Connect2id server 10.3 introduces a new plugin interface for handling software statements

This new release of the Connect2id server ships two new features and one bug fix.

SPI for handling software statements

One way of managing and securing client registration is with software statements: a signed JWT, embedded in the client metadata, which locks selected parameters (for example the client name, logo and other configuration) and also lets the registration request be authenticated, because the statement is issued by a party the server trusts rather than by the registering client. Software statements appear in Open Banking dynamic client registration, where the client application parameters are kept and attested by a central directory.

Previously, to handle such statements, or requests secured in some other way, a custom web service had to be layered in front of the clients API.

This release introduces a plugin interface (SPI) for intercepting incoming HTTP requests at the client registration endpoint, and optionally validating and rewriting them, to implement software statements or some other security profile for client registration.

Sample client registration request with an embedded software statement (the JWT is wrapped here for display; its payload decodes to software_id, client_name and client_uri claims, which the server then treats as locked metadata):

POST /clients HTTP/1.1
Content-Type: application/json
Accept: application/json

{
  "redirect_uris"      : [ "https://client.example.org/cb" ],
  "software_statement" : "eyJhbGciOiJSUzI1NiJ9.
eyJzb2Z0d2FyZV9pZCI6IjROUkIxLTBYWkFCWkk5RTYtNVNNM1IiLCJjbGll
bnRfbmFtZSI6IkV4YW1wbGUgU3RhdGVtZW50LWJhc2VkIENsaWVudCIsImNs
aWVudF91cmkiOiJodHRwczovL2NsaWVudC5leGFtcGxlLm5ldC8ifQ.
GHfL4QNIrQwL18BSRdE595T9jbzqa06R9BT8w409x9oIcKaZo_mt15riEXHa
zdISUvDIZhtiyNrSHQ8K4TvqWxH6uJgcmoodZdPwmWRIEYbQDLqPNxREtYn0
5X3AR7ia4FRjQ2ojZjk5fJqJdQ-JcfxyhK-P8BAWBd6I2LLA77IG32xtbhxY
fHX7VhuU5ProJO8uvu3Ayv4XRhLZJY4yKfmyjiiKiPNe-Ia4SMy_d_QSWxsk
U5XIQl5Sa2YRPMbDRXttm2TfnZM1xx70DoYi8g6czz-CPGRi4SW_S2RKHIJf
IjoI3zTJ0Y2oe0_EJAiXbL6OyF9S5tKxDXV8JIndSA"
}
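To show what an interceptor for this endpoint has to do with a request like the one above, here is a stand-alone model of the validation and rewrite step. This is an added example written for this page, not Connect2id server code and not the RegistrationInterceptor SPI of the Java SDK: it takes the parsed JSON body, verifies the embedded software statement against the issuing directory's key, rejects with the RFC 7591 invalid_software_statement error on failure, and otherwise merges the statement claims into the metadata with the statement taking precedence over conflicting plain JSON values (RFC 7591, section 2.3). The directory key, issuer URL, claim values and request body are constructed for the example. To keep it runnable with the standard library the statement is signed with HS256; a real directory signs with an asymmetric algorithm such as RS256 or PS256 and publishes its verification keys as a JWK Set, and the pinned alg check below would name that algorithm instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a directory that issues software statements.
# HS256 with a shared key keeps the demo self-contained; a real directory
# signs with RS256/PS256 and the server verifies against its published JWKs.
DIRECTORY_KEY = b"constructed-directory-key-not-for-production"
DIRECTORY_ISSUER = "https://directory.example.org"
STATEMENT_ALG = "HS256"

# Statement claims that are checked but are not client metadata, so never copied.
NON_METADATA_CLAIMS = {"iss", "iat", "exp", "jti"}

# Constructed claims, mirroring the payload of the sample request above.
SAMPLE_STATEMENT_CLAIMS = {
    "iss": DIRECTORY_ISSUER,
    "iat": 1606000000,
    "exp": 1606003600,
    "software_id": "4NRB1-0XZABZI9E6-5SM3R",
    "client_name": "Example Statement-based Client",
    "client_uri": "https://client.example.net/",
}

# Constructed registration body; the registrant tries to pick its own client_name.
DEMO_REQUEST = {
    "redirect_uris": ["https://client.example.org/cb"],
    "client_name": "Name chosen by the registrant",
}


class InvalidSoftwareStatement(ValueError):
    """Maps to the RFC 7591 'invalid_software_statement' registration error."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_software_statement(claims: dict, key: bytes) -> str:
    """What the directory does: issue a compact JWS over the locked client metadata."""
    header = {"alg": STATEMENT_ALG, "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_software_statement(token: str, key: bytes, issuer: str, now: float) -> dict:
    """Verify signature, pinned algorithm, issuer and expiry; return the claims."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError as exc:  # wrong part count, bad base64url or bad JSON
        raise InvalidSoftwareStatement("malformed software statement") from exc
    # Pin the algorithm: the token never gets to choose (rejects "none" and confusion).
    if header.get("alg") != STATEMENT_ALG:
        raise InvalidSoftwareStatement("unexpected alg in software statement")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidSoftwareStatement("software statement signature is invalid")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise InvalidSoftwareStatement("software statement not issued by the directory")
    if "exp" in claims and claims["exp"] < now:
        raise InvalidSoftwareStatement("software statement has expired")
    return claims


def intercept_registration(request: dict, key: bytes, issuer: str, now: float = None):
    """Model of the interceptor: returns (None, rewritten_request) to let the request
    through, or (400, error_body) to reject it. Statement claims override the plain
    JSON metadata (RFC 7591 section 2.3); a request without a statement is refused."""
    now = time.time() if now is None else now
    token = request.get("software_statement")
    try:
        if token is None:
            raise InvalidSoftwareStatement("a software statement is required")
        claims = verify_software_statement(token, key, issuer, now)
    except InvalidSoftwareStatement as exc:
        return 400, {"error": "invalid_software_statement", "error_description": str(exc)}
    rewritten = dict(request)
    for name, value in claims.items():
        if name not in NON_METADATA_CLAIMS:
            rewritten[name] = value  # the directory's value wins on any conflict
    return None, rewritten


if __name__ == "__main__":
    statement = sign_software_statement(SAMPLE_STATEMENT_CLAIMS, DIRECTORY_KEY)
    body = dict(DEMO_REQUEST, software_statement=statement)
    print(intercept_registration(body, DIRECTORY_KEY, DIRECTORY_ISSUER, now=1606000100))
```

The same rewrite applies to PUT updates, where the locked fields must again be taken from a valid statement rather than from the update body; GET and DELETE need only the authentication part.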

Enabled PKCE methods configuration

A new op.authz.allowedPKCE configuration property sets the enabled PKCE (RFC 7636) code challenge methods. By default both RFC 7636 methods, plain and S256, are allowed.

To limit the allowed code challenge methods to S256 only (the plain method sends the verifier itself as the challenge, so it gives no protection against an attacker who can observe the authorisation request):

op.authz.allowedPKCE=S256

The allowed PKCE methods are advertised in the server metadata under code_challenge_methods_supported, and an authorisation request that uses a method not on the list is rejected with an invalid_request error.
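The following added example (written for this page; it is not Connect2id server code and does not read the server's configuration) models what the op.authz.allowedPKCE property and the release-notes entry for it describe: parsing the comma and/or space separated value, deriving code_challenge_methods_supported from it, rejecting an authorisation request whose code challenge method is not allowed with invalid_request, and checking the code verifier at the token endpoint for both RFC 7636 methods. It also goes a step further than the page and validates the challenge and verifier syntax of RFC 7636 section 4.1. The parameter dictionaries are constructed inputs; the verifier/challenge pair used for checking is the test vector from RFC 7636 appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# All RFC 7636 code challenge methods; also the server default per the release notes.
ALL_PKCE_METHODS = ("plain", "S256")

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
_UNRESERVED_43_128 = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def parse_allowed_pkce(value: str) -> tuple:
    """Parse an op.authz.allowedPKCE value ("S256", "plain, S256", "plain S256")."""
    names = value.replace(",", " ").split()
    if not names:
        raise ValueError("op.authz.allowedPKCE must list at least one method")
    allowed = []
    for name in names:
        if name not in ALL_PKCE_METHODS:
            raise ValueError(f"unknown PKCE code challenge method: {name}")
        if name not in allowed:
            allowed.append(name)
    return tuple(allowed)


def server_metadata(allowed: tuple) -> dict:
    """The fragment of the AS metadata that advertises the enabled methods."""
    return {"code_challenge_methods_supported": list(allowed)}


def _invalid_request(description: str) -> dict:
    return {"error": "invalid_request", "error_description": description}


def check_authz_request(params: dict, allowed: tuple, require_pkce: bool = False):
    """Authorisation endpoint check. Returns None when the PKCE parameters are
    acceptable, otherwise an OAuth 2.0 error object. A missing
    code_challenge_method means "plain" (RFC 7636 section 4.3), so a server
    configured for S256 only also rejects requests that omit the method."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if challenge is None:
        if require_pkce:
            return _invalid_request("code_challenge is required")
        if method is not None:
            return _invalid_request("code_challenge_method without code_challenge")
        return None
    method = method or "plain"
    if method not in allowed:
        return _invalid_request(f"code_challenge_method {method} is not allowed")
    if not _UNRESERVED_43_128.match(challenge):
        return _invalid_request("malformed code_challenge")
    return None


def s256_challenge(code_verifier: str) -> str:
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(method: str, code_challenge: str, code_verifier: str) -> bool:
    """Token endpoint check: does the presented verifier match the stored challenge?"""
    if not _UNRESERVED_43_128.match(code_verifier):
        return False
    if method == "plain":
        expected = code_verifier
    elif method == "S256":
        expected = s256_challenge(code_verifier)
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


def new_pkce_pair() -> tuple:
    """Client side: a fresh 43-character verifier and its S256 challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256_challenge(verifier)


if __name__ == "__main__":
    allowed = parse_allowed_pkce("S256")
    print(server_metadata(allowed))
    verifier, challenge = new_pkce_pair()
    print(check_authz_request({"code_challenge": challenge, "code_challenge_method": "plain"}, allowed))
    print(check_authz_request({"code_challenge": challenge, "code_challenge_method": "S256"}, allowed))
    print(verify_code_verifier("S256", challenge, verifier))
```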

Resolved issues

Fixes a DB schema bug affecting 10.x deployments with MySQL 5.7.x. See the release notes for details.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 10.3: Connect2id-server.zip

SHA-256: a740bc2558becb304e51f171a5a579fa46b6ced54b5b192bd108eed289fd3a4f

Connect2id server 10.3 WAR package: c2id.war

SHA-256: bc3bb2b6424d90d13d342e6a5a77601b62220197ecc93ffb8058bceb75fdf79e

Multi-tenant edition

Apache Tomcat package with Connect2id server 10.3: Connect2id-server-mt.zip

SHA-256: 0c2fe2f57d3cd56ae7f96883f99085adcd3842b21dbae8f05b6e9e8a8de559c6

Connect2id server 10.3 WAR package: c2id-multi-tenant.war

SHA-256: fa8c7a638aa24ad5f0ca1366148de3b40703a33364860b7de29525122ceded96

Questions?

Contact Connect2id support.


Release notes

10.3 (2020-11-25)

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.authz.allowedPKCE -- New optional configuration property specifying the allowed PKCE (RFC 7636) code challenge methods which OAuth 2.0 clients may use at the authorisation endpoint, as a comma and/or space separated list. The default allowed code challenge methods are "plain" and "S256" (all RFC 7636 methods).

      Authorisation requests which use a code challenge method that isn't allowed by the configuration will be rejected with an invalid_request error.

      The allowed code challenge methods will be advertised in the OpenID provider / OAuth 2.0 authorisation server "code_challenge_methods_supported" metadata field.

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.23

  • com.nimbusds.openid.connect.provider.spi.reg.RegistrationInterceptor

    • New SPI for intercepting and optionally modifying HTTP POST, GET, PUT and DELETE requests at the client registration endpoint. Can be used to process software statements (RFC 7591, section 2.3) and signed (JWT) registration requests (such as those in Open Banking Dynamic Client Registration).

Resolved issues

  • Fixes an issue in the MySQL schema for the federation_clients table, where MySQL 5.7.x doesn't accept a second TIMESTAMP column with a NOT NULL declaration. MySQL 8.x is not affected (issue server/614).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.23

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.27

  • Upgrades to com.thetransactioncompany:java-property-utils:1.16