Connect2id server 10.4

Before we head into the Christmas holiday we have a small Connect2id server update for you.

New plugin for verifying software statements

The server now comes packaged with a plugin for verifying software statements, which may be included in a client registration request to attest selected parameters, such as those that define the client identity. The plugin is highly configurable and can, for instance, handle the type of software statements used in Open Banking.

The plugin is based on the registration interceptor SPI and is disabled by default.
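As an added illustration, not code from the Connect2id server or its software statement verifier plugin, this is the sequence of checks a registration endpoint performs on a software statement: signature against the trusted issuer's key, pinned algorithm, issuer and expiry, and then rejection of any requested metadata that contradicts the attested parameters. It uses the Nimbus JOSE+JWT library; the issuer name, the set of attested fields and the PS256 algorithm are assumptions, and the key and request are constructed for the demonstration.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.*;
import java.util.*;
public class SoftwareStatementCheck {
    // Parameters the statement issuer is trusted to attest; the request may not override them (assumption)
    static final List<String> ATTESTED = List.of("redirect_uris", "client_name", "jwks_uri");
    // Returns the metadata to register, or throws if the statement or the request is not acceptable
    static Map<String, Object> verify(String jwt, RSAKey issuerKey, String trustedIssuer,
                                      Map<String, Object> requested) throws Exception {
        SignedJWT statement = SignedJWT.parse(jwt);
        // Pin the algorithm so a caller-chosen "alg" header is never honoured
        if (!JWSAlgorithm.PS256.equals(statement.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg " + statement.getHeader().getAlgorithm());
        if (!statement.verify(new RSASSAVerifier(issuerKey.toRSAPublicKey())))
            throw new SecurityException("invalid software statement signature");
        JWTClaimsSet claims = statement.getJWTClaimsSet();
        if (!trustedIssuer.equals(claims.getIssuer()))
            throw new SecurityException("untrusted issuer " + claims.getIssuer());
        if (claims.getExpirationTime() != null && claims.getExpirationTime().before(new Date()))
            throw new SecurityException("software statement expired");
        // Attested values win; a request that contradicts one is rejected rather than silently merged
        Map<String, Object> result = new HashMap<>(requested);
        for (String name : ATTESTED) {
            Object attested = claims.getClaim(name), asked = requested.get(name);
            if (attested == null) continue;
            if (asked != null && !asked.equals(attested))
                throw new SecurityException("request contradicts attested " + name);
            result.put(name, attested);
        }
        return result;
    }
    public static void main(String[] args) throws Exception {
        RSAKey issuerKey = new RSAKeyGenerator(2048).keyID("ss-1").generate();  // constructed issuer key
        JWTClaimsSet claims = new JWTClaimsSet.Builder().issuer("https://directory.example.com")  // hypothetical
            .expirationTime(new Date(System.currentTimeMillis() + 600_000))
            .claim("redirect_uris", List.of("https://app.example.com/cb")).claim("client_name", "Example App").build();
        SignedJWT statement = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.PS256).keyID("ss-1").build(), claims);
        statement.sign(new RSASSASigner(issuerKey));
        // Constructed request whose redirect_uris contradict the statement: must be rejected
        Map<String, Object> request = new HashMap<>(Map.of("redirect_uris", List.of("https://other.example.net/cb")));
        try {
            verify(statement.serialize(), issuerKey, "https://directory.example.com", request);
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same structure applies to statements carried inside a signed JWT registration request over mutual TLS: the outer request signature and the client certificate are checked first, and the embedded statement is then verified as above.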

Updated plugin for handling OAuth 2.0 client credentials grants

The included plugin for handling client credentials grants can now be configured to include selected client metadata fields in the issued access tokens. This can be useful in cases where the resource servers consuming the access tokens need additional client identity details besides the client_id.

Caching for selected metrics

The monitoring endpoint returns metrics which include gauges indicating the current number of active sessions, long-lived authorisations and other objects. If you have a backend database where querying the object count is expensive, typically with transactional SQL stores, and there are potentially hundreds of thousands or more objects, you can benefit from the new caching and not worry about polling the metrics too often.

The caching is controlled by the new monitor.entryCountCacheTimeout configuration property, which has a default value of 30 minutes (1800 seconds).

monitor.entryCountCacheTimeout=1800

Caching can be turned off entirely by setting the timeout to zero.

monitor.entryCountCacheTimeout=0

If the database load is still a concern, the count readings can also be disabled by setting a negative value, in which case the affected gauges always return -1.

monitor.entryCountCacheTimeout=-1

OpenID Connect Federation 1.0 draft 14

Following the 3rd OpenID Connect Federation interop in December 2020 the code was updated for the new draft 14 (not published yet at the time of this writing).

In explicit federation Relying Party (RP) registration the trust_anchor_id will now be returned as a top-level entity statement claim about the registered RP, instead of as an RP metadata parameter.

Handling of metadata policy was also updated, but isn't fully on par with the upcoming draft yet.

For a complete list of the changes and addressed issues, see the notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 10.4: Connect2id-server.zip

SHA-256: 56c68bcdef80b2c37bd949de3ead6e133da15421de7775232a5e622d9debb6b3

Connect2id server 10.4 WAR package: c2id.war

SHA-256: 07b97dd583f4a3b00e5aa3c2bbc97e0786acface4e40a0e396b610532d6d128d

Multi-tenant edition

Apache Tomcat package with Connect2id server 10.4: Connect2id-server-mt.zip

SHA-256: dbfc3af780a4950d0b111c286d4a5a08a6a2f6b6266752212f044f170c18108d

Connect2id server 10.4 WAR package: c2id-multi-tenant.war

SHA-256: 95d3b67235b2328d5a86173292580647f8fb9d242f02c2fe187d68498acce51a

Questions?

Contact Connect2id support.


Release notes

10.4 (2020-12-21)

Summary

  • Adds a plugin for verifying software statements in OAuth 2.0 client registration requests.

  • Introduces configurable caching for selected metrics which report Connect2id server object counts, in order to conserve database query resources.

  • Upgrades OpenID Connect Federation 1.0 support to draft 14.

Configuration

  • /WEB-INF/monitor.properties

    • monitor.entryCountCacheTimeout -- New configuration property, specifies a timeout for caching entry count results, in seconds. Zero disables caching; a negative value disables readings, causing the gauge to always return -1. The default timeout value is 1800 seconds (30 minutes).

      Gauges with entry count caching:

      • authzSessionStore.numSessions
      • sessionStore.numSessions
      • clientStore.numRegistrations
      • clientStore.numCachedRemoteJWKSets
      • clientStore.numCachedRemoteRequestObjects
      • authzStore.numAuthzCodes
      • authzStore.numIdAccessTokens
      • authzStore.numLongLivedAuthorizations
      • authzStore.numRevocationJournalEntries

Web API

  • /federation/clients

    • Upgrades explicit federation Relying Party (RP) registration to draft 14. The trust_anchor_id will now be returned as a top-level entity statement claim about the registered RP, instead of as an RP metadata parameter.
  • /monitor/v1/metrics

    • Introduces caching to the following gauges which report the number of persisted or cached Connect2id server objects for a given type. Intended to conserve database resources when querying the object count is expensive, for example in MySQL tables with millions of rows. The caching and its timeout are controlled by the new monitor.entryCountCacheTimeout configuration property.

      • authzSessionStore.numSessions
      • sessionStore.numSessions
      • clientStore.numRegistrations
      • clientStore.numCachedRemoteJWKSets
      • clientStore.numCachedRemoteRequestObjects
      • authzStore.numAuthzCodes
      • authzStore.numIdAccessTokens
      • authzStore.numLongLivedAuthorizations
      • authzStore.numRevocationJournalEntries

SPI

  • Upgrades the Connect2id server SDK to com.nimbusds:c2id-server-sdk:4.24

  • com.nimbusds.openid.connect.provider.spi.reg.FinalMetadataValidator

    • Adds a new "getReceivedMetadata" method to the ValidatorContext that returns the original OAuth 2.0 client / OpenID relying party metadata as received at the client registration endpoint.
  • com.nimbusds.openid.connect.provider.spi.grants.ClientCredentialsGrantHandler

    • Upgrades the included OAuth 2.0 client credentials grant handler plugin, see https://bitbucket.org/connect2id/client-credentials-grant-handler.

      • New op.grantHandler.clientCredentials.simpleHandler.accessToken.includeClientMetadataFields configuration property to specify the names of client metadata fields to include in the optional access token data field, empty set if none. To specify a member within a field that is a JSON object, use dot (.) notation.

      • The op.grantHandler.clientCredentials.simpleHandler.enable configuration property receives a default value false (disabled).

      • Lets op.grantHandler.clientCredentials.simpleHandler.accessToken.audienceList also apply to identifier-based access tokens.

      • Makes the /WEB-INF/clientGrantHandler.properties configuration file optional.

  • com.nimbusds.openid.connect.provider.spi.reg.RegistrationInterceptor

    • Allows more than one RegistrationInterceptor SPI implementation to be present, but at most one can be enabled.

    • New plugin for verifying optional software statements included in OAuth 2.0 client registration requests. Also supports registration requests encoded into a signed JWT and submitted over mutual TLS with a client X.509 certificate, to conform with Open Banking and other profiles. See https://bitbucket.org/connect2id/software-statement-verifier.

Resolved issues

  • Submitted client X.509 certificate must be supplied to the RegistrationInterceptor SPI (issue server/618).

  • Client certificate extraction log messages OP6020 and OP6021 must be assigned to the appropriate Connect2id server endpoint (issue server/617).

  • Improves exception messaging and logging when parsing corrupted string array fields from SQL records (issue server/470).

  • Logs CustomTokenResponseComposer SPI implementation loading under OP6218 (issue server/620).

Dependency changes

  • Upgrades to com.nimbusds:c2id-server-sdk:4.24

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:8.29

  • Updates to com.nimbusds:oauth2-authz-store:16.4

  • Updates to com.nimbusds:oidc-session-store:14.2

  • Upgrades to com.nimbusds:common:2.44

  • Updates to io.dropwizard.metrics:*:4.1.16

  • Updates to com.nimbusds:infinispan-cachestore-sql:4.2.3

  • Updates to com.unboundid:unboundid-ldapsdk:5.1.3

  • Upgrades to com.nimbusds:oauth-client-grant-handler:2.0

  • New com.nimbusds:software-statement-verifier:2.1 dependency

  • Updates to org.bouncycastle:*:1.67

  • Updates to com.thetransactioncompany:cors-filter:2.9.1