format (issue server/773).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.51

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.41

  • Adds com.nimbusds:oauth-grant-handlers-web:1.0

  • Removes com.nimbusds:oauth-password-grant-web-api:1.5

  • Updates to com.nimbusds:oauth-client-grant-handler:2.0.3

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1.1

  • Updates to com.nimbusds:tenant-manager:6.0.3

  • Updates to com.nimbusds:tenant-registry:6.0.2

  • Updates to com.nimbusds:oauth2-authz-store:18.1.1

  • Updates to com.nimbusds:oidc-session-store:14.9.1

  • Updates to com.nimbusds:c2id-server-jwkset:1.26

  • Updates to com.nimbusds:infinispan-cachestore-common:2.4.1

  • Updates to com.nimbusds:infinispan-cachestore-ldap:3.1.3

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.7

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2.1

  • Updates to org.postgresql:postgresql:42.4.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1

  • Upgrades to com.thetransactioncompany:java-property-utils:1.17

  • Updates to com.amazonaws:aws-java-sdk-*:1.12.264

  • Updates to DropWizard Metrics 4.2.10

  • Updates to Log4j 2.18.0