Release notes

13.3 (2023-01-23)

Summary

  • Token exchange (RFC 8693) plugins can now optionally specify the issue of a refresh token and ID token (in addition to the access token) when authorising a request received via the TokenExchangeGrantHandler SPI. The plugin can also flag the authorisation as long-lived (persisted), to cause the granted scope values and other attributes to be remembered for the subject and the requesting client. This also enables control of the refresh token encoding (if issued) - persisted or stateless.

  • Resource owner password credentials grant plugins can now specify the issue of stateless (JWT-encoded) refresh tokens. Previously only persisted refresh tokens could be issued.

  • Updates the plugin for handling OAuth 2.0 grants at an external web service (web hook) to support token exchange (RFC 8693) authorisations for refresh token and ID token issue.

Web API

  • /token

    • Adds support for refresh token and ID token issue for an OAuth 2.0 token exchange grant (RFC 8693).

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.52

    • The TokenExchangeAuthorization class is updated to support optional persistence of the authorisation (with the long-lived flag), issue of a refresh token (stateless or persisted) and issue of an ID token.

    • The PasswordGrantAuthorization class is updated to support issue of a stateless refresh token when the long-lived authorisation flag is set to false. Previously only persisted refresh tokens could be issued, and only when the long-lived authorisation flag was set to true.

Resolved issues

  • The derivation of the AES key from the client_secret, for shared-key JSON Web Encryption (JWE) of ID tokens, UserInfo responses and other objects, must remove the right-most bits, not the left-most. See OpenID Connect Core 1.0 errata 2020-07-24 (issue oidc-sdk/412).

  • The clients web API GET by client_id must handle client identifiers that are OpenID Connect Federation 1.0 entity IDs (and URLs in general) seamlessly (issue server/824).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.52

  • Updates to com.nimbusds:oauth2-oidc-sdk:10.5.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.29

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.4

13.2.1 (2023-01-19)

Resolved issues

  • Updates the Woodstox Core dependency used in the SAML 2.0 assertion grant SPI, to address a potential stack overflow vulnerability in the XML DTD parse code (CVE-2022-40152). Note that the CVE has been incorrectly filed against an XStream dependency (a different project). Connect2id server deployments that don't use a SAML 2.0 assertion grant plugin for exchanging SAML 2.0 tokens for OAuth 2.0 tokens are not affected (issue server/820).

  • Streaming registered OpenID Connect Federation 1.0 clients from the federation client index must observe the tenant ID (issue server/640).

  • Fixes NPE that prevented clean up of expired OpenID Connect Federation 1.0 automatic clients (issue server/657).

Dependency changes

  • Updates to com.fasterxml.woodstox:woodstox-core:5.4.0

  • Updates Dropwizard Metrics to 4.2.15

13.2 (2023-01-12)

Summary

  • Upgrades OpenID Connect Federation 1.0 draft 25 support to publish a signed JWK set at the URL advertised in the signed_jwks_uri OpenID provider metadata found in the entity configuration.

  • Fixes two bugs affecting deployments of Connect2id server v13.0 and v13.1 with an SQL database. Updating is strongly recommended (see issue server/816 for details).

Web API

  • /.well-known/openid-configuration

    • signed_jwks_uri -- New optional metadata field specifying an endpoint where the OpenID provider JWK set is published as a signed JWT. Available when OpenID Connect Federation 1.0 is enabled, else omitted.

  • /jwks.jwt -- New endpoint publishing the OpenID provider JWK set as a signed JWT when OpenID Connect Federation 1.0 is enabled. The JWT is signed with the RS256 algorithm using the first RSA key in the configured Connect2id server federation entity JWK set. The JWT typ (type) header is set to jwk-set+jwt. The JWT contains the iss (issuer), sub (subject), iat (issued-at time) and keys (JWK set keys) claims, as specified in OpenID Connect Federation 1.0, section 4.1.

Resolved issues

  • Fixes a bug introduced in Connect2id server 13.0, multi-tenant edition, affecting deployments with MySQL, PostgreSQL and MS SQL Server that may cause false HTTP 404 (invalid authorisation session ID) responses from the authorisation session web API. Connect2id server 13.0 and 13.1 multi-tenant deployments are strongly recommended to update (issue server/816).

  • Fixes a bug introduced in Connect2id server 13.0 affecting deployments with MySQL, PostgreSQL and MS SQL Server that causes incorrect PAR URI rejections at the authorisation endpoint. Connect2id server 13.0 and 13.1 deployments are strongly recommended to update (issue server/818).

  • Fixes non-critical NPE when writing HTTP 404 responses at the .well-known/openid-federation endpoint when OpenID Connect Federation 1.0 is disabled (issue server/817).

  • Optimises OpenID Connect Federation 1.0 related logging (issue server/815).

  • The PARValidator SPI must be invoked with an AuthenticationRequest if the validated authorisation request has the "openid" scope value (issue server/819).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.5

13.1 (2022-12-23)

Summary

  • OpenID Connect Federation 1.0 upgrade.

    The pushed authorisation request (PAR) endpoint is now able to handle automatic registration clients authenticating with a public key using a JWT assertion (private_key_jwt) or mutual TLS (tls_client_auth or self_signed_tls_client_auth).

    The entity configuration, trust chain resolution and client registration are updated to draft 25 of the OpenID Connect Federation 1.0 specification.

    See https://openid.net/specs/openid-connect-federation-1_0.html

  • The token introspection endpoint receives a new configuration to control the pruning of audience ("aud") values in responses.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.token.introspection.pruneAudience -- New optional configuration property to override the default Connect2id server filtering (since v7.17 (2019-10-12)) of audience ("aud") values in token introspection responses. If true, the audience is pruned to the client_id of the introspecting client, which prevents revealing information about the other recipients of a multi-audience token. If false, the complete token audience is always shown. Has no effect on tokens that don't specify an audience. The default value is true.

    • op.federation.autoClientAuthMethods.par -- New optional configuration property listing the enabled methods for authenticating OpenID Connect Federation 1.0 automatic client registration requests at the OAuth 2.0 pushed authorisation request (PAR) endpoint. Supported methods: private_key_jwt, tls_client_auth and self_signed_tls_client_auth.

    • op.federation.logoURI -- New optional configuration property specifying the logo URI of the OpenID provider as an OpenID Connect Federation 1.0 entity. Will appear in the entity configuration published at the /.well-known/openid-federation endpoint, under the metadata.federation_entity.logo_uri claim.

  • jose.federationJWKSet -> jose.federation.jwkSet -- Renames the Java system property name for setting the OpenID Connect Federation 1.0 entity JWK set. The Java system property overrides the /WEB-INF/federationJWKSet.json JWK set file content.

Web API

  • /.well-known/openid-federation

    • Updates the published entity configuration to OpenID Connect Federation 1.0 draft 25.

    • metadata.federation_entity.logo_uri -- New optional federation entity claim, configured by the op.federation.logoURI property.

  • /par

    • Supports OpenID Connect Federation 1.0 compliant automatic registration clients that use the private_key_jwt, tls_client_auth and self_signed_tls_client_auth methods (must be enabled in the op.federation.autoClientAuthMethods.par configuration property).

  • /federation/clients

    • Updates explicit client registration to OpenID Connect Federation 1.0 draft 25.

  • /token/introspect

    • Pruning of the audience ("aud") values in token introspection responses can now be controlled by the optional op.token.introspection.pruneAudience configuration property.

Resolved issues

  • The PAR endpoint should clear client_secret_post, client_secret_jwt and private_key_jwt form parameter artifacts from the stored authorisation request (issue server/813).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:10.4

  • Updates to com.nimbusds:nimbus-jose-jwt:9.25.6

  • Upgrades to com.nimbusds:tenant-manager:7.4

  • Upgrades to com.nimbusds:oauth2-authz-store:19.4

13.0 (2022-11-30)

Summary

  • Individual clients can be registered to require use of Proof Key for Code Exchange by OAuth Public Clients (RFC 7636) by means of the code_challenge_method client metadata.

  • Upgrades the OpenID provider / OAuth 2.0 authorisation server issuer alias model.

    Issuer aliasing was introduced in v12.3 (2021-09-17) to enable a Connect2id server deployment to migrate seamlessly and over time from one issuer identifier URL to another. Issuer aliases can also be used when an OpenID provider / OAuth 2.0 authorisation server is known by multiple URLs.

    This release introduces two differentiated issuer alias modes (configurable by op.issuerAliasMode):

    • MIGRATION -- Intended to facilitate issuer URL migration or deployments where the OpenID provider is known by multiple URLs. This is the default mode and how the Connect2id server previously behaved with enabled issuer aliases.

    • PERSISTED_GRANT_ISOLATION -- Enforces complete OAuth 2.0 grant isolation between issuer aliases. Has the effect of disabling long-lived (persisted) consent, forcing issue of self-contained (stateless) refresh tokens only, and blocking the use of any previously issued identifier-based refresh tokens. This mode is intended for deployments that for some reason choose not to operate a multi-tenant Connect2id server, where the OpenID providers / OAuth 2.0 authorisation servers are completely isolated.

    For security reasons both issuer alias modes will now behave as follows:

    • Prevent switching of the issuer URL during an OAuth authorisation code, implicit or hybrid flow (which may involve the PAR endpoint).

    • Prevent switching of the issuer URL in the authorisation session API at the user authentication or consent step.

    • The token introspection endpoint will mark any token issued under a different alias as invalid and the scope to access the endpoint must also be set to the current issuer URL.

    • The UserInfo endpoint will reject access tokens issued under a different alias.

    Note, in the MIGRATION issuer alias mode refresh tokens which are tied to long-lived (persisted) consent can be shared across all issuer aliases. The resulting access tokens however will be issued and remain valid for the current issuer alias only.

    Finally, the issuer aliasing was updated to enable dynamic addition and removal of issuer alias URLs, with no changes to the Connect2id server configuration.

  • Upgrades H2 SQL database support from v1.x to v2.x. This is a breaking change that affects the persisted H2 data format. Data stored by H2 v1.x is not compatible and cannot be read by H2 v2.x. Connect2id server deployments that use H2 to persist server data will need to perform a migration. See the Data Migration guide for more information.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.issuerAliases -- New optional configuration property for Connect2id server deployments that need to support issuer alias URLs of the OpenID provider / OAuth 2.0 authorisation server. By setting the configuration property to "*" (asterisk) the HTTP reverse proxy in front of the Connect2id server is enabled to determine the whitelisted issuer alias URLs when setting the "Issuer" security header. This can be useful in deployments where issuer aliases must be added or removed dynamically, without restarting the server (in the regular edition) or updating the OpenID provider / OAuth 2.0 authorisation server configuration via the tenants web API (in the multi-tenant edition). Previously the Connect2id server supported only a static whitelist of allowed issuer aliases.

    • op.issuerAliasMode -- New optional configuration property introducing two differentiated modes of issuer aliasing:

      • MIGRATION -- Enables seamless migration over time to a new issuer URL. This is the default mode and how the Connect2id server previously behaved with enabled issuer aliases.

      • PERSISTED_GRANT_ISOLATION -- Enforces persisted grant isolation between issuer aliases: disables long-lived (persisted) consent; forces issue of self-contained (stateless) refresh tokens; blocks the use of any previously issued identifier-based refresh tokens.

    • op.reg.httpMaxRequestSize -- New optional configuration property enabling override of the size limit of the entity body of HTTP POST and PUT requests to the client registration web API. Configurable via Java system property only! The default value is 250 thousand (250000) characters.

  • /WEB-INF/infinispan-*-redis-*.xml

    • New redisMapPassword and redisCachePassword configuration properties of type string to set a password for accessing Redis. The default value is no password.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "code_challenge_method" column to the "clients" table. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new column (with an appropriate default value) on startup.

  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "oauthCodeChallengeMethod" attribute to the "oauthClientMetadata" object classes. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) must update the LDAP schema manually to version 1.19, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.19/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-openldap.ldif?at=1.19&diff2=97f372ce82ddd94e08a3937c4169f3a190aed2b2 and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-opendj.ldif?at=1.19&diff2=97f372ce82ddd94e08a3937c4169f3a190aed2b2

Web API

  • /clients

    • Supports registration of clients with the optional custom code_challenge_method metadata field of type string and values S256 and plain to force the client to use a code challenge method (see Proof Key for Code Exchange by OAuth Public Clients, RFC 7636) at the authorisation and the pushed authorisation request (PAR) endpoints. The default value is no code challenge method.

      Note that the Connect2id server op.authz.allowedPKCE and op.authz.requiredPKCE configuration properties will always override this client metadata.

Resolved issues

  • Upgrades the security of the authorisation code grant at the token endpoint by adding an immediate code invalidation to complement the usual invalid_grant OAuth 2.0 error in the following cases: 1) mismatch between token request client_id (for a public or successfully authenticated confidential client) and the client_id associated with the issued code at the authorisation endpoint; 2) invalid or missing redirect_uri; 3) missing, invalid or unexpected code_verifier (PKCE); 4) mismatch between the code issuer and the tenant issuer at the token endpoint (issue authz-store/195).

  • Improves the data layer performance of the authorisation code for token exchange at the token endpoint (issue authz-store/195).

  • Updates the token endpoint unauthorized_client error description in the case when the request is rejected because the client is not registered for the grant type (issue server/798).
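The immediate code invalidation described in the first resolved issue above, as an added Python example (not Connect2id code): a hypothetical in-memory code store pops the code before running the token request checks, so any of the four failure cases burns it and a corrected retry with the same code is rejected. The PKCE S256 transform is the RFC 7636 one; the sample client, URLs and issuer are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IssuedCode:
    """What the authorisation endpoint records when it issues a code."""
    client_id: str
    redirect_uri: str
    issuer: str                     # issuer (tenant) the code was issued under
    code_challenge: Optional[str]   # S256 PKCE challenge, or None when no PKCE was used
    scope: str


class InvalidGrant(Exception):
    """Maps to the OAuth 2.0 invalid_grant error at the token endpoint."""


def s256(code_verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce() -> Tuple[str, str]:
    """Constructed client-side PKCE pair (verifier, challenge) for the demo."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)


class CodeStore:
    """Hypothetical in-memory stand-in for the server's authorisation code store."""

    def __init__(self) -> None:
        self._codes: Dict[str, IssuedCode] = {}

    def issue(self, record: IssuedCode) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = record
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: Optional[str],
               code_verifier: Optional[str], issuer: str) -> IssuedCode:
        """Exchange a code for its record. client_id is the public client's id or the
        id of the successfully authenticated confidential client making the request."""
        record = self._codes.pop(code, None)   # single use: gone whether or not the checks pass
        if record is None:
            raise InvalidGrant("unknown, expired or already used code")
        # The record was popped above, so every failure below also invalidates the code.
        if record.client_id != client_id:
            raise InvalidGrant("client_id does not match the client the code was issued to")
        if not redirect_uri or redirect_uri != record.redirect_uri:
            raise InvalidGrant("missing or invalid redirect_uri")
        if record.code_challenge is not None:
            if not code_verifier:
                raise InvalidGrant("missing code_verifier")
            if not hmac.compare_digest(s256(code_verifier), record.code_challenge):
                raise InvalidGrant("invalid code_verifier")
        elif code_verifier is not None:
            raise InvalidGrant("unexpected code_verifier")
        if record.issuer != issuer:
            raise InvalidGrant("code issuer does not match the token endpoint issuer")
        return record


def try_redeem(store: CodeStore, code: str, client_id: str, redirect_uri: Optional[str],
               code_verifier: Optional[str], issuer: str) -> str:
    """Return "ok" or the invalid_grant reason, for walking through the scenarios."""
    try:
        store.redeem(code, client_id, redirect_uri, code_verifier, issuer)
        return "ok"
    except InvalidGrant as e:
        return f"invalid_grant: {e}"


if __name__ == "__main__":
    store = CodeStore()
    verifier, challenge = make_pkce()
    rec = IssuedCode("app-1", "https://app.example.com/cb", "https://op.example.com", challenge, "openid")
    code = store.issue(rec)
    # A failed attempt with the wrong client_id ...
    print(try_redeem(store, code, "app-2", rec.redirect_uri, verifier, rec.issuer))
    # ... burns the code, so even the right client cannot redeem it afterwards.
    print(try_redeem(store, code, "app-1", rec.redirect_uri, verifier, rec.issuer))
```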

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:19.3

  • Updates to com.nimbusds:oidc-session-store:15.1.1

  • Upgrades to com.nimbusds:tenant-manager:7.3.1

  • Upgrades to com.nimbusds:tenant-registry:7.1

  • Updates to com.google.code.gson:gson:2.10

  • Updates to com.nimbusds:infinispan-cachestore-sql:5.0

  • Updates to com.nimbusds:infinispan-cachestore-redis:9.2.9

  • Upgrades to org.jooq.pro-java-11:jooq:3.17.4

  • Updates to com.zaxxer:HikariCP:5.0.1

  • Updates to org.postgresql:postgresql:42.5.1

  • Upgrades to com.h2database:h2:2.1.214

12.18 (2022-10-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.metadataOverlay -- New optional configuration property for a JSON object overlay to apply to the OpenID provider / OAuth 2.0 authorisation server metadata published at the ".well-known/openid-configuration" and ".well-known/oauth-authorization-server" endpoints. Non-null values in the overlay object replace existing metadata fields, null values remove them. Note, the overlay does not affect the internal Connect2id server configuration and after its application the resulting JSON object is not checked for being a legal representation of OpenID provider / OAuth 2.0 authorisation server metadata. If set the overlay must be represented as a JSON object string, and can be additionally BASE64 encoded to ease passing the configuration property from a command line shell.
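The overlay semantics above, worked through in Python as an added example (not Connect2id code). How the server distinguishes a plain JSON value from a BASE64 one is not stated on the page; this code tries JSON first and BASE64 second, which is my assumption, and the metadata and overlay values are constructed.

```python
import base64
import json
from typing import Any, Dict, Optional

# Constructed sample of what the server would publish without an overlay.
SAMPLE_METADATA: Dict[str, Any] = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authz",
    "token_endpoint": "https://op.example.com/token",
    "registration_endpoint": "https://op.example.com/clients",
    "scopes_supported": ["openid", "email", "profile"],
}

# Constructed overlay: hide the registration endpoint, advertise fewer scopes,
# add a documentation link. The null for a field that is absent is a harmless no-op.
SAMPLE_OVERLAY: Dict[str, Any] = {
    "registration_endpoint": None,
    "scopes_supported": ["openid"],
    "service_documentation": "https://op.example.com/docs",
    "revocation_endpoint": None,
}


def decode_overlay(value: str) -> Dict[str, Any]:
    """Parse the property value: a JSON object string, optionally BASE64 encoded.
    Assumption (mine): plain JSON is tried first, BASE64 only if that yields no object."""
    obj: Optional[Any] = None
    try:
        obj = json.loads(value)
    except ValueError:
        pass
    if not isinstance(obj, dict):
        try:
            # binascii.Error raised by a non-BASE64 value is a ValueError subclass
            obj = json.loads(base64.b64decode(value, validate=True))
        except ValueError as e:
            raise ValueError("op.metadataOverlay is neither a JSON object nor BASE64 of one") from e
    if not isinstance(obj, dict):
        raise ValueError("op.metadataOverlay must decode to a JSON object")
    return obj


def is_valid_overlay(value: str) -> bool:
    try:
        decode_overlay(value)
        return True
    except ValueError:
        return False


def apply_metadata_overlay(metadata: Dict[str, Any], overlay: Dict[str, Any]) -> Dict[str, Any]:
    """Non-null overlay values replace whole top-level fields, null values remove them.
    The result is published as-is: it is not re-validated as legal OP / AS metadata, and
    the server's internal configuration (e.g. the scopes it actually accepts) is unchanged."""
    result = dict(metadata)   # the source metadata is left untouched
    for name, value in overlay.items():
        if value is None:
            result.pop(name, None)
        else:
            result[name] = value
    return result


def encode_overlay_base64(overlay: Dict[str, Any]) -> str:
    """BASE64 form of an overlay, easier to pass from a command line shell than raw JSON."""
    return base64.b64encode(json.dumps(overlay).encode("utf-8")).decode("ascii")


def published_metadata(metadata: Dict[str, Any], property_value: str) -> Dict[str, Any]:
    """Metadata as it would be served after applying the configured overlay."""
    return apply_metadata_overlay(metadata, decode_overlay(property_value))


if __name__ == "__main__":
    encoded = encode_overlay_base64(SAMPLE_OVERLAY)
    print(json.dumps(published_metadata(SAMPLE_METADATA, encoded), indent=2))
```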

Web API

  • /authz-sessions/rest/v3/

    • Pushed authorisation request (PAR) URIs will become invalidated after their use at the authorisation endpoint. Previously a PAR URI would remain valid until its expiration, configured by the op.par.lifetime property.

Resolved issues

  • Logs a warning under AS0277 when revoking an authorisation by a self-contained (JWT-encoded) access token whose local (public) subject or client_id are not encoded (issue authz-store/194).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2.1

  • Updates to io.prometheus:simpleclient:0.16.0

  • Updates to io.prometheus:simpleclient_servlet:0.16.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.16.0

  • Updates to Log4j 2.19.0

12.17 (2022-09-14)

Web API

  • /authz-store/rest/v2/revocation

    • Adds support for an optional "quiet" query parameter when posting a revocation. When set to quiet=true an HTTP 204 No Content response will be returned; if any authorisation(s) were matched by the revocation parameters and removed they will not be returned in the response body.

Resolved issues

  • The authorisation session web API must not set the "required_sub" parameter in the authentication prompt to the end-user ID when the Connect2id server is configured with alwaysPromptForAuth=true and the end-user has an active session. This resulted in an incorrect OpenID Connect login_required error if the current end-user is (re)authenticated to another subject (end-user ID) as a result of the authentication prompt. The fix corrects the behaviour so that the original session is closed and a new one with the new subject (end-user ID) is started (issue server/781).

  • The op.grantHandler.tokenExchange.webAPI.actorToken.types configuration property of the token exchange grant handler plugin must support a setting of no accepted actor token types. The default value must also be none (issue grant-handlers-web/1).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:18.2

  • Updates to com.nimbusds:oidc-session-store:14.9.2

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.3

  • Updates to com.nimbusds:tenant-manager:6.0.4

  • Updates to com.nimbusds:tenant-registry:6.0.3

  • Updates to com.google.crypto.tink:tink:1.7.0

  • Updates DropWizard to 4.2.12

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.6

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.8

  • Updates to org.postgresql:postgresql:42.5.0

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.6

  • Updates to com.microsoft.sqlserver:mssql-jdbc:11.2.1.jre11

12.16.1 (2022-08-18)

Resolved issues

  • Fixes missing logging of the base configuration properties in the web-based token exchange grant handler (issue server/776).

  • Fixes test that erroneously removed the SPI manifests for the web-based password, client credentials and token exchange grant handlers (issue server/778).

Dependency changes

  • Updates to com.nimbusds:oauth-grant-handlers-web:1.0.1

12.16 (2022-08-12)

Summary

  • Adds new plugin for handling OAuth 2.0 token exchange (RFC 8693) grants that passes processing of the grant authorisation to an external web service (web hook). The plugin implements the TokenExchangeGrantHandler SPI introduced in Connect2id server 12.14.

    Features:

    • Supports arbitrary "subject_token" and "actor_token" types.

    • The acceptable "subject_token", "actor_token" and requested token types are configurable.

    • Optional automatic introspection of the received "subject_token" of type access token. Calls upon the internal Connect2id server introspection for access tokens that are locally issued, or one or more configured token introspection endpoints compliant with RFC 7662.

    • Optional automatic JWT verification of the received "subject_token" of type JWT, access token or ID token. The JWT signature is verified using a set of JWKs at one or more configured URLs.

    • Received "subject_token" and "actor_token" instances can also be passed in their original form for verification by the web service itself.

    • Supports passing of selected client metadata parameters to the web service, in addition to the client_id and confidential status, to be used as inputs in the authorisation decision. The "scope" and "data" client metadata fields are included by default.

    • Supports setting of HTTP connect and read timeouts, for the underlying web service, the configured token introspection endpoints and JWK set URLs.

  • Replaces the existing plugin for handling OAuth 2.0 client credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

  • Replaces the existing plugin for handling OAuth 2.0 resource owner password credentials grants at an external web service (web hook) with a new one that enables configuration of the client metadata fields to pass to the handler. Also supports multi-tenant operation.

Configuration

  • /WEB-INF/tokenExchangeGrantHandlerWebAPI.properties -- New configuration file for the new web-based token exchange grant handler, containing the default configuration properties. They can be selectively overridden with Java system properties.

  • /WEB-INF/clientGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data"

  • /WEB-INF/passwordGrantHandlerWebAPI.properties

    • op.grantHandler.clientCredentials.webAPI.customParams -- New optional configuration property to list the names of custom token request parameters to include as top-level members in the handler request JSON object.

    • op.grantHandler.clientCredentials.webAPI.clientMetadata -- New optional configuration property to list the names of client metadata fields to include in the "client" JSON object which is part of handler request. If not specified the following client metadata fields are included by default: "scope", "application_type", "sector_identifier_uri", "subject_type", "default_max_age", "require_auth_time", "default_acr_values", "data".

Web API

  • /authz-sessions/rest/v3/

    • Designates the "invalid_target" OAuth 2.0 error code, defined in RFC 8707, as a standard acceptable code to indicate an error condition during end-user authentication / consent. Deployments that use this error code are no longer required to list it in the op.authz.customErrorCodes configuration.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.51

    • Adds DefaultTokenIntrospectionResponseComposer class.

    • Adds DefaultTokenRequestParameters class.

Resolved issues

  • Updates the systemPropertiesURL configuration property to support AWS S3 URLs in the new style virtual format (issue server/773).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.51

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.41

  • Adds com.nimbusds:oauth-grant-handlers-web:1.0

  • Removes com.nimbusds:oauth-password-grant-web-api:1.5

  • Updates to com.nimbusds:oauth-client-grant-handler:2.0.3

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1.1

  • Updates to com.nimbusds:tenant-manager:6.0.3

  • Updates to com.nimbusds:tenant-registry:6.0.2

  • Updates to com.nimbusds:oauth2-authz-store:18.1.1

  • Updates to com.nimbusds:oidc-session-store:14.9.1

  • Updates to com.nimbusds:c2id-server-jwkset:1.26

  • Updates to com.nimbusds:infinispan-cachestore-common:2.4.1

  • Updates to com.nimbusds:infinispan-cachestore-ldap:3.1.3

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.7

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2.1

  • Updates to org.postgresql:postgresql:42.4.1

  • Updates to com.nimbusds:c2id-server-property-source:1.1

  • Upgrades to com.thetransactioncompany:java-property-utils:1.17

  • Updates to com.amazonaws:aws-java-sdk-*:1.12.264

  • Updates to DropWizard Metrics 4.2.10

  • Updates to Log4j 2.18.0

12.15 (2022-07-17)

Summary

  • Updates OpenID Connect RP-Initiated Logout 1.0 support to draft 02. Introduces new logout_hint, client_id and ui_locales request parameters. See https://openid.net/specs/openid-connect-rpinitiated-1_0.html

  • PrivateKeyJWTCertificateVerifier SPI plugins can override the default error_description and error_uri in invalid_client errors returned to the authenticating OAuth 2.0 client.

  • New dynamodb.enableContBackups configuration property to enable DynamoDB continuous backups / point-in-time recovery for tables holding crucial or long-lived Connect2id server data. Previously continuous backups could be enabled only via the AWS CLI, SDK, API or web console.

Configuration

  • /WEB-INF/infinispan-*-dynamodb.xml

    • New dynamodb.enableContBackups configuration property of type boolean (true|false) to enable continuous backups / point-in-time recovery for all DynamoDB tables where crucial or long-lived Connect2id server data is persisted: id_access_tokens, long_lived_authorizations, revocation_journal, clients, federation_clients and tenants (in the multi-tenant Connect2id server edition). Applied at Connect2id server startup on new table creation as well as for existing tables. The default value is false (no continuous backups).

Web API

  • Logout (end-session) endpoint

    • id_token_hint -- Relying parties can submit ID token hints encrypted with JSON Web Encryption (JWE) for confidentiality. The ID token can be encrypted with a public encryption RSA or EC JWK published at the Connect2id server's jwks.json endpoint. A relying party that is provisioned with a client_secret can alternatively encrypt the ID token with a symmetric AES key using the JWE dir algorithm and a JWE method listed in the id_token_encryption_enc_values_supported OpenID provider metadata field, as specified in OpenID Connect Core 1.0 incorporating errata set 1, section 10.2.

    • client_id -- New optional RP-initiated logout request parameter, of type string, representing the client ID of the relying party. A relying party should use it to identify itself in a request when the recommended id_token_hint parameter isn't included or when the id_token_hint represents a symmetrically encrypted (JWE) ID token so the OpenID provider can resolve the relying party's registered client_secret necessary for the ID token decryption. If both id_token_hint and client_id are included in a logout request the client ID must be found in the ID token audience.

      Note, a valid id_token_hint remains required for RP-initiated logout requests that include a post_logout_redirect_uri parameter.

    • logout_hint -- New optional RP-initiated logout request parameter, of type string, representing a hint about the end-user that is logging out, such as the user's email address, telephone number or username. Analogous to the login_hint OpenID authentication request parameter.

    • ui_locales -- New optional parameter, of type string and consisting of one or more space delimited BCP47 (RFC 7231) language tags, representing the end-user's preferred languages and scripts for the logout UI.

  • /logout-sessions/rest/v1/

    • Adds support for the optional client_id RP-initiated logout request parameter. The Connect2id server will use it to identify the calling relying party when the recommended id_token_hint logout request parameter isn't included or represents an ID token that is symmetrically encrypted with a client_secret. If both id_token_hint and client_id are present in a logout request the Connect2id server will check that the ID token was issued to the client_id; if not, an invalid_id_token_hint error will be returned.

    • New id_token_hint_present parameter in the logout prompt message, of type boolean (true|false), to show if the relying party included an id_token_hint in the logout request.

      Note, if the id_token_hint logout request parameter failed the Connect2id server verification (covers all standard ID token checks, save for its exp claim), the logout session API will return an invalid_id_token_hint error. Hence, when id_token_hint_present is true it always indicates a valid ID token.

    • New optional op_logout parameter in the logout confirmation message, of type boolean (true|false) and a default value false, to indicate an end-user request for IdP-wide logout in addition to confirming the RP logout. This new parameter deprecates the existing confirm_logout parameter.

    • New optional logout_hint parameter in the logout prompt message, of type string, representing the logout_hint RP-initiated logout request parameter.

    • New optional ui_locales parameter in the logout prompt, logout end and logout error messages, of type string array, representing the ui_locales RP-initiated logout request parameter.

    • New invalid_request error code to indicate an invalid RP-initiated logout request.
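Both the symmetrically encrypted id_token_hint described under the logout endpoint above and the 13.3 fix for shared-key JWE (issue oidc-sdk/412) rest on how the JWE dir key is derived from the client_secret. This is an added Python example, not Connect2id or Nimbus code: the digest-size rule (SHA-256 for keys up to 256 bits, SHA-512 above) is my reading of OpenID Connect Core 1.0 section 10.2, and derive_dir_key_pre_13_3 models the pre-fix behaviour only as the 13.3 note describes it.

```python
import hashlib
from typing import List

# Key sizes (bits) of the JWE "enc" methods an OP may list in
# id_token_encryption_enc_values_supported (sizes per RFC 7518).
ENC_KEY_BITS = {
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
}


def _secret_digest(client_secret: str, key_bits: int) -> bytes:
    # Assumption (my reading of OpenID Connect Core 1.0, section 10.2): SHA-256 for
    # keys of 256 bits or fewer, SHA-512 for longer keys, nothing above 512 bits.
    octets = client_secret.encode("utf-8")
    if key_bits <= 256:
        return hashlib.sha256(octets).digest()
    if key_bits <= 512:
        return hashlib.sha512(octets).digest()
    raise ValueError("keys longer than 512 bits are not supported")


def derive_dir_key(client_secret: str, enc: str) -> bytes:
    """Correct derivation: keep the left-most key_bits of the digest, i.e. drop the
    right-most bits (the behaviour the 13.3 fix establishes)."""
    key_bits = ENC_KEY_BITS[enc]
    return _secret_digest(client_secret, key_bits)[: key_bits // 8]


def derive_dir_key_pre_13_3(client_secret: str, enc: str) -> bytes:
    """Model of the pre-fix behaviour as the 13.3 note describes it: the left-most
    bits were dropped, so the right-most key_bits of the digest were kept."""
    key_bits = ENC_KEY_BITS[enc]
    return _secret_digest(client_secret, key_bits)[-(key_bits // 8):]


def affected_encs(client_secret: str) -> List[str]:
    """The enc methods for which the two derivations disagree. Where the key is as long
    as the digest (A256GCM, A128CBC-HS256, A256CBC-HS512) nothing is truncated and an RP
    and OP on different sides of the fix still interoperate; for the truncated sizes the
    symptom is a JWE that the peer silently fails to decrypt."""
    return [enc for enc in ENC_KEY_BITS
            if derive_dir_key(client_secret, enc) != derive_dir_key_pre_13_3(client_secret, enc)]


if __name__ == "__main__":
    secret = "constructed-client-secret-for-the-demo"   # constructed sample, not a real credential
    for enc in ENC_KEY_BITS:
        print(enc, derive_dir_key(secret, enc).hex())
    print("enc methods where a pre-13.3 peer derives a different key:", affected_encs(secret))
```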

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.49

    • New ExposedInvalidClientException class that extends the common InvalidClientException for representing OAuth 2.0 invalid_client errors, to indicate that the default Connect2id server error_description and error_uri must be overridden with specific values.

      The Connect2id server has a security policy to log the message of InvalidClientException instances and return a general error_description in the HTTP 401 Unauthorized response that doesn't reveal the exact cause why client authentication failed. The new ExposedInvalidClientException lets client authentication related plugins override this policy and set the error_description and error_uri in the HTTP 401 Unauthorized response. This facility must be used judiciously.

    • Connect2id server plugins implementing the PrivateKeyJWTCertificateVerifier SPI can throw the new ExposedInvalidClientException instead of the common InvalidClientException to override the default Connect2id server error_description and error_uri in the resulting HTTP 401 Unauthorized response.

      When using the ExposedInvalidClientException to set a custom invalid_client error_description care must be taken not to divulge sensitive information, or more information than necessary, to the caller.

Resolved issues

  • Updates the access token (as subject_token) introspection in token exchange grant handling (RFC 8693) to mark tokens whose client_id doesn't match the client_id of the requesting OAuth 2.0 client as invalid. In addition, an OP6216 warning will be logged when this condition is encountered (issue server/768).

  • The logout session web API must not log request query strings at INFO level (issue server/770).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.49

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.38

  • Upgrades to com.nimbusds:lang-tag:1.7

12.14 (2022-06-30)

Summary

  • Support for OAuth 2.0 Token Exchange (RFC 8693). This is an OAuth 2.0 extension that specifies a generic mechanism for clients to obtain an access token in exchange for another token, whose type and encoding can be arbitrary and whose issuer can be the same OAuth 2.0 authorisation server or another trusted 3rd party token service. This grant also supports impersonation (act-as) and delegation (on-behalf-of) scenarios. See https://datatracker.ietf.org/doc/html/rfc8693

Web API

  • /clients

    • Supports registration of clients for the OAuth 2.0 token exchange grant ("urn:ietf:params:oauth:grant-type:token-exchange"). The clients can be confidential (with authentication credentials) or public.
  • /token

    • Supports the OAuth 2.0 token exchange grant (RFC 8693), identified by the grant_type "urn:ietf:params:oauth:grant-type:token-exchange". Requires a TokenExchangeGrantHandler SPI plugin.
  • /monitor/v1/metrics

    • Adds new tokenEndpoint.tokenExchange.successfulRequests, tokenEndpoint.tokenExchange.invalidClientErrors, tokenEndpoint.tokenExchange.unauthorizedClientErrors, tokenEndpoint.tokenExchange.invalidGrantErrors and tokenEndpoint.tokenExchange.invalidScopeErrors meters for the OAuth 2.0 token exchange grant.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.48

    • TokenExchangeGrantHandler -- New SPI for implementing OAuth 2.0 token exchange (RFC 8693) scenarios. Accepts subject_token and actor_token instances of any token type and issuer. The requested_token_type must be an access token (locally issued). The access token can be of type Bearer, with a client X.509 certificate binding (RFC 8705), or DPoP bound (draft-ietf-oauth-dpop-09). Issue of other types of tokens as well as refresh tokens currently isn't supported.

    • ClientCredentialsGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ResourceOwnerPasswordCredentialsGrant -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • SelfIssuedJWTGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ThirdPartyJWTGrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • SelfIssuedSAML2GrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • ThirdPartySAML2GrantHandler -- Adds new processGrant method to the SPI to enable handling of token parameters other than scope and provide access to the configured OP / AS issuer URI (necessary for grant handler plugins in multi-tenant Connect2id server deployments). The old processGrant method is deprecated. The new processGrant method has a default implementation that passes the call to the old deprecated method so existing plugins can continue functioning as they are.

    • Adds a ClaimsSpec field to the GrantAuthorization class. This enables plugins implementing the ClientCredentialsGrantHandler SPI to authorise OAuth 2.0 clients registered for the client_credentials grant to receive an access token for OpenID claims at the UserInfo endpoint. This also enables the existing Connect2id server feature where authorised OpenID claims specified with the access_token: prefix will be fed into the access token.
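Worked example of the token exchange grant handled by the TokenExchangeGrantHandler SPI described above, combined with the subject_token client_id check from the server/768 fix. This is an added illustration in Go, not code from the Connect2id server or its SDK: the token records, client IDs, the scope narrowing policy and the requirement that an actor_token also belong to the requesting client are constructed assumptions, and a real handler would introspect tokens through the server rather than look them up in a map.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const (
	grantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	tokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
)

// Introspection is the subset of a token introspection result the handler needs.
type Introspection struct {
	Active        bool
	ClientID, Sub string // client the token was issued to, and its subject
	Scope         []string
}

// Tokens known to this authorisation server (constructed for the example).
var issuedTokens = map[string]Introspection{
	"at-alice-app-1": {Active: true, ClientID: "app-1", Sub: "alice", Scope: []string{"openid", "email", "files:read"}},
	"at-svc-app-1":   {Active: true, ClientID: "app-1", Sub: "svc-batch", Scope: []string{"files:read"}},
}

// TokenResponse models the RFC 8693 section 2.2.1 success response; Sub and Act are what the new token is minted for.
type TokenResponse struct {
	AccessToken, IssuedTokenType, TokenType, Scope, Sub string
	Act                                                 string // acting party (delegation); empty for impersonation
}

// GrantError carries the OAuth 2.0 error code returned to the client.
type GrantError struct{ Code, Description string }

func (e *GrantError) Error() string { return e.Code + ": " + e.Description }

// lookupToken introspects a token presented by requestingClient. A token issued
// to a different client is reported as invalid (the server/768 behaviour), so a
// client can only exchange tokens that were issued to it.
func lookupToken(token, requestingClient string) (Introspection, bool) {
	rec, ok := issuedTokens[token]
	if !ok || !rec.Active {
		return Introspection{}, false
	}
	if rec.ClientID != requestingClient {
		fmt.Printf("WARN token client_id %q != requesting client %q\n", rec.ClientID, requestingClient)
		return Introspection{}, false
	}
	return rec, true
}

// HandleTokenExchange processes a token exchange request. requestingClient is
// the client_id established by client authentication, never a form parameter.
func HandleTokenExchange(form url.Values, requestingClient string) (*TokenResponse, error) {
	if form.Get("grant_type") != grantTypeTokenExchange {
		return nil, &GrantError{"unsupported_grant_type", "expected the token exchange grant"}
	}
	// Only locally issued access tokens can be requested or presented as subject_token here.
	if rtt := form.Get("requested_token_type"); (rtt != "" && rtt != tokenTypeAccessToken) || form.Get("subject_token_type") != tokenTypeAccessToken {
		return nil, &GrantError{"invalid_request", "unsupported requested_token_type or subject_token_type"}
	}
	subject, ok := lookupToken(form.Get("subject_token"), requestingClient)
	if !ok {
		return nil, &GrantError{"invalid_grant", "subject_token is invalid, expired or revoked"}
	}
	// The exchanged token may carry at most the scope of the subject_token.
	allowed := map[string]bool{}
	for _, v := range subject.Scope {
		allowed[v] = true
	}
	scope := subject.Scope
	if s := form.Get("scope"); s != "" {
		scope = strings.Fields(s)
		for _, v := range scope {
			if !allowed[v] {
				return nil, &GrantError{"invalid_scope", "scope exceeds the subject_token scope"}
			}
		}
	}
	resp := &TokenResponse{AccessToken: "at-exchanged-" + subject.Sub, IssuedTokenType: tokenTypeAccessToken,
		TokenType: "Bearer", Scope: strings.Join(scope, " "), Sub: subject.Sub} // a real server mints a fresh token here
	// Delegation (on-behalf-of): the actor_token identifies who acts for the subject;
	// without it the exchange is impersonation.
	if actorToken := form.Get("actor_token"); actorToken != "" {
		if form.Get("actor_token_type") != tokenTypeAccessToken {
			return nil, &GrantError{"invalid_request", "unsupported actor_token_type"}
		}
		actor, ok := lookupToken(actorToken, requestingClient)
		if !ok {
			return nil, &GrantError{"invalid_grant", "actor_token is invalid, expired or revoked"}
		}
		resp.Act = actor.Sub
	}
	return resp, nil
}

func main() {
	form := url.Values{"grant_type": {grantTypeTokenExchange}, "subject_token": {"at-alice-app-1"},
		"subject_token_type": {tokenTypeAccessToken}, "actor_token": {"at-svc-app-1"},
		"actor_token_type": {tokenTypeAccessToken}, "scope": {"files:read"}}
	resp, err := HandleTokenExchange(form, "app-1")
	fmt.Printf("app-1: %+v %v\n", resp, err)
	_, err = HandleTokenExchange(form, "app-2") // the subject_token was issued to app-1
	fmt.Println("app-2:", err)
}
```

The second call in main is the case the server/768 fix addresses: app-2 presents a perfectly valid token that was issued to app-1 and gets invalid_grant, with the mismatch logged for investigation rather than echoed to the client.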

Resolved issues

  • Increases the entity size limit of HTTP requests to the client registration endpoint from 20K chars to 250K chars to cater for client registrations with exceptionally large metadata. The entity size limit exists to prevent DoS attacks on client registration that is open or managed in a way that doesn't enforce a limit on the submitted client metadata (issue server/765).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.48

12.13 (2022-06-20)

Summary

  • The default Connect2id server codec for self-contained (JWT-encoded) access tokens can now insert selected elements from the client data field and the authorisation data fields as top-level JWT claims. Deployments can use this feature to conform to access token profiles without a custom SelfContainedAccessTokenClaimsCodec plugin.

Configuration

  • /WEB-INF/authzStore.properties

    • authzStore.accessToken.codec.jwt.copyClientData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists names of members in the client registration's "data" JSON object to copy as top-level JWT claims. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged this setting has no effect.

    • authzStore.accessToken.codec.jwt.moveAuthzData -- New optional configuration property of the default Connect2id server codec for JWT-encoded access tokens. Lists the names of members in the authorisation "dat" (data) JSON object to move to top-level JWT claims in access tokens minted by the default self-contained access token encoder. An "*" (asterisk) selects all members. If a custom JWT codec (implementing the SelfContainedAccessTokenClaimsCodec SPI) is plugged this setting has no effect.
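The two settings as an added example in Go, not the Connect2id server's own codec: Promote copies the selected members of the client registration "data" object and moves the selected members of the authorisation "dat" object to top-level claims, with "*" as the wildcard. The rule that a promoted member never overwrites a claim already present at the top level (sub, iss, cid and so on) is an assumption of the example, not documented server behaviour; it is the caveat to check in a real deployment, because "dat" is set per consent and client data per registration, and neither should be able to rewrite the token subject.

```go
package main

import "fmt"

// Promote applies the two settings to a JWT claims set: members of the client
// registration "data" object named in copyClientData are copied in as top-level
// claims, members of the authorisation "dat" object named in moveAuthzData are
// moved out of "dat" to the top level. "*" selects all members. A member never
// overwrites a claim already present (sub, iss, cid, ...); this collision rule
// is an assumption of the example, not documented server behaviour.
func Promote(claims, clientData map[string]interface{}, copyClientData, moveAuthzData []string) map[string]interface{} {
	out := make(map[string]interface{}, len(claims))
	for k, v := range claims {
		out[k] = v
	}
	for _, name := range selectMembers(clientData, copyClientData) {
		if _, taken := out[name]; !taken {
			out[name] = clientData[name]
		}
	}
	if orig, ok := claims["dat"].(map[string]interface{}); ok {
		dat := make(map[string]interface{}, len(orig)) // work on a copy; the input is not mutated
		for k, v := range orig {
			dat[k] = v
		}
		for _, name := range selectMembers(dat, moveAuthzData) {
			if _, taken := out[name]; taken {
				continue // e.g. a "sub" inside dat must not replace the token subject
			}
			out[name] = dat[name]
			delete(dat, name)
		}
		if len(dat) == 0 {
			delete(out, "dat")
		} else {
			out["dat"] = dat
		}
	}
	return out
}

// selectMembers resolves a configured name list against an object; "*" means every member.
func selectMembers(obj map[string]interface{}, names []string) []string {
	var sel []string
	for _, n := range names {
		if n == "*" {
			for k := range obj {
				sel = append(sel, k)
			}
			continue
		}
		if _, ok := obj[n]; ok {
			sel = append(sel, n)
		}
	}
	return sel
}

func main() {
	claims := map[string]interface{}{"iss": "https://op.example.com", "sub": "alice", "cid": "app-1",
		"dat": map[string]interface{}{"tenant": "acme", "roles": []string{"admin"}, "sub": "not-alice"}}
	clientData := map[string]interface{}{"org_id": "org-42", "tier": "gold"}
	fmt.Println(Promote(claims, clientData, []string{"org_id"}, []string{"tenant", "sub"}))
}
```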

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.45

    • Updates the SelfContainedAccessTokenClaimsCodec SPI by adding a new TokenEncoderContext.getOIDCClientInformation method.

    • Updates the AccessTokenIssueEventListener and IDTokenIssueEventListener SPIs by adding a new EventContext.getOIDCClientInformation method.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.45

  • Upgrades to com.nimbusds:oauth2-authz-store:18.1

  • Upgrades to com.nimbusds:common:2.49

12.12 (2022-06-03)

Summary

  • New plugin interface (Service Provider Interface, or SPI) for accepting qualified X.509 certificates to verify the digital signature in private_key_jwt client authentications.

  • New plugin interface (SPI) for intercepting client authentication success and failure events at all Connect2id server endpoints where client authentication occurs. Can be used for logging, reporting, audit, debugging and other purposes.

  • Introduces a secure random 12 byte "client_auth_id" to identify each individual client authentication performed by the Connect2id server in log messages, OAuth 2.0 invalid_client errors and calls to SPIs like the new private key JWT certificate verifier and the client authentication interceptor.

  • Includes a web-based handler plugin for the OAuth 2.0 client credentials grant, implementing the ClientCredentialsGrantHandler SPI from the Connect2id server SDK. This handler is not compatible with the multi-tenant edition of the Connect2id server. Disabled by default. The default client credentials handler remains the existing local one (com.nimbusds:oauth-client-grant-handler:2.0.2).

Web API

  • /token

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
  • /token/introspect

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
  • /token/revoke

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.
  • /par

    • OAuth 2.0 invalid_client error objects include a "client_auth_id" to identify the client authentication event in server log messages and SPI calls.

Configuration

  • /WEB-INF/clientGrantHandlerWebAPI.properties -- New configuration file for the client credentials grant handler plugin that delegates processing of the grant authorisation to a web-service. The configuration properties can be overridden or set with Java system properties.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.44

    • com.nimbusds.openid.connect.provider.spi.clientauth.PrivateKeyJWTCertificateVerifier -- New SPI for verifying an X.509 certificate (x5c) in private_key_jwt client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates and without a prior client JWK set registration (via the "jwks" or "jwks_uri" client metadata parameters).

      The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate in the private_key_jwt, based on the client's registered metadata or other criteria.

      A client can place the certificate in the private_key_jwt "x5c" header. Alternatively, the certificate can be put in the "x5c" parameter of a matching public JWK and have the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter.

      Implementations must be thread-safe.

    • com.nimbusds.openid.connect.provider.spi.clientauth.ClientAuthenticationInterceptor -- New SPI for intercepting successful and failed client authentications at all Connect2id server endpoints where client authentication occurs, such as the token, token introspection, token revocation and pushed authorisation request (PAR) endpoints. Successful client authentications can be subjected to additional checks and rejected with an OAuth 2.0 invalid_client error.

      Implementations must be thread-safe. Interceptors that create events should use a separate thread for blocking operations.
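An added example in Go of the checks a PrivateKeyJWTCertificateVerifier implementation has to perform when the certificate arrives in the x5c header. It is not the SPI itself nor Connect2id server code: it builds a throwaway CA and client certificate with the standard library, assumes the token endpoint URL as the assertion audience and binds the certificate to the client by its subject CN, which is a deployment policy choice. The security-relevant order is the point: the certificate in x5c is attacker-supplied until it chains to a configured trust anchor, so chain validation and the client binding come before the signature is trusted for anything.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const tokenEndpoint = "https://op.example.com/token" // assumed token endpoint, the audience of the assertion
// x5c carries the certificate chain, leaf first, as standard base64 DER (RFC 7515 section 4.1.6).
type jwtHeader struct { Alg string `json:"alg"`; X5c []string `json:"x5c"` }
type jwtClaims struct { Iss string `json:"iss"`; Sub string `json:"sub"`; Aud string `json:"aud"`; Exp int64 `json:"exp"` }

// MintAssertion is the client side: a private_key_jwt carrying the client certificate in x5c.
func MintAssertion(key *rsa.PrivateKey, cert *x509.Certificate, clientID string, exp time.Time) (string, error) {
	h, _ := json.Marshal(jwtHeader{Alg: "RS256", X5c: []string{base64.StdEncoding.EncodeToString(cert.Raw)}})
	c, _ := json.Marshal(jwtClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Exp: exp.Unix()})
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyAssertion is the server side: chain the x5c leaf to the trust anchors,
// bind the certificate to the client, verify the signature, then check the claims.
func VerifyAssertion(assertion string, roots *x509.CertPool, clientID string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	var h jwtHeader
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hb, &h) != nil || h.Alg != "RS256" || len(h.X5c) == 0 {
		return errors.New("malformed JWT, alg not RS256 or x5c missing")
	}
	der, err := base64.StdEncoding.DecodeString(h.X5c[0]) // further entries belong in VerifyOptions.Intermediates
	leaf, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		return errors.New("x5c[0] is not a base64 DER certificate")
	}
	// Without chain validation against the deployment's trust anchors any self-signed certificate would do.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("x5c chain not trusted: %w", err)
	}
	// Bind the certificate to the registered client, here by subject CN (a deployment policy choice).
	if leaf.Subject.CommonName != clientID {
		return errors.New("certificate subject does not match client_id")
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return errors.New("leaf key is not RSA or signature is not base64url")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature invalid")
	}
	var c jwtClaims
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil || c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint || now.Unix() >= c.Exp {
		return errors.New("claims unparsable, or iss, sub, aud or exp check failed")
	}
	return nil
}

// NewPKI makes a throwaway CA and a client certificate issued by it (constructed for the example).
func NewPKI(clientID string) (*x509.CertPool, *rsa.PrivateKey, *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Qualified CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: clientID},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	leafCert, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leafKey, leafCert
}

func main() {
	const clientID = "https://rp.example.com"
	roots, key, cert := NewPKI(clientID)
	jwt, _ := MintAssertion(key, cert, clientID, time.Now().Add(time.Minute))
	fmt.Println("trusted CA:", VerifyAssertion(jwt, roots, clientID, time.Now()))
	_, key, cert = NewPKI(clientID) // same CN, but issued by a CA the server does not trust
	jwt, _ = MintAssertion(key, cert, clientID, time.Now().Add(time.Minute))
	fmt.Println("unknown CA:", VerifyAssertion(jwt, roots, clientID, time.Now()))
}
```

Run with go run: the first line prints <nil>, the second an "x5c chain not trusted" error even though the assertion is correctly signed and its subject CN matches. Revocation checking (CRL or OCSP) of the client certificate is outside this example and is something a qualified-certificate deployment has to add.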

Resolved issues

  • Fixes an HTTP 500 Internal Server Error on a token revocation request with client authentication where the client_id resolves to an invalid client registration (issue server/760).

  • The message OP0131 ("Couldn't determine Connect2id server local host") should be logged at WARN level, not ERROR (issue server/759).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.44

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.37.2

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.23

  • Updates to Infinispan 9.4.24

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.5

  • Updates to com.nimbusds:oauth-password-grant-web-api:1.5

  • Updates to com.nimbusds:oauth-client-grant-handler:2.0.2

  • Adds com.nimbusds:oauth-client-grant-web-api:1.4

12.11 (2022-05-22)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.splashPage -- New configuration property for the splash page to display at the Connect2id server issuer URL (op.issuer).

      Supported values:

      • urn:c2id:splash_page:default -- The default splash page, an HTML page showing the Connect2id server version, a list of the available endpoints and links to public online documentation.
      • urn:c2id:splash_page:blank -- A blank page.
      • urn:c2id:splash_page:op_metadata -- Redirects (HTTP 301) to the OpenID provider metadata at /.well-known/openid-configuration
      • https or http URL -- Redirects (HTTP 301) to the specified HTTPS or HTTP URL.

Resolved issues

  • Fixes a bug that affected the correct handling of the subject session "auth_life" property (for values > 0) in the authorisation session web API, used to determine when the authentication lifetime (in minutes) of a session expires and the subject (end-user) must be re-authenticated in the same session (issue server/756).

  • Adds custom static error pages for 404, 405 and other HTTP status codes handled by the Servlet container to hide the Servlet container version and other potentially sensitive information (issue server/745).

12.10 (2022-05-03)

Summary

  • Support for OpenID authentication requests with prompt=create to enable relying parties to instruct the OpenID provider to present the user with a sign-up screen. After the user is successfully registered the flow proceeds as usual. Support for the "create" prompt value is advertised in a new "prompt_values_supported" OpenID provider metadata field. Login handlers integrating with the authorisation session API will receive indication of a prompt=create in a new "create_account" {true|false} parameter of the "auth" message. If the OpenID provider has no requirement or wish to honour prompt=create the login handler can safely ignore the "create_account" flag and render the usual user authentication screen. OpenID prompt=create requests will always trigger an "auth" prompt message in the authorisation session API, similarly to OpenID prompt=select_account requests.

    The Connect2id server will reject OpenID authentication requests with a prompt parameter that combines "create" with other values, in accordance with the specification recommendation.

    This new prompt "create" value is specified in Initiating User Registration via OpenID Connect - draft 04, see https://openid.net/specs/openid-connect-prompt-create-1_0.html

  • Support for minting back-channel logout notification tokens with explicit JWT typing. This is a simple measure to help relying parties simplify the prevention of mix-up of logout token JWTs with other types of JWT without having to examine the JWT claims structure. Enabled by default.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.logout.backChannel.jwtTypeExplicit -- New configuration property to enable / disable explicit typing of the issued back-channel logout tokens by setting the JWT type ("typ") header to "logout+jwt". Explicit logout token typing is a new recommendation in OpenID Connect Back-Channel Logout 1.0 - draft 07, section 4.1. This is a simple measure to prevent mix-up of logout token JWTs with other types of JWT without having to examine the JWT claims structure. Enabled by default.

      See https://openid.net/specs/openid-connect-backchannel-1_0.html

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Removes the default "dynamodb.region" setting of "us-east-1". The purpose of this change is to enable DynamoDB configurations where the AWS region is determined by the default AWS region provider chain, for example by setting the "AWS_REGION" environment variable. The DynamoDB store XML schema is updated to v1.19. See https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html

Web API

  • /.well-known/openid-configuration

    • prompt_values_supported -- New metadata field defined in Initiating User Registration via OpenID Connect - draft 04. Lists the supported prompt values in OpenID authentication requests. The Connect2id server supports the following prompt values: none, login, consent, select_account and create.
  • /authz-sessions/rest/v3/

    • The authentication prompt (message with type "auth") receives a new "create_account" member of type boolean to indicate an OpenID authentication request with a prompt=create parameter.

Resolved issues

  • Sourcing of "access_token:*" claims must call the AdvancedClaimsSource SPI instead of the basic ClaimsSource SPI in order to pass optional "claims_data" (issue server/753, authz-store/191).

Dependency changes

  • Updates to com.nimbusds:c2id-server-sdk:4.43

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.35

  • Updates to com.nimbusds:nimbus-jose-jwt:9.22

  • Upgrades to com.nimbusds:oauth2-authz-store:17.9

  • Updates to com.nimbusds:oidc-claims-source-ldap:1.6.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.2

  • Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.201

  • Updates to com.nimbusds:c2id-server-property-source:1.0.4

  • Updates to org.postgresql:postgresql:42.3.4

  • Updates to org.slf4j:slf4j-api:1.7.36

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.7

  • Updates to com.nimbusds:token-event-publisher-aws-sqs:1.1.3

  • Adds dependency to com.amazonaws:aws-java-sdk-sts:1.12.201

12.9 (2022-03-23)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.token.idToken.jwtType -- New configuration property to set the type ("typ") header of issued ID tokens. Explicit JWT typing is a simple measure to prevent mix-up of ID token JWTs with other types of JWT without having to examine the JWT claims structure. Note this is a non-standard feature and may result in rejection of ID tokens by client libraries not able or not configured to handle typing. Typing is disabled by default.

    • op.token.userinfo.jwtType -- New configuration property to set the type ("typ") header of issued UserInfo JWTs. Explicit JWT typing is a simple measure to prevent mix-up of UserInfo JWTs with other types of JWT without having to examine the JWT claims structure. Note this is a non-standard feature and may result in rejection of UserInfo JWTs by client libraries not able or not configured to handle typing. Typing is disabled by default.

Web API

  • /clients/

    • Adds support for a new optional "refresh_client_secret" client metadata field of type boolean for use in client update requests. When the "refresh_client_secret" is set to true in a client update request the Connect2id server will refresh the client secret, overriding a disabled op.reg.alwaysRefreshClientSecretOnUpdate configuration setting. When "refresh_client_secret" is set to false or omitted the refresh of the client secret will be determined by the configured op.reg.alwaysRefreshClientSecretOnUpdate setting.

      The intent of "refresh_client_secret" is to give registered clients a direct control over how soon or often to refresh their secret. This is a non-standard metadata field.

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.31

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2.1

  • Updates to com.nimbusds:lang-tag:1.6

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.4

  • Updates to org.postgresql:postgresql:42.3.3

12.8 (2022-03-12)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.42

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getRawRequest method returning the original raw OAuth 2.0 authorisation / OpenID authentication request, as received at the authorisation endpoint and prior to any JAR unwrapping / resolution if JWT-secured.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getRawRequest method returning the original raw OAuth 2.0 authorisation / OpenID authentication request, as received at the authorisation endpoint and prior to any JAR unwrapping / resolution if JWT-secured.

Resolved issues

  • Fixes a vulnerability in the Connect2id server banner (splash) page that allowed injection of HTML or JavaScript via an invalid "Issuer" HTTP header. No feasible exploits found, but upgrading is generally recommended. The banner page also receives a Content-Security-Policy to allow only local content (issue server/733).

  • Fixes a vulnerability at the token endpoint that allowed log injection of CR and LF characters via a client_id prior to client validation. In Connect2id server deployments with a plain text Log4j appender the vulnerability may be exploited to compromise the integrity of the log messages and potentially forge log events. The severity of the vulnerability is low, upgrading is recommended (issue server/734).

  • Fixes the log label for the token introspection HTTP request logging and the OP6500 internal server error message (issue server/735).

  • The token and UserInfo endpoints must return an HTTP 400 Bad Request with an invalid_dpop_proof error when receiving a DPoP HTTP request header with a header value that doesn't parse to a signed JWT. Previously the Connect2id server ignored the DPoP header when JWT parsing failed (issue server/736).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.42

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.28

  • Updates to com.nimbusds:nimbus-jose-jwt:9.21

  • Updates to com.nimbusds:common:2.48

  • Updates to org.cryptomator:siv-mode:1.4.4

  • Updates to net.minidev:json-smart:2.4.8

12.7 (2022-03-01)

Web API

  • /authz-sessions/rest/v3/

    • The DELETE call for returning an authorisation response error to the OAuth 2.0 client adds support for an "error_uri" query parameter. See RFC 6749, section 5.2.
  • /monitor/v1/metrics

    • Adds new "authzEndpoint.invalidRequests" meter of invalid requests by OAuth 2.0 clients and OpenID Connect relying parties at the OAuth 2.0 authorisation endpoint. Covers authorisation error responses with the "invalid_request" and other codes (save for "access_denied" metered by "authzEndpoint.failedSubjectAuthentications" and "authzEndpoint.consentDenials") as well as non-redirecting errors.

Resolved issues

  • The authorisation session API DELETE /authz-sessions/rest/v3/{sid} call must return an HTTP 400 Bad Request when illegal characters are present in an OAuth 2.0 error code or description, as specified in RFC 6749, section 5.2. Previously illegal characters would produce an HTTP 500 Internal Server Error (issue server/730).

Dependency changes

  • Updates to com.nimbusds:nimbus-jose-jwt:9.20

  • Updates to com.nimbusds:oauth2-authz-store:17.8

  • Updates to com.nimbusds:oidc-session-store:14.9

  • Updates to com.nimbusds:common:2.46

  • Updates to javax.servlet:javax.servlet-api:4.0.1

  • Updates to org.apache.commons:commons-lang3:3.12.0

  • Updates to javax.ws.rs:javax.ws.rs-api:2.1.1

  • Updates to org.glassfish.jersey.containers:jersey-container-servlet:2.35

  • Updates to com.google.code.gson:gson:2.9.0

  • Updates to commons-codec:commons-codec:1.15

  • Updates to io.prometheus:simpleclient:0.15.0

  • Updates to io.prometheus:simpleclient_servlet:0.15.0

  • Updates to io.prometheus:simpleclient_dropwizard:0.15.0

  • Updates to Log4j 2.17.2

12.6.1 (2022-02-10)

Resolved issues

  • Fixes op.map.claims.* system property override for configuring the custom scope-to-claims mapper in the single-tenant edition of the Connect2id server. The multi-tenant server edition is not affected. The single-tenant server edition will log at startup the configured mapping (at level INFO with ID OP0080) (issue server/725).

  • OpenID Connect for Identity Assurance: MinimalVerificationSpec.parse must allow trust_framework set to an empty JSON object (issue oidc-sdk/385).

  • OpenID Connect for Identity Assurance: The birthplace claim must allow ISO 3166-1 Alpha-3 country codes (issue server/728).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.25

  • Updates to com.nimbusds:nimbus-jose-jwt:9.19

  • Updates to org.postgresql:postgresql:42.3.2

12.6 (2022-01-17)

Summary

  • Upgrades OpenID Connect for Identity Assurance 1.0 support to the latest implementers' draft 12 from 6 September 2021. See https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html

  • Upgrades the AuthorizationRequestValidator and PARValidator SPIs to enable read-only access to the OpenID provider / OAuth 2.0 authorisation server metadata for plugin configuration and other purposes.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.assurance.supportedDocumentTypes -- New optional configuration property listing the supported document types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_supported" OpenID provider metadata parameter.

    • op.assurance.supportedMethodsForDocuments -- New optional configuration property listing the supported coarse identity verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedValidationMethodsForDocuments -- New optional configuration property listing the supported validation methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_validation_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedVerificationMethodsForDocuments -- New optional configuration property listing the supported person verification methods for evidences of type document if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "documents_verification_methods_supported" OpenID provider metadata parameter.

    • op.assurance.supportedElectronicRecordTypes -- New optional configuration property listing the supported electronic record types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "electronic_records_supported" OpenID provider metadata parameter.

    • op.assurance.supportedAttachments -- New optional configuration property listing the supported attachment types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "attachments_supported" OpenID provider metadata parameter. Attachment types: embedded, external.

    • op.assurance.supportedDigestAlgs -- New optional configuration property listing the supported digest algorithms for external attachments if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "digest_algorithms_supported" OpenID provider metadata parameter. If external attachments are supported must at least include sha-256.

    • op.assurance.supportedIDDocumentTypes -- Becomes deprecated, the corresponding "id_documents_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.

    • op.assurance.supportedIdentityVerificationMethods -- Becomes deprecated, the corresponding "id_documents_verification_methods_supported" OpenID provider metadata parameter is no longer in use in OpenID Connect for Identity Assurance 1.0.

Web API

  • /.well-known/openid-configuration

    • documents_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported document types. Replaces "id_documents_supported".

    • documents_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported coarse identity verification methods for evidences of type document. Replaces "id_documents_verification_methods_supported".

    • documents_validation_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported validation methods for evidences of type document.

    • documents_verification_methods_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported person verification methods for evidences of type document.

    • electronic_records_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported electronic record types.

    • attachments_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported attachment types: embedded, external.

    • digest_algorithms_supported -- New metadata field introduced in draft 12 of OpenID Connect for Identity Assurance 1.0. Lists the supported digest algorithms for external attachments.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.41

    • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

    • com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext -- Adds new getReadOnlyOIDCProviderMetadata method returning the OpenID provider / Authorisation server metadata.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.41

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.20.1

  • Updates to com.nimbusds:oauth2-authz-store:17.7

  • Updates to com.nimbusds:oidc-session-store:14.8

  • Updates to com.nimbusds:content-type:2.2

  • Updates to com.nimbusds:c2id-server-property-source:1.0.3

  • Removes and updates selected OpenSAML 3.4.6 transitive dependencies

  • Replaces javax.activation:javax.activation-api:jar:1.2.0 with jakarta.activation:jakarta.activation-api:jar:1.2.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.6

  • Updates to com.zaxxer:HikariCP:4.0.3

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.3

  • Updates to org.postgresql:postgresql:42.3.1

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.9

  • Updates to com.nimbusds:tenant-registry:6.0.1

  • Updates to com.amazonaws:aws-java-sdk-dynamodb:1.12.132

  • Updates to com.github.dubasdey:log4j2-jsonevent-layout:0.0.5

  • Updates to AWS Java SDK 1.12.132

  • Updates DropWizard to 4.1.29

  • Updates Prometheus SimpleClient to 0.14.1

  • Updates Log4j to 2.17.1

12.5.4 (2021-12-18)

Resolved issues

  • Updates Log4j to 2.17.0 to address a critical DoS vulnerability described in CVE-2021-45105, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 (issue server/711).

Dependency changes

  • Updates Log4j to 2.17.0

12.5.3 (2021-12-16)

Resolved issues

  • Fixes op.checkSession.iframe and op.checkSession.cookieName configuration property parsing to support Java system property override (issue server/709).

Dependency changes

  • Updates to com.nimbusds:software-statement-verifier:2.2.2

  • Updates to org.apache.commons:commons-compress:1.21

12.5.2 (2021-12-15)

Resolved issues

  • Updates Log4j to 2.16.0 to address a critical vulnerability described in CVE-2021-45046, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 (issue server/708).

Dependency changes

  • Updates Log4j to 2.16.0

  • Updates to org.slf4j:slf4j-api:1.7.32

  • Updates to com.google.code.gson:gson:2.8.9

  • Updates to com.google.crypto.tink:tink:1.6.1

  • Updates BouncyCastle to 1.70.

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.3

12.5.1 (2021-12-10)

Resolved issues

  • Updates Log4j to 2.15.0 to address the critical remote code execution vulnerability (Log4Shell) described in CVE-2021-44228, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 (issue server/707).

  • Logs a WARN instead of INFO for OP5114 when the op.reg.allowLocalhostRedirectionURIsForTest configuration property is enabled (issue server/702).

  • Increases the default HTTP claims source op.httpClaimsSource.connectTimeout and op.httpClaimsSource.readTimeout values from 250ms to 1000ms to prevent timeouts on slow HTTP connections or slow claims sources (issue server/704).

  • Updates the op.httpClaimsSource.supportedClaims documentation to explain that setting the property to "*" indicates support for all claims supported by the OpenID provider without explicitly listing them (issue server/703).

Dependency changes

  • Updates Log4j to 2.15.0

  • Updates to com.nimbusds:oidc-claims-source-http:2.2.1

12.5 (2021-11-29)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.reg.allowLocalhostRedirectionURIsForTest -- New configuration property to allow registration of HTTP and HTTPS localhost redirection URIs for the purpose of testing and developing OAuth 2.0 web application clients. The default value is false (not allowed). Must not be used in production!

Web API

  • /clients

    • Allows registration of a frontchannel_logout_uri with a custom URI scheme. Intended to support front-channel logout notifications to mobile applications (application_type=native) with a custom URI scheme. Previously only https URLs were allowed. The http URL scheme remains disallowed.
  • /authz-sessions/rest/v3/

    • Consent: The API is updated to support opting out of the additional encryption of self-contained (JWT-encoded) access tokens which the Connect2id server applies when the OpenID relying party is registered for pairwise subjects (with subject_type=pairwise) and the access token subject is also set to a pairwise identifier (with access_token.sub_type=PAIRWISE). The default behaviour of the Connect2id server is to always encrypt JWT-encoded access tokens when the OpenID relying party is registered for pairwise subjects, to prevent exposure of information about the underlying subject ID, which would happen if the self-contained access token were only signed. Even when the token subject is made pairwise there remains a theoretical possibility for the OpenID relying party to correlate end-users by observing the variations of the pairwise identifier across multiple token audiences (resource servers), hence the strict default Connect2id policy to also encrypt access tokens with a pairwise subject. To opt out of the default encryption set access_token.encrypt=false in the consent object.
  • /direct-authz/rest/v2/

    • Direct authorisation request: The API is updated to support opting out of the additional encryption of self-contained (JWT-encoded) access tokens which the Connect2id server will apply when the OpenID relying party is registered for pairwise subjects (with subject_type=pairwise) and the access token subject is also set for a pairwise identifier (with access_token.sub_type=PAIRWISE). See the explanation about the related authorisation session web API change. To opt out of the default encryption use access_token.encrypt=false in the consent object.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.39

    • com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec

      • Refactors the class so that the self-contained (JWT-encoded) access token preference is optional.

Resolved issues

  • Includes the JWK kid and crv (for EC keys) in the OP0102 log error message to ease key identification when a server JWK fails the signing JWK validation on startup (issue server/696).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.39

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.20

  • Updates to com.nimbusds:c2id-server-jwkset:1.26

12.4 (2021-10-27)

Summary

  • Expands the cryptographic capabilities of the Connect2id server with the ES256K algorithm for JWS, RSA-OAEP-384 and RSA-OAEP-512 for JWE and XC20P (extended nonce ChaCha20 / Poly1305) as JWE encryption method. The ES256K and EdDSA (with 25519 curve) JWS algorithms can now be used to sign ID tokens, UserInfo responses and authorisation responses (JARM). JWT-encoded access tokens can now be signed with the ES256, ES256K, ES384 and ES512 JWS algorithms.

    Specifications:

    • ES256K: https://datatracker.ietf.org/doc/html/rfc8812#section-3.1
    • RSA-OAEP-384 and RSA-OAEP-512: https://www.w3.org/TR/WebCryptoAPI/
    • XC20P: https://datatracker.ietf.org/doc/html/draft-amringer-jose-chacha-02#section-4.1

Configuration

  • /WEB-INF/jwkSet.json

    • Adds support for including an optional signing JSON Web Key (JWK) of type (kty) EC and with curve (crv) secp256k1 for performing signatures with the ES256K JWS algorithm.
  • /WEB-INF/oidcProvider.properties

    • op.token.authJWSAlgs -- Adds token endpoint private_key_jwt client authentication support for the ES256K JWS algorithm.

    • op.authz.requestJWSAlgs -- Adds request object / JAR support for the ES256K JWS algorithm.

    • op.authz.requestJWEAlgs -- Adds request object / JAR support for the RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms.

    • op.authz.requestJWEEncs -- Adds request object / JAR support for the XC20P (extended nonce ChaCha20 / Poly1305) JWE encryption method.

    • op.authz.responseJWSAlgs -- Adds JARM support for the ES256K and EdDSA (with 25519 curve) JWS algorithms.

    • op.authz.responseJWEAlgs -- Adds JARM support for the RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms.

    • op.authz.responseJWEEncs -- Adds JARM support for the XC20P (extended nonce ChaCha20 / Poly1305) JWE encryption method.

    • op.idToken.jwsAlgs -- Adds ID token support for the ES256K and EdDSA (with 25519 curve) JWS algorithms.

    • op.idToken.jweAlgs-- Adds ID token support for the RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms.

    • op.idToken.jweEncs -- Adds ID token support for the XC20P (extended nonce ChaCha20 / Poly1305) JWE encryption method.

    • op.userinfo.jwsAlgs -- Adds UserInfo JWT response support for the ES256K and EdDSA (with 25519 curve) JWS algorithms.

    • op.userinfo.jweAlgs -- Adds UserInfo JWT response support for the RSA-OAEP-384 and RSA-OAEP-512 JWE algorithms.

    • op.userinfo.jweEncs -- Adds UserInfo JWT response support for the XC20P (extended nonce ChaCha20 / Poly1305) JWE encryption method.

  • /WEB-INF/authzStore.properties

    • authzStore.accessToken.jwsAlgorithm -- Adds support for signing self-contained (JWT) access tokens with the ES256, ES256K, ES384 and ES512 JWS algorithms.

    • authzStore.accessToken.jweMethod -- Adds support for direct encryption of self-contained (JWT-encoded) access tokens with the XC20P (extended nonce ChaCha20 / Poly1305) JWE encryption method.

Resolved issues

  • Updates the HTTP claims source connector to include an "Accept: application/json" HTTP header in the outgoing requests (issue httpcs/1).

  • Updates the AS0213 log INFO message to include the type of the introspected access token (issue server/692).

  • Updates the SE3000 log INFO message to indicate when a X.509 certificate is present for a loaded server JWK (issue server/694).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.19

  • Updates to com.nimbusds:oauth2-authz-store:17.6

  • Updates to com.nimbusds:oauth2-session-store:14.7

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.24

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.15.2

  • Updates to com.nimbusds:oidc-claims-source-http:2.2

12.3 (2021-09-17)

Summary

  • Supports issuer URL aliases. An issuer alias URL can be configured to migrate a Connect2id server deployment seamlessly and over time from one issuer identifier URL (op.issuer) to another. Issuer aliases can also be used when an OpenID provider / OAuth 2.0 authorisation server is known by multiple URLs.

    The allowed issuer aliases, if any, are configured in a new optional op.issuerAliases.* property.

    A Connect2id server endpoint or API will process a request under an issuer alias when the HTTP request header "Issuer" is present and set to a value matching a configured alias. If no "Issuer" header is specified the default issuer configured in op.issuer will be assumed. The default op.issuer will also be assumed when the "Issuer" header is explicitly set to it. If the "Issuer" header is set to an issuer URL that isn't configured the Connect2id server will return an HTTP 400 error with a message.

    The "Issuer" header must be set by the reverse HTTP proxy or similar trusted internal infrastructure. It must not be settable by client applications. Connect2id server deployments must scrub the incoming client application HTTP requests from any "Issuer" headers.

    Issuer aliases are supported in the regular as well as the multi-tenant Connect2id server edition.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.issuerAliases.* -- New optional configuration property for setting one or more issuer alias URLs of the OpenID provider / OAuth 2.0 authorisation server. Can be used to migrate from one issuer URL (op.issuer) to another, or to operate an OpenID provider / OAuth 2.0 authorisation server that is known by multiple URLs. Blank if none.

Web API

  • The standard OAuth 2.0 / OpenID Connect endpoints and Connect2id server specific web APIs will process a request under a configured issuer alias (op.issuerAliases.*) when the HTTP request includes an "Issuer" header set to the issuer alias URL. The header value must match the configured issuer alias URL exactly. If the "Issuer" header is set to an issuer URL that isn't configured the Connect2id server will return an HTTP 400 "Bad Request" error with an appropriate message.
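The resolution rule from the 12.3 summary and the web API note above, together with the header scrub the summary requires of the reverse proxy, as an added example in JavaScript (not Connect2id code). The issuer URLs, the host-to-issuer mapping and the plain-object header representation are assumptions made for the example; the point it shows is that without the scrub a client can pick the issuer its request is processed under.

```javascript
// Added example, not Connect2id code: the issuer resolution rule from the 12.3 notes, and the
// header scrub a trusted reverse proxy has to perform in front of it. The issuer URLs, host names
// and the header map shape are assumptions for the example.
const DEFAULT_ISSUER = 'https://login.example.com'; // the assumed op.issuer
const ISSUER_ALIASES = new Set([                    // the assumed op.issuerAliases.* values
  'https://id.example.com',
  'https://old-login.example.com',
]);

// What the server does with an already-scrubbed request. Header names are lower-cased by the caller.
function resolveIssuer(headers) {
  const value = headers.issuer;
  if (value === undefined || value === DEFAULT_ISSUER) return { status: 200, issuer: DEFAULT_ISSUER };
  if (ISSUER_ALIASES.has(value)) return { status: 200, issuer: value }; // exact string match, no normalisation
  return { status: 400, error: `Issuer not configured: ${value}` };
}

// What the proxy does: drop every client-supplied "Issuer", then derive one from the Host the
// request arrived on. Hosts that are not mapped get no header and fall back to op.issuer.
const HOST_TO_ISSUER = {
  'login.example.com': DEFAULT_ISSUER,
  'id.example.com': 'https://id.example.com',
  'old-login.example.com': 'https://old-login.example.com',
};

function proxyHeaders(clientHeaders) {
  const upstream = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const lower = name.toLowerCase();
    if (lower !== 'issuer') upstream[lower] = value; // scrub, whatever the letter case
  }
  const issuer = HOST_TO_ISSUER[(upstream.host || '').toLowerCase()];
  if (issuer) upstream.issuer = issuer;
  return upstream;
}

// The whole path for one client request, with and without the scrub, so the difference the
// notes warn about is visible. scrub=false models a proxy that forwards client headers verbatim.
function handleRequest(clientHeaders, { scrub = true } = {}) {
  const headers = scrub
    ? proxyHeaders(clientHeaders)
    : Object.fromEntries(Object.entries(clientHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  return resolveIssuer(headers);
}
```

The exact-match rule means a trailing slash or a different letter case in the header value is a 400, not a lenient match, so the proxy must emit the alias byte-for-byte as configured.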

Resolved issues

  • Updates log message OP6205 for reporting internal token handler errors to include the client ID, authentication method and grant (issue server/693).

Dependency changes

  • Updates to com.nimbusds:tenant-manager:6.0.2

  • Updates to com.nimbusds:tenant-registry:6.0

  • Updates to com.nimbusds:oidc-session-store:14.6

  • Updates to com.nimbusds:oauth2-authz-store:17.5

  • Updates to com.nimbusds:nimbus-jose-jwt:9.14

  • Updates to org.cryptomator:siv-mode:1.4.3

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.1

  • Updates to com.google.code.gson:gson:2.8.8

12.2 (2021-08-26)

Summary

  • Supports issue of access tokens of type DPoP, where the token is bound to a private RSA or EC key generated and held by the OAuth 2.0 client, potentially in secure storage preventing the key's extraction. Use of the DPoP token at a resource server requires proof of possession of the private key, preventing the use of an accidentally or maliciously leaked token by an unauthorised party. Plain OAuth 2.0 Bearer tokens offer no such protection: whoever holds the token can use it.

    DPoP is intended primarily for browser based applications (also commonly called single page applications, or SPAs) where the alternative standard method to constrain a token, by binding it to a client X.509 certificate (RFC 8705), is not suitable, due to the browsers' poor support for dealing with client certificates and mutual TLS in JS application code.

    SPAs should use the WebCrypto browser API both to generate the private key (with extraction disabled) and to sign the DPoP proofs with it.

    The Connect2id server accepts the following JWS algorithms for the signed DPoP proof JWTs: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES256K, ES384 and ES512.

    The Connect2id server will reject DPoP proof JWTs with an "iat" (issued-at time) that is more than 30 seconds behind or ahead of the current system time. Proof JWTs with a repeated "jti" (JWT ID) will also be rejected to prevent replay.

    See OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (draft-ietf-oauth-dpop-03).

  • The Connect2id server can now be configured with longer RSA signing and encryption keys, of 3072 and 4096 bits. The 2048-bit RSA key length remains the recommended one for now and is also the default in the provided jwkset-gen.jar tool for generating server JWK sets (the latest tool version is 1.22).

Configuration

  • /WEB-INF/jwkSet.json

    • Supports RSA signing and encryption keys of lengths 3072 and 4096 bits, in addition to 2048-bit RSA keys.

Web API

  • /.well-known/openid-configuration, /.well-known/oauth-authorization-server

    • dpop_signing_alg_values_supported -- New metadata field, lists the accepted JWS algorithms for the DPoP proof JWTs: RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES256K, ES384 and ES512.
  • /token

    • Supports issue of access tokens of type DPoP for the following OAuth 2.0 grants:

      • authorisation code
      • refresh token
      • client credentials
      • resource owner password credentials
    • Supports issue of DPoP bound refresh tokens for public OAuth 2.0 clients.

  • /token/introspect

    • Supports introspection of access tokens of type DPoP. Introspection success responses for a DPoP token will have the "token_type" member set to "DPoP" and will include a "cnf.jkt" member set to the BASE64URL encoded SHA-256 thumbprint of the JWK used to sign the DPoP proof JWT.
  • /userinfo

    • Supports access tokens of type DPoP. Those must be included in the "Authorization" HTTP request header using the "DPoP" scheme.
  • /monitor/v1/metrics

    • Adds new "dPoP.numCachedJTIs" metric of type gauge showing the number of locally cached DPoP proof JWT ID (jti) entries intended to ensure the single use of received DPoP proofs at the token and UserInfo endpoints.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.38

    • com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization

      • Adds default getJWKThumbprintConfirmation method to represent a DPoP JWK SHA-256 thumbprint confirmation.
    • com.nimbusds.openid.connect.provider.spi.tokens.MutableAccessTokenAuthorization

      • Implements AccessTokenAuthorization.getJWKThumbprintConfirmation

      • Adds withJWKThumbprintConfirmation setter method.

    • com.nimbusds.openid.connect.provider.spi.tokens.BaseSelfContainedAccessTokenClaimsCodec

      • Updates the base abstract codec for JWT-encoded access tokens to support the "cnf.jkt" claim for DPoP.
    • com.nimbusds.openid.connect.provider.spi.tokens.introspection.BaseTokenIntrospectionResponseComposer

      • Updates the base abstract composer for custom token introspection responses to support the "cnf.jkt" member for DPoP.

Resolved issues

  • Logs invalid refresh token (AS0270), refresh token request client_id - encoded client mismatch (AS0274) and refresh token not permitted (AS0275) events (issue authz-store/188).

  • Improves the efficiency when loading issuer lookup cache entries in the tenant registry (issue tenant-registry/5).

  • Fixes a bug in AuthorizationRequest.Builder(AuthorizationRequest) that prevented copy of OpenID authentication request parameters, which can affect modification of requests in AuthorizationRequestValidator and PARValidator SPI implementations (issue oidc-sdk/367).

  • Refactors and extends handling of corrupted JSON in long_lived_authorizations items in a AWS DynamoDB table for get, put-if-absent, replace and remove operations to prevent an internal server error (HTTP 500) and clean up the detected corrupted items where feasible (issues authz-store/186, 187).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.38

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.15

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.12.1

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.22

  • Upgrades to com.nimbusds:oauth2-authz-store:17.4.1

  • Updates to com.nimbusds:tenant-registry:5.3.4

12.1 (2021-07-05)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.idToken.includeJWTID -- New configuration property to enable / disable inclusion of a JWT ID claim ("jti") in issued ID tokens. Disabled by default.

Resolved issues

  • Fixes a JSON encoding issue that affected serialisation of the "~" (0x7E) character into objects and for persistence since v11.3 (issue common/62).

  • Fixes a bug that prevented completion of plain OAuth 2.0 authorisation requests with prompt=none and resulted in a HTTP 500 server error. OpenID authentication requests were not affected (issue server/681).

  • Fixes the label for the OP6520 log event at the token introspection endpoint (issue server/687).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.9.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.10.1

  • Updates to com.nimbusds:oauth2-authz-store:17.2

  • Updates to com.nimbusds:oidc-session-store:14.5.2

  • Updates to com.nimbusds:common:2.45.4

  • Updates to com.thetransactioncompany:pretty-json:1.4.3

  • Adds com.google.code.gson:gson:2.8.7

12.0 (2021-06-09)

Summary

  • Uniform pairwise subject IDs

    Adds support for issuing pairwise subject identifiers with a uniform string length which is not affected by the length of the local (system) subject identifiers. This measure is intended to prevent leaking information about the length of the local subject identifiers. Uniformity is configured with a new "op.pairwiseSubjects.padLocalSubjectsToLength" property. It specifies a length to which a local subject identifier will be padded before input to the pairwise codec (SIV mode deterministic AES encryption). For uniform pairwise subject lengths the property should be set to the maximum expected length of the local subjects. Subject IDs longer than the configured length will result in a pairwise encoding that is proportionally longer.

    Setting the property to -1 (negative integer) disables padding, which is the behaviour of the pairwise codec in previous Connect2id server versions.

    Example pairwise IDs for local subjects "alice", "bob" and "claire" with no padding:

    alice  -> myzM-ARj7vYBH9NOIog9Sf5xklhU_rkLenu8mOtfLv6L
    bob    -> Q20o2EYNsamhlOh2RbteNp7Te7AilmMPVk3cyhmCBA
    claire -> rNW4ByxEQd06rNCLLMvH2-d1WRumrJcSrmDGA6FlvtxeGw

    With padding up to 10 characters:

    alice  -> pxXoRPqPpLy3fBbLNV22KRCghztrFMtGV3AxDnQH_erfB4dwZ_0
    bob    -> s10h_EEMtYHaNSZuMBznfvupKqC2mznkIGnmxRevffJGo4ybRrM
    claire -> uLfwVCpRUu1ltEeXqRt_Yik7SN5-yKabYwXan-xYCwgJlDZubSA

    Important: Changing the padding length will reset all previously issued pairwise subject identifiers!

    Configuration choices for "op.pairwiseSubjects.padLocalSubjectsToLength":

    • Configure a length to issue uniform pairwise subject IDs: if pairwise subjects have never been issued or to benefit from the new improved security. In the latter case don't forget to notify the relying parties of the reset!

    • No padding: to ensure backward compatibility if pairwise subjects have already been issued and a reset is not desirable. Also, if the local subjects already have a uniform length, for example when based on a GUID / UUID whose canonical string form has a constant length of 36 characters.

  • OpenID provider managed sector IDs

    Connect2id server deployments that need to issue ID tokens and UserInfo responses with pairwise (pseudonymous) subject (end-user) identifiers to two or more OpenID relying parties under single administrative control can now do so without requiring the relying parties to host a JSON document for the "sector_identifier_uri" client registration parameter. A single OpenID relying party can also choose to register a "sector_identifier_uri" to ensure the pairwise "sub" values in the received ID tokens and UserInfo responses remain consistent if its registered redirection URI changes in future. See OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1, section 5, for an explanation of the "sector_identifier_uri" parameter and its validation.

    For such relying parties an OpenID provider can now manage the sector IDs internally, in a database or portal, by assigning unique sector ID URNs to them prior to registration. Such a URN is not resolved and validated the way a standard https URL in the "sector_identifier_uri" parameter is (by downloading a JSON document from the URL); instead the URN supplies the sector ID directly. The expected URN format is urn:c2id:sector_id:<id> where <id> is the sector ID assigned to a relying party or group of relying parties.

    To use this feature the new "op.reg.enableProviderManagedSectorIDs" configuration property must be turned on. The client registration POST or PUT request must be authorised with a master API token or one-time registration token with a "client-reg:set-sector-id-urn" scope value. Unauthorised requests (if open registration is allowed) cannot use sector ID URNs.

  • Access tokens with pairwise subjects

    The Connect2id server can now optionally issue access tokens with a subject (end-user) identifier made pairwise for the token's intended audience (resource server).

    Use tokens with a pairwise subject:

    • To keep the local (system) end-user ID confidential from the resource servers, as privacy measure, especially if the subject identifier represents or contains personal information, such as the user's email address or social security number.

    • To minimise the possibility for resource servers to link or correlate the identity of users. The pairwise identifier for a given subject (end-user) in an access token will be different, unique and not-reversible for each resource server (token audience).

    The Connect2id server computes the pairwise identifier for an access token by applying strong deterministic SIV AES based encryption over the concatenation of the token audience and the local subject identifier.

    pairwise_sub = SIVAES(aud|local_sub)

    The algorithm is identical to the one the Connect2id server uses to compute pairwise subject identifiers for ID tokens and UserInfo responses and uses the same "subject-encrypt" AES key from the configured server JWK set.

    JWT-encoded as well as identifier-based access tokens are supported.

    Note, to issue access tokens with a pairwise subject the token authorisation must specify an explicit token audience for the intended resource server(s). If the audience is a list of multiple values the first one will be used to compute the pairwise subject. This enables the issue of tokens with a pairwise subject where there are multiple audiences as aliases specified, for example the resource indicator, e.g. "https://api.example.com", as primary audience and the resource server client ID, e.g. "Zoo0rah0", to enable token introspection at the Connect2id server endpoint with an audience restriction check on the client_id.

    Also note that access tokens with a pairwise subject that grant release of OpenID claims at the UserInfo endpoint, as only or additional scope, need not specify the UserInfo endpoint or the OpenID provider issuer URL as audience.

    If required for audit purposes a pairwise subject identifier can be decrypted (reversed) with the Connect2id server's configured "subject-encrypt" JSON Web Key (JWK). See https://bitbucket.org/connect2id/pairwise-subject-codec/ .

  • Allows issue of the access and refresh tokens without a scope, to ease handling of OAuth 2.0 Rich Authorisation Requests (RAR). See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-05

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.pairwiseSubjects.padLocalSubjectsToLength -- New configuration property to enable output of pairwise subject identifiers with a uniform string length which is not affected by the length of the local (system) subject identifier. Intended to prevent leaking information about the length of the local subject identifiers. Uniformity is achieved by padding local subject identifiers up to the specified length, which should be the maximum expected length of the local subjects. Subjects longer than the configured length will result in a pairwise encoding that is proportionally longer.

      -1 (negative integer) disables padding.

      Important note: Changing the padding length will reset all previously issued pairwise subject identifiers!

    • op.reg.enableProviderManagedSectorIDs -- New configuration property to enable registration of OpenID provider managed sector identifiers for the computation of pairwise subject (end-user) identifiers. A managed sector ID can be registered with the "sector_identifier_uri" set to a URN with the format urn:c2id:sector_id:<id>. The registration requires a master API token or a one-time registration token with a "client-reg:set-sector-id-urn" scope value. The default value is false (disabled).

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "ats" (access token subject type) columns to the "id_access_tokens" and "long_lived_authorizations" tables. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new columns (with an appropriate default value) on startup.
  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "authzAccessTokenSubjectType" attribute to the "oauth2IdAccessToken" and "oauth2Authz" object classes. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.17, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.17/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-openldap.ldif?at=1.17&diff1=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa&diff2=cdfdb912753b17a0fed7c08aa500be53cb767cd7 and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-opendj.ldif?at=1.17&diff1=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa&diff2=cdfdb912753b17a0fed7c08aa500be53cb767cd7

Web API

  • /clients

    • Adds support for registering OpenID relying parties for pairwise subject identifiers where the "sector_identifier_uri" parameter is a URN for a sector ID that is managed by the OpenID provider. The expected URN format is urn:c2id:sector_id:<id>. The OpenID provider must manage the assignment of the URN sector IDs to relying parties prior to registration and ensure that the ID stays unique for a given OpenID relying party, unless the sector ID is allowed to be shared by two or more relying parties, typically when those are under single administrative control. To register URN sector IDs the "op.reg.enableProviderManagedSectorIDs" configuration property must be enabled. The registration must be authorised with a master API token or a one-time registration token with a "client-reg:set-sector-id-urn" scope value.

    • Returns an "invalid_client_metadata" OAuth 2.0 error with a suitable description message when the client registration request is not authorised for a "preferred_client_id", "preferred_client_secret" or custom "data" parameter. Previously those parameters were silently scrubbed from the registration request if not authorised (by means of the master API token or a specific one-time registration token).

  • /token

    • Supports issue of access tokens with a pairwise subject identifier encoded for the token audience as sector identifier. If the token has multiple audiences the first audience value in the list is taken as the sector identifier. Access tokens with a pairwise subject that release OpenID claims at the UserInfo endpoint need not include the UserInfo endpoint or the OpenID issuer URL in their audience.
  • /token/introspect

    • Supports introspection of access tokens with a pairwise subject identifier. The standard "sub" (subject) field will be set to the pairwise identifier.
  • /token/revoke

    • Supports revocation of access tokens with a pairwise subject identifier.
  • /userinfo

    • Supports access tokens with a pairwise subject identifier. Note, access tokens for OpenID claims that have a pairwise subject identifier need not include the UserInfo endpoint or the OpenID issuer URL in their audience.
  • /authz-sessions/rest/v3/

    • Consent prompt: Adds new optional "sub_type" member of type string with values "PUBLIC" (default) or "PAIRWISE" to the "access_token" JSON object. When set to "PAIRWISE" the Connect2id server will issue an access token with a pairwise subject identifier. This requires the consent to specify a token "audience" (if multiple audience values are set the first in the list will be used to compute the pairwise identifier).

    • Consent: The consent can now specify an empty or null "scope" to enable handling of Rich Authorisation Requests (RAR). In this case the issued access and refresh tokens will not contain a scope. Previously a consent PUT with an empty scope would cause an "access_denied" OAuth error to be returned to the client. Integrations must now explicitly trigger an "access_denied" OAuth 2.0 error via the authorisation session web API.

  • /direct-authz/rest/v2/

    • Direct authorisation request: Adds new optional "sub_type" member of type string with values "PUBLIC" (default) or "PAIRWISE" to the "access_token" JSON object. When set to "PAIRWISE" the Connect2id server will issue an access token with a pairwise subject identifier. This requires the request to specify a token "audience" (if multiple audience values are set the first in the list will be used to compute the pairwise identifier).
  • /authz-store/rest/v3/

    • OAuth 2.0 / OpenID Connect authorisation object: Adds new optional "ats" (access token subject type) member of type string with values "PUBLIC" (default) or "PAIRWISE".

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.36

  • com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization

    • Adds new getSubjectType method to return the SubjectType for the access token (PUBLIC or PAIRWISE). The default implementation returns null (not specified).

    • Adds new getLocalSubject method to return the local (system) subject identifier for an access token since the existing getSubject can return a pairwise identifier. The default implementation calls getSubject for a PUBLIC access token subject, else returns null.

  • com.nimbusds.openid.connect.provider.spi.tokens.MutableAccessTokenAuthorization

    • Adds new getSubjectType and withSubject methods for getting / setting the access token subject type (PUBLIC or PAIRWISE).

    • Adds new getLocalSubject and withLocalSubject methods for getting / setting the access token local subject identifier.

  • com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec

    • Adds support for specifying an access token subject type (PUBLIC or PAIRWISE). When set to PAIRWISE the access token must specify an audience (if multiple audience values are set the first in the list will be used to compute the pairwise identifier).
  • com.nimbusds.openid.connect.provider.spi.tokens.introspection.TokenIntrospectionResponseComposer

    • TokenIntrospectionResponseComposer SPI implementations can access the local (system) subject of access tokens with a pairwise subject identifier via the AccessTokenAuthorization.getLocalSubject method.
  • com.nimbusds.openid.connect.provider.spi.tokens.SelfContainedAccessTokenClaimsCodec

    • Connect2id server deployments with a SelfContainedAccessTokenClaimsCodec SPI implementation and which issue access tokens with pairwise subject identifiers should provide encoding / decoding for the AccessTokenAuthorization.getSubjectType and getLocalSubject methods.

Resolved issues

  • Fixes leading JSON array bracket output for a GET on the clients endpoint with no registered clients. The bug was introduced in 11.6.1 (issue server/679).

  • Enforces a string length limit of 10K chars when parsing JWT headers (after the BASE64URL decoding). The 10K chars should be sufficient to accommodate JWT headers with an X.509 certificate chain in the "x5c" header parameter (issue nimbus-jose-jwt/424).

  • Prevents StackOverflowError when parsing a JWT header with a very large number of nested JOSE objects (issue nimbus-jose-jwt/425).

  • Moves validation of configured signing RSA and EC keys from JWT issue time to Connect2id server startup to improve performance (issue server/673).
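As an added example (not Connect2id server or Nimbus JOSE+JWT code), a defensive JWT header parser that applies the two limits from the resolved issues above: the 10K-char cap on the decoded header and a cap on JSON nesting depth. The depth limit of 32 and the make_token helper are constructed for this example.

```python
import base64
import json
from typing import Optional

MAX_HEADER_CHARS = 10_000   # from the release notes: 10K chars after BASE64URL decoding
MAX_JSON_DEPTH = 32         # constructed for this example; not a Connect2id or Nimbus setting
_B64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


class HeaderRejected(ValueError):
    """Raised when a JWT header violates a size or structure limit."""


def b64url_decode(segment: str) -> bytes:
    """Decodes unpadded BASE64URL, rejecting characters outside the alphabet."""
    if not segment or not set(segment) <= _B64URL_ALPHABET:
        raise HeaderRejected("illegal BASE64URL character in header")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError:  # binascii.Error, e.g. an impossible segment length
        raise HeaderRejected("malformed BASE64URL header segment") from None


def json_nesting_depth(text: str) -> int:
    """Maximum {} / [] nesting depth, ignoring brackets inside string literals."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def parse_jwt_header(compact_jwt: str) -> dict:
    """Parses the header of a compact-serialised JWT, rejecting oversize and
    over-nested headers before the JSON parser sees them."""
    header_b64 = compact_jwt.split(".", 1)[0]
    # Cheap pre-check before decoding: BASE64URL expands 3 bytes to 4 chars and UTF-8
    # uses at most 4 bytes per char, so an encoded header over 6x the limit cannot
    # decode to MAX_HEADER_CHARS chars or fewer.
    if len(header_b64) > 6 * MAX_HEADER_CHARS:
        raise HeaderRejected("JWT header too large")
    raw = b64url_decode(header_b64)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise HeaderRejected("JWT header is not UTF-8") from None
    if len(text) > MAX_HEADER_CHARS:
        raise HeaderRejected(f"JWT header exceeds {MAX_HEADER_CHARS} chars")
    # Depth is checked on the raw text, so a deeply nested header never reaches the
    # recursive parser (the StackOverflowError case in the notes above).
    if json_nesting_depth(text) > MAX_JSON_DEPTH:
        raise HeaderRejected("JWT header JSON nested too deeply")
    try:
        header = json.loads(text)
    except ValueError:
        raise HeaderRejected("JWT header is not valid JSON") from None
    if not isinstance(header, dict):
        raise HeaderRejected("JWT header must be a JSON object")
    return header


def header_rejection_reason(compact_jwt: str) -> Optional[str]:
    """Convenience wrapper: None if the header is accepted, else the rejection reason."""
    try:
        parse_jwt_header(compact_jwt)
        return None
    except HeaderRejected as exc:
        return str(exc)


def make_token(header) -> str:
    """Builds a constructed, unsigned compact token for exercising the parser: the
    given header (dict or raw JSON text), an empty payload and a dummy signature."""
    text = header if isinstance(header, str) else json.dumps(header, separators=(",", ":"))
    seg = base64.urlsafe_b64encode(text.encode("utf-8")).rstrip(b"=").decode("ascii")
    return seg + ".e30.c2ln"
```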

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.36

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.9

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.10

  • Upgrades to com.nimbusds:c2id-server-jwkset:1.19

  • Upgrades to com.nimbusds:oauth2-authz-store:17.1.1

  • Updates to com.nimbusds:oidc-session-store:14.5.1

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.17

  • Updates Infinispan to 9.4.23.Final.

  • Updates to org.cryptomator:siv-mode:1.4.2

  • Updates to com.google.crypto.tink:tink:1.6.0

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.0

11.6.2 (2021-05-21)

Resolved issues

  • Fixes the HTTP 401 error response for an HTTP GET /clients request with an invalid master access token. The bug was introduced in 11.6.1 (issue server/668).

  • Fixes bug introduced in 11.3 (2021-03-31) that allowed OpenID authentication requests with response_type=id_token or response_type=id_token token to pass without a nonce (issue oidc-sdk/363).

  • Updates the logout endpoint OP2711 log INFO message that an ID token hint is required when the RP requests a post-logout redirection (issue server/671).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.5.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9.3

  • Updates to Infinispan 9.4.22.Final

  • Updates to com.google.crypto.tink:tink:1.5.0

11.6.1 (2021-05-03)

Resolved issues

  • Fixes missing output of the "resource" parameter (RFC 8707) as URI string list in the authorisation session API objects for OpenID authentication requests. Plain OAuth 2.0 authorisation requests were not affected (issue server/664).

  • Switches HTTP GET /clients output to streaming to conserve memory when reading a large number of OAuth 2.0 client registrations (issue server/665).

  • Improves logging of HTTP 302 errors at the client registration endpoint by including additional details in the log message at INFO level, and reduces the number of log statements needed to log a condition (issue server/667).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.5

11.6 (2021-04-27)

Summary

  • Adds a set of new Connect2id server configuration properties for setting up OAuth 2.0 servers conforming to version 2021-03-12 of the FAPI 1.0 Advanced security profile. See Financial-grade API Security Profile 1.0 - Part 2: Advanced (2021-03-12).

  • Adds configuration properties for causing selected OAuth 2.0 authorisation request parameters, including custom parameters, to appear in the authentication or consent prompt in the authorisation web API. Intended to save HTTP GET calls to the authorisation session resource when access to those parameters is needed.

Configuration

  • /WEB-INF/oidProvider.properties

    • op.authz.alwaysRequireRedirectURI -- New configuration property to specify whether the redirect_uri parameter is required for all authorisation requests. The default value is false (required only for OpenID authentication requests).

    • op.authz.alwaysRequireSignedRequestJWT -- New configuration property to specify whether a JWS signed request JWT passed inline via "request" or by URL reference via "request_uri" will be required for all authorisation requests. The default value is false (not required unless the client is explicitly registered for it).

    • op.authz.requireRequestJWTNotBefore -- New configuration property to specify whether received request object JWTs must include a not before (nbf) claim. The default value is false.

    • op.authz.maxLifetimeRequestJWTExpiration -- New configuration property to specify the maximum accepted lifetime in seconds of an expiration (exp) claim in request JWTs. The lifetime is computed from the not before (nbf) claim if present, otherwise from the current time. The default value is -1 (not specified).

    • op.authz.maxAgeRequestJWTNotBefore -- New configuration property to specify the maximum accepted age in seconds of a not before (nbf) claim in request JWTs. The default value is -1 (not specified).

    • op.authz.alwaysRequireSignedResponse -- New configuration property to specify whether all authorisation requests must specify a JWT-secured response (JARM) or a "response_type" that includes an "id_token" to serve as a detached signature. The default value is false.

    • op.authz.requestParamsInAuthPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the authentication prompt, in a JSON object named "request". No parameters are included by default.

    • op.authz.requestParamsInConsentPrompt -- New configuration property to specify selected OAuth 2.0 authorisation request parameters to include in the consent prompt, in a JSON object named "request". No parameters are included by default.
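As an added illustration (not Connect2id server code), the request JWT time checks that op.authz.requireRequestJWTNotBefore, op.authz.maxLifetimeRequestJWTExpiration and op.authz.maxAgeRequestJWTNotBefore describe, with the false / -1 defaults from above. The FAPI_STYLE_POLICY values and the error strings are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestJWTTimePolicy:
    """Mirrors the three configuration properties; -1 means 'not specified',
    matching the defaults described in the release notes."""
    require_not_before: bool = False       # op.authz.requireRequestJWTNotBefore
    max_lifetime_expiration: int = -1      # op.authz.maxLifetimeRequestJWTExpiration, seconds
    max_age_not_before: int = -1           # op.authz.maxAgeRequestJWTNotBefore, seconds


# Constructed policy in the spirit of FAPI 1.0 Advanced (request object exp at most
# 60 minutes after nbf, nbf at most 60 minutes in the past); not a Connect2id default.
FAPI_STYLE_POLICY = RequestJWTTimePolicy(
    require_not_before=True, max_lifetime_expiration=3600, max_age_not_before=3600)


def check_request_jwt_times(claims: dict, now: int, policy: RequestJWTTimePolicy) -> Optional[str]:
    """Returns None when the request JWT passes the time checks, otherwise a short
    reason suitable for an invalid_request_object error description.
    'claims' is the already signature-verified JWT claims set; 'now' is epoch seconds."""
    nbf = claims.get("nbf")
    exp = claims.get("exp")

    if policy.require_not_before and nbf is None:
        return "request JWT missing required nbf claim"

    # NumericDate claims must be integers; bool is an int subclass, so exclude it.
    for name, value in (("nbf", nbf), ("exp", exp)):
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            return f"request JWT {name} claim must be a NumericDate integer"

    # Standard checks first: not yet valid, or already expired.
    if nbf is not None and nbf > now:
        return "request JWT not yet valid (nbf in the future)"
    if exp is not None and exp <= now:
        return "request JWT expired"

    # Maximum accepted age of the nbf claim.
    if policy.max_age_not_before >= 0 and nbf is not None:
        if now - nbf > policy.max_age_not_before:
            return "request JWT nbf claim too old"

    # Maximum accepted lifetime: measured from nbf if present, otherwise from now.
    if policy.max_lifetime_expiration >= 0 and exp is not None:
        start = nbf if nbf is not None else now
        if exp - start > policy.max_lifetime_expiration:
            return "request JWT exp claim exceeds maximum lifetime"

    return None
```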

Web API

  • /authz-sessions/rest/v3/

    • Authentication prompt: Adds new optional "request" member of type JSON object to the authentication prompt ("auth"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInAuthPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during authentication.

    • Consent prompt: Adds new optional "request" member of type JSON object to the consent prompt ("consent"), to include selected parameters from the OAuth 2.0 authorisation / OpenID authentication request. The new configuration property op.authz.requestParamsInConsentPrompt determines what parameters to include. Intended to replace a GET call to the authorisation session resource for obtaining selected request parameters during consent.

Resolved issues

  • The "resource" parameter (RFC 8707) as URI string list must be included in the authorisation session object under "auth_req", fixes regression bug (issue server/658).

  • The "prompt" parameter as string list must be included in the authorisation session object under "auth_req" for plain OAuth 2.0 requests (custom Connect2id server feature) (issue server/660).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.4.1

  • Updates to com.nimbusds:nimbus-jose-jwt:9.9

  • Updates to com.nimbusds:oauth2-authz-store:16.7.3

  • Updates to com.nimbusds:oidc-session-store:14.4.4

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.5

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.7

  • Updates to com.nimbusds:tenant-manager:5.0.2

  • Updates to com.nimbusds:tenant-registry:5.3.3

  • Updates to net.minidev:json-smart:2.4.6

11.5 (2021-04-14)

Configuration

  • /WEB-INF/infinispan-stateless-redis-dynamodb.xml -- New Infinispan configuration file for storing short-lived and cached data in Redis, and long-lived data in DynamoDB. Long-lived data in DynamoDB can be transparently cached by turning on the optional Amazon DynamoDB Accelerator (DAX) for the DynamoDB tables.

    This Infinispan configuration is suitable for single-region deployments in AWS as well as multi-region deployments where only replication of long-lived data in DynamoDB via the "global-tables" feature is required.

    This Infinispan configuration is an alternative to the existing "infinispan-stateless-dynamodb.xml" configuration, where the long-lived as well as the short-lived and cached data is stored in DynamoDB. Both types of data in that configuration can be replicated via the "global-tables" feature.

  • /WEB-INF/cors.properties

    • cors.enable -- New configuration property for disabling the CORS Filter. If false the CORS Filter is disabled and will pass all HTTP request and response headers unmodified. The CORS Filter can be disabled if the Connect2id server is provisioned with a reverse proxy handling CORS. The default value is true, enabling the CORS Filter to process cross-domain requests according to its configuration.

Resolved issues

  • Disables access to external entities in XML parsing in the OAuth 2.0 SDK SAML2AssertionValidator, closing a potential vulnerability when processing OAuth 2.0 grants of type SAML 2.0 bearer assertion (urn:ietf:params:oauth:grant-type:saml2-bearer). The exchange of SAML 2.0 bearer assertions for OAuth access tokens is not enabled by the Connect2id server out of the box and requires a plugin. Deployments that have implemented such a plugin for the SelfIssuedSAML2GrantHandler or ThirdPartySAML2GrantHandler should upgrade (issue oidc-sdk/356).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.3.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.8.1

  • Updates to com.nimbusds:nimbus-jwkset-loader:5.1

  • Updates to com.nimbusds:oidc-session-store:14.4.2

  • Updates to com.nimbusds:oauth2-authz-store:16.7.2

  • Updates to com.nimbusds:common:2.45.1

  • Updates to com.nimbusds:tenant-manager:5.0.1

  • Updates to com.nimbusds:tenant-registry:5.3.1

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.4

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.6

  • Updates to net.minidev:json-smart:2.4.2

  • Updates to com.thetransactioncompany:cors-filter:2.10

  • Updates to com.nimbusds:software-statement-verifier:2.2.1

11.4 (2021-04-01)

Summary

  • Enables the following OAuth 2.0 grants in the multi-tenant Connect2id server edition:

    • The resource owner password credentials grant (password).

    • The JWT bearer assertion grant (urn:ietf:params:oauth:grant-type:jwt-bearer), as defined in RFC 7523.

    • The SAML 2.0 bearer assertion grant (urn:ietf:params:oauth:grant-type:saml2-bearer), as defined in RFC 7523.

    The client credentials grant has been available in the multi-tenant Connect2id server since v7.7.1.

SPI

  • The following OAuth 2.0 grant handler SPIs become supported in the multi-tenant Connect2id server edition:

    • PasswordGrantHandler

    • SelfIssuedJWTGrantHandler

    • ThirdPartyJWTGrantHandler

    • SelfIssuedSAML2GrantHandler

    • ThirdPartySAML2GrantHandler

11.3 (2021-03-31)

Summary

  • Upgrades to the AuthorizationRequestValidator and PARValidator SPIs to allow for initialisation and shutdown code.

  • Upgrades the Software Statement Verifier plugin (for the RegistrationInterceptor SPI) to support the configuration of scope rules based on JSON Path expressions. Intended for use in Open Banking.

  • Upgrades the JSON serialisation in the Connect2id server.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.31

  • com.nimbusds.openid.connect.provider.spi.authz.AuthorizationRequestValidator

    • Lets the SPI extend Lifecycle which has default init, isEnabled and shutdown methods.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.31/com/nimbusds/openid/connect/provider/spi/authz/AuthorizationRequestValidator.html

  • com.nimbusds.openid.connect.provider.spi.par.PARValidator

    • Lets the SPI extend Lifecycle which has default init, isEnabled and shutdown methods.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.31/com/nimbusds/openid/connect/provider/spi/par/PARValidator.html

Resolved issues

  • Corrupted persisted long-lived authorisation records should be treated as a missing record and not result in a 500 Internal Server Error. Corrupted entries are logged under AS0267 (issue authz-store/183).

  • Corrupted persisted revocation journal entries should be treated as a missing entry and not result in a 500 Internal Server Error. Corrupted entries are logged under AS0271 (issue authz-store/182).

  • Log uniform INFO messages on failed client authentication at the token (OP6203), token introspection (OP6512), token revocation (OP6412) and PAR (OP6203) endpoints (issue server/653).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.31

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.3

  • Updates to com.nimbusds:oauth2-authz-store:16.7.1

  • Updates to com.nimbusds:oidc-session-store:14.4.1

  • Upgrades to com.nimbusds:common:2.45

  • Updates to com.unboundid:unboundid-ldapsdk:5.1.4

  • Updates to com.thetransactioncompany:pretty-json:1.4.1

  • Updates to net.minidev:json-smart:2.3

  • Adds com.jsoniter:jsoniter:0.9.23

  • Updates to com.nimbusds:software-statement-verifier:2.2

11.2 (2021-03-07)

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.30

  • com.nimbusds.openid.connect.provider.spi.authz.AuthorizationRequestValidator

    • New SPI for performing additional custom validation as well as modification of received OAuth 2.0 authorisation / OpenID authentication requests. The validator has access to the registered client information for the client_id in the authorisation request. If the validator rejects the request it can set a standard or custom error code and also optionally disable redirection back to the client redirect_uri.

      The loading of an AuthorizationRequestValidator SPI implementation is logged at INFO level under OP2113. The cause for rejection of a request is also logged at INFO level, under OP2114.

      Note, to perform additional custom validation of pushed authorisation requests use the PARValidator SPI.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/com/nimbusds/openid/connect/provider/spi/authz/AuthorizationRequestValidator.html

  • com.nimbusds.openid.connect.provider.spi.par.PARValidator

    • Adds new PARValidator.validatePushedAuthorizationRequest method that also enables optional modification of a received Pushed Authorisation Request (PAR). This method has a default implementation that calls the existing validate method (which only validates). Existing plugins need not be updated.

      See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.30/com/nimbusds/openid/connect/provider/spi/par/PARValidator.html

  • com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedJWTGrantHandler

    • Upgrades the included OAuth 2.0 self-issued JWT bearer grant handler plugin, see https://bitbucket.org/connect2id/self-issued-jwt-bearer-grant-handler

      • New op.grantHandler.selfIssuedJWTBearer.accessToken.includeClientMetadataFields configuration property to specify names of client metadata fields to include in the optional access token data field, empty set if none. To specify a member within a field that is a JSON object, use dot (.) notation.

      • The op.grantHandler.selfIssuedJWTBearer.enable configuration property receives a default value false (disabled).

      • Lets op.grantHandler.selfIssuedJWTBearer.accessToken.audienceList also apply to identifier-based access tokens.

      • Makes the /WEB-INF/selfIssuedJWTBearerHandler.properties configuration file optional.

Resolved issues

  • Adjusts DynamoDB item output of the "clm" and "cls" attributes to the long_lived_authorizations table to prevent false HMAC check errors when a dynamodb.hmacSHA256Key is configured (issue authz-store/179).

  • Updates revocation_journal DynamoDB parsing to include the illegal string on a parse exception (issue authz-store/180).

  • Updates OP2209 logging to include the JSON string in the exception message when ID token minting fails due to an "aud" (audience) parse error (issue server/644).

  • Authorisation and token requests with a parameter included more than once, save for "resource", must result in an invalid_request error (issue oidc-sdk/345).

  • Fixes new RSASSASigner(RSAKey) conversion to PrivateKey with a Hardware Security Module (HSM) (issue nimbus-jose-jwt/404).

  • Updates JSON parsing in the OAuth 2.0 SDK to catch non-documented and unexpected exceptions (issue oauth-oidc-sdk/347).

  • Allows OAuth 2.0 client metadata "software_version" of type JSON number and converts it to a JSON string in new and updated client registrations. This is done to accommodate non-RFC 7591 compliant dynamic client registrations in the UK Open Banking profile (issue oauth-oidc-sdk/348).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.30

  • Updates to com.nimbusds:oauth2-authz-store:16.5.2

  • Updates to com.nimbusds:oauth2-oidc-sdk:9.2.2

  • Updates to com.nimbusds:nimbus-jose-jwt:9.6.1

  • Updates to com.nimbusds:oauth-jwt-self-issued-grant-handler:1.1

11.1.1 (2021-02-19)

Resolved issues

  • Fixes bug that caused DynamoDB table creation without a range (sort) key to fail in single-tenant Connect2id server 1.11 instances (issue server/636).

  • Adds extra logging around DynamoDB table creation to include the resolved table spec (issue server/638).

  • Empty or blank DynamoDB apply-range-key must return null in config API (issue ispn-dynamodb/14).

  • Require non-empty DynamoDB range key value when a range key is set (issue ispn-dynamodb/15).

  • Log stored HMAC, computed HMAC and original item when an invalid HMAC is detected in the DynamoDB connector (issue ispn-dynamodb/17).

Dependency changes

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:4.1.5

11.1 (2021-02-17)

Summary

  • Support for AWS DynamoDB in the multi-tenant edition of the Connect2id server. Persisted tenant specific objects are isolated in their DynamoDB tables by means of a range (sort) key named "tid".

  • Reduces the footprint of AWS related dependencies by switching from the AWS Java SDK bundle to smaller service specific dependencies. The size of the final WAR file is reduced from 244 megabytes to 68 megabytes. If an SPI implementation (custom plugin) requires an AWS dependency previously available through the AWS Java SDK bundle it now needs to be explicitly included as a dependency.

Configuration

  • /WEB-INF/infinispan-multitenant-stateless-dynamodb.xml -- New Infinispan configuration file for the multi-tenant edition of the Connect2id server with an AWS DynamoDB backend. The standard DynamoDB configuration properties from the regular Connect2id server edition apply, save for the "dynamodb.applyRangeKey" and "dynamodb.rangeKeyValue" properties that have no effect.

Resolved issues

  • Fixes typo in the "invalid_client" error description (issue server/634).

Dependency changes

  • Updates to com.nimbusds:oauth2-authz-store:16.5

  • Updates to com.nimbusds:oidc-session-store:14.3

  • Updates to com.nimbusds:tenant-registry:5.3

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:4.1.1

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.5

  • Replaces com.amazonaws:aws-java-sdk-bundle with the narrower aws-java-sdk-dynamodb and aws-java-sdk-s3:1.11.955

  • Updates to com.nimbusds:software-statement-verifier:2.1.1

11.0 (2021-02-09)

Summary

  • Supports OAuth 2.0 client authentication with a client X.509 certificate issued by a trusted Certificate Authority (CA), as specified in OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705), section 2.2.

    When registering a client for the "tls_client_auth" method the "tls_client_auth_subject_dn" metadata parameter must be set to the expected subject distinguished name (DN) of the client certificate. Other client metadata parameters defined in RFC 8705 for identifying the certificate subject are not presently supported.

    The client certificate is to be validated at a terminating TLS reverse proxy which must pass a successfully validated certificate to the Connect2id server in the HTTP security header set by the existing "op.tls.clientX509CertHeader" configuration property.

    Note, due to limitations of the commonly available TLS termination software, configuring simultaneous validation of CA-issued client certificates as well as acceptance of self-signed client certificates is normally not possible. Because of that a Connect2id server deployment can be configured to support either "tls_client_auth" or "self_signed_tls_client_auth" from RFC 8705, but not both.

  • Supports the JWT-secured authorisation response mode (JARM). An OAuth 2.0 client can utilise JARM to receive signed and optionally encrypted authorisation responses. All standard response modes in JARM are supported: "query.jwt", "fragment.jwt", "form_post.jwt" and the "jwt" shorthand.

    A client can request an RS256 signed authorisation response by setting the optional "response_mode" authorisation request parameter to "jwt" or a more specific value, such as "query.jwt". If the client is registered with an "authorization_signed_response_alg" metadata parameter all authorisation responses will be signed with the specified JWS algorithm, even if there is no explicit request for JARM in the "response_mode" authorisation request parameter. If the client is also registered with the "authorization_encrypted_response_alg" and "authorization_encrypted_response_enc" metadata parameters the signed authorisation response will be additionally encrypted.

    See Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM), draft 02 from 2018-10-17.

  • Adds a codec plugin interface (SPI) for persisting client secrets in an encrypted, hashed or otherwise encoded form. The codec interface also enables import of OAuth 2.0 client registrations via the custom "preferred_client_secret" metadata field where the secret is passed in a hashed form, for example using the BCrypt, SCrypt, Argon2 or another hash algorithm.

  • Supports seamless "client_secret" rollover. After an update of a client's secret via the client registration endpoint the previous secret will remain valid for client authentication purposes for a period of 30 minutes. HMAC-secured ID token hints ("id_token_hint" with JWS HS256, HS384 or HS512) will also be checked against the previous (replaced) "client_secret".

  • Upgrades the OAuth 2.0 / OpenID Connect SDK to major release 9.x which in turn upgrades to Nimbus JOSE+JWT 9.x. The objective of the Nimbus JOSE+JWT 9.0 release was to shade the JSON Smart dependency and make it optional. Plugged SPI implementations that rely on Nimbus JOSE+JWT 8.x and earlier interfaces and classes may be affected and should be recompiled / rebuilt and if necessary, modified.

  • Upgrades the schemas of backend RDBMS and LDAPv3 stores to support the client metadata fields required for "tls_client_auth" and JARM. See the configuration section below for more information.

Configuration

  • /WEB-INF/oidProvider.properties

    • op.authz.responseModes -- Adds support for the "query.jwt", "fragment.jwt", "form_post.jwt" and "jwt" (shorthand) response modes from JARM.

    • op.authz.responseJWSAlgs -- New configuration property, sets the accepted JWS algorithms for signed OAuth 2.0 authorisation responses (JARM). Supported JWS algorithms: HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512.

    • op.authz.responseJWEAlgs -- New configuration property, sets the accepted JWE algorithms for encrypted OAuth 2.0 authorisation responses (JARM). Note, encryption is always applied after signing. Supported JWE algorithms: RSA-OAEP-256, RSA-OAEP (use no longer recommended), RSA1_5 (use no longer recommended), ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW and dir.

    • op.authz.responseJWEEncs -- New configuration property, sets the accepted JWE content encryption methods for encrypted OAuth 2.0 authorisation responses (JARM). Supported JWE methods: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM and A256GCM.

    • op.token.authMethods -- Adds support for "tls_client_auth", PKI client authentication where the client must include a CA-issued client X.509 certificate in requests. Note, the "tls_client_auth" and "self_signed_tls_client_auth" methods cannot be enabled simultaneously.

    • op.tls.clientX509CertHeader -- The existing Connect2id server configuration property for specifying an HTTP header name for receiving validated client X.509 certificates from the TLS proxy will also apply to the new "tls_client_auth" method. The configuration property was originally introduced in Connect2id server 6.12 to facilitate the "self_signed_tls_client_auth" method.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "tls_client_auth_subject_dn", "tls_client_auth_san_dns", "tls_client_auth_san_uri", "tls_client_auth_san_ip", "tls_client_auth_san_email", "authorization_signed_response_alg", "authorization_encrypted_response_alg" and "authorization_encrypted_response_enc" columns to the "clients" table. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new columns (with an appropriate default value) on startup.

  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "oauthTLSClientAuthSubjectDN", "oauthTLSClientAuthSANDNS", "oauthTLSClientAuthSANURI", "oauthTLSClientAuthSANIP", "oauthTLSClientAuthSANEmail", "oauthAuthorizationResponseJWSAlg", "oauthAuthorizationResponseJWEAlg" and "oauthAuthorizationResponseJWEEnc" attributes to the "oauthClientMetadata" object class. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.15, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.15/, the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-openldap.ldif?at=1.15&diff1=c8ba0c6a092c409e43b9efe7360cd76a460a2b95&diff2=cb3676cefe8bbccbcdb4352cc707a53ef53ae28a and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-opendj.ldif?at=1.15&diff1=c8ba0c6a092c409e43b9efe7360cd76a460a2b95&diff2=cb3676cefe8bbccbcdb4352cc707a53ef53ae28a

  • /WEB-INF/oidcClientInfoMap.json -- File removed, switched to programmatic configuration.

Web API

  • /.well-known/openid-configuration, /.well-known/oauth-authorization-server

    • response_modes_supported -- Will include the supported OAuth 2.0 response modes for JARM if enabled -- "query.jwt", "fragment.jwt", "form_post.jwt" and "jwt".

    • authorization_signing_alg_values_supported -- New optional JSON array listing the supported JWS algorithms for signed OAuth 2.0 authorisation responses (JARM).

    • authorization_encryption_alg_values_supported -- New optional JSON array listing the supported JWE algorithms for encrypted OAuth 2.0 authorisation responses (JARM).

    • authorization_encryption_enc_values_supported -- New optional JSON array listing the supported JWE content encryption methods for encrypted OAuth 2.0 authorisation responses (JARM).

  • /clients

    • Supports the "authorization_signed_response_alg", "authorization_encrypted_response_alg" and "authorization_encrypted_response_enc" client metadata parameters from JARM.

    • Supports registration of clients for PKI mutual-TLS client authentication ("tls_client_auth") with the "tls_client_auth_subject_dn" metadata parameter used to set the expected subject DN in the client's certificate.

    • Updating a "client_secret" will cause the previous value to remain valid for client authentication purposes for another 30 minutes, to facilitate seamless rollover.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.27.1

  • com.nimbusds.openid.connect.provider.spi.secrets.ClientSecretStoreCodec -- New Service Provider Interface (SPI) for encoding OAuth client secrets before persisting them to storage. Can be used to symmetrically encrypt (e.g. with AES) or to hash secrets (e.g. with SCrypt, BCrypt, Argon2) before committing them to storage. Note, OAuth clients registered for "client_secret_jwt" authentication where the secret must be available in plaintext to perform HMAC must not be hashed. This also applies to secrets which may otherwise require the plain secret to be available for decoding, for example to facilitate symmetric encryption of ID tokens or UserInfo.

    The supplied SecretCodecContext provides access to the Connect2id server JWK set to retrieve any configured symmetric keys for the client secret encryption, as well as the client metadata to determine the registered client authentication method.

    Implementations must be thread-safe.
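As an added example (not Connect2id server code), the two client secret behaviours described in this release: the codec decision to hash a secret unless the registration needs the plaintext (client_secret_jwt, or symmetric JWE keyed from the secret), and the 30-minute window in which the replaced secret still authenticates the client. The "plain:" storage form, the scrypt parameters and the record type are assumptions of this example; a real codec would encrypt the plaintext case with a key from the server JWK set.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ROLLOVER_GRACE_SECONDS = 30 * 60   # from the release notes: a replaced secret stays valid for 30 minutes

# JWE algorithms whose key is derived from the client_secret (OpenID Connect Core symmetric
# encryption of ID tokens / UserInfo); such a client needs its secret in plaintext.
SYMMETRIC_JWE_ALGS = frozenset(
    {"dir", "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW"})


def requires_plaintext_secret(auth_method: str, id_token_jwe_alg: Optional[str] = None) -> bool:
    """client_secret_jwt needs the secret for HMAC; symmetric JWE needs it for key derivation."""
    return auth_method == "client_secret_jwt" or id_token_jwe_alg in SYMMETRIC_JWE_ALGS


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """One-way encoding with scrypt as 'scrypt$<salt hex>$<digest hex>'. The cost
    parameters are chosen for this example, not taken from the Connect2id server."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def encode_for_storage(secret: str, auth_method: str, id_token_jwe_alg: Optional[str] = None) -> str:
    """Codec decision: hash unless the registration needs the plaintext. The 'plain:' form
    stands in for a reversible encoding (this example does not model the encryption)."""
    if requires_plaintext_secret(auth_method, id_token_jwe_alg):
        return "plain:" + secret
    return hash_secret(secret)


def secret_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison of a presented secret against either stored form."""
    if stored.startswith("plain:"):
        return hmac.compare_digest(presented.encode("utf-8"), stored[len("plain:"):].encode("utf-8"))
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    recomputed = hash_secret(presented, bytes.fromhex(parts[1]))
    return hmac.compare_digest(recomputed, stored)


@dataclass
class ClientSecretRecord:
    auth_method: str
    current: str                        # encoded form of the active client_secret
    previous: Optional[str] = None      # encoded form of the replaced secret, if any
    rotated_at: Optional[int] = None    # epoch seconds of the last rotation
    id_token_jwe_alg: Optional[str] = None

    def rotate(self, new_secret: str, now: int) -> None:
        """Replaces the secret; the old one stays acceptable for ROLLOVER_GRACE_SECONDS."""
        self.previous = self.current
        self.rotated_at = now
        self.current = encode_for_storage(new_secret, self.auth_method, self.id_token_jwe_alg)

    def authenticate(self, presented: str, now: int) -> bool:
        """Accepts the current secret, or the previous one while the grace window is open."""
        if secret_matches(presented, self.current):
            return True
        in_grace = (self.previous is not None and self.rotated_at is not None
                    and now - self.rotated_at < ROLLOVER_GRACE_SECONDS)
        return in_grace and secret_matches(presented, self.previous)


def new_record(auth_method: str, secret: str, id_token_jwe_alg: Optional[str] = None) -> ClientSecretRecord:
    """Creates the stored record for a freshly registered client."""
    return ClientSecretRecord(auth_method, encode_for_storage(secret, auth_method, id_token_jwe_alg),
                              id_token_jwe_alg=id_token_jwe_alg)
```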

Resolved issues

  • The Connect2id server should also include the previous (replaced) client_secret when validating an id_token_hint secured with JWS HS256, HS384 and HS512 (issue server/12).

  • Adds missing persistence for the "software_version" client metadata field in LDAP stores (issue #623).

  • The Connect2id server must not redirect back to an OAuth 2.0 client with an otherwise redirectable authorisation error if no "redirect_uri" was set in the original plain OAuth 2.0 authorisation request and the client has more than one "redirect_uri" registered (issue server/630).

  • Revises Connect2id server error reporting on an invalid "request_uri" or "request" JWT in an authorisation request. Errors due to the JWT claims including a "sub" (subject) claim that equals the "client_id" will be reported to the client with an "invalid_request" code, instead of resulting in a non-redirecting error. Errors due to a JWT that cannot be decrypted will also be reported to the client with an "invalid_request_object" code, instead of resulting in a non-redirecting error (issue server/631).

  • Caches single-tenant static OP / AS metadata to increase performance (issue server/627).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.27.1

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:9.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:9.5

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.15

  • Updates to com.nimbusds:oauth2-authz-store:16.4.2

  • Updates to com.nimbusds:oidc-session-store:14.2.2

  • Updates to OpenSAML 3.4.6.

  • Updates to BouncyCastle 1.68

  • Updates to Infinispan 9.4.21.Final

  • Updates to DropWizard Metrics 4.1.17

  • Updates to org.jooq.pro-java-8:jooq:3.14.2

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.1

  • Updates to org.postgresql:postgresql:42.2.18

  • Updates to com.microsoft.sqlserver:mssql-jdbc:8.4.1.jre11

  • Updates to Log4j 2.14.0

  • Updates to commons-io:commons-io:2.8.0

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.936

10.4 (2020-12-21)

Summary

  • Adds a plugin for verifying software statements in OAuth 2.0 client registration requests.

  • Introduces configurable caching for selected metrics which report Connect2id server object counts, in order to conserve database query resources.

  • Upgrades OpenID Connect Federation 1.0 support to draft 14.

Configuration

  • /WEB-INF/monitor.properties

    • monitor.entryCountCacheTimeout -- New configuration property, specifies a timeout for caching entry count results, in seconds. Zero disables caching, negative disables readings, causing the gauge to always return -1. The default timeout value is 1800 seconds (30 minutes).

      Gauges with entry count caching:

      • authzSessionStore.numSessions
      • sessionStore.numSessions
      • clientStore.numRegistrations
      • clientStore.numCachedRemoteJWKSets
      • clientStore.numCachedRemoteRequestObjects
      • authzStore.numAuthzCodes
      • authzStore.numIdAccessTokens
      • authzStore.numLongLivedAuthorizations
      • authzStore.numRevocationJournalEntries

Web API

  • /federation/clients

    • Upgrades explicit federation Relying Party (RP) registration to draft 14. The trust_anchor_id will now be returned as a top-level entity statement claim about the registered RP, instead of as an RP metadata parameter.

  • /monitor/v1/metrics

    • Introduces caching to the following gauges which report the number of persisted or cached Connect2id server objects for a given type. Intended to conserve database resources when querying the object count is expensive, for example in MySQL tables with millions of rows. The caching and timeout are controlled by the new monitor.entryCountCacheTimeout configuration property.

      • authzSessionStore.numSessions
      • sessionStore.numSessions
      • clientStore.numRegistrations
      • clientStore.numCachedRemoteJWKSets
      • clientStore.numCachedRemoteRequestObjects
      • authzStore.numAuthzCodes
      • authzStore.numIdAccessTokens
      • authzStore.numLongLivedAuthorizations
      • authzStore.numRevocationJournalEntries

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.24

  • com.nimbusds.openid.connect.provider.spi.reg.FinalMetadataValidator

    • Adds a new "getReceivedMetadata" method to the ValidatorContext that returns the original OAuth 2.0 client / OpenID relying party metadata as received at the client registration endpoint.

  • com.nimbusds.openid.connect.provider.spi.grants.ClientCredentialsGrantHandler

    • Upgrades the included OAuth 2.0 client credentials grant handler plugin, see https://bitbucket.org/connect2id/client-credentials-grant-handler .

      • New op.grantHandler.clientCredentials.simpleHandler.accessToken.includeClientMetadataFields configuration property to specify the names of client metadata fields to include in the optional access token data field, empty set if none. To specify a member within a field that is a JSON object, use dot (.) notation.

      • The op.grantHandler.clientCredentials.simpleHandler.enable configuration property receives a default value false (disabled).

      • Lets op.grantHandler.clientCredentials.simpleHandler.accessToken.audienceList also apply to identifier-based access tokens.

      • Makes the /WEB-INF/clientGrantHandler.properties configuration file optional.

  • com.nimbusds.openid.connect.provider.spi.reg.RegistrationInterceptor

    • Allows more than one RegistrationInterceptor SPI implementation to be present, but at most one can be enabled.

    • New plugin for verifying optional software statements included in OAuth 2.0 client registration requests. Also supports registration requests encoded into a signed JWT and submitted over mutual TLS with a client X.509 certificate, to conform with Open Banking and other profiles. See https://bitbucket.org/connect2id/software-statement-verifier .

Resolved issues

  • The submitted client X.509 certificate must be supplied to the RegistrationInterceptor SPI (issue server/618).

  • Client certificate extraction log messages OP6020 and OP6021 must be assigned to the appropriate Connect2id server endpoint (issue server/617).

  • Improves exception messaging and logging when parsing corrupted string array fields from SQL records (issue server/470).

  • Logs CustomTokenResponseComposer SPI implementation loading under OP6218 (issue server/620).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.24

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.29

  • Updates to com.nimbusds:oauth2-authz-store:16.4

  • Updates to com.nimbusds:oidc-session-store:14.2

  • Upgrades to com.nimbusds:common:2.44

  • Updates to io.dropwizard.metrics:*:4.1.16

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.3

  • Updates to com.unboundid:unboundid-ldapsdk:5.1.3

  • Upgrades to com.nimbusds:oauth-client-grant-handler:2.0

  • New com.nimbusds:software-statement-verifier:2.1 dependency

  • Updates to org.bouncycastle:*:1.67

  • Updates to com.thetransactioncompany:cors-filter:2.9.1

10.3 (2020-11-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.allowedPKCE -- New optional configuration property specifying the allowed PKCE (RFC 7636) code challenge methods which OAuth 2.0 clients may use at the authorisation endpoint, as a comma and / or space separated list. The default allowed code challenge methods are "plain" and "S256" (all RFC 7636 methods).

      Authorisation requests which use a code challenge method that isn't allowed by the configuration will be rejected with an invalid_request error.

      The allowed code challenge methods will be advertised in the OpenID provider / OAuth 2.0 authorisation server "code_challenge_methods_supported" metadata field.
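
  Added example, not Connect2id server code: Python showing the three pieces the op.authz.allowedPKCE setting touches, parsing the comma / space separated list, the authorisation endpoint rejecting a request whose code challenge method is not allowed with invalid_request, and the value advertised in "code_challenge_methods_supported". It also derives the S256 challenge from a verifier (RFC 7636 section 4.2, using the verifier / challenge pair from RFC 7636 appendix B) and performs the token endpoint comparison. The "hardened" configuration value "S256" is an assumption about a deployment, not a default from the page; function names are illustrative.

```python
import base64
import hashlib
import secrets

RFC7636_METHODS = {"plain", "S256"}

# Two op.authz.allowedPKCE values: the documented default, and an assumed
# hardened deployment that refuses the "plain" method.
ALLOWED_PKCE_DEFAULT = "plain S256"
ALLOWED_PKCE_HARDENED = "S256"


def parse_allowed_pkce(value: str) -> set:
    """Parse the comma and / or space separated op.authz.allowedPKCE value."""
    methods = set(value.replace(",", " ").split())
    unknown = methods - RFC7636_METHODS
    if unknown:
        raise ValueError(f"unknown code challenge method(s): {sorted(unknown)}")
    return methods


def metadata_entry(allowed: set) -> dict:
    """What the server advertises in its OpenID provider / AS metadata."""
    return {"code_challenge_methods_supported": sorted(allowed)}


def code_challenge(verifier: str, method: str) -> str:
    """Client side: derive code_challenge from code_verifier (RFC 7636, 4.2)."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported method {method!r}")


def check_authz_request(params: dict, allowed: set):
    """Authorisation endpoint side: returns an OAuth 2.0 error object when the
    PKCE method is not allowed by configuration, None when the request passes."""
    if "code_challenge" not in params:
        return None  # PKCE not used; a separate policy may still require it
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default
    if method not in allowed:
        return {"error": "invalid_request",
                "error_description": f"code challenge method {method!r} not allowed"}
    return None


def verify_at_token_endpoint(stored_challenge: str, stored_method: str,
                             verifier: str) -> bool:
    """Token endpoint side: recompute the challenge and compare in constant time."""
    return secrets.compare_digest(code_challenge(verifier, stored_method),
                                  stored_challenge)


def demo() -> dict:
    """For each configuration, whether a "plain" and an "S256" request is accepted."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 appendix B
    results = {}
    for name, cfg in (("default", ALLOWED_PKCE_DEFAULT),
                      ("hardened", ALLOWED_PKCE_HARDENED)):
        allowed = parse_allowed_pkce(cfg)
        results[name] = {
            m: check_authz_request({"code_challenge": code_challenge(verifier, m),
                                    "code_challenge_method": m}, allowed) is None
            for m in ("plain", "S256")
        }
    return results
```

  Restricting the list to "S256" is the usual hardening: with "plain" the challenge is the verifier itself, so an attacker who observes the authorisation request can also redeem the code.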

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.23

  • com.nimbusds.openid.connect.provider.spi.reg.RegistrationInterceptor

    • New SPI for intercepting and optionally modifying HTTP POST, GET, PUT and DELETE requests at the client registration endpoint. Can be used to process software statements (RFC 7591, section 2.3) and signed (JWT) registration requests (such as those in Open Banking Dynamic Client Registration).

Resolved issues

  • Fixes issue in the MySQL schema for the federation_clients table where MySQL 5.7.x doesn't accept a second TIMESTAMP column with a NOT NULL declaration. MySQL 8.x is not affected (issue server/614).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.23

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.27

  • Upgrades to com.thetransactioncompany:java-property-utils:1.16

10.2 (2020-11-13)

Summary

  • Includes the Connect2id server issuer URL as "iss" parameter in authorisation responses. Intended for OAuth 2.0 clients using more than one authorisation server to prevent a class of attacks called "mix-up" attacks. Clients interacting with a single OAuth 2.0 server and OpenID relying parties which receive an ID token (and accordingly validate the "iss" claim) are not affected. See OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response (draft-meyerzuselhausen-oauth-iss-auth-resp-01) for further details.

  • Tightens the URI scheme policy for OAuth 2.0 client metadata to prevent potential attacks using malicious "javascript", "data" and "vbscript" schemes in old and insufficiently protected web browsers. Deployments which utilise open client registration are advised to upgrade. See the article at https://security.lauritz-holtmann.de/post/sso-security-redirect-uri/ for further details.

  • Updates the logout web API to facilitate post-logout redirections in cases when the end-user session has expired.
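
  Added example, not Connect2id server code: a minimal OAuth 2.0 client in Python that does what the "iss" response parameter above is for. Before redirecting, the client records which authorisation server each state value was sent to; on the callback it requires "iss" when the server advertises "authorization_response_iss_parameter_supported" and rejects any response whose "iss" differs from the recorded issuer, which is the mix-up case where a code from one server arrives on the redirect URI registered with another. The two server URLs and the callback URLs are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed metadata for the two authorisation servers this client is
# configured with (hypothetical URLs). Only the honest server advertises "iss".
SERVERS = {
    "https://honest.example.com": {"authorization_response_iss_parameter_supported": True},
    "https://attacker.example.net": {"authorization_response_iss_parameter_supported": False},
}


class RelyingClient:
    """Binds each authorisation request to the issuer it was sent to and checks
    the "iss" parameter of the authorisation response against it."""

    def __init__(self, servers: dict):
        self.servers = servers
        self.pending = {}  # state -> issuer URL the end-user was redirected to

    def begin(self, issuer: str) -> str:
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_callback(self, redirect_url: str) -> tuple:
        params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        issuer = self.pending.pop(params.get("state", ""), None)
        if issuer is None:
            return ("reject", "unknown or already used state")
        iss = params.get("iss")
        expects_iss = self.servers.get(issuer, {}).get(
            "authorization_response_iss_parameter_supported", False)
        if expects_iss and iss is None:
            return ("reject", "iss parameter missing")  # stripped by an attacker?
        if iss is not None and iss != issuer:
            return ("reject", f"mix-up: response issued by {iss}, request went to {issuer}")
        if "error" in params:
            return ("error", params["error"])  # error responses carry iss too
        return ("code", params["code"])        # safe to redeem at issuer's token endpoint


def demo() -> tuple:
    client = RelyingClient(SERVERS)
    honest_iss = "iss=https%3A%2F%2Fhonest.example.com"
    # 1. Regular flow with the honest server.
    s1 = client.begin("https://honest.example.com")
    ok = client.handle_callback(f"https://rp.example.org/cb?code=abc&state={s1}&{honest_iss}")
    # 2. Mix-up: the request went to the attacker's server, the response arrives
    #    from the honest one; without the iss check the client would send this
    #    code to the attacker's token endpoint.
    s2 = client.begin("https://attacker.example.net")
    mixup = client.handle_callback(f"https://rp.example.org/cb?code=def&state={s2}&{honest_iss}")
    # 3. Honest server expected, iss removed from the response.
    s3 = client.begin("https://honest.example.com")
    stripped = client.handle_callback(f"https://rp.example.org/cb?code=ghi&state={s3}")
    # 4. Error response, which also carries iss.
    s4 = client.begin("https://honest.example.com")
    err = client.handle_callback(
        f"https://rp.example.org/cb?error=access_denied&state={s4}&{honest_iss}")
    return ok, mixup, stripped, err
```

  A client that only ever talks to one authorisation server, or that validates the "iss" claim of an ID token, already has this binding, which is why the summary above scopes the change to multi-server OAuth 2.0 clients.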

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.policy, op.tos, op.serviceDocs -- If the optional policy, terms of service and service documentation links are specified by absolute URL, the scheme must be either "https" or "http".

Web API

  • /.well-known/openid-configuration, /.well-known/oauth-authorization-server

    • Adds the "authorization_response_iss_parameter_supported" metadata parameter (the value is set to true), as specified in OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response (draft-meyerzuselhausen-oauth-iss-auth-resp-01).

  • /authz-sessions/rest/v3/

    • Includes an "iss" (issuer) parameter in OAuth 2.0 authorisation success and error responses, as specified in OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response (draft-meyerzuselhausen-oauth-iss-auth-resp-01). Intended for OAuth 2.0 clients using more than one authorisation server to prevent a class of attacks called "mix-up" attacks. Clients interacting with a single OAuth 2.0 server and OpenID relying parties which receive an ID token (and accordingly validate the "iss" claim) are not affected.

  • /clients

    • Registration of OAuth 2.0 clients and OpenID relying parties with "redirect_uris" or "post_logout_redirect_uris" containing the custom URI schemes "javascript", "data" and "vbscript" is prohibited for security reasons. Native applications can continue registering redirection URIs with custom URI schemes which don't match the prohibited ones.

    • Registration of OAuth 2.0 clients with "client_uri", "policy_uri" or "tos_uri" with URI schemes other than "https" and "http" is prohibited for security reasons.

    • Registration of OpenID relying parties will no longer permit custom URI schemes for "frontchannel_logout_uri" and "backchannel_logout_uri". The only permitted URI scheme is "https".

  • /logout-sessions/rest/v1/

    • Updates the logout session web API to not return an "invalid_session" error when the submitted end-user session SID (typically stored in a browser cookie at the IdP domain) is invalid or expired. OpenID relying parties (RP) making a logout request with a valid "post_logout_redirect_uri" will thus be able to complete the redirection, regardless of the end-user session state at the IdP.

      Following this change "invalid_session" errors will no longer be returned by the logout session web API.
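
  Added example, not Connect2id server code: a Python validator for the client metadata scheme policy described under /clients above. It rejects "javascript", "data" and "vbscript" schemes in "redirect_uris" and "post_logout_redirect_uris" (case-insensitively, and also when the scheme cannot be parsed at all), requires "https" or "http" for the browser-rendered "client_uri", "policy_uri" and "tos_uri", and "https" only for the front- and back-channel logout URIs. Custom schemes for native applications remain allowed. The three registration documents are constructed for the example; function names are illustrative.

```python
from urllib.parse import urlsplit

# Policy from the release notes. Names are illustrative.
PROHIBITED_REDIRECT_SCHEMES = {"javascript", "data", "vbscript"}
REDIRECT_LIST_FIELDS = ("redirect_uris", "post_logout_redirect_uris")
BROWSER_RENDERED_FIELDS = ("client_uri", "policy_uri", "tos_uri")        # https or http
HTTPS_ONLY_FIELDS = ("frontchannel_logout_uri", "backchannel_logout_uri")  # https only


def scheme_of(uri: str) -> str:
    """Lower-cased URI scheme, or "" when none can be parsed (relative URI,
    or a scheme broken up with whitespace / control characters)."""
    return urlsplit(uri).scheme.lower()


def validate_client_metadata(metadata: dict) -> list:
    """Return the policy violations for a registration request; [] means accepted."""
    errors = []
    for field in REDIRECT_LIST_FIELDS:
        for uri in metadata.get(field, []):
            scheme = scheme_of(uri)
            if not scheme:
                errors.append(f"{field}: {uri!r} must be an absolute URI")
            elif scheme in PROHIBITED_REDIRECT_SCHEMES:
                errors.append(f"{field}: scheme {scheme!r} is prohibited")
    for field in BROWSER_RENDERED_FIELDS:
        uri = metadata.get(field)
        if uri is not None and scheme_of(uri) not in ("https", "http"):
            errors.append(f"{field}: scheme must be https or http")
    for field in HTTPS_ONLY_FIELDS:
        uri = metadata.get(field)
        if uri is not None and scheme_of(uri) != "https":
            errors.append(f"{field}: scheme must be https")
    return errors


# Constructed registration requests.
WEB_RP = {
    "redirect_uris": ["https://rp.example.org/cb"],
    "post_logout_redirect_uris": ["https://rp.example.org/logged-out"],
    "client_uri": "https://rp.example.org/",
    "policy_uri": "https://rp.example.org/policy",
    "tos_uri": "http://rp.example.org/tos",
    "frontchannel_logout_uri": "https://rp.example.org/fc-logout",
    "backchannel_logout_uri": "https://rp.example.org/bc-logout",
}

NATIVE_APP = {  # custom scheme and loopback redirects stay permitted
    "redirect_uris": ["com.example.app:/oauth2redirect", "http://127.0.0.1/cb"],
}

MALICIOUS = {
    "redirect_uris": [
        "https://rp.example.org/cb",                  # fine
        "javascript:alert(document.domain)",          # prohibited
        "DATA:text/html,<script>alert(1)</script>",   # prohibited, mixed case
        "java\tscript:alert(1)",                      # no parseable scheme, rejected
    ],
    "post_logout_redirect_uris": ["vbscript:msgbox(1)"],   # prohibited
    "client_uri": "javascript:void(0)",                    # not https / http
    "policy_uri": "https://rp.example.org/policy",         # fine
    "tos_uri": "ftp://rp.example.org/tos",                 # not https / http
    "frontchannel_logout_uri": "http://rp.example.org/fcl",  # https only
    "backchannel_logout_uri": "https://rp.example.org/bcl",  # fine
}
```

  The "must be an absolute URI" branch matters: depending on the Python version, urlsplit either strips the embedded tab and yields the "javascript" scheme or finds no scheme at all, and an allow-by-default validator would pass the second case through to the browser.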

Resolved issues

  • Prohibits registration of OAuth 2.0 clients and OpenID relying parties with "redirect_uris" or "post_logout_redirect_uris" with the custom URI schemes "javascript", "data" and "vbscript" for security reasons. Also requires browser rendered URIs derived from client and server metadata, such as "client_uri", "policy_uri" and "tos_uri", to have an "https" or "http" URI scheme. See https://security.lauritz-holtmann.de/post/sso-security-redirect-uri/ for more information (issue server/611).

  • Prohibits registration of OpenID relying parties with custom "frontchannel_logout_uri" and "backchannel_logout_uri" URI schemes, thus making "https" the only allowed URI scheme (issue server/612).

  • Improves INFO logging at the logout session endpoint (issue server/610).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.26

10.1 (2020-10-29)

Summary

  • Adds support for OpenID Connect Federation 1.0 (draft 12) automatic clients. Automatic clients don't register explicitly with the Connect2id server, instead they proceed directly to the authorisation endpoint, where they submit a signed request object (JWT) containing additional federation-specific claims, thus letting the request object also serve as an implicit authenticated registration request. The Connect2id server will perform the regular federation trust chain resolution and retrieve the client's metadata from its federation entity statement published at a well-known endpoint. The client registration will expire according to a configured policy - a set lifetime or the trust chain lifetime.

    See https://openid.net/specs/openid-connect-federation-1_0-12.html.

  • Updates OpenID Connect for Identity Assurance 1.0 (draft 11) support to accept "claims" authentication request parameters where the "verified_claims" element is a JSON array. This is intended to enable requests for claims sets with different verification requirements (e.g. different trust frameworks). Previously such requests resulted in an invalid_request error at the authorisation endpoint.

    Example "claims" request for two verifications, using the "eidas_ial_substantial" and the "de_aml" trust frameworks:

    {
      "userinfo": {
        "verified_claims": [
          {
            "verification": {
              "trust_framework": {
                "value": "eidas_ial_substantial"
              }
            },
            "claims": {
              "given_name": null,
              "family_name": null
            }
          },
          {
            "verification": {
              "trust_framework": {
                "value": "de_aml"
              }
            },
            "claims": {
              "birthdate": null
            }
          }
        ]
      }
    }

    The consent prompt in the authorisation session API will list the requested verified claims across all elements in the "verified_claims" JSON array.

    Note that "claims" -> "verification" will only present the first requested "verification" element if multiple are found. Use the "claims" -> "raw_request" to obtain all verifications. A future version of the Connect2id server will update the consent prompt to simplify handling of verified claims requests with multiple verifications.

    See https://openid.net/specs/openid-connect-4-identity-assurance-1_0-11.html, section 6.3.3.

  • Connect2id server deployments with an AWS DynamoDB backend can be configured to include a SHA-256 based message authentication code (HMAC) in each stored item to guarantee its integrity and authenticity while stored in the database.

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.federation.clientRegistrationTypes -- The configuration property for the supported OpenID Connect Federation 1.0 client registration types now allows for automatic as well as explicit registration.

    • op.federation.autoClientAuthMethods.ar -- New configuration property specifying the supported methods for authenticating implicit registration requests of OpenID Connect Federation 1.0 automatic clients at the OAuth 2.0 authorisation endpoint. The only currently supported method is "request_object".

    • op.federation.autoClientLifetime -- New configuration property for the lifetime of registered OpenID Connect Federation 1.0 automatic clients, in seconds. If zero or negative the lifetime will be determined by the trust chain expiration time. When explicitly set must not be shorter than 5 minutes (300 seconds) to allow sufficient time for the completion of a single OAuth 2.0 flow with an authorisation, token and UserInfo request by the registered relying party. The default lifetime is one hour (3600 seconds).

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Updates the DynamoDB store schema to v1.8 and adds the option to secure the integrity and authenticity of the stored DynamoDB items with a SHA-256 based Message Authentication Code (HMAC), appended to each item in a "_hmac#256" binary attribute. If a retrieved DynamoDB item is missing the "_hmac#256" attribute or its verification fails the Connect2id server will produce an HTTP 500 Internal Server Error, log the error with a "DS0131" code and increment the ".dynamoDB.invalidItemHmacCounter" metric.

      To enable this HMAC protection the Connect2id server must be configured with a secret 256-bit key (as a BASE64 encoded string) in the "dynamoDB.hmacSHA256Key" Java system property.

      The HMAC protection must be enabled for newly provisioned or empty DynamoDB tables. Enabling the protection for DynamoDB tables with prior existing items will cause HMAC validation errors on their retrieval.

  • /WEB-INF/infinispan-stateless-dynamodb.xml

    • DynamoDB consistent reads for "sessionStore.sessionMap" can be enabled by setting the "dynamodb.consistentReads.sessionStore.sessionMap" Java system property to true.
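
  Added example, not Connect2id server code: Python that mirrors the DynamoDB item protection described above. A 256-bit key decoded from a BASE64 string is used to compute an HMAC-SHA256 over the item, stored in a "_hmac#256" attribute (a binary attribute in DynamoDB terms); on read the item is rejected when the attribute is missing or fails verification, the two conditions the notes say produce the DS0131 error. The canonical serialisation of the item (sorted JSON) is an assumption made for the example, the server's actual encoding is not described on the page; the key and item are constructed, in a real deployment the key comes from os.urandom(32) and the dynamoDB.hmacSHA256Key system property.

```python
import base64
import hashlib
import hmac
import json

HMAC_ATTRIBUTE = "_hmac#256"   # attribute name from the release notes


class IntegrityError(Exception):
    """Raised when a stored item fails the HMAC check (server: HTTP 500, DS0131)."""


def load_key(b64_key: str) -> bytes:
    """Decode the BASE64 value of the dynamoDB.hmacSHA256Key system property."""
    key = base64.b64decode(b64_key)
    if len(key) != 32:
        raise ValueError("dynamoDB.hmacSHA256Key must decode to 32 bytes (256 bits)")
    return key


def canonical(item: dict) -> bytes:
    """Deterministic byte encoding of every attribute except the MAC itself.
    Assumption for this example: compact JSON with sorted keys."""
    body = {k: v for k, v in item.items() if k != HMAC_ATTRIBUTE}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(item: dict, key: bytes) -> dict:
    """Item as written to DynamoDB: original attributes plus the HMAC."""
    mac = hmac.new(key, canonical(item), hashlib.sha256).digest()
    return {**item, HMAC_ATTRIBUTE: mac}


def verify(stored: dict, key: bytes) -> dict:
    """Item as read back: fail closed on a missing or invalid MAC."""
    mac = stored.get(HMAC_ATTRIBUTE)
    if mac is None:
        raise IntegrityError(f"item is missing the {HMAC_ATTRIBUTE} attribute")
    expected = hmac.new(key, canonical(stored), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise IntegrityError("HMAC verification failed")
    return {k: v for k, v in stored.items() if k != HMAC_ATTRIBUTE}


def _outcome(stored: dict, key: bytes) -> str:
    try:
        verify(stored, key)
        return "accepted"
    except IntegrityError:
        return "rejected"


def demo() -> dict:
    # Constructed key; never use a fixed key outside an example.
    key = load_key(base64.b64encode(bytes(range(32))).decode("ascii"))
    item = {"id": "sess-123", "sub": "alice", "scope": "openid email", "exp": 1700000000}
    stored = protect(item, key)
    tampered = {**stored, "sub": "admin"}     # attribute changed in the database
    legacy = dict(item)                        # written before protection was enabled
    wrong_key = load_key(base64.b64encode(bytes(32)).decode("ascii"))
    return {
        "valid": verify(stored, key) == item,
        "tampered": _outcome(tampered, key),
        "legacy": _outcome(legacy, key),
        "wrong_key": _outcome(stored, wrong_key),
    }
```

  The "legacy" case is why the notes require enabling the protection only on new or empty tables: items written without the attribute are indistinguishable from items whose MAC was deleted, so they must be rejected.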

Web API

  • /authz-sessions/rest/v3/

    • The consent prompt "claims" parameter adds support for verified claims requests (OpenID Connect Identity Assurance 1.0) with multiple verifications.

      The "claims" -> "new" -> "essential", "voluntary" arrays will list the requested verified claims (prefixed with "verified:") across all "verified_claims" elements (if multiple are found).

      The "claims" -> "verification" -> "id_token", "userinfo" objects will include the first found verification element (if multiple are found); the full list of verification objects can be obtained by parsing the "claims" -> "raw_request" parameter (requires op.authz.includeRawClaimsRequestInPrompt=true).

  • /monitor/v1/metrics

    • Adds new ".dynamoDB.invalidItemHmacCounter" metric of type counter for Connect2id server deployments with a DynamoDB database. Counts the number of retrieved DynamoDB items which failed the HMAC SHA-256 check (if enabled).
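
  Added example, not Connect2id server code: Python that flattens a verified claims request the way the consent prompt described above does, for both the two-verification "claims" request from the summary of this release and a constructed single-object request. Claim names across all "verified_claims" elements are prefixed "verified:" and sorted into essential / voluntary, only the first "verification" is surfaced, and a helper extracts the trust frameworks across every element, which is the information the prompt's "verification" object alone does not give. Function names are illustrative.

```python
# The two-verification example from these release notes, as a Python literal.
CLAIMS_REQUEST = {
    "userinfo": {
        "verified_claims": [
            {
                "verification": {"trust_framework": {"value": "eidas_ial_substantial"}},
                "claims": {"given_name": None, "family_name": None},
            },
            {
                "verification": {"trust_framework": {"value": "de_aml"}},
                "claims": {"birthdate": None},
            },
        ]
    }
}

# Constructed request in the single-object form, with one essential claim,
# targeting the ID token instead of UserInfo.
CLAIMS_REQUEST_SINGLE = {
    "id_token": {
        "verified_claims": {
            "verification": {"trust_framework": {"value": "de_aml"}},
            "claims": {"birthdate": {"essential": True}, "given_name": None},
        }
    }
}


def _as_list(value) -> list:
    """verified_claims may be a single JSON object or a JSON array of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def verified_claims_view(claims_request: dict, target: str = "userinfo") -> dict:
    """Consent prompt view of one target ("userinfo" or "id_token"): every
    requested verified claim across all elements, prefixed "verified:", split
    into essential / voluntary; "verification" carries only the first element."""
    section = claims_request.get(target) or {}
    essential, voluntary, verifications = [], [], []
    for element in _as_list(section.get("verified_claims")):
        verifications.append(element.get("verification") or {})
        for name, spec in (element.get("claims") or {}).items():
            is_essential = isinstance(spec, dict) and spec.get("essential") is True
            (essential if is_essential else voluntary).append("verified:" + name)
    return {
        "essential": essential,
        "voluntary": voluntary,
        "verification": verifications[0] if verifications else None,
        "all_verifications": verifications,   # only recoverable from the raw request
    }


def trust_frameworks(claims_request: dict, target: str = "userinfo") -> list:
    """Trust framework values across every verification element."""
    return [v.get("trust_framework", {}).get("value")
            for v in verified_claims_view(claims_request, target)["all_verifications"]]
```

  A consent UI that only reads the first "verification" would show "eidas_ial_substantial" for all three claims above, although "birthdate" is requested under "de_aml"; parsing the full request is what reveals the second framework.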

SPI

  • PasswordGrantHandler, JWTGrantHandler, SAML2GrantHandler

    • Consented claims whose name is prefixed with "id_token:" will be included in the ID token instead of via the default method, the UserInfo endpoint. This feature is adopted from the authorisation session web API.

  • Included OpenID Connect HTTP claims source

    • Updates the included AdvancedClaimsSource SPI implementation for sourcing OpenID claims from an HTTP endpoint to version 2.1 (com.nimbusds:oidc-claims-source-http:2.1). The JSON object representing the request will now include a "claims_transport" parameter hinting how the requested claims are going to be transported to the relying party: "userinfo" for the UserInfo endpoint, "id_token" for the ID token, omitted if not applicable (for claims requested by an internal plugin, such as an access token codec).

Resolved issues

  • OpenID claims requests with JSON array of verified_claims must not fail (issue server/605).

  • Fixes NPE in OpenID Connect Federation 1.0 client registration error processing logic (issue server/585).

  • Front-channel logout requests must not include the issuer identifier (iss) as query parameter when a session identifier (sid) isn't included (issue server/595).

  • Updates the OAuth 2.0 authorisation endpoint to reject signed (JWS) request objects (JARs) where the optional JWT "sub" (subject) claim is set to the client_id value, see the latest cross-JWT confusion security recommendation in https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-29#section-10.8 (issue server/588).

  • Fixes the reported "request" (JAR) parameter name in illegal_request error messages from the OAuth 2.0 authorisation endpoint (issue server/589).

  • Ignores unknown key types in a JWK set, when parsing a client JWK set and in other cases (issue nimbus-jose-jwt/377).

  • Logs at INFO level the enabled / disabled status of every loaded claims source at Connect2id server startup under OP7107 (issue server/600).

  • Logs at TRACE level the decoded self-contained access token authorisation under AS0544 (issue authz-server/178).

  • HTTP POST and PUT requests to the client registration endpoint where the entity body exceeds the hard-wired character limit must return a HTTP 400 Bad Request, not HTTP 500 Internal Server Error. Raises the limit from 15 thousand to 20 thousand characters (issue server/579).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.23.1

  • Updates to com.nimbusds:nimbus-jose-jwt:8.20.1

  • Updates to com.nimbusds:oauth2-authz-store:16.3

  • Updates to com.nimbusds:oidc-claims-source-http:2.1

  • Updates to BouncyCastle 1.66

  • Updates to Infinispan 9.4.20

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:3.7.2

  • Updates to com.unboundid:unboundid-ldapsdk:5.1.1

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.880

10.0 (2020-08-18)

Summary

  • Supports OpenID Connect Federation 1.0 (draft 12) with explicit client registration. The extension to OpenID Connect enables seamless single sign-on and identity provisioning in a federation of OpenID providers and relying parties approved by one or more operators (trust anchors), potentially involving intermediate authorities. See https://openid.net/specs/openid-connect-federation-1_0-12.html

  • Enables issue of refresh tokens for transient (non-persisted) authorisations, where the authorisation data is contained in the refresh token (as encrypted JWT). Previously refresh tokens could be issued only for long-lived (persisted) authorisations, where the refresh token is an encrypted key pointing to the authorisation record. The Connect2id server can issue an unlimited number of self-contained refresh tokens for a given client and subject (end-user). This can be useful in cases where an end-user has instances of a public client on several devices, but the granted authorisations must not be shared between the client instances. Revocation applies to all client instances.

  • Supports setting of global or client-specific policy for enforcing use of pushed authorisation requests (PAR) only, and rejecting regular requests at the authorisation endpoint (including JAR). The new op.par.require configuration sets the global PAR policy. The new require_pushed_authorization_requests client metadata parameter sets the PAR policy for an individual OAuth 2.0 client. Clients which must use PAR will receive an invalid_request error with message "PAR required" from the authorisation endpoint if they attempt a regular request. See OAuth 2.0 Pushed Authorization Requests (draft-ietf-oauth-par-02).

  • The authorisation store web API receives a new version with endpoint /authz-store/rest/v3 with an updated "revocation" resource, to handle revocation of non-persisted authorisations tied to self-contained refresh tokens. The previous web API version at endpoint /authz-store/rest/v2 remains available.

  • Supports the tls_client_certificate_bound_access_tokens client metadata parameter from OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705). Intended for enforcing issue of X.509 client certificate bound access tokens to a public (non-authenticating) client. The client must present a client certificate (self-signed or CA issued) at the token endpoint; if no certificate is presented the client will receive an invalid_client token error response with HTTP status code 401 Unauthorized.

  • Supports configuration of unlimited additional access tokens for the Connect2id server integration web APIs, to facilitate token roll-over and for other purposes.

  • Upgrades the OAuth 2.0 / OpenID Connect SDK to major release 8.0 which removes the deprecated javax.mail dependency and all deprecated API methods relying on its classes. ClaimsSource and AdvancedClaimsSource SPI implementations which rely on the javax.mail.Address class for the "email" claim need to switch to an alternative java.lang.String based getter / setter method of the UserInfo class.

Configuration

  • /WEB-INF/federationJWKSet.json -- New JSON Web Key (JWK) set file for configuring one or more RSA keys for signing the issued federation entity statements. The RSA keys must have a size of 2048 bits, a unique key identifier (kid), a key use (use) set to signature (sig) and an algorithm (alg) set to RS256. The first RSA JWK in the list will be used for signing. Previously used keys can follow, to facilitate roll-over. The federation JWK set can alternatively be passed via an op.federationJWKSet Java system property, optionally with additional BASE64URL encoding to avoid shell escaping of special JSON characters. For more information regarding key generation and configuration see https://connect2id.com/products/server/docs/config/jwk-set#config

  • /WEB-INF/oidcProvider.properties

    • op.federation.enable -- Enables / disables support for OpenID Connect Federation 1.0. Disabled by default.

    • op.federation.clientRegistrationTypes -- The supported OpenID Connect Federation 1.0 client registration types. The only type supported in this release is explicit.

    • op.federation.organizationName -- The organisation name in the federation, blank if not specified.

    • op.federation.trustAnchors.* -- The configured trust anchors. Must contain at least one entity ID.

    • op.federation.authorityHints.* -- The intermediate entities or trust anchors that may issue an entity statement about the OpenID Connect provider. Must contain at least one entity ID.

    • op.federation.constraints.maxPathLength -- The maximum path length when resolving trust chains. The default value is 2 (up to two intermediates to the trust anchor).

    • op.federation.constraints.permitted.* -- The explicitly permitted entity IDs when resolving trust chains, blank if not specified.

    • op.federation.constraints.excluded.* -- The excluded entity IDs when resolving trust chains, blank if not specified.

    • op.federation.httpRequestTimeout -- The HTTP connect timeout (in milliseconds) when resolving trust chains. Zero implies no timeout. Must not be negative. The default value is 500 ms.

    • op.federation.httpReadTimeout -- The HTTP read timeout (in milliseconds) when resolving trust chains. Zero implies no timeout. Must not be negative. The default value is 500 ms.

    • op.federation.contacts.* -- List of contacts for this federation entity. These may contain names, e-mail addresses, descriptions, phone numbers, etc. Blank if not specified.

    • op.federation.policyURI -- URL of the federation entity policy. The URL can be also be specified relative to the issuer URL (op.issuer). Blank if not specified.

    • op.federation.homepageURI -- URL of the federation entity homepage. The URL can be also be specified relative to the issuer URL (op.issuer). Blank if not specified.

    • op.federation.trustMarks.* -- Trust marks about this federation entity as signed JSON Web Tokens (JWT). Blank if not specified.

    • op.federation.entityStatementLifetime -- The lifetime of issued entity statements, in seconds. The default lifetime is one week (604800 seconds).

    • op.reg.apiAccessTokenSHA256.* -- Supports configuration of additional API access tokens, to facilitate token roll-over or for other needs. Those are configured by appending a dot (.) with a unique label to the property name, e.g. as op.reg.apiAccessTokenSHA256.1=abc...

      The support for op.reg.secondaryAPIAccessTokenSHA256 remains, however deployments are encouraged to switch to the new configuration method.

    • op.authz.apiAccessTokenSHA256.* -- Supports configuration of additional API access tokens, to facilitate token roll-over or for other needs. Those are configured by appending a dot (.) with a unique label to the property name, e.g. as op.authz.apiAccessTokenSHA256.1=abc...

    • op.logout.apiAccessTokenSHA256.* -- Supports configuration of additional API access tokens, to facilitate token roll-over or for other needs. Those are configured by appending a dot (.) with a unique label to the property name, e.g. as op.logout.apiAccessTokenSHA256.1=abc...

    • op.par.require -- Enforces a global pushed authorisation requests (PAR) only policy. If true the Connect2id server will accept authorisation requests initiated via PAR only, regular authorisation requests will be rejected at the authorisation endpoint with an invalid_request error. The default value is false.

  • /WEB-INF/sessionStore.properties

    • sessionStore.apiAccessTokenSHA256.* -- Supports configuration of additional API access tokens, to facilitate token roll-over or for other needs. Those are configured by appending a dot (.) with a unique label to the property name, e.g. as sessionStore.apiAccessTokenSHA256.1=abc...

      The support for sessionStore.secondaryAPIAccessTokenSHA256 remains, however deployments are encouraged to switch to the new configuration method.

  • /WEB-INF/authzStore.properties

    • authzStore.apiAccessTokenSHA256.* -- Supports configuration of additional API access tokens, to facilitate token roll-over or for other needs. Those are configured by appending a dot (.) with a unique label to the property name, e.g. as authzStore.apiAccessTokenSHA256.1=abc...

      The support for authzStore.secondaryAPIAccessTokenSHA256 remains, however deployments are encouraged to switch to the new configuration method.

  • /WEB-INF/monitor.properties

    • monitor.apiAccessTokenSHA256.* -- Supports configuration of additional API access tokens, to facilitate token roll-over or for a load balancer to monitor the health of the Connect2id server. Those are configured by appending a dot (.) with a unique label to the property name, e.g. as monitor.apiAccessTokenSHA256.1=abc...

      The support for monitor.secondaryAPIAccessTokenSHA256 remains, however deployments are encouraged to switch to the new configuration method.

  • /WEB-INF/infinispan-*.xml

    • Adds new "federation.registrationsMap" to Infinispan for tracking the registered federation clients.

      In deployments with an SQL RDBMS (MySQL, PostgreSQL, MS SQL Server, H2) the Connect2id server on startup will automatically create a new "federation_clients" table for persisting tracking metadata about the federation clients.

      In deployments with AWS DynamoDB the Connect2id server on startup will automatically create a new "federation_clients" table for persisting the federation clients metadata.

      In deployments with Redis the federation clients metadata will be stored in a separate database with number 15.

      In deployments with LDAP the federation clients metadata will be kept in memory only and will not be persisted. Support for LDAP persistence and an appropriate schema will be added in a future release or upon request.

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Adds new "require_pushed_authorization_requests" and "tls_client_certificate_bound_access_tokens" columns to the "clients" table. In existing Connect2id server deployments with an SQL RDBMS the server will automatically add the new columns (with an appropriate default value) on startup.

  • /WEB-INF/infinispan-*-ldap.xml

    • Adds new "oauthRequirePAR" and "oauthClientCertBoundAccessTokens" attributes to the "oauthClientIdentity" object class. Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.13, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.13/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-openldap.ldif?at=1.13&diff2=135b1b503919b270a2cb4a8e44dfbfc8fd0a4e27 and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-client-schema-opendj.ldif?at=1.13&diff2=135b1b503919b270a2cb4a8e44dfbfc8fd0a4e27
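
  Added example, not Connect2id server code: a Python walk-through of an integration API token roll-over using the labelled *.apiAccessTokenSHA256.<label> properties introduced above (shown for authzStore.properties; the same shape applies to op.reg, op.authz, op.logout, sessionStore and monitor). A fresh token is generated, its SHA-256 digest is added under a label while the old primary token keeps working, and the primary is retired afterwards. The digests are compared in constant time. Hex encoding of the digest is an assumption made for the example, the page does not state the encoding; the properties are a constructed dict standing in for the parsed properties file.

```python
import hashlib
import hmac
import secrets


def new_api_token(nbytes: int = 32) -> str:
    """Fresh bearer token for an integration web API (256 bits of entropy)."""
    return secrets.token_urlsafe(nbytes)


def sha256_hex(token: str) -> str:
    """Digest placed in a *.apiAccessTokenSHA256 property (hex encoding assumed)."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def accepted_hashes(props: dict, prefix: str) -> dict:
    """Collect every accepted hash for one web API from the parsed properties:
    the primary <prefix>.apiAccessTokenSHA256, the legacy
    <prefix>.secondaryAPIAccessTokenSHA256 and each labelled
    <prefix>.apiAccessTokenSHA256.<label>. Returns label -> hex digest."""
    base = f"{prefix}.apiAccessTokenSHA256"
    legacy = f"{prefix}.secondaryAPIAccessTokenSHA256"
    accepted = {}
    for key, value in props.items():
        if key == base:
            accepted["primary"] = value.strip().lower()
        elif key == legacy:
            accepted["secondary"] = value.strip().lower()
        elif key.startswith(base + "."):
            accepted[key[len(base) + 1:]] = value.strip().lower()
    return accepted


def authenticate(bearer_token: str, accepted: dict):
    """Label of the configured hash the presented token matches, else None.
    Every entry is compared with hmac.compare_digest, never with ==."""
    digest = sha256_hex(bearer_token)
    matched = None
    for label, expected in accepted.items():
        if hmac.compare_digest(digest, expected):
            matched = label
    return matched


def demo() -> dict:
    old_token, new_token = new_api_token(), new_api_token()
    # Step 1: constructed authzStore.properties with only the primary token.
    props = {"authzStore.apiAccessTokenSHA256": sha256_hex(old_token)}
    # Step 2: add the replacement under a label; both tokens work during roll-over.
    props["authzStore.apiAccessTokenSHA256.rollover-2020-08"] = sha256_hex(new_token)
    during = accepted_hashes(props, "authzStore")
    # Step 3: once every caller uses the new token, retire the old primary.
    del props["authzStore.apiAccessTokenSHA256"]
    after = accepted_hashes(props, "authzStore")
    return {
        "old_during": authenticate(old_token, during),
        "new_during": authenticate(new_token, during),
        "bogus_during": authenticate("not-a-configured-token", during),
        "old_after": authenticate(old_token, after),
        "new_after": authenticate(new_token, after),
    }
```

  Keeping the labels descriptive (a date or ticket reference) makes it obvious in the properties file which entries are still in use and can be removed once the roll-over is complete.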

Web API

  • /.well-known/openid-federation

    • New endpoint for retrieving the OpenID provider's self-signed federation entity statement. See OpenID Connect Federation 1.0 (draft 12), section 5.

  • /federation/clients

    • New endpoint for explicit registration of federation entities as OpenID relying parties. See OpenID Connect Federation 1.0 (draft 12), section 9.2.

  • /.well-known/openid-configuration, /.well-known/oauth-authorization-server

    • Adds support for the "require_pushed_authorization_requests" metadata parameter from OAuth 2.0 Pushed Authorization Requests (draft-ietf-oauth-par-02), controlled by the new op.par.require configuration setting.

  • /clients

    • Adds support for the "require_pushed_authorization_requests" client metadata parameter from OAuth 2.0 Pushed Authorization Requests (draft-ietf-oauth-par-02).

    • Supports setting of the "tls_client_certificate_bound_access_tokens" client metadata parameter from OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705).

  • /authz-store/rest/v3

    • New version 3 of the authorisation store web API. Modifies the HTTP response from the "revocation" resource as follows: Revocations will always succeed with a 2xx HTTP status code. If the revocation matches one or more long-lived (persisted) authorisations those will be returned with a 200 OK status, as previously. Else a 204 No Content status will be returned (previously a 404 Not Found), as the revocation may match a transient authorisation with a self-contained (JWT) access and / or refresh token.
  • /authz-store/rest/v2

    • The previous version of the authorisation store web API remains available.

Resolved issues

  • Increases the size of the jwks column for H2 from VARCHAR 10000 to VARCHAR 50000 (issue server/578). The H2 command to alter an existing clients table is ALTER TABLE "clients" ALTER COLUMN "jwks" SET DATA TYPE VARCHAR(50000);.

  • Changes the data type of the jwks column for MySQL from VARCHAR 10000 to JSON to increase the size while working around the limit of 65535 bytes per row (issue server/578). The MySQL command to alter an existing clients table is ALTER TABLE clients MODIFY jwks JSON;.

  • All startup and configuration errors must be logged in c2id-server.log (issue server/569).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.22

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.13

  • Upgrades to com.nimbusds:tenant-manager:5.0

  • Upgrades to com.nimbusds:tenant-registry:5.2

  • Upgrades to com.nimbusds:oauth2-authz-store:16.2

  • Upgrades to com.nimbusds:oidc-session-store:14.1.3

  • Updates to com.nimbusds:nimbus-jose-jwt:8.18

  • Upgrades to com.nimbusds:nimbus-jwkset-loader:5.0

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.19

  • Updates to com.nimbusds:content-type:2.1

  • Updates to com.nimbusds:oauth-password-grant-web-api:1.4

  • Upgrades to com.nimbusds:common:2.43.1

  • Upgrades to com.thetransactioncompany:java-property-utils:1.15

  • Adds javax.activation:javax.activation-api:1.2.0

  • Removes com.sun.mail:javax.mail:1.6.2

9.5.2 (2020-08-08)

Resolved issues

  • Fixes a bug which produced an internal server error (HTTP 500) at the token endpoint when a CustomTokenResponseComposer SPI implementation is installed and the server produces a token error response for a particular setting of the authorisation (issue server/581).

9.5.1 (2020-06-22)

Resolved issues

  • Replaces the BASE64 Apache Commons Codec with the BASE64 codec from the Nimbus JOSE+JWT library to prevent an unchecked IllegalArgumentException exception due to illegal chars in a submitted authorisation code (issue server/574, common/61).

  • Restores accepting client_secret_jwt and private_key_jwt client authentication JWTs for the token revocation endpoint where the audience is set to the token endpoint URI, removed in Connect2id server v8.0. This rollback is done to preserve backward compatibility with existing clients. New clients should set the authentication JWT "aud" (audience) to the exact endpoint URI as future Connect2id server releases may stop accepting the issuer URI or the token endpoint URI for security reasons (issue server/573).

  • Logs the exception message for OP6412 when client authentication at the token revocation endpoint fails (issue server/570).

  • Exports public EdDSA keys from the server JWK set to /jwks.json (issue server/568).

Dependency changes

  • Updates to com.nimbusds:common:2.38.1

  • Updates to com.nimbusds:oidc-session-store:13.4.2

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.4

9.5 (2020-05-22)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.prohibitSwitchBetweenBasicResponseModes -- New optional configuration property. If true, client requests to switch between the "query" and "fragment" response modes by setting the response_mode authorisation request parameter are prohibited. The default value is false.

    • op.token.requireClientX509Cert -- New optional configuration property. If true, the token endpoint will require a client X.509 certificate from all clients, in order to enforce issue of client certificate bound access tokens (RFC 8705). The default value is false.

9.4 (2020-05-20)

Summary

  • Adds support for issuing EdDSA signed JWT-encoded access tokens. Choose EdDSA (RFC 8037) for increased performance and compact signatures. Connect2id benchmarks show EdDSA signature generation with an Ed25519 key receiving a 62x boost over 2048-bit RSA (RS256), with verification remaining roughly on par. The JWT signature size is reduced 4-fold.

    To roll over to EdDSA signed JWT-encoded access tokens, provision the Connect2id server JWK set with a signing Ed25519 key and set the JWS algorithm for access tokens to "EdDSA". Check the configuration notes for details.

Configuration

  • /WEB-INF/jwkSet.json

    • Introduces a new optional Ed25519 octet key pair JWK (key type "OKP") with curve "Ed25519", use "sig" (signature) and requiring a unique key ID. Intended for issuing EdDSA signed JWT-encoded access tokens. To generate and roll over the EdDSA signing key you can use the latest available Connect2id server JWK set generator, see https://connect2id.com/products/server/docs/config/jwk-set#generation

  • /WEB-INF/authzStore.properties

    • authzStore.accessToken.jwsAlgorithm -- Adds support for signing issued JWT-encoded access tokens with the "EdDSA" JWS algorithm (RFC 8037). Requires the Connect2id server JWK set to be provisioned with a signing Ed25519 key. The default JWS algorithm for signing remains "RS256" with a 2048-bit RSA key due to the ubiquitous JWT library support for RS256.
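What the EdDSA roll-over above amounts to at the JOSE level, as an added illustration in Go (not code from the Connect2id server or its SDK): an Ed25519 public key rendered as an OKP JWK with use "sig" and a key ID, a JWT access token with the "at+jwt" type header signed with alg "EdDSA", verification that pins the algorithm and key ID rather than trusting the token's header, and the 64-byte signature that underlies the 4-fold reduction over RS256 (256 bytes with a 2048-bit RSA key). The key ID, the claim set and the payload-swap check are constructed for the example; the server's actual access token claims are not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE uses unpadded base64url for every compact-serialisation segment.
var b64 = base64.RawURLEncoding

// ed25519JWK renders the public half of an Ed25519 key as an OKP JWK (RFC 8037)
// with use "sig" and the given key ID, i.e. what a JWK set would publish.
func ed25519JWK(pub ed25519.PublicKey, kid string) map[string]string {
	return map[string]string{
		"kty": "OKP", "crv": "Ed25519", "use": "sig", "kid": kid,
		"x": b64.EncodeToString(pub),
	}
}

// signAccessToken builds a compact JWS with alg "EdDSA" and typ "at+jwt" and
// signs it with the Ed25519 private key.
func signAccessToken(priv ed25519.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "at+jwt", "kid": kid})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAccessToken decodes the three segments, pins the expected algorithm,
// type and key ID, and checks the signature before the claims are trusted.
func verifyAccessToken(pub ed25519.PublicKey, kid, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("undecodable JWS segment")
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// The token never gets to choose the algorithm or key: both are pinned here.
	if hdr["alg"] != "EdDSA" || hdr["typ"] != "at+jwt" || hdr["kid"] != kid {
		return nil, fmt.Errorf("unexpected JWS header %v", hdr)
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid EdDSA signature")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// signatureSize returns the raw signature length: 64 bytes for Ed25519.
func signatureSize(token string) int {
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if err != nil {
		return -1
	}
	return len(sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const kid = "ed25519-2020-05" // constructed key ID
	jwk, _ := json.Marshal(ed25519JWK(pub, kid))
	// Constructed sample claims; not the server's actual access token claim set.
	claims := map[string]interface{}{"iss": "https://op.example.com", "sub": "alice", "scope": "openid", "exp": 1700000000}
	tok, err := signAccessToken(priv, kid, claims)
	if err != nil {
		panic(err)
	}
	_, verr := verifyAccessToken(pub, kid, tok)
	fmt.Printf("JWK: %s\ntoken: %s\nsignature bytes: %d (RS256 with a 2048-bit key: 256)\nverified: %v\n", jwk, tok, signatureSize(tok), verr == nil)
}
```

During a roll-over both the old RSA key and the new Ed25519 key are published in the JWK set, so a resource server picks the key by "kid" and pins the "alg" it expects for that key, exactly as verifyAccessToken does; accepting whatever "alg" the token header names would defeat the point of the roll-over.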

Resolved issues

  • Calls to the ClaimsSource from a TokenIntrospectionResponseComposer SPI implementation should automatically include any "claims_data" if available for the introspected access token (issue server/561).

  • Fixes a bug which prevented persistence of client registrations into an SQL database where the client_id contains a colon (:) character in combination with some non-alphanumeric characters preceding it. Affected the single-tenant edition of the Connect2id server (issue server/563).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.7

  • Updates to com.nimbusds:nimbus-jose-jwt:8.17

  • Updates to BouncyCastle 1.65

  • Updates to OpenSAML 3.4.5

  • Updates to com.nimbusds:lang-tag:1.5

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.782

  • Updates to com.zaxxer:HikariCP:3.4.5

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.6.0

  • Updates to org.postgresql:postgresql:42.2.12

  • Updates to com.microsoft.sqlserver:mssql-jdbc:8.2.2.jre11

  • Updates DropWizard Metrics to 4.1.8

  • Updates Prometheus to 0.9.0

  • Updates Log4j to 2.13.3

9.3 (2020-05-12)

Configuration

  • /WEB-INF/infinispan-*-{mysql|postgres95|sqlserver|h2}.xml

    • Updates the SQL store schema to v2.7 and switches to a single shared database connection pool for all Infinispan map and cache structures used by the Connect2id server. Support for a per map / cache connection pool to spread the load over multiple databases (vertical partitioning) is still available.

  • /WEB-INF/infinispan-*-dynamodb.xml

    • Updates the DynamoDB store schema to v1.7 and adds support for configuring an optional HTTP proxy for connections to the DynamoDB endpoint. The HTTP proxy is configured by setting the Java system properties "dynamodb.httpProxyHost" and "dynamodb.httpProxyPort".

Web API

  • /authz-sessions/rest/v3/

    • Exposes the optional "id_token_hint" OpenID authentication request parameter in the authorisation session object (under "auth_req").

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.20

  • com.nimbusds.openid.connect.provider.spi.tokens.response.CustomTokenResponseComposer

    • New SPI for composing custom token success and error responses. Can be used to include additional parameters in an access token response based on the authorisation (consent) "data" parameter, such as an "authorization_details" parameter required in OAuth 2.0 Rich Authorization Requests (draft-lodderstedt-oauth-rar-03).

Resolved issues

  • Previously consented claims appearing in the consent prompt (authorisation session API) must not include language tags. Fixed a bug which prevented stripping of the tags from claim names retrieved from the "clm" field in authorisation records (issue server/558).

  • Enhances the authorisation session API by automatically stripping language tags in the names of consented claims (issue server/559).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.20

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.5

  • Upgrades to com.nimbusds:oauth2-authz-store:14.6

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:4.2.2

  • Upgrades to com.nimbusds:infinispan-cachestore-dynamodb:3.6.1

9.2 (2020-04-21)

Summary

  • Updates support for "JWT Secured Authorization Request (JAR)" to draft-ietf-oauth-jwsreq-21. client_id becomes the sole required query parameter for JAR requests, in addition to the query parameter for the JWT itself (request for a JWT passed inline or request_uri for a JWT passed by URI reference).

  • Adds new "op.authz.oAuthRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OAuth 2.0 authorisation request (JAR) (excluding OpenID authentication requests). The default policy is to accept only the JWT-secured parameters, with unsecured query parameters being ignored.

  • Adds new "op.authz.openIDRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OpenID authentication request. The default policy is to merge unsecured OpenID authentication request query parameters, with the JWT-secured parameters having precedence.

Configuration

  • /WEB-INF/oidcProvider.properties

    • New "op.authz.oAuthRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OAuth 2.0 authorisation request (JAR) (excluding OpenID authentication requests).

      Supported policies:

      • STRICT -- Use only JWT-secured parameters, unsecured query parameters will be ignored. This is the default policy for OAuth 2.0 authorisation requests.

      • MERGE_UNSECURED -- Merge unsecured authorisation request query parameters, with the JWT-secured parameters having precedence.

    • New "op.authz.openIDRequestJWTPolicy" configuration setting for specifying a policy for merging unsecured parameters in a JWT-secured OpenID authentication request.

      Supported policies:

      • STRICT -- Use only JWT-secured parameters, unsecured query parameters will be ignored.

      • MERGE_UNSECURED -- Merge unsecured OpenID authentication request query parameters, with the JWT-secured parameters having precedence. This is the default policy for OpenID authentication requests.

Resolved issues

  • Adds missing AccessTokenKeyExternalizer and AccessTokenAuthorizationExternalizer declarations for "authzStore.idAccessTokenMap" in the infinispan-*.xml configs (issue server/545).

  • Fixes handling of GeneralException instances thrown from ClaimSource SPIs when no error code or HTTP status code is specified. The correct response is to return an HTTP status code 500 instead of an empty UserInfo (issue server/547).

  • Fixes "userInfoEndpoint.serverErrors" metering on a ClaimsSource SPI throwing an unchecked Exception or a GeneralException (with no parameters) instance (issue server/548).

  • Fixes the supply of optional claims data to ClaimsSource SPI implementations for OpenID claims requests for ID tokens (issue server/549).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.4

  • Updates to com.nimbusds:nimbus-jose-jwt:8.14.1

9.1.1 (2020-03-26)

Resolved issues

  • Fixes premature expiration of OAuth 2.0 authorisation codes resulting from prompt=none or persisted consent authorisations in stateless Connect2id server deployments (single node or cluster) with an SQL RDBMS database (MySQL, PostgreSQL, Microsoft SQL server). Applies to Infinispan configurations infinispan-stateless-{mysql|postgres95|sqlserver}.xml (where Redis is not used as an in-memory cache / store). Affected deployments should update (issue authz-store/176).

  • Adds debug logging for authorisation grant put (AS0230) and authorisation grant retrieval (AS0222) (issues authz-store/174 and 175).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.4.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.11

9.1 (2020-03-24)

Web API

  • /token/introspect

    • Updates "JWT Response for OAuth Token Introspection" support to the upcoming draft-ietf-oauth-jwt-introspection-response-09 version.

      For a client (resource server) to obtain a JWT-secured introspection response it must submit an introspection request with the Accept HTTP request header set to "application/token-introspection+jwt". The request must be authorised with the registered client authentication method or with an access token.

      The JWT response will be JWS signed and include the following JWT claims:

      • "iss" -- Set to the OpenID Provider / Authorisation server issuer URL.

      • "aud" -- Set to the client_id of the caller (resource server).

      • "iat" -- The issue timestamp.

      • "token_introspection" -- A JSON object containing the token introspection response members, such as "active", etc.

      The optional op.token.introspection.jwtType configuration property that overrides the JWT "typ" (type) header applies.

      Legacy JWT-secured introspection responses (according to draft-ietf-oauth-jwt-introspection-response-09) will continue to be supported; for a client (resource server) to request one, the Accept HTTP request header must be set to "application/jwt".

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.19

  • com.nimbusds.openid.connect.provider.spi.par.ValidatorContext

    • Adds a getIssuer() method to the PAR ValidatorContext.

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.19

  • Updates to com.nimbusds:oauth2-oidc-sdk:7.3

9.0 (2020-03-18)

Summary

  • Updates support for OpenID Connect for Identity Assurance 1.0 to draft 09 (see https://openid.net/specs/openid-connect-4-identity-assurance-1_0-09.html). Requested verified claims will now be automatically marked and processed as such in the authorisation session API. The requested "verification" and individual claim "purpose" parameters will be presented in the consent prompt.

  • Updates the authorisation session API and the OAuth 2.0 grant handler SPIs to enable passing of additional JSON data with requests to the configured claims source(s). This can be used to pass claim values from the authorisation handler or when implementing Identity Assurance the necessary verification element for verified claims in the UserInfo response or the ID token.

    The included HTTP-based claims source SPI implementation is updated to include a "claims_data" parameter (of type JSON object) in the request to represent the optional claims data.

  • Upgrades the Infinispan and backend database schemas for the identifier-based access tokens and the long-lived (persisted) authorisation records.

    On startup the Connect2id server will automatically create the new required "id_access_tokens" and "long_lived_authorizations" table columns for a relational MySQL, PostgreSQL or Microsoft SQL Server database.

    Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.12, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.10/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-openldap.ldif?at=1.12&diff1=49115daf531b48c2d9fd0f766721d84c28576eae&diff2=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-opendj.ldif?at=1.12&diff1=49115daf531b48c2d9fd0f766721d84c28576eae&diff2=4c78a00734bfeb9abdd4c9dec76d9fbc51216faa

    Connect2id server deployments with a DynamoDB database are essentially schema-less and no specific action is required.

Configuration

  • /WEB-INF/oidcProvider.properties

    • New "op.token.introspection.jwtType" configuration property. Sets the "typ" (type) header of JWT introspection responses. The default value is "token-introspection+jwt". This configuration allows the type header to be set to "JWT" for non-compliant clients and JWT libraries which cannot handle header values other than "JWT".

  • /WEB-INF/log4j.xml

    • Adds an optional console (SYSTEM_OUT) appender. Setting the Java system property log4j.loggers.root.appender to console switches logging from the rolling-file appender to the standard output. Can be useful in container deployments.

Web API

  • /authz-sessions/rest/v3/

    • The consent prompt identifies requested verified OpenID claims by prefixing their name with "verified:", for example "verified:given_name", "verified:family_name" or "verified:address". When submitting consent to the Connect2id server the names of the verified claims must also be prefixed with "verified:".

      To process verified OpenID claims OpenID Connect for Identity Assurance 1.0 must be enabled (op.assurance.supportsVerifiedClaims=true).

    • The consent prompt is updated to include the optional "purpose" attribute of requested verified OpenID claims (OpenID Connect for Identity Assurance 1.0) as well as regular claims. If the attribute is set for one or more claims the purpose strings will appear in a new claims.purposes JSON object containing the claim name / purpose string pairs.

      The accepted purpose string length is between 3 and 300 characters, according to the Assurance specification. The Relying Party may use the "ui_locales" OpenID authentication request parameter to set the preferred language for the purpose strings.

      In order to prevent injection attacks, all special characters in a purpose string must be escaped before the string is shown in a user interface.

    • The consent prompt is updated to include the optional "verification" JSON object for a requested verified claims set (OpenID Connect for Identity Assurance 1.0). If the verification element is set for a requested verified claims set to be returned in the UserInfo response it will appear in a new claims.verification.userinfo JSON object. Likewise, if the element is set for a requested claims set to be returned with the ID token it will appear in a claims.verification.id_token JSON object.

      To include the "verification" element in the consent prompt OpenID Connect for Identity Assurance 1.0 must be enabled (op.assurance.supportsVerifiedClaims=true).

    • The consent is updated to include an optional "claims_data" JSON object parameter. The data will be made available in the ClaimsSourceRequestContext.getClaimsData method when the configured claims source(s) get called at the UserInfo endpoint or when feeding the consented claims into the ID token.

      The "claims_data" can be used to provision entire claims from the authorisation session and the front-channel. It can also be used in Identity Assurance to construct the "verification" element in the authorisation session and then have it included in the UserInfo response, for example in remote in-person proofing scenarios.

      The "claims_data" will be included in the issued access token and in long-lived (persisted) authorisations in a new "cld" (claims data) JSON object field. To keep the claims data confidential from the relying party (client), either an identifier access token encoding must be chosen (access_token.encoding = IDENTIFIER in the consent) or, if a self-contained (JWT) encoding is chosen, the JWT must be additionally encrypted (access_token.encrypt = true).

      An AdvancedClaimsSource SPI implementation can retrieve the claims data JSON object by a call to the ClaimsSourceRequestContext.getClaimsData method.

  • /authz-store/rest/v2/authorizations

    • The OAuth 2.0 / OpenID Connect authorisation includes a new optional "cld" (claims data) JSON object field to represent claims data to be passed to the OpenID claims source(s) with access tokens consumed at the UserInfo endpoint.

  • /token/introspect

    • The access token introspection response includes a new optional "cld" (claims data) JSON object field to represent claims data to be passed to the OpenID claims source(s) with access tokens consumed at the UserInfo endpoint.
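The consent-prompt rules described above (the "verified:" prefix, purpose strings of 3 to 300 characters, escaping before display) together with the language-tag stripping from the 9.3 fix can be modelled in a short program. The following Go code is an added example, not Connect2id code, and uses a simplified prompt structure of its own: it walks an OpenID "claims" request that contains Identity Assurance verified_claims in the object form of draft 09, prefixes verified claim names, collects the per-target "verification" element, rejects out-of-range purposes and HTML-escapes the accepted ones so the raw string never reaches the UI. The sample claims request is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"sort"
	"strings"
	"unicode/utf8"
)

// Constructed sample OpenID "claims" request with Identity Assurance
// verified_claims (object form, draft 09); not taken from a real client.
const sampleClaimsRequest = `{
  "userinfo": {
    "email": null,
    "given_name#ja-Kana-JP": {"essential": true},
    "verified_claims": {
      "verification": {"trust_framework": {"value": "de_aml"}},
      "claims": {"given_name": {"purpose": "To print your name on the <b>contract</b>"},
                 "family_name": {"purpose": "no"}}
    }
  },
  "id_token": {"verified_claims": {"verification": {"trust_framework": null}, "claims": {"given_name": null}}}
}`

// Prompt is a simplified stand-in for the claims part of a consent prompt.
type Prompt struct {
	Names        []string                          // claim names, "verified:" prefixed where applicable
	Purposes     map[string]string                 // claim name -> purpose, HTML-escaped for display
	Verification map[string]map[string]interface{} // "userinfo" / "id_token" -> verification element
	Errors       []string                          // rejected purposes
}

// stripLangTag drops a "#lang-tag" suffix from a claim name ("given_name#ja-Kana-JP").
func stripLangTag(name string) string {
	if i := strings.IndexByte(name, '#'); i >= 0 {
		return name[:i]
	}
	return name
}

// validPurpose applies the 3..300 character rule of the Identity Assurance spec.
func validPurpose(p string) bool {
	n := utf8.RuneCountInString(p)
	return n >= 3 && n <= 300
}

// buildPrompt turns a claims request into the prompt model above.
func buildPrompt(claimsRequest []byte) (*Prompt, error) {
	var req map[string]map[string]interface{}
	if err := json.Unmarshal(claimsRequest, &req); err != nil {
		return nil, err
	}
	p := &Prompt{Purposes: map[string]string{}, Verification: map[string]map[string]interface{}{}}
	seen := map[string]bool{}
	add := func(name string, spec interface{}) {
		if !seen[name] {
			seen[name] = true
			p.Names = append(p.Names, name)
		}
		p.recordPurpose(name, spec)
	}
	for _, target := range []string{"userinfo", "id_token"} {
		for rawName, spec := range req[target] {
			if rawName != "verified_claims" {
				add(stripLangTag(rawName), spec) // regular claim
				continue
			}
			vc, _ := spec.(map[string]interface{})
			if v, ok := vc["verification"].(map[string]interface{}); ok {
				p.Verification[target] = v
			}
			vclaims, _ := vc["claims"].(map[string]interface{})
			for vName, vSpec := range vclaims {
				add("verified:"+stripLangTag(vName), vSpec)
			}
		}
	}
	sort.Strings(p.Names)
	return p, nil
}

// recordPurpose keeps a purpose only if it is within the allowed length, and
// only in escaped form; the raw string is never forwarded to the UI.
func (p *Prompt) recordPurpose(name string, spec interface{}) {
	m, _ := spec.(map[string]interface{}) // null or non-object spec carries no purpose
	purpose, ok := m["purpose"].(string)
	if !ok {
		return
	}
	if !validPurpose(purpose) {
		p.Errors = append(p.Errors, name+": purpose must be 3 to 300 characters")
		return
	}
	p.Purposes[name] = html.EscapeString(purpose)
}

func main() {
	p, err := buildPrompt([]byte(sampleClaimsRequest))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out))
}
```

Escaping happens once, at the boundary where the purpose string leaves the authorisation server's data model; a logic page that receives the prompt still has to treat the value as text, not markup, when it renders it.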

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.18

  • com.nimbusds.openid.connect.provider.spi.claims.ClaimsSource, AdvancedClaimsSource

    • The names of verified OpenID claims passed via the "claims" argument of the "getClaims" method will be prefixed with "verified:" by the Connect2id server (OpenID Connect for Identity Assurance 1.0).

  • com.nimbusds.openid.connect.provider.spi.claims.ClaimsSourceRequestContext

    • Adds new "getClaimsData" method to obtain optional data set by an authorisation handler to fulfill OpenID claims provision, for example to construct the "verification" element for a verified claims set (OpenID Connect for Identity Assurance 1.0).

  • com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization

    • Adds new "getClaimsData" method to the interface to represent OpenID claims fulfillment data. The default implementation returns null.

  • com.nimbusds.openid.connect.provider.spi.grants.BasicClaimsSpec

    • Adds new constructor and "getData" method for passing optional claims fulfillment data to the configured OpenID claims source(s).

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug introduced in Connect2id server 8.1 which prevented output of the "verification" element in the OpenID "claims" authentication parameter output in /authz-sessions/rest/v3/ GET responses. The bug was caused by a faulty consent-all keyword sanitization (issue server/532).

  • Removes an erroneous standard output print (issue server/535).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.18

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.2

  • Updates to com.nimbusds:nimbus-jose-jwt:8.10

  • Upgrades to com.nimbusds:oauth2-authz-store:14.4.1

  • Updates to com.nimbusds:oidc-session-store:13.4.1

  • Upgrades to com.nimbusds:oidc-claims-source-http:2.0

  • Updates to commons-codec:commons-codec:1.14

  • Updates to io.dropwizard.metrics:*:4.0.7

  • Updates to io.prometheus:*:0.8.1

  • Updates to org.apache.logging.log4j:*:2.13.1

  • Updates to org.slf4j:slf4j-api:1.7.30

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.728

  • Updates to Infinispan 9.4.18.Final.

  • Updates to com.zaxxer:HikariCP:3.4.2

  • Updates to com.h2database:h2:1.4.200

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.5.4

  • Updates to org.postgresql:postgresql:42.2.10

  • Updates to com.unboundid:unboundid-ldapsdk:5.0.1

  • Updates to org.opensaml:*:3.4.3

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.12

8.2 (2020-02-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • "op.token.authMethods" -- Basic authentication ("client_secret_basic") is no longer required when configuring the enabled client authentication methods. Connect2id server deployments can now be configured with a single enabled client authentication method other than Basic, for example with "self_signed_tls_client_auth" only for client X.509 certificate authentication.

      The first authentication method (ignoring "none") in the list will now specify the default method for clients which don't set one explicitly during registration.

  • /WEB-INF/authzStore.properties

    • New "authzStore.refreshToken.defaultLifetime" configuration property. Specifies a default refresh token lifetime in seconds. Can be overridden by individual authorisations. If zero or omitted defaults to permanent (no expiration). Must be zero or a positive integer. The default value is zero (no expiration).

  • /WEB-INF/cors.properties

    • Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup -Dcors.allowOrigin=https://example.com

Web API

  • /authz-sessions/rest/v3/

    • Includes the OpenID authentication request "purpose" parameter (from OpenID Connect for Identity Assurance 1.0) in the "auth_req" JSON object which exposes selected request parameters when the authorisation session is queried with a GET. Normally the "purpose" parameter is only provided during the consent step. With this the logic page can access it at any time during the authorisation session.

Resolved issues

  • Fixes the URL encoding of the query parameters in front-channel logout notification URIs. The query parameters were receiving a double URL encoding (issue server/520).

  • Fixes an OpenID "claims" request parameter sanitisation bug which prevented output of the parameter in the consent prompt when op.authz.includeRawClaimsRequestInPrompt is enabled (issue server/523).

  • Updates the UserInfo endpoint to log (INFO level, log line with ID OP7301) the missing token scope if a bearer token error "insufficient_scope" is returned (issue server/517).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.14

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.1

  • Updates to com.nimbusds:nimbus-jose-jwt:8.8

  • Upgrades to com.nimbusds:oauth2-authz-store:14.2

  • Updates to org.bouncycastle:bcprov-jdk15on:1.64

  • Updates to org.bouncycastle:bcpkix-jdk15on:1.64

  • Upgrades to com.thetransactioncompany:cors-filter:2.9

8.1 (2020-02-03)

Summary

  • Updates mTLS client authentication by accepting client X.509 certificates with additional URL-encoding on top of the PEM encoding when the certificate is received from a TLS termination proxy via the HTTP security header configured by "op.tls.clientX509CertHeader".

  • Adds a new "authzStore.options.issueLegacyRefreshTokens" configuration property to facilitate seamless rolling cluster upgrades from Connect2id server 7.x and earlier versions to 8.x. When this setting is enabled Connect2id server 8.1 instances will issue refresh tokens in the old encoding supported and recognised in 7.x (instead of the new refresh token encoding with additional encryption of metadata, introduced in 8.0). After the rolling upgrade is completed and all instances are 8.1 the setting can be disabled (on a subsequent upgrade) to start issuing new refresh tokens with the new encoding.

Configuration

  • /WEB-INF/oidcProvider.properties

    • Client X.509 certificates received with the HTTP security header configured by "op.tls.clientX509CertHeader" can have an optional additional URL-encoding (also called percent encoding) of the PEM-encoded string. The presence of additional URL-encoding is automatically detected.

  • /WEB-INF/authzStore.properties

    • New "authzStore.options.issueLegacyRefreshTokens" configuration property. If true the Connect2id server will issue refresh tokens in the legacy format supported up to v7.x. Intended to facilitate seamless rolling cluster upgrades to v8.x and later without producing invalid_grant errors when a new 8.x refresh token is used at a Connect2id server 7.x instance. The default value is false (no issue of legacy refresh tokens).

Resolved issues

  • Fixes parse exception reporting when reading DynamoDB items from "pending_codes" and "id_access_tokens", logs JSON with error message (issue authz-store/169).

  • Fixes loading of OAuth 2.0 grant handler SPIs when multiple implementations are available (broken in Connect2id server 8.0, issue server/515).

  • Logs the names of the OAuth 2.0 grant handler SPI classes when multiple are enabled for a given grant type (issue server/515).

  • Logs the name of an SPI class when a single one must be loaded and multiple are available (issue common/60).

  • Disables the setting of the "jsessionid" cookie in the Connect2id server banner page (index.jsp) as no cookie or session is required by the page (issue server/516).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-authz-store:14.1

  • Upgrades to com.nimbusds:nimbus-jose-jwt:8.5

  • Upgrades to com.nimbusds:common:2.36

  • Adds new dependency to io.github.cemiltokatli.uricomponent:uri-component:1.0

8.0 (2020-01-01)

Summary

  • Supports OAuth 2.0 Pushed Authorization Requests. See https://tools.ietf.org/html/draft-ietf-oauth-par-00

  • Supports OpenID Connect for Identity Assurance 1.0 (draft 08). See https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html

  • The default self-contained (JWT) access token codec implementing the SelfContainedAccessTokenClaimsCodec SPI now supports multiple JWT profiles:

    • c2id-1.1 -- Connect2id server specific profile, available since v7.17, with the JWT "typ" (type) header set to "at+jwt".

    • c2id-1.0 -- Connect2id server specific profile, available since v1.0, outputs identical JWT claims as c2id-1.1 but doesn't set the JWT "typ" (type) header.

    • oauth-1.0 -- Standard profile in development at the OAuth working group, see draft-ietf-oauth-access-token-jwt-03

    The active JWT profile for access tokens is selected by a new optional "authzStore.accessToken.codec.jwt.profile" configuration property.

  • Consented OpenID claims can now be fed into the access token by prefixing their name with "access_token:". For example, "access_token:email" will cause the "email" claim to be retrieved from the configured OpenID claims source and fed into each access token for the given OAuth 2.0 grant. If the access token is self-contained (JWT) the "email" claim will be added as a top-level claim with the same name. If the access token is identifier-based the "email" claim will appear as top-level claim in the token introspection response.

    Two additional prefixes are supported:

    • "access_token:uip:" -- Causes the OpenID claim to be merged into the top-level "uip" (optional preset UserInfo claims) JSON object claim.

    • "access_token:dat:" -- Causes the OpenID claim to be merged into the top-level "dat" (optional data) JSON object claim.

    If the claim name clashes with an existing top-level access token claim it will be ignored and not fed into the access token.

  • Identifier-based (or key-based) access tokens are now stored in hashed form (SHA-256 truncated to 128 bits) to prevent token leakage if the database or a database backup is exposed and the HMAC SHA-256 key (the Connect2id server JWK with key ID "hmac") to attach an authenticity and integrity code to each token identifier is also compromised. Previously the only protection against undetected token identifier leaks from the database or a backup was the HMAC SHA-256 key remaining secret.

    When upgrading to Connect2id server 8.0 if there are existing identifier-based access tokens in the database issued by a previous Connect2id server version the "authzStore.options.legacyPlainKeysInStorage" configuration property can be set to true to enable their successful introspection, otherwise they will be deemed invalid.

  • Upgrades the Infinispan and backend database schemas for the identifier-based access tokens.

    On startup the Connect2id server will automatically create the new required "id_access_tokens" table columns for relational MySQL, PostgreSQL and Microsoft SQL Server databases.

    Connect2id server deployments with an LDAP v3 backend database (such as OpenLDAP or OpenDJ) need to update the LDAP schema manually to version 1.10, see https://bitbucket.org/connect2id/server-ldap-schemas/src/1.10/ , the OpenLDAP schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-openldap.ldif?at=1.10&diff1=d9599b598753ec3037b784b29baeac0e28bf7615&diff2=49115daf531b48c2d9fd0f766721d84c28576eae and the OpenDJ schema diff https://bitbucket.org/connect2id/server-ldap-schemas/diff/src/main/resources/oidc-authz-schema-opendj.ldif?at=1.10&diff1=d9599b598753ec3037b784b29baeac0e28bf7615&diff2=49115daf531b48c2d9fd0f766721d84c28576eae

    Connect2id server deployments with a DynamoDB database are essentially schema-less.

    Connect2id server deployments with Redis as the primary in-memory and caching store use a new bucket (database) with number 14 to store tokens in the new format. Cached tokens in the old format in Redis bucket 4 will remain there until they expire.

  • Introduces a new AES JSON Web Key (JWK) in the Connect2id server JWK set for encrypting and authenticating refresh tokens without the need for a database lookup. The encryption will also enable the inclusion of additional metadata and the implementation of advanced security measures in future Connect2id server versions. Existing refresh tokens without the additional encryption layer will continue to be valid and will be handled transparently.
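To make the hashed storage of identifier-based access tokens described above concrete, the following Go program is an added example and not the Connect2id server's implementation. A token carrying an HMAC-SHA256 tag (the analogue of the "hmac" JWK) is stored under SHA-256 of the token truncated to 128 bits, so a leaked database row cannot be replayed as a token even by someone who also holds the HMAC key, and a legacyPlainKeys flag models the authzStore.options.legacyPlainKeysInStorage lookup for rows written by an earlier version. The 16 + 32 byte token layout, the demo keys and the record contents are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

var b64 = base64.RawURLEncoding

// issueIDToken creates an identifier-based access token: 16 random bytes plus an
// HMAC-SHA256 tag under the "hmac" key, so an invented identifier is rejected
// before any database lookup. The id || tag layout is an assumption for the example.
func issueIDToken(hmacKey []byte) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(id)
	return b64.EncodeToString(mac.Sum(id)), nil // Sum appends the tag to id
}

// checkIDToken verifies the tag in constant time.
func checkIDToken(hmacKey []byte, token string) error {
	raw, err := b64.DecodeString(token)
	if err != nil || len(raw) != 48 {
		return errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(raw[:16])
	if !hmac.Equal(mac.Sum(nil), raw[16:]) {
		return errors.New("bad token tag")
	}
	return nil
}

// storageKey is the only form of the token the database holds: SHA-256 of the
// token string truncated to 128 bits. A leaked row cannot be turned back into
// a presentable token, even with knowledge of the HMAC key.
func storageKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return b64.EncodeToString(sum[:16])
}

// TokenStore stands in for the id_access_tokens table.
type TokenStore struct {
	records         map[string]string // storage key -> authorisation record
	legacyPlainKeys bool              // models authzStore.options.legacyPlainKeysInStorage
}

func (s *TokenStore) put(token, record string) { s.records[storageKey(token)] = record }

// introspect authenticates the token, then looks it up by its hash. With the
// legacy option on, rows written under the plain token are still found; with
// it off they are deemed invalid, as the notes describe.
func (s *TokenStore) introspect(hmacKey []byte, token string) (string, bool) {
	if checkIDToken(hmacKey, token) != nil {
		return "", false
	}
	if rec, ok := s.records[storageKey(token)]; ok {
		return rec, true
	}
	if rec, ok := s.records[token]; ok && s.legacyPlainKeys {
		return rec, true
	}
	return "", false
}

func main() {
	hmacKey := bytes.Repeat([]byte{0x11}, 32) // constructed demo key
	tok, err := issueIDToken(hmacKey)
	if err != nil {
		panic(err)
	}
	store := &TokenStore{records: map[string]string{}}
	store.put(tok, "sub=alice scope=openid") // constructed record
	rec, ok := store.introspect(hmacKey, tok)
	fmt.Printf("token:      %s\nstored as:  %s\nintrospect: %q %v\n", tok, storageKey(tok), rec, ok)
	// An invented identifier without a valid tag never reaches the database.
	_, ok = store.introspect(hmacKey, b64.EncodeToString(bytes.Repeat([]byte{0xAA}, 48)))
	fmt.Println("forged token accepted:", ok)
}
```

The two layers protect against different failures: the HMAC tag stops forged identifiers at the endpoint, while the truncated hash limits what a database or backup disclosure yields. Truncation to 128 bits keeps the column short while leaving the preimage search infeasible; the hash needs no secret, which is exactly why it still holds once the HMAC key is exposed.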

Configuration

  • /WEB-INF/jwkSet.json

    • Introduces a new AES 256 bit octet sequence JWK with use "enc" (encryption) and ID "refresh-token-encrypt" for encrypting issued refresh tokens. This key is required, starting from Connect2id server 8.0.

  • /WEB-INF/oidcProvider.properties

    • New "op.par.lifetime" configuration property which sets the lifetime of the pushed authorisation requests (PAR), in seconds. Must not be shorter than 10 seconds. The default value is 60 seconds.

    • New "op.authz.includeRawClaimsRequestInPrompt" configuration property which enables / disables inclusion of the raw OpenID "claims" request parameter in the consent prompts of the authorisation session web API, under "claims" -> "raw_request". Access to the raw "claims" request parameter may be required when processing requests for verified claims (OpenID Connect for Identity Assurance 1.0). The default value is false (disabled).

    • New "op.assurance.supportsVerifiedClaims" configuration property which enables / disables advertisement of OpenID Connect for Identity Assurance 1.0 support in OpenID provider metadata and inclusion of the optional transaction specific "purpose" OpenID authentication parameter in the consent prompts of the authorisation session web API. Corresponds to the "verified_claims_supported" OpenID provider metadata parameter. The default value is false (disabled).

    • New "op.assurance.supportedTrustFrameworks" configuration property. Lists the supported trust frameworks if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "trust_frameworks_supported" OpenID provider metadata parameter.

    • New "op.assurance.supportedIdentityEvidenceTypes" configuration property. Lists the supported identity evidence types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "evidence_supported" OpenID provider metadata parameter.

    • New "op.assurance.supportedIDDocumentTypes" configuration property. Lists the supported ID document types if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "id_documents_supported" OpenID provider metadata parameter.

    • New "op.assurance.supportedIdentityVerificationMethods" configuration property. Lists the supported identity verification methods if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "id_documents_verification_methods_supported" OpenID provider metadata parameter.

    • New "op.assurance.supportedVerifiedClaims" configuration property. Lists the supported verified claims if OpenID Connect for Identity Assurance 1.0 support is enabled. Corresponds to the "claims_in_verified_claims_supported" OpenID provider metadata parameter.

  • /WEB-INF/authzStore.properties

    • New "authzStore.accessToken.codec.jwt.profile" configuration property. Sets the JWT profile to use for access tokens minted by the default self-contained access token codec. See the SelfContainedAccessTokenClaimsCodec SPI JavaDoc for more information.

      Supported profiles:

      • c2id-1.1 -- Connect2id server specific profile, available since v7.17, with the JWT "typ" (type) header set to "at+jwt".

      • c2id-1.0 -- Connect2id server specific profile, available since v1.0, outputs the same JWT claims as c2id-1.1 but doesn't set the JWT "typ" (type) header.

      • oauth-1.0 -- Standard profile in development at the OAuth working group, see draft-ietf-oauth-access-token-jwt-03

      The default value is c2id-1.1.

    • New "authzStore.options.legacyPlainKeysInStorage" configuration property. If true the Connect2id server will support retrieval of legacy plain keys for identifier-based access tokens from storage after upgrading to Connect2id server 8.x; if false such keys are ignored, which causes the introspection of the linked access tokens to flag them as invalid. Note that enabling this configuration causes additional database reads and a performance penalty during introspection. The default value is false (no support for legacy plain access token keys).

  • /WEB-INF/log4j.xml

    • The root logger level ("INFO") can now be overridden by setting the "log4j.level" Java system property.

  • /WEB-INF/infinispan-*.xml

    • Updates the data structure for the identifier-based access tokens, which is now named "authzStore.idAccessTokenMap".

  • /WEB-INF/infinispan-*-redis-*.xml

    • Deployments using Redis as primary caching and in-memory store will use a new bucket with number 14 for the identifier-based access tokens. Cached tokens in the old format in Redis bucket 4 will remain there until they expire.

Web API

  • /par

    • New endpoint for receiving back-channel OAuth 2.0 authorisation and OpenID authentication requests, also called Pushed Authorization Requests (PAR). Confidential clients must authenticate with the same registered method as for the token endpoint. The complete specification is at https://tools.ietf.org/html/draft-ietf-oauth-par-00

  • /authz-sessions/rest/v3/

    • If op.authz.includeRawClaimsRequestInPrompt=true the raw OpenID "claims" request parameter will be included in the consent prompt API responses (as JSON object member "claims" -> "raw_request").

    • If OpenID Connect for Identity Assurance 1.0 is enabled (op.assurance.supportsVerifiedClaims=true) and the OpenID authentication request includes the transaction specific purpose parameter, the parameter will be included in the consent prompt API responses (as JSON object member purpose).

    • The "claims" parameter of the consent objects enables OpenID claims to be fed into the access token by prefixing their name with "access_token:". For example, "access_token:email" will cause the "email" claim to be retrieved from the configured OpenID claims source and fed into each access token for the given OAuth 2.0 grant. If the access token is self-contained (JWT) the "email" claim will be added as a top-level claim with the same name. If the access token is identifier-based the "email" claim will appear as top-level claim in the token introspection response.

      Two additional prefixes are supported:

      • "access_token:uip:" -- Causes the OpenID claim to be merged into the top-level "uip" (optional preset UserInfo claims) JSON object claim.

      • "access_token:dat:" -- Causes the OpenID claim to be merged into the top-level "dat" (optional data) JSON object claim.

      If the claim name clashes with an existing top-level access token claim it will be ignored and not fed into the access token.

  • /monitor/v1/metrics

    • Adds new meters for the Pushed Authorisation Request (PAR) endpoint:

      • "parEndpoint.successfulRequests" -- Meters successful PAR requests.

      • "parEndpoint.invalidRequests" -- Meters invalid PAR requests.

      • "parEndpoint.invalidClientErrors" -- Meters "invalid_client" errors at the PAR endpoint.

      • "parEndpoint.serverErrors" -- Meters server errors (HTTP 500) at the PAR endpoint.
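    The routing rules for the "access_token:", "access_token:uip:" and "access_token:dat:" prefixes in the consent object's "claims" parameter (see /authz-sessions/rest/v3/ above), as an added example that models the documented behaviour and is not Connect2id server code. The claims source values and the pre-existing token claims are constructed; the function name is an assumption.

```python
import json

# Added example, not Connect2id server code: models how prefixed entries in a
# consent object's "claims" list are fed into the top-level access token claims.
ACCESS_TOKEN_PREFIX = "access_token:"
UIP_PREFIX = "access_token:uip:"  # merged into the "uip" (preset UserInfo claims) object
DAT_PREFIX = "access_token:dat:"  # merged into the "dat" (optional data) object

# Constructed stand-in for the configured OpenID claims source.
CLAIMS_SOURCE = {
    "email": "alice@example.com",
    "name": "Alice",
    "groups": ["admins"],
    "scope": "from-claims-source",  # constructed: clashes with the token's top-level "scope"
}


def feed_access_token_claims(consent_claims, existing_claims, claims_source=CLAIMS_SOURCE):
    """Return a new dict of top-level access token claims.

    consent_claims: the consent object's "claims" list, e.g.
        ["email", "access_token:email", "access_token:uip:name"]
    existing_claims: claims the server already set (sub, scope, iss, ...).
    Entries without a prefix are ordinary ID token / UserInfo claims and are
    not fed into the access token. A prefixed claim whose name clashes with an
    existing top-level access token claim is ignored, as the notes state.
    """
    token = dict(existing_claims)
    for entry in consent_claims:
        if entry.startswith(UIP_PREFIX):
            name, target = entry[len(UIP_PREFIX):], "uip"
        elif entry.startswith(DAT_PREFIX):
            name, target = entry[len(DAT_PREFIX):], "dat"
        elif entry.startswith(ACCESS_TOKEN_PREFIX):
            name, target = entry[len(ACCESS_TOKEN_PREFIX):], None
        else:
            continue  # regular OpenID claim, never fed into the access token
        if name not in claims_source:
            continue  # the claims source cannot resolve it
        if target is None:
            if name in token:
                continue  # clash with an existing top-level claim: ignored
            token[name] = claims_source[name]
        else:
            token.setdefault(target, {})[name] = claims_source[name]
    return token


if __name__ == "__main__":
    existing = {"sub": "alice", "scope": "openid email", "iss": "https://c2id.example.com"}
    consent = ["email", "access_token:email", "access_token:uip:name",
               "access_token:dat:groups", "access_token:scope"]
    print(json.dumps(feed_access_token_claims(consent, existing), indent=2))
```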

SPI

Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.12

  • com.nimbusds.openid.connect.provider.spi.par.PARValidator

    • New SPI for performing additional validation of received Pushed Authorisation Requests (PAR). See https://www.javadoc.io/doc/com.nimbusds/c2id-server-sdk/4.12/com/nimbusds/openid/connect/provider/spi/par/PARValidator.html

  • com.nimbusds.openid.connect.provider.spi.tokens

    • The self-contained and identifier-based access token codecs can now be configured via Connect2id server properties which are obtained by calling the TokenCodecContext.getCodecProperties method, for example to enable support of multiple token profiles.

    • The self-contained access token codec interface (SelfContainedAccessTokenClaimsCodec) is extended with new advancedEncode and advancedDecode methods to enable setting and validation of the JWT "typ" (type) header.

    • The AccessTokenAuthorization interface adds support for custom top-level access token claims via the new getOtherTopLevelParameters method.

Resolved issues

  • Fixes the expiration logic for refresh tokens when the Connect2id server is configured with authzStore.refreshToken.alwaysUpdate=true (issue authz-store/166).

  • Fixes "authzStore.accessTokenIssues" metering on successful refresh token usage (issue authz-store/167).

  • Fixes persistence of client_id metadata for cached request_uri claims in multi-tenant Connect2id server deployments (issue server/507).

  • Updates AWS SDK to 1.11.632 to support IAM role for Amazon EKS (issue server/503).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.12

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:6.21.2

  • Upgrades to com.nimbusds:nimbus-jose-jwt:8.4

  • Updates to org.cryptomator:siv-mode:1.2.2

  • Updates to com.nimbusds:oidc-session-store:13.4

  • Upgrades to com.nimbusds:oauth2-authz-store:14.0.6

  • Updates to com.nimbusds:infinispan-cachestore-dynamodb:3.5.2

  • Upgrades to com.nimbusds:infinispan-cachestore-sql:4.1.1

  • Updates to org.postgresql:postgresql:42.2.8

  • Updates to com.unboundid:unboundid-ldapsdk:4.0.14

  • Updates to com.amazonaws:aws-java-sdk-bundle:1.11.632

  • Upgrades to com.nimbusds:c2id-server-ldap-schemas:1.10

  • Updates to Infinispan 9.4.17.Final.

  • Updates to com.nimbusds:jgroups-dynamodb-ping:1.2.3